RSAC 2010 Guide: Application Security
By Adrian Lane
Continuing our postings from the Securosis Guide to the RSA Conference 2010, we turn our attention to application security.
Application Security is a nascent market, but data from several recent data breach reports and OWASP studies have disproven the myth of the “Insider Threat”. The primary cause of breaches is poorly executed applications – specifically web applications that rely on complex multi-layered infrastructure. While there is no agreement on which methods and technologies are ‘best’ for securing applications, application developers show growing interest in learning about the available options.
What We Expect to See
A Focus on Web Application Development Security: As a general rule we don’t have very good statistics in security and risk management, but this trend is changing. With better forensic information we are showing that web application breaches are the leading cause of security breaches. While this has not yet translated into a significant change in security spending, expect to see long lines and greater interest in code security products and education. Vendors will be disappointed at dealing with lower level IT and software practitioners who come across as tire-kickers who ask too many questions, but this is tomorrow’s buying center! These are the people who will change their applications and deployments to be more secure, not CIOs.
Anti-exploitation: While education in the development community lags regarding what constitutes risky code, tools that identify poor code or provide anti-exploitation will get a lot of attention as they raise the bar without a lot of re-engineering. The tools vary greatly in the depth of their features, how they are deployed, and where in the development cycle they fit. For example, some examine source code, some examine objects while they are compiled or linked, and others offer run-time protection. You will need to ask the vendor what classes of anti-exploitation they provide, and see if their model fits your development framework.
Integrated Assessment and Firewall Technologies: Web application development cycles are so short that full regression testing of new functions is generally impossible. Moreover, test systems fail to mimic live production sites, so many vulnerabilities are missed prior to deployment. This has increased demand for application scanning, and changed it into a never-ending task. The window of time between when a vulnerability is introduced and when it is discovered is very small. In most cases exploitation begins before a fix can be identified, implemented, tested, and rolled out to production servers. To fill the gap, vulnerabilities discovered by application scanners are being fed into web application firewall (WAF) platforms in near-real-time to block while the application fix is underway. Since the 2009 RSA show, the number of WAF vendors who offer dynamic blocking has tripled. The quality of the assessment is still key, but investigate what your WAF provider is offering, how quickly new policies can be deployed, and what the performance impact will be. This is an effective security feature, but it has potential policy management and performance impacts which you need to understand.
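The scanner-to-WAF feedback loop described above, as an added example that is not code from the original post or from any vendor's product: constructed scanner findings become virtual patches scoped to one path and parameter, each with an expiry date so that the policy-management question (which stopgap rules are still needed once the application fix ships) stays visible. The finding format, the deny patterns and the TTL are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed scanner output; the field names are hypothetical, not a real scanner's format.
SCANNER_FINDINGS = [
    {"id": "F-101", "type": "sqli", "path": "/products", "param": "id", "severity": "high"},
    {"id": "F-102", "type": "xss", "path": "/search", "param": "q", "severity": "medium"},
]

# Deliberately simple deny patterns per finding class. Scoping them to one path and
# parameter is what keeps false positives off the rest of the application.
PATTERNS = {
    "sqli": re.compile(r"('|--|;|/\*|\bunion\b|\bselect\b)", re.I),
    "xss": re.compile(r"(<\s*script|javascript:|on\w+\s*=)", re.I),
}

@dataclass
class VirtualPatch:
    finding_id: str
    path: str
    param: str
    pattern: re.Pattern
    expires: datetime  # a virtual patch is a stopgap; the TTL forces a review, not silence

def build_patches(findings, now, ttl_days=14):
    """Turn scanner findings into blocking rules; unknown classes go to manual triage."""
    patches = []
    for f in findings:
        if f["type"] not in PATTERNS:
            continue
        patches.append(VirtualPatch(f["id"], f["path"], f["param"],
                                    PATTERNS[f["type"]], now + timedelta(days=ttl_days)))
    return patches

def evaluate(patches, url, now):
    """Return the finding id whose live virtual patch blocks this request URL, else None."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    for p in patches:
        if p.expires <= now or parts.path != p.path:
            continue
        if any(p.pattern.search(v) for v in query.get(p.param, [])):
            return p.finding_id
    return None

def expired(patches, now):
    """Patches past their TTL: confirm the fix shipped, then renew or retire the rule."""
    return [p.finding_id for p in patches if p.expires <= now]
```

Rule lifetime is the policy-management cost the post warns about: a patch that silently outlives its finding still costs WAF cycles on every request and hides whether the real fix was ever deployed.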