By Dan Corsberg
This is a call to action…all hands on deck so to speak (my submariner past coming to the fore).
According to the National Institute of Standards, 92% of all security vulnerabilities are now considered application vulnerabilities and not network vulnerabilities. From TJX to Heartland, companies are paying hundreds of millions of dollars to learn this. On a personal level, most of us have been notified that some aspect of our digital fingerprint (SSN, credit card numbers, checking accounts, etc.) has been compromised. In many cases the root cause is bad design, implementation, operation, and/or maintenance of software applications.
From a developer’s perspective, this should be very unsettling because we as a community are, to a large extent, a part of the problem rather than the solution. After all, who else designs, implements, tests, and deploys these suspect applications? After teaching application security to developers for a number of years, I can attest to how difficult it is for us to change our thinking. That change is not optional. Either we change or the software development will be done elsewhere by others.
What is the biggest inhibitor to this change? Think about the applications that you are working on. Have you been taking a strong, proactive approach to addressing security? If not, why not?
Your answer may be the same as countless developers have given to us over the years:
· My application is behind a firewall (or several firewalls).
· My application is on a secure network.
· My application is not external facing – no web access.
· We trust our clients, so there is no problem.
According to the Identity Theft Resource Center, out of the more than 120 million compromised records in 2007, network security lapses caused only 137,000 of the compromised assets. The fallacies of depending on a single perimeter defense are many. For example,
- One compromise and the attacker is inside the soft internals of your infrastructure.
- Traditionally, internal employees and others with elevated privileges (allowing them to bypass that perimeter defense) are the most significant source of attacks.
- New channels, technologies, and techniques are continually emerging to enable greater access to information and functionality – these also increase our attack surface and risks.
So, what can be done?
Secure thinking skills:
You and your teams need to recognize potential security vulnerabilities in software design and in code.
Secure programming skills:
You and your teams need to practice secure coding techniques and development methods. These skills will enable you to avoid creating security vulnerabilities, to recognize existing vulnerabilities, and to consider alternatives for closing existing holes.
So where can you go to get a jump start on learning and developing these skills?
Of course, we are in the business of training and would welcome the opportunity to help your cause. However, there are other places to go (starting with the remainder of this article).
A primary and valuable information source is the Open Web Application Security Project (OWASP). OWASP is an open-source application security project not affiliated with any technology company. The OWASP community supports the informed use of security technology. This community includes corporations, educational organizations, and individuals active internationally. Take a few minutes to visit the OWASP website (OWASP.org). You will find detailed and current information on a wide variety of topics. Of particular interest is the “A Guide to Building Secure Web Applications and Web Services 3.0 Black Hat Edition”. Do not shy away from this document if you are not working on web applications. The vulnerabilities and attacks that are discussed in this free document can easily exist in backend database applications and virtually any legacy application (often these were not written with security in mind and are now being exposed to attack on an increasing basis).
Another extremely important information source is your own cyber security resources. Get to know them, what they do, and how they do it. What they have to deal with on a continual basis just might surprise you.
There are many lists out there, ranging from OWASP’s Top Ten Vulnerabilities to MITRE’s Top 25 Most Dangerous Programming Errors. They are all useful, but translating them into meaningful terms that you and your team can relate to can be challenging. There is nothing quite as impactful as deploying a seemingly typical web application and seeing a SQL Injection attack extract all of the information from the backend database (you know, that database that is behind the firewall?). We feel there is nothing quite as effective at raising awareness as a series of attacks and countermeasures against an application. While we have the ulterior motive of wanting to provide your teams with that experience, the most important message here is that you need to be taking action now because the bad guys are probing at the doors, windows, chimneys, and any other opening they can find.
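To make the SQL Injection point above concrete, here is an added example (not code from the article or its authors) showing the same database lookup written two ways against an in-memory SQLite table. The table contents, the `users` schema, the function names and the test input are all constructed for this demonstration. The first function splices the input into the SQL text, which is exactly the pattern that lets a single crafted value pull back every row; the second binds the input as a parameter, so the database treats it as data rather than as part of the query.

```python
"""
Added example (not from the article): one lookup, injection-prone and hardened.
Everything here (schema, rows, inputs) is constructed for the demo.
"""
import sqlite3

# Constructed sample data standing in for the "backend database behind the firewall".
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Injection-prone form: the caller's input becomes part of the SQL text."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the SQL text is fixed and the input is bound as a parameter."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups with a normal input and with a classic crafted input.

    Returns the row counts so the difference can be checked programmatically:
    the vulnerable lookup returns every row for the crafted input, the safe
    lookup returns none because no username literally equals that string.
    """
    conn = make_db()
    normal = "alice"
    # Constructed test input: closes the quoted literal and appends an always-true clause.
    crafted = "x' OR '1'='1"
    return {
        "vulnerable_normal": len(lookup_user_vulnerable(conn, normal)),
        "vulnerable_crafted": len(lookup_user_vulnerable(conn, crafted)),
        "safe_normal": len(lookup_user_safe(conn, normal)),
        "safe_crafted": len(lookup_user_safe(conn, crafted)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

The two functions differ by one line, which is the whole lesson: parameterized queries are the countermeasure the firewall cannot supply, because the request that carries the crafted input is a perfectly ordinary, permitted request as far as the network perimeter is concerned.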