Web Security: Forget Evolution, We Need a Revolution!

Not a week goes by without Web hacking – Sony (again!), FBI, Citibank, ADP, and many others that we don’t even hear about. At best, companies are tinkering with their Web security issues instead of attacking them head-on. What more proof do we need that it’s a war out there? It’s time to wake up people. Either you fight to protect your property or surrender and let looters take what they want. You wouldn’t leave the door to your house unlocked. Nor would you have your valuables lying around for anyone to steal. And you would protect your car against theft by having an alarm. So, why would you leave your most important assets, your information assets, available with limited or no protection?

And, playing with an occasional and casual assessment of Web security or bringing a few consultants in to get your PCI compliance for the auditors is not going to cut the mustard. We need a totally radical approach to the problem.

When do you need Evolution?

Evolution is good for certain things. Human beings have evolved over many centuries. We couldn’t have done a revolution to change human beings. It’s part of the natural process. That’s because it’d be an unnatural act to change that process. Evolution, by definition, means progression over time. Even in the technology arena, we didn’t go from 64K of memory to many gigabytes overnight. It took many years to get there. A drastic move like that would be cost prohibitive and not practical. Of course, once we know how to expand, we can start leap-frogging by doubling or tripling our performance in a very short time. Moore’s law proves that theory. We also didn’t jump from Mainframe to Cloud in a year. It took many years of evolution to go through client-server, Internet, and other phases. Who would have imagined iCloud in the 80s? Even in programming languages, we have been using C, C++, and Java for more than a decade. Yes, we have had derivative languages in between like Ajax, but the fundamentals haven’t changed that significantly. Evolution is good in cases where slow adaptation is required because the risk of revolution is much bigger, and in some cases, too costly. Another possible issue could be that no one is motivated enough to start a revolution.

When do you need Revolution?

A revolution (from the Latin word, revolutio, "a turnaround") is a significant or marked change that usually occurs in a short period of time. Although revolution is mostly associated with political incidents like the recent revolutions in Tunisia, Egypt, and other Middle Eastern countries, there are many examples in technology and business. The Industrial Revolution in the 18th to 19th Century clearly changed the dynamics of the world. And, who can forget the Internet Revolution, which, with the advent of browser technology in the 90s, changed the way we do business? One could also argue that even though cell phones have been around for a while, smartphones with iPhone and Android also started a revolution in which the dynamics of accessing almost everything from your cell have changed and will continue to change. Revolution is important in cases where the old way just isn’t working and people are tired of it. Sometimes people might not know what the new solution is, but they are ready for that big change.

Application Security Crisis

Security issues in applications have been around for decades. Hackers have been exploiting vulnerabilities and attacking and stealing information for many years. It’s gotten much worse in recent years because more and more transactions are being done through websites -- low-hanging fruit for hackers to exploit Web vulnerabilities. Traditionally, schools have never done a good job of teaching students how to do secure coding. They were taught to avoid basic software defects but not to worry about security. It’s only in recent years that some universities have started to emphasize secure coding in their computer science curriculum. So, years of evolution in application security have resulted in a lot of code and over 250 million websites, most of which are vulnerable. This has put us behind the hacker curve by many years. A continuous evolutionary approach will be disastrous, with more lethal and devastating attacks against our commercial and government infrastructure. We know that more and more organized hacker groups are forming outside the U.S. that are having a field day attacking our web infrastructure. In addition, while many belittle the threat of cyberwar, it’s very real, as evidenced by many Chinese-sponsored attacks. And, it’s not going to stop. It’s time for a revolution to protect your websites.

How to Revolutionize Application Security

Let’s first look at what organizations have been doing in application security with an evolutionary approach. Large organizations test only a fraction of their applications, mainly the external-facing ones, so they can get compliant with various regulatory standards like PCI, NIST, SANS, FISMA, etc. Most auditors don’t necessarily look to see the depth of security testing and how these companies are fixing vulnerabilities or blocking them in the interim. And, this fraction of applications is only being tested annually, or quarterly at best. As I have mentioned in a previous article on this site, this is like doing partial heart surgery. End result? A false sense of security. Small to mid-sized companies are in even worse shape. Their limited security budget is typically allocated to other security issues like network firewalls, anti-virus, anti-spam, etc., with limited to no funds going to application security, where the hackers are attacking. So, you are spending a lot more incremental budget on other security problems to gain marginal security and spending little to none on Web security, where all the vulnerabilities are. The math is very simple. Borrowing from the famous U.S. robber Willie Sutton, who said he robbed banks because that’s where the money is: why do hackers attack Web applications? Because that’s where the vulnerabilities are.

But, what does it mean to take a revolutionary approach to application security? You have to take an aggressive stand to attack the problem. Here are a few steps to start a successful application security revolution:

Create an aggressive plan – Include your reasons for why you want all applications tested on a continuous basis. Create a proposal that shows the return on investment and highlights the recent breaches. Pick a short time frame to start seeing results. Remember, this is a revolution, not an evolution.

Educate everyone – Get more stakeholders involved and get their feedback. Educate them on why this is imperative. It’s a collective issue, not just one individual’s. All business units should be concerned about these issues.

Get top brass involved – CISO, CIO, CFO (yes, just mention the impact on the stock price in the case of the Heartland breach), and the CEO. Educate them, but more importantly, let them hear it from the horse’s mouth. Set up calls for them to talk to the victims – Sony, Heartland, Citibank, Epsilon, and many others.

Recognize others – This is not about being a hero. Recognize everyone who’s helping you so they pull in more people.

The plan should include:

- Objective – why this is so important

- Inventory of ALL Web applications – external and internal, listed in priority order

- Plan to test all of these applications – you can vary the depth of testing depending on how critical the application is

- Examples – include cases of recent breaches with their financial impact

- Cost – show the cost of testing all applications with a combination of automated and manual efforts, including the internal headcount

- Return – show the cost of not moving forward with the revolution, with calculations on the costs of a breach, compliance issues, brand equity, etc.

- Implementation plan – with a tight timeline for every step and the owners

- Remediation plan – show how the vulnerabilities will be fixed or blocked to protect the infrastructure. Prioritize your vulnerabilities using a quantitative score.

Go for it, Captain! You are in charge!

Mandeep Khera is the Chief Marketing Officer at LogLogic. Prior to LogLogic, he was at Cenzic, a Web Application Security software and Cloud company, where he served as the CMO for 8 years. He has more than 25 years of diversified experience in marketing, engineering, business development, sales, customer services, finance and general management for companies such as VeriSign, Hewlett-Packard, Unisys, and many start-ups. You can follow him on Twitter at @appsecurity.