The truth about Application Security
- From: manu <manu@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 29 May 2007 13:26:02 -0700
There is a problem with Application Security today. It is really in bad shape.
As a security consultant, my customers are software companies that develop products for other companies to use.
Those companies use those products to supply services to their final customers. If there are security issues, those customers are the ones who actually suffer.
Today the awareness of security is rising, but still most people believe that security is somewhere between the OS and the firewall server.
Application Security is unknown and untouched. The result is no surprise. Many products are dangerously insecure; breaches are everywhere.
If you supply a service to a customer, you do not want to raise his awareness of security, especially when you know that you use insecure products.
The result is silence: you know there is a problem, but you do not say or do anything.
As a software developer, you do not want to raise your customers' awareness of security.
You know that for years you have created insecure products, but nobody has to know about this…
To start developing secure products, a great deal of effort is needed. If your customers see that you suddenly invest in security, they will immediately understand that the product they just bought from you is insecure.
The result again is silence: you know there is a problem, but you do not say or do anything.
But attacks happen…
Especially for that issue, the idea of "insurance" was invented.
Instead of dealing with the problem, everybody insures themselves.
The final customer does not want to know that there is a problem. He is happy with the silence around him. If he happens to think about it for a minute, the thought immediately disappears when he is told he is insured.
Let us take the credit card business as an example.
Your credit card number is everywhere! You give it to the guy at the gas station who fuels your car or to the young waitress in the restaurant, not to mention internet shopping…
For that reason they tell you to check your monthly bill.
You know that there are credit card thefts, but there is insurance. We are happy to pay the insurance fee and not deal with the security problem.
Application security is something new.
Nobody really understands it or can tell you exactly how much it will cost.
Application security is not easy, especially when dealing with legacy code.
Application security is a huge challenge for management, architects, developers and testers.
It is no surprise that most management teams decide not to invest in it.
The insurance solution looks much easier and cheaper…
As security professionals we understand that this situation must change.
How to do it? This is a great question for us to answer.
We need to give answers to management when they ask us, "Why bother with Application Security when we are insured?"
And then there is standardization.
Today there is no clear standard that can identify a properly secured application.
If a customer wants to demand a secure product from a vendor, he has to understand the mechanics of security. With standardization he can just demand a product that follows the standard.
Standardization will bring a huge push to the application security issue.
I believe that when a proper application security standard exists, we will see many organizations demanding that vendors develop applications that comply with it.
There is a lot to do.
So let us get to work.
manu