The push for more and better application security bumps up against another trend: data ambition.


North America’s information security royalty will be in San Francisco next week for The RSA Security Conference. It’s the security industry’s biggest, annual conference. And, like the information security industry itself, RSA is booming.

The topic of application security – a side-discussion ten years ago – now warrants its own, separate track at RSA. That’s a good thing. High visibility at RSA sends a message that application security is an important area that warrants attention from investors and from larger technology firms that might otherwise sniff out some black-box “magic bullet” security story.

But the discussion of application security that will take place at RSA is changing also, to reflect what I would call a subtle but radical change in the way that software is created and delivered.

Though estimates vary, there is agreement that the next decade will see billions (tens of billions? Hundreds of billions?) of Internet-enabled devices come online, the vast majority of which will look nothing like the desktop PCs, laptops and servers that dominated the Internet landscape in the last 20 years. Already, those software-powered devices are proving themselves to be just as unreliable as the Windows-based desktops and servers of the last twenty years – if not more so.

Some examples? On my blog this week, I reported on research by the security firm IOActive about serious security holes affecting WeMo home automation products from Belkin, including poor design and implementation of SSL that could allow anyone to impersonate Belkin’s cloud-based management servers and remotely control WeMo devices in a home. Also this week, the security firm Rapid7 warned of a point-and-click exploit for a long-patched vulnerability in Android’s WebView programming interface that could allow attackers to take control of a healthy chunk of all deployed Android mobile devices.

The message: software application development is happening across a much wider population of platforms, while software powered devices are cropping up in unexpected ways in both homes and workplaces.

However, few of the hard-learned lessons of the last decade appear to be making the journey. After its software became synonymous with worms and viruses, Microsoft poured billions into hardening its operating system and making technologies like Address Space Layout Randomization and Data Execution Protection standard fare on Windows. Microsoft’s Windows still runs most of the world’s computers. But aspiring hackers today are far more likely to poke around non-Windows systems, including mobile OSs like Android and iOS and embedded devices, especially when smart device makers see fit to launch poorly secured, loosely configured Linux devices (with cloud back-ends) into the mass market and hope that nobody notices.

Why is that? Writing this week on IOActive’s blog, researcher Cesar Cerrudo blamed what he termed “data ambition” for increasing the attack surface of smart devices.

For example, Cerrudo notes that smart device makers such as NEST often force management of remotely deployed devices to be routed through their ‘vendor cloud,’ rather than allowing customers to connect directly to and manage their devices locally. That provides the device maker with a wealth of information about how its customers interact with its product. However, it also creates a huge target for malicious actors, as hacking the vendor’s cloud would give an attacker access to thousands or tens of thousands of devices and customer information.

RSA hasn’t fully embraced the shift, but there are a few talks worth seeking out where experts will be discussing issues that I think are germane to where the application security conversation is going.

  • Ryan Berg, the CSO of the firm Sonatype, will give a talk on Thursday titled “The Game of Hide and Seek, Hidden Risks in Modern Software Development.” Berg notes that modern software development is heavily component-ized, resulting in software that is more “assembled than built.” Among other things, Berg will be talking about research he’s done into global software supply chain risks and how to adapt standard infosec approaches to the new world of modular, outsourced software development.
  • Panel: “Evaluating the Security of Purchased Software: Can We Find Common Ground?” I’d be remiss if I didn’t also call attention to the session on assessing the security of third-party software. This panel, which features Veracode’s own Chris Wysopal, will echo some of the same issues we raised in our discussion of software security, Talking Code. The issues facing organizations that consume software – including software as a service – are complex. Chris will be joined by Howard Schmidt of Ridge-Schmidt Cyber (former White House cyber security czar), Steven Lipner, Microsoft’s Director of Software Security, Nadya Bartol, the Senior Cybersecurity Strategist at the Utilities Telecom Council, and Eric Baize, the senior director of EMC’s Product Security Office.

About Paul Roberts

Paul Roberts is an experienced technology writer and editor who has spent the last decade covering hacking, cyber threats, and information technology security, including senior positions as a writer, editor and industry analyst. His work has appeared on NPR’s Marketplace Tech Report, The Boston Globe, Fortune Small Business, as well as ZDNet, Computerworld, InfoWorld, eWeek, CIO, CSO and He was, yes, a guest on The Oprah Show – but that’s a long story. You can follow Paul on Twitter here or visit his website The Security Ledger.
