This morning at RSA, I attended a session on doing application security in a more intelligent way. The presentation, given by Julian Cohen of Flatiron Health, centered on the inadequacies of manual penetration testing. He listed issues such as human error and bias, as well as the tendency to scope projects incorrectly, which leaves much of the application untested.
The comment that most stood out to me was that attackers are no longer disorganized. They strategize and behave like a business. This makes them more effective at finding vulnerabilities than manual penetration testers, who view application security testing as a hobby rather than as a business strategy.
For me, the main takeaway from this session was that our adversaries are motivated, yet they don't have to be. Cybercriminals are still breaching organizations through easy-to-find, easy-to-fix vulnerabilities such as SQL injection and cross-site scripting (XSS). We are making it too easy for them.
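To make the "easy to find and fix" point concrete, here is an added example (mine, not from the post or from the session slides) showing a login lookup written the way SQL injection happens and the way it is fixed, alongside the same before-and-after for reflected XSS. The table, user rows and attacker inputs are constructed for the demonstration and use only the Python standard library.

```python
"""
Added example, not part of the original post: a vulnerable login query and
its parameterized fix, plus an unencoded HTML render and its escaped fix.
Everything here (table, users, payloads) is constructed sample data.
"""
import html
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample table with two made-up accounts, held in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "battery staple")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The classic mistake: attacker-controlled strings are spliced into the
    query text, so a quote character in the input rewrites the WHERE clause."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The fix: the query text is constant and the values are bound as
    parameters, so a quote in the input is treated as data, never as syntax."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def render_vulnerable(name: str) -> str:
    """Reflected XSS: user input lands in the HTML body without encoding."""
    return "<p>Hello, " + name + "</p>"


def render_fixed(name: str) -> str:
    """The fix: contextual output encoding for the HTML body context."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def demo() -> dict:
    """Run each version against a legitimate login and a constructed payload,
    and report whether the attack succeeded against each variant."""
    conn = build_db()
    sqli_payload = "' OR '1'='1"              # constructed attacker input
    xss_payload = "<script>alert(1)</script>"  # constructed attacker input
    return {
        # both versions accept a correct username/password pair
        "legit_vuln": login_vulnerable(conn, "alice", "correct horse"),
        "legit_fixed": login_fixed(conn, "alice", "correct horse"),
        # the tautology bypasses the concatenated query but not the bound one
        "inject_vuln": login_vulnerable(conn, "alice", sqli_payload),
        "inject_fixed": login_fixed(conn, "alice", sqli_payload),
        # the script tag survives raw interpolation but not html.escape
        "xss_vuln": "<script>" in render_vulnerable(xss_payload),
        "xss_fixed": "<script>" in render_fixed(xss_payload),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The vulnerable query turns into `... AND password = '' OR '1'='1'`, and because AND binds tighter than OR the tautology matches every row, so the login succeeds with no valid password. The parameterized version asks the database for a row whose password is literally the payload string, and finds none. The same shape repeats for XSS: the fix is a one-line encoding call at the point where data enters an HTML context, which is what makes these bugs cheap to eliminate once they are found.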
Yes, they are motivated, and the general consensus at RSA this year is that it is a matter of when, not if, you will be breached. However, that does not mean we give up on protection and move on to simply detecting and responding. We still need to protect, and so we should treat application security as a business strategy, a process that reduces risk and raises the effort cybercriminals must spend on your business to the point where it is no longer worth it. Perhaps they will move on to another target, perhaps not. It all depends on their motivation. But at least you didn't make it easy for them.