A Fresh Look at Application SecurityExpert Says Standard Coding Process Is Essential
Application security is not keeping pace with evolving attacks, says Prasenjit Saha, a CEO of infrastructure management services and security business at Happiest Minds Technologies Pvt. Ltd., a Bengaluru-based IT Services Company. One problem: lack of a standard, secure coding process in the application development life cycle.
"Most often, the architecture design team, developer team and security team don't align at the concept stage," Saha says.
Instead, security teams tend to get involved at the conclusion stage for the vulnerability test, resulting in fire-fighting with no great output on application design and security. "A strong integration of these groups at the design stage will combat sophisticated threats," Saha maintains.
In an interview with Information Security Media Group (transcript below), Saha discusses application security challenges of CISOs and reasons for not detecting threats in advance. He throws light on the security shortcomings of the software application development life cycle process and also discusses:
- Skills needed for detecting threats early;
- How and why coders become easy targets for attackers;
- Mitigating risks from emerging technologies.
Saha is the CEO of the infrastructure management services and security business of Happiest Minds Technologies Pvt. Ltd., an IT Services Company focused on enabling digital transformation for customers through technologies including mobility, big data analytics, security, cloud computing, social computing, M2M/IoT, unified communications, etc. Previously, he worked as vice president, SBU/profit center head for the Enterprise Solution division of Wipro Technologies.
AppSec Not Aligned With Threats
GEETHA NANDIKOTKUR: Why is the application security domain not keeping pace with growing threats?
PRASENJIT SAHA: In enterprises, the architecture design, developer and security teams do not align at the concept stage. Security teams are always involved at the conclusion stage for the vulnerability test, resulting in fire-fighting with no great output. Security issues crop up during testing, but the developer community will be unable to carry out remediation due to time pressure and complexity of architecture and programs. An integration of these groups at the design stage will combat sophisticated threats.
Key Challenge for CISOs
NANDIKOTKUR: So, what's the key challenge for CISOs? How do they bridge the gap?
SAHA: Most often, critical issues of the program cannot be addressed, as there is no coordination or skills available. Finding a specialist team with an overall understanding of the entire application development life cycle process, security aspects and design aspects is a challenge. All teams are allowed to work in silos. All these pose great challenges to CISOs.
The reason is the application security market is just going through the maturing curve and will take a while to meet business requirements.
Take programs like J2E, .Net, ASP.Net, ActiveX controls etc., rolled out in 2002. They took almost six years to stabilize, place security controls and identify gaps. The new applications will undergo that phase. However, the stabilizing time can be condensed by involving security teams early.
Regarding skill development and bridging gaps between teams, security teams must be clued in to the life cycle process and allowed to fix vulnerabilities on a day-to-day basis on the black box and white box testing. Development teams are always under pressure of time and cost.
Security teams are equally under pressure. There are always bandwidth challenges. All teams should follow a secure agile phenomenon during the development stage. It is about self-learning to fix issues that crop up.
NANDIKOTKUR: It's said that attackers love coders. Where's the loophole, and where are the vulnerabilities?
SAHA: There are three areas where developers can go wrong:
- Firstly, the developer and architecture teams ignore standard principles of the coding process. Following 14 different Do's and Don'ts eliminates over 80 percent errors.
- Developers fail to anticipate a zero-day attack, thus failing to fix vulnerabilities. Attackers easily exploit this. This is when the security practitioner's view is required for guidance about secure coding standards
- There's a lack of a far-sighted approach among developers in understanding the deployment of the architecture and pre-empting the use of the applications in various environments and embedding appropriate secure codes.
Threat Mitigation Techniques
NANDIKOTKUR: What, then, are the ways to mitigate risks due to unknown threats and new technologies?
SAHA: Today's world is driven by social media, mobility, analytics and cloud, combined with multi-channel communication such as data, voice and video, influenced by digital transformation. This is going borderless. The industry is witnessing the evolution of Internet of Things, M2M and smart cities that are throwing security challenges as they demand new codes which are secure. Evolution of concepts like edge intelligence, where the intelligence shifts to the edge, as apps come to the data at a much larger scale, machine-to-machine, with little or no human interface or intervention, the crowd sourcing model -obtaining needed services, ideas or content from a large group of people, especially from an online community rather than from traditional employees or suppliers - [these] are throwing up newer risks.
Some elements which can help mitigate risks:
- Enterprises can look at security as a service (SaaS) platform to be vigilant about threats and pre-empt them.
- Build security architecture using standard coding analysis applicable which is dynamic and applicable to Web-based applications, mobile based, etc.
- Security auditing is recommended to detect threats, place controls and recommend tools to mitigate risk.
- Security teams should understand the business context and build capabilities to detect and respond to any threats that impact business applications (including packaged apps, Web apps and custom apps).
- Traditional security tools do not have the integration and inspection capabilities for business contexts (though they can still carry out traffic inspection for protocol level anomalies and code level anomalies). To extract and use the information relevant to security, a separate intelligence engine is required. This should have the ability to look at transactions logs and audit logs to determine fraudulent activities and anomalous patterns and correlate this information with other layers to identify relevant threats and attacks.