In this podcast recorded at RSA Conference 2017, Jason Kent, VP of Web Application Security at Qualys, illustrates how web application security is complex due to the continuously evolving threat landscape, the diverse nature of the web, mobile and IoT applications, and the broad range of systems needed to manage security across them.
Here’s a transcript of the podcast for your convenience.
As we approach the market for web application security, we’ve realized that organizations are having lots of difficulty, not only reining in the numbers of apps that they have, but also being able to easily identify the problems that they have in their application infrastructure, and then being able to fix those problems.
Remediating problems is something that most organizations have a difficult time with. So what we did is we combined a couple of technologies. We wrote some interesting code on our backend in order for us to have an application security assessment done through our web application scanning solution, as well as to correct the problems when we find them. We call this activity ‘virtual patching’: if I find a flaw out on a website, I can easily just go into our backend and say, ‘I want to fix that flaw’, and it will write a custom rule that will apply to that application firewall in one click. This allows you to have time to go remediate these problems.
What we’re seeing in the industry is anybody can find the problems, but not everybody can solve them. And oftentimes, the code that was written for an application was written by a contractor or somebody that’s no longer with the organization. And getting that kind of code remediated is nearly impossible. What we can do is put a stopgap measure in place with a virtual patch and say, ‘Here’s your problem. We’ve found it easily. And now, you can easily fix it.’ And the great thing about the way that we’ve approached this is you can do it at any scale. So, if you have ten thousand applications, you can scan all of them. You no longer have to say, ‘Oh, we only do an annual pen test on our two apps.’ You can look at all of your applications in a very automated way. And it allows you to easily find problems and solve those problems with this virtual patching.
What we’ve been trying to do is figure out where the other places are that applications are hiding. So another piece of the technology that we released this last week is the ability to look at API services and run scans or security assessments against them. And again, we can use the same techniques to virtually patch them.
What we’re seeing is organizations developing applications for mobile infrastructure, for instance, ‘I’ve got a mobile app that allows you to book hotel rooms or get a flight.’ That application is not unlike the website that you would go to. It communicates with their backend and interacts with it, but it does it through API calls. What we’ve – in the past – had trouble with is that those API calls are very bespoke, they’re written for the application, they’re not published anywhere. So, being able to scan these things is nearly impossible. You have to have a human sit down and interact with the application.
What we’re going to do, and what we have done, is allow somebody to interact with the application just one time, give us those endpoints that are out on that REST service, and then we can go test them. And this applies to anybody with a mobile app. IoT organizations have REST backends that everything communicates with, and testing the security of those things is becoming more and more important.
The research that I’ve done in just looking at IoT endpoints and mobile app services has really taken us to the point where we understand the kinds of problems that are out there. Our research teams are focused on looking at more problems, but we need a good automated way to assess all of the infrastructure, no matter if it’s a client application or if it’s a mobile application or a web application, or if it’s communication that’s just computer to computer; all of these things need to be tested. And in order to do that, you’ve got to bring in automation.
And the last piece of it is being able to understand how to remediate problems there. A lot of the security on IoT backends or on mobile app backends is predicated on this concept of, ‘I secure it through my SSL tunnel.’ So, here we go again. We all need to be looking at SSL more closely; we’ve got to figure out how we encrypt those communication channels. If they can be broken, there are tremendous problems that lie right inside of the communication itself.
We’re testing those things as well as the application infrastructure, and what we’re going to be moving toward in the future is, ‘How do we solve this problem at an even greater scale?’ So, ‘How do I drop an automated testing suite into a continuous delivery model, for instance?’ And that’s going to be our focus as we move forward.
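The ‘virtual patching’ idea described in the interview (a scanner finding turned into a narrowly scoped firewall rule that holds until the code itself is fixed) is sketched below as an added example. This is illustrative code written for this page, not Qualys’s product or rule format: the finding records, the per-class detection patterns, the rule structure and the sample requests are all constructed here, and a production WAF rule set would be far more detailed than these regular expressions.

```python
"""Toy 'virtual patch': derive a blocking rule from a scanner finding and
apply it to requests in front of the application.

Added example, not vendor code. Finding format, rule format and the
detection patterns are constructed for illustration only.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Constructed scanner findings: which endpoint, which parameter, which class of flaw.
FINDINGS = [
    {"url": "https://shop.example.test/search", "param": "q", "type": "xss"},
    {"url": "https://shop.example.test/item", "param": "id", "type": "sqli"},
]

# Coarse, hypothetical detection patterns per vulnerability class.  Real WAF
# rule sets are far more thorough; these exist only to make the example run.
PATTERNS = {
    "xss": re.compile(r"<\s*script|javascript:|on\w+\s*=", re.I),
    "sqli": re.compile(r"['\"]\s*(or|and)\s+|union\s+select|--|;", re.I),
}


@dataclass(frozen=True)
class VirtualPatch:
    """A rule scoped to exactly one path and one parameter.

    Keeping the scope this narrow is what makes a virtual patch a stopgap
    rather than a blanket filter: it protects the flaw the scanner found
    without blocking traffic to parameters and paths that were not flagged.
    """
    path: str
    param: str
    vuln_type: str

    def describe(self):
        # Human-readable form for the audit log / change record.
        return f"block {self.vuln_type} payloads in parameter '{self.param}' on {self.path}"


def patch_from_finding(finding):
    """The 'one click': a finding becomes a rule with no hand-written regex."""
    return VirtualPatch(urlparse(finding["url"]).path, finding["param"], finding["type"])


def request_params(url, body=None):
    """Collect query-string and form-body parameters into one mapping."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query, keep_blank_values=True)
    if body:
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return parsed.path, params


def is_blocked(patches, url, body=None):
    """Return the first patch whose scope and pattern match, else None."""
    path, params = request_params(url, body)
    for patch in patches:
        if patch.path != path:
            continue  # different endpoint: this patch does not apply
        for value in params.get(patch.param, []):
            if PATTERNS[patch.vuln_type].search(value):
                return patch
    return None


PATCHES = [patch_from_finding(f) for f in FINDINGS]

if __name__ == "__main__":
    for p in PATCHES:
        print("installed:", p.describe())
    sample = "https://shop.example.test/search?q=<script>alert(1)</script>"
    hit = is_blocked(PATCHES, sample)
    print("blocked by:", hit.describe() if hit else "nothing")
```

The scoping is the point to notice: the same payload sent to a path or parameter the scanner did not flag passes through, and a benign value in the patched parameter also passes. That is the trade-off the speaker describes; the rule buys time for the code fix, it does not replace it.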
Source: Help Net Security – News @ February 27, 2017 at 12:09AM