Can you smell that? sssnnnnnnifffffff..... Aahhhh yes. It's that time of year. Yeah, regardless of what Punxsutawney Phil might have had to say, it's springtime! (You folks in the colder parts of the Northern Hemisphere that won't thaw until June will just have to bear with the analogy - sorry). Yeah - it's the time of year when we clean up and clean out. Black Hat is about to start their rounds, SchmooCon just wrapped up, and all the new sales pitches start.
But I think this spring is bound to be a much more delightful one. I've become somewhat disgruntled in the AppSec industry because for a couple of years, we've not been focused on app security, but app insecurity. I think we left short. I personally think that finding weaknesses is only good if you have one of two end goals in mind: either you intend to exploit the weakness for fun and profit (or friends), or you identify them so that you can fix them. For a couple of years, the industry has grown rapidly, but sadly, mostly to the end that we're getting really good at identifying weaknesses, but leaving developers with no indications whatsoever about what to do about their problem. With no solutions, we've left our developers with two options: give up and cross your fingers hoping the bad guys never find out, or second, give up and pull the plug on your project.
But there are lots of things going on in AppSec right now which are very promising for those of us who actually want things to get better:
- Gartner is releasing a Magic Quadrant on Static Analysis tools. While static analysis tools identify weaknesses, they identify them in such a way that developers can actually do something about the problems. (Please don't read that the wrong way. I'm not arguing that static analysis is "better" than blackbox/greybox testing. Lots of other people have those fights. Not for me). This is great news because an industry researcher has put a lot of effort into finding out from the industry what the best tools are in particular areas.
- WhiteHat Security is providing WAF integration as one of their many services. While WAF's are not a silver bullet, when you don't have the source code, or a lot of cycles to fix issues, WAF's are a good stand-up solution to many semantic types of flaws, and a few logical ones, too. It's a step in the right direction.
- Gary McGraw, Brian Chess, and Sammy Migues spent a great deal of time working with businesses learning about how they're dealing with application security, and have put together a Software Security Maturity Model to help businesses identify where they are in terms of baking in security, and where they need to go next. My favorite surprise of their investigation? The one thing that all their subjects said was most important in their program was training. And not just training on identifying weaknesses, but developing solutions.
- RSnake and others are working with browser vendors to work out solutions to the whole clickjacking thing. I hate to see the standards-compliant focus of the browsers over the past few years go to back to the browser wars, but the slow-movement of the standards have crippled the advancements of browsers that are helpful in protecting users.
- I'm personally doing a little bit of research on developing securely, and might actually get some work done on the project at some point and have a paper to prove it. But right now, it's all just theoretical.
If you're new to the blog, I'm passionate about fixing issues. Certainly, the first step to recovery is admitting you have a problem, but at some point you have to move beyond admitting you have a problem, and working on overcoming the problem.