AppSec USA: 5 key trends as app sec gets business-critical

Robert Lemos, Technology Journalist, Independent

Over the past decade, the role of software has dramatically changed as code has found its way into myriad devices. Cars now require code as much as they do metal, plastic, and fiberglass. Factories need software just as much as they need humans to produce goods. And homes have an increasing number of devices that manage their own operation as well as their owners' lives.

The tectonic shift from software existing only in the digital realm to software managing and augmenting all aspects of human lives means that securing software has much greater meaning for society, argues Chenxi Wang, founder and general partner of Rain Capital. She will discuss the changing role of software security in society at the OWASP AppSec USA 2018 conference, being held October 8–12 in San Jose, California.

"This new area for application security—one that we absolutely must focus on—is how we make our technology more robust before it creates larger social problems for us."
Chenxi Wang

This changing role of software, and its increasing criticality, will be one of the major themes at this year's conference, which has typically focused on web applications and common vulnerabilities. Another will be the role and impact of machine learning and artificial intelligence (AI), both on security and on attackers' techniques.

Here are the major topics that sessions will address—and that likely will spark lively conversations in the hallways—at OWASP's AppSec USA.


1. The world has changed

In 2011, with tech stock prices still depressed from the Great Recession, Marc Andreessen famously wrote an essay in The Wall Street Journal, "Why Software Is Eating the World." At the time, Hewlett-Packard, on whose board Andreessen sat, was exploring jettisoning its PC business to focus more on software.

Today, Andreessen's comments are often quoted as fact. Software has eaten the world. Yet the security—or lack thereof—of that software continues to pose challenges for developers, vendors, and society. Moreover, the impact of software's ubiquity and its ability to shape people's views of the world creates a whole new area of trust, security, and vulnerability impact, said Rain Capital's Wang.

"We are living in a super-connected world, where algorithms are getting more and more intelligent and there is more data," she said. "The marriage of a ton of data and the intelligence of these systems gives us a world where you can get information on anyone, or any organization, very quickly."

How bad actors will attack the trust people place in their applications is not clear. But just as software agents are becoming more intelligent, so are the attackers' proxies, she said. How we make decisions on what and whom to trust in this new world will be a key challenge, Wang said.

This change in mindset will be a large leap for many developers focused on creating software, said Alexander Hoole, head of Software Security Research for Micro Focus.

"Will developers focus more on the more traditional issues of web application security or more on the broader trends that we are facing as an industry? Things are changing."
—Alex Hoole

2. Developers need to catch up

While the larger world of software is changing, developers' work landscape is also undergoing significant shifts.

For the average developer, these issues will have a significant impact as companies increasingly "shift left"—that is, push more security checks and tests into the development pipeline to catch vulnerabilities earlier, said Armon Dadgar, CTO at HashiCorp. "We are taking all these issues and dumping them on developers who have never had to deal with them."

In the past, a developer might code an application and then send it out for testing, with security scans conducted as part of that process. Now, software development is increasingly moving toward the ideal of continuous integration and continuous deployment (CI/CD), said Dadgar, who will discuss the changing world of developers in his keynote at the conference.

"Now that my server is ready in three minutes, rather than three weeks, there is less time in between features to reset and learn new concepts. Developers are being asked to take on more and more of the security burden, but … it is not really sustainable. They were already not able to do everything that we were asking them to do, and now we are asking them to take on more security as well."
Armon Dadgar


3. GDPR is going to test developers

Companies scrambled to meet the privacy requirements of the European Union's General Data Protection Regulation (GDPR) by May 2018, but only about a third of firms could demonstrate compliance even three months later.

A significant requirement of GDPR is making sure applications handle consumer data in a managed and secure way. In addition, aside from preventing vulnerabilities that could expose applications to potential hackers, it is not entirely clear what other steps developers need to take, said HashiCorp's Dadgar.

"Even now, companies are only at the beginning of what they have to do to be compliant with GDPR. I think that is a big, big challenge for people. Especially if security testing is not baked into your process."
—Armon Dadgar

Applications, and the data the software handles, need comprehensive encryption and protected databases, including encryption of the traffic among applications. While many companies still do only limited static code analysis, GDPR compliance likely requires extensive code analysis, audit trails, dynamic analysis, and a well-maintained secrets database, Dadgar said.

All this ties into whether software security will end up being regulated, especially as more vulnerabilities can be exploited to impact real-world technology, from self-driving cars to home automation to medical devices, said Micro Focus' Hoole.

"Is software security going to become a legislative requirement for liability at some point in time? I don't know if that is a topic that is going to be discussed at OWASP—it is normally discussed at RSA every year, but it is a concern."
—Alexander Hoole

4. Time to (finally) ditch the perimeter mindset

While most companies realize that a perimeter approach to security is no longer a good model, many still have trouble moving away from locking down the network and letting developers assume that the private network is secure.

"This ends up being an all-or-nothing approach to security. When the developers have 500 front doors that they have to secure, and a company's security relies upon all 500 of those doors not being breached, that's a bad recipe for security."
—Armon Dadgar

While most security professionals have moved their focus away from perimeter security, developers, focused on getting their applications working, will often assume that the internal network is secure, he said.

"All you need is one person—an insider threat—to go rogue," Dadgar said. "If I give an employee privileged credentials and they turn on me, then they have unlimited access to the network. And then it does not matter how tall the castle walls are because they are already inside."
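The alternative to "the internal network is safe" is for every service to authenticate every caller, regardless of where the connection comes from. The Go program below is an added example written for this page, not HashiCorp's or any speaker's code. It stands up one internal HTTPS service that requires mutual TLS and then connects to it twice: once as an enrolled service holding a certificate from the internal CA, and once as a rogue caller that sits on the same network and presents a certificate with the right name but issued by nobody the service trusts, which is the insider scenario Dadgar describes. The service names (billing.internal, orders.internal), the CA name, and the in-memory certificate issuance are assumptions for the demonstration; in production the certificates would come from a real internal PKI.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue mints a short-lived cert for name, signed by parent, or self-signed when parent is nil (internal CA, rogue caller).
func issue(serial int64, name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), // demo only; a real CA uses large random serials
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// serve starts an internal HTTPS service that answers only callers whose cert chains to ca.
func serve(ca, cert *x509.Certificate, key *ecdsa.PrivateKey) (addr string, stop func()) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	cfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}},
		// The default, tls.NoClientCert, is the perimeter mindset in one line: anyone who can reach the port is served.
		ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs:  pool,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	must(err)
	srv := &http.Server{Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// The verified peer certificate, not the source address, names the caller.
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	})}
	go srv.Serve(ln)
	return ln.Addr().String(), func() { srv.Close() }
}

// call connects to the service at addr as the identity in cert and returns the response body.
func call(addr, service string, ca, cert *x509.Certificate, key *ecdsa.PrivateKey) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	cfg := &tls.Config{RootCAs: pool, ServerName: service, Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	resp, err := client.Get("https://" + addr + "/")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Demo returns what an enrolled caller sees and the error a rogue caller gets: the rogue holds
// a cert with the right name that was issued by nobody the service trusts.
func Demo() (enrolled string, rogueErr error) {
	ca, caKey := issue(1, "internal-ca", true, nil, nil) // hypothetical names
	srvCert, srvKey := issue(2, "billing.internal", false, ca, caKey)
	cliCert, cliKey := issue(3, "orders.internal", false, ca, caKey)
	rogueCert, rogueKey := issue(4, "orders.internal", false, nil, nil)
	addr, stop := serve(ca, srvCert, srvKey)
	defer stop()
	enrolled, err := call(addr, "billing.internal", ca, cliCert, cliKey)
	must(err)
	_, rogueErr = call(addr, "billing.internal", ca, rogueCert, rogueKey)
	return enrolled, rogueErr
}
```

The enrolled caller gets "hello orders.internal"; the rogue caller's request fails because the server rejects its certificate during the handshake, even though it reached the port and claimed the same name. Authorization in the handler can then key off the verified certificate identity rather than the source IP, which is what removes the "500 front doors" dependency on the network staying clean.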

5. If you're still doing application security manually, you're doing it wrong

All of these changes to how software is used and developed mean that keeping up by using manual processes is a fool's errand, said Rain Capital's Wang. Not only does the workload require automation to manage, but attackers are increasingly incorporating automation into their operations, making it imperative that defenders use automation to keep up.

"The adversaries are getting a lot more automated and using more readily available data and better algorithms, and so the defenders need to get better organized and better automated," she said.

Incorporating automated testing of code and automated configuration analysis is key, she said.

Increasing automation and intelligence is the focus of both DevOps and its security counterpart, DevSecOps, where security is incorporated into the development process. Integrating security into the fast feedback loops of DevOps means making security testing part of the development process, because anything that gets in the way of coding will be far less likely to be adopted, Wang said.

"History has shown us that there is not that much of an appetite for organizations to digest application security as a standalone product. If you throw DevOps on top of everything else, you need to focus on automation and the real-time feedback loop."
—Chenxi Wang