Coveros CEO Jeff Payne goes into detail about his upcoming STARWEST 2014 tutorial, the importance of software testing in the mobile age, the most common types of breaches, and how he would have handled the recent security issues that Twitter encountered.
Josiah Renaudin: Today, I'm joined by Jeff Payne, who will be speaking on “Security Testing for Test Professionals” during our STARWEST 2014 showing. For starters, Jeff, can you tell us a bit about yourself and your background in software security testing?
Jeff Payne: Sure, so I've been building and testing software for about twenty-five years now; focusing primarily on software assurance, so testing software and securing software. I run a couple of companies that I founded, the first was a company called Cigital, which focuses specifically on security testing and security analysis. Now I'm running Coveros, which is a secure agile development shop. We build applications using agile that need to be secure.
Josiah Renaudin: Now, what's made so many pieces of software reliant on stronger security? Do you see even greater security requirements being implemented in the future?
Jeff Payne: No doubt. In a word, it's the Internet. We're hooking together more and more things every day, and now we're hooking together, not only systems, but also things like our cars and our homes and all sorts of things. As we do that for good reason, we're trying to collaborate better, communicate better, ease our world, ease our process. Those are all good things, but doing so does introduce some risk. For the first time a lot of applications that have resided in these systems and these things are now exposed to interfaces that anybody can play with and try to break into and gain access to. That's driving a stronger set of security requirements than we've seen in the past.
I think the other thing is some of the highly publicized data breaches that have happened recently. We're seeing executives being fired now when larger data breaches are happening at places like Target and other large corporations. I always joke that maybe we've finally found the driver for application security: it's the risk of a CEO losing his job.
Josiah Renaudin: Now, we have all these greater requirements for security, but why aren't testers being taught how to properly execute security measures for modern software if we need it now more than ever?
Jeff Payne: Well, that's a good question; that's definitely what we're trying to do with our security testing tutorial that we're giving at STARWEST and also with a two-day course that we have on security testing. I think historically, security professionals have considered what they do to be a bit of a black art that only a few can really do. To some extent there's some truth in that for particular types of security activity. For instance, if you're doing architectural risk analysis on your software architecture or you're helping design security practices or controls into your design and your architecture, those are really high-touch, high-expertise types of activities, because you have to both be a very senior-level software architect and developer type, but also know a lot about threats and risks and vulnerabilities and things like that.
From that perspective, that philosophy or mentality makes sense; however, there are a lot of different activities in the application security process that developers and testers can be involved in. For instance, testing our website applications for common types of vulnerabilities that are out there, or wielding security tools to effectively test our applications for known vulnerabilities. Doing things like scanning code using tools, working to get our security requirements built better, and making sure that they're most robust and secure; all things that testers can do and should be involved in.
Josiah Renaudin: What do you see as the most common security vulnerability that can be easily avoided through intelligent testing?
Jeff Payne: I'd say it's definitely injection attacks. Cross-site scripting, SQL injections, input buffer overflows, cross-site request forgeries; they're all examples of what are called injection attacks, which are attacks on the input into our systems. These attacks are very well documented, they're typically very easy to identify, and there are good tools out there, both open source and commercial tools, for testing these, to identify these types of vulnerabilities. Today, there's really no excuse for not identifying these attacks in your applications. They really shouldn't be found in the wild if almost every day one of them is identified.
Josiah Renaudin: Now, are we seeing more of these attacks and security breaches in mobile or web-based software, and why?
Jeff Payne: I would say more of both, for different reasons, though. The proliferation of web interfaces really means the attack surface for a hacker is a lot greater; there's just a lot more things to attempt to break into when you're talking about web-based systems. On the mobile side, the threat model is very different in mobile, and because of that a lot of the attacks and protections aren't well understood yet by software developers. Because of that, we see a lot of issues in mobile applications. A big one is malicious code. We download so many applications for our phone, knowing not very much about them and whether they're secure or not. The app stores don't really check to determine whether applications are secure; they're not checking to look for malicious code, things like that.
We're downloading all sorts of things, whether they're games or other applications onto our phone. They're sitting there right next to our mobile banking app or our access to our corporate systems, and we're not really sure what those applications are actually doing. We also carry our phones around and we tend to drop them and leave them places. That makes our devices much more susceptible to somebody picking them up and using them as compared to a desktop machine sitting in our office.
Josiah Renaudin: One desktop application I want to talk about is TweetDeck, because recently it was hacked by what we think is just a single teen in Austria. Hindsight's 20/20, but what would you suggest as the best preventative measure for a breach of this nature, especially for such a popular service? Twitter... it seems like everyone has a Twitter account. What would you suggest for this situation?