
The Weakest Link in Security

PCQ Bureau

Today, every organization makes sure that its IT infrastructure is secure by using firewalls, IPS, etc., making it extremely difficult for perpetrators. Hackers know this too, which is why they keep looking for new ways to attack. The soft spot turns out to be application vulnerabilities. So organizations are slowly realizing that while their network, OS, and the standard applications that ship with the OS are adequately secured, their third-party application infrastructure is vulnerable to malware attacks and therefore needs to be secured as well. This is easier said than done, because application security is still a comparatively newer domain than infrastructure security and will take some time to grasp.


The focus is therefore gradually shifting to application security and its testing. Companies are now looking for ways to secure the applications their business runs on. What makes matters even more difficult is that most applications have become Internet-ready, which has made security threats more sophisticated and rampant.

As applications get bigger and more complex, ironically the coding skills needed to ensure their integrity have not evolved at the same pace. No one knows whose applications will be the next target, so it is becoming increasingly important for every company to focus on improving application security. Each application author needs to ensure that a vulnerability in their application is not the one exploited in an attack.


According to various research reports, application and software vulnerabilities are responsible for 75% of security breaches, making them the majority of exposures. A hacker will always try to find the easiest place to attack, i.e. the weakest link. Since application vulnerabilities are the most common, it is only natural that hackers attack them. Application developers have usually focused on parameters such as functionality and performance because that is what their customers or users have always demanded. Focus on the security of the application has been considerably low, as it has not been specifically asked for. As the saying goes, most investments are made to 'get' something. Investments in security, however, are made so that we 'don't get' something, namely compromised or exposed. Hence they are extremely difficult to quantify and justify.

Developing security standards

'Standard' is the term used when a way of doing things has achieved large-scale acceptance, so the seed of every standard is a best practice. Organizations can therefore start by adopting best practices such as secure coding guidelines, developer training on secure coding principles, application risk assessments and security testing.

Security standards allow for a common baseline of application security development and testing across organizations and industries, which raises the bar for attackers. They should be set up so that they are used consistently and measurably across organizations. Each organization then needs to fine-tune its security standards for its applications based on its customer base and the data it manages.


Organizations should follow a few steps. First, set up a security core team that can define a suitable security architecture and benchmark it against the industry. Next, assess the current security practices and conduct a gap analysis, followed by identifying the security processes for the secure software development lifecycle (SSDL). After that, train the identified development teams and follow through with hand-holding throughout the SSDL. Finally, facilitate the rollout and stabilization of the process across the organization.

There are several standards or schools of thought, the most notable being ISO 27001 for computer security. Unfortunately, there is currently no standard for application security testing, though doing most of the above would be a good start. What to adopt depends on what the person or organization wants to secure in the first place: list the needs and objectives, then go through a risk management exercise, first internally and then with a qualified consultant.

At the end of the day, a security standard is only a reference guide. It should not give the user a false sense of comfort.


Building a security team

Building a security team today is a challenge because many organizations seem to have a 'mental block' about prioritizing the budget and management power to make it happen. They are yet to fully appreciate the importance of security, which is still perceived as a cost and an inconvenience on the side, which is also why there is suddenly a plethora of compliance and regulatory policies.

Perhaps one of the biggest challenges in building a security team is the lack of suitably qualified and experienced personnel. IT security is a fairly new industry, and the shortage of QA professionals with security testing expertise is a real problem. Until recently there were no CISOs/CSOs, compliance officers or IT auditors. These days, to meet the shortage of professional and technical manpower, universities and schools in many countries are starting courses and awarding degrees and diplomas focused on IT security.

"Organizations seem to have 'a mental block' while building a security team. They think a lot, right from prioritizing the budget and management power, to eventually build this. They are yet to fully appreciate the importance of security, which is still perceived as a cost and an inconvenient pain. This may be the reason why there is suddenly the plethora of compliance and regulatory policies."

Anthony Lim, Director, Asia Pacific Security BU, Rational Software, IBM

"Security standards should be set up in a way that they are used consistently and measurably across organizations. Each organization needs to fine-tune their security standards for their applications based on their customer base and the data they manage. For this, setting up a security team that can create a suitable security architecture and benchmark against the industry is very important."

Sridhar Jayanthi, Sr VP Engineering, Managing Director, India, McAfee


The challenges range from getting companies to prioritize security to finding talent. The team is always chasing a moving target. The whole process involves a huge learning curve and a lot of expertise to understand the dynamics of security. Getting support from management and showing RoI on secure development processes is perhaps one of the greatest challenges in this field. Guidelines for distinguishing a security bug from a functional issue are very tough to create.

Challenges in building a smart tool

With the increased level of sophistication, a good start would be for developers to add 'security' as a key design parameter or requirement when creating applications. How much security to build in needs to be derived from the risk the application faces in terms of its use and deployment. One cannot expect developers to think only of security, because ultimately applications are built to aid the business, not to hinder it. The key is to build in the right amount of security right from the inception of the application and across the software development lifecycle, and to keep an open mind while developing. Building a security tool is a challenge given the diversity of software applications and systems. No single security tool can address all phases of the development life cycle, or all potential threats to applications.

Another point to remember is that a security tool is itself software, so all the rules of software security apply to these tools too; in fact the tool itself should be secured even more. The big challenge faced by security tools is automation. The hacker has all the time in the world and, most importantly, is a human who can think differently and sometimes outside any set 'algorithm'. A protection mechanism that tries to defend against this irrational attacker therefore finds it difficult to handle the variations. A good security posture is thus a combination of a tool (automation) and expertise (human).


A smart security tool would be one that enforces the processes and workflow of the secure development life cycle. Such a tool would centralize the management and execution of the various stages of the SSDL and could be adapted by each company to its own requirements and processes. Once developed, the whole thing should be transparent to the end user.

Setting up standards

Some of the challenges are the ever-changing face of IT security, finding knowledgeable people, providing training to employees, being able to show the company an RoI on the investment required for a stable, robust and sustainable secure development process, and of course the constant pressure of lack of time. In many ways the business challenges are similar to those of investing in insurance: the RoI is not clear until there is a security violation. There is a need to create individual standards keeping the customer's demands in mind.

The first challenge is finding a standard the organization can learn, understand and finally implement. Secondly, the company has to decide what it wants to secure, which staff and departments are involved, and who will own and manage the initiative, and ideally hire a consultant to advise or seek peers' experiences.

Developers vs Testers

There are several differences from a skills and experience standpoint. An important aspect here is 'psychology', or the difference in thinking. The developer is a 'builder' or 'creator'; he wants to build something useful for good users, so his focus is on giving good features, performance and so on. Adding security controls reduces the good experience of the good users, so he doesn't like it. Developers are also proud of what they have built and get very defensive when mistakes are pointed out, trying to show that the mistake is not there rather than fixing it. The security tester's job is to find mistakes. Testers are more concerned about how the bad guys would attack the system than how the good guys would use it. To them, five locks on a room is good security because it helps stop the bad guys; in fact they would be unhappy to find all the locks are of the same type and would insist on different types of locks so that it is harder for hackers to pick or crack them. Testers tend to overlook the practical difficulties of building security controls. All this leads to conflicts between developers and testers, which in turn leads to insecure applications. A balanced approach is required, and both teams need to work together to secure all necessary applications.

Though there is no 100% solution for application security, everyone should still look at the efficiency and effectiveness of security testing, which is cost-effective and increases customer satisfaction.
