OWASP founder: Focus on the top issues

Veracode’s strategic VP, also known as OWASP founder Mark Curphey, said at a conference on the use and risk of open source software libraries that we are at a fundamental turning point in application security.

He believes that this change stems from three major trends:

1. The cloud: Using the cloud will fundamentally change the way we think about security.

2. The use of open source: Similarly to the cloud, the shift to open source both creates greater security risks, but also an opportunity to change and improve security. When everyone is re-using one central resource, if we focus on securing that one resource – we have a big opportunity to change the security landscape.

3. DevOps: This model’s focus on automation and continuous delivery will shift the way we think about security and how to embed it into developers’ processes.

On the open source side, Curphey emphasises that there is a continually changing trend in open source production and consumption. On the consumer side, it is difficult to find a company that does not use the open source code to build products and services. His data from SourceClear shows that up to 95% of customer code libraries are open source. On the other hand, on the production side, we can see that the number of open source libraries being created has increased, and they are being distributed faster and smaller. The increase in quantity and speed ultimately means that it is more difficult to check carefully which are safe and which are not. At the same time, development speeds are increasing, which means that any security checks that slow or interrupt the developer’s workflow will not work. Today’s application security needs to be unimpeded and straightforward, which primarily means automation.

Curphey pointed out that today we need to change the way we think about application security, to ensure that developers understand how to encode and scan their code securely is not enough, which brings great security risks. More important is to consider the open source libraries that developers use in their code. Open source is now the key to innovation, and there are effective ways to use it safely, which requires changing our security thinking to adapt to this new reality, rather than being afraid of it. 

On the other hand, attackers not only attack open source libraries, but they also create malicious open source code, and the organisation unknowingly incorporates it into its system code base, which is also a significant trend.

But Curphey also pointed out that there is no need to worry too much. The solution is to focus on the top issues. He explained that in many cases when developers introduce open source libraries, they only use a small part of the code, maybe just one of them. A feature. Therefore, even if the open source library is marked as vulnerable, the organisation using the organisation may not be attacked. In such cases, the security team needs to help the development team determine acceptable risks and prioritise remediation or mitigation, focusing on the primary security issues.

Via: dzone