RSA Guide 2011: Application Security
By Adrian Lane
When we say application security, we generally mean web application security. We probably could have cheated and simply reposted last year’s guide to application security and still been close. Yes, application security is still a nascent market. Last year the focus was anti-exploitation to prevent code injection attacks, and the value provided by integrating assessment and web application firewall technologies. While the threats remain the same, there are some new twists which deserve attention.
What We Expect to See
- Code Review Services: Strapping security onto the network layer and hoping it catches your application vulnerabilities is a band-aid at best, and companies that produce applications know this. With HP’s acquisition of Fortify a few months ago, Microsoft’s announcement of Attack Surface Analyzer, and IBM’s acquisition of Ounce Labs in 2009, it’s clear that the world’s major software providers know this as well. And they are looking to capitalize on the movement. Third-party source code review services are on the rise, and most web development teams now use either white-box or black-box testing in their certification processes. “Building security in” is an increasingly common mantra for development teams, and there is tremendous opportunity to sell security products and services into this nascent market. Most development teams are just now learning about secure coding techniques, threat modeling, and how to build unit-based security tests to run alongside their functional tests. We expect to see many vendors offering tools, education, and services that foster secure code everywhere from design to post-deployment. Not just pre- and post-deployment checkers and firewalls, but security offerings for every single step in the development lifecycle.
- Buyer Shift: “What?” you say. I am not selling to the IT manager? Not here you are not. IT plays a part, but the buying center is shifting to the development team for web application security technologies. And that’s a very different conversation, with a much different set of requirements and use cases the vendor needs to address.
- OWASP As the Guiding Light: Publicity concerning application security issues is growing. OWASP — the Open Web Application Security Project — provides a Top 10 list of the most common threats to applications. And it’s a good rundown of the sneaky, underhanded tricks attackers use to compromise web applications for fun and profit. Even better, it’s backed by measurable statistics, so it’s not all conjecture and innuendo. This list is driving many companies’ marketing campaigns, and the alignment of their service offerings as well. How well any given vendor protects applications from these threats is open for debate, but the fact that they are responding to the most common threat vectors we see today is very good news. Web application vulnerabilities represent a significant threat to organizations because web services are an integral part of business operations, and the push for more SaaS and cloud-based services means attackers have an increasing number of potential targets.
As if you haven’t had enough cloud on a stick, up next are our thoughts on endpoint security, and then virtualization and cloud security in the RSA Guide. I know, you can’t wait.