What’s at stake when we talk about application security? Just the security and privacy of over two billion people. An easy way to visualize application security is that it encompasses everything that happens within the walls of your Web browser: when you share pictures, manage finances, conduct e-commerce, further your education, reveal deeply personal information with friends and family, and so much more online. That’s application security, and that’s how important it is. Application security is something we must get right or a great many people and companies get hurt.
Given the immensity of valuables accessible via the Web, it’s become a happy hunting ground for cyberattackers. If cybersecurity is to improve, if people and companies are to be protected, we must understand that the primary job of application security is making software secure. When you distill everything down, that’s effectively what needs to be done – securing software. Any organization may achieve this by securely coding new websites and new underlying software, AND by addressing vulnerabilities in their current websites long outside the software development life-cycle.
Let’s say this another way. It’s essential to secure both old software and new software because here’s the thing: When analyzing the plethora of incidents stemming from a lack of application security, one can quickly determine that basically every one of them was preventable. We effectively know just about everything about these exploited vulnerabilities: how to find the issues, how to fix them, and of course, how to prevent issues from existing in the first place. If this is the case, if we supposedly have all the answers, then why do hacks keep happening? This is a question I’m asked all the time and it’s a fair one.
The answer is overwhelmingly not so much a lack of knowledge, security tools, or general awareness, but instead a lack of focus on the correct area of security. Application security. Across the information security industry, the lion’s share of security budget is spent on firewalls, antivirus software, and other traditional security solutions, which do little to nothing to prevent application-layer attacks and do little to nothing to secure software. We need a wholesale shift in priorities, lest the article you’re reading right now continues to be relevant year after year – and the damage that comes with it.
There is another important application security challenge that needs to be observed: skill alignment. The skillsets of many security people are historically based in network-layer security, and they do not have direct experience in how software is built. This makes the conversation between infosec and development difficult at best, and often the groups talk past each other. It’s time for this to change! And, this conversation shouldn’t begin and end with compliance, particularly PCI-DSS, as it will only lead to disappointment and business loss.
For example, protection against the OWASP Top 10 is a requirement for PCI DSS compliance. Once security people have “checked this box,” many think it’s time to move on to the next problem. This is dangerous thinking, as the bad guys, our online adversaries, simply don’t limit themselves to the OWASP Top Ten. They are knowledgeable in dozens of techniques that aren’t on the list, and are more than happy to exploit an organization’s website via any of these avenues. This is precisely why it’s crucial that our application security strategy always keep the methods of the various classes of cyberattackers in mind.
When helping to advise companies, a regular piece of advice I share is that organizations need to invest in application security education for both software developers AND security professionals. Depending on the needs of the organization, this could be a few hour-long crash courses or a multi-day intensive training program. Understanding software security should also provide insight into how attackers are thinking. This is key because without a clear picture of how adversaries operate, it’s impossible to create an effective defense or provide any real peace of mind. Not to mention, taking the time to learn application security skills is incredibly valuable and a lot of fun. Understanding how software is secured and defended pays dividends for years to come.
Where do we go from here? In application security, while technology helps, it’s people that matter most. Look at the priorities of the business. Track where the business assets are. If you find the value revolves around Web-based software, then that’s where the majority of security focus needs to be. While experts may debate details about what specifically to do when, everyone must agree that the first step is the security of the software. The information is out there, and getting started it’s just a one search away.