The App Sec Pro and the Shark

Today's Top Threats Require Skilled Experts Who Can Adapt
The name of the game today is data theft, says Mano Paul of (ISC)2, and hackers have figured out that exploiting the vulnerabilities in applications can help them steal sensitive information.

"In the web and rich Internet application world, injection flaws and scripting attacks are very prevalent," says Paul, (ISC)2's software assurance adviser, in an interview with Information Security Media Group's Tom Field [transcript below].

Paul sees other top application security threats as being brute-force cracking, session hijacking and perimeter attacks. Applications serve as conduits to sensitive data, and exploiting them can yield large amounts of information, he says.

From weak authentication controls to apps requesting permission from the users who may not be worried about compromise, the landscape today is plagued by data security issues.

And having a traditional security professional tasked with handling software and application security threats is setting up a company for failure, Paul explains. App-sec professionals must know how to do more than just write secure code or conduct penetration tests. They need to know how to integrate security into the software development lifecycle.

Paul's suggestion: Teach the software developers the security aspects of software assurance.

"Having said that, that would sound sacrilegious to any security professional, but the truth is that is what it is," he says. "Go to the development teams and try to have them be trained in application security issues so that as they write these applications, they know how to be able to secure it by building the necessary security controls in."

In an exclusive interview about the state of global application security, Paul discusses:

  • The top application security threats today;
  • How some security pros are ill-prepared to tackle these threats;
  • Opportunities and challenges for someone wanting a career in application security.

Paul started his career as a Shark Researcher in Bimini Biological Field Station (Bahamas). He came to the USA and got his Management Information Systems degree from the University of Oklahoma. He joined Dell and managed the global application security program before founding and serving as the President and CEO of SecuRisk Solutions and Express Certifications, companies that specialize in Security Products, Consulting, Training and Certifications. He is the author of the official (ISC)2 guide to the CSSLP and serves as (ISC)2's software assurance advisor. He is also a member of the Application Security Advisory Board and the winner of the first Information Security Leadership Awards as a practitioner in the Americas region.

Top Application Security Threats

TOM FIELD: What do you see as the top application security threats globally today?

MANO PAUL: Well that's kind of a broad question, depending on who you ask, the type of industry or the type of technology used. One may feel different about the application security threats that we need to be concerned with, but one thing that I'm noticing globally and universally is that in today's application security threats, what we see as a result of these exploits is they have more to do with data disclosure and alteration than with availability.

The name of the game today I feel is data theft. In fact, a new term seems to be emerging and catching ground, which you may be aware of, which is "big data," that is the amount of data both belonging to a company as well as personal information. Just looking at all of the information security news that is publicly reported, we don't see as many denial-of-service or distributed denial-of-service attacks as we see data breaches. Since applications are serving as conduits to this data, unauthorized access to data is made possible because hackers have figured out that exploiting the vulnerabilities in the applications can help them steal information. In the web and rich Internet application world, injection flaws and scripting attacks are very prevalent, but these are only two of the many others that we need to be concerned with that need to be addressed: forgery, brute-force cracking, hard-coded passwords in files, session hijacking and replay attacks, perimeter attacks, are a few of the others that we need to be concerned with as well.

From there, if I was to look at the landscape today and look at the mobile computing world, again we're plagued with data security issues. We're not having strong authentication credentials combined with controls and limited remote-wipe technologies. To add on to that whole situation, with the plethora of apps that we see on the iPhone, Android or Windows phone, most of these apps are now starting to request permissions from the user, which means the security decision has been moved to the end user who may not necessarily be worried about compromise as much as they're concerned about convenience and control.

From there, I'm also starting to notice and see the world of cloud computing, where applications are designed to be discoverable and provide business functionality with APIs. But insecure APIs are now becoming one of the biggest threats. To survey the situation, the speed at which security standards for the cloud computing models have been adopted is at a snail's pace while businesses are adopting cloud computing at supersonic speeds. These are just some of the threats that I think are plaguing the application security world globally that we need to pay attention to.

How Security Pros are Ill-Prepared

FIELD: In what ways do you see that security pros are perhaps ill-prepared to tackle some of these emerging threats?

PAUL: If I may actually take the liberty to say so, the network hacker I think is a thing of the past, mainly because most companies have matured to protect their perimeters and in some cases actually the perimeter is vanishing with the outsourcing, the off-shoring and subscription-based service solutions like cloud computing that we're starting to see. The threat landscape has changed as well and hackers are targeting applications over networks. The threat agents are evolving as well, and not all of them are in fact human as is evident from the increased number of malicious software or malware. But unfortunately, the traditional security guy or girl who used to configure network firewalls, manage anti-virus and patching deployment is also the same person that's tasked to handle software and application security threats within many companies, and in my experience I find that such arrangements are essentially positioning the company for failure because it's hard to take a network security person and teach them software development. The good news, however, is that you can take a software developer and teach him, or her, the security aspects of software assurance relatively easily.

I would also suggest that the types of attacks are not just against data itself, but against protocols as well. The recent browser exploit against SSL/TLS, which we came to know as BEAST, was recently disclosed at a security conference in September of this year, and now puts to question the trust that we can have when data is in transit or motion using the protocol that we deemed was secure. Until security professionals understand the changing threat landscape and the threat agents, we'll continue to always be trailing when it comes to assuring the trust that the stakeholders of our companies have entrusted to us.

Key Demands on App Security Pros

FIELD: Given what you've outlined for us, what would you say are the key demands today on application security professionals?

PAUL: If I was to actually borrow an analogy, because I was a shark researcher in the past, I would like to draw an analogy from sharks. In my opinion, I think that the bull shark is much more dangerous than the Great White, because a bull shark can not only hunt in salt water, but it has been observed to attack in brackish estuaries and sometimes even inland fresh-water rivers. In the same manner, the most dangerous attacker profile that we see today is the one who knows how to conduct not only network but host and application attacks as well. They know how to bypass firewalls and use overflow attacks to exploit the host itself or even do a SQL-injection attack. The demand today for the application security professional is very similar. They need to know how to defend, in a very holistic manner, the network, the host and the applications within the company.

Additionally, the app-sec professional must be more than just someone who knows how to write secure code or conduct code reviews and penetration tests. They'll need to know how to integrate security into the software development lifecycle, or the SDLC, by identifying the correct activities that need to be conducted in pretty much every phase of the software development lifecycle, from requirements to release, and eventually retirement as well. They should be able to influence the development organization within companies to build security into the applications they write.

Application Security Careers

FIELD: For somebody looking to start or re-start a career in application security today, where do you see their opportunities and their challenges?

PAUL: In terms of opportunities, I think that the saying, "the sky is the limit," is in fact an understatement in an app generation where data is the new frontier for the global world economy as well as military strength. The opportunities I think are limitless. I believe that in the future wars will not be fought with missile heads but with bits and bytes, and whoever controls that information is the one who can deliver the "checkmate." We're already starting to see some of this within the context of cybersecurity involving hacktivists and nation states that are exploiting applications to promote their cause.

Regarding the challenges, what I look for in an application security professional today are the "three C's." The first C is content knowledge, which when I say content knowledge I'm looking for somebody who is multifaceted and has multi-technological skills. The second C I would say is communication skills so they can actually express the application security issues appropriately, which means they know how to talk the right language; they know how to talk the talk from the builder to the boardroom. Third I would say is being current; the third C is being current, meaning that they can keep up with the fast pace of change in the software industry. One of the books I like to read is, "Who Moved My Cheese?," which is about adapting to change. But I think in today's landscape, someone should actually write a book called, "Where is My Cheese," to stay current. It requires daily discipline to find time to see what's happening in the industry and then determining the applicability within the company. I must admit though that this is one of my biggest challenges since I have to balance the faith, family, finance and fun aspects of my life. It's challenging but for someone who wants a career in application security, my advice would be to make sure that you double up and hone in on those "three Cs." Get content knowledge, the multifaceted and multi-technological communication skills to talk the talk, and stay current as well.

From an employer's perspective, one of the biggest challenges is to find the right people, and many application security jobs today go unfilled. From my experience, what I find is that there's a fallacy in the way employers are approaching application security professionals, because they're looking for educated and experienced folks with many years of experience in security. While the application security threats are relatively new and evolving daily, for that matter, trying to find a veteran security expert with ten years or more of experience in application security is kind of a moot point, and what I find works best is to go to the software teams and teach them about application security and stop trying to find security professionals and teach them software. Of course, having said that, that would sound sacrilegious to any security professional, but the truth is that is what it is. Go to the development teams and try to have them be trained in application security issues so that as they write these applications, they know how to be able to secure it by building the necessary security controls in.
