Application Security
11/21/2013
01:06 PM
Jeff Williams
Jeff Williams
Commentary
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Application Security: We Still Have A Long Way To Go

The past decade shows only trivial progress in improving web app security, according to new vulnerability guidelines in the OWASP Top Ten 2013.

Application security problems are not only the most common type of vulnerability, they also lead to the majority of breaches. In 2003, I wrote the first Top Ten Application Security Risks for the Open Web Application Security Project (OWASP). Our goal at the time was to raise awareness and improve software security through the establishment of free and open industry standards.

In case you are wondering, OWASP is an open-source community comprised of software developers from corporations, educational organizations, and other interested individuals from around the world.

The first Top Ten was based primarily on our members' experiences -- we didn’t have much data to support our choices back then. Today, there’s serious analysis backing the standard in the OWASP Top Ten 2013. The data comes from eight leading security firms specializing in application testing and verification. Collectively, the data is comprised of over half a million vulnerabilities, across hundreds of organizations, and thousands of applications.

The Top 10 items are selected and prioritized according to their prevalence and consensus estimates of exploitability, detectability, and impact. It’s been translated into dozens of languages and is implemented in most application security tools. There are three major updates this year:

  • Using Known Vulnerable Components. Modern applications frequently leverage hundreds of libraries. All of this code runs with the full privilege of the application, so vulnerabilities can be devastating. A recent study by Aspect Security of over 113 million library downloads by developers in 60,000 organizations, showed that 26 percent of those downloads contain known vulnerabilities. The new OWASP Top Ten has suggestions for finding and eliminating these problems.

  • Missing Function Level Access Control. When developers create web interfaces, they have to restrict which users can see various links, buttons, forms, and pages. Developers usually get this right because it is very visible. Unfortunately, making it pretty doesn’t make it secure. Developers often forget that they also have to put access controls in the business logic that actually performs business functions. The new OWASP Top Ten expands this category and provides helpful guidance.

  • Sensitive Data Exposure. The importance of encrypting both web traffic and sensitive data in storage cannot be underestimated. This new combined Top Ten item is intended to focus development teams on creating a unified strategy to identify sensitive data and encrypt it wherever it goes. You can refer to the new OWASP Top Ten for guidance on storing credentials safely, encrypting backups, caching, autocomplete and other often overlooked topics.

Important work is still ahead
Over the last 10 years, the OWASP Top Ten has been used by millions of people, referenced by the Federal Trade Commission, and the OWASP Foundation has grown immensely. We’re very proud of our efforts to date, but we still have a long way to go.

Initially, our principal goal was to raise the floor every few years, but we haven’t been able to do that, as evidenced by what I consider to be essentially trivial results in improving application security. In the decade between the 2003 and 2013 editions, we haven’t been able to stamp out even one category of application security problem. For example, SQL Injection appeared in 1998 and is still a huge problem that accounted for 83 percent of breaches over the last 15 years and resulted in the compromise of hundreds of millions of people’s credit card numbers, financial information, and healthcare information.

One reason for these disappointing results is because the OWASP Top Ten is only an awareness document -- just one tiny first step towards cultivating a culture that generates application security. To be sure, there’s no better first step for raising IT industry awareness of the application security issues that drive security managers to focus on cost-effective defense strategies.

To that end, I encourage you to pick just one of the Top Ten, create sensors in your development and test organizations, and establish a real-time dashboard across your application portfolio. Then expand your program to cover other risks. There is no "right" way to create an application security program, so don’t measure yourself against what others are doing.

If you know a developer, take a second and send them a copy of the OWASP Top Ten. It’s time to eliminate simple vulnerabilities like Cross-Site Scripting and SQL Injection forever.

Now it’s your turn. What are the application security problems that are keeping you up at night? Let’s chat about them in the comments and brainstorm ways we can make faster progress in improving application security.

 

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
danielcawrey
50%
50%
danielcawrey,
User Rank: Apprentice
11/21/2013 | 5:39:47 PM
Re: App security tools ?
Not providing developers with ample time has always been a problem, at least in my experiences. The reason is usually because developers have to deal with deadlines and demands that management doesn't always know impacts the software development lifecycle. Doesn't anyone else here agree with that assessment?
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
11/21/2013 | 4:23:01 PM
Re: App security tools ?
@irakov raises two great points about 1. companies not giving developers the time they need for security review and testing and 2. guidance about the best tools available to perform those test.  For example,  what are the steps you recommend to make headway against SQL Injection?
irakov
50%
50%
irakov,
User Rank: Apprentice
11/21/2013 | 2:09:07 PM
App security tools ?
Jeff,


The companies still do not allocate enough time for app level security review and testing. HealthCare.gov is one recent example. It would useful if you could write a high-level review of the app security tools that allow projects to address app security issues.
<<   <   Page 2 / 2
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Changing Face of Identity Management
Mobility and cloud services are altering the concept of user identity. Here are some ways to keep up.
Flash Poll
DevOps’ Impact on Application Security
DevOps’ Impact on Application Security
Managing the interdependency between software and infrastructure is a thorny challenge. Often, it’s a “developers are from Mars, systems engineers are from Venus” situation.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio

The cybersecurity profession struggles to retain women (figures range from 10 to 20 percent). It's particularly worrisome for an industry with a rapidly growing number of vacant positions.

So why does the shortage of women continue to be worse in security than in other IT sectors? How can men in infosec be better allies for women; and how can women be better allies for one another? What is the industry doing to fix the problem -- what's working, and what isn't?

Is this really a problem at all? Are the low numbers simply an indication that women do not want to be in cybersecurity, and is it possible that more women will never want to be in cybersecurity? How many women would we need to see in the industry to declare success?

Join Dark Reading senior editor Sara Peters and guests Angela Knox of Cloudmark, Barrett Sellers of Arbor Networks, Regina Wallace-Jones of Facebook, Steve Christey Coley of MITRE, and Chris Roosenraad of M3AAWG on Wednesday, July 13 at 1 p.m. Eastern Time to discuss all this and more.