Changing Landscape of Application Security
TOM FIELD: Why don't you tell us a bit about yourself and Prevoty?
KUNAL ANAND: At Prevoty we have a mission to revolutionize application security. As for my background, I started my career as a software engineer at the Jet Propulsion Laboratory at the NASA Space Center in Southern California. While I was at JPL, I got to work on all sorts of software projects spanning business applications to computer engineering efforts. I eventually joined MySpace, where I led the security team. At the time, I was focused on what were then nascent cross-site scripting attacks. Years later I joined BBC Worldwide as director of technology, and I was overseeing technical development across digital gaming and entertainment initiatives. So, throughout my career I've really seen a proliferation of application security attacks, and have garnered what I like to call trial-by-fire experience in terms of best practices for securing applications.
Migrating Attacks
FIELD: Give us some background on why attacks are migrating from the network to the application level.
ANAND: I think there are lots of factors that are contributing to it. I'll start with what I consider to be the biggest one. Your average hacker is both incredibly smart yet predictably lazy. So, that means they're armed with automated tools and payloads, and essentially these adversaries are using those weapons to look for the weakest points to target [in the] infrastructure to exploit. Historically, we've seen that applications have become the weakest point. Compared to five years ago, there's a bigger prize for successfully attacking an application today. It has to do with how distributed today's environment really has become.
If an attacker is successful at exploiting an application, they could exfiltrate sensitive information in various data stores, or even propagate malicious code across partner and third-party data. I mean, I think to really compound things, a successful application attack doesn't have to come from the perimeter. It could come from within the trusted intranet zone, or even a trusted extranet provider, thus making attacks really difficult to pinpoint and extremely difficult to prevent.
Unprepared Organizations
FIELD: How unprepared do you find organizations are to handle this shift in attacks?
ANAND: If we look at general industry statistics, 99 percent of the IT security [budget] is focused on perimeter-based defense such as firewalls, meaning that only one percent is focused on dedicated application security. Network security does a great job of protecting the border of your infrastructure, but there's a pretty large gap when it comes to providing application security. So given the increasing number of threats that we're seeing, there's clearly a mismatch of resources. And additionally, there's a huge onus on software development teams to develop new applications and features, which often means that building security into the new technologies is either an afterthought, or sometimes a non-starter. There's a concept called the SSDLC, sometimes referred to as the secure software development lifecycle, but it's really hard for organizations to practice it. Staying on top of the latest threats and exploits that are happening every single day is already taxing for security and engineering teams. [This] is to say that a lot of organizations need to adapt to handle these targeted attacks.
Threats Against Organizations
FIELD: What do you see as some of the specific threats against organizations today?
ANAND: There are three primary threats that target applications. The first is called cross-site scripting, and it's the ability for an attacker to execute malicious code inside of your browser. The vector can be a public or internal web form, or even trusted partner data feeds and information sources. We call cross-site scripting the gateway to more sophisticated attacks.
The second attack is called SQL injection, and it allows attackers to perform data exfiltration and tampering. We've been hearing about lots of SQL injection attacks recently, specifically with companies that are reporting stolen passwords and sensitive information such as credit card numbers in breaches.
The third attack is called cross-site request forgery, sometimes referred to as CSRF, and it allows attackers to perform actions on a user's behalf without their knowledge or permission. It becomes a lot more critical as application sensitivity increases, such as banking applications, credit applications, et cetera.
Mitigating Threats
FIELD: How is Prevoty helping organizations mitigate these three main threats you just described?
ANAND: At Prevoty we've developed an engine that allows applications to be able to actively prevent these aforementioned attacks from within their application. We have a fundamental belief that application security should happen within the application instead of at the perimeter or network layer. Being built into the application, security technologies have the advantage of knowing what we call context, and it makes sense when you think about the threats that I just mentioned. So cross-site scripting happens because malicious input is flowing through the application and getting rendered to a user, or getting persisted. SQL injection happens because malicious code is being executed from the application to the database, and cross-site request forgery happens because the application fails to securely manage and keep track of generated tokens. I mean, if you think about the common denominator, it's the application itself.
So to counter these top attacks, at Prevoty we've developed trusted content to protect against XSS, or cross-site scripting, trusted query to protect against SQL injection, and trusted token to protect against cross-site request forgery. In contrast to the solutions out there that rely on past definitions and signatures, Prevoty really doesn't. There are no white [or] black lists, string replacements, and/or regular expressions. I think what makes Prevoty revolutionary is that we focus on how things are going to execute before they do. So in the case of cross-site scripting, we know it's going to execute in the browser, whether it's a content fragment or a full HTML document, and for SQL injection we know the fields, tables and functions the query is going to access.
We built our technology to stay ahead of exploits, which ultimately reduces the cost of remediation and cleanup. Now the added advantage of being inline is that we're able to give the application these real-time rich intelligence reports around content, queries and users. This intelligence gives the application a significant advantage over adversaries using the automated payloads and weapons that I mentioned before. So I like to put it in a really simple way: A hacker has an infinite amount of time to launch a successful attack, and your application has less than a split second to defend itself. At Prevoty, our team has always believed that applications should be able to defend themselves. And by using Prevoty, your application can.
Shifting from Network to Application Level Attacks
FIELD: What's your fundamental advice to organizations making the shift from focusing on network to application level attacks?
ANAND: So I'll hop in a DeLorean and go back in time for a little bit, but when I was starting my career out at JPL I got to meet engineers from the security team. One in particular, who had been working in security for more than a few decades, taught me how security is a cat-and-mouse game. An organization is only as strong as its weakest link, and there's really no silver bullet that will handle network, application, operational and employee security on top of other vectors. So flash forward to today, and I think that sentiment is still true. Organizations need to make sure that they have the best chance to protect themselves, and I really believe that a layered security approach is one that's both well understood and rational. So, layered security means protecting your network, threat modeling, securing your application, and following secure coding practices, etc.
Given how fast the vendor landscape is moving, I really think the biggest challenge that organizations have today is picking the right tool for the job. I think the important thing for security leaders, evangelists and developers to do is really distinguish between technology add-ons versus technologies that simply scale with the business.