Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

News & Commentary

2/9/2016
01:30 PM
Kunal Anand
Kunal Anand
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

How (And Why) AppSec Is Important To Your Business

WhiteHat founder Jeremiah Grossman and Prevoty founder & CTO Kunal Anand share their perspectives on the past and future of application security.

At the OWASP Conference in San Francisco, WhiteHat Founder Jeremiah Grossman and Prevoty founder & CTO Kunal Anand discussed the importance of application security, the most critical AppSec vulnerability, and how two name-brand companies influenced their views and careers. 

Second in a series of Dark Reading interviews with cybersecurity experts by cybersecurity experts.

Kunal Anand: Why are companies doing such a bad job fixing vulnerabilities?

Jeremiah Grossman: Really, most of the time, it comes down to just a raw development environment ROI. [CIOs/CSO] have a choice to make, a very difficult choice. Do they create revenue-generating features that if they don't ship, will for a fact, cost the company money or do they decide to use those limited development resources they have to fix vulnerabilities that might get exploited and might cause the company money.

KA: I think about legacy applications as a brush fire waiting to happen. The thing that we noticed is that legacy applications have lots of problems -- and the developers who worked on them aren't at the company anymore. There are no budgets associated with it. No one knows in some cases where that code even is. It's just this thing that's running in a production environment.

KA:  What would you say has been the biggest change in application security over the last five years, or even 10 years?

JG: I think the biggest change in the threat landscape is SQL injection, which first came on the scene Christmas day 1998. Today, it’s the vulnerability that's causing us the most grief. Bad guys didn't start using it really until about 2005 or so, or maybe even 2007, [and] we've had the vulnerabilities in websites for 10, 15 years or more. We've all known [about] it, but a lot of us [who’ve] been around in application security for a while, were always wondering when [SQL injection attacks were] actually going to happen. Well, they happened [within] the last three to five years.

KA: What are you seeing from the boardroom? Are board members starting to care more about security?

JG: It's only been in the last 18 months that there actually seems to be board-level interest. I'm getting pinged, "Can you come talk to our board about this cyber security stuff and explain the landscape?" They want to know what questions to ask, how to read the answers and those sorts of things. I think the reason is because the losses are now very big. I mean $100 million plus lawsuits. CEOs getting fired. Class action lawsuits.                           

KA: Applications are the center of everything and you could argue that applications are your business. Is it [too] much of a stretch to say an attack on your applications is an attack on your business?

JG: It's probably pretty close. If the business asks, “If we turned off the website, how much of our business would go away? Then you'll know [from the answer] what the apps mean to your business. For some companies, it's 5%. Some none. Some, it's everything. 

KA: How did you get started in application security? 

JG: Application security found me, I didn't choose it. One day, summer '99, somebody had found vulnerabilities in Yahoo, eBay and Amazon and I couldn't figure out why this was newsworthy because I thought everybody already knew websites have little bombs and that no one exactly knew how to secure them.

Everybody has hobbies. Paint pictures. Play video games. I break software. That's what I do. Because of the vulnerability in Yahoo mail, I went home and I signed up for a new Yahoo mail account and then I proceeded to hack into my own Yahoo mail account.  It took me about 50 minutes and in a way I guess you could say I was breaking into 120 million other people's Yahoo account.  I told Yahoo what I found. I sent them an e-mail anonymously and they reported back saying, "Thank you very much. Let us know if we can send you a t-shirt." For me that was awesome. I was in cloud nine. I get to hack in Yahoo and get a t-shirt. It's great and they said, "Let us know if you find out any more." I said, okay, and by another week goes by, I dropped another half dozen issues on them.

I was curious about who I was communicating with over there and (found out) it was one of the two founders of Yahoo, who was David Filo, and I was blown away. Those emails actually led to a job at Yahoo doing what I do for the rest of Yahoo. Web security wasn't a term back then. Application security wasn't a term back then and so, that was really, really the start of the industry and the start of my career.

KA: My start in application security is totally different. I had no concept of application security or security at all. I started off my career at NASA GPL and I worked there as a software engineer across lots of different projects. There was a big company in Los Angeles that was up and coming: MySpace. I always have a hard time when looking people in the eye and telling with a straight face that I went from NASA to MySpace.

At that time, the Samy worm had already happened. Security was obviously an issue at MySpace, and so I jumped in and Dan Kaminsky taught me everything about application security. I did not know anything at all about cross-site scripting, SQL injection. Dan and I worked together to try and eradicate cross scripting for MySpace, building filters, security tools and that was my first exposure to application security.

JG: With security, it's not enough to find one vulnerability, you have to find all vulnerabilities at all times, because you know that you're going to get hacked and you're the web security guy and that's not a good fun position to be in.

At WhiteHat, we scan lots and lots of websites. We find oodles of vulnerabilities and, statistically, only half the issues for good reasons or bad reasons, we can abate. But only half the vulnerabilities get fixed and the ones that do get fixed, take between two and six months on average to get fixed. Remediation is a major problem. It's not enough for WhiteHat or anybody else just to find problems if they're never [going to] get fixed. 

Video of the complete Q&A can be viewed here

More on this topic: 

 

Interop 2016 Las VegasFind out more about security at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Kunal Anand is Imperva's Chief Technology Officer (CTO). Kunal joined Imperva when Prevoty, a company he co-founded in 2013 and where he served as CTO, was acquired by Imperva in August 2018. Before joining Prevoty, he was the director of technology at BBC Worldwide. Kunal ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11976
PUBLISHED: 2020-08-11
By crafting a special URL it is possible to make Wicket deliver unprocessed HTML templates. This would allow an attacker to see possibly sensitive information inside a HTML template that is usually removed during rendering. Affected are Apache Wicket versions 7.16.0, 8.8.0 and 9.0.0-M5
CVE-2020-13179
PUBLISHED: 2020-08-11
Broker Protocol messages in Teradici PCoIP Standard Agent for Windows and Graphics Agent for Windows prior to 20.04.1 are not cleaned up in server memory, which may allow an attacker to read confidential information from a memory dump via forcing a crashing during the single sign-on procedure.
CVE-2020-8918
PUBLISHED: 2020-08-11
An improperly initialized 'migrationAuth' value in Google's go-tpm TPM1.2 library versions prior to 0.3.0 can lead an eavesdropping attacker to discover the auth value for a key created with CreateWrapKey. An attacker listening in on the channel can collect both 'encUsageAuth' and 'encMigrationAuth'...
CVE-2020-9244
PUBLISHED: 2020-08-11
HUAWEI Mate 20 versions Versions earlier than 10.1.0.160(C00E160R3P8);HUAWEI Mate 20 Pro versions Versions earlier than 10.1.0.270(C431E7R1P5),Versions earlier than 10.1.0.270(C635E3R1P5),Versions earlier than 10.1.0.273(C636E7R2P4);HUAWEI Mate 20 X versions Versions earlier than 10.1.0.160(C00E160R...
CVE-2020-9403
PUBLISHED: 2020-08-11
In PACTware before 4.1 SP6 and 5.x before 5.0.5.31, passwords are stored in a recoverable format, and may be retrieved by any user with access to the PACTware workstation.