Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

11/2/2018
08:00 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Speed Up AppSec Improvement With an Adversary-Driven Approach

Stop overwhelming developers and start using real-world attack behavior to prioritize application vulnerability fixes.

Application developers are drowning in work. Simply keeping up with business demands for new features and functionalities keeps their backlogs full of work. So it should come as no surprise why they struggle to make a meaningful dent in the vulnerabilities that give bad guys a pathway to break into valuable software and data. Applications are more vulnerable than ever today, and the breach statistics just keep going up.

The dilemma has application security (AppSec) pundits thinking hard about the fundamental ways today's typical AppSec program is broken. According to researchers James Wickett and Shannon Lietz, AppSec faces an epistemological problem for developers and security to figure out.  

"What's the problem? We don't even know if we're chasing the right things," said Wickett, researcher with the firm Signal Sciences. "We have to ask the question, 'Is what we're testing driving us toward finding the right issues?'" 

Wickett stepped up to the podium with Lietz last week at DevOps Enterprise Summit to describe to a developer-heavy audience why they believe organizations need to start refocusing security fix priorities based on adversary behavior—rather than sticking solely with standards like the OWASP Top 10, which often don't account for the exigencies of real-world attack patterns.  

"When we think about things from the adversary perspective, we talk about means, motives, and opportunities," said Lietz, who works as the leader and director of DevSecOps for Intuit and also was the person responsible for coining the term DevSecOps to describe the mashup of security principles and DevOps. "What's happened to the application security industry is we focus a lot on opportunities. If we can block out the opportunity, then bad guys are going to go away. But the truth is, as an industry we're not really driving those bad guys away."

Instead, the bad guys adjust and keep coming. This is a key point that people in the security world and the development community need to "sit with for a minute," Wickett said, explaining that it is incorrent to think that if developers could somehow start building a perfect system, it'll be unhackable. 

"That is a fallacy," he says.

It's this type of mentality that has built up a situation where developers have a huge backlog and no truly effective way to prioritize what they fix first. Sure, there are vulnerability characteristics—like how severe the flaw is or how critical the application is in which a given flaw is found—but most security scan data offers no context about where that flaw falls within the pantheon of most popular tactics, techniques, and procedures of the bad guys hammering applications. 

"Ultimately, what happens is we overwhelm our development partners by not focusing on the stuff that bad guys actually focus on," Lietz said. "Essentially, you got to have some way to have a conversation about what's real and what's perceived."

They suggested organizations work to come up with what they call a "Real World Top 10" for developers to get started. These top issues home in on more adversary-relevant flaws, such as those that enable common attacks, like direct object reference, forceful browsing, and null byte attacks. 

This requires security organizations to instrument for and collect telemetry that helps them determine basic patterns in adversary data to start figuring out who the top adversaries are, how they typically operate, how often they change up their TTP, how often they return to an application, and even how confidently they're operating based on how much it costs the enterprise to fix a problem.

"Most adversaries will go after your most important weakness based on how much it costs you to fix, and they know that because they know something's really deeply ingrained, how you've built your application there's actually long-term debt," Lietz explained. "They're surfing for your long-term debt just as much you're trying to get rid of it."

Ultimately, the goal is to find flaw characteristics contextualized by adversary interest. This can help the development team forecast the most important issues to fix based on adversary relevance, so they can stay ahead of the bad guys.  

"I've made a lot more friends in our developer community because I've found a way to be valuable," Lietz says. "I care deeply about making these tactics more visible, making it easier for them to digest and making it faster for developers to get them sooner in the pipeline."

Related Content:

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-1689
PUBLISHED: 2019-12-10
Mozilla Firefox 20.0a1 and earlier allows remote attackers to cause a denial of service (crash), related to event handling with frames.
CVE-2016-10001
PUBLISHED: 2019-12-10
inets in Erlang possibly 22.1 and earlier follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitra...
CVE-2019-6183
PUBLISHED: 2019-12-10
A denial of service vulnerability has been reported in Lenovo Energy Management Driver for Windows 10 versions prior to 15.11.29.7 that could cause systems to experience a blue screen error. Lenovo Energy Management is a client utility. Lenovo XClarity Energy Manager is not affected.
CVE-2019-6192
PUBLISHED: 2019-12-10
A potential vulnerability has been reported in Lenovo Power Management Driver versions prior to 1.67.17.48 leading to a buffer overflow which could cause a denial of service.
CVE-2019-4095
PUBLISHED: 2019-12-10
IBM Cloud Pak System 2.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 158015.