Application developers are drowning in work. Simply keeping up with business demands for new features and functionalities keeps their backlogs full of work. So it should come as no surprise why they struggle to make a meaningful dent in the vulnerabilities that give bad guys a pathway to break into valuable software and data. Applications are more vulnerable than ever today, and the breach statistics just keep going up.
The dilemma has application security (AppSec) pundits thinking hard about the fundamental ways today's typical AppSec program is broken. According to researchers James Wickett and Shannon Lietz, AppSec faces an epistemological problem for developers and security to figure out.
"What's the problem? We don't even know if we're chasing the right things," said Wickett, researcher with the firm Signal Sciences. "We have to ask the question, 'Is what we're testing driving us toward finding the right issues?'"
Wickett stepped up to the podium with Lietz last week at DevOps Enterprise Summit to describe to a developer-heavy audience why they believe organizations need to start refocusing security fix priorities based on adversary behavior—rather than sticking solely with standards like the OWASP Top 10, which often don't account for the exigencies of real-world attack patterns.
"When we think about things from the adversary perspective, we talk about means, motives, and opportunities," said Lietz, who works as the leader and director of DevSecOps for Intuit and also was the person responsible for coining the term DevSecOps to describe the mashup of security principles and DevOps. "What's happened to the application security industry is we focus a lot on opportunities. If we can block out the opportunity, then bad guys are going to go away. But the truth is, as an industry we're not really driving those bad guys away."
Instead, the bad guys adjust and keep coming. This is a key point that people in the security world and the development community need to "sit with for a minute," Wickett said, explaining that it is incorrent to think that if developers could somehow start building a perfect system, it'll be unhackable.
"That is a fallacy," he says.
It's this type of mentality that has built up a situation where developers have a huge backlog and no truly effective way to prioritize what they fix first. Sure, there are vulnerability characteristics—like how severe the flaw is or how critical the application is in which a given flaw is found—but most security scan data offers no context about where that flaw falls within the pantheon of most popular tactics, techniques, and procedures of the bad guys hammering applications.
"Ultimately, what happens is we overwhelm our development partners by not focusing on the stuff that bad guys actually focus on," Lietz said. "Essentially, you got to have some way to have a conversation about what's real and what's perceived."
They suggested organizations work to come up with what they call a "Real World Top 10" for developers to get started. These top issues home in on more adversary-relevant flaws, such as those that enable common attacks, like direct object reference, forceful browsing, and null byte attacks.
This requires security organizations to instrument for and collect telemetry that helps them determine basic patterns in adversary data to start figuring out who the top adversaries are, how they typically operate, how often they change up their TTP, how often they return to an application, and even how confidently they're operating based on how much it costs the enterprise to fix a problem.
"Most adversaries will go after your most important weakness based on how much it costs you to fix, and they know that because they know something's really deeply ingrained, how you've built your application there's actually long-term debt," Lietz explained. "They're surfing for your long-term debt just as much you're trying to get rid of it."
Ultimately, the goal is to find flaw characteristics contextualized by adversary interest. This can help the development team forecast the most important issues to fix based on adversary relevance, so they can stay ahead of the bad guys.
"I've made a lot more friends in our developer community because I've found a way to be valuable," Lietz says. "I care deeply about making these tactics more visible, making it easier for them to digest and making it faster for developers to get them sooner in the pipeline."
Black Hat Europe returns to London Dec 3-6 2018 with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.