I spent last week at this year’s RSA Conference in San Francisco with a new look at it from a pure Application Security perspective, and specifically one of education for application developers. I left the conference with a sense of optimism about where we are headed. Application security improvement is not about a tool (although tools must play their part); it’s about people, process, respect for the developer and a shared goal. I am glad to see this being talked about more and more and even happening in practice.
This is neither new, my idea, nor unknown, but it is still amazing how many stories there are of a scanner of some sort being rolled out with little else. Inevitably a big report of vulnerabilities is handed over to a development team without context but with the demand they be fixed. And inevitably, either nothing is done, or just enough is done to appease auditors and other compliance gods without any improvement in security.
Some examples from my experience at the show where this is changing:
- John Sapp gave a great talk entitled Innovation in Application Security. He explained how he approached the problem by building a process, including a model of a federated relationship with the business units that operates according to their needs, under a framework that allows feedback about improvement steps and measured results to be shared with management.
- Two different meetings with large organizations, one a Security Innovation customer and one not, that built well thought-out training programs for developers to roll out static analysis. The training included secure application development as well as hands-on applied use of the tool that was being rolled out.
- Meetings with several vendors in the vulnerability management space that all saw the expressed need for developer education as it relates to their scanning offerings.
- Meetings with several vendors in the security education and certification space all seeing the need to do more specifically for application developers.
- This article, which Bill Brenner of CSO Magazine wrote about the Rugged Software Initiative get-together, a meeting I did not attend.
This all adds up to good news. Many different people and organizations are coming to the same conclusion: that we in security need to work in partnership with those doing application development to facilitate their work, which will provide maximum security gain with minimum pain and produce measurable results; and that, like us, application developers care about what they do, have pride in their work, and do their job well. The poor state of application security is not due to laziness or stupidity, but rather to a lack of security built into their process and goals, and a dearth of security education specific to the job they have. This is what has to change, and I see signs across the industry that it is.