Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

10/29/2018
10:30 AM
Matt Rose
Matt Rose
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

AppSec Is Dead, but Software Security Is Alive & Well

Application security must be re-envisioned to support software security. It's time to shake up your processes.

There's no denying that an enterprise's application ecosystem must be protected, especially when the average total cost of a breach comes in at $3.62 million. But thwarting increasingly severe and frequent threats requires a holistic approach to security, one that places emphasis on managing not only application vulnerabilities but all software exposure.

In fact, the term "application security" should be removed from an organization's vocabulary and replaced with the broader term "software security." Software serves as the backbone to much of the digital transformation taking place within organizations today, which means it's time for CIOs, security leaders, and DevOps roles to come together and understand that the approach to securing software needs to evolve as well.

Mobile, cloud, the Internet of Things, microservices, and artificial intelligence, for example, have made software more complex. However, the emphasis remains focused on speed over security, disregarding the DevOps process, sometimes entirely. Historically, traditional security approaches have slowed the speed of development by acting as deliberate benchmarks that developers must "check off" in order to resume coding activities.

This alone gives essential security practices a bad reputation within an organization, but it also adds to the misguided stigma that developers are a source of the issue. Suddenly, you have a divided force that opens an enterprise up to software exposure. We see careless oversights and avoidable mistakes being made throughout all stages of the software development life cycle (SDLC). Addressing complex software development and related vulnerabilities requires a shift away from a siloed security approach to one that encompasses software as a whole and integrates it from the start of the SDLC.

Let's review the definitions of software and applications. Software is "organized information in the form of operating systems, utilities, programs, and applications that enable computers to work"; an application is "a program or group of programs designed for end users and written to fulfill a particular purpose of the user." We tend to use the word application as a simple way of talking about user interfaces. But really, the security of an app extends well beyond the UI to include back-end systems and integrations.

Based on the definitions above, the following statements apply:

  1. Software is the umbrella for anything written in code; an application is a component of software and just as vulnerable.
  2. Applications allow a user to perform a task or activity while software executes that task or activity.
  3. Application security came about as initial security testing focused on testing a running application, much like quality assurance testing, and ignored the back-end software components.
  4. If something is written in a coding language, then it needs to be tested to ensure it is secure. All software is written in a coding language.
  5. Software is the ecosystem of technology while applications are the entry point into that ecosystem.

Today, the complexity of software certainly perpetuates the security problems we're facing. Organizations such as Panera, Facebook, and Lord & Taylor, to name a few, have learned the hard way that vulnerabilities within an application often signal greater software exposure because, at the end of the day, an attack or hack implicates both. And with the one-year anniversary of Equifax mega breach just behind us, it's a stark reminder that we need to understand what's in a software stack. In the case of Equifax, an exploited vulnerability in the popular open source web software Apache Struts led to the compromise of almost 150 million people's personal information. There's much work to be done to improve the state of software security.

These four priorities are a good place to start:

  1. Organizations need to move beyond the barriers and limitations of traditional gated security approaches and move to a new era of full visibility and control over their software exposure at any stage of the development life cycle.
  2. Proper and consistent training should be funded and provided across entire organizations.
  3. Remediation efforts need to be made into actionable insights that address vulnerabilities within the entire SDLC.
  4. Everyone that touches software and participates in the security of it needs to be forward thinking, forgetting the typical nuances of the past.

Long gone are the days where organizations could be unprepared for and caught off-guard by compromised data and other cyber-incident damage. Attacks are only going to grow in frequency and complexity, as will software itself. As such, application security must be re-envisioned to support software security. AppSec is dead. Software security is alive and well.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Matt has over 18 years of software development, sales, engineering management and consulting experience. Matt has helped some of the largest organizations in the world in a variety of industries, regions and technical environments implement secure software development life ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
John160
50%
50%
John160,
User Rank: Apprentice
1/22/2019 | 6:08:19 AM
Ignorance
The author clearly has no idea about what he is writing. Application security is much more than the author described and it is just a silly thing to discard what has already been done in the area (and it successfully done). there is nothing worth reading and taking into consideration in this article. Hopefully experts like Matt Rose won't be affecting the state of application security
scarabeetle
50%
50%
scarabeetle,
User Rank: Author
11/8/2018 | 8:52:36 AM
S-SDLC is key
Software security IS the right path.  I agree with the previous commenter that having the static and dynamic testing built-in to the build process that keeps security testing proactive, rather than reactive (after deployment) is key.  
username007
100%
0%
username007,
User Rank: Strategist
10/29/2018 | 12:33:37 PM
Wait what?
I stopped doing Application Security about a year ago mostly due to the burn out of working with new kids being taught in school the insecure way to code all the way to the old school dev that has been coding since the Com64 thinking "if it ain't broke don't fix it"; however the point here is I have been doing this for some time too.

Now, Matt Rose seems to think that for whatever reason the industry should shake what it has already worked so hard on and just throw it away. Software Security is not the same thing as Application Security. They can NOT be intermingled and they are in so way similiar. Building an application, something an end-user actually uses, should not be treated the same way the back end database gets built. One gets handled with configuration management, I.E. company policies on how something should be configured and can be audited easily, while the other is handled with vulnerability management, I.E. with reactive response such as code review, penetration testing, or vulnerability scanning.

DevOps and Agile do not have the time that security needs to do all of our checking. So with that, Security needs to be baked into the SDLC process, not bolted on like some crap Captcha. Individuals that show the aptitude, need to be dubed security champions within their team, to help make sure best coding practices are followed.

We, as senior staff, need to stop trying to change things just for the sake of change or because we learned new words and think they need to go in a different order. This post wreaks of someone living in the Waterfall days, knowing just enough about security to cause more harm than good.

AppSec is not dead, but arrogance over how it should be handled needs to be.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Attacker Dwell Time: Ransomware's Most Important Metric
Ricardo Villadiego, Founder and CEO of Lumu,  9/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25288
PUBLISHED: 2020-09-30
An issue was discovered in MantisBT before 2.24.3. When editing an Issue in a Project where a Custom Field with a crafted Regular Expression property is used, improper escaping of the corresponding form input's pattern attribute allows HTML injection and, if CSP settings permit, execution of arbitra...
CVE-2020-25781
PUBLISHED: 2020-09-30
An issue was discovered in file_download.php in MantisBT before 2.24.3. Users without access to view private issue notes are able to download the (supposedly private) attachments linked to these notes by accessing the corresponding file download URL directly.
CVE-2020-25830
PUBLISHED: 2020-09-30
An issue was discovered in MantisBT before 2.24.3. Improper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when attempting to update said custom field via bug_actiongroup_page.php.
CVE-2020-26159
PUBLISHED: 2020-09-30
In Oniguruma 6.9.5_rev1, an attacker able to supply a regular expression for compilation may be able to overflow a buffer by one byte in concat_opt_exact_str in src/regcomp.c .
CVE-2020-6654
PUBLISHED: 2020-09-30
A DLL Hijacking vulnerability in Eaton's 9000x Programming and Configuration Software v 2.0.38 and prior allows an attacker to execute arbitrary code by replacing the required DLLs with malicious DLLs when the software try to load vci11un6.DLL and cinpl.DLL.