
AppSec Is Dead

Is application security (AppSec) dead? Did it ever really work? Let's discuss...


Watch this episode on YouTube.

Reasonably Accurate Transcript

On this episode of the show, we're gonna talk about how application security is dead. OK. So when I originally wrote out the title for this episode, I thought it was not quite clickbait, but a little controversial, to kind of pull in some more views and get a discussion going.

And you know, the more I thought about it, the more I went, oh crap. No. AppSec is actually, like, dead. And this is no offense to OWASP, which is a phenomenal organization that started 18 years ago already, which is crazy.

They are the home of the infamous, super famous OWASP Top 10 web application vulnerabilities. They also have a whole bunch of fantastic open source security projects that they host, like the Zed Attack Proxy and Security Shepherd.

A whole bunch of stuff, actually; go check out owasp.org. Because when I say AppSec is dead, I mean the current approach to application security, not the concept of securing our applications. So traditionally AppSec is all about education: developers take a security course and now they're writing better code, and I get it.

That totally makes sense. However, this is almost always well after they've already built up a ton of habits. This is not integrated when people are starting to learn how to code. This is after the fact; this is an advancement, an enhancement, you know, continuing education.

That's ridiculous. So there was a thread a little while back with some of the AWS Community Heroes that Eric Hammond had kicked off, because he was going through a little bit older, you know, only a year and a bit old, AWS Amplify tutorial. Basically, it was a web application tutorial that was creating a photo sharing site.

And there was some really interesting authentication, or lack of authentication, and deep permissions in the tutorial. And he was reaching out to a bunch of the community saying, hey, am I off on this, or is this, like, a bad way to teach people?

And in fairness, we had a great discussion. There were a lot of things that rolled out of that, and one of the original authors of that project actually replied and said, no, the idea was, you know, teaching them later on. And that's the problem: teaching them later on doesn't work.

You have to then correct behavior as opposed to building the proper behavior in the first place. So when I say AppSec is dead, let me use... unfortunately, sorry, OWASP, I really do like the work you do.

And actually, I'm a member of OWASP. So, you know, this is me just kind of beating up on myself too, because this comes down to how the security community has handled themselves.

And I think if you've followed me for any length of time, you know I think we have a massive cultural problem in IT, specifically in cybersecurity, around how we perceive the actions required to secure our applications.

Even that simple goal: I have a completely different goal for cybersecurity, which is to make sure that whatever you're building works as intended and only as intended. And that really ties into this. So my proof point of why AppSec is dead is: look at the OWASP Top 10.

It's been revised three times over the last decade and basically nothing's changed. Things move around in order as to what is the most important or most prevalent. Some of the naming has changed to absorb more concepts.

But at the end of the day, we still have basically the, you know, the 10 standard culprits. We've got injection, which is always number one, so either SQL injection, or LDAP injection, or JavaScript injection, some sort of injection.

There is cross-site scripting, which continues to be a problem. Server-side reflection continues to be a problem. There are, you know... the OWASP Top 10 is a great list of things you need to be looking out for.

But why haven't we gotten better, if we were truly making a massive difference in application security and how developers build applications? The OWASP Top 10 should have radically changed over a decade. It hasn't. And that's because our approach is ridiculous.

It is not aligned with our desired outcome. We need to shift to building good habits from day one instead of trying to change people's habits later on, like security is some option that you can just come back in for.

There's a lot more coming on this, because I think it's time. Based on discussions I just had at Black Hat, based on ongoing discussions I've seen online, we need to change; we need to do better. We're building more and more, faster and faster, and we're making the same mistakes over and over again.

And that is absolutely the definition of insanity. And while I have been accused of many things, being legitimately, committably insane is a rare one. I don't want to say I've never been accused of it, but I think we can do better.

I think, you know, we can do better, because that goal is very simple: make sure that whatever you're building works as intended and only as intended. I think that's a clear, easy, understandable definition of done that we can all get behind.

So what are your ideas on how we can change how we secure our applications? Hit me up online at @marknca, in the comments down below, or, as always, by email at markn.ca. I look forward to talking to you about this.

Hope you have a fantastic weekend and we'll see you online.
