How to get better at web application security

Robert Hansen, Vice President of WhiteHat Security Labs, has more than 20 years of web application and browser security experience. In this interview he discusses the evolution of web application security, offers advice on how to improve web application security practices, recommends tools, and more.

How have web application security challenges evolved in the past decade? What should be on the mind of security teams today?
They’ve changed in innumerable ways, actually. Back in 2005 XSS was not perceived as a real issue and barely anyone knew about it. But that year the Samy worm changed everyone’s mind. It was the fastest growing Warhol worm ever seen at that time – over a million machines infected in less than 24 hours.

Since then the community has really stepped up not just with XSS but the whole landscape of web application security flaws. We’ve uncovered hundreds of new attack techniques and gotten a handle on most of them.

While things are definitely still exploitable, it’s usually not a matter of not knowing how to fix them. Instead it is more a matter of negligence, which is a very different beast than ignorance.

How can we get more developers to start writing secure code?
I think this mostly comes down to changing their incentives. Right now developers are only incentivized to create code that works. They are not incentivized to build code that doesn’t have hidden alternative functionality. Abuse cases are expensive to create and take a lot of skill. Until they have something like liability concerns to worry about, developers will for the most part continue to do what is cheapest in terms of security which is approximately nothing.

What open source web application security auditing tools would you recommend?
It all depends on what source code you’re looking at on the source side. I personally just do it by hand. Things like powergrep make things easier, as do WYSIWIGS. I don’t rely much on automation other than fuzzing (E.g. Peach fuzzer) and home grown versions. However, I’m really far more partial to dynamic scanning because in custom applications it’s far more relevant to your actual threat. Things like ZAP proxy are great because they provide a lot of the same power you find in other commercial tools like Burp.

What advice would you give to organizations planning on improving their web application security practice?
Consider metrics as the number one most important thing to begin monitoring. If your training program doesn’t reduce the number of bugs per line of code, you know you should stop doing it. If your WAF fixes only some small portion of the known issues, you should consider either getting rid of it, or changing how you run it. And so on. The more data you have the more informed you can be about what products are working, who is doing their job, and how to fix the organization in a way that reduces waste over the long term.