Tuesday, February 02, 2010

Be Ready -- With Answers

Where are most reported security vulnerabilities located? In Web applications. How is malware predominately distributed and end-users infected? By visiting legitimate websites that have been hacked and loaded with drive-by-download browser exploits. What were the main attack vectors used in the Aurora attacks affecting Google, Adobe, Yahoo and many others? Targeted reconnoissance using social networks and Web browser exploits. What type of cyber attack recently targeted 49 US House of Representatives members just after President Obama’s State of the Union Address? Website defacement. Popular blog TechCrunch received similar treatment, twice, and just before Apple’s recent iPad announcement. What was the main attack vector used in the largest credit card breach ever, affecting Heartland Payment Systems? SQL Injection of a Web application.

Let’s also not forget that according to Verizon’s Data Breach Incident Report (DBIR), “SQL injection attacks, cross-site scripting, authentication bypass and exploitation of session variables contributed to nearly half of the cases investigated that involved hacking.”

Obviously today’s threat landscape is focused on the Web, not networks as in years past. We are now seeing larger, more high profile, costly, and embarrassing events with increased regularity. But make no mistake, this is just the beginning of what’s to come. The trends are easy to read. Web attacks will get worse, far worse, and far more common. Sure there have been some lawsuits and fines, but no one has gone out of business, suffered a significant stock drop, or lost their lives as a result of a Web security incident. The fact is everyone can still get their webmail, update their Facebook, post to Twitter, check their online bank account balance, and buy a book on Amazon -- all still relatively safely. Enjoy this moment, the age of application security innocence is nearly over.

Web security, application security, software security, or whatever you want to call it will soon come into its own. It will no longer be acceptable, feasible, or even seriously suggestible to run for cover by simply adding more firewalls and SSL. Things like “the cloud” will help make this fail plain as day. For application security professionals working in this field, struggling to get their concerns taken seriously by the business, rest assured very soon they will be coming to you rather than the other way around. They’ll want answers, nay solutions, and will come with a checkbook in hand ready to make the problem go away. When they come to you with this urgency it will be as result of a serious breach, customer revolt, vendor compromise, exposure of the organization’s crown jewels, etc. Issues that directly affect the bottom-line and the ability to transact business.

It would be nice to proactively head off the coming catastrophes, but unfortunately the information security industry doesn’t really work that way. Businesses have a hard time spending ahead of an incident. Really bad things have to happen before the allocation of resources can be justified. At least, that is how has always worked. So today your job is to prepare -- and have the answers ready when asked. This is how:

1) Make yourself visible
Brand yourself, and/or your team, as the go-to internal expert(s) for “application security.” Regularly share interesting links, summarize interesting white papers, and offer to coordinate workshops for management and development teams so they can get up to speed. If you need content, every Friday I publish a “Best of Application Security” feature on my blog. Of course, continue voicing concerns about present risks, even if it means being ignored and overruled when suggesting proactive application security programs. The side effect is that this will help establish your organizational visibility. And you won’t be ignored for long given the coming threats. These recent blog posts can help hone your arguments: “Budgeting for Web Application Security” and “Overcoming Objections to an Application Security Program.”

2) Have your answers ready
Build your internal step-by-step plan for an application security program. Need help getting started? Look no further than Securosis’s “Web Application Security Program” white paper. Take its guidance and adapt it to your organization’s specific needs. So when its asked for you are not caught flatfooted. Few things say more about a person and a security professional than their readiness, especially in the eyes of management.

3) Engage with the community
OWASP, WASC, SANS, MITRE, etc. pick your group and a project to get involved in. Meet people, ask questions, and help out as best you can. No one can be expected to have all the answers to every Web security question, the knowledge base is far too big, so build up your network of contacts so you can ask peers. Remember, this is a two-way street, you get what you give.


Sherif Koussa said...

Great post. SANS/OWASP actually did help a lot. One of the things that helped me personally was to get involved in security related open source app (WebGoat5.0 from OWASP in my case). It was a sure way for me to dive deep into the field and understand what's happening behind the scenes and how easy the attacks can happen.

Jeremiah Grossman said...

@Sherif, exactly. Not enough can be said about getting your hands dirty and working with others with similar interests. Well done!

Tyler said...

If you think you can get away with it, do PoC's against your own organization's web apps. People go nuts for that.

Jim Manico said...

I'm very excited to see synergy between OWASP, WASC, MITRE and other organizations. I think it's clear that those who want to work together to solve the complexities of AppSec understand just how difficult this field is. If anyone is offering you a silver bullet, be careful. AppSec is a team sport.

acheter kamagra said...

Si vous pensez que vous pouvez sortir avec elle, ne PoC contre applications web de votre propre organisation. Les gens deviennent fous pour cela.