I think it is finally here. It has been a long time in coming, but we are finally living in the Post Scanner World.
I’m very fortunate – as part of my job I get to talk to a lot of people and a lot of companies about what they do for application security. Unfortunately, for a long time, I had way too many conversations with information security officers at organizations that went like this:
ISO: We bought Scanner XYZ [could be a black-box scanner or a code analysis tool]
Me: All right. How are you using it?
ISO: I think we ran some scans the week we finalized the license agreement.
Me: Did you find anything?
ISO: Oh yeah! We found all sorts of stuff.
Me: Soooo… What are you doing to address the issues?
ISO: Oh! I emailed the (200+ page) report to the development team and told them to fix it.
Me: And did they fix the issues?
ISO: I don’t know. I guess I ought to check in with them on that.
Me: Aaaaarrrrrrgggggghhhhhh! <weeping>
But I finally get the feeling that things are changing.
First of all – there are not one but two major maturity models for application/software security – the Building Security In Maturity Model (BSIMM) and the Software Assurance Maturity Model (SAMM). These aren’t models built around how well you use a specific scanning technology – they are models that look at a number of facets of an organization’s application security risk management. They look at what organizations need to do to find defects in software, what they need to do in order to avoid introducing those defects in the first place, and the decision-making processes that need to take place so that organizations can make risk-based, value-centric decisions. Over the next week or so I’ll be putting up some more posts that compare and contrast the two models.
Second of all – evaluation standards are starting to develop. OWASP has produced the Application Security Verification Standard (ASVS). This outlines activities to perform in order to verify the security properties of a web application at several levels of assurance. The standard is rushing toward a version 1.0; I’ve been through the drafts and there is good stuff in there. The most important thing at this point is to provide more specific standards for evaluation and guidance on how to perform the verifications. Once the 1.0 version is released and folks start using it I think those will develop quickly. Time-permitting, I’m hoping to run through some example verifications of sample applications and post the results and associated metrics (level of effort, etc) here.
Finally, application security information is becoming less siloed. There are a number of products and services out there that help with application security – black box scanners, source code analyzers, instructor-led training, e-Learning, web application firewalls (WAFs), and so on. While the information produced by these tools and services remains in its own silo it has limited utility. But once this information starts being shared and once these products and services start interacting, then mature solutions can start to develop. We have been working on a couple of interesting initiatives in this area and hopefully we can post more information on those here shortly.
I believe the Chinese curse goes “May you live in exciting times.” Yeah, well, I suppose these days qualify. Ding dong – scanners aren’t dead, but the world is finally starting to see them as a portion of the solution as opposed to the end point of the application security problem. That is such a crucial step for this industry to mature. The front-runners in this space like Microsoft have blazed a trail, and thankfully the rest of the industry can learn from their examples.
dan _at_ denimgroup.com