Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

11/2/2018
08:00 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Speed Up AppSec Improvement With an Adversary-Driven Approach

Stop overwhelming developers and start using real-world attack behavior to prioritize application vulnerability fixes.

Application developers are drowning in work. Simply keeping up with business demands for new features and functionalities keeps their backlogs full of work. So it should come as no surprise why they struggle to make a meaningful dent in the vulnerabilities that give bad guys a pathway to break into valuable software and data. Applications are more vulnerable than ever today, and the breach statistics just keep going up.

The dilemma has application security (AppSec) pundits thinking hard about the fundamental ways today's typical AppSec program is broken. According to researchers James Wickett and Shannon Lietz, AppSec faces an epistemological problem for developers and security to figure out.  

"What's the problem? We don't even know if we're chasing the right things," said Wickett, researcher with the firm Signal Sciences. "We have to ask the question, 'Is what we're testing driving us toward finding the right issues?'" 

Wickett stepped up to the podium with Lietz last week at DevOps Enterprise Summit to describe to a developer-heavy audience why they believe organizations need to start refocusing security fix priorities based on adversary behavior—rather than sticking solely with standards like the OWASP Top 10, which often don't account for the exigencies of real-world attack patterns.  

"When we think about things from the adversary perspective, we talk about means, motives, and opportunities," said Lietz, who works as the leader and director of DevSecOps for Intuit and also was the person responsible for coining the term DevSecOps to describe the mashup of security principles and DevOps. "What's happened to the application security industry is we focus a lot on opportunities. If we can block out the opportunity, then bad guys are going to go away. But the truth is, as an industry we're not really driving those bad guys away."

Instead, the bad guys adjust and keep coming. This is a key point that people in the security world and the development community need to "sit with for a minute," Wickett said, explaining that it is incorrent to think that if developers could somehow start building a perfect system, it'll be unhackable. 

"That is a fallacy," he says.

It's this type of mentality that has built up a situation where developers have a huge backlog and no truly effective way to prioritize what they fix first. Sure, there are vulnerability characteristics—like how severe the flaw is or how critical the application is in which a given flaw is found—but most security scan data offers no context about where that flaw falls within the pantheon of most popular tactics, techniques, and procedures of the bad guys hammering applications. 

"Ultimately, what happens is we overwhelm our development partners by not focusing on the stuff that bad guys actually focus on," Lietz said. "Essentially, you got to have some way to have a conversation about what's real and what's perceived."

They suggested organizations work to come up with what they call a "Real World Top 10" for developers to get started. These top issues home in on more adversary-relevant flaws, such as those that enable common attacks, like direct object reference, forceful browsing, and null byte attacks. 

This requires security organizations to instrument for and collect telemetry that helps them determine basic patterns in adversary data to start figuring out who the top adversaries are, how they typically operate, how often they change up their TTP, how often they return to an application, and even how confidently they're operating based on how much it costs the enterprise to fix a problem.

"Most adversaries will go after your most important weakness based on how much it costs you to fix, and they know that because they know something's really deeply ingrained, how you've built your application there's actually long-term debt," Lietz explained. "They're surfing for your long-term debt just as much you're trying to get rid of it."

Ultimately, the goal is to find flaw characteristics contextualized by adversary interest. This can help the development team forecast the most important issues to fix based on adversary relevance, so they can stay ahead of the bad guys.  

"I've made a lot more friends in our developer community because I've found a way to be valuable," Lietz says. "I care deeply about making these tactics more visible, making it easier for them to digest and making it faster for developers to get them sooner in the pipeline."

Related Content:

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Hacking It as a CISO: Advice for Security Leadership
Kelly Sheridan, Staff Editor, Dark Reading,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-16137
PUBLISHED: 2020-08-12
** UNSUPPORTED WHEN ASSIGNED ** A privilege escalation issue in Cisco Unified IP Conference Station 7937G 1-4-4-0 through 1-4-5-7 allows attackers to reset the credentials for the SSH administrative console to arbitrary values. Note: We cannot prove this vulnerability exists. Out of an abundance of ...
CVE-2020-16138
PUBLISHED: 2020-08-12
** UNSUPPORTED WHEN ASSIGNED ** A denial-of-service issue in Cisco Unified IP Conference Station 7937G 1-4-4-0 through 1-4-5-7 allows attackers to remotely disable the device until it is power cycled. Note: We cannot prove this vulnerability exists. Out of an abundance of caution, this CVE is being ...
CVE-2020-16139
PUBLISHED: 2020-08-12
** UNSUPPORTED WHEN ASSIGNED ** A denial-of-service in Cisco Unified IP Conference Station 7937G 1-4-4-0 through 1-4-5-7 allows attackers restart the device remotely through sending specially crafted packets. Note: We cannot prove this vulnerability exists. Out of an abundance of caution, this CVE i...
CVE-2020-16186
PUBLISHED: 2020-08-12
A stored Cross-site scripting (XSS) vulnerability in Firco Continuity 6.2.0.0 allows remote unauthenticated attackers to inject arbitrary web script or HTML through the username field of the login page.
CVE-2020-8904
PUBLISHED: 2020-08-12
An arbitrary memory overwrite vulnerability in the trusted memory of Asylo exists in versions prior to 0.6.0. As the ecall_restore function fails to validate the range of the output_len pointer, an attacker can manipulate the tmp_output_len value and write to an arbitrary location in the trusted (en...