Application security testing calls for a change in attitude
A few months back, Tenable's CEO Amit Yoran walked onto the stage at a user conference and castigated the security profession for its attitude of "cyber-helplessness," comparing it to the learned behavior that keeps circus elephants tethered to posts that they could easily break. How can cybersecurity pros possibly prevail against hackers backed by nation-states -- by the North Koreans, the Russians, the Chinese? Time to dump that assumption, was Yoran's theme.
The Cold War ended, in large part, because a seemingly unbeatable nation-state able to channel all assets to one purpose -- military power -- couldn't match the West. As a Soviet expert during that time, I saw study after study that described Soviet military strength in alarming terms. But the truth -- obvious then to some and now to most -- was that all that concentrated effort proved no match for the ingenuity, inventiveness and can-do attitude free societies foster. It's a good lesson for cybersecurity -- but first, as Mr. Yoran asserted, we must discard the presumption that we're outmatched.
One place to begin practicing a new attitude is in application security testing. Doing app security testing right begins with assuming that everything should be tested. This requires, of course, that you have as complete an inventory of applications at play in your business as possible. Next, require that there be a rock-solid argument for not testing an app before removing it from the to-be-tested list.
After that, what comes next? That's what this three-part guide is about. Kevin Beaver, a top cybersecurity expert, looks at where testing has been neglected and then offers actionable advice on how to set up your application security testing program for success.
It's human nature to want to deflect responsibility, to avoid conflict. But -- as the Cold War taught us -- resistance is not futile; it's essential.