I attended the Information Security Society Switzerland (ISSS) Security Lunch in Zürich on October 6, 2010. It was a civilised affair consisting of a sit-down lunch, with a security presentation given between the first and main courses. About 20 people were present. I didn't know that ISSS existed until a few weeks ago.
The president of the ISSS, Thomas Dübendorfer, gave a brief introduction to the speaker, Prof. Dr. Hartmut Pohl. Prof. Pohl is the CEO of softScheck, a spin-off from the Hochschule Bonn-Rhein-Sieg in Germany. Peter Sakal was also there to answer questions.
In his talk, Prof. Pohl gave an overview of softScheck's Secure Development Life Cycle (SDLC) methodology, which is called Rapid in-Depth Analysis (RiDA). The approach is similar to the Microsoft Security Development Lifecycle (SDL). This is perhaps not surprising, since Microsoft is one of their partners. RiDA places great emphasis on threat modelling, fuzzing and static analysis. An important goal is to identify vulnerabilities before the software is released, rather than after. To achieve this, RiDA employs a combination of best-of-breed fuzzing tools, and code coverage is the significant driver of the fuzzing: softScheck aims to cover between 75% and 85% of the codebase under test.
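The following is an added example, not softScheck's tooling and not anything shown in the talk, of what it means for code coverage to drive a fuzzing campaign. It is a minimal coverage-guided mutation fuzzer in Python: each input is run under a line tracer, an input joins the corpus only if it executed a line no earlier input had reached, corpus entries are expanded with an AFL-style deterministic stage and then a random "havoc" stage, and genuine crashes are reported separately from the parser's own deliberate rejections. The coverage percentage it returns is the kind of figure a 75% to 85% target would be measured against. The target `parse_record` is a constructed toy parser with a planted out-of-bounds read, the seed record `b"RD\x01\x00"` is constructed, and the names `fuzz`, `run_with_coverage`, `deterministic`, `havoc` and `INTERESTING` are the example's own.

```python
import dis
import random
import sys
import traceback

# AFL-style "interesting" byte values: boundaries that tend to flip length and type checks
INTERESTING = (0x00, 0x01, 0x02, 0x7F, 0x80, 0xFF)


def parse_record(data: bytes) -> dict:
    # Constructed toy target (not softScheck/RiDA code); its version-2 path has a planted bug.
    if len(data) < 4 or data[:2] != b"RD":
        raise ValueError("bad header")
    version, length = data[2], data[3]
    payload = data[4:4 + length]
    if version == 1:  # version 1 is lenient about short payloads
        return {"version": 1, "payload": payload}
    if version == 2:
        if len(payload) != length:
            raise ValueError("truncated")
        if length == 0:
            return {"version": 2, "payload": b""}
        if payload[0] & 0x80:  # BUG: reads a trailer byte the length field never promised
            return {"version": 2, "payload": payload, "trailer": data[4 + length]}
        return {"version": 2, "payload": payload}
    raise ValueError("unknown version")


def run_with_coverage(target, data):
    # Runs target(data) once under a line tracer; returns (lines of target executed, outcome).
    code, lines = target.__code__, set()

    def tracer(frame, event, arg):
        if event == "line" and frame.f_code is code:  # count lines of the target only
            lines.add(frame.f_lineno)
        return tracer

    sys.settrace(tracer)
    try:
        target(data)
        outcome = ("ok", None)
    except ValueError:  # the parser's own, intended rejection
        outcome = ("rejected", None)
    except Exception as exc:  # anything the parser did not intend is a finding
        frames = [f for f in traceback.extract_tb(exc.__traceback__) if f.name == code.co_name]
        outcome = ("crash", (type(exc).__name__, frames[-1].lineno if frames else None))
    finally:
        sys.settrace(None)
    return lines, outcome


def deterministic(data):
    # AFL-style deterministic stage: every interesting value at every position, then appended
    for pos in range(len(data)):
        for val in INTERESTING:
            yield data[:pos] + bytes([val]) + data[pos + 1:]
    for val in INTERESTING:
        yield data + bytes([val])


def havoc(rng, data):
    # random stage: stack one to three byte-level mutations (inputs capped at 64 bytes)
    out = bytearray(data)
    for _ in range(rng.randint(1, 3)):
        op, i = rng.randrange(3), rng.randrange(len(out))
        if op == 0:
            out[i] = rng.randrange(256)
        elif op == 1 and len(out) < 64:
            out.insert(i, rng.choice(INTERESTING))
        elif op == 2 and len(out) > 1:
            del out[i]
    return bytes(out)


def fuzz(target, seeds, phases=5, havoc_rounds=200, rng_seed=1):
    # An input joins the corpus, and is mutated further, only if it reached a new line.
    rng = random.Random(rng_seed)
    executable = {ln for _, ln in dis.findlinestarts(target.__code__) if ln is not None}
    covered, corpus, queue, crashes = set(), [], [], {}

    def execute(data):
        lines, outcome = run_with_coverage(target, data)
        if outcome[0] == "crash":
            crashes.setdefault(outcome[1], data)  # first input seen per crash site
        if not lines <= covered:
            covered.update(lines)
            corpus.append(data)
            queue.append(data)

    for seed in seeds:
        execute(seed)
    for _ in range(phases):  # expand every new corpus entry deterministically, then mutate at random
        while queue:
            for candidate in deterministic(queue.pop()):
                execute(candidate)
        for _ in range(havoc_rounds):
            execute(havoc(rng, rng.choice(corpus)))
    percent = 100.0 * len(covered & executable) / len(executable)
    return {"corpus": corpus, "crashes": crashes, "coverage_percent": percent}
```

Calling `fuzz(parse_record, [b"RD\x01\x00"])` returns the corpus, a `crashes` dictionary keyed by (exception name, line) holding the first input that reached each crash site, and the percentage of the target's executable lines that were reached. With this seed the deterministic stage alone walks from the valid version-1 record to a version-2 record, then to one with a non-zero length field, and from there to the five-byte input that triggers the out-of-bounds read; none of those intermediate inputs would have been kept without the coverage feedback, because each of them is rejected by the parser. The coverage figure is also what tells an operator whether the fuzzer is still reaching new code or only re-executing what it already found, which is why a coverage target is a more useful stopping criterion than a fixed number of iterations.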
Prof. Pohl provided statistics showing that RiDA identifies, on average, 50 critical vulnerabilities per application tested.
RiDA is a sound approach, as it provides a formalised SDLC methodology. But I can imagine that it is not cheap, as the fuzzing tools, for example, require a lot of manual interaction. However, Prof. Pohl argued that it is still a lot more cost effective to identify the vulnerabilities during the development phase than to wait until they are found in the wild.
As an aside, I wonder if that is always the case - especially in the web environment. A few weeks ago, a Cross-Site Scripting (XSS) vulnerability was discovered in Twitter. While this was no doubt a bit embarrassing for Twitter, and perhaps did some reputational damage, they did have it fixed in a day or two. So it didn't cost too much and the issue itself will be quickly forgotten - except by us information security people.
Rapid in-Depth Analysis is a contender in the drive to minimise security bugs, but you will probably need deep pockets to derive all the benefits. This implies a serious commitment to security from company management.
- Presentation Slides (PDF)
- softScheck (German)
- Information Security Society Switzerland (ISSS) (German)
- Microsoft SDL
- XSS and Twitter