
At Last, My Web Applications Will Be Totally Secure!?

Yet another vendor attempts to reduce application security to something that can be purchased.

“How to Hacker-Proof Your Web Applications,” was the amusing subject of an email I received recently.  I’m sure that it wasn’t meant to be amusing.  I suppose I just have a strange sense of humor.

The source of the email was a company that I consider to be reputable, though this could lead me to reconsider that opinion.  I won’t single out the organization since hyperbole apparently continues to be a requirement to sell most anything.

I have to wonder though, does anyone actually read a subject line like that and then open the email fully expecting to be presented with a product or service that does what the subject states?  I certainly hope not.  Let’s explore the meaning of the message and then we’ll see if the email content led me to such a nirvana.

“Your Web Applications” covers every piece of software I have that presents a web interface.  This includes my traditional HTTP/HTML-based applications as well as web services.  These applications may be based on a variety of technologies such as .NET, Java, Perl and Ruby.  They include third-party libraries and frameworks.  Further, they are hosted on some form of hardware running some operating system.  Clearly this claim applies to a wide and deep world of application infrastructures and architectures.

“Hacker-Proof” means that no attacker will be able to successfully exploit the applications.  That is quite a promise.  By opening this email I’m going to find out what is necessary to prevent all successful exploits for my entire set of web-facing applications?  This is great news!

So what did I find when I opened the email?  It contained a somewhat watered-down description of the offering.  In fact the term “Hacker-Proof” did not appear anywhere in the email text or the referenced materials.  What was provided were three components that made up the solution to all hacking of my web applications.

First, I got a white paper that explained “common hacker strategies” and the “new MOs of hackers.”  Right off the bat I’m a little concerned.  After all, this isn’t a white paper that gives me ALL hacker strategies.  If not ALL the strategies are defined, then how can the result lead to a “Hacker-Proof” solution?  At best, wouldn’t it be a “common strategies and new MO Hacker-Proof” result?  Also, it only discussed strategies, not the fixes for my applications.

Next, I was provided with access to a webcast that described solutions available to identify vulnerabilities and defend against breaches.  The webcast was very generic and didn’t actually help me make my applications invulnerable.  So far, I’m not feeling like all my web application vulnerabilities are about to be mitigated.  Perhaps the third aspect of the offering would do the job?

In this case the final part of arriving at the “Hacker-Proof” destination was to have a scan done on a set of my web applications and a report of vulnerabilities provided.  The scan wouldn’t cover all my applications and it wouldn’t tell me specifically how to fix the issues that were found.  Of course this is a marketing ploy. Scare me with a report full of vulnerabilities and I’ll be more likely to purchase some service to scan all my applications.

My point in discussing this email is to reinforce what so many security professionals continue to try to communicate: there is no silver bullet when it comes to securing web applications or any other computer system-based solutions.  What do exist are best practices, techniques, and tools that significantly reduce the number of vulnerabilities and the likelihood of a successful exploit.  The challenge is determining the correct ones to apply to a given situation and then using them effectively.

That collection of options cannot be reduced to a single product or service offering.  Rather, they require risk assessments, budgeting, planning, and constant review.  They also do not lead to a “Hacker-Proof” set of applications.  What they do is allow businesses to define their risk tolerance, understand their current risks, and work to bring the two into alignment.

Emails like the one I received serve to create confusion between business leaders trying to successfully operate a profitable operation and security personnel who have the responsibility of assuring that the business is making informed decisions concerning risk.  Promising a “Hacker-Proof” result simply leads executives to believe that such a result is feasible within a reasonable budget.  It isn’t.

My security vendor advertisement wish is for fewer absolutes and more education.  By helping business leaders understand the true process around securing their information assets, I believe these vendors would foster a meaningful dialog between themselves, business leadership and IT security departments.  I would expect this to increase the odds of gaining substantive meetings with prospective customers, which are more likely to result in successful sales.

The flip side, such as presenting “Hacker-Proof” claims, will just lead to an internal conversation where the CEO asks if the company should buy the product while the frustrated security leader yet again has to explain that application security is an on-going process.  Now, please excuse me while I add another email to my spam training software.

