Do you ever find yourself driving down the road in an unfamiliar place and you get that gut feeling that you’re headed in the wrong direction? Well, I feel that’s exactly where we are with application security – heading in the wrong direction.
First off, with application security, most things are reactive: “Let’s just get it out and we’ll fix the security stuff later” is the mode of operation. Why is this still the mantra more than 10 years after we started talking about it in the dot-com days? I don’t get it.
Secondly, we’re going about application security for all the wrong reasons. It seems to me we’re not working on the right problem when we spend time, money, and effort on application security so we can say we’re “compliant” or simply to please other people – especially the auditors, regulators, and business partners who are doing nothing more than strong-arming us into submission.
So often I see people in IT, security, development, and compliance working all out on things that aren’t going to make that much of a difference towards minimizing application security risks. Sometimes it’s laziness. Other times its ignorance. Quite often, it’s IT and security vendors who are driving the bus making promises about how their firewalls, encryption, server monitoring, or database security software are all that’s needed to keep things in check. Other times it’s management dictating what needs to be done with application security when they’re often so disconnected from reality they haven’t the slightest clue about what’s really at risk.
Each and every Web applications is unique. They’re ever-changing and infinitely complex. This will only lead to bigger issues down the road because unless we see big changes in the way software works odds are that things will only become more complex over time.
Businesses will see one of the biggest payoffs when application security is not just small talk but rather a way of thinking for developers are and QA professionals. It needs to get to the point where they actually understand in-depth security concepts and flaws rather than the basics of user roles, SSL, and strong passwords. They’re also going to have to think more like the bad guys and use the proper tools so they can find the flaws that really matter. I’m not picking developers but rather pointing out to management a significant business problem.
Unless and until more people are held accountable (preferably by a self-policing marketplace), we’re going to continue down this path spinning our wheels to oblivion. Call me a pessimist. I’m surely coming across that way but eagerly waiting for people to prove me wrong.