The Future of Application Security
(ISC)²'s Lim on New Vulnerabilities, Development Strategies
Despite increased awareness of application security concerns, security leaders and practitioners throughout the Asia Pacific region continue to grapple with challenges and increasing vulnerabilities from emerging threats.
Anthony Lim, vice chairman, Application Security Advisor Council, (ISC)² of Singapore, says many organizations continue to struggle with understanding and dealing with application security, especially at a strategic level. Consequently, applications continue to reel under new forms of attacks, only increasing the challenges for CISOs.
"All I see are more targets for hackers - starting with just mischief and curiosity, leading to crime and other malicious intents," he says.
In this interview with Information Security Media Group, Lim says application security must begin at the development level. Security and development leaders must ensure programs are written properly in the first place, so they encounter minimum, if any, post-production fixes. He also discusses:
- Strategies to secure the application development lifecycle;
- How to bridge application security gaps;
- The future of application security.
Anthony is a pioneer holder of the (ISC)² Certified Secure Software Lifecycle Professional certification and recipient of its senior professional and president's awards. A 20-year veteran in Asia Pacific cybersecurity business development management, practice and advocacy, Lim was a regional security business leader at Whitehat, IBM, CA, Check Point and other U.S. vendors.
Securing the Development Life Cycle
GEETHA NANDIKOTKUR: Software applications are the top targets today. How should CISOs and practitioners secure the software development lifecycle?
ANTHONY LIM: Firstly, CISOs should recognize and prioritize that application security is a real issue and part of their responsibility - not so earlier, as development teams usually have no alignment with CISOs.
Security practitioners should ensure there are proper ethos and processes of software development quality assurance across the life cycle. If they outsource their app-dev, they should ensure suppliers observe the proper level of security-based quality assurance.
The CISO and team should keep abreast of application security requirements and align these with applications and middleware, etc., that their organization uses. Developers should keep security in mind throughout application requirements, architecture and design phases.
Top App-Sec Challenges
NANDIKOTKUR: What are the biggest application security issues?
LIM: Firstly, basic vulnerabilities like SQL injection and cross-site scripting (identified more than 10 years ago) continue to prevail, as applications get longer and more complicated - hence, susceptible to errors.
Secondly, new software application areas like Java, Android, cloud, Web 2.0, HTML5, and Internet of Things are becoming prevalent more quickly than people can learn about security issues.
Thirdly, vulnerabilities in middleware, like the recent Heartbleed and Shellshock-Bash cases, which had flaws embedded and unnoticed for years, are being uncovered, causing organizations and equipment to scramble for patches, solutions and updates before hackers and malware exploit them.
Bridging the Gaps
NANDIKOTKUR: How can these issues be addressed and security gaps bridged?
LIM: Traditionally, security teams represent the network and infrastructure domain, with little experience or interest in software development. Similarly, development folks have little experience or interest in security or network - hence the large gap in understanding application security. The question then is, who's responsible for secure quality assurance? If the organization's top officials don't take the onus for security and definitive security policy, hackers will thrive.
NANDIKOTKUR: Is the shortage of skills in developing secure applications one of the reasons?
LIM: No, there are many, especially the young, who can write programs and learn very quickly. But they are often not attuned to writing securely or quality-assuring their code. They write beautiful apps with rich features and functions, but miss the point that hackers can inject code to hijack their apps, or crash them, or "poison" their cookies.
Security in programming is not new - basics like input validation or error handling, if diligently included in app-dev, can stop many attacks. Also, when "borrowing" a software routine library, check if there's any flaw that must be or has been fixed.
Developers have the best intentions about writing good code, but pressures of time, resources and priorities make security quality assurance take a back seat, and an app goes into production with flaws that hackers find and exploit.
NANDIKOTKUR: How should the future of application security look?
LIM: With the explosion of software applications (mobile devices, cloud, web services, software-defined networks, datacenters, etc.), there's an increasing need for awareness, commitment and effective processes for security QA within the app-dev life cycle.
Ideally, I see developers and security professionals having some basic training (if not certification, yet) in applications security - even basics like requiring security elements right from the start in the requirements stage, including input validation, error handling, secure data handling and such features when writing code. They should also build security protections into the software like providing sufficient input validation so the application can't be attacked using command injection techniques.
Couple this with automated security QA scanning and reporting tools like "black-box" and "white-box" to ensure comprehensive coverage in the robustness of the application before production. As new attacks proliferate, both developers and security people must continually keep themselves informed of new issues and be ready and quick to access and deploy fixes to "old" issues suddenly being uncovered or exploited (like old Windows versions, Heartbleed, Bash, ICS/SCADA etc.).
Security and development leaders must believe the only way to ensure application security is having the programs written properly in the first place, so as to encounter minimum post-production fixes. There's no other solution to stop application attacks, unlike firewalls for networks. Web application firewalls are very hard to build, configure and use - that's why there are so few such vendors currently; though it makes sense to guard against unprotected vulnerabilities by using a Web application firewall.