I think it’s sort of human nature to be uncomfortable with the unknown and with the things that aren’t under our control. That might be one of the reasons so many software quality professionals try to skate around doing security testing. Obviously there are other factors – getting caught up in pressing functionality or usability issues for one – but I think security is secretly scary for some of us. That fear is probably tied mostly to the number of aspects of application security that are out of our own reach.
The security of the application code is by no means the only thing that affects how secure an enterprise application is perceived to be. Three other major factors include network security issues, insecure cloud services, and vulnerabilities lurking in Web and mobile client applications. Coincidentally, SearchSoftwareQuality.com just posted three expert answers to questions on these very topics from enterprise, Web, and information security guru Kevin Beaver.
Beaver explained that network issues are well understood and that, because they are seen as a problem that’s already been solved, they sometimes don’t get enough attention. “Although I find fewer vulnerabilities below [the application layer],” Beaver said, “they still exist and are often waiting to be exploited.”
Beaver says there are often security problems with databases, weak passwords, gaps in malware protection, misconfigured firewalls, and a lack of both insight and oversight into security events. These are all problems that pop up because network security pros are human, just like the rest of us, so they sometimes make mistakes. Beaver points out that it’s not the development team’s job to fix the network, just as it’s not the network folks’ job to develop and test the applications. But we can still help keep network security on the radar – and, more importantly, development teams should focus on making the application security layer as strong as possible.
Similarly, when cloud computing resources get introduced into enterprise applications, the development team loses some portion of their ability to ensure the app is secure. This might give you a creepy feeling when it comes to security testing, and Beaver wouldn’t blame you. However, you don’t necessarily have to give up on security once cloud resources come into the picture.
Beaver says when it comes to securing applications in the cloud, it’s important to keep the right focus. First, security testers will want to apply the 20/80 rule to their testing effort: find the 20% of your vulnerabilities that are likely to result in 80% of your problems and focus most of your energy there. Check out the widely recognized top-ten lists for threats. Common vulnerabilities make it onto those lists for a reason – they’ve already caused some trouble and are likely to cause more.
On the other side of the coin, mobile applications can be directly under the development team’s control – unless mobile projects are all outsourced – but the field is so new that many of the threats aren’t well defined yet. “Web application security is a relatively new frontier,” Beaver admits, “but mobile app security is entirely new.”
The areas Beaver points to for mobile app security include input validation, session management, encryption, and authentication. These are probably familiar concepts if you’re used to Web security testing, but Beaver says that mobile testing is another ballgame because you can’t run traditional testing tools on the mobile devices. Beaver says the tools and techniques for testing mobile application security are often unfamiliar to Web-based testing folks. Still, Beaver says – even in the newest devices and browsers – “Just stay true to the basics we’ve known all along: finding and fixing the basic flaws can provide a ton of value.”
I hope that, if there are folks reading this who were tentative about digging into application security, it gives them a place to dig in their feet and get started. So until next time, remember to fix the bugs you have the power to fix, work around the bugs you can’t, and be smart about figuring out the difference.