The Open Front Door

The good news: network security has been figured out. That doesn’t mean that information security professionals can pat themselves on the back, put their feet up on their desks and take a nap, but it does mean that securing network infrastructure for most organizations should be a fairly mechanical, standardized undertaking. Any competent system administrator knows to install a firewall, patch their systems and turn off services that aren’t in use, and they understand how to combine people, processes and technology to accomplish their goals. The battle hasn’t been won, but at least it is a fair fight.

The bad news: the security battle has shifted from the perimeter infrastructure to the applications running on the infrastructure, and most organizations are still wide open. The problem is that the people who are now responsible for security have not yet been informed that they are responsible. Even the strictest of firewall configurations has ports 80 and 443 open so that users can have web access to portals, email, e-commerce and other applications. That means that the folks writing those applications are now responsible for dealing with malicious traffic from the Internet at large, and unfortunately these folks are typically untrained in security techniques, under extreme deadlines and have probably not even heard security mentioned as a goal during the course of their work. The organization’s walls are thick and strong, but the front door is open.

So what is the solution? Application development organizations need to undergo the same transformation that infrastructure organizations have already undergone: they need to adopt security as a goal and align their people, processes and technologies accordingly.

First the people in a development organization need to understand that security isn’t something that is handled by the “security group.” Developers, development managers and quality assurance personnel need to understand that the responsibility for security extends throughout the application development organization. Management must understand that they need to foster awareness and training so that individuals have the required skills. Security cannot be an unfunded mandate.

Also, development organizations need to integrate security concerns into their processes – specifically the software development lifecycle. Security goals need to be outlined during business analysis and requirements gathering. Valuable information assets need to be identified and threats to those assets need to be cataloged. Throughout the architecture, design, development and integration phases these threats need to be taken into account, and explicit measures must be put in place to defend against their exploitation. Procedures for handing builds over to the operations team must be crafted with security in mind. It is in building and adhering to these processes that security is truly implemented for application development organizations.

Finally, development organizations need to adopt technologies that help them accomplish the goals set out by their security procedures. I have worked with far too many organizations where the attitude has been “we ran a web application scanner, so we are now secure” or “we are implementing a web application firewall and that is how we are handling security.” These technologies are an important part of a comprehensive application security program, but they are limited in the types of vulnerabilities they can detect and exploits they can prevent. A lack of understanding of what technologies can and cannot do leads to a false sense of security. Technology can help organizations accomplish their security goals, but technology on its own or for its own sake is a dangerous placebo.

“People, processes and technology” is hackneyed advice for seasoned security professionals. Unfortunately, the threats have shifted, application developers are a new breed of “security professionals,” and they have yet to take this advice to heart. Until they do, the information security of organizations will suffer as crackers come through the open front door.

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.