Secure the Software, Secure the App
If we had to create a simple visual, application security is about protecting what is seen within the walls of a web browser. More specifically, the websites where over two billion people shop, pay their bills, learn, share their most intimate secrets, find out where something is, and so much more.
It stands to reason that something this important, the web, has become the most common avenue of cyber-attacks. Another reason for this is that websites and web applications exist largely outside the sphere of traditional security protections like firewalls, antivirus software, and TLS/SSL encryption.
Consider that the source of greatest vulnerability and risk is also the area that people are the least focused on protecting. If you don’t agree, just follow the money. Organizations generally spend 90 percent of their security budget on firewalls and antivirus software. But the bulk of the risk, and the breaches we all read about, are predominantly due to software that’s not secure, particularly web applications.
If cybersecurity is to get better, we have to change our way of thinking and understand that the primary job of application security is making sure that our software is secure.
Yes, I know it sounds so simple! Organizations must ensure that new websites and new software are coded securely, AND, just as important, organizations must address the countless vulnerabilities that already exist in their websites, websites that were built without any kind of secure software development lifecycle.
The problem is, even many security people really don’t understand how software is built and designed because their backgrounds and skill sets are often limited to network-layer security. It’s time to evolve.
For example, PCI DSS compliance requires that businesses protect themselves against the OWASP Top 10, so you have a bunch of people thinking that application security begins and ends with the Top 10. They’re just trying to check a box and say, OK, we’re done with app sec, let’s move on to the next thing.
That’s not how it works because that’s not how the bad guys work. The bad guys are quite happy and well-equipped to exploit websites using dozens of other techniques that aren’t on the OWASP Top 10. Not to mention that no company has an OWASP Top 10 problem. It’s usually a Top 3-5 problem, and that varies greatly from organization to organization.
I constantly advise companies to invest more in developer education, performing static analysis, implementing web application firewalls, and other practices. I tell them to do anything except continue the status quo of spending large sums on firewalls and antivirus software. Anyone who is paying attention knows that won’t do anything to curtail the most common method of cyber-attack.
And in what seems to be a new trend surfacing, antivirus software itself is riddled with holes that can be exploited, and yet the industry spends $8 billion a year on it. That’s a lot of money spent on security software that makes us less secure. Let’s be clear, firewalls and antivirus have a place in the InfoSec ecosystem, it’s just that security budgets are grossly out of line with present-day risks and how business invests in IT. Furthermore, it’s imperative that more people working in the security community better understand software—and software security—if we’re going to effectively protect our applications and the underlying data.
Remember, finding and fixing vulnerabilities isn’t an academic exercise; it’s all about keeping a sentient attacker out of our systems and away from the data they protect. But without a clear picture of their adversaries, security professionals will have a difficult time developing effective strategies to defeat them.
I think the biggest driver of change will be the influence that cybersecurity insurance companies have on the way we practice not only application security, but all things computer security. As claims increase and insurers get more actuarial data, they’ll better understand the security measures companies were taking, as well as how the attackers breached the system.
At that point, insurance companies will be perfectly positioned to say, you must do application security this way or your premiums will go up. That’s going to be a wake-up call for the security community. And it might be the only way our outdated vision of application security is going to evolve.