App Security Still Misunderstood

Not enough CISOs understand the limits of application security or the tools to execute them, nor are companies paying enough attention to app security in the design and rollout phases, according to a Black Hat panel of security experts.

Download the authoritative guide: The Ultimate Guide to IT Security Vendors

LAS VEGAS—Not enough CISOs understand the limits of application security or the tools to execute them, a panel of security experts said Thursday.

Too many customers are treating so-called "pen scans" as the latest buzzword, without knowing how to apply the results to improve their security, according to panelists at the Black Hat security briefings here. Meanwhile, corporations still arent paying enough attention to application security in the design and rollout phases, leaving security analysts with little time to analyze the code before it is shipped to customers.

"My world is one-hour phone calls saying what the hell do we do about this problem," said Paul Proctor, vice president of security and risk strategies for The Meta Group. "Fundamentally, we find that enterprises are still … not doing the basics correctly."

No application is totally secure, and the Black Hat briefings this week dealt with the thrust and parry of IT security. But recent leaks of private customer data by the Victorias Secret and Virgin Records Web sites were accessible by the layman, and thus attracted the attention of the layman. The Virgin Record "hack," which exposed confidential customer information, was actually first reported not to Bugtraq or other mailing lists, but to the discussion forums of a music site, members of the panel said.

"The reason application security is such a huge problem is that there really is no history," said Caleb Sima, co-founder and chief technology officer of SPI Dynamics. "Webmasters know nothing about security. Instead, theyre focused on network security."

More and more corporations are requesting penetration, or "pen," tests, which either pit automated tools or a security professional against the security of a Web site. The problem is that many look at the test as a checkmark item that needs to be completed, with no knowledge of what to expect or how to apply the results. "It doesnt solve the fundamental reaction that I see with a lot of tools," said Frank Lam, a CISSP and senior manager with consultant Deloitte & Touche. "They tend to blame the tools, saying, I ran the tools and the tool said I was fine."

Furthermore, corporations expect those pen tests to list the available vulnerabilities, which the corporation can then fix. That doesnt happen, Proctor said. Instead, the test lists a few high-risk vulnerabilities, not all of them. "The pen test shows you are vulnerable," Proctor said. "It doesnt close all of the problems."

Next Page: Are automated tools the answer?