Over the last 30 years, many organizations have done an amazing job of automating their business, resulting in productivity gains, efficiencies and innovations. Unfortunately, the threat landscape has changed dramatically during this time. A lot of that application code, written without security in mind decades ago, is still the heart and soul of many enterprises. That code was designed for a world where computers could not be accessed remotely. Since then, it has been wrapped, integrated, connected, ported, and most importantly, exposed. That application code is not strong enough to withstand today's threats.
Today, applications must protect themselves against well-financed individuals and organizations that are actively exploiting applications, primarily for financial gain, and, occasionally, for idealistic reasons. Threat agents have been wildly successful at exploitation because virtually all web applications have simple flaws that allow them to be compromised. As they say, when it comes to application security, there are two kinds of people: those who know that their code is insecure and those who don't.
An analysis of many recent studies suggests that over 80 percent of applications contain simple vulnerabilities. If only 5 percent of the world's critical applications were this vulnerable, that would be a staggering statistic. But 80 percent is truly mind-blowing. Why can't we as developers find these flaws and eliminate them?
To give you an idea of the complexity involved, imagine finding all of the loopholes contained in the U.S. Tax Code. It's roughly one million lines long, the size of a single large web application. That would be a big job requiring some expertise. Now, imagine that you are a typical financial institution with over 1,000 applications in your portfolio that use an enormous variety of languages, platforms, architectures, frameworks and libraries. Can you start to appreciate the magnitude of the challenge? You could run a spell-checker over the Tax Code, and it might even find some problems, but it wouldn't notice the really serious issues, would it?
I know that we can do better moving forward. I've been a programmer and security specialist for over 20 years, specializing in application security since the mid-1990s. In 1999, I started one of the world's first application security practices and verified a wide variety of critical applications with a combination of code review and penetration testing.
Shortly thereafter, a few like-minded individuals and I started the Open Web Application Security Project (OWASP) whose mission is to improve the world's application security posture. I served as Chair until a few months ago. OWASP has a number of free and open-source resources that developers can use right now to help secure their code.
5 Tips for Developers
- Start with the OWASP Top Ten - This awareness document will help you understand, identify, and fix the most critical application security risks quickly. I wrote the first version in 2002, and have updated it many times since.
- Get hands-on with WebGoat - WebGoat is a deliberately flawed application that is riddled with holes to give people the opportunity for hands-on learning. It is open-sourced to help developers and security testers get experience with real vulnerabilities. I've found that this is the only way to fully understand application security.
- Leverage the OWASP Cheat Sheets - This is a fantastic series from leading experts globally. Let me know what you think of the Cross-Site Scripting Prevention Cheat Sheet, one of OWASP's most popular pages.
- Verify Your Applications - There is no substitute for getting real facts about the security of your application portfolio. I wrote the OWASP Application Security Verification Standard to help developers get started scanning, testing and code reviewing with tools like OWASP ZAP and CSRFTester.
- Get Training - Perhaps the hardest thing about application security is that there are so many different ways that software can fail, particularly when it's targeted by a motivated attacker. Training is the key to getting started with securing applications quickly. If instructor-led training isn't possible, eLearning solutions are available to allow developers to learn on-demand and get hands-on, practical experience with vulnerabilities, security controls and real code. Training is a remarkably effective way to reduce vulnerabilities. In one large organization where I trained many developers, there was a 70% reduction in vulnerabilities on projects where developers had taken the course.
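The Cross-Site Scripting Prevention Cheat Sheet mentioned in the third tip boils down to one discipline: encode untrusted data for the exact HTML context it lands in. The snippet below is an added example written for this article, not code from OWASP or from the cheat sheet itself. It shows three context-specific encoders (element content, attribute value, quoted JavaScript string) and a small page renderer that uses them, driven by a constructed untrusted input. The function names and the sample input are assumptions made for this illustration; only Python's standard library is used.

```python
import html
import json


def encode_for_html_body(untrusted: str) -> str:
    """Context: text between HTML tags. Entity-encode the five HTML
    significant characters (& < > " ') so the data can never open a tag."""
    return html.escape(untrusted, quote=True)


def encode_for_html_attribute(untrusted: str) -> str:
    """Context: inside an attribute value. The cheat sheet recommends a more
    aggressive rule here: encode everything except alphanumerics as &#xHH;,
    so a value cannot terminate the attribute or start a new one."""
    return "".join(ch if ch.isalnum() else f"&#x{ord(ch):x};" for ch in untrusted)


def encode_for_javascript_string(untrusted: str) -> str:
    """Context: inside a quoted string literal in a <script> block.
    json.dumps escapes quotes, backslashes and control characters; we add
    escapes for '<' and '/' so the string cannot contain '</script>'."""
    escaped = json.dumps(untrusted, ensure_ascii=True)[1:-1]   # strip the outer quotes
    return escaped.replace("<", "\\u003c").replace("/", "\\/")


def render_profile_page(display_name: str) -> str:
    """Assemble a page that places one untrusted value in three contexts,
    each time through the encoder that matches that context."""
    return (
        "<html><body>"
        f"<h1>Hello, {encode_for_html_body(display_name)}</h1>"
        f'<input type="text" value="{encode_for_html_attribute(display_name)}">'
        f'<script>var user = "{encode_for_javascript_string(display_name)}";</script>'
        "</body></html>"
    )


def contains_unencoded_markup(rendered: str, untrusted: str) -> bool:
    """Defender's check: the raw untrusted string must never appear verbatim
    in the output if it contains any HTML-significant character."""
    if not any(ch in untrusted for ch in '<>"\'&'):
        return False
    return untrusted in rendered


if __name__ == "__main__":
    # Constructed sample input, the classic probe used when testing an encoder.
    SAMPLE = '<script>alert(1)</script>'
    page = render_profile_page(SAMPLE)
    print(page)
    print("raw markup leaked:", contains_unencoded_markup(page, SAMPLE))
```

The important design choice is that the encoder is selected by where the data goes, not by what the data looks like; a single generic "sanitize" function that strips `<script>` is exactly the spell-checker approach the article warns about, because it cannot know whether the next character will be read by the HTML parser, the attribute parser or the JavaScript engine.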
Before you trust your business to application software, make certain that the people who are writing your code know how to defend your business and its assets. It's time to learn.
Jeff Williams is the co-founder of both OWASP and Aspect Security, a consulting company focused on providing application security.