Podcast

From inception to testing

Categories: Application Management, Security

Participating Companies: Enterprise Management Associates (EMA), Fortify, CODENOMICON, IBM, VERACODE, INC.

Participating Analysts: Scott Crawford, Roger Thornton, Ari Takanen, Ryan Berg, Chris Eng

For years the IT industry has focused on security at the level of the network, the operating system or the user endpoint. While there are still a great many truly pernicious threats targeting the user today, application vulnerabilities are increasingly being exploited; the recent Twitter cross-site scripting worm is a perfect example.

Chris Eng (Veracode): Simply put, the traditional perimeter doesn’t exist anymore. You can’t solve everything at the network layer because you have to allow traffic to reach the applications, particularly the web applications, in order to conduct business. The frightening thing about application security is that most developers don’t understand secure coding and most of them have no incentive to learn about it. Even for the ones who do, the only thing they’re being held accountable for is functionality and time to market, so it’s not surprising that security isn’t top of mind when they’re churning out a new feature.

Roger Thornton (Fortify): Back in the 70s and 80s, when organizations started to network things, there was a network security problem, and it was trivial to log into the network. If there was direct access to your network and the machines on your network, then it would be very easy to steal all your data. But over the last 20 or 30 years we’ve done a good job, to the point where breaching the network directly and logging into the computers on your network is really tough, unless you’ve made a bad mistake. But if you think about it, as Chris mentioned, the networks and the machines themselves need to allow access to software programmes.

Ari Takanen (Codenomicon): If you look at application security I think that, especially with our background, the biggest challenge is to understand what application means. When we look at testing, the service delivery platform people are actually worried about applications built on top of social media, email and instant messaging besides pure web applications. For example, in telecommunications and especially mobile communications, next generation systems like VoIP come with a wide range of XML-based services and applications that are now tailored to enterprise needs. Then of course the latest trend which is even more critical today is all those applications that are downloaded to mobile devices. So application security today comes with much more complex technologies, including XML-based communications, client side code, and lots of new challenges that didn’t exist only two years ago.

Ryan Berg (IBM Rational): Software has been ubiquitous. We like to say that software is the invisible thread that ties all these components together. You look at IBM; smarter planet and smart grid—these are old legacy systems. Normally, when you go home at night, you expect the power to be on so you can plug something in and there will be power. The smart grid allows you to put data back into the grid. Right now I’m not just a consumer of power; I’m a producer of power. I need to be able to connect my power system back into the grid, so it’s not just data or power pulling one way—now I have information flowing both ways. And it’s that mutual communication of data that allows all these security weaknesses to occur. The minute you allow someone to have access to your internal systems there are a lot of attacks. So software has become very ubiquitous and it’s the invisible thread that ties all these things together that makes it the new platform for attack.

© 2010 IMI Publishing Ltd