Industry Trends

App Security Wins Move at Snail's Pace

By Stefanie Hoffman | July 30, 2012

Of 200 enterprise security professionals recently surveyed by Enterprise Strategy Group, 79 percent report Web application security attacks in the past year. In a late April Network World blog on the topic, Jon Oltsik, a principal analyst at ESG, said the study also found thieves attacked Web application features and functions such as application authentication, configuration management, application authorization and session management.

Oltsik says the good news is that there's more emphasis on secure software development lifecycles, developer security training and Web application security testing. The bad news: These changes are moving at a glacial pace. The slow pace of gains is also being lamented this week by Jeff Williams, a founder of the Open Web Application Security Project (OWASP), a community dedicated to enabling organizations to develop, purchase and maintain trusted applications.

In a May 7 BankinfoSecurity blog, Williams iterates his 2003 case that application security is just as important as network security. Williams created the OWASP Top Ten list of risks "with the hope that it might be the start of an industry standard that could bootstrap the legal system into encouraging more secure software."

Since that time, the OWASP Top Ten has been used by millions of people, he said, and the FTC has even referenced the OWASP Top Ten in several of its actions.

"That being said, it's disappointing to note that a decade later, we haven't really stamped out any of the major vulnerabilities - quite the opposite," said Williams.

For instance, SQL injection attacks appeared in 1998 and remain prevalent, he says, accounting for 83 percent of breaches since then that compromised hundreds of millions of records. So, as Williams and OWASP release the 2013 Top Ten, Williams says he's disappointed it hasn't evolved much from the 2003 edition.

Today's OWASP Top 10 is based on risk data from eight firms that specialize in application security; those include four consulting companies and four tool vendors. Collectively, the data spans more than 500,000 vulnerabilities across hundreds of organizations and thousands of applications.

Williams reports on the three major updates to the OWASP Top Ten 2013:

  • Using Known Vulnerable Components. Applications frequently have more than 200 frameworks, utilities and other components. As software development moves toward component assembly rather than writing custom code, he says, the research shows many of these libraries have known vulnerabilities. So, the gains that come from this revolution bear a cost: ensuring the components you use are up-to-date and secure.

  • Missing Function-Level Access Control. When developers create their user interface in the presentation layer, they have to restrict which users can see various links, buttons, forms and pages. Developers usually get this right because it's visible, says Williams. They often forget they also have to put access controls in front of the functions, and that means an attacker can forge the required HTTP requests needed to invoke them.

  • Sensitive Data Exposure (Encrypt Everything). The items pertaining to encryption in transit and encrypted data storage in the old OWASP Top Ten were combined, according to Williams. The sensitive data exposure item focuses development teams on a unified strategy to identify sensitive data and ensure it's always encrypted.

Williams cautions the new Top Ten is only a first step. There is no "right" way to create your application security program, so don't compare cases. The effort should instead focus on your organization's culture and selection of tools and techniques that make the most sense. Then you can measure whether your work is improving application security, and that is the only metric that matters, says Williams.

Join the Discussion