Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

12:15 PM

Raising The Stakes For Application Security

Why, if we already know most everything we need to know about exploited vulnerabilities in software, do hacks keep happening?

What’s at stake when we talk about application security? Just the security and privacy of over two billion people. An easy way to visualize application security is that it encompasses everything that happens within the walls of your Web browser: when you share pictures, manage finances, conduct e-commerce, further your education, reveal deeply personal information with friends and family, and so much more online. That’s application security, and that’s how important it is. Application security is something we must get right or a great many people and companies get hurt.

Given the immensity of valuables accessible via the Web, it’s become a happy hunting ground for cyberattackers. If cybersecurity is to improve, if people and companies are to be protected, we must understand that the primary job of application security is making software secure. When you distill everything down, that’s effectively what needs to be done – securing software. Any organization may achieve this by securely coding new websites and new underlying software, AND by addressing vulnerabilities in their current websites long outside the software development life-cycle.

Let’s say this another way. It’s essential to secure both old software and new software because here’s the thing: When analyzing the plethora of incidents stemming from a lack of application security, one can quickly determine that basically every one of them was preventable. We effectively know just about everything about these exploited vulnerabilities: how to find the issues, how to fix them, and of course, how to prevent issues from existing in the first place. If this is the case, if we supposedly have all the answers, then why do hacks keep happening? This is a question I’m asked all the time and it’s a fair one.

The answer is overwhelmingly not so much a lack of knowledge, security tools, or general awareness, but instead a lack of focus on the correct area of security. Application security. Across the information security industry, the lion’s share of security budget is spent on firewalls, antivirus software, and other traditional security solutions, which do little to nothing to prevent application-layer attacks and do little to nothing to secure software. We need a wholesale shift in priorities, lest the article you’re reading right now continues to be relevant year after year – and the damage that comes with it.

There is another important application security challenge that needs to be observed: skill alignment. The skillsets of many security people are historically based in network-layer security, and they do not have direct experience in how software is built. This makes the conversation between infosec and development difficult at best, and often the groups talk past each other. It’s time for this to change! And, this conversation shouldn’t begin and end with compliance, particularly PCI-DSS, as it will only lead to disappointment and business loss.

For example, protection against the OWASP Top 10 is a requirement for PCI DSS compliance. Once security people have “checked this box,” many think it’s time to move on to the next problem. This is dangerous thinking, as the bad guys, our online adversaries, simply don’t limit themselves to the OWASP Top Ten. They are knowledgeable in dozens of techniques that aren’t on the list, and are more than happy to exploit an organization’s website via any of these avenues. This is precisely why it’s crucial that our application security strategy always keep the methods of the various classes of cyberattackers in mind.

When helping to advise companies, a regular piece of advice I share is that organizations need to invest in application security education for both software developers AND security professionals. Depending on the needs of the organization, this could be a few hour-long crash courses or a multi-day intensive training program. Understanding software security should also provide insight into how attackers are thinking. This is key because without a clear picture of how adversaries operate, it’s impossible to create an effective defense or provide any real peace of mind. Not to mention, taking the time to learn application security skills is incredibly valuable and a lot of fun. Understanding how software is secured and defended pays dividends for years to come.

Where do we go from here? In application security, while technology helps, it’s people that matter most. Look at the priorities of the business. Track where the business assets are. If you find the value revolves around Web-based software, then that’s where the majority of security focus needs to be. While experts may debate details about what specifically to do when, everyone must agree that the first step is the security of the software. The information is out there, and getting started it’s just a one search away.

Related Content:

Interop 2016 Las Vegas

Find out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Click here for pricing information and to register.

Jeremiah Grossman, Chief of Security Strategy, SentinelOne, Professional Hacker, Black Belt in Brazilian Jiu-Jitsu, & Founder of WhiteHat Security. Jeremiah Grossman's career spans nearly 20 years. He has lived a literal lifetime in computer security to become one of the ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-06
An issue exists on NightOwl WDB-20-V2 WDB-20-V2_20190314 devices that allows an unauthenticated user to gain access to snapshots and video streams from the doorbell. The binary app offers a web server on port 80 that allows an unauthenticated user to take a snapshot from the doorbell camera via the ...
PUBLISHED: 2021-05-06
An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a syst...
PUBLISHED: 2021-05-06
A flaw was found in tripleo-ansible version as shipped in Red Hat Openstack 16.1. The Ansible log file is readable to all users during stack update and creation. The highest threat from this vulnerability is to data confidentiality.
PUBLISHED: 2021-05-06
ModSecurity 3.x before 3.0.4 mishandles key-value pair parsing, as demonstrated by a "string index out of range" error and worker-process crash for a "Cookie: =abc" header.
PUBLISHED: 2021-05-06
Cross Site Request Forgery (CSRF) vulnerability in puppyCMS v5.1 that can change the admin's password via /admin/settings.php.