
An Open Letter to Our Next President

Dear Future President,

Thank you so much for using computer security as a talking point in your campaign this season. Allow me to personally say that, as a computer security professional, your bringing this issue more firmly into the spotlight can only be a good thing. If I may be so bold as to speak for many of my past, present, and future colleagues, having our industry become a conversation piece in homes has done more than any awareness campaign our marketing departments could have dreamed up. (Though IBM deserves a nod for running a Super Bowl ad on computer security a few years back.) We appreciate the current President’s initiatives to bring our country’s cyber security up to a common standard, and I particularly appreciate Initiative 8’s intent to work on education.

So now that you have the nation’s full attention, and our sector has your attention, I’d like to bring up a few special requests from my part of the security ecosystem.

On the most official side, could you share your data classification schema more widely? Data classification standards in an organization are the key to beginning to plot out a security strategy and plan. Many companies don’t realize that security metadata is considered by your office to be Sensitive But Unclassified, because a website’s IP address can fairly easily be determined through (usually legal) means such as a simple ping or another discovery protocol. Security data is all about what is going on within a system: fragments of bytes, offending scraps of an attacker’s code, anti-virus reports on which bit of malware they’ve quarantined. Without guidance that security metadata is separate and very different from your real data (PII, intellectual property, payment card information), some companies are paralyzed with indecision about outsourcing any part of their security operations, scanning, or monitoring because they don’t understand the difference. This keeps them from asking for help when they need it. A firm guideline document from you would help a lot.

In security, we talk all the time about the weakest link being people, with all of the social engineering attacks that arrive via emails and embedded in files. Given that just under half of all successful breaches involve an insecure web application, I think we as security professionals owe it to people to make those applications more secure. I’d like to live in a world where my mom can click the wrong things, or accidentally paste those long lectures she sends me into the entry blank on a form, and not have things go terribly wrong for her or for the site she’s visiting.

I’ve been pondering how to approach this part of the awareness issue, where I might ask your help. I’d love to see people start referring to the cyber-security discipline as “network and application security” as a whole. Just that much will help people start thinking about their applications and prioritizing a security review.

There is good work being done by organizations like OASIS, who are working to make standards for our security community. They’re creating guidelines for how to formulate and transmit security and threat data, so that we vendors can integrate more quickly with one another in creating a fabric of security. For years, integrating one part of network security with another has usually taken manual work, and most of those tools haven’t talked to application security tools at all. Your encouragement in this area will make a difference.

Finally, I’d like to talk about people. Security as a discipline is made up of tools, processes, and people. Some people specialize in building tools, some use the tools, some monitor the tools. Some investigate what happened and do troubleshooting. Believe it or not, these people currently come to this career from all walks of life. I visited a customer site once where the woman who ran the endpoint security system had started life as a very proactive secretary, with solid project management skills. She did a good job. I don’t know that anyone with a computer science degree could have run that system more efficiently.

Those people in IT who need to know more about security, and here I’m talking about the people who build applications and write programs, need to know how to do so securely. Now, I know there’s a lot of training out there, varying from company to company. There’s tool-specific training and computer-based scenario training. There are professional organizations like SANS and ISC(2) which exist to try to reach more future security individuals. I’d really love to see the U.S. Department of Education committees reaching out to organizations that provide different kinds of training, and helping them build connections with high schools, trade schools, community colleges, universities and veterans organizations alike.

As a woman in security, I want other women and girls to see that they have options, to do things they never dreamed about before. When I was in school, I wrote down what I wanted in a job: I wanted to travel widely, making decent money while I helped make the world a better place. I found that in security. With your help, more people might be able to share that kind of dream, and help our industry close an ever-widening gap of capable job candidates.

Thanks, and best wishes.

Jeannie Warner

Originally published on the RSA Conference Blog