Boards need to get behind application security, says Owasp

CISOs are becoming more concerned about web application security, but there is still a long way to go, says Owasp

Chief information security officers (CISOs) are more concerned about web application security than in the past, but this area of security is still immature, says the Open Web Application Security Project (Owasp).

“Application security as a concept has been around for little over 10 years and still has a long way to go,” said Justin Clarke, Owasp London Chapter leader and director at Gotham Digital Science.

“CISOs are becoming more aware, and Owasp is focusing on providing guidance for them, but application security still needs to be understood and tackled at the board level,” he told Computer Weekly.

While network security is well-understood and well-funded, information security professionals struggle to make a business case for web application security because it is difficult to quantify the risk.

However, Owasp and a growing number of security industry specialists recognise that web application exploits are relatively easy with readily available tools, making them a popular entry point for attackers.

Information security professionals struggle to make a business case for web application security because it is difficult to quantify the risk

Owasp is a non-profit, volunteer organisation that was set up in 2001 to help make web applications secure by educating users, developers, governments and business leaders.

“Our mission is to make as many people as possible aware that there are tools and techniques businesses can use to ensure they avoid common security pitfalls in web applications,” said Clarke.

Security must race to keep up with technology advances

However, despite Owasp’s efforts, web application security remains a challenge in many organisations for several reasons.

“The main problem is the fact that technology is moving so fast that most developers and organisations struggle to keep up,” said Clarke.

“Since 2001, the web application market has grown exponentially and the security challenges have been further increased with the move to mobile platforms and the advent of the cloud,” he said.

Clarke said an increasing number of web applications need to be able to accept HTML5 or rich content, and to do that securely is “really difficult” which is why even large organisations struggle to get it right.

Added to that is the constant commercial pressure to be first to market with new types of web-based products and services.

Consequently, key performance indicators tend to be based on speed of innovation, with little or no incentives linked to data security.

“Most organisations have also abandoned traditional waterfall models of software development for agile approaches, but this makes involving security teams much more difficult,” said Clarke.

More about web application security

While the largest of organisations typically have enough security experts to draw upon, smaller organisations struggle to get the required expertise within their agile development teams.

“If bridges were built the way a lot of software is built, an awful lot of them would fall down,” said Clarke.

“This is often because IT systems evolve over time and end up being made up of half a dozen things cobbled together as requirements change and functionality is added,” he said.

Although Owasp is aimed at educating developers on web application security, Clarke believes one way forward is application development frameworks that prevent developers from creating insecure code.

Ideally, he said, frameworks should take care of the difficult things so that developers are not tempted to take the easier, faster route to get things done, which is also often the riskier way of doing things.

“Already, there are a few islands of progress where organisations or communities have standardised on custom-built or open source platforms like Microsoft’s LINQ to SQL and Hibernate,” said Clarke.

Such platforms make it difficult to write code that is vulnerable to things like SQL injection or cross-site scripting (XSS) attacks, which feature in Owasp’s top 10 most critical web application security risks.

“The problem is that use of such frameworks is in isolated pockets and there is no central way of pushing them out or driving adoption,” said Clarke.

Share information across teams

Owasp believes another way of tackling the problem is to ensure that the security practitioners and developers learn to communicate with each other more regularly.

“Owasp’s AppSec conferences are the only ones that engage both security professionals and those who build software, and is aimed at getting together those who should be talking to each other,” said Clarke.

In 2014, AppSec Europe is to be held in the UK for the first time in seven years and is scheduled to take place at Anglia Ruskin University, Cambridge, from 23-26 June.

Speakers include Steven Murdoch of the University of Cambridge Computer Laboratory, Wendy Seltzer of the World Wide Web Consortium and Lorenzo Cavallaro of Royal Holloway, University of London.

“The AppSec conferences have become the focus for the industry to hear from the world’s leading experts, harness expert knowledge and stay abreast of the latest technology developments,” said Clarke.

Some of the presentations will discuss the vulnerabilities highlighted in Owasp's recently compiled list of the top 10 methods of breaking into web applications.

These include SQL injection, used by hackers to target Vodafone Iceland; cross-site scripting (XSS), which left Microsoft Office 365 open to attack; open redirects, which presents issues for Facebook; and insecure direct object references, which saw Yahoo's servers open to root access.

“Like the government’s recently launched Cyber Essentials Scheme, the Owasp Top 10 document is aimed at encouraging organisations to take the first step,” said Clarke.

“Those organisations that are getting their arms around this issue are managing and reducing the risk, but my main concern is about those who have yet to take the first step,” he said.

Read more on Web application security