Coveros CEO Jeff Payne goes into detail about his upcoming STARWEST 2014 tutorial, the importance of software testing in the mobile age, the most common types of breaches, and how he would have handled the recent security issues that Twitter encountered.
Josiah Renaudin: Today, I'm joined by Jeff Payne, who will be speaking on “Security Testing for Test Professionals” during our STARWEST 2014 showing. For starters, Jeff, can you tell us a bit about yourself and your background in software security testing?
Jeff Payne: Sure. So I've been building and testing software for about twenty-five years now, focusing primarily on software assurance, so testing software and securing software. I run a couple of companies that I founded. The first was a company called Cigital, which focuses specifically on security testing and security analysis. Now I'm running Coveros, which is a secure agile development shop. We build applications using agile that need to be secure.
Josiah Renaudin: Now, what's made so many pieces of software reliant on stronger security? Do you see even greater security requirements being implemented in the future?
Jeff Payne: No doubt. In a word, it's the Internet. We're hooking together more and more things every day, and now we're hooking together not only systems but also things like our cars and our homes and all sorts of things. As we do that for good reason, we're trying to collaborate better, communicate better, ease our world, ease our process. Those are all good things, but doing so does introduce some risk. For the first time, a lot of applications that have resided in these systems and these things are now exposed to interfaces that anybody can play with and try to break into and gain access to. That's driving a stronger set of security requirements than we've seen in the past.
I think the other thing is some of the highly publicized data breaches that have happened recently. We're seeing executives being fired now when larger data breaches are happening at places like Target and other large corporations. I always joke that maybe we've finally found the driver for application security: it's the risk of a CEO losing his job.
Josiah Renaudin: Now, we have all these greater requirements for security, but why aren't testers being taught how to properly execute security measures for modern software if we need it now more than ever?
Jeff Payne: Well, that's a good question. That's definitely what we're trying to do with our security testing tutorial that we're giving at STARWEST and also with a two-day course that we have on security testing. I think historically, security professionals have considered what they do to be a bit of a black art that only a few can really do. To some extent there's some truth in that for particular types of security activity. For instance, if you're doing architectural risk analysis on your software architecture, or you're helping design security practices or controls into your design and your architecture, those are really high-touch, high-expertise types of activities, because you have to both be a very senior-level software architect and developer type but also know a lot about threats and risks and vulnerabilities and things like that.
From that perspective, that philosophy or mentality makes sense; however, there are a lot of different activities in the application security process that developers and testers can be involved in. For instance, testing our web applications for common types of vulnerabilities that are out there, or wielding security tools to effectively test our applications for known vulnerabilities. Doing things like scanning code using tools, working to get our security requirements built better, and making sure that they're more robust and secure: all things that testers can do and should be involved in.
Josiah Renaudin: What do you see as the most common security vulnerability that can be easily avoided through intelligent testing?
Jeff Payne: I'd say it's definitely injection attacks. Cross-site scripting, SQL injection, input buffer overflows, cross-site request forgeries; they're all examples of what are called injection attacks, which are attacks on the input into our systems. These attacks are very well documented, they're typically very easy to identify, and there are good tools out there, both open source and commercial, for testing for these and identifying these types of vulnerabilities. Today, there's really no excuse for not identifying these attacks in your applications. They really shouldn't be found in the wild if almost every day one of them is identified.
Josiah Renaudin: Now, are we seeing more of these attacks and security breaches in mobile or web-based software, and why?
Jeff Payne: I would say more of both, for different reasons, though. The proliferation of web interfaces really means the attack surface for a hacker is a lot greater; there are just a lot more things to attempt to break into when you're talking about web-based systems. On the mobile side, the threat model is very different, and because of that a lot of the attacks and protections aren't well understood yet by software developers. Because of that, we see a lot of issues in mobile applications. A big one is malicious code. We download so many applications for our phones, knowing not very much about them and whether they're secure or not. The app stores don't really check to determine whether applications are secure; they're not checking to look for malicious code, things like that.
We're downloading all sorts of things, whether they're games or other applications onto our phone. They're sitting there right next to our mobile banking app or our access to our corporate systems, and we're not really sure what those applications are actually doing. We also carry our phones around and we tend to drop them and leave them places. That makes our devices much more susceptible to somebody picking them up and using them as compared to a desktop machine sitting in our office.
Josiah Renaudin: One desktop application I want to talk about is TweetDeck, because recently it was hacked by what we think is just a single teen in Austria. Hindsight's 20/20, but what would you suggest as the best preventative measure for a breach of this nature, especially for such a popular service? Twitter... it seems like everyone has a Twitter account. What would you suggest for this situation?
Jeff Payne: Well, as far as I've been able to read, the attack on TweetDeck was a cross-site scripting problem, just what we were talking about, an injection attack. There's no reason for that type of issue to get out there into the world; there are just too many tools to protect against that stuff. That's just inexcusable. Twitter obviously either didn't do security testing on the application or didn't run web application security test tools. Maybe they didn't think it was a critical enough application. I don't know exactly why they didn't do it, but that type of issue is very easily identified. In fact, if you read the account of what the teen did, it was simple to break into the system, which shows you that Twitter really didn't do anything to prevent that.
Now, in terms of what you do about those things: well, first, you do security testing. If they had just done simple security testing on the system, it wouldn't have had this problem.
Josiah Renaudin: Absolutely. As someone with experience speaking in front of Congress, like yourself, about critical software issues, do you think we've instituted enough federal policies to mitigate cyberterrorism and security breaches in critical software?
Jeff Payne: Well, first of all, I don't really personally believe policies and procedures are the answer for improving security. I guess in my experience, and I've worked with a lot of the standards and policies and procedures that are out there, what they typically do a good job of is establishing a low bar so that you're not just criminally negligent, we'll call it, in terms of your security protection. My personal belief is, if you want to improve security and the federal government wants to do that, they need to start firing people when things happen; it gets down to that. We need to start being serious enough about these types of things that when someone is not diligently trying to protect systems, they need to suffer and pay the consequences by losing their job. That's the only thing that's going to get the attention of people.
Back to policies and procedures for a minute. I've seen the way these things have been developed, and they're by committee, which means usually it's a low-bar consensus, what everybody agrees to. I'm likening it to, if you're twenty years old and you got a C on a fifth grade math test, it's a passing grade, but did you really pass?
Josiah Renaudin: Exactly.
Jeff Payne: We can't look at these policies and procedures as the passing grade for security. Unfortunately, a lot of times in the federal government that's exactly what we do.
Josiah Renaudin: All right. This is the last question, since I don't want to give too much of your talk away. What do you see as the main sticking point of your upcoming presentation? What do you really want your audience to remember about software security?
Jeff Payne: Yeah, so there are many aspects, obviously, that a software testing organization can be involved in. My goal in the tutorial that I'm giving is to really talk about what it is a tester can do and how they can help this process, so things like the TweetDeck problem don't occur. There's no reason for those things to occur, and software testers are more than capable of doing security testing to make sure those things don't occur.
The other thing I always try to get across to the audience is that having security on your resume is a great thing. It helps your career, it gives you upward mobility, and maybe it gives you some more dollars in your organization. From a career perspective, it's a great thing to learn and know, and it's not going away anytime soon. A good place to invest some time and energy.
Josiah Renaudin: All right, Jeff. Well, I appreciate your time. I'm looking forward to your tutorial, and it was really nice talking to you.
Jeff Payne: Thank you very much, it was fun.
Jeff Payne is CEO and founder of Coveros, Inc., a software company that builds secure software applications using agile methods. Since its inception in 2008, Coveros has become a market leader in secure agile principles and was recognized by Inc. magazine as one of the fastest-growing private US companies. Prior to founding Coveros, Jeff was chairman of the board, CEO, and cofounder of Cigital, Inc., a market leader in software security consulting. Jeff has published more than thirty papers on software development and testing, and has testified before Congress on issues of national importance, including intellectual property rights, cyber terrorism, and software quality.
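The interview's central technical claim is that the injection bugs it lists (cross-site scripting, SQL injection) are easy for a tester to find with simple, repeatable checks. The following is an added example written for this page to show what such a check looks like in practice; it is not code from Coveros, Twitter, or TweetDeck, and the rendering and lookup functions are constructed stand-ins, not the actual vulnerable TweetDeck code. Each vulnerable function sits beside a hardened version, and two small "testers" feed attacker-style payloads through them and report whether the payload was executed or reflected unescaped.

```python
import html
import sqlite3

# --- Cross-site scripting (XSS) -------------------------------------------
# Constructed stand-in for a "render a tweet" function. The vulnerable version
# drops user-controlled text straight into HTML, which is the root cause of
# reflected and stored XSS.
def render_tweet_vulnerable(text):
    return '<div class="tweet">' + text + '</div>'

# Hardened version: HTML-escape the text before it reaches the page.
def render_tweet_safe(text):
    return '<div class="tweet">' + html.escape(text, quote=True) + '</div>'

# A few well-known XSS probes (constructed sample payloads).
XSS_PAYLOADS = [
    '<script>alert(1)</script>',
    '<img src=x onerror=alert(1)>',
    '"><svg onload=alert(1)>',
]

def xss_findings(render):
    """Return the payloads that a renderer emits verbatim (unescaped).

    An empty list means every probe was neutralised; any entry is a finding
    a tester would report.
    """
    return [p for p in XSS_PAYLOADS if p in render(p)]

# --- SQL injection --------------------------------------------------------
def make_db():
    """Build a small in-memory users table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (username) VALUES (?)",
                     [("alice",), ("bob",)])
    conn.commit()
    return conn

# Vulnerable lookup: the username is spliced into the SQL string, so a quote
# in the input changes the query's structure.
def find_user_vulnerable(conn, username):
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

# Hardened lookup: a bound parameter is always treated as data, never as SQL.
def find_user_safe(conn, username):
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()

# Classic tautology probe. No user has this name, so a correct lookup must
# return zero rows; rows coming back means the injected predicate ran.
SQLI_PAYLOAD = "' OR '1'='1"

def sqli_vulnerable(lookup):
    """True if the lookup returns rows for the tautology payload."""
    conn = make_db()
    try:
        return len(lookup(conn, SQLI_PAYLOAD)) > 0
    finally:
        conn.close()

if __name__ == "__main__":
    print("XSS findings, vulnerable renderer:", xss_findings(render_tweet_vulnerable))
    print("XSS findings, hardened renderer:  ", xss_findings(render_tweet_safe))
    print("SQLi, vulnerable lookup:", sqli_vulnerable(find_user_vulnerable))
    print("SQLi, hardened lookup:  ", sqli_vulnerable(find_user_safe))
```

The same pattern scales up: a tester keeps a payload list per vulnerability class, drives it through every input the application accepts, and flags any input whose output (HTML, query result, error message) shows the payload being interpreted rather than treated as data. Commercial and open-source web scanners automate exactly this loop over a live application.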