We recently attended two key security conferences, OWASP AppSec EU and Black Hat USA to talk about web application security and the benefits of automation in this industry. The increasing need for security champions outside of the core IT security team was just one of the 4 takeaways we brought back with us. Let’s go into each takeaway in detail:
1) Building up security champions and educating employees
We heard speakers at both events talking about the need for security outside of the security team or pentesters. This can be done through continuous educational training for all employees and especially for developers. Tanya Janca, senior cloud developer advocate at Microsoft, spoke about how Security is everyone’s job…literally at AppSec EU and urged the audience to start thinking about security earlier in the design phase and continue with “pushing left” to have a pro-active relationship with security rather than reactive.
One CISO we spoke with at AppSec said, “I don’t have time to explain what an XSS is to every single person”. As a result, he appointed a dedicated security champion on the developer team to encourage a security-first mindset and security knowledge sharing. More investments in security education and transparency with knowledge sharing is needed in order to encourage everyone to work together, build security champions outside of the core security roles and make security part of the culture, all contributing to the ultimate goal of making the end-users safer.
One way to encourage learning could be to gamify it with Jeopardy-style Capture the Flag (CTF) competitions. At AppSec, Max Feldman and John Sonnenschein of Slack presented how they’ve gained employee buy-in for security awareness through Jeopardy CTF events. To appeal to people outside of security, they encouraged participation by adding more pop-culture references, fun trophies to serve as desk swag like Raspberry Pi and designing the event to not require too much extra time outside of work hours for maximum participation.
2) Offensive vs defensive security
At BlackHat, Google’s Director of Engineering Parisa Tabriz set the tone during the plenary session and reminded us that cybersecurity isn’t only about the offense. Many Black Hat goers echoed concern that the defensive side of security doesn’t get enough credit. While it may not be as appealing, it is pivotal for any organization. A big hurdle could be lack of interest or incentive from teams, or bigger structural issues in a team.
Parisa explained how Google started a paradigm shift for more interest in defensive security with Project Zero. In this project all zero-day vulnerabilities are reported to the vendor and in turn they have 90-day deadline to fix it. The vulnerabilities are only made public once it has been patched or if it is not fixed by the deadline. It requires teams to take time to look back at their work to figure out what is the root cause of the problem, and decide whether a structural change is needed to make everything more secure. Parisa reminded the crowd that it is up to everyone working with applications to defend end-user safety.
“I don’t have time to explain what an XSS is to every single person”
— CISO attending AppSec
3) Automation with education
Not every IT security professional has the possibility to educate all the developers in their workplace about OWASP Top 10 and other product specific vulnerabilities. One way to trickle this information down is to provide security education resources, as well as automation tools to scale security activities and make it accessible and user-friendly to anyone.
At Detectify, we believe automation is the key to scaling up security activities in companies, regardless of size. There is a high demand for security professionals, but not enough human resources to go around. Besides showing what security risks exist, our tool also shows where it is found and how the user can remediate the issue. We provide educational content in our tool Knowledge Base, as well as publish original research on Detectify Labs for anyone interested in bettering end-user security. Our security research team is continually working to build new modules into our tool to keep our automated scanner tool on the forefront such as misconfiguration reports on CORS and Amazon S3 buckets.
4) Bug bounty programs are not a silver bullet
There was a common belief at Black Hat that adding a bug bounty program could be the silver bullet for stopping black hat hackers and prevent newsworthy data breaches since it is hacker-vs-hacker. But besides creating the program itself, companies also have to be ready to reward ethical hackers for each finding with notable swag or money. Without a sufficient budget, this may not be a sustainable for all companies to run long-term to keep up with new vulnerabilities.
In addition to this, bug bounty programs may not provide a platform for security teams and developers to learn how to write secure code. It cannot replace having an in-house security specialist either. Bug bounties show a company that something is broken, but there is still an education gap to be filled to coach developers and IT teams to design with security in mind to reduce the frequency of insecure code. They can be effective when complementing existing security measures.
Closing thoughts
After these events, we can see a clear demand for more employee education on web security to understand why and how vulnerabilities emerge, as well as how to defend against them with more secure design. A bug bounty program may not be a silver bullet, but it can be an effective part of a larger security strategy. These can be combined with having employee education events, recruiting champions to promote a security mindset in the organization and implementing automation tools to make a scalable strategy that promotes security awareness and adoption in an organization. Sharing knowledge in the organization and web application community makes security more accessible to everyone. Security can be a fun topic, and it is should be part of every employee’s concern.
If you’re interested in adding an automated web vulnerability scanner to complement manual pentesting, bug bounty and other security tools, give Detectify a try today. Sign up here for a free trial and start scanning now.