Application security testing will become as common as quality testing
BYOD trend will push mobility security further
COMPUTERS function by software dictating how they work and perform certain tasks. Known as programs, these lines of code have in the past 30 years evolved from rudimentary forms to what are now complex mazes of logic that perform very complicated tasks and/or roles.
For the most part, software programs of old were purposefully built on platforms that resided on single or a handful of computers. But as the world embraced the Web more, new kinds of programs – web applications as they are now known – began to pop up.
With the advent of web apps, information security has never before been more important, and one area that is growing is what is known as application security testing.
According to Chris Wysopal, co-founder and chief technology/information security officer of Veracode, security testing is heading towards being standardized, just as quality testing already is in various industries today.
Speaking to Digital News Asia exclusively, Wysopal says: “Customers will begin to expect it and seek evidence that it was performed and any issues found fixed. This is going to go for desktop applications, server applications, Software-as-a-Service (SaaS) offerings, and [also] mobile apps. And there will be more rigid screening processes around app stores, both public and private.”
Veracode claims to be one of the world’s leading Application Risk Management Platforms. Its patented cloud-based capabilities allow customers to govern and mitigate software security risks across a single application or an enterprise portfolio in a simple way. The company says its aim is to make it simple and cost-effective for organizations to accurately identify and manage application security risks.
Wysopal, who started his career in software development after college, worked as a developer for about 10 years in desktop software and web applications. He says that towards the end of those 10 years, he started researching vulnerabilities in software with his colleagues at The L0pht.
“It became quickly apparent to me that most software developers, including myself, had no understanding of security and were building software that had unintended vulnerabilities.
“I started Veracode because I wanted to make it as easy as possible for the vulnerabilities in software to be discovered and fixed by developers.
“It is very difficult to secure vulnerable software with security products. Veracode makes it possible for the developer to discover the vulnerabilities and fix the software itself before delivering it to the customer.”
Asked what were his thoughts about the future of software and Internet security, Wysopal notes that for Internet security in general, there is going to be a greater push for stronger authentication using mobile devices as a two-factor authentication tool.
“We will also see better screening of compromised sites that are serving malicious content through information sharing so that search engines and cloud gateways can inform the end-user that they are going to visit a malicious site.”
Besides this trend, Wysopal also notes that web applications have been growing in number, size, and complexity. Driving this trend is SaaS, which is being adopted for many services that used to be taken care of by desktop or enterprise software.
He believes that online backup, chat, and financial processing have all joined the ranks of email and moved to the cloud, and this means that there is a growing number of vulnerabilities out on the web.
The rise of mobile app vulnerabilities
One trend that Wysopal believes is even more troubling is the fact that mobile apps are growing faster than web apps. Due to the rush to get mobile apps out to the market, little or no security testing occurs.
“We are working with our customers to make it as fast and easy to test the security of the mobile apps they are building and buying. [Trends] like bring-your-own-device (BYOD) add an extra challenge to this because the mobile apps are purchased by individuals, yet they may put the data they use, often belonging to their employers, at risk.”
On what best practices exist for enterprises and businesses to adhere to, Wysopal suggests that organizations make an inventory of what applications they have and look at the business criticality and risk that the application poses.
“Ask yourself: is it exposed to the Internet? Does it process regulated data, such as credit cards, personally identifiable information (PII), financial data, health care data?
“Then rank the application by criticality. Next, start looking at where the app came from, how it was built, and ask if it was tested. Then perform security testing on the apps that are riskiest.”
Wysopal is scheduled to speak at HITBSecConf, taking place from Oct 8-11 at the InterContinental hotel, Kuala Lumpur, on the topic “Data Mining a Mountain of Vulnerabilities,” at 10.45am today (Oct 10).
The conference will see over 42 of its most popular speakers over the years return to the stage in celebration of its 10th anniversary, and DNA is one of the official online media for the event.