The following is a short interview with Succinctly series author Stan Drapkin, whose latest book Application Security in .NET Succinctly was published on Tuesday, October 12. You can download the book here.
What should people know about application security in the .NET Framework? Why is it important?
Microsoft’s .NET Framework ushered in a new era of rapid application development that was almost as powerful as C/C++ development on one hand, but did not have as many sharp edges and opportunities to “shoot yourself in the foot” on the other hand. The unfortunate side effect was that .NET developers’ efforts were mostly spent discovering and calling the APIs provided by the .NET ecosystem, not learning how to use these APIs correctly. Many of the .NET security-related APIs are not safe to use by a casual .NET developer. This book tries to raise awareness of many important application security topics that most .NET developers are bound to run into.
The importance of understanding the challenges and pitfalls of application security is hard to underestimate. The security breaches are happening weekly if not daily, and their scope and magnitude continue to grow as users entrust (or are forced to entrust) more of their information to digital repositories and their operators.
When did you first become interested in application security?
I became interested in application security through a fascination with cryptography when I was 15 years old. I wrote an “unbreakable” XOR-based encryption mechanism in Turbo Pascal that I was very proud of. As laughable as it is now, I’m sure many folks in the security field have a similar story to share. The writings of Bruce Schneier fueled my interest and made me realize that the information security domain is too focused on cryptographic tools and primitives, and not focused enough on how to use these tools to engineer secure systems.
By writing this e-book, did you learn anything new yourself?
I learned that application security and security in general are difficult topics to write about. Unlike basic things like math or computer science, application security is a rapidly moving and evolving field, with new threats, vulnerabilities, exploits, and countermeasures arriving nonstop. The prescriptive “do X, Y, and Z to be safe” approach to security might work today, but is inadequate tomorrow. Rather than “giving readers a fish,” I’ve tried to “teach them how to fish” in hopes that a foundational understanding of core concepts will provide longer-term value.
How will application security change over the next few years?
I think the security field has come to a threshold where it will start to be regulated. The amount of incompetence and negligence in this field is only matched by the magnitude of damages, and that creates a lethal combination that everyone in our digital economy suffers from. We already regulate doctors, lawyers, pilots, and many other professions, as well as organizations employing them.
I think that the regulatory changes will affect not only the technical in-the-field professionals, but will also impact the C-suite, and force senior leadership to give security pros a seat at the table. One of the highlights of this profound lack of senior-level understanding was in the Equifax Personnel-Change statement that followed the recent massive Equifax data breach. Equifax appointed a new Chief Security Officer (CSO), and made the CSO report to the CIO. When the just-been-breached Equifax does not understand why the CSO must report to the CEO and not the CIO, that’s another sign that executive leadership still does not have the right perspective on security.
Another industry-wide change in perspective that I’m anticipating is a shift from “defend the castle” to “inmates are running the asylum.” Insider threats are already among the main security threats of 2017, and yet most security efforts are still just building walls.
Do you see application security as part of a larger trend in software development?
I believe that thinking of application security as a larger trend in software development is like thinking of mathematics as a larger trend in physics, or thinking of backups as a larger trend in disaster recovery. Not everyone must be a highly skilled application-security professional, just like not everyone must be a highly skilled accountant, lawyer, or engineer. Yet most IT companies rely on professional services of a relatively small number of skilled experts with unique domains of expertise. As software continues to “eat the world,” software development as a field has long been vast enough and important enough to warrant domain specializations. Boeing does not advertise “full-stack aerospace engineer” positions, and yet one of the core “career areas” for Boeing is “cybersecurity.” Ten years ago, every company became a software company. In 2017, every software company must become a cybersecurity-focused company. Cybersecurity begins in the C-suite.
What other books or resources on application security do you recommend?
Microsoft’s Security Development Lifecycle book is a good read for software development managers and architects. Those interested in the foundations of cryptography may find Crypto 101 or the Serious Cryptography book suitable. Those interested in the fundamentals of TLS, the largest application of cryptography to the web, should check out Bulletproof SSL and TLS. Tangled Web is another favorite of mine, which covers the insanity of the modern web.