AppSec: How Do You Know Your app is 100% Secure? You Don’t

Insecure applications come with a cost that can be measured in billions of dollars of losses.

I recently spoke with Brook Schoenfield, a distinguished engineer who quietly describes himself as an “Elder AppSec Diplomat,” on the eve of the RSA Conference. Schoenfield is the quintessential walking, talking go-to resource on anything involved with application security (AppSec). When asked about the most important takeaway with respect to AppSec, he replied, “It is impossible to prove software doesn’t have bugs.”

Expanding upon this, he explained the role of technological evolution. Perhaps when an application was launched, it appeared bug-free; six months later, technology advances introduced a previously unknown, undetectable bug that becomes a vulnerability. This highlights the need to ensure applications are continually maintained during their lifespan via dynamic review and testing. Launching an app as a static, one-time action is no longer a viable option.

Attackers are continually sweeping IP addresses to find new machines. The question is not if the machines will be found, it is when they will be found; that could be within the first minute and happens generally within 18 hours. Every device should be considered a target, Schoenfield said.

An offensive strategy in which organizations fight back isn’t a great idea. “Why? Such actions will create bigger problems. Leave the offensive responses to the government, and do not place your company at greater risk,” he said, such as the risk of becoming inadvertently engaged in the Russian cyberwar against Ukraine, especially if your organization is small. The bigger companies like Google, Microsoft and others have the resources to bear the brunt of an onslaught against their corporate infrastructure that most companies could not withstand.

He advised organizations to keep closing the deltas of vulnerability; in doing so, you harden your posture as a target. That could encourage broad-based attacks to move along. In essence, it is transferring risk to those who don’t have a dynamic program in place.

Here is the AppSec dilemma, as explained by a recent blog post on Security Journey. While organizations have covered the basics of having people trained, processes in place and the right technology aligned, the following observations are still true:

  • Ever-evolving security concerns – 59% increase in new vulnerabilities from 2021 to 2022.
  • Growing demands on developers – 51% of developers have 100 times the volume of code they did ten years ago.
  • Lack of security training – None of the top 50 university coding programs require secure coding training.

Developers must bake security into their applications from the get-go. Security can no longer be a luxury or an afterthought, nor should developers rely solely on third-party scanning tools to check their work. The marketplace calls this shift left. This writer calls it common sense.

Christopher Burgess

Christopher Burgess (@burgessct) is a writer, speaker and commentator on security issues. He is a former Senior Security Advisor to Cisco and served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit: Senior Online Safety.
