Wednesday, July 02, 2008

Web Application Security Today - Are We All Insane?

CSO magazine was kind enough to publish an opinion piece where I present a top-down view of the current state of web application security. I nervously expect a “spirited” flow of blog comments because it questions the value of certain best practices and deeply held personal philosophies. Fortunately, though, our general public discourse has advanced a great deal recently, and the community at large is a lot more informed of the challenges at hand. I pulled out a snippet to give a feel.

"It is unreasonable to expect publishers, enterprises and other site owners to restart and reprogram every website securely from scratch. Nor can we fix the hundreds of thousands (maybe millions) of custom Web application vulnerabilities one line at time. The very thought sounds insane to me. It would take too long (probably never finish), cost far too much (billions per year), and the bad guys are already ahead of us. Conservative estimates put the total annual IT security spend in the US at $50 billion and e-crime losses at $100 billion. We're losing two dollars for every dollar spent."

dre said...

"beating the drum for software in the Software Development Lifecycle (SDL)"

This is a great point. It would be nice if developers focused on building software instead of writing it. Software that can be built every time with no errors is software that we can put more trust in. It's easier to add tests. It's easier to run it through an automated static checker or bytecode inspector that looks for certain security properties -- and have a lead developer go through the results.

They don't need to be security experts, or know anything about security. They need to be building code that doesn't have errors and is easily testable. Then we can solve these problems when they rebuild the web -- today, instead of 10 years in the future.
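dre's point is that an automated checker can look for specific security properties at build time and hand a short list of results to a lead developer. As an added example that is not part of the original post or of any commenter's code, here is a small Python AST checker of that kind: it runs over a constructed sample module (the sample code, the `SQLI`/`EVAL` property names and the checker itself are hypothetical), flags SQL statements assembled from dynamic strings (concatenation, `%`-formatting, f-strings, `.format()`) and calls to `eval()`, and exposes a build gate that fails when any finding is present.

```python
import ast

# Constructed sample source for the checker to inspect; not taken from any real project.
# Line numbers in the findings refer to lines of this string (line 1 is the empty first line).
SAMPLE_SOURCE = '''
import sqlite3

def find_user(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '" + username + "'")
    return cur.fetchone()

def find_user_safe(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = ?", (username,))
    return cur.fetchone()

def find_user_fstring(conn, username):
    cur = conn.cursor()
    cur.execute(f"SELECT * FROM users WHERE name = '{username}'")
    return cur.fetchone()

def run(expr):
    return eval(expr)
'''

# A constant string that starts with one of these is treated as an SQL statement.
SQL_KEYWORDS = ("select ", "insert ", "update ", "delete ")


class SecurityPropertyChecker(ast.NodeVisitor):
    """Collects (lineno, kind, message) findings for two hypothetical properties."""

    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        name = self._callee_name(node.func)
        if name == "eval":
            self.findings.append((node.lineno, "EVAL", "eval() call: avoid evaluating runtime strings"))
        elif name == "execute" and node.args and self._is_dynamic_sql(node.args[0]):
            self.findings.append((node.lineno, "SQLI",
                                  "SQL statement built from a dynamic string; use bound parameters"))
        self.generic_visit(node)  # keep walking so nested calls are inspected too

    @staticmethod
    def _callee_name(func):
        if isinstance(func, ast.Name):
            return func.id
        if isinstance(func, ast.Attribute):
            return func.attr
        return None

    def _is_dynamic_sql(self, arg):
        # "SELECT ..." + x  or  "SELECT ... %s" % x : a BinOp tree mixing constants and variables
        if isinstance(arg, ast.BinOp) and isinstance(arg.op, (ast.Add, ast.Mod)):
            return any(self._looks_like_sql(s) for s in self._constant_strings(arg))
        # f"SELECT ... {x}" : only dynamic when a FormattedValue is present
        if isinstance(arg, ast.JoinedStr):
            has_placeholder = any(isinstance(v, ast.FormattedValue) for v in arg.values)
            texts = [v.value for v in arg.values if isinstance(v, ast.Constant)]
            return has_placeholder and any(self._looks_like_sql(t) for t in texts)
        # "SELECT ... {}".format(x)
        if (isinstance(arg, ast.Call) and isinstance(arg.func, ast.Attribute)
                and arg.func.attr == "format"):
            return any(self._looks_like_sql(s) for s in self._constant_strings(arg.func.value))
        return False  # a plain constant (parameterised query) is fine

    def _constant_strings(self, node):
        """Yield every string constant inside a chain of + / % operations."""
        if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
            yield from self._constant_strings(node.left)
            yield from self._constant_strings(node.right)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            yield node.value

    @staticmethod
    def _looks_like_sql(text):
        return isinstance(text, str) and text.lstrip().lower().startswith(SQL_KEYWORDS)


def check_source(source, filename="<constructed>"):
    """Parse `source` and return findings sorted by line number."""
    checker = SecurityPropertyChecker()
    checker.visit(ast.parse(source, filename))
    return sorted(checker.findings)


def build_passes(source):
    """Build gate: True only when the checker reports nothing."""
    return not check_source(source)


if __name__ == "__main__":
    for lineno, kind, message in check_source(SAMPLE_SOURCE):
        print(f"line {lineno}: [{kind}] {message}")
    print("build passes" if build_passes(SAMPLE_SOURCE) else "build fails")
```

The checker deliberately reports only a property that a lead developer can verify in seconds (is this statement assembled from a variable?), which is what makes the results reviewable rather than a pile of noise; the parameterised `find_user_safe` produces no finding.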

Matt Presson said...

I do agree with andre that security needs to be built into the SDLC, but as someone who works in a large corporation with various development teams, I find it hard to swallow the statement that "they don't need to know anything about security." In fact I heartily disagree.

The best way to ensure that developers write secure software is to make them think about security, and to educate them into how they should think about it. Essentially, increase awareness! If you don't know what is possible you can't write more secure code. This is just a fact of life.

Furthermore, allowing some tool to tell you what is wrong, security-wise, is not sufficient and never will be. A tool can help, but should NEVER hold the sole responsibility of finding security bugs. It takes an intelligent person to spot security issues and recommend viable fixes. People can also check for things tools can't, like something that doesn't have a scanning signature yet.

Tools have their place, but in the end education is always more beneficial. It helps prevent future issues and gives you insight into why.

Rafal Los said...

@Andre - easier said than done

@Matt - But... sadly - when a "human" looks for vulnerabilities you get inconsistent results, and you don't know whether you are testing the security of the application or the knowledge of the security "expert"... I've written on this topic in the past; it's tough.

Jim Manico said...

@ Rafal - But... sadly - when a "computer" looks for vulnerabilities you get less-than-useful results, and you don't know whether you are testing the security of the application or the knowledge of the tool. Applications are like clay and no tool will ever be able to discover the truly interesting vulnerabilities. It takes a combination of manual testing, automated testing, manual code review and automated code review.