Web application security - or the lack of it, because companies don't pay enough attention to protecting their internet applications - was a topic of debate at the Black Hat Briefings Thursday in Las Vegas.
Enterprises are still held up by not doing the basics correctly when developing web applications, said Paul Proctor, analyst at research firm META Group. "They're not even looking at security as part of the development lifecycle," he said.
Caleb Sima, CTO and co-founder of web application security provider SPI Dynamics, said the fundamental problem stems from the pressure placed on developers to meet deadlines and focus on features rather than security. Tools that assess the security of web applications can help identify a majority of vulnerabilities, he said.
"That assumes they use the tools properly," Proctor responded. Jeremiah Grossman, CEO of WhiteHat Security, said, "Running a tool on your site isn't necessarily due diligence," but Sima countered that it shows initiative on the part of the company to address the issue.
Assessment services, or penetration tests, are another method companies rely on for securing their web applications, but companies often don't bring in consultants to perform security assessments until the application is already going live, panelists said. "It's always the last check mark they have," noted Frank Lam, senior manager at Deloitte & Touche.
Panelists agreed that developers need security training, but Sima said that many companies don't have the money or time to train all their developers. "The easiest way to train developers is to make it easier for them" to implement security, he added. Performing input validation on web applications can eliminate many vulnerabilities, he said.
Designing web applications securely from the start is key, Proctor said. The cost of fixing security flaws after an application is released is 60 times the cost of fixing them during development, he said.