Last month we launched our 2017 CISO Investment Blueprint, which analyzes survey responses from 100 security decision makers regarding the current state of application security. In addition to the survey results, we’ve chatted with several innovators in the security industry to get their thoughts on appsec today and the future.
In the past several weeks we’ve been publishing these interviews, filled with insights around the challenges and opportunities present for security decision-makers in 2017. We welcome your feedback and observations as well! Tweet us or shoot us an email to share your thoughts.
Our last Q&A is with Josh Sokol, who is an OWASP Board of Directors member and brings an interesting perspective to our application security challenges conversation. OWASP has run several bounties and responsible disclosure programs with Bugcrowd. Read more about their programs here.
Jason Haddix: How did you first get introduced to security?
Josh Sokol: As a kid, I was always interested in computers and learned to write code at a fairly early age. I played around with using other people’s hacking scripts on AOL and IRC. When I graduated high school, I knew that I wanted to do something with computers, but wasn’t exactly sure what, so I went to school for Computer Science. After graduation, I spent about 8 years working as a Unix and Linux Systems Administrator with a side-passion for security. Occasionally, in my spare time, I would do some light penetration testing on the systems I was working on. I was working as a Web Systems Engineer at National Instruments when I got involved with OWASP. It was my involvement with the OWASP Austin chapter that really gave me the skills I needed to advance my career and focus full time on InfoSec. Eventually, I made the business case to my management to be the first full-time security professional at National Instruments.
JH: What are you most proud about in 2016 that you’ve accomplished?
JS: The thing that I am most proud of accomplishing in 2016 is the tremendous growth of my open source side-project, SimpleRisk. When I first released it back in 2013, I did it with the goal of making basic risk management obtainable for organizations of all sizes. There was a huge gap between the few who could afford $500k+ GRC suites and everybody else who was using Excel spreadsheets to manage their risks, or in some cases, nothing at all. Last year, we saw about a 5x growth rate over the previous year, with installations of SimpleRisk now numbering in the thousands. I have no formal business training, so building a company from nothing, with an open source tool, has been a huge learning experience for me.
JH: You also sit on the board at OWASP. How is OWASP shaping the future of appsec?
JS: OWASP is the largest community of application security professionals in the world. There are hundreds of chapters holding meetings multiple times a year with the mission of spreading knowledge on application security. There are projects spanning everything from documentation on how to build secure applications and test them to tools for penetration testing and defending your web applications. There are conferences, summits, mailing lists, hack-a-thons, and dozens of other ways to get involved. The future of application security is in the community coming together to discuss the challenges and come up with solutions for them, and OWASP is leading the way for that.
JH: From your unique perspective with close proximity to OWASP, what do you think the biggest challenges have been for appsec over the past year?
JS: From a pure development perspective, I think that AppSec is in pretty much the same place as it has been for years. The community around OWASP and similar organizations is pretty amazing in terms of creating tools and documentation to make secure software. Unfortunately, we often have difficulty getting our message out outside of the echo chamber. We continue to preach about application security, hoping that the right people will listen, but the reality is that we need to actively seek out the developers whom we are targeting.
That is why, in 2017, the goal of the OWASP Foundation is to do four very large (~500 developers) application security trainings. Instead of waiting for the developers to find us, OWASP will be going out and promoting these low-to-no-cost trainings in strategic locations around the globe. If things go as expected, we will look to expand upon this program in 2018 and beyond.
JH: In addition to closing that gap between developers and security folks, how can we improve appsec in the near future?
JS: In the near future, I think that the key to improving application security lies in the security community increasing its level of engagement with universities and the students who attend them. Back when I was studying Computer Science, there was no formal training on security. The closest we ever got was a networking class where we learned about firewall ACLs. Can you imagine being tasked with building a skyscraper when you’ve only ever built houses? While both involve construction, the methods and materials are vastly different, and the building will come crashing down due to your lack of knowledge and experience. These future developers are being put in situations where they will be tasked with building massively complex applications without the knowledge and experience to do it safely. While a few schools are now introducing students to security-related topics, the experience is still broadly inconsistent. As members of the security community, we need to start working with these schools to develop the curriculum so that students are prepared to write secure code when they enter the workforce. As employers, we need to start letting these schools know that we need this formal security training in order for their students to be able to contribute effectively from day one.
JH: We work with many universities across the country exposing them to bug bounty programs and real-world security challenges. How have you seen bug bounties fitting into appsec in the past?
JS: Traditionally, when a company wanted to see if their application had vulnerabilities, they would hire a company to do a penetration test of that application. It was a point-in-time snapshot of the security of that application and was subject to the skills and experience of the person assigned to the test. The challenge, however, is that most applications are constantly evolving. Especially now, with the rise of agile development, some companies are deploying code multiple times an hour or more. It is impossible to fully validate your applications when things are changing so quickly. Bug bounties are a way to encourage new and different people to be testing your applications every day.
JH: Do you think that will change in the future?
JS: As your applications continue to change and evolve, so will the testing of the security of your application. While I don’t necessarily see bug bounties as a replacement for hiring a third-party penetration tester, I do think it’s an excellent way to get more eyes on your applications in the meantime and to incentivize the people testing it anyway to do a responsible disclosure.
JH: What’s in store for the coming year?
JS: 2017 is going to be an amazing year full of trials, tribulations, and triumphs. My goal is to approach each trial with the determination to give it my best, each tribulation with the resolve to keep on fighting through, and each triumph with the humility to acknowledge all of those around me who continue to contribute to my success.
To read more about appsec challenges and opportunities facing security orgs, download our recent report that distils survey findings from 100 CISOs.