2016 State of Application Security: Skills, Configurations, and Components

The 2016 SANS State of Application Security Survey analyst paper and webcast are complete. This year, Johannes Ullrich, dean of research at the SANS Technology Institute and instructor for DEV522: Defending Web Applications Security Essentials, led the project by analyzing the survey results, writing the whitepaper, and delivering the webcast.

We had 475 respondents participate in this year’s survey, and Johannes identified the following key findings to discuss in the whitepaper:

38% have a “maturing” AppSec program

40% have documented approaches and policies to which third-party software vendors must adhere

41% name public-facing web apps as the leading cause of breaches

For more details, the webcast and whitepaper can be found here:

2016 State of Application Security: Skills, Configurations and Components

Managing Applications Securely: A SANS Survey

Thank you to all of the sponsors for bringing this content to the SANS community: Checkmarx, Veracode, and WhiteHat Security.

Also, a special thank you goes out to the webcast panel: Amit Ashbel (Checkmarx), Tim Jarrett (Veracode), and Ryan O’Leary (WhiteHat).

We will see you next year for the 2017 State of Application Security Survey!

2015 State of Application Security: Closing the Gap

The 2015 SANS State of Application Security Analyst Paper and webcasts are complete. This year, Jim Bird, the lead author of the SANS Application Security Survey series, Frank Kim, and I all participated in writing the questions, analyzing the results, drafting the paper, and preparing the webcast material.

In the 2015 survey, we split the survey into two different tracks: defenders and builders. The first track focused on the challenges facing the defenders who are responsible for risk management, vulnerability assessment, and monitoring. The second track focused on the challenges facing the builders responsible for application development, peer reviews, and production support.

Overall, we had 435 respondents, 65% representing the defenders and 35% representing the builders. Based on the results, the communication barriers between defenders and builders are shrinking. But, there is still work that needs to be done:

Defenders and builders are focused on where the greatest security risks are today: 79% web applications, 62% mobile applications, and 53% private cloud applications.

Managers are becoming more aware of how important – and how hard – it is to write secure software. Today, application security experts are reaching out to builders and speaking at their conferences. As a result, builders are more aware of risks inherent in the same applications that defenders are concerned with.

Management needs to walk the talk and provide developers with the time, tools and training to do a proper job of building secure systems.

For more analysis, the webcasts and analyst paper can be found below:

2015 State of Application Security Analyst Paper: Closing the Gap

Webcast Part 1: Defender Issues

Webcast Part 2: Builder Issues

Thank you to all of the sponsors for bringing this content to the SANS community: HP, Qualys, Veracode, Waratek, and WhiteHat Security.

Also, a special thank you goes out to our webcast panel: Will Bechtel (Qualys), Robert Hanson (WhiteHat Security), Bruce Jenkins (HP Fortify), Maria Loughlin (Veracode), and Brian Maccaba (Waratek).

Happy reading!

About the Author
Eric Johnson (Twitter: @emjohn20) is a Senior Security Consultant at Cypress Data Defense, Application Security Curriculum Product Manager at SANS, and a certified SANS instructor. He is the lead author and instructor for DEV544 Secure Coding in .NET, as well as an instructor for DEV541 Secure Coding in Java/JEE. Eric serves on the advisory board for the SANS Securing the Human Developer awareness training program and is a contributing author for the developer security awareness modules. Eric’s previous experience includes web and mobile application penetration testing, secure code review, risk assessment, static source code analysis, security research, and developing security tools. He completed a bachelor of science in computer engineering and a master of science in information assurance at Iowa State University, and currently holds the CISSP, GWAPT, GSSP-.NET, and GSSP-Java certifications.

Survey on Application Security Programs – Webcast and Paper

For the second year in a row Jim Bird and I have helped SANS put together a “Survey on Application Security Programs and Practices”. We asked some of the same questions as the previous year, just in a different way. Some interesting trends this year, as taken from the executive summary of the soon-to-be-published paper, include the following:

– There was a significant improvement in the number of organizations implementing application security programs and practices. The percentage of organizations that have an active Appsec program increased from 66% last year to 83% this year—and many of the organizations that do not have a program in place yet are at least following some kind of ad hoc security practices.

– Organizations are testing more frequently. In this year’s survey, more than one-third are doing continuous, ongoing security testing of their applications, whereas only 23% indicated doing so in our previous survey.

– Organizations continue to face the same kinds of challenges in getting management buy-in for application security programs. But the leading inhibitor for putting effective Appsec programs in place is now a shortage of application security skills, whereas in last year’s survey, the leading inhibitor was management buy-in and funding. In this year’s survey, organizations also ranked technical resources to maintain security in production their fourth most difficult problem.

To find out more please register for our complimentary webcast on Wednesday, February 12 at http://www.sans.org/info/150770

If you register for the webcast you’ll get an advance copy of the paper that will be published in the SANS Reading Room at http://www.sans.org/reading-room/analysts-program

To find out more about Software Security Awareness training for developers please visit SANS Securing the Human at http://www.securingthehuman.org/developer. Information about longer developer security training courses is available at https://www.sans.org/courses/developer.

SANS Appsec Survey

SANS has just opened a survey to understand more about the challenges and risks that companies are facing in application security, and what tools and practices people have found are most effective in managing appsec problems.

Please follow this link and take 5-10 minutes to answer the survey questions:


Help shape the future of application security practices and technologies and also enter to win a $300 American Express gift card, which will be awarded to one lucky winner!

Sponsored by NT OBJECTives, Qualys, Whitehat Security and Veracode, this survey will remain online until November 7, 2012. Results will be published at http://www.sans.org/info/113477 on December 13, 2012, during a related webcast.

To register for that webcast, follow this link: https://www.sans.org/webcasts/survey-application-security-policies-enterprises-95622

Free AppSec Webcasts

Here are some recent appsec webcasts for your viewing pleasure:

Web Application Threats: Combining XSS and CSRF to own the world!
Kevin Johnson covers Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF). Specifically, “how they can be used to exploit users and applications, how to find them and what their combined power can accomplish.”

Innovation in Application Security: Application Risk Management
John Sapp discusses “business critical application security trends and the need for comprehensive approaches to secure software development” including coverage of what “application attacks are most prevalent now, the importance of the secure development lifecycle (SDL), and cost-effective methods to implement a program-level commitment to security throughout the SDL.”

Trust and Verify: Securing Client Side Code in Web Services Oriented Applications
Johannes covers new threats and mitigation strategies that architects and developers need to be aware of when “a variety of different web services using client side scripting languages like flash or javascript” are used and “services are not authenticated and messages with critical content are forwarded without sufficient protection.”

Trio of AppSec Webcasts Next Week

We have three cool webcasts lined up next week:

1) SQL Injection for the Penetration Tester on April 27
Eric Conrad will kick off the week of webcasts with something every penetration tester should know about. “Both normal and blind SQL attacks will be described, including reading and altering databases, creating local files, and gaining command shell access to the database server.”

2) Defending Web Applications: Going Back to First Principles on April 28
In this talk Johannes and Jason “will outline current attacks against web applications, why they evade detection by network defenses and how to build defensible applications by going back to simple defensive principles. Each of the attacks will be illustrated from a defensive as well as offensive point of view showing the strength and weakness of each defensive measure.”

3) The Growing Threat and Impact of Web-Based Malware on April 29
Finally, Johannes and Neil Daswani will finish off the week with a talk on the growing threat of web-based malware. “The way malware is being distributed has undergone a fundamental shift, with attackers focusing on planting ‘drive-by downloads’ on legitimate sites in an automated fashion, taking advantage of vulnerabilities in hosting platforms, web applications, and structural vulnerabilities in web sites. The impact is quite significant — end users can get infected simply by visiting affected web sites, and webmasters lose their traffic due to having their infected sites blacklisted by search engines and browsers.”

Webcast on Manipulating Web Application Interfaces

Felipe Moreno will be giving a webcast on Groundspeed, a Firefox add-on that allows penetration testers to manipulate the interface of web applications in order to adapt it to penetration test needs, removing the annoying client-side limitations and making the test more efficient.

“Not much has changed since the beginning of the web application penetration testing in terms of process for performing manual input validation tests. Place a client proxy between the browser and the application, generate requests, intercept them and modify the HTTP parameters. It’s true that we have seen some nice improvements at the client proxy level (compare the old Achilles to the last version of the Burp suite), but the general approach still remains the same. This webcast will propose a new way to look at input data and a new approach to manually test it.”

Sign up here for the April 19 webcast!


Social Zombies: Your Friends Want to Eat your Brains Webcast

Kevin Johnson will be giving a cool webcast called “Social Zombies” where he “explores the various concerns related to malware delivery through social network sites. Ignoring the FUD and confusion being sowed today, this presentation will examine the risks and then present tools that can be used to exploit these issues. We discuss how social networks work and the various privacy and security concerns that are caused by the trust mass that is social networks. We use this privacy confusion to exploit members and their companies during our penetration tests.”

Sign up here!


Mobile Application Security Webcast – Win a Free Book

The good folks at iSec Partners have written a new book called “Mobile Application Security” and one of the authors, Chris Clark, will be giving a webcast on that very topic.

“The day when everyone has a PC in their pocket has arrived and developers are rushing to create mobile applications to meet demand. This talk presents the security challenges facing mobile application developers and how to best manage mobile application security risks. Limited memory and CPU, multiple security models, and an always-on network create a daunting security challenge. Knowing the risks and how to respond to them is the only hope for creating secure software.”

One lucky listener will also be chosen at random to receive a free copy of the book!

Sign up here


Webcast on Next Gen Application Attacks

I’m really looking forward to a webcast titled “The Porous Castle: Next Generation Application Attacks” by Nitesh Dhanjani. I spoke to Nitesh and he said it was OK for me to say that he’ll be revealing details of a very cool zero-day on an extremely well known web site.

Nitesh will discuss the impact of some emerging application level attacks including the following:

* Setting the stage for Inside-Out attacks: Cross Site Request Forgery
* The web browser as the new operating system and what it means to application security
* Case Study: Safari Carpet Bomb and file stealing
* Cloud computing and web application security
* Case Study: The Amazon EC2 platform
* Mashup galore: The next generation web platforms
* Case Study: Facebook API security vulnerability

Sign up here!