Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

4/1/2016
12:15 PM
50%
50%

Raising The Stakes For Application Security

Why, if we already know most everything we need to know about exploited vulnerabilities in software, do hacks keep happening?

What’s at stake when we talk about application security? Just the security and privacy of over two billion people. An easy way to visualize application security is that it encompasses everything that happens within the walls of your Web browser: when you share pictures, manage finances, conduct e-commerce, further your education, reveal deeply personal information with friends and family, and so much more online. That’s application security, and that’s how important it is. Application security is something we must get right or a great many people and companies get hurt.

Given the immensity of valuables accessible via the Web, it’s become a happy hunting ground for cyberattackers. If cybersecurity is to improve, if people and companies are to be protected, we must understand that the primary job of application security is making software secure. When you distill everything down, that’s effectively what needs to be done – securing software. Any organization may achieve this by securely coding new websites and new underlying software, AND by addressing vulnerabilities in their current websites long outside the software development life-cycle.

Let’s say this another way. It’s essential to secure both old software and new software because here’s the thing: When analyzing the plethora of incidents stemming from a lack of application security, one can quickly determine that basically every one of them was preventable. We effectively know just about everything about these exploited vulnerabilities: how to find the issues, how to fix them, and of course, how to prevent issues from existing in the first place. If this is the case, if we supposedly have all the answers, then why do hacks keep happening? This is a question I’m asked all the time and it’s a fair one.

The answer is overwhelmingly not so much a lack of knowledge, security tools, or general awareness, but instead a lack of focus on the correct area of security. Application security. Across the information security industry, the lion’s share of security budget is spent on firewalls, antivirus software, and other traditional security solutions, which do little to nothing to prevent application-layer attacks and do little to nothing to secure software. We need a wholesale shift in priorities, lest the article you’re reading right now continues to be relevant year after year – and the damage that comes with it.

There is another important application security challenge that needs to be observed: skill alignment. The skillsets of many security people are historically based in network-layer security, and they do not have direct experience in how software is built. This makes the conversation between infosec and development difficult at best, and often the groups talk past each other. It’s time for this to change! And, this conversation shouldn’t begin and end with compliance, particularly PCI-DSS, as it will only lead to disappointment and business loss.

For example, protection against the OWASP Top 10 is a requirement for PCI DSS compliance. Once security people have “checked this box,” many think it’s time to move on to the next problem. This is dangerous thinking, as the bad guys, our online adversaries, simply don’t limit themselves to the OWASP Top Ten. They are knowledgeable in dozens of techniques that aren’t on the list, and are more than happy to exploit an organization’s website via any of these avenues. This is precisely why it’s crucial that our application security strategy always keep the methods of the various classes of cyberattackers in mind.

When helping to advise companies, a regular piece of advice I share is that organizations need to invest in application security education for both software developers AND security professionals. Depending on the needs of the organization, this could be a few hour-long crash courses or a multi-day intensive training program. Understanding software security should also provide insight into how attackers are thinking. This is key because without a clear picture of how adversaries operate, it’s impossible to create an effective defense or provide any real peace of mind. Not to mention, taking the time to learn application security skills is incredibly valuable and a lot of fun. Understanding how software is secured and defended pays dividends for years to come.

Where do we go from here? In application security, while technology helps, it’s people that matter most. Look at the priorities of the business. Track where the business assets are. If you find the value revolves around Web-based software, then that’s where the majority of security focus needs to be. While experts may debate details about what specifically to do when, everyone must agree that the first step is the security of the software. The information is out there, and getting started it’s just a one search away.

Related Content:

Interop 2016 Las Vegas

Find out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Click here for pricing information and to register.

Jeremiah Grossman, Chief of Security Strategy, SentinelOne, Professional Hacker, Black Belt in Brazilian Jiu-Jitsu, & Founder of WhiteHat Security. Jeremiah Grossman's career spans nearly 20 years. He has lived a literal lifetime in computer security to become one of the ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
How to Think Like a Hacker
Dr. Giovanni Vigna, Chief Technology Officer at Lastline,  10/10/2019
7 SMB Security Tips That Will Keep Your Company Safe
Steve Zurier, Contributing Writer,  10/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17607
PUBLISHED: 2019-10-16
HongCMS 3.0.0 has XSS via the install/index.php servername parameter.
CVE-2019-17608
PUBLISHED: 2019-10-16
HongCMS 3.0.0 has XSS via the install/index.php dbname parameter.
CVE-2019-17609
PUBLISHED: 2019-10-16
HongCMS 3.0.0 has XSS via the install/index.php dbusername parameter.
CVE-2019-17610
PUBLISHED: 2019-10-16
HongCMS 3.0.0 has XSS via the install/index.php dbpassword parameter.
CVE-2019-17611
PUBLISHED: 2019-10-16
HongCMS 3.0.0 has XSS via the install/index.php tableprefix parameter.