Thursday, July 2, 2015

State of Application Security 2015

In May 2015 the SANS Institute released survey results from 435 participants on application security practices, seen from the perspectives of defenders (security engineers and internal security teams), breakers (penetration testers) and builders (software developers).
While a closer alignment bodes well for the future of applications, results also show continued gaps between the groups, such as builders putting security off on ‘someone else’ and defenders trying to force security through compliance reviews and penetration testing rather than working with builders to design and build in security from the start.
Having been on the breaker/defender side for a long time in my career, I certainly recognise this behaviour. Penetration testing is often used to validate the security of software (either during the development cycle or, most often, at the end or even after going live), and the results coming out of these assessments are always written from the breaker’s perspective. They often do not succeed in describing their findings and recommendations in a language that is directly usable by these builders, or the breakers just do not understand enough of the application architecture and coding to give valuable recommendations.
Also, the builders often do not have a good understanding of what all these security vulnerabilities mean, and “security” is something they think the infrastructure team, security engineers or even development frameworks should solve. The builders’ main drivers (often set by company management) are to build end-user features and meet time-to-market expectations, not to make sure their code is written in a safe and secure manner … even if their software is controlling traffic light systems, running air-traffic systems, allowing people to do online banking or simply storing health information about a country’s citizens.
Since starting Secure Code Warrior with an extremely smart team of ex-breakers & ex-defenders (who have now all transformed into builders themselves), I have become a big fan of letting your builders verify their own code for security problems and making sure they have the knowledge and automated tools (think agile & continuous integration) to make sure any code they push to the code repositories has been checked for the most critical web application vulnerabilities.
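As an illustration of the kind of automated check a builder can run before pushing, here is a small Python script written for this post; it is an added example, not Secure Code Warrior’s tooling nor anything from the SANS survey. It uses the standard `ast` module to walk Python source and flag the classic SQL injection pattern: a query assembled at runtime (concatenation, `%`, `.format()` or an f-string) handed straight to a DB-API `execute()`-style call, either inline or via a variable. The sample sources embedded at the bottom are constructed for the demo; the sink names and the “fail the build on any finding” policy are assumptions you would tune for your own code base.

```python
"""Minimal pre-push / CI gate: flag SQL built from runtime strings that
reaches a DB-API cursor.  Added example for this post; hypothetical tool."""
import ast
import sys
from typing import List, Set, Tuple

# Method names assumed to hand a query string to the database (assumption;
# extend for your ORM or driver).
SINK_NAMES = {"execute", "executemany", "executescript"}


def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the expression builds a string at runtime.

    Note: any '+' or '%' BinOp is flagged, so numeric arithmetic passed to a
    sink would be a false positive; acceptable for a gate that wants recall."""
    if isinstance(node, ast.JoinedStr):            # f"... {x} ..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                # "..." + x   or   "..." % x
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True                                # "...".format(x)
    return False


def _sink_name(call: ast.Call):
    func = call.func
    if isinstance(func, ast.Attribute):
        return func.attr                           # cur.execute(...)
    return getattr(func, "id", None)               # execute(...)


def scan_source(src: str, filename: str = "<string>") -> List[Tuple[int, str]]:
    """Return (line, message) findings for SQL sinks fed a dynamic string."""
    tree = ast.parse(src, filename)

    # Pass 1: names assigned a runtime-built string.  Scope is module-wide,
    # which is crude (same name in two functions is conflated) but cheap.
    dynamic_names: Set[str] = set()
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)
                and _is_dynamic_string(node.value)):
            dynamic_names.add(node.targets[0].id)

    # Pass 2: sinks whose first argument is dynamic, directly or by name.
    findings: List[Tuple[int, str]] = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and node.args):
            continue
        name = _sink_name(node)
        if name not in SINK_NAMES:
            continue
        arg = node.args[0]
        if _is_dynamic_string(arg) or (isinstance(arg, ast.Name)
                                       and arg.id in dynamic_names):
            findings.append((node.lineno,
                             f"{filename}:{node.lineno}: query built from a "
                             f"runtime string reaches {name}(); use parameters"))
    findings.sort()
    return findings


# Constructed sample inputs for the demo (not real project code).
VULN_SAMPLE = '''
import sqlite3
def get_user(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
    q = f"SELECT * FROM users WHERE id = {name}"
    cur.execute(q)
    return cur.fetchall()
'''

SAFE_SAMPLE = '''
def get_user(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
    return cur.fetchall()
'''


def main(paths: List[str]) -> int:
    """Scan each file; non-zero exit fails the CI job (policy assumption)."""
    total = 0
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            for _, msg in scan_source(fh.read(), path):
                print(msg)
                total += 1
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python sqlgate.py $(git diff --name-only --cached -- '*.py')` from a pre-commit hook or a CI step so that only the files being pushed are checked; on the constructed sample it reports lines 5 and 7 of the vulnerable function and nothing for the parameterised one. The point is not that an AST pattern match replaces a penetration test, but that the builder gets the finding, in their own language and at their own line number, before anyone else does.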
I think that is exactly why Microsoft Azure App Service, a cloud service for building websites and mobile apps, announced a new feature in June 2015 to automatically scan web applications for security issues. Google already has something similar, named Google Cloud Security Scanner, which has been running in beta since February 2015.
Pieter