CSI Annual Conference - Highlights on Web App Security

RafalLos — Wed, 19 Nov 2008 04:00:00 GMT

Listening to the speakers (yes, this time around I was a spectator only... sort of) and the audience from these past 2 days, and specifically at the Web 2.0 Security Summit here at CSI Annual 2008... I've come up with a few things that I think you (the readers who may or may not have attended) should come away with. These are important points, highlights from a very well organized conference geared towards actual solutions rather than the typical smoke, mirrors, and hand-waving [Trey Ford] you may expect from a security conferences. A nod to Robert Richardson for the guest pass, and an excellent conference.

From the experts

Threats continue to escalate and get more clever in their attack
Browsers cannot be trusted, applications can be compromised - this is not a rosy picture
End-user (and business) "push" is needed to help move browser developers to produce more secure browsers
HTML-spec and standards are actually working against security in some cases (see: ClickJacking)
Web applications are, and will continue to be, the prime target for attackers
Few businesses are prepared to drive standardized security throughout their organization
Metrics - good metrics collection and delivery is one of the secrets to making a security program work for you
Process, services, secure coding tools, code analyzers/scanners and Web App Firewalls are not mutually exclusive
Your business must have a short-term tactical fix and long term strategic plan to succeed
Services and tools are maturing at a great rate - and businesses should understand the purpose of each

Tools are a support mechanism for automation, standardization, and repeatability - they do not replace people
Services allow for independent 3rd party verification (satisfying some regulatory and compliance requirements)
Neither of the above will magically "make your applications secure"

SaaS (Software as a Service) for web app security provides immediate ROI, implementation, and won't use up your CapEx (instead uses OpEx) spending
You can't use the Ostrich approach (head in the sand, ignoring what's around you)
Right now, someone is hacking either your applications, your users or both

The bottom line from the experts? The web is more dangerous than the wild-west; and things are going south fast. There is hope.

From the audience

Managers and practitioners alike are confused and disheartened when it comes to security ... specifically web application security
Despite wanting to do the right thing, managers facing insecure (or worse, unknown) web applications are finding it difficult to implement a program
Between integrations, acquisitions, and poor oversight security teams are struggling to keep up with the avalanche of published web apps
Overwhelming numbers of vulnerabilities presents itself in a feeling of "we're powerless, why not just give up" as one person put it...
Managers are confused on where, when, and how to apply tools to web application security programs
Some managers have their hands tied by long-term contracts with outsource developers which do not properly include information security components

When code is finally turned over to them, are faced with checking the security of that code on their own
... that code, if found defective, will then require re-work at their cost!
Ineffective contractual obligations are making it impossible to have an effective security program

Security metrics are typically a problem...

Some companies don't know what metrics to collect
... others collect them and manually try to make sense of them
... still others have intelligent metrics but haven't been able to translate them into actionable items yet
... still haven't figured out how to take raw metrics and model them for upper-management consumption

Security outsourced services are still too confusing
Compliance is causing more headaches than it is solving
Companies are striving to be compliant... but are still terribly insecure - and managers are getting that but feel powerless to change

The bottom line from the audience? Make security simple, actionable, and consumable for my organization... and do more than just sell me tools or services - help me build a program.

There is good news, and bad news.
The good news is that I feel very strongly that we (HP Application Security Center) can help you accomplish your goals.
The bad news is ... it's still going to be your job to sell it to your upper management and execute...

Following the White Rabbit Blog : Computer Security Institute

CSI Annual Conference - Highlights on Web App Security