The following is a short interview with Succinctly series author Stan latest book Application Security in .NET Succinctly was published on Tuesday, October 12. You can download the book here.
What should people know about application security in the .NET Framework? Why is it important?
Microsoft’s .NET Framework ushered in a new era of rapid application development that was almost as powerful as C/C++ development on one hand, but did not have as many sharp edges and opportunities to "shoot yourself in the foot" on the other hand. The unfortunate side effect was that .NET developers' efforts were mostly spent discovering and calling the APIs provided by the .NET ecosystem, not learning how to use these APIs correctly. Many of the .NET security-related APIs are not safe to use by a casual .NET developer. This book tries to raise awareness of many important application security topics that most .NET developers are bound to run into.
The importance of understanding the challenges and pitfalls of application security is hard to underestimate. Security breaches are happening weekly if not daily, and their scope and magnitude continue to grow as users entrust (or are forced to entrust) more of their information to digital repositories and their operators.
When did you first become interested in application security?
I became interested in application security through a fascination with cryptography when I was 15 years old. I wrote an "unbreakable" XOR-based encryption mechanism in Turbo Pascal that I was very proud of. As laughable as it is now, I'm sure many folks in the security field have a similar story to share. The writings of Bruce Schneier fueled my interest and made me realize that the information security domain is too focused on cryptographic tools and primitives, and not focused enough on how to use these tools to engineer secure systems.
By writing this e-book, did you learn anything new yourself?
I learned that application security and security in general are difficult topics to write about. Unlike basic things like math or computer science, application security is a rapidly moving and evolving field, with new threats, vulnerabilities, exploits, and countermeasures arriving nonstop. The prescriptive "do X, Y, and Z to be safe" approach to security might work today, but is inadequate tomorrow. Rather than "giving readers a fish," I’ve tried to "teach them how to fish" in hopes that a foundational understanding of core concepts will provide longer-term value.
How will application security change over the next few years?
I think the security field has come to a threshold where it will start to be regulated. The amount of incompetence and negligence in this field is only matched by the magnitude of damages, and that creates a lethal combination that everyone in our digital economy suffers from. We already regulate doctors, lawyers, pilots, and many other professions, as well as organizations employing them.
I think that the regulatory changes will affect not only the technical in-the-field professionals, but will also impact the C-suite, and force senior leadership to give security pros a seat at the table. One of the highlights of this profound lack of senior-level understanding was in the Equifax Personnel-Change statement that followed the recent massive Equifax data breach. Equifax appointed a new Chief Security Officer (CSO), and made the CSO report to the CIO. When the just-been-breached Equifax does not understand why the CSO must report to the CEO and not the CIO, that's another sign that executive leadership still does not have the right perspective on security.
Another industry-wide change in perspective that I’m anticipating is a shift from “defend the castle” to “inmates are running the asylum.” Insider threats are already among the main security threats of 2017, and yet most security efforts are still just building walls.
Do you see application security as part of a larger trend in software development?
I believe that thinking of application security as a larger trend in software development is like thinking of mathematics as a larger trend in physics, or thinking of backups as a larger trend in disaster recovery. Not everyone must be a highly skilled application-security professional, just like not everyone must be a highly skilled accountant, lawyer, or engineer. Yet most IT companies rely on professional services of a relatively small number of skilled experts with unique domains of expertise. As software continues to "eat the world," software development as a field has long been vast enough and important enough to warrant domain specializations. Boeing does not advertise "full-stack aerospace engineer" positions, and yet one of the core "career areas" for Boeing is "cybersecurity." Ten years ago, every company became a software company. In 2017, every software company must become a cybersecurity-focused company. Cybersecurity begins in the C-suite.
What other books or resources on application security do you recommend?
Development Lifecycle book is a good read for software development managers and architects. Those interested in the foundations of cryptography may find Crypto 101 or the Serious Cryptography book suitable. Those interested in the fundamentals of TLS, the largest application of cryptography to the web, should check out Bulletproof SSL and TLS. Tangled Web is another favorite of mine, which covers the insanity of the modern web.