AppSec Is Dead
9 minute read | Last updated 12-Aug-2019 | 
Security, Culture Change
Mornings With Mark no. 0194
Watch the episode on YouTube
Join the discussion on LinkedIn
Share on Twitter
Bad Robot Transcript
On this episode of the show. We’re going to talk about how application security is dead. Okay, so when I originally wrote out the title for this episode, I thought it was not quite click baby, but a little controversial to kind of pull in some more views get a discussion going and you know, the more I thought about it the more I went crap.
No, I actually like Dad and this is no offense to owasp which is a phenomenal organization to starting at 18 years ago already, which is crazy. They are the home of the infamous Super Famous owasp top 10 web application vulnerabilities. I have a whole bunch of fantastic Security app open source projects that they host like this attack proxy a security Shepherd on whole bunch of stuff.
Actually go check out a wasp. Org because when I say appsec is dead, I mean the current approach to application security not the concept of securing our applications. So traditionally appsec is all about education developers take a security course and Now they’re writing better cup totally makes sense. However, this is almost always well after they’ve already built up a ton of habits.
This is not integrated when people are starting to learn how to code. This is after the fact this is an advanced advancement in enhancement Hill continuing education. That’s ridiculous. So there was a thread a little while back with some behaviors Community Heroes that are commanded kicked off cuz he’s going through a little bit older man only a year in a bit amplify amplify tutorial and basically it was a web application tutorial that was creating a a photo-sharing site and there’s some really interesting authentication or lack of authentication in deep permissions in the tutorial and he was reaching out to a bunch of the community say hey am I off on this or is this like a bad way to teach people and In fairness with a great discussion, there’s a lot of things that ruled out of that and one of the original authors of that project.
She replied and said, The idea was teaching them later on and that’s the problem teaching them later on doesn’t work. You have to then correct Behavior as opposed to building the proper behavior in the first place. So when I say appsec is dead, let me use unfortunately. I really do like the work you do let me and actually I’m a member of Oso, you know, this is me myself too because this comes down to how the security Community has handled themselves.
And yeah, I think if you follow me for any length of time, you know, I think we have a massive cultural problem in it specifically in cybersecurity around how we perceive the actions required to secure our applications, even that simple golf have a completely different goal for cybersecurity, which is to make sure that whatever you’re building works as intended and all the other as intended and that really ties into this so why proofpoint why apps that his dad is look at the Olaf top 10, it’s been revised three times over the last decade and basically nothing’s changed.
Things move around in order as to what at is the most important or most prevalent and the naming some of the naming is changed to absorb more Concepts, but at the end of the day, we still have basically the funeral 210 standard culprits. We’ve got an injection is always number one.
So either of SQL injection or ldap injection or JavaScript inject some sort of injection attack. There is cross-site scripting continues to be a problem server-side reflection continues to be a problem at there are seen as a great list of things you need to be looking out for it. But why haven’t we gotten better if we were truly making a massive difference in application security and how developers build applications the owasp top-10 should have radically changed over a decade and that’s because our approach is ridiculous.
It is not aligned with our desired outcome. We need to shift to building good habits from day one instead of trying to Change people’s habits later on like security some option that you can just come back in. There’s a lot more coming on this because I think it’s time.
They start discussions. I just had a black hat at based on ongoing discussions. I’ve seen online. We need to change we need to do better. We’re building more and more faster faster, and we’re making the same mistakes over and over again, and that is absolutely the definition of insanity.
And while I have been accused of many things being legit committable. Insane is a rare one. I don’t want to say I’ve never been accused of it, but I think we can do better. I think, you know, we can do better because that goes very simple make sure that whatever you’re building works as intended and only as intended, I think that’s a clear easy understandable definition of done that we can all get behind.
So what are your ideas on how we can change how we secure our applications? Hit me up online at Mark NCAA in the comments down below as always by email me at Mark n. C. I look forward to talking to you about this. Hope you have a fantastic weekend and we’ll see online.
On this episode of the show. We’re going to talk about how application security is dead. Okay, so when I originally wrote out the title for this episode, I thought it was not quite click baby, but a little controversial to kind of pull in some more views get a discussion going and you know, the more I thought about it the more I went crap.
No, I actually like Dad and this is no offense to owasp which is a phenomenal organization to starting at 18 years ago already, which is crazy. They are the home of the infamous Super Famous owasp top 10 web application vulnerabilities. I have a whole bunch of fantastic Security app open source projects that they host like this attack proxy a security Shepherd on whole bunch of stuff.
Actually go check out a wasp. Org because when I say appsec is dead, I mean the current approach to application security not the concept of securing our applications. So traditionally appsec is all about education developers take a security course and Now they’re writing better cup totally makes sense. However, this is almost always well after they’ve already built up a ton of habits.
This is not integrated when people are starting to learn how to code. This is after the fact this is an advanced advancement in enhancement Hill continuing education. That’s ridiculous. So there was a thread a little while back with some behaviors Community Heroes that are commanded kicked off cuz he’s going through a little bit older man only a year in a bit amplify amplify tutorial and basically it was a web application tutorial that was creating a a photo-sharing site and there’s some really interesting authentication or lack of authentication in deep permissions in the tutorial and he was reaching out to a bunch of the community say hey am I off on this or is this like a bad way to teach people and In fairness with a great discussion, there’s a lot of things that ruled out of that and one of the original authors of that project.
She replied and said, The idea was teaching them later on and that’s the problem teaching them later on doesn’t work. You have to then correct Behavior as opposed to building the proper behavior in the first place. So when I say appsec is dead, let me use unfortunately. I really do like the work you do let me and actually I’m a member of Oso, you know, this is me myself too because this comes down to how the security Community has handled themselves.
And yeah, I think if you follow me for any length of time, you know, I think we have a massive cultural problem in it specifically in cybersecurity around how we perceive the actions required to secure our applications, even that simple golf have a completely different goal for cybersecurity, which is to make sure that whatever you’re building works as intended and all the other as intended and that really ties into this so why proofpoint why apps that his dad is look at the Olaf top 10, it’s been revised three times over the last decade and basically nothing’s changed.
Things move around in order as to what at is the most important or most prevalent and the naming some of the naming is changed to absorb more Concepts, but at the end of the day, we still have basically the funeral 210 standard culprits. We’ve got an injection is always number one.
So either of SQL injection or ldap injection or JavaScript inject some sort of injection attack. There is cross-site scripting continues to be a problem server-side reflection continues to be a problem at there are seen as a great list of things you need to be looking out for it. But why haven’t we gotten better if we were truly making a massive difference in application security and how developers build applications the owasp top-10 should have radically changed over a decade and that’s because our approach is ridiculous.
It is not aligned with our desired outcome. We need to shift to building good habits from day one instead of trying to Change people’s habits later on like security some option that you can just come back in. There’s a lot more coming on this because I think it’s time.
They start discussions. I just had a black hat at based on ongoing discussions. I’ve seen online. We need to change we need to do better. We’re building more and more faster faster, and we’re making the same mistakes over and over again, and that is absolutely the definition of insanity.
And while I have been accused of many things being legit committable. Insane is a rare one. I don’t want to say I’ve never been accused of it, but I think we can do better. I think, you know, we can do better because that goes very simple make sure that whatever you’re building works as intended and only as intended, I think that’s a clear easy understandable definition of done that we can all get behind.
So what are your ideas on how we can change how we secure our applications? Hit me up online at Mark NCAA in the comments down below as always by email me at Mark n. C. I look forward to talking to you about this. Hope you have a fantastic weekend and we’ll see online.
