The software security world is prone to ebbing and flowing. Twenty years ago, firewalls were the new hot solution. Fifteen years later, there were these hot new things called application firewalls. What was old was new again.
So it was at the annual RSA Conference this year. Last year was something of a flush out, as some venture-backed security firms made their last gasps, giving way to a slightly smaller show floor this year. Chief among last year’s meltdowns was Norse Security, a company that offered little more than a live threat map, and which only two years ago was the hottest booth on the show floor.
This year, Norse is gone, and taking its place are a host of companies both old and new, offering technology that, were it offered in a vacuum, would be slightly puzzling. After all, less than a year after computer security literally influenced the American presidential election, the big theme of the show is visibility solutions.
While this may seem like a step back, Jeff Williams, CTO and cofounder of Contrast Security, said this is actually just the beginning for cloud-based security solutions. He was also the founder of the Open Web Application Security Project (OWASP), which first identified the Top 10 major security holes in web applications more than a decade ago.
Now, a decade later, Williams said the OWASP Top 10 really hasn’t changed, which is indicative of the continuing difficulty faced by security professionals and developers. As a veteran of the security industry, Williams said the Contrast Security approach is informed by his experience in what actually works and what doesn’t.
“Long term, the answer is that all code is instrumented for security. I’ve done this for a long time,” said Williams. “I’ve tried training, I’ve tried process solutions, scanning, expert penetration tests, all the way back to the Orange book. I’ve tried everything. The solution that fits the need is if we can instrument the security in the code, it separates out the developer responsibilities.”
And that’s the key, said Williams: letting developers code. “They can worry about functionality, and security folks can worry about security. We can weave it together. Right now, the instrumentation platforms aren’t strong enough. They’re good for web platforms, and they’re starting to get there for mobile devices, but then IoT is behind that for instrumentation. Eventually, it’s got to be there. You need that visibility and control,” he said.
Contrast Security offers a security solution Williams likened to AppDynamics or New Relic, but for security concerns. The system behaves somewhat similarly to DTrace in that it monitors applications at the system level, and can trace data as it flows through, thus allowing Contrast to identify anomalous behavior without giving false positives.
False positives are the classic problem in static analysis, which has long been the standard security tool in the enterprise software development toolbox. Williams said that static analysis is better suited to detecting functionality bugs than security bugs, because of its high rate of false positives and the need for experts on the team to interpret the results.
That doesn’t mean it cannot be an effective tool for security in application development when properly used, however. Justin Somaini, Chief Security Officer of SAP, said that keeping the company’s 100 million lines of code secure is a very tall order. But it’s the team’s goal to have zero exploitable bugs in shipped products.
While that may seem like a lofty goal, Somaini’s explanation of the team’s tactics really highlights the lengths to which a crew of developers must go to maintain such rigorous security standards.
“We run six different static-analysis tools. We have our own language for this, ABAP, which we sell,” said Somaini. The ABAP static analysis tool is included in the SUPPORT_QUERY_FRAMEWORK package inside SAP_BASIS.
“When you talk about a company that has thrown the kitchen sink in on security, SAP is one of them,” said Somaini. He also added that transparency is a big part of their strategy at SAP, ensuring that bugs are immediately patched and documented. Somaini added that SAP is considering joining the CVE database.
Somaini said that he’s become interested in solutions that allow large aggregate views of security data, such as logs. Log analysis was also a big theme at the show. One company showing off its machine learning-based analysis system was PatternEx.
Erik Bloch, senior director of security solutions at PatternEx, said that companies generate a great deal of logs on their networks, and given some time with a human to train the algorithms on normal network behaviors, PatternEx can then spot outliers and alert security teams to activities on the network that are suspicious.
While the company is still in its early stages, machine learning already offers some shocking revelations for companies asking specific questions. Bloch said that anomalies can be anything, from one user on the network uploading tons of data to the cloud, to a single machine outputting information after hours when users have gone home.
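As an added illustration of the approach Bloch describes (this is not PatternEx's code or anything from the article), the snippet below learns a robust baseline from a window of analyst-confirmed normal upload events and then flags the two anomaly types he names: one user sending far more data than usual, and activity outside working hours. The log format, the business-hours window and the scoring threshold are all assumptions for the example.

```python
import statistics
from datetime import datetime

# Constructed sample log lines (not real data): timestamp, user, host, bytes sent to cloud storage.
LOG_LINES = [
    "2017-02-13T09:15:00 user=alice host=ws-01 bytes=2400",
    "2017-02-13T10:02:00 user=bob host=ws-02 bytes=3100",
    "2017-02-13T11:40:00 user=carol host=ws-03 bytes=1800",
    "2017-02-13T14:05:00 user=alice host=ws-01 bytes=2900",
    "2017-02-13T15:30:00 user=bob host=ws-02 bytes=2700",
    "2017-02-14T09:10:00 user=carol host=ws-03 bytes=2200",
    "2017-02-14T13:00:00 user=alice host=ws-01 bytes=2600",
    "2017-02-14T16:45:00 user=bob host=ws-02 bytes=3000",
    "2017-02-15T10:20:00 user=carol host=ws-03 bytes=2100",
    "2017-02-15T23:40:00 user=bob host=ws-02 bytes=5200000",  # bulk upload late at night
    "2017-02-16T02:10:00 user=svc host=ws-04 bytes=900000",   # unattended host after hours
]
TRAINING = LOG_LINES[:9]        # the window an analyst has reviewed as "normal" behaviour
BUSINESS_HOURS = range(8, 19)   # assumed 08:00-18:59 local time

def parse(line):
    """Turn one 'ts key=value ...' line into a dict with typed ts and bytes."""
    ts, *kv = line.split()
    ev = dict(p.split("=", 1) for p in kv)
    ev["ts"] = datetime.fromisoformat(ts)
    ev["bytes"] = int(ev["bytes"])
    return ev

def fit(lines):
    """Learn a robust baseline (median, median absolute deviation) of upload sizes."""
    sizes = [parse(l)["bytes"] for l in lines]
    med = statistics.median(sizes)
    mad = statistics.median(abs(s - med) for s in sizes)
    return med, mad

def detect(lines, model, threshold=6.0):
    """Score every event against the baseline; return (user, host, reasons) for outliers."""
    med, mad = model
    scale = 1.4826 * mad or 1.0   # MAD -> sigma-equivalent; avoid division by zero
    alerts = []
    for ev in map(parse, lines):
        reasons = []
        if abs(ev["bytes"] - med) / scale > threshold:
            reasons.append("volume")
        if ev["ts"].hour not in BUSINESS_HOURS:
            reasons.append("after_hours")
        if reasons:
            alerts.append((ev["user"], ev["host"], reasons))
    return alerts
```

Events that score high on both dimensions are the ones worth an analyst's first look; a volume-only alert during the day is more likely a legitimate bulk transfer.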