Last Thursday, we hosted our monthly Twitter #SecChat on Application Security. We did things a little differently this time and instead of having McAfee folks choose a trending topic, we chose the topic based on feedback from 451 Analyst Josh Corman – a frequent #SecChat participant and security expert.
A topic near and dear to his heart, @JoshCorman was an active participant along with many others as we discussed the current state of application security and its related issues. The conversation began with @labnuke’s comment, “Application developers don’t know the power of the platforms they develop on,” which spurred comments about the education and nature of being an application developer. @DaveMarcus chimed in to suggest that application developers are not incentivized to develop secure apps, just apps in volume – especially since time-to-market will always trump secure development and good QA. @danielkennedy74 suggested that requiring fewer programming skills to build an app could be a good thing, so long as the built-in functions are written properly. He also mentioned that writing use cases for application developers is hard enough; add abuse cases on top and you have a very difficult requirement for developers. Still, most participants agreed on the importance of constant testing of apps and further education for application developers. Perhaps even a Manga Guide to secure app development, as suggested by @451Wendy.
The conversation also touched on legacy code versus building new code. @JoshCorman brought up the idea that it is hard to go back and retrofit legacy code when the development team is focused forward, making the case that it is easier to build more rugged software on new code than to retrofit old code. @DanielKennedy74 pointed out that anyone who wants to drag their legacy app into the interconnected Internet age needs to be prepared to fix it. On the other hand, @DaveMarcus said it best – “the attack only needs to be as sophisticated as the target requires – i.e. SQLi = kids stuff”.
While the chat touched on the problems of app security, @JoshCorman asked where people are having the most success in driving better app security. @SecurityNinja suggested speaking to developers in their own language and giving them processes, tools and ideas that actually help them. @coverity thought that strong contract terms need to become industry standard in order to hold third parties accountable for code quality and security. Finally, it was widely agreed that the key might be teaching the importance of application security outside the immediate security community, since we keep talking amongst ourselves.
What are your thoughts on application security? What are the ways in which you’ve been most successful in driving better application security? Leave your comments below!
If you missed the chat this month, be sure to join us next month as we tackle the next topic. As always, we’re open to hearing from you so tweet @IntelSec_Biz if you have a topic suggestion.