Part 1 — Defensive Application Security in a Modern Organisation
Defending web and mobile applications against the bad guys has always been hard; there is no escaping that fact. However, it doesn’t seem to be getting any easier either. Evolving development practices (Agile, DevOps, CI/CD, IaC) have a big part to play, but there are several other trends that are also not helping the situation. So in this modern world of development, how can we better secure these applications?
The short answer is that we need to change the way we approach application security, by designing an application security programme, or secure software development lifecycle (SSDLC), that fits better into these evolving development practices.
Before we cover the how, let’s take a look at some (there are probably a lot more!) of the trends making it harder to secure modern-day applications.
Online Tech Boom
Businesses are being forced online as newer tech companies disrupt their current business models (Uber to the transport industry, Airbnb to the hotel industry, Netflix to the movie and DVD industry, Alibaba to the retail industry). The use of smartphones and IoT devices has also increased the number of internet-connected devices online. It’s no longer strange to hear about interconnected toasters or teddy bears.
These new business models, especially those of free online services, rely heavily on collecting personal, sensitive, unique data about their customers. The majority are online-only companies that don’t own many physical assets or products and instead monetise their users’ data:
- Uber, the world’s largest taxi company, owns no vehicles.
- Airbnb, the largest accommodation provider, owns no real estate.
- Netflix, the fastest-growing television network, lays no cables.
- Alibaba, the biggest online retailer in China, has no inventory.
- Facebook, the biggest and most popular social network, creates no content.
Also, don’t forget the saying “If you are not paying for it, you’re not the customer; you’re the product being sold”. What does this mean? Well, attackers have bigger incentives (more sensitive data to steal) and a larger attack surface to exploit. And boy, have criminals taken advantage of the situation. Ransomware is everywhere, stolen data is being sold on darknet markets, DDoS-as-a-Service providers are blackmailing companies and individuals, and of course stealing payment data is still a common occurrence.
Changing Development Practices
To get products to market quicker, companies are moving from physical data centres to the cloud. A big motivator for this move is that it makes it easier to adopt DevOps practices, Agile methodologies and continuous development / delivery processes. These shifts in methodologies, platforms and practices have rapidly changed the way we approach building software and have also enabled companies to develop and deploy much faster than was previously thought possible, changing the deployment time scale in most cases from months to hours.
Silicon Valley has even coined phrases like “fail fast, fail often”, referring to the mentality that we need to deploy to production more often, even if that means we break the site more often too. The idea is that if we move faster and in smaller increments, the failures will be faster to fix and have less impact when they do happen. Well, that’s the idea anyway; the reality is a little different!
The point is, waterfall-based development with 3–6 month deploy-to-production release cycles is behind us and will stay there, especially for the online tech industry. So we can’t expect the traditional, heavily manual security processes to fit into this new way of looking at software development.
More and more breaches are making it into the public domain and even onto mainstream media, and people like Edward Snowden and TV shows like Mr Robot are educating the general population about the importance of good security practices, not only in their personal lives but also in a business context.
However, even with this extra exposure to breaches and how they affect companies, it can still be difficult to convince businesses to invest in the security of their applications. So there is less focus on security and, in turn, fewer jobs available… which brings us to the next trend.
Security Skills Shortage
What does a decade or more of companies not caring about or investing in security look like? Well, it looks like a very small community of skilled professionals. Security-related jobs have increased recently as businesses finally realise they need to start investing in security. However, skilled security people don’t just pop up out of nowhere, so it’s going to take a while for universities, schools and industry to catch up with this demand. In the meantime, this shortage has led to companies struggling to hire skilled security people to fill these much-needed roles.
Security is Hard
Hackers have it easy: they only have to find one hole in a system at one point in time to break in and steal data. Companies, on the other hand, have to constantly defend against attackers by securing not only that one hole but every hole, making sure all those holes stay closed and no new ones open.
OK, so “have it easy” is not fair, but it is true that defensive security is difficult and a complex beast at times. Implementing an effective application security programme with 1–2 security people, a limited budget and 200 developers who release code to production 30 times a day and all use different technology stacks makes the problem of securing these applications quite tricky! Resources, tools and services from the likes of OWASP and the rest of the security industry help, but it takes time for them to catch up with newer industry trends and practices, making it hard to select and implement initiatives that will work within your organisation.
Light at the End of the Tunnel
Can we secure applications developed using modern practices and processes while still allowing companies to deliver software at speed? Yes is the quick answer, as many companies have proved it can be done. However, it’s not an easy journey, with roadblocks at every turn and a very confusing landscape of sometimes ineffective “best practices” to wade through. If you are interested in learning about designing and implementing an application security programme, then check out the next articles in this series.
Articles in this series