Even with all we know about cross-site scripting and SQL injections, these attacks on servers remain pervasive. Part of that is due to the fact that security technology (firewalls, signatures, past definitions) was not focused on these types of attacks. Another part is that developers have not embraced security as something that is their concern.
Kunal Anand, founder and CTO of security platform provider Prevoty, has been on the front lines battling cross-site scripting since he was at MySpace in 2006. “Then, we had the Samy worm,” he recalled, “and we were facing nascent cross-site scripting and SQL injections. And over the years, it seems that there’s more cross-site scripting today.”
Firewalls are still an important part of an organization’s defense, but Anand said they can’t defend against things that happen inside the application. “There’s a mismatch between the attack surface and security technology,” he said.
When people think of ensuring security is built into software, Anand said they think back to 2000, when Microsoft released its Windows XP operating system. “That was so notorious for being buggy that Bill Gates moved people off other projects to work on security, and created the security development life cycle.”
From that evolved the secure software development life cycle (SSDLC). Three phases of the SSDLC are requirements, threat modeling and the development process. Testing is the next phase, Anand said.
So, if developers aren’t up to speed on security, the code will come right back to them from test/QA with vulnerabilities, which will require developers to come to grips with having responsibility for security. Once that happens, Anand said, “testers will see a lot fewer issues that make the [dev-test] cycle repeat over and over again.
“The person writing the app has the power. The developer may punt, but it will come back to them.”
Prevoty’s platform “focuses purely on execution,” Anand said. “You can send a malformed query and we can pick it out. We don’t need a pattern to detect it.” With Prevoty, developers can use a drop-in for their legacy apps, or, through the SSDLC, can make a function call to make sure a database query or a piece of content is safe.”
The platform uses proprietary tokenizers and parsers to “see what these things will do before they are implemented,” said Anand. “We can do examinations in less than a second to filter out” attacks.
The software behind Prevoty has been in development for four years, and the company came out of stealth mode only at the beginning of this year. “We’re focused on helping app development teams deploy new software faster, and with fewer security issues than in the past,” said Anand.