Looking at What Makes Good Application Security Knowledge

It’s always interesting reading about larger-scale fraud like the recent Bank of Queensland case. You wonder in cases like this: had the accused pulled the pin earlier, would he ever have been caught? And you wonder how many do get away with it, stopping before the obvious alarm bells start to ring.

What is "security" trying to protect you against?


There’s no generic solution/strategy for fraud detection to critique, as each organisation addresses it’s own internal security and risk management practices differently, but there is a scary pattern of misguided thought in regards to securing systems and actually defending against, and detecting fraud. It’s "security" by definition but are many blinkered in regards to what the full definition of "security" encompasses? I think so.

Many in the security industry are focused, to the point of obsession, on vulnerabilities and technical attack vectors alone (new attack type X, new attack type Y; generally old techniques re-invented in different ways, but promoted as the next big thing by many in the industry). It is a narrow view that stops at the technical exploit. That is not where the role of a security professional should stop. Read on:

If it stopped there, we’d never be able to stop a lot of breaches, frauds and "non-policy" behaviour. (And in a lot of cases we’re not stopping them now, are we?) But many in our industry behave as if, and promote, the "technical" side as the be-all and end-all, and then just want to sell you things that may (but generally do not) stop the "technical" side of things.

Have a think about that. Seriously. What a load of BS!

I keep re-linking to this post about Application Security Reviews. I do it for a reason. If you have read through this post and the link(s) in it, you’ll know what I am talking about. I won’t repeat what I have discussed in the links; have a read again. We’re not going to stop fraud and malicious activity with that narrow view of what "Application Security" and "Security" in general are. It just makes no sense.

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Building a Web Application Security Program
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

"Systems" view vs "Application" view: a holistic view and strategy is key.

Let’s look at "Application Security". You can vulnerability test, penetration test, security test, run application scanners, whatever you want to call it, but does that give you a decent level of confidence that you know where your issues lie, so that you can prevent fraud and protect your business? Will fixing the problems identified by this type of testing make your organisation more secure? Yes, to a small degree. BUT, what is "security" trying to protect you against? You’ve done this type of testing, but what about:

– Security Architecture; System Development, System Management
– User Administration and Review; Logical Access, Access Controls, Access Review, Segregation of Duties
– Application Administration and Usage; System Maintenance
– System Security; Network Security, Integrity, Confidentiality, Availability, Non-Repudiation, Physical Security, Third Party and External Connections
– Security Logging and Monitoring; Audit Logs, Monitoring
– System Maintenance and Support; System Access, Change Control
– Handling and Storage of Information and BCP; Backup and Storage, Business Continuity Planning, Destruction of Data
– Legal and Regulatory
– Exception to Policies and Standards; Non-compliance Scenarios

If you’re not covering these areas as a minimum in your application/systems security reviews, you’ll fail and remain wide open to fraud and business risk.
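Two of the review areas above, User Administration and Review (Logical Access, Access Review, Segregation of Duties) and Security Logging and Monitoring (Audit Logs, Monitoring), are things you can actually run against an application's own data, and they catch exactly the kind of activity a penetration test never sees because the application is working as designed. The block below is an added example, not code from the original post or from Securus Global. The entitlement export, the toxic-role policy and the JSON-lines audit log are all constructed for illustration and the field names are assumed; a real review would pull them from the application's user administration and audit log exports.

```python
"""Access review and audit-log monitoring checks for a payments application.

Added example with constructed data.  Four checks are implemented:
  1. entitlement_sod_violations  - standing entitlements that combine roles
                                   policy says one person must never hold
  2. activity_sod_violations     - payments created and approved by the same user
  3. unauthorised_actions        - actions the application allowed although the
                                   user's entitlements should not permit them
  4. dormant_entitlements        - entitled users who never appear in the log
"""
import json
from collections import defaultdict

# Constructed entitlement export (assumed format): user -> set of roles.
ENTITLEMENTS = {
    "alice": {"payments.create", "payments.approve"},   # toxic combination
    "bob":   {"payments.create"},
    "carol": {"payments.approve"},
    "dave":  {"payments.create"},                       # no activity at all
}

# Assumed policy: role pairs that one person must never hold together.
TOXIC_COMBINATIONS = [
    ("payments.create", "payments.approve"),
]

# Constructed audit log, one JSON object per line (assumed schema).
AUDIT_LOG = """\
{"ts": "2010-01-20T09:01:00", "user": "bob",   "action": "payments.create",  "payment": "P-1001", "amount": 4800}
{"ts": "2010-01-20T09:05:00", "user": "carol", "action": "payments.approve", "payment": "P-1001"}
{"ts": "2010-01-20T10:12:00", "user": "alice", "action": "payments.create",  "payment": "P-1002", "amount": 9950}
{"ts": "2010-01-20T10:13:00", "user": "alice", "action": "payments.approve", "payment": "P-1002"}
{"ts": "2010-01-21T16:40:00", "user": "bob",   "action": "payments.create",  "payment": "P-1003", "amount": 9990}
{"ts": "2010-01-21T16:41:00", "user": "bob",   "action": "payments.approve", "payment": "P-1003"}
"""


def parse_log(text):
    """Parse a JSON-lines audit log into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def entitlement_sod_violations(entitlements, toxic=TOXIC_COMBINATIONS):
    """Access review: users whose standing entitlements contain a toxic role
    combination.  This is a finding even if the user has never used both roles."""
    findings = {}
    for user, roles in entitlements.items():
        hits = [pair for pair in toxic if set(pair) <= roles]
        if hits:
            findings[user] = hits
    return findings


def activity_sod_violations(events):
    """Log monitoring: payments where the same user both created and approved."""
    actors = defaultdict(dict)          # payment id -> {action: user}
    for ev in events:
        actors[ev["payment"]][ev["action"]] = ev["user"]
    return sorted(
        (payment, acts["payments.create"])
        for payment, acts in actors.items()
        if "payments.create" in acts
        and acts.get("payments.approve") == acts["payments.create"]
    )


def unauthorised_actions(events, entitlements):
    """Log monitoring cross-checked against entitlements: actions the application
    allowed although the user's roles should not permit them.  A hit here is
    evidence of a broken access control that a scanner would not report, because
    the request succeeded just as the application intended."""
    return [
        (ev["user"], ev["action"], ev["payment"])
        for ev in events
        if ev["action"] not in entitlements.get(ev["user"], set())
    ]


def dormant_entitlements(events, entitlements):
    """Access review: entitled users with no activity in the log window, i.e.
    candidates for removal (leavers, movers, forgotten service accounts)."""
    active = {ev["user"] for ev in events}
    return {user for user in entitlements if user not in active}


if __name__ == "__main__":
    events = parse_log(AUDIT_LOG)
    print("Toxic entitlements :", entitlement_sod_violations(ENTITLEMENTS))
    print("SoD bypass in log  :", activity_sod_violations(events))
    print("Unauthorised action:", unauthorised_actions(events, ENTITLEMENTS))
    print("Dormant accounts   :", dormant_entitlements(events, ENTITLEMENTS))
```

On the constructed data the checks surface four distinct review findings: alice holds both create and approve (an entitlement problem regardless of behaviour), alice and bob each approved their own payment, bob's approval of P-1003 was accepted although he holds no approve role (the application's access control let it through), and dave is entitled but dormant. None of these would appear in a penetration test report, because every request involved was a legitimate, authenticated request the application processed successfully.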

I question some people’s credentials as "Application Security Experts" when all they can talk about is technical vulnerabilities and attack vectors. That makes you a coding-problem expert with good hacking skills for breaking code, not an Application Security Expert. If you want to be an expert in application security, you need to understand a little more, and then maybe fraud like that mentioned at the start of this post could be averted in more cases. Not sorry if that upsets some "Experts".

Applications and systems that "cannot be hacked into" because they have been penetration tested, had their problems fixed, and are protected by firewalls, IDS/IPS and WAFs are still easy game if you haven’t really looked at the "security" of those applications and systems in the broader sense above.

Drazen Drazic

About Drazen Drazic

Drazen Drazic is the CEO of Securus Global. Securus Global is one of the leading Information Security consulting organizations in the Asia Pacific region - also servicing clients from around the globe. He is directly engaged as a strategic consultant by many organizations, across most industry sectors on matters to do with Information Security policy and strategy. In earlier times, he has headed up Information Security for a large global investment bank and Big 4 professional services firm, worked as a regional IT Director, and has spent many years promoting and talking about Information Security. He is also the chief writer on the IT Security Management site, Beast or Buddha.


2 Responses to Looking at What Makes Good Application Security Knowledge

  1. Jonas January 28, 2010 at 1:58 am #

    Can we republish this again and again for all the haxors who think a pen test will sort the security issues for applications? This and the links just demonstrate how little a penetration test can actually highlight security issues. I’ve sent this post through to my whole division for education.

    A penetration test is only worth its salt after all of the above has been carried out!

    @Drazen, I would be interested to hear about your experience on what you recommend versus what companies just do at a minimum.

  2. Drazen Drazic February 1, 2010 at 11:47 pm #

    Hello Jonas,

    Thanks for the kind words.

    Your question is an easy one to answer but difficult in application. It’s the old building awareness and understanding issue.

    Even in our own industry, many believe technical-level testing, given the expertise required and the awesome results that can be attained (“hey, we just hacked you!”), is the be-all and end-all.

    You see it in “our” (security people’s) forums, IRC, Twitter etc. all the time. What’s the next big attack vector? That’s good and really cool at times, but the mindset that our technical experts and researchers alone are our saviours is just BS.

    In the scope of things, the majority of security risks really lie in the other areas I mentioned. In theory and in practice! We’ve lost focus.

    But, saying that, importance on all levels is key. My point in the post being, don’t forget the key areas and I think we have been for a long time while we try to be all fancy with it!

    If I had to prioritise and I only had to choose between one review – web app pen test vs audit of areas I mentioned, the latter would win out each time! No brainer!

    Ideally organisations think about this and do both but budgets and lack of knowledge/awareness as I mentioned restrict that.

    We as an industry have an obligation to promote a full/holistic view and not a narrow technical focus, which pigeon-holes us further into an area that business has trouble dealing with.
