How Do I Create More Secure Apps?
This security expert explains why testing, training, and practice are the keys to being secure in an ever-changing threatscape.
Thanks to Ed Adams, CEO of Security Innovation, for sharing his thoughts on the state of IT security today.
Q: How is your company involved in security?
A: Security Innovation, Inc. secures software for the world’s most recognizable brands. We do this by providing high-quality testing services for any kind of software plus a training platform to show engineers how to create secure code. Let me expand a bit:
- Application security testing: We secure software as if it were our own. Scanners are good for catching common problems in common software like web applications. However, software runs everything now – our phones, our cars, our commerce, and our healthcare. In order to protect important brands and sensitive information, you’ve got to test all kinds of software: embedded systems, web, cloud, mobile, legacy, etc. And you’ve got to test critical software deeply. That is precisely what we do for nearly 50% of the Fortune 100, always delivering zero false positives.
- Application security training: There are more than 40 million software developers… and only a very small percentage know how to write secure code. There isn’t any magic to it, but people need to be trained. They also need a place to practice, just like any skill. We offer more than 100 always-available online training courses, plus a CMD+CTRL practice range for web, mobile, social, and IT infrastructure so engineers can apply what they learned in a safe sandbox before taking their newly-learned skills into battle for real. CMD+CTRL is a “hack the app” game that users really enjoy. They learn and don’t even realize they’re learning.
Q: What do you see as the most important elements of application, environmental, and data security?
A: Software, software, and software. Most of our data today is digital (software) – and most of it is duplicated and stored in multiple places. Our critical applications are software-based (banking, e-commerce, healthcare, energy). Our environments are increasingly monitored and managed by software systems. If we don’t secure the software that is literally running our lives, we are doomed.
Q: Which programming languages and frameworks do you, or your firm, use?
A: For our testing and training platforms, we use (and have training for) almost every major development language and framework: Java, .NET, C/C++, Ruby on Rails, GitHub, iOS, Swift, Android, etc.
Q: How is the cybersecurity threat landscape changing?
A: Automated penetration testing is now a commodity. You can rent bots and cheap labor to run scanners to find unpatched vulnerabilities. Phishing emails to deploy malware is also rampant today – if companies only disallowed email from servers whose registration date is less than 2 days old, it would eliminate more than 90% of all phishing and spam traffic!
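The registration-age rule above, written out as an added example (not Security Innovation's code): the registration dates and messages are constructed stand-ins for a WHOIS/RDAP lookup and a real mail stream, and senders whose domain has no registration record are held for review rather than accepted, a choice the interview does not specify.

```python
"""Newly-registered-domain mail filter (constructed example, not Security Innovation code)."""
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for a WHOIS/RDAP registration-date lookup (hypothetical data).
REGISTRATION_DATES = {
    "example.com": datetime(1995, 8, 14, tzinfo=timezone.utc),
    "example-payroll-update.net": datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc),
}

MIN_DOMAIN_AGE = timedelta(days=2)   # the 2-day threshold quoted in the interview


def registrable_domain(host):
    """Walk up the labels (mail.corp.example.com -> example.com) until a
    registered domain is found; return None if nothing matches."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in REGISTRATION_DATES:
            return candidate
    return None


def classify(raw_message, received_at):
    """Return 'reject', 'review' or 'accept' for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return "review"                # malformed or missing sender: hold for a human
    domain = registrable_domain(addr.rsplit("@", 1)[1])
    if domain is None:
        return "review"                # no registration data: do not fail open
    age = received_at - REGISTRATION_DATES[domain]
    return "reject" if age < MIN_DOMAIN_AGE else "accept"


# Constructed sample messages and receipt time.
OLD_SENDER = "From: Alice <alice@mail.example.com>\nSubject: hi\n\nbody\n"
NEW_SENDER = "From: HR <hr@example-payroll-update.net>\nSubject: urgent\n\nbody\n"
UNKNOWN = "From: Bob <bob@nonexistent.invalid>\nSubject: ?\n\nbody\n"
NOW = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, m in [("old", OLD_SENDER), ("new", NEW_SENDER), ("unknown", UNKNOWN)]:
        print(name, classify(m, NOW))
```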
Q: What kind of security techniques and tools do you find most effective? Least effective?
A: Our world is application security, so we tend to focus on techniques that are effective at finding security vulnerabilities in software. We find threat modeling to be a most effective technique because it quickly identifies potential soft-spots in your application, and it also creates a de facto security test plan as you’re threat modeling. With respect to testing itself, we find grey-box testing to be the most effective method, by far. Grey-box is a combination of SAST (white-box, aka code review) and DAST (black-box, aka pen testing). Grey-box allows for the identification of source-code level problems; but, it also allows you to validate if the vulnerability is real vs. a false-positive, determine if a compensating control is in place (e.g., WAF), and trace data from the user to the code and back.
Q: What are some real-world problems you are helping your client solve by securing applications and data?
- Use a Dell laptop? We secure the file encryption and biometric authentication.
- Withdraw money from a Diebold ATM? Our software ensures secure communications with the ARM chips in there.
- Use AWS or Azure to deploy applications? We are retained to test and harden both platforms.
- Planning to buy a GM or Volkswagen? Our software secures your privacy in “the most important safety advancement since the seatbelt,” V2V (vehicle-to-vehicle communication).
- Take any PCI certification or re-qualification CBT course? We built it.
- Use Symantec anti-virus? We test it.
- Buy online? 5 of the top 6 credit card processors are our customers.
- Use any Microsoft software? We built the training courses that are mandatory for all Microsoft product teams.
- Ever take a breathalyzer test? We tested them for accuracy and anti-tamper.
Q: What are the most common issues you see affecting security?
A: Ignorance. Security is fundamentally a people problem. Better education means smarter decisions will be made. This is why phishing simulation has become so popular. Assess, train, re-assess. We’ve been doing it for decades in many other industries. IT security’s time is now.
Q: Do you have any concerns regarding the current state of security?
A: How much time have you got? Don’t get me wrong; we are improving. However, so are the bad guys. This is an arms race. Until we start legislating, and yes, I mean national and other state government involvement, we are never going to make real progress.
Q: What’s the future for security from your point of view - where do the greatest opportunities lie?
A: I think cybersecurity insurance has a very bright future because I see it becoming mandatory once legislation starts to become reality.
Q: What do developers need to keep in mind when working on security?
A: That it takes just as long to write a line of secure code as it does to write a line of insecure code. Security is not a tax on software development alacrity; in fact, building security into requirements and design early in a software development project has been proven to increase the throughput of a development team. Fewer defects, less triage, and less re-work/patching leaves time for more feature development and innovation.
Q: How do developers and security professionals fail to work together now, and how can they work together more effectively?
A: A core shift in culture is needed. Developers need to understand that security is simply another aspect of software quality – just like functionality, performance, reliability, accessibility, etc. Once they acknowledge this, they can own it. Once they own it, the security problem begins to be addressed at the developer desktop and we can finally start to secure at the source. Security professionals need to stop relying on automated scanning tools that inundate already busy developers with loads of false positives, that end up wasting the dev team’s time. This is a primary reason for the friction between developers and security professionals today.
Q: Is there anything you’d like to know about what software developers are doing with regard to security?
A: I would love to understand how many companies have put a real DevSecOps practice in place. A lot of companies are talking about it, but I have seen very few actually do it. I fear this is going to end up being another buzzword that has great potential in the concept, but can’t get any traction in reality. Kind of like RASP (real-time application self-protection) – great concept but more science fiction than reality… and will be for quite some time it appears.
Q: What have I failed to ask you that you think we need to consider with regard to security?
A: Keep the conversations going! Keep talking about it, writing about it, exploring it. Don’t let security fall off your radar – it is too important today. If you do, your tomorrow is going to be a lot more painful.