In the second part of this two-part interview, application security expert Dave Ferguson talks about the security testing landscape, top security tools and the job market for AppSec professionals. Be sure to follow Dave on Twitter @dferguson_usa or his blog, and get to know him better in the first part of our interview.
uTest: You tend to hear about breaches and security the most when they hit consumers’ wallets (i.e. Target). Is retail, for instance, more vulnerable than another industry right now?
DF: Higher education has a constant stream of data breaches as well, but retailers are definitely a huge target (no pun intended). Retailers process payments and handle personally identifiable information, but they don’t often have a culture of security like a financial services company, government, or defense contractor. They also don’t have big security budgets or vast resources like those other types of organizations. I have a feeling retailers are starting to devote more attention to security now, though.
uTest: Do you think that something as huge as Heartbleed awakened some organizations that may have otherwise been lax in certain areas of their security strategies?
DF: Absolutely. The Target data breach and the Heartbleed flaw in the OpenSSL library have spurred action within many organizations. Company executives and boards of directors want some assurance that they are not vulnerable. Increased security testing of applications, especially Internet-facing apps, is going to be a major component of that.
uTest: What’s changed the most in the security testing landscape just in the past couple of years?
DF: The most dramatic change is that formal bug bounty programs are now being rolled out by many organizations. This would have been a very radical idea just a few years ago. A bug bounty program defines rules of engagement and offers cash rewards to security researchers who find vulnerabilities and disclose them in a responsible manner. Bug bounties are a welcome change. I wish the streaming media company I had contacted had such a program back in 2006!
Two other changes I’ve seen are a dramatic increase in the need for security testing of mobile applications, and a realization that the security of third-party software components needs to be verified.
uTest: What are some security tools you use that are a must-have?
DF: By far, the main security assessment tool in my toolkit is Burp Suite Professional. It’s like the Swiss Army knife of application security testing. It’s powerful and intuitive to use.
I also find the Web Developer extension from Chris Pederick to be very useful for simple needs, such as viewing or editing cookies. Other tools I’ll pull out as needed include Wireshark to view raw network traffic, O-SAFT to find weaknesses in SSL/TLS, and DirBuster to find sensitive files and directories on a server.
uTest: What does the security landscape look like right now for job seekers?
DF: It is very hot. Application security testing is a highly specialized skill and in demand. The best candidates tend to be highly technical and have significant application development and coding experience. It is also important to be able to think like a bad guy. You have to use your brain and be creative in your testing. Using a “point-and-click” vulnerability scanner is not nearly good enough.
Developers understand at a deep technical level how applications are put together and how the code works. This is incredibly valuable when it comes to application security testing. In fact, many organizations rightly believe it is more effective to hire a software developer and teach him or her about security principles and vulnerabilities than it is to take network security people and teach them about applications, or QA people and teach them about security vulnerabilities.