In Application Security, Good Enough Isn’t

SAN FRANCISCO–There’s the old joke about two hunters running from a lion, and the one runner says to the other: we can’t outrun the lion. And his buddy replied, “I don’t have to outrun the lion, I only have to outrun you.” Many, over the years, have applied the same logic to application security: If their software is ‘secure enough’ attackers will move on to easier targets.

George HulmeSAN FRANCISCO–There’s the old joke about two hunters running from a lion, and the one runner says to the other: we can’t outrun the lion. And his buddy replied, “I don’t have to outrun the lion, I only have to outrun you.” Many, over the years, have applied the same logic to application security: If their software is ‘secure enough’ attackers will move on to easier targets.

That’s a dangerous assumption today, as attacks become more targeted and the attackers more skilled. Indeed, software security experts now say that building more secure applications from the start would create software that is more sustainable, resilient from attacks, and even more cost effective. Unfortunately, the focus of many software creators is to ship code that is ‘good enough.’ 

“Good is better than nothing,” said Josh Corman, research director, enterprise security practice at the 451 Group. “Let’s use the Three Little Pigs analogy. In that analogy ‘good’ is the straw house, and ‘better’ is the stick house, while ‘best’ is the brick house – sometimes good enough isn’t.”

That’s especially so with so many wolves targeting software flaws in applications that are built like straw houses. That’s because, when it comes to our IT systems, “the notion of having a defensible infrastructure almost never comes up in our acquisition negotiations,” Corman said to the audience during a panel on application security at the RSA Conference here. And those expecting new technologies, such as cloud computing, to auto-magically solve the problem are going to be disappointed.

“If we are not happy with how we secured on-premise software, virtualization, or our browsers- cloud computing isn’t going to be much fun,” said John Diamant, HP Secure Product Development Strategist.

To succeed, what is going to have to change is not only the current mindset toward software security, but also where and how software makers focus their attention.

“You get what you measure. If your manager wants as many lines as possible, and that’s what is measured in performance that is what you will get: a lot of lines of code as quickly as possible,” said Hugh Njemanze, chief technology officer and executive vice president of research and development at ArcSight. “That doesn’t mean the software will run fast, or that it will be effective,” he said.

And, all too often, lots of lines of code developed quickly with little quality oversight means lots of programming mistakes. This lack of secure software development hasn’t been for a lack of awareness or knowledge argued Corman, as there are awareness initiatives such as Rugged Software and widely known secure code development initiatives such as OWASP. “

We have plenty of supply. The real bottleneck has been sufficient demand [for secure software],” Corman said.

How do security and development teams get the funding and management buy-in for their secure software development initiatives? By aligning the business self-interest with the impact of insecure code, panelists agreed.

“Talk to management about the cost of poor quality,” said HP’s Diamant. “A security defect can be an order of magnitude more expensive by catching it late in development or in production,” he said. Diamant also pointed to the high costs of downtime, cost of data breaches, regulatory findings, and the potential impact on a company’s brand as potential motivators that would make management listen.

Dan Holden, director of DVLabs at TippingPoint said that “any way you can tie the importance of secure software with your customers always resonates with management.” Holden pointed to recent security incidents that involved web browsers visiting e-commerce sites only to be redirected someplace else and infected with malware.

“That’s certainly not part of their customer satisfaction program,” he said.

ArcSight’s Njemanze noted that security and development teams don’t have to argue for more money, but can often successfully allocate existing budget more effectively. The panel also made it clear secure software development itself is not enough. To successfully protect applications and the underlying systems requires a multi-faceted defense that should include secure software development, web application firewalls, anti-malware defenses and continuous monitoring.

Suggested articles