- Mike Chapple, University of Notre Dame
Web application security is one of the trickiest issues facing information security professionals in organizations of all sizes. Security professionals, who often rise through the ranks of system and network engineering, find themselves bewildered by the world of application development and the web security issues it brings. Faced with this unfamiliar turf, they may cite the poor web security skills of application developers and throw vulnerability reports over the cubicle wall to those developers, demanding that they resolve vulnerabilities.
Unfortunately, the same situation exists on the other side of the cubicle wall. Developers who receive vulnerability reports may not understand the security jargon in them and try to tweak their code just enough to make the reports go away. This fundamental lack of understanding between developers and security professionals leads to a significant increase of web security issues.
Fortunately, groups like the Open Web Application Security Project (OWASP) exist to help bridge that divide and foster secure coding practices in enterprises around the world. Their lofty core purpose is to "be the thriving global community that drives visibility and evolution in the safety and security of the world's software."
Understanding web app security issues
Josh Sokol, information security program owner at National Instruments, serves on the OWASP board of directors. According to Sokol, the inherent nature of web applications makes them a source of risk. "The fact is that web applications are designed as an intentional bypass of an organization's perimeter defenses," Sokol says. "Every time you open up a hole in your firewall to allow web app connectivity, you are effectively saying that 'this is an approved way to access these network resources.' If a web application is exploitable, the attacker is now inside your network and can spread to other systems or escalate privileges from there."
The challenge Sokol points out is compounded by the fact that many of the application developers who spend their time building web applications simply don't understand what they need to do, according to Matt Konda, CEO of application security consulting firm Jemurai and chair of the OWASP board. "The truth is that security still isn't part of the basic education that developers receive, nor is it frequently built into the requirements of systems or features," Konda says.
Expert advice on web security issues
To meet the challenges, OWASP provides both developers and security professionals with educational materials and guidance designed to bridge the knowledge divide and facilitate the development of secure software. One of the most visible ways that they do this is through the publication of the OWASP Top Ten Project that highlights the major risks facing web applications in the current environment. OWASP publishes this list every few years and is currently in the process of developing the 2017 release. The current list, last updated in 2013, includes a hit parade of common risks (see "OWASP's Current Top 10").
One major change in the Top 10 development process this time is that the OWASP team is seeking input from a much broader base of experts. According to Sokol, "The original Top 10 was based on a small dataset from a limited number of participants. It is still an excellent document, but there were questions about the transparency behind it. For the latest OWASP Top 10 list, the project leaders put out a formal 2016 Data Call in order to collect data from as many different organizations as possible."
OWASP also runs several other projects that help developers and security professionals incorporate web application security into their business processes. For example, the OWASP Top Ten Proactive Controls counterbalances the list of top risks with a set of controls that developers should implement to help solve web security issues in applications. The current list covers a number of best practices (see "OWASP Proactive Recommendations").
These tools provide a good foundation of expert knowledge to use when building an enterprise web application security program, and sharing them throughout the company can help bridge the divide between developers and security professionals. Matt Konda believes that "application security is best solved through education and bringing information to developers. It is no coincidence that many of OWASP's most important projects strive to provide access to awesome open information."
Assessing your environment
The OWASP Top Ten initiative is widely popular, and many automated scanners now include OWASP scans in their standard set of security checks. Tom Brennan, founder of Proactive Risk and member of the OWASP Board, is quick to point out that simply scanning for the OWASP Top Ten is not sufficient to provide assurances of application security. According to Brennan, businesses must "understand that [the] 'check box' test of the OWASP Top 10 can and will leave organizations vulnerable should they fail to examine all classes of attack."
Of course, automated scans will continue to form an important part of most application security programs. Automated scanners provide a relatively inexpensive way to detect common vulnerabilities and are effective against many of the most common risks. According to Sokol, organizations that run web application security scans for the first time are almost always overwhelmed by the results. He offers some parting advice to businesses that find themselves in this situation.
"You need to figure out how to prioritize the results that you have," Sokol says. "Maybe it's based on the vulnerability risk score, on the data criticality, or some formula that you use across multiple data points, but the process is the same." He adds, "Start with one issue, fix it, move on to the next. It will take plenty of time and massive amounts of patience, and you may never even fully mitigate all of the items on that list. But with each issue addressed, you make your organization a little bit more secure and the internet a little bit safer for your users. Use those small wins to motivate you to keep doing what you're doing."
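The prioritization loop Sokol describes, as an added example that is not part of the article: a small triage helper that ranks scanner findings by a composite of scanner risk score, data criticality of the affected asset and exposure, then hands back the single next issue to fix. The weighting formula and the sample findings are constructed for illustration; the OWASP 2013 category labels are used only as tags.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class Finding:
    """One row from a web application scanner report (constructed shape)."""
    id: str
    category: str          # OWASP Top 10 (2013) category label
    risk_score: float      # scanner severity on a 0-10 (CVSS-like) scale
    data_criticality: int  # 1 = public data ... 5 = regulated/sensitive data
    internet_facing: bool  # reachable through the perimeter hole Sokol describes


def priority(f: Finding) -> float:
    """Composite score across multiple data points (assumed formula).

    Scanner severity is scaled by how critical the affected data is, and
    internet-facing applications get a further 1.5x because a successful
    exploit lands the attacker inside the network.
    """
    score = f.risk_score * f.data_criticality
    if f.internet_facing:
        score *= 1.5
    return round(score, 1)


def triage(findings: Iterable[Finding]) -> List[Finding]:
    """Return findings ordered from most to least urgent."""
    return sorted(findings, key=priority, reverse=True)


def next_to_fix(findings: Iterable[Finding], fixed_ids: Set[str]) -> Optional[Finding]:
    """Sokol's loop: start with one issue, fix it, move on to the next."""
    for f in triage(findings):
        if f.id not in fixed_ids:
            return f
    return None  # every finding on the list has been addressed


# Constructed sample report: four findings from a first-time scan.
SAMPLE_FINDINGS = [
    Finding("F-1", "A1 Injection", 9.0, 5, True),                       # 67.5
    Finding("F-2", "A3 Cross-Site Scripting", 6.1, 2, True),            # 18.3
    Finding("F-3", "A5 Security Misconfiguration", 5.0, 4, False),      # 20.0
    Finding("F-4", "A9 Components with Known Vulnerabilities", 7.5, 3, False),  # 22.5
]

if __name__ == "__main__":
    for f in triage(SAMPLE_FINDINGS):
        print(f"{priority(f):5.1f}  {f.id}  {f.category}")
```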
About the Author:
Mike Chapple, Ph.D., CISA, CISSP, is a senior director of IT with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to SearchSecurity.com and serves as its resident expert on enterprise compliance, frameworks and standards for its Ask the Experts panel. He previously served as site expert on network security, is a technical editor for Information Security magazine and the author of several information security titles, including several CISSP prep guides and Information Security Illuminated.