Code & Data Security
A quick analysis of why Code Security does not mean a lot to anybody who’s not involved with it – and why we all have to understand that it’s all about the data.
I’ve been involved in application security most of my career. I’ve had the opportunity of working it from almost every angle – consulting, penetration testing, code review, research, working on a WAF product, working on a scanner product, and over the recent few years, developing a new approach for application security testing.
I’ve seen this market evolving, changing, growing, and at the same time trying to reinvent itself and give new names to old concepts. In recent years, it appears that “Code Security” has surpassed “Application Security” as the right buzzword in our space, and that had me wondering – who cares about code security anyway?!
Code security is something only application security vendors and experts care about. Most developers usually don’t care about it too much, at least no more than the minimum they need to do to get the security people off their backs. Executives sure as hell don’t care about code security, and why should they? It’s a really technical matter. More surprising is that even security managers don’t care about it that much. This can be a frustrating reality for people who are trying to sell code security, but when thinking about it, it actually makes sense.
Security is all about risk management. Security managers do not care about code security, much as they don’t care about patch management or antivirus software. Security managers care about reducing the overall risk to the organization, and to paraphrase a known saying – It’s all about the data, baby. Unlike what application security experts might make you believe, application attacks do not target the application. They target business data. Do you ever see a newspaper headline saying “Hackers broke into the Pentagon website and gained access to insecure libraries”? Or do you see “Hackers stole 5 Million user records from John Doe’s website”?
And while the hackers are targeting credit card information, personal user records, classified information and customers’ order details, the vast majority of our industry is focused on code security, insecure coding practices, hundreds of different ways to perform reflected cross site scripting attacks (which look cool, but could often be replaced with simple phishing attacks), etc.
We must focus on what’s real. 99% of our customers do not care about code security. They don’t want to fix all the insecure coding practices. They don’t want to turn their organization from a development organization producing software into a crippled development organization that spends 25% of its energy on fixing irrelevant things. They want to manage the risks that are part of the applications that process their most sensitive data and operations.
For this, Application Security, or Code Security, or whatever you want to call this industry, must focus on risk management – helping our customers create code which hackers cannot abuse to gain access to their most sensitive data. Through this, we can build trust with our customers, not just with the Application Security people, but with security management and with the application development organization.