When Jeff Williams, co-founder and CTO of Contrast Security, created the OWASP Top Ten list, first published in 2003, he was proud of the work done; but now more than a decade later, Williams expresses disappointment in the unchanged list.
“My thought at the time was, we’ll put this Top Ten out, we’ll solve some of these issues and we’ll raise the bar over time to get to a place where application security is a lot better,” Williams said. “It’s hard to believe that it’s almost 20 years later. Part of me thinks they’re difficult to solve because they’re pervasive across so much code everywhere, and some of them are tricky to find. But at the same time they’re also basic blocking and tackling; solving SQL injection is not particularly hard. We’ve taken this approach of mostly chasing vulnerabilities and trying to remediate them as opposed to changing the way that we interact with databases. If everyone used prepared statements everywhere, we’d be a lot closer to solving SQL injection. It’s when people write custom queries and concatenate in untrusted data that we get into trouble.”
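The contrast Williams draws, a concatenated query next to a prepared statement, is easy to make concrete. The following is an added example, not code from the article or from Contrast Security: it builds a throwaway in-memory SQLite table with constructed sample users, runs the same lookup both ways, and feeds each a classic tautology payload. The table layout, user rows and the `lookup_*` function names are assumptions for illustration.

```python
import sqlite3

# Constructed sample data for the demo; not from the article.
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]

# Classic tautology payload: closes the string literal and appends an
# always-true condition. Harmless against the parameterized query.
PAYLOAD = "' OR '1'='1"


def make_db():
    """Create an in-memory SQLite database seeded with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Concatenates untrusted input into the query text.

    This is the pattern Williams warns about: the input becomes part of the
    SQL grammar, so a crafted value rewrites the WHERE clause.
    """
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Prepared (parameterized) statement.

    The query text is fixed; the driver passes the value out-of-band, so it
    can only ever be compared as data and can never alter the query's shape.
    """
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups with a legitimate name and with the payload."""
    conn = make_db()
    return {
        "vulnerable_legit": lookup_vulnerable(conn, "alice"),
        "vulnerable_payload": lookup_vulnerable(conn, PAYLOAD),
        "safe_legit": lookup_safe(conn, "alice"),
        "safe_payload": lookup_safe(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:>19}: {rows}")
```

With the payload, the concatenated version evaluates `WHERE name = '' OR '1'='1'` and dumps every row, while the parameterized version looks for a user literally named `' OR '1'='1` and returns nothing. The fix is not input filtering; it is never letting untrusted data reach the SQL parser as syntax.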
He said he believes the right path forward is to give developers great automation so they just get alerted whenever they step outside the guardrails that DevSecOps provide. “For me, we’re not going to train our way out of this, we’re not going to pen test our way out of this, we’re not going to static analysis our way out of this. We’re going to have to get really good accurate automation that works instantly if we want to solve this, because the scale of the problem is just staggering.”
Williams went on to note that on average, applications have 27.6 serious vulnerabilities. “If we were an airline, and on average every time you did a safety check there were 27.6 safety problems, nobody would ever leave the ground,” he said. “But we don’t treat it like airline safety. People are a lot ... we don’t take it as seriously as we should, as a country or a world. We just don’t. We could do better. We just need the commitment.”
A self-protecting prophecy
Cybersecurity expert Ed Amoroso talks about a model he calls Explode-Offload-Reload. Contrast Security’s Williams explained: “What that means is as you move from the traditional internal monolithic applications, you need to explode them into pieces, and move each of those workloads into the cloud, that’s off-loading, and then reload means adding those protections back to the stack that runs that code, creating a secure, self-protecting instance in the cloud. Instead of having one big wall, now you’ve got a whole bunch of little walls. It’s not even good to think about walls; it’s really just to secure applications that are able to protect themselves. But I like that description because he’s talking about how organizations can move from a very sort of traditional outside-in approach to security to the future, which is this self-protecting way of doing things.”