The security industry is a funny one. Every year we see more and more threats pop up, new forms of malware, increasingly sophisticated attacks, sometimes developed by whole teams of experts. But as advanced as things get, sometimes a sheer lack of security basics means age-old techniques still get through and wreck even the biggest companies.
“I was talking to Jeremiah [Grossman, White Hat Security founder], and he was finding holes in applications before a lot of the vulnerabilities that we are all familiar with, such as SQL injection, had those names,” says Gareth O’Sullivan, EMEA Director of Solutions Architecture at White Hat Security.
For example, SQL injection and cross-site scripting didn’t have names. According to O’Sullivan, Grossman said it was ‘just a thing, and it worked’.
“We still see cross-site scripting all the time. We still see a lot of the same stuff cropping up.”
But given the increasing sophistication (and not to mention cost) of security techniques, surely attacks from the 1990s and early 2000s should be long gone by now, right?
“A lot of these problems have been around for many years; they're only really there a lot of the time because of complacency, or because of the age-old problem that developers are not trained in security,” he says. “There are pressures internally within most organizations to build applications fast to support the business, and any controls need to be done in the context of supporting the bottom line of the business.”
While it’s unsurprising that he thinks there needs to be more effort directed towards application security, O’Sullivan is used to seeing resistance. “You'll see pushback, either because organizations don't have time or there’s a misconception that introducing security controls at a code level is going to impact performance of applications. Maybe not as frequently as a lack of funds and stuff like that but it is also another concern.”
“To fix it, I’d like to see a certain amount of regulation being brought in to regulate how applications are built.”
A GDPR for Application Development?
While he admits the likes of PCI compliance or the incoming GDPR are starting to help, none of them go deep enough down into the code level for O’Sullivan’s liking, and instead he would like to see new rules that focus on secure code development.
“If the regulations just went a little bit deeper - to kind of look at a granular level where the problems really are - and mandated using certain types of frameworks and using certain types of controls at a code level, that would help.”
“There's all sorts of controls built into your code, they're out there, OWASP [a non-profit repository of security information] is a great resource for that type of thing. There's cheat sheets for avoiding certain vulnerability types. Use them, put them in your code. Mandate that they get used, build that into regulations.”
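The two defects named earlier in the piece, SQL injection and cross-site scripting, are exactly the kind the OWASP cheat sheets address with a code-level control. The following is an added illustration written for this page (it is not code from the article, from O’Sullivan or from White Hat Security): each vulnerable lookup or render sits beside its hardened form, using a constructed in-memory SQLite table so it runs offline. The table, the sample rows and the test inputs are all assumptions made for the example.

```python
import html
import sqlite3


def make_db():
    # Constructed sample data: a two-row users table (assumption for this example).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, name):
    # The age-old defect: user input is concatenated into the query text, so the
    # database engine cannot distinguish data from SQL.
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    # The control recommended by the OWASP SQL Injection Prevention Cheat Sheet:
    # a parameterized query. The value is bound by the driver and never parsed
    # as SQL, so no input can widen the WHERE clause.
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def render_unsafe(name):
    # Reflecting input straight into HTML: the cross-site scripting defect.
    return "<p>Hello, " + name + "</p>"


def render_safe(name):
    # The control from the OWASP XSS Prevention Cheat Sheet: encode output for
    # the context it lands in (here, HTML element content).
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    # Constructed test input that widens the WHERE clause only in the unsafe path.
    probe = "x' OR '1'='1"
    print("unsafe lookup:", lookup_unsafe(db, probe))   # both rows leak
    print("safe lookup:  ", lookup_safe(db, probe))     # no such user: []
    print("unsafe render:", render_unsafe("<script>"))
    print("safe render:  ", render_safe("<script>"))
```

The point of keeping both forms side by side is the one O’Sullivan makes: the fix is not exotic, it is a habit. A code review or a static-analysis rule that flags string concatenation in query text and unencoded output in templates catches the vulnerable form mechanically, which is the sort of control that could be mandated without slowing a team down.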
Despite his call for regulation, O’Sullivan is aware that compliance can become a mere tick-box exercise if implemented incorrectly, and understands that regulations have to balance controls with making sure they aren’t too onerous or expensive to implement.
“Security shouldn't get in the way of the organization conducting business, so it needs to be done in a measured way. But we need to look at bare bones practical basic secure code practices, that's really what it needs to boil down to.”