Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

11/2/2018
08:00 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Speed Up AppSec Improvement With an Adversary-Driven Approach

Stop overwhelming developers and start using real-world attack behavior to prioritize application vulnerability fixes.

Application developers are drowning in work. Simply keeping up with business demands for new features and functionalities keeps their backlogs full of work. So it should come as no surprise why they struggle to make a meaningful dent in the vulnerabilities that give bad guys a pathway to break into valuable software and data. Applications are more vulnerable than ever today, and the breach statistics just keep going up.

The dilemma has application security (AppSec) pundits thinking hard about the fundamental ways today's typical AppSec program is broken. According to researchers James Wickett and Shannon Lietz, AppSec faces an epistemological problem for developers and security to figure out.  

"What's the problem? We don't even know if we're chasing the right things," said Wickett, researcher with the firm Signal Sciences. "We have to ask the question, 'Is what we're testing driving us toward finding the right issues?'" 

Wickett stepped up to the podium with Lietz last week at DevOps Enterprise Summit to describe to a developer-heavy audience why they believe organizations need to start refocusing security fix priorities based on adversary behavior—rather than sticking solely with standards like the OWASP Top 10, which often don't account for the exigencies of real-world attack patterns.  

"When we think about things from the adversary perspective, we talk about means, motives, and opportunities," said Lietz, who works as the leader and director of DevSecOps for Intuit and also was the person responsible for coining the term DevSecOps to describe the mashup of security principles and DevOps. "What's happened to the application security industry is we focus a lot on opportunities. If we can block out the opportunity, then bad guys are going to go away. But the truth is, as an industry we're not really driving those bad guys away."

Instead, the bad guys adjust and keep coming. This is a key point that people in the security world and the development community need to "sit with for a minute," Wickett said, explaining that it is incorrent to think that if developers could somehow start building a perfect system, it'll be unhackable. 

"That is a fallacy," he says.

It's this type of mentality that has built up a situation where developers have a huge backlog and no truly effective way to prioritize what they fix first. Sure, there are vulnerability characteristics—like how severe the flaw is or how critical the application is in which a given flaw is found—but most security scan data offers no context about where that flaw falls within the pantheon of most popular tactics, techniques, and procedures of the bad guys hammering applications. 

"Ultimately, what happens is we overwhelm our development partners by not focusing on the stuff that bad guys actually focus on," Lietz said. "Essentially, you got to have some way to have a conversation about what's real and what's perceived."

They suggested organizations work to come up with what they call a "Real World Top 10" for developers to get started. These top issues home in on more adversary-relevant flaws, such as those that enable common attacks, like direct object reference, forceful browsing, and null byte attacks. 

This requires security organizations to instrument for and collect telemetry that helps them determine basic patterns in adversary data to start figuring out who the top adversaries are, how they typically operate, how often they change up their TTP, how often they return to an application, and even how confidently they're operating based on how much it costs the enterprise to fix a problem.

"Most adversaries will go after your most important weakness based on how much it costs you to fix, and they know that because they know something's really deeply ingrained, how you've built your application there's actually long-term debt," Lietz explained. "They're surfing for your long-term debt just as much you're trying to get rid of it."

Ultimately, the goal is to find flaw characteristics contextualized by adversary interest. This can help the development team forecast the most important issues to fix based on adversary relevance, so they can stay ahead of the bad guys.  

"I've made a lot more friends in our developer community because I've found a way to be valuable," Lietz says. "I care deeply about making these tactics more visible, making it easier for them to digest and making it faster for developers to get them sooner in the pipeline."

Related Content:

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
For Cybersecurity to Be Proactive, Terrains Must Be Mapped
Craig Harber, Chief Technology Officer at Fidelis Cybersecurity,  10/8/2019
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17537
PUBLISHED: 2019-10-13
Jiangnan Online Judge (aka jnoj) 0.8.0 has Directory Traversal for file deletion via the web/polygon/problem/deletefile?id=1&name=../ substring.
CVE-2019-17538
PUBLISHED: 2019-10-13
Jiangnan Online Judge (aka jnoj) 0.8.0 has Directory Traversal for file reading via the web/polygon/problem/viewfile?id=1&name=../ substring.
CVE-2019-17535
PUBLISHED: 2019-10-13
Gila CMS through 1.11.4 allows blog-list.php XSS, in both the gila-blog and gila-mag themes, via the search parameter, a related issue to CVE-2019-9647.
CVE-2019-17536
PUBLISHED: 2019-10-13
Gila CMS through 1.11.4 allows Unrestricted Upload of a File with a Dangerous Type via the moveAction function in core/controllers/fm.php. The attacker needs to use admin/media_upload and fm/move.
CVE-2019-17533
PUBLISHED: 2019-10-13
Mat_VarReadNextInfo4 in mat4.c in MATIO 1.5.17 omits a certain '\0' character, leading to a heap-based buffer over-read in strdup_vprintf when uninitialized memory is accessed.