Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

4/1/2016
12:15 PM
50%
50%

Raising The Stakes For Application Security

Why, if we already know most everything we need to know about exploited vulnerabilities in software, do hacks keep happening?

What’s at stake when we talk about application security? Just the security and privacy of over two billion people. An easy way to visualize application security is that it encompasses everything that happens within the walls of your Web browser: when you share pictures, manage finances, conduct e-commerce, further your education, reveal deeply personal information with friends and family, and so much more online. That’s application security, and that’s how important it is. Application security is something we must get right or a great many people and companies get hurt.

Given the immensity of valuables accessible via the Web, it’s become a happy hunting ground for cyberattackers. If cybersecurity is to improve, if people and companies are to be protected, we must understand that the primary job of application security is making software secure. When you distill everything down, that’s effectively what needs to be done – securing software. Any organization may achieve this by securely coding new websites and new underlying software, AND by addressing vulnerabilities in their current websites long outside the software development life-cycle.

Let’s say this another way. It’s essential to secure both old software and new software because here’s the thing: When analyzing the plethora of incidents stemming from a lack of application security, one can quickly determine that basically every one of them was preventable. We effectively know just about everything about these exploited vulnerabilities: how to find the issues, how to fix them, and of course, how to prevent issues from existing in the first place. If this is the case, if we supposedly have all the answers, then why do hacks keep happening? This is a question I’m asked all the time and it’s a fair one.

The answer is overwhelmingly not so much a lack of knowledge, security tools, or general awareness, but instead a lack of focus on the correct area of security. Application security. Across the information security industry, the lion’s share of security budget is spent on firewalls, antivirus software, and other traditional security solutions, which do little to nothing to prevent application-layer attacks and do little to nothing to secure software. We need a wholesale shift in priorities, lest the article you’re reading right now continues to be relevant year after year – and the damage that comes with it.

There is another important application security challenge that needs to be observed: skill alignment. The skillsets of many security people are historically based in network-layer security, and they do not have direct experience in how software is built. This makes the conversation between infosec and development difficult at best, and often the groups talk past each other. It’s time for this to change! And, this conversation shouldn’t begin and end with compliance, particularly PCI-DSS, as it will only lead to disappointment and business loss.

For example, protection against the OWASP Top 10 is a requirement for PCI DSS compliance. Once security people have “checked this box,” many think it’s time to move on to the next problem. This is dangerous thinking, as the bad guys, our online adversaries, simply don’t limit themselves to the OWASP Top Ten. They are knowledgeable in dozens of techniques that aren’t on the list, and are more than happy to exploit an organization’s website via any of these avenues. This is precisely why it’s crucial that our application security strategy always keep the methods of the various classes of cyberattackers in mind.

When helping to advise companies, a regular piece of advice I share is that organizations need to invest in application security education for both software developers AND security professionals. Depending on the needs of the organization, this could be a few hour-long crash courses or a multi-day intensive training program. Understanding software security should also provide insight into how attackers are thinking. This is key because without a clear picture of how adversaries operate, it’s impossible to create an effective defense or provide any real peace of mind. Not to mention, taking the time to learn application security skills is incredibly valuable and a lot of fun. Understanding how software is secured and defended pays dividends for years to come.

Where do we go from here? In application security, while technology helps, it’s people that matter most. Look at the priorities of the business. Track where the business assets are. If you find the value revolves around Web-based software, then that’s where the majority of security focus needs to be. While experts may debate details about what specifically to do when, everyone must agree that the first step is the security of the software. The information is out there, and getting started it’s just a one search away.

Related Content:

Interop 2016 Las Vegas

Find out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Click here for pricing information and to register.

Jeremiah Grossman, Chief of Security Strategy, SentinelOne, Professional Hacker, Black Belt in Brazilian Jiu-Jitsu, & Founder of WhiteHat Security. Jeremiah Grossman's career spans nearly 20 years. He has lived a literal lifetime in computer security to become one of the ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Manchester United Suffers Cyberattack
Dark Reading Staff 11/23/2020
As 'Anywhere Work' Evolves, Security Will Be Key Challenge
Robert Lemos, Contributing Writer,  11/23/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-29144
PUBLISHED: 2020-11-27
In Ericsson BSCS iX R18 Billing & Rating iX R18, MX is a web base module in BSCS iX that is vulnerable to stored XSS via an Alert Dashboard comment. In most test cases, session hijacking was also possible by utilizing the XSS vulnerability. This potentially allows for full account takeover, or e...
CVE-2020-29145
PUBLISHED: 2020-11-27
In Ericsson BSCS iX R18 Billing & Rating iX R18, ADMX is a web base module in BSCS iX that is vulnerable to stored XSS via the name or description field to a solutionUnitServlet?SuName=UserReferenceDataSU Access Rights Group. In most test cases, session hijacking was also possible by utilizing t...
CVE-2020-29136
PUBLISHED: 2020-11-27
In cPanel before 90.0.17, 2FA can be bypassed via a brute-force approach (SEC-575).
CVE-2020-29137
PUBLISHED: 2020-11-27
cPanel before 90.0.17 allows self-XSS via the WHM Transfer Tool interface (SEC-577).
CVE-2020-29135
PUBLISHED: 2020-11-27
cPanel before 90.0.17 has multiple instances of URL parameter injection (SEC-567).