Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

4/1/2016
12:15 PM
50%
50%

Raising The Stakes For Application Security

Why, if we already know most everything we need to know about exploited vulnerabilities in software, do hacks keep happening?

What’s at stake when we talk about application security? Just the security and privacy of over two billion people. An easy way to visualize application security is that it encompasses everything that happens within the walls of your Web browser: when you share pictures, manage finances, conduct e-commerce, further your education, reveal deeply personal information with friends and family, and so much more online. That’s application security, and that’s how important it is. Application security is something we must get right or a great many people and companies get hurt.

Given the immensity of valuables accessible via the Web, it’s become a happy hunting ground for cyberattackers. If cybersecurity is to improve, if people and companies are to be protected, we must understand that the primary job of application security is making software secure. When you distill everything down, that’s effectively what needs to be done – securing software. Any organization may achieve this by securely coding new websites and new underlying software, AND by addressing vulnerabilities in their current websites long outside the software development life-cycle.

Let’s say this another way. It’s essential to secure both old software and new software because here’s the thing: When analyzing the plethora of incidents stemming from a lack of application security, one can quickly determine that basically every one of them was preventable. We effectively know just about everything about these exploited vulnerabilities: how to find the issues, how to fix them, and of course, how to prevent issues from existing in the first place. If this is the case, if we supposedly have all the answers, then why do hacks keep happening? This is a question I’m asked all the time and it’s a fair one.

The answer is overwhelmingly not so much a lack of knowledge, security tools, or general awareness, but instead a lack of focus on the correct area of security. Application security. Across the information security industry, the lion’s share of security budget is spent on firewalls, antivirus software, and other traditional security solutions, which do little to nothing to prevent application-layer attacks and do little to nothing to secure software. We need a wholesale shift in priorities, lest the article you’re reading right now continues to be relevant year after year – and the damage that comes with it.

There is another important application security challenge that needs to be observed: skill alignment. The skillsets of many security people are historically based in network-layer security, and they do not have direct experience in how software is built. This makes the conversation between infosec and development difficult at best, and often the groups talk past each other. It’s time for this to change! And, this conversation shouldn’t begin and end with compliance, particularly PCI-DSS, as it will only lead to disappointment and business loss.

For example, protection against the OWASP Top 10 is a requirement for PCI DSS compliance. Once security people have “checked this box,” many think it’s time to move on to the next problem. This is dangerous thinking, as the bad guys, our online adversaries, simply don’t limit themselves to the OWASP Top Ten. They are knowledgeable in dozens of techniques that aren’t on the list, and are more than happy to exploit an organization’s website via any of these avenues. This is precisely why it’s crucial that our application security strategy always keep the methods of the various classes of cyberattackers in mind.

When helping to advise companies, a regular piece of advice I share is that organizations need to invest in application security education for both software developers AND security professionals. Depending on the needs of the organization, this could be a few hour-long crash courses or a multi-day intensive training program. Understanding software security should also provide insight into how attackers are thinking. This is key because without a clear picture of how adversaries operate, it’s impossible to create an effective defense or provide any real peace of mind. Not to mention, taking the time to learn application security skills is incredibly valuable and a lot of fun. Understanding how software is secured and defended pays dividends for years to come.

Where do we go from here? In application security, while technology helps, it’s people that matter most. Look at the priorities of the business. Track where the business assets are. If you find the value revolves around Web-based software, then that’s where the majority of security focus needs to be. While experts may debate details about what specifically to do when, everyone must agree that the first step is the security of the software. The information is out there, and getting started it’s just a one search away.

Related Content:

Interop 2016 Las Vegas

Find out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Click here for pricing information and to register.

Jeremiah Grossman, Chief of Security Strategy, SentinelOne, Professional Hacker, Black Belt in Brazilian Jiu-Jitsu, & Founder of WhiteHat Security. Jeremiah Grossman's career spans nearly 20 years. He has lived a literal lifetime in computer security to become one of the ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-33347
PUBLISHED: 2021-06-18
An issue was discovered in JPress v3.3.0 and below. There are XSS vulnerabilities in the template module and tag management module. If you log in to the background by means of weak password, the storage XSS vulnerability can occur.
CVE-2021-33576
PUBLISHED: 2021-06-18
An issue was discovered in Cleo LexiCom 5.5.0.0. Within the AS2 message, the sender can specify a filename. This filename can include path-traversal characters, allowing the file to be written to an arbitrary location on disk.
CVE-2021-33577
PUBLISHED: 2021-06-18
An issue was discovered in Cleo LexiCom 5.5.0.0. The requirement for the sender of an AS2 message to identify themselves (via encryption and signing of the message) can be bypassed by changing the Content-Type of the message to text/plain.
CVE-2021-32536
PUBLISHED: 2021-06-18
The login page in the MCUsystem does not filter with special characters, which allows remote attackers can inject JavaScript without privilege and thus perform reflected XSS attacks.
CVE-2021-21669
PUBLISHED: 2021-06-18
Jenkins Generic Webhook Trigger Plugin 1.72 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.