
1 Copyright © 2004 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.
The OWASP Foundation, OWASP AppSec, June 2004, NYC, http://www.owasp.org
Emerging Trends in Application Security
John Viega, viega@securesoftware.com

2 What is Gartner saying?
- Biggest problems are in the patch race
- Internal software is not yet the worry
- Time to exploit is getting faster (30% in 2006)
- Targeted attacks are going to supplant random ones
(Chart: incidents vs. patch lifecycle; days between patch and exploit)

3 The Security Industry Today
- Treating the symptoms
  - Firewalls, intrusion detection, anti-virus
  - Low hanging fruit
- Industry is narrowly focused
  - High-profile vulnerability classes
  - True in vulnerability research and academia
  - Simple problems, big impact
- Much less focus on the mundane risks
  - Proper use of crypto not well understood
  - Access control, authentication, availability
- No focus on broader view
  - Management impact and cost
  - End customer impact (usability, etc.)
  - Impact on people and processes for development

4 Mature Problem, Early Market
- Customers don't know what to demand
  - Don't know what to expect from open source, offshoring & ISVs
- Security is a "nice to have"
  - Functionality is more important
- Security issues are almost expected
  - Products steer the market
  - Firewalls, IDS, Java, SSL
- Used to software being buggy
  - Easy to meet check-boxes
  - Still, wreaks havoc in business processes
- Willingness to cross fingers
  - Many assume the problem isn't that bad
- Awareness
  - Formal education for development teams

5 Market drivers
- Fear
- Outsourcing
- Awareness
  - Awareness programs are prevalent
- Early solutions
  - Product focused, not business process
- Education
- Policy construction
- Measurement / Business Metrics
- Compliance
- Certification
- Mandate
(Diagram: adoption curve from Early Adopter to Late Majority)

6 A Rapidly Evolving Market
- In 2000: no application security startups
- In 2004:
  - At least 20 startups
  - Lots of activity in the venture community
  - Big firms have made big pushes (Microsoft, Oracle)
  - Accounting firms and big services firms with growing practices (EY, IBM)
  - Web app scanners are everywhere
  - Traction in audit services
  - Move towards more automation

7 Early Adopters
- Risk-aware verticals are tracking the space
- Financial companies
  - Have internal audit teams
  - Use AppScan extensively
  - Are evaluating early technologies
  - Formulating regulatory requirements
- Government / Critical Infrastructure
  - Would like to require secure products
  - Need to define what this means
  - Would like to have a certification process
  - Also evaluating early technologies
  - DHS and NIST launching a policy initiative
- Widely believed that technology isn't enough

8 Immediate Challenge
- Development is feature driven
  - Application security is just emerging as a requirement
  - Many dev orgs assume security is "good enough"
  - No budget for security yet
  - Developers don't want to be blamed
- Awareness is growing
  - Can't be a focus for every developer
  - Security decisions are the domain of architects / designers
  - Developers need process and tools to implement those decisions

9 The Product Market
- Dynamic Analysis
  - Subcategories: developer-driven and black-box
  - Cenzic, IBM/Rational, Sanctum
  - False positives and false negatives
  - Dev-driven tools must be low-effort, high value
- Static Analysis
  - With or without source
  - @Stake, Fortify, Ounce Labs, Secure Software
  - Less resource-intensive, more accurate
- Compliance / Metrics
  - Jack discussed extensively
  - Metrics must be low-effort, high value
- Process
  - More important as AppSec becomes a business imperative
  - Needs to be industry-supported
IBM Rational Users Conference

10 Other Predictions
- Sizable market opportunity
  - SIs are establishing practices
  - Startups have about 3 years
  - Fortune 100 companies will look to the "final four"
- Security won't slow down outsourcing
  - Outsourcers will adopt solutions
- Government is going to drive standards
- Vendor liability is far off

