Walking In The Application Developers Shoes

Published : 22/11/2024   Category : security




Security professionals try to go to where the app developers live



No one expects application vulnerabilities to be eradicated altogether. But even with all of the secure coding initiatives and tools out there -- OWASP, Microsoft's open Secure Development Lifecycle (SDL) tools and guidance, BSIMM, Rugged, and plenty of application security scanning tools, services, and research -- applications are still being written with security flaws. So the stubborn gap between the security and development worlds remains.
That has led some security pros to try a different tack with developers: Rather than preaching to the choir in security or trying to attract developers to security conferences, a few have begun stepping into the developers' world -- or at least meeting them where they live.
"I think to speak with developers is really difficult from a security standpoint," says Chenxi Wang, vice president and principal analyst at Forrester Research. "The application security community has been preaching to itself for a number of years."
Wang says application development today is all about features and getting them to market quickly. "Today it's all about how fast you can push out code. Given that mentality, it's difficult to tell them to slow down [for security]. Some don't even do quality testing, let alone security [testing]," she says.
Jeremiah Grossman, co-founder and CTO of WhiteHat Security, has spent the past year taking his application security message directly to developers, small developer groups, and various start-ups. Grossman says the case that developers should come to security just isn't compelling.
Developers typically don't have any real incentive to prioritize security, he notes. "From their personal perspective, if they want to learn a new technique, it helps their careers and they get promoted. But security is not necessarily that way: Do they get promoted if they write secure code? Not so much. Do they get fired if they write insecure code? Not so much," Grossman says. "There's no carrot and no stick. Where's the real incentive? The developers are not coming to us because we have nothing to offer [them in light of that]."
"I wasn't having the impact I would like in preaching to the choir ... So I started visiting with developer groups in different start-ups and found that when I started doing Web hacking demos, they were all over it. The alternative is to go to them, and they appreciate that."
Grossman has no illusions: He says he's just an outsider at these developer sites, bringing them some information about Web application vulnerabilities and attacks to help them in their jobs. Still, he's taking this new role to heart and has cut the number of security conferences he attends by about 50 percent since 2008, now attending about one security conference every two months. "I might meet one developer at all of the [multiple] security conferences. Or I can meet 100 developers at 40 different companies ... and make a greater impact that way," he says.
Grossman meets a mix of developers: some who haven't yet been exposed to the perils of cross-site scripting (XSS), cross-site request forgery (CSRF), or other common Web application vulnerabilities their apps might harbor, and others who already have been schooled in avoiding such flaws.
"Others I have visited say, 'Yes, we've heard about CSRF and cross-site scripting ... and we do care,'" Grossman says. They just aren't given the time or resources to focus on it by their organizations -- they're often pulled to develop a new feature first, he says.
"And some don't care ... they just build," Grossman says.
Grossman says he's not trying to bridge the gap between the two worlds, per se: "Security is security, and development is development," he says.
One trend he has noticed is that some large organizations take it upon themselves to educate their developers in-house. "We're seeing more organizations hosting conferences for themselves: eBay has one, Amazon has one, and Microsoft does. Their security teams bridge their own gap internally and invite their developers internally. That way, developers can go to a conference only for them and about them, and they can talk frankly with one another," he says.
Some larger companies' security teams are now starting to compile metrics on where different business units need to improve their security. Grossman says he has seen this strategy at a handful of large companies, where the security team publishes an internal report that lets business units see how they compare security-wise against other units. For those with the most secure systems and websites, it's kudos and reinforcement that they are on the right track. "For others, it's a wall of shame," he says.
But despite the frustrations with application security flaws, there has been some progress in companies cleaning up their code: Grossman points to WhiteHat's latest statistics on remediation rates, which have been increasing about 5 percent per year over the past three years. "Back in 2007, remediation was at 30 to 35 percent. Now it's at 53 percent," he says.
Marisa Fagan, security project manager at Errata Security, is taking it a step further and becoming a developer as well. She says she's hoping to lead developers by example: "I've begun working on projects that lead developers by example to see security for what it is -- ruggedness -- and not an arsenal of pain. This means growing my development skills and practicing what I preach. Hopefully this way I can get to better know the development community and effect change from the inside," she blogged today.
Fagan says security has to become a priority. "That's a mindset shift that is hard to do for the development community," she says. "But we have seen developers picking up stuff on their own, and fixing problems from the perspective of quality. They add SSL to development because that's what the customer expects, for example."
Like Grossman, Fagan feels the application security problem can't be solved from within the confines of the security community alone. "We need to let developers help themselves," she says.