Will we trade freedom for application security?

Application security is a hot and huge field. At OWASP, Dan Geer gave the keynote speech 'Application Security Matters' in which he discussed the many problems and proposed solutions to secure software that we are critically dependent upon for almost every aspect of life.

Without applications, why would you get online? What could you do? Even in the real world, there is very little we could purchase that couldn't be traced back to software that is running it. Apps are everywhere, from the smartphone to the smart grid. The world has a "critical dependence" on applications, but only too often those apps are riddled with security vulnerabilities and shoddy or bloated code. According to Verizon's 2012 Data Breach Investigations Report [PDF]: "Web applications abound in many larger companies, and remain a popular (54% of breaches) and successful (39% of records) attack vector." That data loss is also silent failure in part due to "digital physics." As security guru Dan Geer pointed out, "If I steal your data, then you still have them, unlike when I steal your underpants."

Once upon a time Geer presented a paper called "CyberInsecurity: The Cost of Monopoly"; it argued that "Microsoft's dominance of desktop computer operating systems is a threat to national security." It also cost Geer his job when the paper went public. But now Geer is the information security chief at CIA investment arm In-Q-Tel. At the recent Open Web Application Security Project (OWASP) AppSec conference in DC, Geer gave the keynote speech Application Security Matters.

As we've seen again and again, it doesn't work well to wait and bolt security onto applications after finding out if the software is a big selling success. "Applications," Geer stated, "are the skin on the data -- some more erotic than others," but the Internet was not designed for security and neither were most apps. The end-to-end principle "was the single most important technical decision made in building out the Internet." However Geer suggested that perhaps end-to-end should be reframed as trust-to-trust. "What began as 'You're OK, I'm OK, but the network is dangerous' has become 'I hope I'm OK, I have to assume that you are hosed, and the network may make this worse'."

He added:

The present day drumbeat to put control policy into the network fabric itself is so blatantly stupid that it isn't even wrong. Those who propose making the network itself contain security policy are just another breed of Communists, this time with the effete subtlety that neither our Chief Executive nor our Congress has to nationalize critical infrastructure, they just have to deputize it, by force and in private.

Too often poor and bloated code is a real issue in application security since programmers unnecessarily link to entire libraries. In 2011, the average size of a web page increased by 25% and the average size of JavaScript grew 45%. Geer added that "because security is not composable (and may never be), be very careful where the code you reuse comes from. Every time I see a page larded up with more domains than I have fingers, I plan never to visit them again."
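Geer's "more domains than I have fingers" test is easy to automate. The script below is an added illustration, not code from the post or from Geer: it parses an HTML page, resolves every script, stylesheet, iframe and image reference, and reports which third-party registrable domains the page depends on, separating the ones that deliver executable code (script and iframe) from passive content. The sample page, the `example.*` hostnames and the function names are constructed for this example; `registrable_domain` uses a simplistic last-two-labels rule where production code would consult the public suffix list.

```python
"""Inventory the third-party domains a web page pulls code and content from.

Added example; the sample page and all example.* hosts are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs through which a page loads external resources.
RESOURCE_ATTRS = {
    "script": "src",   # executable code
    "iframe": "src",   # executable code (a whole embedded document)
    "link": "href",    # stylesheets, fonts, preloads
    "img": "src",      # passive content
}
CODE_TAGS = {"script", "iframe"}


def registrable_domain(host):
    """Collapse a hostname to its last two labels (simplistic; no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class ResourceCollector(HTMLParser):
    """Records (tag, absolute URL) for every resource-loading start tag."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if value:
            # Relative and scheme-relative ("//host/x") references resolve against the page.
            self.resources.append((tag, urljoin(self.page_url, value)))


def audit_third_parties(html, page_url):
    """Return {third-party registrable domain: sorted list of tags that load from it}."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    own = registrable_domain(urlsplit(page_url).hostname or "")
    found = {}
    for tag, url in collector.resources:
        host = urlsplit(url).hostname
        if not host:
            continue  # data:, javascript:, blob: URIs carry no host
        domain = registrable_domain(host)
        if domain != own:
            found.setdefault(domain, set()).add(tag)
    return {domain: sorted(tags) for domain, tags in found.items()}


def code_serving_domains(html, page_url):
    """Third-party domains that can run code in the page (script or iframe)."""
    audit = audit_third_parties(html, page_url)
    return sorted(d for d, tags in audit.items() if CODE_TAGS & set(tags))


# Constructed sample page: two first-party hosts plus several outside domains.
SAMPLE_URL = "https://www.example.com/index.html"
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="https://fonts.example.net/font.css">
  <script src="/js/app.js"></script>
  <script src="//static.example.com/vendor.js"></script>
  <script src="https://cdn.example.net/lib.js"></script>
  <script src="https://analytics.example.org/tag.js"></script>
</head><body>
  <iframe src="https://ads.example.org/frame"></iframe>
  <img src="https://pixel.example.info/1x1.gif">
  <img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
</body></html>
"""

if __name__ == "__main__":
    for domain, tags in sorted(audit_third_parties(SAMPLE_HTML, SAMPLE_URL).items()):
        print(f"{domain:20} {', '.join(tags)}")
    print("code-serving:", code_serving_domains(SAMPLE_HTML, SAMPLE_URL))
```

On the sample page the first-party `www.example.com` and `static.example.com` references are ignored, the `data:` image has no host and is skipped, and three outside domains remain, two of which (`example.net` and `example.org`) can execute code in the page. Run against a real page fetched with any HTTP client, the code-serving list is the set of parties whose compromise becomes your compromise, which is the composability problem Geer describes.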

As Brian Kernighan, the co-inventor of C, said: "Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it."

Some people, like Joshua Corman, Director of Security Intelligence for Akamai Technologies, believe "Security is Dead, Long Live Rugged DevOps IT at Ludicrous Speed." The theory behind DevOps is "that all elements of a technology infrastructure can be controlled through code." If you are a code junkie, but also security-minded, app security is a red-hot field. Cigital CTO Gary McGraw advised, "With a world-wide population of 17 million programmers, eventually the industry will need 340,000 software security pros."

Geer mentioned that some folks believe the Software as a Service (SaaS) model may be a better approach to security since instead of asking users to update software - "you can just force it down their throat. Think of that as fluoridating the water supply instead of begging people to not eat sweets." He stated, "SaaS can single-handedly demote the decompiler as the best attack tool and put the fuzzer in its place."

Yet Geer also referenced Cory Doctorow's keynote at the 28th Chaos Communication Congress about geeks under fire in the coming war where all control over computing devices will be taken from us. What is the net but an ecosystem of apps? "Security is about control and governments everywhere want more of it." When that control is taken from us, Geer said, "Let me remind you that this is absolutely an example of trading freedom for security and if you are widely read, then you will have absolutely zero confusion as to how that trade will eventually play out whether your muse is Benjamin Franklin, Emiliano Zapata, or Edward Gibbon."

There may be varying opinions on how to best approach application security, but most experts agree it's a huge problem. Jeremiah Grossman, who founded WhiteHat Security in August 2001, said the AppSec problem is "Big, really big." Chenxi Wang, Vice President and Principal Analyst at Forrester Research, told SANS Institute "In my opinion, application security is the number one problem in the security industry today. Doesn't matter how good your security processes are, if you have one critical vulnerability in your code, all bets are off."

Apps are everywhere; in the smartphone market we've seen developers too often ask for overreaching permissions that the app doesn't need other than for spying purposes, paving the way to more vulnerabilities and more users at risk. And McAfee recently reported on finding 15 malicious apps in the Japanese Google Play market which were downloaded by at least 70,000 people.

If you are interested in being a software security professional, then when applying security to applications please do keep in mind what Geer and extremely wise people before him said:

Benjamin Franklin: "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."

Emiliano Zapata: "Better to die on one's feet than to live on one's knees."

Edward Gibbon: "In the end, more than freedom, they wanted security. They wanted a comfortable life, and they lost it all -- security, comfort, and freedom. When the Athenians finally wanted not to give to society but for society to give to them, when the freedom they wished for most was freedom from responsibility, then Athens ceased to be free and was never free again."

Follow me on Twitter @PrivacyFanatic