I interviewed world-renowned computer security and cybersecurity expert, Walter O’Brien--the founder and CEO of Scorpion Computer Services, Inc., as well as the executive producer of the CBS crime-drama, Scorpion--for his take on the future of application security. His company’s product, ScenGen, is used to test application security rigorously.
Walter immigrated to the United States on an EB-1-1 visa and has since built Scorpion Computer Services into a security juggernaut that works with a mix of contractors with IQs and emotional quotients (EQs) greater than 150. Scorpion Computer Services’ revenue is split between federal and state government, Fortune 1000 enterprises, and private-party concierge services that help individuals and small businesses.
Scorpion Computer Services approaches everything like a software problem, using an agile process to arrive at solutions. The company regularly consults with U.S. government agencies to stop foreign hacks, build cloud architecture, and secure data in the cloud. The company increasingly finds itself in competition with Ernst & Young, Boston Consulting Group and Bain Consulting in the pursuit of consulting contracts.
One of Scorpion Computer Services’ products, ScenGen, is a scenario generator written by Walter O’Brien and deployed on a number of projects including financial services and electric utilities. ScenGen is an artificial intelligence engine that generates all conceivable test scenarios for the target software, which, in result, provides 100% test and behavioral coverage. ScenGen has been used in application security testing environments to identify possible security vulnerabilities in banking software and electric utility SCADA systems.
An expert in application security, I asked Walter about the topic for our DZone readers.
T: What do you see as the most important elements of application security?
W: First, most applications in use by financial and energy institutions today have not been thoroughly tested from a branch coverage perspective. When we look at many of the possible combinations of paths through the application have not been tested before delivery, we see situations where these paths are first made by end users. Hackers can-- and do--exploit vulnerabilities by finding scenarios that were never identified during testing. For a real and recent example: An email system could be vulnerable to attack if no one has tested sending a blank email, unexpected characters like emojis, or an unusually large body of text. Hackers capitalize on those unknowns. And when they find those vulnerabilities, they exploit them.
Second, we see a lack of consequences for the personnel who should be responsible for securing applications. The same bank has been hacked every six months for the last six years retains the same CTO throughout. A number of institutions lack the identification of who is ultimately responsible for application security, and they fail to measure and act when systems fail. Application security is still not given sufficient weight among C-level executives.
Third, migration integrity. Institutions don’t always get from developers what they asked for. There’s a pervasive inability among institutions to prove that what was developed and integrated into their systems is what they asked for. Particularly acute is the inability to identify “secondary considerations,” like application security.
T: What institutions can do to strengthen their knowledge around application security?
W: Use ScenGen (scenario generator), Scorpion Computer Services’ artificial intelligence engine to help identify every possible scenario through an application. Generate all possible tests against the software, and with 100% test and behavior coverage, if anything changes you’ll know.
Use Serem for migration integrity: Every file is Choctaw with a unique key for the file and proves that nothing has changed in the file from when the key was established.
Measure keystroke dynamics: the rhythm with which you type in your username and password. We can absolutely cut down from 100,000 hackers to maybe five that have a level of sophistication and intelligence that will require extra work.
Apply automation and tools. Trust but verify. Use automation to ensure that tests are repeatable, executed rapidly and to generate metrics for test execution coverage.
T: What are the most important tools in application security?
W: Really good tools find problems and then people need to fix those problems. Others have tools that do not find problems, but they will give you a certificate of security for $10,000. Under the latter scenario, all that the institution receives is plausible deniability. And at that price, it’s expensive. Many security firms got to where they are today because they are politically suitable. People with real security software and relevant expertise can be expensive in terms of time, and it is very time-intensive for a company to address all the problems that a thorough investigation uncovers. More importantly, a thorough investigation into application security can expose problems and eliminate plausible deniability.
T: What are the skills that make someone good at developing secure applications?
W: First, experience does matter. Experience in application security is ultimately an accumulation of skills. Having a resource available that thinks like a hacker--particularly in cyber-sensitive areas--is invaluable. Second, know the difference between optimistic versus pessimistic coding. For example, a brokerage house and a financial exchange have an agreed upon protocol financial interchange. If you assume the protocol financial interchange is faulty, and you’re going to get errors, you will be prepared for it. Evaluate a programmer with the equivalent of a security stress test. Send errors and see how the programmer responds. Set expectations, build something bulletproof, and be pessimistic. Design around the contract instead of starting with code, and begin by writing test cases. Write the test first. If you are unable to do so, you don’t have the requirements you need to write the code. If you hire a security firm and they find no problems, you don’t have the right security firm. I know one company with its CSO in a different building and on a different floor from all the application testing employees to maintain plausible deniability.
T: How has application security evolved over time?
W: We’ve seen an evolution in awareness. Everyone talks about cyber security but people confuse talking with doing. Not enough is actually being done, even though CSOs and CTOs are increasingly educated about the risks. Insurers have taken note, too, and ask to be compensated accordingly. So far, there’s no effect on the application security robustness--other than rising insurance rates.
Companies have been unwilling to spend the time and the money to identify and fix the problem because it costs them less to take the losses and pay insurance premiums. There is a certain tolerance for errors and financial losses from hacking. So far, the prevalent view is that executives don’t yet care about the security of their customer’s information. They care more about the bottom line.
It’s not a dire or unfixable situation, however. Confirmed incidences of ransomware will grow. It will take someone stealing $10 billion--or catastrophic destruction of difficult to replace critical infrastructure--and insurance not covering the loss or for premiums to rise to uncomfortable levels before companies start taking application security seriously.
T: What’s the future of application security – where do the greatest opportunities lie?
W: Put customers and security first--ahead of the shareholders. Prioritizing customers and security will ultimately take care of the shareholders. If a bank ever differentiates itself as being the most secure bank, it will earn a lot of business. There are opportunities for brands to adopt a more secure solution and make that part of their marketing. There’s an opportunity for more cloud migration.
After thirteen years of operating AWS, Amazon has gotten pretty good at security. Companies need to get out of the business of running their own data centers and moving to secure clouds and hybrid clouds. If one cloud company is holding the data centers of 100 Fortune 1000 companies, they can afford to invest in the high level of security we’re talking about.
Right now, as an economy, the United States is putting $1 trillion under the mattress every year and it’s getting stolen. Procurement is the enemy of security because it takes three or four years to buy technology and install it. And by then it’s out of date.
T: What do developers need to keep in mind when working on application security?
W: First, be pessimistic by assuming the worst. Second, managers need to budget and allow enough time and financial resources to test. Do not have the same people write code and test it. Developers build and testers break. The two have a different mindset. Third, recognize the importance of configuration management to ensure you’re delivering the right package to the right person at the right time.
Configuration management is not a side hobby. You can improve productivity in an organization by giving one person the job of ensuring a clean deployment. This relates to security because things are wrong and everything should be secure. Open source has vulnerabilities in it. Politics are one culprit. You can be right, or you can be popular.
T: Parting thoughts?
W: Getting on the radar is important but so is getting people to take action. There’s not one simple solution. We had a cyber “Pearl Harbor” with the Office of Personnel Management (OPM) cyberattack, and that Office shouldn’t wait for another. Computers aren’t magic--they’re math. Scorpion Computer Services and others provide real solutions to security problems.