“What we need is more action” – Contrast’s CTO on tackling cyber security faults

Security
Jeff Williams

With over 20 year in the cyber security industry, it feels fair to describe Jeff Williams, Co-Founder and Chief Technology Officer of Contrast, as an expert in his field. Williams claimed to have reached his position as leader through following his interests in “solving problems that others had not”, taking a well-judged risk, and started a company that set about solving problems in application security. Examining security in depth, Williams discusses why he is so big on open source projects and his advice for IT professionals.

Why does web security mean what it does to you?

Everyone banks online and puts their personal information online at the drop of a hat. Even worse, the world’s defences, power systems, factories and just about everything else that can be deemed as critical infrastructure is managed by software. Unfortunately, we are generally terrible at writing secure software; and attackers are increasingly creative and persistent. The average application today contains 27.6 serious vulnerabilities, with each and every one being attacked on at least a monthly basis. Those aren’t good odds. For me, working on web security is a way for me to help make the world a better place.

What is having the biggest impact on online security today?

The widespread move to the cloud has meant that a lot of systems get updated and maintained faster, which used to plague organisations in the past. The cloud does introduce some new risks, but on balance I think it’s been good for security.

However, the fact that almost no web applications or APIs can detect that they are under attack and protect themselves is a disaster.  I think people would be surprised just how easy it is to attack web applications and APIs without being detected. Most application attacks should be obvious to developers, but they simply don’t look for them.

You have created many free and open projects, why is it important to you to make your software available on a wider scale?

In my opinion, the only way to be effective at application security is to turn it into software. With roughly 30 million developers in the world, the amount of new code being created every single day is unbelievable. There will *never* be enough security specialists to handle that. The only sane thing to do is to empower ordinary developers with tools, frameworks and libraries that will allow them to create secure code on their own… without having security experts on the critical path

What is the one piece of advice you can give to prevent people from becoming a victim of hackers?

The advice I’d give ordinary people on home computers (be super-careful about what software you install) is different from the advice I’d give developers charged with defending a web application or API. I tell developers to get their security story straight. There’s a bit to unpack there. A good security story establishes a clear line-of-sight from the threats you care about, through simple and strong defences, through evidence that those defences are correct and effective, to runtime exploit protection. There’s nothing scarier than development teams not being able to explain their security story in simple and clear terms.

Why is cyber security particularly impactful on coders?

Software is eating the world. As businesses transform their processes into software at an increasing rate, the burden on security teams is well past the breaking point. To combat this, the world is trying to “shift left” – meaning pushing security onto development teams. But those teams are generally already overworked and don’t have the skills to use legacy security tools like SAST and DAST.

Briefly, what is the difference between DAST (Dynamic Application Security Testing), SAST (Static Application Security Testing) and Interactive Application Security Testing (IAST)?

SAST tools build a model from source code and then examine the model for potential flaws. SAST tends to take a long time to run and reports large numbers of false positives that require expert triage.

DAST tools generate malicious web requests, send them to web apps and attempt to infer flaws by examining the responses. DAST tends to take a long time to run and often misses large numbers of real vulnerabilities that require experts to find.

IAST tools instrument applications with sensors and then monitor application behaviour, reporting vulnerabilities as the application is exercised. IAST runs in real time as part of the application and reports few false positives while making it easy to cover the entire application.

*AST tools (“Star AST”) combine SAST, DAST, IAST, and other forms of analysis into a single agent that can be deployed with an application. *AST uses all these techniques together, rather than running multiple tools and attempting the futile task of post-analysis correlation.

What makes *AST stand out from other types of security testing?

The key advantage of *AST is delivering instant and accurate findings to developers. With *AST, developers can fix their own vulnerabilities as part of their normal development process, without going through a security team bottleneck. This means that all application teams can use *AST in parallel across their entire portfolio; achieving far faster progress than with legacy SAST and DAST tools that require experts.

With coding being available to a much wider group of people than ever, do you feel that security protection needs to be a subject that is discussed more?

I’m not sure it should be discussed more… What we need is more action. We cannot continue to build trivially attackable software and use it for critical tasks. We need dramatic improvements in assurance; the world is building critical infrastructure out of toothpicks.

What do you think needs to be done to increase web security globally?

The simplest, most effective, action we can take would be to make security visible. Currently, nobody has any idea whether their online bank is secure. Nobody knows who built it, how they were trained, how it was tested, what tools were used, what defences were in place, what libraries were used, and whether it has been hacked. When people can’t make informed choices, there is no way for the market to support those with better security. By requiring “Security Facts” labels that disclose this type of information, market forces can work to correct the software market.

Do you think it’s possible to totally eliminate online security problems?

I’m not sure we can ever eliminate security problems. It’s been over 20 years since SQL injection was discovered, studied and understood. Yet, it is still one of the most prevalent vulnerabilities and one of the most common targets for attackers. We will never train, pentest or scan our way out of this problem. But we can make serious progress by deploying technologies that make exploiting whole classes of vulnerability impossible. ASLR and DEP made buffer overflows significantly harder for attackers to exploit. Similarly, RASP and REP make web application and web API vulnerabilities much harder to exploit.

The smart companies understand that their industries are being converted into software. They understand that to win in the new economy, they must be great at software. They also know that they must not be breached, or they risk undermining consumer confidence. The great companies of tomorrow will be great at DevSecOps and know how to build great software fast, without compromising security. They will be focused on building software pipelines that not only pump out high quality code, but also deliver assurance that the software has all the right defences in place.

What is around the corner for cyber security?

Unfortunately, a lot more of the same. I wrote the OWASP Top Ten in 2002, and here we are 17 years later, and the latest version has basically the same things in it. This means that we will continue to see a lot of high-profile breaches that stem from web app vulnerabilities. I seriously doubt that governments will do anything to improve the software market with respect to security. That means that industry will continue to take reckless chances with the software we all rely on.

The CTO recently spoke in-depth on his expertise at the European Digital Transformation Expo.

Related Posts

Menu