SPICON: The Importance of Application Security

Live Q&A

  • Rhonda MacLean, former CSO of Bank of America and Founder of MacLean Risk Partners, LLC;
  • Caleb Sima, Co-founder & CTO, SPI Dynamics;
  • Guy Denton, Associate Partner, CISSP, CISM, ICEH, IBM Certified Professional, Ethical Hacking WW Compentency Leader/PCi/Wireless Security, IBM;
  • Mike Gailey, Managing Director, Global Security Solutions, CS Consulting;
  • Matthew Morgan, Director of Product Marketng, Mercury;
  • Shirley Wyatt, CISSP, Strategic Security Advisor, Microsoft Corporation;
  • Closing Comments by Crian Cohen, President & CEO, SPI Dynamics
Maclean: App security became one of three priorities in security at Bank of America.

Morris: Q/A is moving more to application readiness, rather than just core functionality.

Wyatt: Role is to help customers to develop a secure environment.


Sima: Background in Pen-testing/consulting


How do you find app sec on the radar screen?
Morris: Mercury-con - 80% of their customers stated security as their top priority over the next 12 months. Customers want to bring security into the lifecycle and into QA in particular.
Wyatt: Talks to CSO - App security is in the top 5 disciplines to add emphasis on.
Lowe: Issue of awareness. Initiatives are derived from that. App Security isn't worse or better now, it's just that there's awareness.
Audience: Do you see security moving more into QA? Or is it just a security role?
Morris: He's starting to see that people are understanding it's an application problem.
Wyatt: Seeing Security Departments writing policy, but the people to carry it out are in the appdev department.
Gailey: Much more awareness - unfortunately, it's not a quick fix, so it's not central on the radar screen.
Sima: It only makes sense that testing is moving toward QA. But scanning will always be in IT, not in development. Ideally, web scanning is just to validate the work of the development and QA groups.
Lowe: Assurance and checks and balances need to be in place. QA Testing groups will never go away.
Morris: QA folks are generalists, not specialists, but they're being asked to do really expert stuff - like security.
Wyatt: At Microsoft - a security advisor is assigned to every development task - from requirements and throughout the life-cycle.
Maclean: Lifecycle. There's not a mature lifecycle for development in general. How do you apply security to that when it's a moving target.
Morris: It has to be dealt with, or it hits the WSJ.
Wyatt: MS has developed the SDL internally, working with customers in helping them. It's important to define a process so it can be followed.
Gailey: You have to push these policies out early to be adopted. You have to work through the lifecycle hurdles.
Sima: in an SDLC, they try to do everything right and completely all at once. His recommendation is to do one thing - something small, then build upon that. Implementing an entire SDLC at once is overwhelming. Take baby-steps.
Audience: What doesn't work - security as a function of audit - it's too late by that point. Management doesn't know where to place Information Security, however.
Morris: There are ways for security to add gates throughout the process.
Wyatt: A company that has defined a working plan, and it includes gates throughout the process.
Gailey: Do customers have to do what Microsoft did by shutting down for weeks?
Maclean: Training is needed. What are others doing?
Lowe: A huge difference between in-house and off-shore development. There's a lot of desire to help internally, but not to outsourced because of the high turnover. So they're applying very strict process and tools to compensate for the lack of training.
Morris: Training is a challenge - how do you give the intelligence to a generalist. Tools have to abstract the knowledge to help make the needed ideas accessible.
Maclean: Where are the challenges?
Audience: Push by management to rush to market
Audience: Org charts - different groups have different goals.
Audience: Who receives the ultimate benefit and who's ultimately responsible?
Audience: Lack of understanding is slowing the adoption process.
Gailey: What are the impacts if you don't do these things.
Audience: Where are we in getting this done in design? Security is too late.
Morris: Lines of business finally identify that it "has to be secure" but they don't know what that means.
Wyatt: Promotes SDL because it defines where security is involved in the whole lifecycle.
Maclean: So many problems are a change management issues - legacy systems being exposed more (web interface added to already insecure code).
Lowe: Using tools such as threat modeling to apply to legacy systems to deal with these early. We still have to take baby steps. One approach he's seen work is to implent a whole SDLC in pilot over a single LOB.
Morris: When new concepts become standards, the tools become a part of the process.
Audience: How is a professional supposed to help QA, or what is QA supposed to use as a checklist to check for?
Morris: Successful company - using their products, they are forced to follow a process. Security tools are integrated into that whole process.
Maclean: Are there specific compliance standards that are forcing this to happen?
Morris: HIPAA, SOX, have to prove that they're doing this, and they have to have sign-off that they're being done.
Wyatt: Anybody dealing with PCI is really being forced into this.
Maclean: PCI just got updated to enforce software assurance
Gailey: Privacy standards are starting to enforce things, too. Things work when security is seen as an engager, not an inhibitor.
Lowe: PCI is a strong driver, but it's not a core reason that security is implemented. PCI is just a checkbox, so people will go no further. Business is the real driver for doing things right.
Wyatt: Metrics are helping to drive some of these.
Maclean: We used to reward developers on the number of lines of code they wrote. Are we measuring the wrong things all over again?
Audience: A lot of development is done outsourced. There's a dramatic increase in the number of backdoors. Is there an increase in risk because of the backdoors added by outsourced?
Morris: 40% of their customers are outsourcing a part of their development. Make sure security is part of the requirements so they're contractually obligated. Then validation.
Lowe: This underscores the importance of having separation of duties. You can't outsource security.
Sima: A blatant back door is usually not the problem - these things are usually leftover development artifacts.
Maclean: There are lots of insider threats
Morris: If you're letting strangers build your apps, you're letting strangers build your business. this discipline can't be outsourced.
Maclean: Some organizations don't have what they need to get the best in the business. Some organizations have to go outside to get their security expertise. You need a really good liason, and good folks on your side to drive things.
Morris: He didn't mean don't outsource, but the business still has to own everything.
Audience: Companies that know what they're doing and bring in outsourcing, it's successful. If you truly partner, they're not strangers.
Gailey: Background checks don't help much overseas.
Maclean: NASCOM has created a database of when people are let go in India - so when there are other issues, we might not see it, but we can see it when they're let go. Offshore companies know that this is an inhibitor, so they've come up with some creative ways to deal with this.
Audience: How do you assess the quality of an offshore company prior to engaging them? NASCOM is helping.
Maclean: You have to work with the offshore companies to figure this out. There is a tiering of companies in India. Who are your companies sourcing to? Governance and oversight. Trust but verify.
Morris: There will be malpractice with software where exposed defects fall into a civil liability.
Wyatt: Microsoft is working to try to get SDL in part of the curriculum.
Maclean: Innovation is going to be a big push coming soon
Audience: What steps short of malpractice canwe do?
Lowe: We have to make security a requirement. Make security a measure of how you're doing your job.
Maclean: We will start to see some financial ties to security requirements. Some legal drivers are going to push it. Too much opportunity for lawyers to make money for it not to.
Audience: Some of the high-risk security components are being given over to security - is that a trend?
Morris: Having a security center of excellence is very helpful.
Wyatt: Having a security buddy is helping in
Audience: Who is the owner of specific security components. Re-use of security components.
Lowe: Has done the security CoE model. Working in teams really improves the effectivencess of security.

What are the best practices to keep in mind?
Gailey: Get started. Don't try to do everything at once. Work on one department or one idea and show success.
Sima: Train developers. Don't try to teach them all about security - try to teach them about input validation and make a policy. (I say output filtering, too, but I digress). Input validation will make the app 80% more secure. (If input validation solves all these things, why do we tell developers they have SQL Injection, XSS, buffer overflows, etc. instead of just telling them they have failed input validations.)
Lowe: Investing in your people is the most important thing. When Microsoft shut down, it was to train people.
Wyatt: Start simple. Work on policy and process to make security a standard part of your business. Show cost benefit to management.
Morris: Evangelism is key - proving that security reduces risk and ultimately reduces cost.

Brian Cohen:
Thanks everybody.