Wednesday, December 8, 2010

One Click Application Security - How did we get here?

As you look toward next year and review your application security plan, please remember that there is no single magic tool to solve all of your application security issues. Any product that is touted to "automate" your security review process or "find all security problems in your application" is just fluff. The salesperson will tell you that their product is the latest and greatest, that it can perform "deep packet inspection" or "successfully detects all X top attack techniques". But remember, this is all just talk.

The reality is this. Your application is a custom piece of software that supports unique functionality and is designed in a unique way. The security product, however, is a single piece of software that claims to be able to detect flaws in any custom web application. Here lies the problem. A generic piece of security software cannot reliably detect security issues in custom-designed software. A generic scanner does not understand your application's workflow or access control - two areas where critical vulnerabilities are often located.
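The gap described above, as an added example that is not part of the original post: a constructed toy invoice handler (all names and data are hypothetical) passes application-agnostic checks, while a test that encodes the application's own ownership rule flags the missing access control.

```python
# Constructed sample data: two invoices, each owned by a different user.
INVOICES = {101: {"owner": "alice", "total": 40},
            102: {"owner": "bob", "total": 975}}

def get_invoice(session_user, invoice_id):
    """Flawed handler: requires a login but never checks who owns the invoice."""
    if session_user is None:
        return 401, "login required"
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return 404, "not found"
    return 200, f"invoice {invoice_id} total={inv['total']}"

def get_invoice_fixed(session_user, invoice_id):
    """Corrected handler: invoices of other users look the same as missing ones."""
    if session_user is None:
        return 401, "login required"
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != session_user:
        return 404, "not found"
    return 200, f"invoice {invoice_id} total={inv['total']}"

ERROR_SIGNATURES = ("Traceback", "SQL syntax", "Exception")

def generic_scan(handler):
    """Checks that need no knowledge of the app: login enforced, no error leaks."""
    findings = []
    if handler(None, 101)[0] == 200:
        findings.append("unauthenticated access")
    for invoice_id in INVOICES:
        status, body = handler("alice", invoice_id)
        if status >= 500 or any(sig in body for sig in ERROR_SIGNATURES):
            findings.append(f"server error on invoice {invoice_id}")
    return findings

def ownership_test(handler):
    """Custom test for this app's rule: a user may read only their own invoices."""
    findings = []
    for user in {inv["owner"] for inv in INVOICES.values()}:
        for invoice_id, inv in INVOICES.items():
            status, _ = handler(user, invoice_id)
            if inv["owner"] != user and status == 200:
                findings.append((user, invoice_id))
    return sorted(findings)

if __name__ == "__main__":
    print("generic scan:", generic_scan(get_invoice))
    print("ownership test:", ownership_test(get_invoice))
    print("ownership test after fix:", ownership_test(get_invoice_fixed))
```

The generic checks see only well-formed 200 responses; the ownership rule exists only in the application's design, so only a test written with that knowledge can fail on it.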

Why do we even think that one-click security is possible to begin with? Let's step back about 10 years. At that point, web applications were static and boring. You were lucky (or unlucky) to find a page that even had scrolling marquee text going across the screen. At that time, attackers focused on network and operating system attacks because this is where the sensitive data was. Most often, attackers exploited poorly configured or outdated networking devices and Windows-based servers/desktops. This created a great market for security vendors and tools. Vendors created tools that would scan for known vulnerabilities in the most commonly deployed products (Cisco routers, Windows servers/desktops, firewalls, etc.) and then issue a vulnerability report to the user. The security team then took this report and patched or reconfigured the vulnerable devices. Presto! The security product has solved the company's security concerns.

Fast forward to the present. Now attackers have shifted to web applications. Why the shift? For one, network security got a heck of a lot better. It's not as easy for the attacker to get in through this attack vector. Second, and more importantly, why bother trying to get into the network when the data you want is accessible through the vulnerable web application that is sitting right on the Internet?

Security vendors realize that application security is the next great security frontier and have begun creating new products with their old scan-and-report approach. Unfortunately, we've conditioned ourselves to accept that this antiquated approach works for all security issues. It worked for networks, right? But the reality is that this approach can only catch the most common issues in web applications. (Read: Most Web Application Scanners Missed Nearly Half Of Vulnerabilities) All of the deeper (and more critical) issues are going to require custom testing to detect. This is the problem. People buy web scanning tools believing that the tool is easy to use and that it will result in secure web applications. The reality is that the tool is easy to start up, its results are difficult and time-consuming to interpret, and it will likely only find some common security issues in the application.

A scanning tool does have its place in a robust application security program, but it is only to double check that the most basic security issues have been addressed.  Any reliance on a generic scanning tool as your primary security control is nothing more than a false sense of security and a disaster waiting to happen.

-Michael Coates - @_mwc