Chris Wysopal shared a historical lesson on the evolution of application security and advice on how to make all apps more secure.
In December 1996, application security expert Chris Wysopal published his first vulnerability report. He found that Lotus Domino 1.5 allowed data to be edited or deleted if permissions were not set properly or if the URL was modified. That class of flaw, broken access control, now sits at the top of the OWASP 2021 Top 10 list of application security risks.
“We really know about this problem, and knowledge about it doesn’t solve it,” he said.
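The pattern behind broken access control is simple to state and easy to reintroduce: a record identifier arrives in the URL, the server checks that the caller is logged in, and then acts on the record without checking that this caller may touch that record. The following is an added illustration, not code from the article and not the 1996 Lotus Domino bug itself. The Document type, the in-memory store, the URL shape and the user names are all constructed for the example; it shows the vulnerable handler beside a hardened one that adds the missing per-record check.

```python
# Added example for this article; it is illustrative code, not Lotus Domino code and not
# the 1996 bug itself. It shows the broken-access-control pattern the article names:
# a record id taken from the URL is acted on after only an authentication check, beside
# a hardened handler that also checks the caller's rights on that record. The Document
# type, the store, the URL shape and the user names are all constructed for the example.
from dataclasses import dataclass, field


@dataclass
class Document:
    doc_id: int
    owner: str
    body: str
    editors: set = field(default_factory=set)


class Forbidden(Exception):
    """Raised when the caller may not perform the requested action."""


def make_store() -> dict:
    # Constructed sample data: two documents with different owners.
    return {
        101: Document(101, "alice", "Q3 budget"),
        102: Document(102, "bob", "meeting notes", editors={"carol"}),
    }


def parse_doc_id(path: str) -> int:
    """Extract the record id from a URL of the form /docs/<id>/delete."""
    parts = path.strip("/").split("/")
    if len(parts) != 3 or parts[0] != "docs" or parts[2] != "delete":
        raise ValueError(f"unexpected path: {path!r}")
    return int(parts[1])


def delete_document_vulnerable(user, path, store) -> bool:
    """Broken access control: any logged-in user can delete any document
    simply by editing the id in the URL."""
    if user is None:
        raise Forbidden("login required")
    doc_id = parse_doc_id(path)
    return store.pop(doc_id, None) is not None


def can_modify(user: str, doc: Document) -> bool:
    """Authorization rule: owners and explicitly listed editors may change a document."""
    return user == doc.owner or user in doc.editors


def delete_document_hardened(user, path, store) -> bool:
    """Same endpoint with the missing check: the caller must be allowed to modify
    this particular record, and the refusal does not reveal whether it exists."""
    if user is None:
        raise Forbidden("login required")
    doc_id = parse_doc_id(path)
    doc = store.get(doc_id)
    if doc is None or not can_modify(user, doc):
        raise Forbidden("not allowed")
    del store[doc_id]
    return True


def is_forbidden(handler, user, path, store) -> bool:
    """Helper for checking outcomes: True if the handler refuses the request."""
    try:
        handler(user, path, store)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    store = make_store()
    print("vulnerable lets mallory delete 101:",
          delete_document_vulnerable("mallory", "/docs/101/delete", store))
    store = make_store()
    print("hardened refuses mallory:",
          is_forbidden(delete_document_hardened, "mallory", "/docs/101/delete", store))
    print("hardened allows alice:",
          delete_document_hardened("alice", "/docs/101/delete", store))
```

The hardened handler returns the same refusal for a record that does not exist and for one the caller may not modify, so editing the id in the URL cannot be used to enumerate which records exist.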
Wysopal, CTO and co-founder of Veracode, shared a short history from his time as an application security researcher. He was a member of the L0pht hacker group, which testified before Congress in 1998, and he did security consulting for Microsoft in the early 2000s. Wysopal spoke during the keynote at the OWASP 20th Anniversary event, a free, live 24-hour event held on Friday.
Wysopal said his start as an outsider in the tech world gave him a unique perspective on problems that software engineers, corporate leaders, and government officials were not seeing. Over the last 25 years, appsec researchers have moved from outside critics to expert colleagues who work alongside software engineers to improve security.
“As William Gibson said, ‘The future is unevenly distributed.’ I think we can learn from the past and learn from those who are already living in the future,” he said.
He shared advice on how to build a closer partnership between developers and security professionals, and described how the appsec profession has evolved over the years.
Building relationships to improve security
Wysopal said the latest evolution in appsec is security experts becoming official members of the software development team.
“Success is part of a team that ships secure code on time, continually improves the process, and does less work to achieve the same secure results,” he said.
Wysopal said a strong relationship between the two teams is another key to making appsec work. Individual developers and members of the security team need to ask themselves these questions and find answers:
- Who are your development or security buddies?
- Do you meet with them?
- Do you understand each other’s goals?
- Do you sympathize with each other’s struggles?
Another key to success is shared accountability between the security and software engineering groups:
- How can you establish a common goal of shipping secure software on time?
- What can the security team do to make sure the development team doesn’t have to slow down?
- What can the development team do to help the security team test faster?
“Also, this accountability must be measured and reported,” he said.
Wysopal said that by their very nature, some applications are harder to protect than others. His team considers both the nature of each application and the way it is developed when working to improve its security.
The ideal environment for an easily protected application would be:
- Small organization
- Small application
- Low defect density
- New app
According to Wysopal, it’s difficult to protect old, large, defect-dense applications built by large companies.
Development teams that ship secure applications scan frequently and use more than one type of scan. Infrequent scans, and reliance on a single scan type, make it harder to improve an application’s security.
Wysopal also shared advice on how changing security practices can improve appsec, whether an application is easy or hard to secure. In a good environment, security best practices can reduce the half-life of a vulnerability from 25 days to 13 days. In less than ideal environments, improved security practices can reduce the half-life of a vulnerability by more than four months.
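The half-life figures above are easier to reason about when worked through. The following is an added example, not from the article, and it rests on one assumption the article does not state: that a half-life of H days means half of the still-open findings get fixed every H days, so the open fraction after t days is 0.5 ** (t / H). Under that reading it shows what the 25-day to 13-day improvement means for a backlog after 90 days and for the time needed to close 90% of findings.

```python
# Added example, not from the article. It takes the article's "half-life of a
# vulnerability" figures and works them through under one assumption that the article
# does not state: that a half-life of H days means half of the still-open findings are
# fixed every H days, i.e. the open fraction after t days is 0.5 ** (t / H).
import math


def open_fraction(half_life_days: float, t_days: float) -> float:
    """Fraction of findings still open t_days after discovery (assumed decay model)."""
    if half_life_days <= 0 or t_days < 0:
        raise ValueError("half-life must be positive and t non-negative")
    return 0.5 ** (t_days / half_life_days)


def days_to_close(half_life_days: float, fraction_closed: float) -> float:
    """Days until the given fraction of findings has been fixed."""
    if not 0 <= fraction_closed < 1:
        raise ValueError("fraction must be in [0, 1)")
    return half_life_days * math.log2(1.0 / (1.0 - fraction_closed))


def compare_half_lives(before: float, after: float, horizon_days: float) -> dict:
    """Open fractions at a horizon under the old and new half-lives, and the
    reduction in days needed to close 90% of findings."""
    return {
        "open_before": open_fraction(before, horizon_days),
        "open_after": open_fraction(after, horizon_days),
        "days_saved_to_90pct": days_to_close(before, 0.9) - days_to_close(after, 0.9),
    }


if __name__ == "__main__":
    # The article's "good environment" numbers: 25 days down to 13 days.
    r = compare_half_lives(25, 13, horizon_days=90)
    print(f"open after 90 days: {r['open_before']:.1%} -> {r['open_after']:.1%}")
    print(f"days saved to close 90% of findings: {r['days_saved_to_90pct']:.0f}")
```

With the article’s numbers, roughly 8% of findings would still be open after 90 days at a 25-day half-life, against under 1% at 13 days, and closing 90% of findings takes about 40 fewer days. The exponential model is a simplification; real fix times are usually long-tailed, so treat the output as a way to read the metric rather than a forecast.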
Evolution of appsec
After he published that first vulnerability report, Lotus acknowledged the issue on its home page, explained how to fix it, credited him with finding it, and thanked him for doing so, Wysopal said.
“Even in 1996, there was a new feeling that some developers really valued vulnerability research, and I started thinking that I should talk to them,” he said.
He and his fellow hacker Peiter Zatko began talking to software companies, including Microsoft, about their vulnerability research. In May 1998, he and his L0pht colleagues testified at a congressional hearing that government computer security was weak.
“This has awakened the world where industry and government need to work with vulnerability researchers,” he said.
Then, in November 2001, Wysopal received an email announcing the launch of OWASP. The next phase was working with Microsoft engineers, and the next challenge was moving from being an outside critic to collaborating with developers.
Wysopal said the early tools were built for appsec researchers rather than developers, so developers did not use them to improve security.
Appsec teams had to do more than just find flaws and hand them over. That approach alienated developers and stalled progress.
“I had to step lightly, otherwise nothing would be fixed,” he said. “This approach may have taken a step back in the early days of automation.”
He said the focus then shifted to fixing problems, with an emphasis on training, sample fixes, and secure libraries. This was the beginning of modern appsec.
“One of the best things that happened to appsec is that the process turned agile and
“This was a compulsory feature to modernize the behavior of appsec,” he said.
How to improve the relationship between developers and security teams and increase the security of your applications
https://www.techrepublic.com/article/how-to-improve-relations-between-developers-and-security-teams-and-boost-application-security/#ftag=RSS56d97e7