At RSA this year, Howard Anderson, News Editor for the Information Security Media Group interviewed Chris Wysopal, CA Veracode CISO and Co-Founder. In the interview, Chris talked about application security, the future of AppSec, and what he believes to be the next major hot topic in this space. Chris also outlined why organizations now need their comprehensive data leakage protection programs to include application security.
View the podcast below.
We also added in some key highlights of the interview.
Q: What do you think is the hot topic on the application security arena?
Chris: One of the things that I am really focusing on, because I think it’s an area of a lot of unknowns with risks and a lot of growth, is mobile app security. We’re starting to see enterprises build their own apps that access really sensitive data within the organization. Things internal applications used to manage like financial data, healthcare data, patient data, are now being extended out to iPods, iPads, Androids, and devices that are leaving the organization. When this happens, there’s a chance that there are other apps that are outside the control of the company running on those devices, which could be malicious or have vulnerabilities. We are trying to figure out what is the real risk there and what are good solutions.
Q: Is application security sometimes an afterthought or a secondary priority?
Chris: Yes, it really is because it’s more of a new paradigm. Perimeter security really was the first security we saw, then we saw network security and network intrusion detection, and then we saw host based security with anti-virus, and all kinds of host and endpoint security. Now those things are working, and in general, they are doing what they were meant to do, but we are still seeing attackers bypass them and they are going directly to the applications because you have to go to an application to get data, so the attackers have clamped on to this as an attack method to get at what they want. Companies are waking up to that and beginning to realize that they need to actually fix the code in the applications.
Q: What’s it going to take to put application security on the list of priorities for organizations?
Chris: It’s been creeping up – I’ve seen some questions to CIO’s or CISO’s that say it’s up near number four now. Number one is data leakage protection (DLP) which I think is good because that’s the major problem we’re seeing right now, whether its PII data or its intellectual property data, but you can’t have data leakage protection without application security. Typically the way it works is you’re granting applications access to the data because that’s how the data is managed, updated, viewed, and reported on, so if an attacker can find a vulnerability in the application they can typically bypass any kind of DLP controls. So I don’t think you can have a full DLP program without covering all the bases where you might have data leakage. So you have to have laptop encryption, you have to have device controls, but you also are going to have make sure that your applications don’t have easy to exploit vulnerabilities.
Q: How do you think application security will look in a couple of years?
Chris: I think the big change is it's going to become programmatic. A lot of companies do it on a few critical applications, for a compliance reason like PCI, and retailers do application security on things that take credit cards. In future, it’s going to be part of the software development process, part of acquiring software, part of deploying software, that you have some level of application security testing in that process.