This is the first in a series of "Ask the Expert" articles where we chat with leaders in the software and application security space. Our first guest is Jeremiah Grossman who founded WhiteHat Security in August 2001. A world-renowned expert in Web security, Jeremiah is a founder of the Web Application Security Consortium (WASC), and was named to InfoWorld's Top 25 CTOs for 2007. He has authored dozens of articles and white papers, is credited with the discovery of many cutting-edge attack and defensive techniques and is a co-author of XSS Attacks: Cross Site Scripting Exploits and Defense.
Jeremiah will be delivering the opening keynote at the SANS AppSec Summit in Las Vegas on April 30. Here are his thoughts on application security.
1) How big is the AppSec problem?
Big, really big. The answer also depends on how you measure. Let's start by looking only at websites, where I specialize, and the total number of them. Right now there are around 677 million on the Internet -- growing at tens of millions per month. Obviously not all of those websites are important from a security perspective, but maybe those supporting SSL are, which is about 1.2 million.
If you are already familiar with application security, then you already know the vast majority of websites contain serious vulnerabilities, whether they support SSL or not. Presently, far more websites and source code are being deployed each month than are being reviewed for security. Web security will progress only when that divide is addressed and eventually changes.
While the precarious state of Web security has been known for some years, it has only been within the last few that the bad guys exploiting these issues have given urgency to the problem. The best way to characterize today's threat is by quoting Verizon's Data Breach Investigations Report (2012): "Web applications abound in many larger companies, and remain a popular (54% of breaches) and successful (39% of records) attack vector."
If we expand the scope to all forms of software, which includes desktop, mobile, Web services, etc., then, like I said, BIG.
2) The software community is made up of a lot of smart people. Why haven't we been able to solve the problem of writing secure software?
It's true. There are a lot of smart software security people out there, but no matter how many exist right now, more are needed -- thousands -- tens of thousands more will be needed.
To provide some context, through his BSIMM research of 35 large software security shops, Gary McGraw (CTO at Cigital) recommends roughly 2% of all programmers should be software security pros. With a world-wide population of 17 million programmers, eventually the industry will need 340,000 software security pros.
I do not believe anyone has a strong idea of what it takes to produce "secure software" and keep it secure while in a business production environment. At least, there's little representative data that supports what security controls actually make a measurable impact on the security posture of an application. All the data available is largely limited and anecdotal. The smart software security people should be able to find a way to make acceptably secure software on a deadline and without breaking the bank, but a lot more research is going to be required.
3) Is the problem solvable? Is it really possible for developers to write secure software? If so, where should developers and businesses start? What are the first changes that they need to make?
If the definition of "secure software" is one in which no vulnerabilities exist, then no, the problem is not solvable. Software will always have bugs, and by extension, security vulnerabilities. This by no means makes the challenge a fool's errand because perfect software is not the goal, nor does it need to be. If the definition of secure software, or secure-enough software, is one which facilitates business with an acceptable level of risk, then the problem is absolutely solvable. The challenge is outcome measurement. We're talking about constantly measuring security postures and mapping those outcomes to security controls relative to the business value being generated.
This process can only be started with buy-in from the business stakeholders. Once security is valued and is required by the business, then for a development team, finding the best place to start becomes easy.