Next-Gen Application SecurityWhy App Sec Needs DevOps Speed and Portfolio Scale
The OWASP Top Ten 2013 was recently released, with very minor differences from its original version in 2003. The decade-long lack of change in application security is also evidenced by organizations that analyze applications for vulnerabilities. These reports continue to show that an overwhelming percentage of applications have serious vulnerabilities.
For example, Aspect Security's 2013 Global Application Security Risk Report shows that 98 percent of applications are susceptible to at least one application security risk, and the average application introduces 22.4 risks.
Even trivial applications may be the weak link in your defenses.
Other details in these reports are interesting, but the important takeaway is that application security has not improved in the last 10 years.
But the problems go way beyond the tools. Application security processes are also largely incompatible with modern software development. Agile and DevOps software development processes just don't work well with the "big design up front" and "big test at the end" style of application security that most organizations practice. The result is that security has very little influence on the software trajectory. We have to seek out ways to have a long-term influence on software development culture.
Immediate Security Feedback
First, and most important, developers get application security feedback way too late. Imagine you are a developer in a financial organization, and your application goes through penetration testing before it's deployed, and annually thereafter. There's a very good chance that you will never see the results of those tests. Why? Because the results might have been sent to a team of maintenance developers, assigned to a different developer on your team, accepted by management or many other outcomes. Developers need feedback immediately; otherwise, the opportunity to learn from mistakes is almost completely lost.
Even automated application security scanning tools don't provide feedback fast enough and in a way that developers can use them effectively. Most organizations have a very small number of people who have the significant application security expertise required to deploy and use these tools - much less triage their output. Accelerated software development cycles exacerbate this problem because releases are monthly, weekly, daily or even hourly, so there's no way that experts can be involved in each one. As a result, the application security team becomes a bottleneck that prevents the kind of feedback developers need.
Scaling to the Entire Application Portfolio
Second, we need to bring application security to all applications. Certainly Internet-facing applications are important, but internal applications often process more sensitive information and are protected far less well. With the boundaries between internal and external crumbling under pressure from web, cloud and mobile, the likelihood that an attacker will be able to target "internal" applications has never been higher. Even trivial applications may be the weak link in your defenses that allows an attacker a foothold for more serious exploits.
The same tools and processes that prevent immediate feedback also prevent application security programs from scaling beyond a small slice of a typical application portfolio. Using expert teams with expert tools to scan applications and gather application-security information just takes too long. We need tools that can be installed and used by non-experts to continuously gather application security intelligence across an entire portfolio.
Next-Generation Application Security
If we want to overcome the fundamental challenges of speed and scale, application security has to reinvent itself in a way that is compatible with modern software development. A small community has emerged that's thinking about this challenge. This is a work in progress, but here are a few ideas that are central to this new approach:
- Be mean to your code. Netflix pioneered the Chaos Monkey approach to creating resilient systems. You can use the Hacker Monkey approach and automate real-time attacks against your applications continuously throughout development, testing and production. It might seem scary to attack your applications, but there are plenty of tools that automate this kind of "negative" security test, and it's better to learn about vulnerabilities by hacking yourself.
- Verify your defenses. Security isn't just about hacking. You can also automate the verification of your security defenses by writing tools that verify authentication, access control, encryption, input validation, output encoding and even logging. Take your secure coding policies, guidelines and other rules and turn them into automated sensors. There is a screaming need for tools that make it easy to automate these "positive" security tests.
- Instrument everything. You can't improve what you can't see. We can learn from the "big data" revolution how to use sensors to automatically gather information about every application without experts. We can get information not only about applications and vulnerabilities, but about development processes, training effectiveness, use of components and operations security.
- Standardize defenses. Standard defenses make application security better and easier to verify. Application security programs shouldn't be primarily about finding vulnerabilities; they should focus on making it simpler for developers to write secure code. Standardizing defenses at the enterprise architecture level speeds secure development and enables agility. And because standard controls are easier to verify, visibility is improved, creating a virtuous cycle.
Instrumenting the Future
Speed and scale are the main challenges for application security. Without them, it's unlikely that we will ever make substantial improvement. It's time to move away from expert-based scanning tools towards a scalable, sensor-based approach.
If you're curious about the sensor approach, you can start today without a lot of investment. Create a simple sensor that reports something interesting about applications' security - application size, use of libraries, encryption, API usage, etc. Deploy that job wherever it makes sense - development environment, configuration management, continuous integration or app servers. Then sit back and watch your application security dashboard populate.
If you keep adding sensors, you'll end up with an application security intelligence platform that allows unparalleled visibility into the security of your portfolio. You'll be able to track trends, perform "what if" analysis and query security information from your entire portfolio in real-time. You'll be able to make informed architecture decisions as well as accurate security business cases and push new application security policies across your portfolio. This brings application security right into application development and allows security specialists to effectively leverage their expertise.
Jeff Williams has more than 20 years of experience in software development and security. In 2002, he founded Aspect Security to provide application security consulting, verification and educational services. He has created many open-source standards, tools, libraries and guidelines - including the OWASP Top Ten.