Speed Up AppSec Improvement With an Adversary-Driven Approach

Stop overwhelming developers and start using real-world attack behavior to prioritize application vulnerability fixes.

Application developers are drowning in work. Simply keeping up with business demands for new features and functionalities keeps their backlogs full of work. So it should come as no surprise why they struggle to make a meaningful dent in the vulnerabilities that give bad guys a pathway to break into valuable software and data. Applications are more vulnerable than ever today, and the breach statistics just keep going up.
The dilemma has application security (AppSec) pundits thinking hard about the fundamental ways todays typical AppSec program is broken. According to researchers James Wickett and Shannon Lietz, AppSec faces an epistemological problem for developers and security to figure out.
Whats the problem? We dont even know if were chasing the right things, said Wickett, researcher with the firm Signal Sciences. We have to ask the question, Is what were testing driving us toward finding the right issues?
Wickett stepped up to the podium with Lietz last week at DevOps Enterprise Summit to describe to a developer-heavy audience why they believe organizations need to start refocusing security fix priorities based on adversary behavior—rather than sticking solely with standards like the OWASP Top 10, which often dont account for the exigencies of real-world attack patterns.
When we think about things from the adversary perspective, we talk about means, motives, and opportunities, said Lietz, who works as the leader and director of DevSecOps for Intuit and also was the person responsible for coining the term DevSecOps to describe the mashup of security principles and DevOps. Whats happened to the application security industry is we focus a lot on opportunities. If we can block out the opportunity, then bad guys are going to go away. But the truth is, as an industry were not really driving those bad guys away.
Instead, the bad guys adjust and keep coming. This is a key point that people in the security world and the development community need to sit with for a minute, Wickett said, explaining that it is incorrent to think that if developers could somehow start building a perfect system, itll be unhackable.
That is a fallacy, he says.
Its this type of mentality that has built up a situation where developers have a huge backlog and no truly effective way to prioritize what they fix first. Sure, there are vulnerability characteristics—like how severe the flaw is or how critical the application is in which a given flaw is found—but most security scan data offers no context about where that flaw falls within the pantheon of most popular tactics, techniques, and procedures of the bad guys hammering applications.
Ultimately, what happens is we overwhelm our development partners by not focusing on the stuff that bad guys actually focus on, Lietz said. Essentially, you got to have some way to have a conversation about whats real and whats perceived.
They suggested organizations work to come up with what they call a Real World Top 10 for developers to get started. These top issues home in on more adversary-relevant flaws, such as those that enable common attacks, like direct object reference, forceful browsing, and null byte attacks.
This requires security organizations to instrument for and collect telemetry that helps them determine basic patterns in adversary data to start figuring out who the top adversaries are, how they typically operate, how often they change up their TTP, how often they return to an application, and even how confidently theyre operating based on how much it costs the enterprise to fix a problem.
Most adversaries will go after your most important weakness based on how much it costs you to fix, and they know that because they know somethings really deeply ingrained, how youve built your application theres actually long-term debt, Lietz explained. Theyre surfing for your long-term debt just as much youre trying to get rid of it.
Ultimately, the goal is to find flaw characteristics contextualized by adversary interest. This can help the development team forecast the most important issues to fix based on adversary relevance, so they can stay ahead of the bad guys.
Ive made a lot more friends in our developer community because Ive found a way to be valuable, Lietz says. I care deeply about making these tactics more visible, making it easier for them to digest and making it faster for developers to get them sooner in the pipeline.
Related Content:
7 Ways an Old Tool Still Teaches New Lessons About Web AppSec
AppSec is Dead, but Software Security Is Alive & Well
Taming the Chaos of Application Security: We Built an App for That
Not Every Security Flaw Is Created Equal

Black Hat Europe returns to London Dec 3-6 2018 with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the
conference
and
to register.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Speed Up AppSec Improvement With an Adversary-Driven Approach