LAS VEGAS—Not enough CISOs understand the limits of application security or the tools to execute them, a panel of security experts said Thursday.
Too many customers are treating so-called “pen scans” as the latest buzzword, without knowing how to apply the results to improve their security, according to panelists at the Black Hat security briefings here. Meanwhile, corporations still arent paying enough attention to application security in the design and rollout phases, leaving security analysts with little time to analyze the code before it is shipped to customers.
“My world is one-hour phone calls saying what the hell do we do about this problem,” said Paul Proctor, vice president of security and risk strategies for The Meta Group. “Fundamentally, we find that enterprises are still … not doing the basics correctly.”
No application is totally secure, and the Black Hat briefings this week dealt with the thrust and parry of IT security. But recent leaks of private customer data by the Victorias Secret and Virgin Records Web sites were accessible by the layman, and thus attracted the attention of the layman. The Virgin Record “hack,” which exposed confidential customer information, was actually first reported not to Bugtraq or other mailing lists, but to the discussion forums of a music site, members of the panel said.
“The reason application security is such a huge problem is that there really is no history,” said Caleb Sima, co-founder and chief technology officer of SPI Dynamics. “Webmasters know nothing about security. Instead, theyre focused on network security.”
More and more corporations are requesting penetration, or “pen,” tests, which either pit automated tools or a security professional against the security of a Web site. The problem is that many look at the test as a checkmark item that needs to be completed, with no knowledge of what to expect or how to apply the results. “It doesnt solve the fundamental reaction that I see with a lot of tools,” said Frank Lam, a CISSP and senior manager with consultant Deloitte & Touche. “They tend to blame the tools, saying, I ran the tools and the tool said I was fine.”
Furthermore, corporations expect those pen tests to list the available vulnerabilities, which the corporation can then fix. That doesnt happen, Proctor said. Instead, the test lists a few high-risk vulnerabilities, not all of them. “The pen test shows you are vulnerable,” Proctor said. “It doesnt close all of the problems.”
Automated tools dont necessarily solve the problem. The panel noted that an automated tool or suite may not search for vulnerabilities such as SQL injection, which attempts to find or break SQL code to learn additional data through error codes. In that case, a corporation may be stuck hiring a consultant as well as pay tool costs, according to the panel of security experts, which lacked a representative from the automated security tools industry.
The problem, Sima and Proctor said, is that security vulnerabilities are not treated the same as more traditional software bugs, which break features. “A bug is a bug, whether it be a feature thats not working or an unintended security flaw,” Proctor said.
Companies rarely give consultants the time necessary to correct code before rolling it out to customers, often granting them the wee hours of a weekend morning to make the necessary corrections. In a Meta Group study, a bug discovered in the implementation phase costs 6.5 times as much as a bug found in the software design. In testing, that bug costs 15 times as much as the design bug, and a post-release fix can cost 60 times as much, measured in lost revenue and resources but excluding legal fees. Shrink-wrapped code likely costs even more, Deloitte & Touches Lam estimated.
One audience member defended the developers writing the code, however. “Theyre always going to be a step behind the curve,” he said. “Theyre always up against a deadline.”