It is no longer possible to be an expert in application security without a deep understanding of the operational side of application development. Long gone are the days when a company could run a twelve-month release cycle, push numerous security vulnerabilities into production, and then react and fix those problems as time permitted. We live in a world of weekly sprints, multiple pushes to production each day, and a build cycle that doesn't understand the word slow.
Application security has always been more than executing a penetration test and fixing the findings. The app sec landscape has changed so drastically that new concepts and techniques are required for any chance at success. With the advent of agile development and continuous delivery, the application security engineer has morphed into a combo platter of development, security, and operational expertise.
As security professionals, software engineers, developers, and executive leaders, it's time we take a step back and look at how we operate and secure our business. The old methods of application security aren't working. It's time to try something different, something that matches modern application development models. It's long past time that we built application security technology with adequate visibility into active attacks, so that we can see the issues in real time. We have more intelligence and attack signal than ever before. It's time to understand these signals and use them to inform our enterprise security decisions, to better protect our business and our customers.
The key to success in application security visibility is knowing which questions to ask. What we have traditionally looked for (code vulnerabilities, flaws, weaknesses), while important, does not give us enough signal to make adequate security decisions. The real questions we must ask include:
What attacks are actually happening?
Knowing what vulnerabilities are in your application is important, but which of those vulnerabilities are actually being attacked? A vulnerability that is never exploited cannot hurt you; the risk is only actualized when an attack against it happens. The caveat is that "never" is only knowable in hindsight, so the absence of observed attacks today is a prioritization signal, not a reason to leave a flaw unfixed indefinitely. Instrument your applications, servers, and operating systems to gain visibility into real-time attack data if you want to succeed in a DevOps world.
Where are the attacks occurring in my application landscape?
If there is a high-risk SQL injection vulnerability in an obscure section of your application that only serves demo data, should it be fixed before the medium-risk XSS vulnerability in the most frequently used portion of the web site? Understanding which sections of your applications and code are targeted the most, by whom, and via which attack classes helps you understand the practical risk of a vulnerability. Visibility into attack patterns is essential to proper triage and planning.
Are the attacks successful?
Successful attacks left undetected result in severe long-term compromise. The mean time to detection of an attack must be tracked and driven down over time. An attacker with access to your systems for seconds can do far less damage than one who has access for a month. Attacks take time. Use instrumentation and visibility to take away the attacker's luxury of time and space.
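The three questions above can be answered, crudely, from data most teams already have. The following is an added example, not Signal Sciences code or any part of the original post: it parses a constructed combined-format access log, tags each request with an attack class using deliberately simple signatures, aggregates by path and source (what is happening and where), re-ranks a hypothetical list of known vulnerabilities by observed attack pressure, and flags attack requests the application answered with a 2xx as possible successes. The log lines, IPs, paths, vulnerability list, signatures and the scoring formula are all assumptions made up for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed sample access log (combined format, fictional IPs and paths), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2016:10:01:02 +0000] "GET /demo/report?id=1%20OR%201%3D1 HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2016:10:01:03 +0000] "GET /demo/report?id=1%27%20UNION%20SELECT%20pw%20FROM%20users-- HTTP/1.1" 200 4096
10.0.0.9 - - [12/Mar/2016:10:02:10 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2048
10.0.0.9 - - [12/Mar/2016:10:02:11 +0000] "GET /search?q=%3Cimg%20src=x%20onerror=alert(1)%3E HTTP/1.1" 200 2048
10.0.0.9 - - [12/Mar/2016:10:02:12 +0000] "GET /search?q=%22%3E%3Csvg/onload=alert(1)%3E HTTP/1.1" 403 128
10.0.0.9 - - [12/Mar/2016:10:02:13 +0000] "GET /search?q=javascript:alert(1) HTTP/1.1" 200 2048
172.16.3.2 - - [12/Mar/2016:10:03:00 +0000] "GET /search?q=shoes HTTP/1.1" 200 2048
172.16.3.2 - - [12/Mar/2016:10:03:05 +0000] "GET /account/settings?file=../../../etc/passwd HTTP/1.1" 404 256
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)'
)

# Deliberately crude attack-class signatures (assumption); a real detector is far richer.
SIGNATURES = {
    "sqli": re.compile(r"(?i)(\bor\b\s+\d+\s*=\s*\d+|\bunion\b\s+select\b|--\s*$)"),
    "xss": re.compile(r"(?i)(<script|onerror\s*=|onload\s*=|javascript:)"),
    "traversal": re.compile(r"(\.\./){2,}"),
}

SEVERITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}

# Hypothetical scanner findings: (path, attack class, severity). The /checkout CSRF is
# included to show how a finding with no observed attacks ranks.
KNOWN_VULNS = [
    ("/demo/report", "sqli", "high"),
    ("/search", "xss", "medium"),
    ("/account/settings", "traversal", "high"),
    ("/checkout", "csrf", "high"),
]


def parse_log(text):
    """Turn raw log lines into events carrying the URL-decoded request the app actually saw."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path = m["url"].partition("?")[0]
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "path": path,
            "decoded": unquote(m["url"]),
            "status": int(m["status"]),
        })
    return events


def classify(event):
    """Return the attack classes whose signature matches the decoded request."""
    return [name for name, rx in SIGNATURES.items() if rx.search(event["decoded"])]


def attack_summary(events):
    """Questions 1 and 2: which attack classes hit which paths, and from which sources."""
    by_path = defaultdict(Counter)
    by_source = Counter()
    for ev in events:
        for cls in classify(ev):
            by_path[ev["path"]][cls] += 1
            by_source[ev["ip"]] += 1
    return {"by_path": by_path, "by_source": by_source}


def prioritize(vulns, summary):
    """Rank findings by practical risk: severity weight times (1 + attacks observed against
    that path and class). The formula is an illustrative assumption, not a standard."""
    ranked = []
    for path, cls, severity in vulns:
        observed = summary["by_path"][path][cls]
        score = SEVERITY_WEIGHT[severity] * (1 + observed)
        ranked.append((score, path, cls, severity, observed))
    return sorted(ranked, reverse=True)


def possibly_successful(events):
    """Question 3, as a proxy: attack requests the app answered normally (2xx) rather than
    blocking, oldest first, so responders can see how long a source has been active."""
    hits = []
    for ev in events:
        classes = classify(ev)
        if classes and 200 <= ev["status"] < 300:
            hits.append((ev["ts"], ev["ip"], ev["path"], classes[0], ev["status"]))
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    summ = attack_summary(evs)
    for path, classes in summ["by_path"].items():
        print(path, dict(classes))
    print("top sources:", summ["by_source"].most_common(3))
    for score, path, cls, sev, seen in prioritize(KNOWN_VULNS, summ):
        print(f"score={score:2d} {sev:6s} {cls:9s} {path} (attacks seen: {seen})")
    for ts, ip, path, cls, status in possibly_successful(evs):
        print(ts.isoformat(), ip, path, cls, status)
```

On this sample the medium-severity XSS on /search, hit four times, outranks the high-severity SQL injection on the demo page, which is the triage outcome the second question argues for; the CSRF finding nobody is attacking falls to the bottom without disappearing. The "possibly successful" list is only a proxy: a 2xx on an injection attempt means the request was not blocked, not that it worked, and confirming success needs instrumentation inside the application (query errors, unexpected result sizes, authentication anomalies) rather than the edge log alone.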
If application security practitioners, DevOps teams, security developers, and security program operators shift their thinking from the traditional security questions to questions that yield actionable answers, we can meaningfully raise the level of application security in the enterprise. As you move from old business models and development methods to lean business, agile development, and continuous deployment, make sure you adjust your application security questions so that you get the answers required for success. Implementing a Next Generation WAF will help you deliver on this more informed and active model for web application security.
Signal Sciences' industry-first Next Generation Web Application Firewall is a SaaS security solution designed to help you prioritize your defensive efforts on the areas of your web site targeted most by attackers. Signal Sciences' solutions impose practical difficulties on attackers without breaking real customer traffic. Signal Sciences provides production web security and attack visibility, allowing you to improve your application security operations.