The 2015 (ISC)² Global Information Security Workforce Study captures something we know to be true, yet few surveys actually spell it out so clearly: application vulnerabilities (security defects) represent the top security concern of the 13K+ information security professionals surveyed.
These security concerns are the things that keep the surveyed information security professionals up at night, and application vulnerabilities are the top concern for almost ¾ of them. There’s good reason to worry about application vulnerabilities – applications are prolific, easily accessible, often not developed with solid security in mind, and typically contain lots of vulnerabilities. Perhaps we’ve become desensitized to the constant flow of vulnerabilities being published on a daily basis. “Oh! Another vulnerability. We’ll have to [fix | patch] that sometime….” Building secure software applications is a hard problem, particularly with business pressures to release new functionality quickly for systems that are often very complex and hard to keep secure.
At a high level, software security defects are generally due to either some flaw (in architecture, design, logic, or coding) or a system misconfiguration. There’s an abundance of gory details that represent root causes, but for argument’s sake, let’s bucket the causes as either a developer-induced flaw or a system misconfiguration.
We know about the challenges of building secure software, yet so much software gets released with so many vulnerabilities. I think two big causes of vulnerable software are:
- the software security knowledge gap in the development team
- the lack of sufficient security testing
For example, the Study found that of the Top 10 Common Threats, web application attacks (other than SQL injection) were ranked 3 out of 10, and SQL injection was ranked 6 out of 10. SQL injection, at least, is a very well-known issue: countermeasures are well-documented, and it is easily preventable. So why is SQL injection still such a big problem? Perhaps development teams don’t really know about SQL injection and how to prevent it. (There are also other possibilities, such as being forced to use insecure libraries.)
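The preventability of SQL injection described above, shown as an added example that is not part of the original post: a string-built query beside its parameterized form, with a small check of the kind a team could run during coding. The table, function names, and probe strings are constructed for illustration, using Python's built-in sqlite3 module.

```python
import sqlite3

def make_db():
    """Build an in-memory database holding constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn

def find_user_vulnerable(conn, name):
    # Flaw: the input is concatenated into the SQL text, so a quote in
    # `name` changes the structure of the statement itself.
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()

def find_user_safe(conn, name):
    # Fix: a bound parameter. The driver passes `name` as data only,
    # so it can never alter the statement.
    query = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()

# Constructed inputs; none of them is a real user name in the sample data.
PROBES = ["' OR '1'='1", "alice' --", "o'brien"]

def injection_findings(lookup, conn):
    """Return (probe, symptom) pairs where the lookup misbehaves.

    A correct lookup returns no rows for every probe and never raises,
    because no stored name equals any probe string.
    """
    findings = []
    for probe in PROBES:
        try:
            rows = lookup(conn, probe)
        except sqlite3.Error:
            # The input broke the statement's syntax: it reached the parser.
            findings.append((probe, "sql error"))
            continue
        if rows:
            findings.append((probe, "unexpected rows"))
    return findings

if __name__ == "__main__":
    print("vulnerable:", injection_findings(find_user_vulnerable, make_db()))
    print("safe:      ", injection_findings(find_user_safe, make_db()))
```
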
Software Security Knowledge Gap
The Study also discusses the importance of training. Because building secure software is a difficult problem, it requires specialized knowledge to get it right. The challenge is ensuring that each member of the team has the software security knowledge needed to fulfill their particular role – as a designer, architect, coder, tester, etc. There is a cascading negative effect as software applications move from one phase of the development lifecycle to another, so it’s important that each person does their job correctly to ensure security is considered at each phase and that their teammates are set up for success. Technology and attacks are constantly changing, and it is necessary to keep the entire team current with what is going on so that they can proactively design, build, and test applications to be as secure as possible. As such, it is necessary to invest in your personnel to give them the training and the tools they need to build secure systems.
Security Testing
Security testing is an incredibly powerful tool to help look for vulnerabilities. Security testing should also be done during coding so that issues can be found and remediated quickly. It goes without saying that security testing also needs to be done when the coding is completed, and in a manner that is commensurate with the risk: a dynamic scan may be appropriate for some applications, but other applications may need to have a full manual penetration test, fuzzing, static code analysis, and a manual code review. Thorough and appropriate security testing helps find those security defects that keep the information security professionals up at night.
The following set of charts from the Study points out that application security scanning is not done as often as it should be. It’s not done when it should be (early in the lifecycle), and it’s not done as it needs to be for applications hosted in data centers and in the cloud.
Helping You Build Secure Software
Security Innovation can help you build secure software. We have a comprehensive training program that offers role-based training for the entire team that can address the software security knowledge gap found in most software development teams. TEAM Professor is computer-based training (CBT) that consists of over 100 courses. The CBT classes are a convenient way of allowing geographically dispersed development team members to get the technical training to help them know what to do and how to do it. For hands-on and highly interactive training, we offer Instructor-Led Training (ILT) delivered by a team of professionals. In addition, the TEAM Mentor knowledge base is an interactive database with prescriptive guidance and code examples to help developers better understand analysis tool output. TEAM Mentor integrates with static analysis tools to provide answers to developers’ software security questions right from within the IDE.
Security Innovation offers a variety of security testing options to help catch the security vulnerabilities that slipped through. MAST (Managed Application Security Testing) is a turn-key security testing solution that matches the level of security testing with your enterprise application risk profiles. We also offer a comprehensive suite of Software Security Assessment activities, including:
- Architecture & Design Reviews
- Security Code Reviews
- Application Penetration Testing
- Threat Modeling
By educating the entire development team, you can close that software security knowledge gap that contributes to so many software security defects. Properly and thoroughly testing the application as it is being developed and after code completion can help find bugs that have slipped through so that they can be fixed. These are two powerful actions that can mean more robust and secure applications.