Appsec industry trends - looking forward

Recently, it has come to my attention that industry people I respect (and vice versa) have desired me to re-post some comments I've made on other blogs.

It's also high-time that we at TS-SCI/Security begin writing again. I can tell you that since March (our last post), Marcin and I have been involved heavily in our day-to-day work at client-sites and other community efforts/projects.

A lot of new research is going to begin to become available from BlackHat/Defcon. It's just that time of year where everyone starts to share their work with others. While we can't exactly reveal everything that we're working on quite yet, be sure to check in for updates. I have been begging Marcin to post something on an HTTP-related argument we got into about the Post/Redirect/Get pattern, as one example.

Comment gone wrong #1

There was some interesting discussion lately on the OWASP News Podcast, in particular, Podcast 32. This is the first News Podcast that I missed (I was on a plane at the time we recorded), and having just listened to it -- I certainly think it's worth your time to listen to.

This particular News Podcast set off a blog post from Jeremiah Grossman where he says OWASP Podcast #32 pulls no punches. I attempted to comment, but the comment eventually disappeared -- perhaps Jeremiah didn't appreciate my insights. Others did, so here it is:

on the appsec market maturity and potentiality prediction -- i rate [discount black-box appsec SaaS] as low-value, and in the future, will continue to be low-value.

selling discount app pen-tests hurts infosec management as a whole because you're trying to tell ciso's that they can buy some freedom for $25k/yr (or whatever it is). in reality, they need to spend millions of dollars over several years.

discount app pen-tests need to go out of style. here's why: because the middle-ground and potential high-value comes from partnering with a trusted adviser (i.e. an appsec consulting company), or attempting to retain this talent in-house (which most companies -- including Microsoft who built lists of individual talent to target -- have pretty much failed).

every BPO (business process outsourcing) expert knows that the ideal is to avoid "discount" shops and focus on real partnerships, but don't give any single one partnership everything.

for example, attempt to retain 20% of your appsec program internally ASAP (this does take time -- don't expect it to happen overnight), while outsourcing initially 20% to one minor company (e.g. Gotham Digital Science, Aspect Security, Denim Group, Matasano, Independent Security Evaluators), then adding a bigger company (e.g. Accenture/McAfee/Verisign) for another 20% to take over the smaller company's 20% if [expectations are not met -- or major changes occur, such as buyouts]. The next step is to figure out a balance of adding more consulting companies somewhere in the 40-80% range, while growing your internal talent.

investing in this model is extremely expensive and extremely difficult to manage. ciso's are having problems finding/retaining talent, drafting RFI's, reading RFP's, following up on references, and deciding who is really talented and how that talent applies to the applications in their appsec programs. most can't or won't even draft an appsec policy.

[low-bid/low-value app pen-test houses, especially SaaS-based ones] convolute and diminish the returns that are necessary to build or even start an efficient appsec program. that's EXACTLY what Andrew van der Stock was trying to say.

if you want software security ROI, go read Sadbury, Soo Hoo, and Jacquith's "Tangible ROI through secure software engineering" or follow any of the work that Steve McConnell has done, which this referenced paper was based on.

if you want to keep selling the idea that your McDonalds solution is the bread-and-butter of modern appsec innovation... best of luck to you. there's plenty of analysts, whole appsec consulting businesses, bloggers, and podcasters that are all saying that a) you're wrong, b) you sell a one-size-fits-all solution to companies that "don't get it" which almost forces them to stay in the "don't get it" mode near-permanently, and c) the jury is out and the case is closed: appsec consulting is the correct path and one-stop-shops that do one-off, cheap app pen-tests are so 2008.

Aftermath and reasoning

My comments were due in part to actual recent industry analyst research, so they were not unfounded or inappropriate. More to the point, they were factual and unbiased.

Chenxi Wang, Ph.D., Robert Whiteley, and Margaret Ryan of Forrester Research published a report entitled TechRadar For SRM Professionals: Application Security, Q3 2009 Application Security Comes Of Age Despite A Slowdown In Security Spend. The date on the report was July 18th, 2009.

In the report, several technologies were evaluated, including:

1. Application scanning
2. Application security consulting
3. Application security SaaS
4. Penetration testing
5. Protocol testing
6. Software protection
7. Source code analysis
8. Web application firewall

These topics and research are not new to our blog, where we have discussed many of them. Take these examples:

• Software Security: a retrospective
• Security in the SDLC is not just code review
• OWASP Hartford tomorrow
• Why pen-testing doesn't matter
• Why crawling doesn't matter
• Baby steps with web application security scanners
• Post to webappsec mailing-list on WAF and pen-test: dead again
• Guests on OWASP Podcast #6
• Web Application Security Tomorrow
• What web application security really is
• Week of War on WAF's: Day 1 -- Top ten reasons to wait on WAF's
• Week of War on WAF's: Day 2 -- A look at the past
• Week of War on WAF's: Day 3 -- Language specific
• Week of War on WAF's: Day 4 -- Closer to the code
• Week of War on WAF's: Day 5 -- Final thoughts
• Web application firewalls: A slight change of heart
• Short-term defenses for web applications

Posted by Dre on Saturday, July 25, 2009 in Security.