The truth about Application Security
There is a problem with Application Security today. It is really in bad shape.
As a security consultant, my customers are software companies that develop products for other companies to use.
Those companies use those products to supply services to their final customers. If there are security issues, those final customers are the ones who actually suffer.
Today awareness of security is rising, but most people still believe that security lives somewhere between the OS and the firewall server. Application Security is unknown and untouched. The result is no surprise: many products are dangerously insecure, and breaches are everywhere.
If you supply a service to a customer, you do not want to raise his awareness of security, especially when you know that you use insecure products.
The result is silence: you know there is a problem, but you do not say or do anything.
As a software developer, you do not want to raise your customers' awareness of security either.
You know that for years you have created insecure products, but nobody has to know about this…
Starting to develop secure products takes a great deal of effort. If your customers see that you are suddenly investing in security, they will immediately understand that the product they just bought from you is insecure.
The result again is silence: you know there is a problem, but you do not say or do anything.
But attacks happen…
It is precisely for that issue that the idea of "insurance" was invented.
Instead of dealing with the problem, everybody insures themselves.
The final customer does not want to know that there is a problem. He is happy with the silence around him. If he happens to think about it for a minute, the thought immediately disappears when he is told he is insured.
Let us take the credit card business as an example.
Your credit card number is everywhere! You give it to the guy at the gas station when he fuels your car, or to the young waitress in the restaurant, not to mention internet shopping…
For that reason they tell you to check your monthly bill.
You know that there are credit card thefts, but there is insurance. We are happy to pay the insurance fee rather than deal with the security problem.
Application security is something new.
Nobody really understands it or can tell you exactly how much it will cost.
Application security is not easy, especially when dealing with legacy code.
Application security is a huge challenge for management, architects, developers and testers.
It is no surprise that most management teams decide not to invest in it.
The insurance solution looks much easier and cheaper…
As security professionals we understand that this situation must change.
How do we do it? That is a great question for us to answer.
We need to have answers ready for management when they ask us, "Why bother with Application Security when we are insured?"
And then there is standardization.
Today there is no clear standard that can identify a properly secured application.
If a customer wants to demand a secure product from a vendor, he has to understand the mechanics of security. With standardization, he can simply demand a product that follows the standard.
Standardization will bring a huge push to the application security issue.
I believe that once a proper application security standard exists, we will see many organizations demanding that vendors develop applications that comply with it.
There is a lot to do.
So let us get to work.