Securing Applications at High Velocity

Wednesday, May 11, 2011

Rafal Los

0a8cae998f9c51e3b3c0ccbaddf521aa

In today's Instant-On Enterprise, applications are spun up faster than ever. 

While this blistering speed of application development and deployment may enable the business to be more agile and responsive to the changing business climate than ever, it creates unparalleled challenges for anyone with security as part of their job description.

An estimate that I've tossed around based on educated conjecture is that the capabilities to test for security defects in technologies is about 18-36 months behind the release of those technologies. 

This means that when a cool, new UI framework is released today, it will likely take 12-18 months for the security community to understand it, find security defects, and build tools to effectively scale the automation of finding these defects on a large scale. 

Whether you agree with me on the length of time, everyone can agree that there is some significant lag time. 

That means that at a minimum there is some time where technology is deployed into your enterprise without the Information Security organization fully being able to understand and identify security defects in that code.

If that scares you, you're not alone. 

I too lose sleep at night to these types of thoughts.  Enterprise security is a topic that reaches far outside the realm of Software Security Assurance and rarely gets much air time on my blog - yet securing 'shiny objects' (a term I affectionately use for the bleeding-edge web technologies developers seem to love) requires a full-scale enterprise security approach. 

When you have to protect a development technology you can't fully understand, sometimes the only method of protection is at the network layer by identifying known attack patterns and accounting for possible mutations. 

Strong network-level technology (*cough* IPS/WAF *cough*) - something we tend to discount heavily in the application security world - may be our only saving grace! 

Identifying attacks, and correlating events turns into a stop-gap while the capabilities around testing and development-level analysis play catch-up ... it's a race against the clock for sure.

So... as your developers start to pick up interest in HTML5, and other types of "shiny objects" type technologies think about how you're going to assess and protect those applications in the break-neck pace of business.

Remember, Software Security Assurance is not a stand-alone concept.  SSA plays a major role in enterprise security, and the technology-based risk. At the end of the business day, it all rolls up into business risk, and that is what your executives care about anyway, right? 

Understanding how these pieces fit together, and how the lagging capabilities of information security can be compensated is key to securing your business in today's "Instant-On Enterprise"...

Good luck!  You know where to go if you need help.

References:

Cross-posted from Following the White Rabbit
Possibly Related Articles:
8902
Webappsec->General
Information Security
Enterprise Security Software Application Security SSA Software Security Assurance HTML5
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.