Who is Erik Peterson
[email protected]
@silvexis (twitter)
silvexis.com (blog)
I am an Application Security Evangelist for Veracode with 15 years of application and information security industry experience and a contributing member of the Cloud Security Alliance. I've worked for the following organizations:
Most of my past has been spent as a product manager for Application & Information Security companies.
What is The Long Con?
• There are 27 dynamic web application security scanning products available today[1]
‣ 17 are commercial products, the rest open source
• Most claim to fully automate the process of finding web vulnerabilities
‣ An educated guess says that all of the Fortune 500 own or use one of these tools
• Yet web sites are still vulnerable, people are still getting hacked, and we don't seem to be any better off
[1] The History of Web Application Scanning Project, http://silvexis.com/research/hwas/
A Never-Ending Battle
A scanning tool has to keep up with two things:
‣ The technology platform (e.g. “standards”)
‣ The attacks and weaknesses
The Web technology platform is moving as fast or faster than the attacks and weaknesses
‣ Other than the web, is there any other area in security technology where the platform has consistently moved faster than the threat landscape?
‣ This is also why web applications are consistently the source of the majority of the defects[1,2]
Nobody can exactly agree on just what a Web Application is
‣ It's a moving target: yesterday it was a collection of web pages, today it's a multi-headed monster
[1] Majority of vulnerabilities found were web vulnerabilities, Veracode State of Software Security Report, Vol. 2
[2] 54% of hacking breaches were targeted at web applications, Verizon Data Breach Investigations Report, 2010
Accept that Automated Crawling is Dead
• Really, it's dead.
• If you are a vendor, stop offering this as a viable option; you are lying to your customers
‣ Using only an automated crawler is just asking for it; demand that the important test cases be recorded
• Ultimately, Web security testing will look a lot like desktop application testing
‣ There is no such thing as an automated crawler for desktop applications
‣ This requires that you get to know the application in advance
‣ BTW, the application owner would be much better at this than you
Figure out how to get out of the testing business
Unless you happen to be in the testing business
• You have 3000 applications; your small team of 3 will never scale[1]
• You want to manage the process, not be the process
• If you or your application development org can't handle security testing, consider a managed security testing service
[1] Actual size of one Fortune 100 company's application security team