“The second piece,” he added, “is you’ve got to have automation. You’re not going to get it right by hand the first time every time. Code reviews by hand are great, but not every line of code is going to get scrutinized properly. Developers are people… They get tired, they get hungry, they run out of caffeine at 3 o’clock in the morning, their eyes are getting blurry, you’re not going to have perfect code. You need tooling that can watch out for them all the time, whether they’re kind of asleep at the switch or not, or whether that’s important to them or not, some sort of tool can be reading that code and looking for security all the time. You’ve got to put both of these together, but you can’t really expect that developers are going to make this a top-of-line issue unless there’s some external factor requiring it. Management has got to elevate it.”
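The always-on tooling described above is, in practice, a static check that reads source on every commit. The following is an added example, not code from the article or from any of the companies quoted in it: a small Python AST scanner with a constructed rule set (dynamic code execution, shell-invoking subprocess calls, unsafe deserialization, hard-coded secrets) run over a constructed sample file. Rule names, the `Finding` type and the sample source are all assumptions made for the illustration.

```python
"""Added example (not from the article): a small automated review check that
reads Python source and flags a few risky constructs, the kind of tooling the
quote above argues should be "reading that code ... all the time".
The rules and the sample file are constructed for this illustration."""
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    detail: str


def _call_name(node: ast.Call) -> str:
    """Return a dotted callee name such as 'subprocess.run' or 'eval'."""
    parts = []
    f = node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))


class RiskVisitor(ast.NodeVisitor):
    """Walks the syntax tree and records findings; the AST (rather than a
    regex) means `obj.eval(...)` is not confused with the builtin `eval`."""

    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        name = _call_name(node)
        if name in ("eval", "exec"):
            self.findings.append(Finding(node.lineno, "dynamic-exec", f"{name}() on runtime data"))
        if name.startswith("subprocess."):
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.findings.append(Finding(node.lineno, "shell-true", f"{name} with shell=True"))
        if name == "os.system":
            self.findings.append(Finding(node.lineno, "shell-true", "os.system runs through a shell"))
        if name in ("pickle.loads", "pickle.load", "yaml.load"):
            self.findings.append(Finding(node.lineno, "unsafe-deserialize", f"{name}() on untrusted input"))
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        # Heuristic: a variable named like a credential assigned a non-empty string literal.
        for target in node.targets:
            if isinstance(target, ast.Name) and any(k in target.id.upper() for k in ("PASSWORD", "SECRET", "TOKEN")):
                if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str) and node.value.value:
                    self.findings.append(Finding(node.lineno, "hardcoded-secret", f"{target.id} assigned a string literal"))
        self.generic_visit(node)


def scan_source(source: str) -> list[Finding]:
    """Parse one Python file's text and return its findings ordered by line."""
    visitor = RiskVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


# Constructed sample input: a deliberately careless module for the scanner to read.
SAMPLE = '''\
import os, subprocess, pickle
DB_PASSWORD = "example-not-a-real-secret"
def run(cmd, blob):
    subprocess.run(cmd, shell=True)
    os.system(cmd)
    data = pickle.loads(blob)
    return eval(data)
'''

if __name__ == "__main__":
    for finding in scan_source(SAMPLE):
        print(f"line {finding.line}: [{finding.rule}] {finding.detail}")
```

Wired into a pre-commit hook or CI job, a check like this runs whether or not the reviewer is tired; the rule set here is small on purpose and a real deployment would lean on a maintained analyzer, but the structure (parse, visit, report by line) is the same.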

Gartner’s Feiman sees a new way forward. “If we cannot test all applications and cannot test them well, I see only one solution: Applications must test themselves,” he said. “We cannot diagnose all applications, that’s why apps must diagnose themselves. And because we cannot protect all applications with means that exist today—all these firewalls, IPSes, IDSes, Web application firewalls, encryption—the only solution is that applications must protect themselves.”

Software security is a gnarly hairball. As Feiman pointed out, “Software security is the most recent addition to the application security stack. Identity Access Management, 45 years old; network protection, 30 years old; endpoint, 25 years old. We are desperate because we see that attacks are absolutely pervasive and very successful, and we cannot stop them.

“But the network vendors keep selling them…keep pushing them, not just selling them. Same with firewall vendors. Same with endpoint protection. They keep adding new features, tweaking here and there, saying, well, now it will do much better, now it will do much better. And because we don’t know anything else, we’ll do it. So before penicillin, they recommended using some herbs, and you were taking them because there was nothing else in the market. What I’m saying is, that huge gap that had become clear to me four years ago when I started working on that research, is to say, ‘How come, if we all claim that the app is the most precious asset—the app and the data it handles—how come that it’s absolutely powerless? It has no skills to detect, has no skills to protect itself. How come?”

And so, Feiman came up with the notion of Runtime Application Software Protection (RASP). But it comes with a caveat: “We gave identity and access management 45 years to evolve. And, after 45 years, it’s still not sufficient. We gave network security 30 years to evolve, and it’s not working. Well, it’s at the end of its capacities. We gave endpoint protection 25 years to evolve, and we still have viruses it cannot protect against.

“So all these technologies are complex implementations, and RASP is at the embryonic stage now, but there are already production implementations that have been acquired by enterprises and do a very important job of protecting the assets of the most famous organizations in the world.”

Another approach, suggested by Bugcrowd’s Raethke, is to create a “fire team” consisting of representatives of multiple departments that can champion change within an enterprise. “You’re taking one or two engineers, with an Ops guy, security, executive management, and one or two people from sales and one or two from marketing,” he said. This way, any feedback on the project is heard by all groups, and it’s an effective means of changing an operation. “This gives you a way to roll all your people through it.”

Communication across all organizational disciplines is key, said Raethke. “Any practice [including security] that you introduce to your organization has to be sustainable.” He suggested starting with two developers and two members of the operations team, then bringing in sales, marketing and executives after a commonality has first been established.

Security training
Cigital’s Steven said that along with communication, training is critical. “We hire developers and train them on security because over that period of time we’ve not really succeeded in doing the opposite,” he said. “I think when you look at the security practitioner community, a lot of them are testers and security practitioners that are beginning to learn a bit about coding to be more effective at their job, and frankly, I think a lot of this design—we’re talking about really design decisions, talking about classifying the problems by the kind of flaw, and taking the right kind of design or software security initiative approach to solve it—I think it’s a little bit beyond their skill set.

“There are different classes of people,” he continued. “We’re starting to see from the OWASP community these testing practitioners: Some of them have five years’ experience, 10 years’ experience now, doing penetration testing. This group of people may not know development, they may not have really talked to executive management before, so the politics in building a security group may be a challenge. When they stroll down to talk to the architects in the organization about adopting a new open-source framework or library you’re going to build your website on, you can imagine that’s going to be a tough climb for them. There’s a development gap there, and an architecture gap.”

Training and planning for vulnerabilities are tips that Rogue Wave’s Cope offered. “The only way to really protect yourself there is to stay up to date on the latest patches, latest news, latest fixes, and expect them to continue… With all software, there will be more security holes, you need to plan for it, have tooling, prepare for some notification process so you can quickly learn when there is an issue, whether it’s open source or from somewhere else, that you know there’s an issue, and then have a mitigation plan in place so you know what is affected.
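The last step Cope describes, knowing what is affected once a notification arrives, depends on having a pinned inventory to match against. As an added example that is not from the article or from Rogue Wave, the Python below compares a pinned dependency list with a list of advisories and reports the affected packages. The advisory identifiers (`ADV-EXAMPLE-n`), package names and version ranges are constructed placeholders, not real advisories; the parser assumes simple dotted numeric versions.

```python
"""Added example (not from the article): answer "what is affected?" by matching
a pinned dependency inventory against an advisory feed. All identifiers,
packages and versions below are constructed placeholders."""
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Dotted numeric version -> tuple of ints, so 0.10.0 sorts after 0.9.1
    (a plain string comparison would get that wrong). Assumes no suffixes."""
    return tuple(int(part) for part in v.strip().split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder id, e.g. "ADV-EXAMPLE-1"
    package: str
    introduced: str    # first affected version (inclusive)
    fixed: str         # first fixed version (exclusive)


def is_affected(installed: str, adv: Advisory) -> bool:
    """True when introduced <= installed < fixed."""
    v = parse_version(installed)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def parse_requirements(text: str) -> dict:
    """Parse pinned 'name==version' lines; comments and blanks are skipped.
    Unpinned lines are rejected, because an inventory you cannot pin you
    cannot match against an advisory."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" not in line:
            raise ValueError(f"unpinned dependency: {line!r}")
        name, version = line.split("==", 1)
        deps[name.strip().lower()] = version.strip()
    return deps


def affected_report(deps: dict, advisories: list) -> list:
    """Return (advisory_id, package, installed, fixed) for each hit."""
    hits = []
    for adv in advisories:
        installed = deps.get(adv.package.lower())
        if installed is not None and is_affected(installed, adv):
            hits.append((adv.advisory_id, adv.package, installed, adv.fixed))
    return hits


# Constructed inventory and advisory feed for the illustration.
REQUIREMENTS = """\
# pinned application dependencies (constructed)
libalpha==1.4.2
libbeta==2.0.0
libgamma==0.9.1
"""

ADVISORIES = [
    Advisory("ADV-EXAMPLE-1", "libalpha", "1.0.0", "1.4.3"),   # installed 1.4.2 -> affected
    Advisory("ADV-EXAMPLE-2", "libbeta", "1.0.0", "2.0.0"),    # 2.0.0 is the fixed version
    Advisory("ADV-EXAMPLE-3", "libdelta", "0.1.0", "0.2.0"),   # not in the inventory
    Advisory("ADV-EXAMPLE-4", "libgamma", "0.9.0", "0.10.0"),  # 0.9.1 < 0.10.0 numerically
]

if __name__ == "__main__":
    for advisory_id, package, installed, fixed in affected_report(parse_requirements(REQUIREMENTS), ADVISORIES):
        print(f"{advisory_id}: {package} {installed} is affected; upgrade to >= {fixed}")
```

The point of the example is the inventory, not the matcher: the notification process Cope describes only pays off if every deployed version is recorded somewhere a script can read, and the `ValueError` on an unpinned line makes that gap visible at build time rather than during an incident.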