In my previous post, we talked about the basics of application security and how only 60% of corporations have implemented a DAST tool set. The scary part is that most corporations who are implementing basic application level security start with DAST. What this really means is that only 60% of corporations have even started to implement basic application security principles. Obviously, some companies are much further along and have implemented other technologies such as SAST, glass box testing, and secure coding guidelines, but these are the minority.
The real problem is that there really isn’t any common ground between programmers and IT security. For years, IT Security departments across the globe have been focused on hardware and network security. They are generally only concerned with how hackers can get into their network and cause harm to systems or gather data from a system that they have hacked. The “hackerscape”, if you will, is changing. Hackers are spending much less time now looking for open ports on a server and trying to penetrate the network from a weak point.
Hackers have learned that it is much easier to get access to a particular application and then find a weak point in the application. In most cases, they don’t even need to get access; they can get it from a public facing website. At this point, organizations face much bigger problems. The biggest is that they are not coding with security in mind. Programmers don’t think to sanitize input to prevent SQL injection, to remove hardcoded paths, to separate private and public data in the database… You get the idea: programmers don’t know about and generally don’t care about security. Those who do are either rare, or belong to one of the companies that are doing great with application security.
Many of you might be thinking at this point, “but that’s what our firewalls are for.” A firewall helps to keep people out of your network, but no network level security can prevent attacks such as SQL injection, cross site scripting, and cross site request forgery. OWASP just released their annual Top 10 list of web vulnerabilities the other day and you’ll notice that injection is the number one risk, and actually has been for as long as I’ve been watching OWASP. All in all, SQL injection in particular is not all that hard to remediate through secure coding guidelines, much easier than XSS in my opinion. This tells me a few things: security generally isn’t concerned with apps, programmers aren’t concerned with security, and there is no communication between the two.
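To show what “remediate through secure coding guidelines” looks like in practice, here is an added example (not from the original post): the same user lookup written once with string concatenation and once with a bound parameter, run against a constructed in-memory SQLite table so the difference in behaviour is visible.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for an application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_concatenated(conn, username):
    """Vulnerable form: the input is pasted into the SQL text, so quote
    characters in the input change the structure of the query."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn, username):
    """Remediated form: the SQL text is fixed and the driver binds the input
    as a value, so the input is only ever compared as a literal string."""
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


def demo():
    """Run both forms on a benign name and on a constructed input that
    contains SQL metacharacters, and return the four result sets."""
    conn = make_db()
    benign = "bob"
    crafted = "' OR '1'='1"  # constructed input; note the embedded quotes
    return {
        "concat_benign": lookup_concatenated(conn, benign),
        "concat_crafted": lookup_concatenated(conn, crafted),
        "param_benign": lookup_parameterized(conn, benign),
        "param_crafted": lookup_parameterized(conn, crafted),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The concatenated query returns every row for the crafted input because the quotes rewrite its WHERE clause, while the parameterized query returns nothing, since no user is literally named `' OR '1'='1`.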
Finally, we get to the point of this article: how do we fix this problem? The fix is simple, you must have a convergence between security and programming. Every organization needs at least one programmer in their IT Security department, rather than the traditional network engineer. That person needs to be trained to understand security, but also keep their programming skill set. Tools, such as DAST, are not very useful if the person using the tool does not understand the code output and the programmer speak that is mixed in with all of the technology. You also need someone who can serve as an ambassador to the programmers in the company to educate them on security, get them using these technologies, and get them to embrace some secure coding guidelines.
I think that’s about all I have to say about that. If you have any opinions on the subject, particularly if they differ from mine, feel free to drop a comment. We can all learn from this!