This is not meant to be a bash on security tools. My consulting company partners with security tool vendors and we believe they are valuable components of a mature security posture. But here are a few things to remember:
Tools don’t make people smarter. Nor do they improve the process through which solutions are built and deployed. Tools simply make people more efficient in jobs they are trained to do.
If you want to comment on these or any other articles you see on CIO Update, we’d like to hear from you in our IT Management Forum. Thanks for reading.
– Allen Bernard, Managing Editor.
Tools don’t teach a surgeon how to operate or a road worker how to jack-hammer a hole. I didn’t become a better mechanical design engineer because I learned how to use AutoCAD; it just made me more efficient in the job I was already trained to do.
This is especially true of application security tools. The market here is still nascent and users need more education before tools can be truly useful. Network security tools are similar, but luckily the market, purpose, and limitations of the tools here are better understood and much more mature.
When using scanners (source code or Web), remember that they are just that: scanners. They will create false positives and they may very well miss a lot of serious vulnerabilities that do exist. Scanners are also hopelessly poor at catching business logic vulnerabilities, often the most damaging of all.
These are vulnerabilities that exploit acceptable behavior to steal or circumvent checks in your system. Take the example of a negative-integer attack on an ecommerce site. If the site uses client-side validation (all too many sites do, mainly for performance reasons), it’s easy to poison a cookie and turn the price of an item from positive to negative.
And because our business systems are so compartmentalized, most of these attacks go unnoticed. The account group just gets a notice that says debit this person’s account -$74.99, while the shipping department just gets a message that instructs them to ship the item to the user. There is often no correlation between the business functions, and tools can’t help.
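The negative-price case and the missing billing-to-shipping correlation described above, as an added example that is not part of the original article. The SKU, order ids, quantity limit and function names are assumptions, and all sample data is constructed.

```python
from decimal import Decimal

# Constructed sample data: the server-side price list is the source of truth.
CATALOG = {"sku-1001": Decimal("74.99")}

def charge_trusting_client(cart_cookie):
    """Weak pattern from the text: the price is read from the client's cookie."""
    return Decimal(cart_cookie["price"]) * int(cart_cookie["qty"])

def charge_server_side(cart_cookie):
    """Hardened: only SKU and quantity come from the client, and both are checked."""
    sku = cart_cookie.get("sku")
    if sku not in CATALOG:
        raise ValueError("unknown SKU")
    qty = int(cart_cookie.get("qty", 0))
    if not 1 <= qty <= 100:  # assumed per-order limit
        raise ValueError("quantity out of range")
    return CATALOG[sku] * qty  # any client-supplied price is ignored

def reconcile(ledger, shipments):
    """Correlate billing with shipping: order ids shipped without a positive charge."""
    charged = {entry["order"]: entry["amount"] for entry in ledger}
    return sorted(s["order"] for s in shipments
                  if charged.get(s["order"], Decimal("0")) <= 0)

# Constructed cookie with the price sign flipped, as in the article's example.
TAMPERED = {"sku": "sku-1001", "qty": "1", "price": "-74.99"}

# Constructed records as two separate departments would see them.
LEDGER = [{"order": "A1", "amount": Decimal("-74.99")},
          {"order": "A2", "amount": Decimal("74.99")}]
SHIPMENTS = [{"order": "A1"}, {"order": "A2"}, {"order": "A3"}]

if __name__ == "__main__":
    print("client-trusting charge:", charge_trusting_client(TAMPERED))
    print("server-side charge:   ", charge_server_side(TAMPERED))
    print("shipped without payment:", reconcile(LEDGER, SHIPMENTS))
```

The reconciliation step is the cross-department check the paragraph says is usually absent: it flags both the negative "charge" and a shipment with no ledger entry at all.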
Tools need to be worked into your risk management and audit management cycles. This is something consulting companies can help you do if you do not know how. There is a large translation problem right now in a lot of organizations where a risk management team may define a problem and must translate that to actionable activities for the software development and network operations teams.
You need to take a three-pronged approach: integrate tools with your processes and your training, so that your staff understand what’s expected of them and use the right tools to accomplish the job at hand while adhering to both corporate and industry processes and regulations.
Many organizations simply insert a tool into the software development or deployment process and require that an application “pass” some arbitrary, predetermined score. This is dangerous in both context and user interpretation.