Another year has gone by, and looking back at 2009 it certainly was one to remember in the application security world. There were more notable newsworthy incidents than in previous years. Major attacks took place on nearly all major social networking sites, plenty of financial institutions, and tons of government sites. Application security has finally taken center stage, and rightfully so. Nearly everything we do nowadays happens on the web. As more of our routine functions, both from a business perspective and in our personal lives, shift to the web, the criticality of these vulnerabilities will only grow. If your organization relies heavily upon web-based technologies and you haven't begun taking security seriously yet, it's never too late to start!
Putting it all into perspective, what should we take away from the events of 2009?
1- Solid application security is not, and never will be, as simple as pressing a button and letting someone else worry about it. Throwing money at a problem is not the same as solving it. While security can never be deemed a "perfect science," there are plenty of things we can do to get close. Running a simple scanner (source code or runtime) against a pre-production application is not the same as building security into your architecture and design. Implementing a web application firewall is not the same as identifying the root cause of your vulnerabilities and ensuring that your developers learn from their mistakes and begin writing more secure code.
2- A major incident is extremely expensive to triage. If your company is an e-commerce company, have you REALLY crunched the numbers to estimate how much it will cost to be down for 4-5 days? If you estimate your losses to be upwards of a million dollars a day, yet bringing on 2-3 additional full-time application security engineers would cost a few hundred thousand, why on earth would you take such a risk? Everyone thinks "it won't happen to us" until it actually happens to them. The numbers don't lie: if it hasn't happened to you yet, it will. It may already have happened, but your attackers weren't interested in raising any red flags.
3- Web technologies are moving at the speed of light right now, and will continue to do so for the foreseeable future. Things moved fast in 2009, and will do the same in 2010. With the emergence of the HTML 5 standard, 2010 is going to be a very interesting year.
Happy New Year to all of you!!
-Jack
1 comment:
Jack-
Your first point is something I've been beating on time and time again. Sadly, you can't imagine how frustrating it is trying to explain to large enterprises and small that you can't just magically buy tools and software to "make your web apps secure"... but still they try!
Anyway, thought I'd share the 3-part series in case you missed it, titled "Can't I just point-n-click?" ... enjoy!
1) http://bit.ly/YQcsJ
2) http://bit.ly/1ofYHv
3) http://bit.ly/AaFoX