This is the second in a series of "Ask the Expert" articles where we chat with leaders in the software development and application security space. Our guest is Chenxi Wang, Ph.D., who is Vice President and Principal Analyst at Forrester Research. A leading expert on content security, application security, and vulnerability management, Chenxi leads the effort at Forrester to build the application security and Web 2.0 security research portfolio.
Chenxi will be delivering the keynote at the SANS AppSec Summit in Las Vegas on May 1. Here are her thoughts on application security.
1) How big is the AppSec problem that we are all facing today?
In my opinion, application security is the number one problem in the security industry today. It doesn't matter how good your security processes are: if you have one critical vulnerability in your code, all bets are off. Until we can consistently produce better and more secure code, the security problem will not get fundamentally better.
So, in short, the AppSec problem is huge and is one of the most under-rated aspects of computer security.
2) The software community is made up of a lot of smart people. Why haven't we been able to solve the problem of writing secure software?
It's an economics problem. Until software consumers are willing to pay more for secure code, software producers will not invest significant resources. Think about it: the most brilliant technology minds of our generation are working on how to better serve ads to users, simply because the Internet advertising market is a huge market and still remains largely untapped.
3) Is the problem solvable? Is it really possible for developers to write secure software? If so, where should developers and businesses start? What are the first changes that they need to make?
I believe the problem is solvable, but not without significant changes to mentality, processes, and technologies. I believe the most efficient place to start is for companies to establish the right processes and incentive structures to foster behaviors towards generating secure software artifacts. This includes having the right collaboration structure (a small, elite set of software security experts working with a satellite group of associates who are software engineers themselves), processes and gatekeeper functions to adopt software security measures in development.
I also think current technologies have a lot of room for improvement. Innovations are needed to make automated analysis technologies more precise and more accessible to developers.