Abigail: Welcome to the second series of our podcast, the new realities of cyber security. I’m your host, Abigail Wilson. In each episode of this podcast series we’ll be inviting along some of our colleagues, who are each experts in their fields, to discuss what they do here and what they’re focusing on at the moment in the ever-changing world of cyber security. Today’s conversation is centred around untrusted apps and why this has been such a major issue for organisations. Our guests here today are Will Semple, who leads our software assurance and DevSecOps business, and Steve Morrow, our technical lead. Will and Steve, thanks for joining us today. Could you tell us a bit more about yourselves and what kind of work you do with our clients?
Will: Good morning Abi. So what we do is help our clients understand the software that’s running inside their business. This is the software that is helping the business to process their finances, to manage their HR, to interact with their customers and their client base, basically a representation of how a modern business works today.
Abigail: Great, awesome. And Steve, can you tell us a bit more about what you do?
Stephen: So, I focus in on the technical side of things, actually looking for the vulnerabilities and implementing the tools to identify them, and helping translate the technical issues into business risks that the C-level can understand and develop appropriate remediation plans for.
Abigail: Great. So more the technical deep dive in that area. I’m wondering if you could both tell me what are the top three issues you’ve been seeing working with clients over the year?
Will: Well, I think over the last twelve months we’ve seen one really serious trend appearing in the market across all industries, and that’s really about the software supply chain. That’s where our clients are bringing in software from open source, software from third parties that may have developed or built some piece of proprietary code or application for use in their business, or even partnering with well-known household vendors who provide frameworks that wrap around some of their larger services that might be available from different software or service providers. And that software supply chain issue has come about through the adoption of bigger macro trends such as cloud adoption, the ability to bring through more rapid access to markets, the ability to react faster to their clients’ demands, and as a result of that the demand that businesses are placing on software, on bespoking software and on third party support around that software has grown hugely, and with that has come a serious risk.
Abigail: Yeah, it sounds like the wider ecosystem of applications has expanded, especially with third parties and the risks attributed to those. I’m wondering if you could tell us more about the third party side?
Will: Yeah, there have been a number of really interesting incidents over the last three to six months with some household names where they’ve had some serious breaches and loss of data, and even when their applications were being scanned regularly the third party code risks weren’t being discovered. The dependencies that these applications require were the things that were actually compromised, and the testing tools and the testing regime that were in place were pretty robust, but the legacy tools and legacy approach really were not focused on the third party code, dependencies and frameworks that modern web applications, and applications in general, require to run. As a consequence of that these breaches have succeeded. Stephen, maybe you can tell us a little bit about the likes of the Node.js vulnerabilities that are out there at the minute in terms of being able to take down frameworks?
Stephen: So, essentially this particular issue manifests itself through code, JavaScript, being rendered within the browser of a particularly sensitive payment channel. The JavaScript was sitting on every page that was rendered to all users, and for anybody who entered in their personal details and their payment details, the script was basically harvesting that information and relaying it back to the attacker for use downstream.
Abigail: So, even when organisations are seeking to make their applications more secure and regularly pen test them, do vulnerability scanning, they also need to understand what other third party services are running on their infrastructure and make sure they’re also as secure as they’re expected to be.
Stephen: Absolutely. With the standard pen testing approach, it will not identify these particular problems. The pen test is normally trying to find vulnerabilities and exploit them in a direct fashion. These attack vectors are much more subtle in the way that they are brought through and take effect against the organisation. Things that would prevent this are good security standards, software security standards to prevent untrusted code being displayed on sensitive pages where sensitive information’s captured. That would prevent it. You may also put in place a process to certify or verify a piece of code that you’re using is secure and hasn’t been modified and always use that rather than just taking the publicly sourced version and pulling it through into your estate, your ecosystem, and that would prevent the attack or the malicious code making it through.
Will: Yeah, and if we just think a little bit more about that and break it down: how did the use of that library get into these web applications to begin with? We actually need to walk it right back down to where the developers are operating. Typically, at the minute, a lot of the application security functions are bolted on at the end of the development lifecycle, at the end of the deployment lifecycle, and it’s very much a cliché, it’s an afterthought.
Abigail: Of course, and retrofitting security is going to be costly and really difficult at that stage so late.
Will: Exactly Abi. There are some really strong financial benefits to moving the process much further down into the developers’ lifecycle, getting into the developers’ processes and how they think about building their applications for the business. The other mega trend that goes beside cloud is DevOps, and we’re seeing a lot of very big, very long established, conservative enterprise businesses adopting DevOps and agile methodologies, and along with that comes the developers’ ability to construct applications in a very different way. This is where this onboarding of third party code into the application right at the very source comes into play. If we can find a way to bring, as Stephen mentioned, things such as attestation, verification and certification inside the developers’ workflow as they build, deploy, manage and run the applications, we can actually reduce the costs to the client in terms of bolting on security at the end versus bolting on security.
Abigail: And help them manage that risk from the start.
Will: Exactly. Also it helps manage the risk down at where it actually enters into the business to begin with.
Abigail: So moving forward, as organisations look to roll out more apps and have more of their services based on applications and online, are there any actions that they should take to remain secure from the design stage onward or before they deploy applications?
Will: So, I think really where I tend to start my thinking around this is that we need to really broaden the understanding and the definition of what an application actually is. Traditionally we’ve thought of an application as being a web app, and I’m pretty sure people who are listening to this podcast, as soon as we say application, immediately say web app in their head. Applications appear on your mobile device, on your smart watch, on your laptop; the applications are what you use to tap on to the tube system, to buy a plane ticket. They are everywhere. They are literally embedded and part and parcel of our digital life. So that definition of applications, and understanding the consequences of when you lose trust in an application, is really significant. The second thing is really around how we adopt and adapt ourselves to the developers’ workflow. We in security tend to tell you what to do, and we’ve got to really move into more of a coaching and mentoring aspect for the developers, integrate into their workflow, and understand that activities such as compliance and governance and risk management can be really dull for developers, so we’ve got to put it into something that is really interesting to them. We call that codifying it and building it directly into their build pipelines and their workflows, and that helps us get that assurance overlay across the entire lifecycle where it’s appropriate for the client itself. So, Stephen, you used to be a developer a long time ago. What are your thoughts on how we should approach engaging with developers rather than security people for this problem?
Stephen: Yeah, I’d just like to pick up first on what you’re saying there about how we understand apps these days. You’re quite right, people will think about the word processors, the Microsoft Office type solutions, online streaming, all that good stuff, but there are a lot of new solutions coming out with software very much at the centre of that. Chatbots are software solutions, blockchain, robotic process automation, AI, all of those things. Then there’s all of the software that’s commonplace that’s used to build software too. It’s the standard stuff like web servers, databases, the collaboration platforms and so on. So, to try to come back to Will’s point, how should we approach this? Well, Will’s quite right. We can’t try to force the old security processes on top of the way developers work these days. Agile and DevOps are major movements, we can’t ignore them. Continuous delivery is the new norm.
Will: So, Abi, security is really a process. Whatever branch you’re interested in is fundamentally a process of activities that need to be carried out. It’s never truer than when we’re talking about how we help get untrusted applications into a trusted state. We have to break about the process of application security. We have to help the developers and the business work together to know the code and what’s in it, and to codify compliance, governance and risk into the developers’ workflow to get that process embedded in, so that it’s more about coaching and mentoring from the security teams as opposed to forcing old school, do-as-we-say type approaches on the developers, which is guaranteed to be rejected.
Abigail: Yeah, to ensure there is a mutual understanding of the business risk and the technology risks. So, thanks both for coming along today to talk to us. I’m just wondering if there’s a key takeaway point you could give our listeners of something you think you’ll see in the future?
Will: For me, the only thing I can see really bearing down on the horizon right now is the understanding of the exposure third party code is bringing into businesses. We’re coming off the back of a golden period of open source software, even Microsoft has open sourced a lot of its software now. That movement’s out there, the horse has bolted. It is the obvious new vector for the bad guys to undermine our business.
Abigail: Sounds like we’ll be seeing this trend. It won’t be going away any time soon. Great, thanks. And Steve, any last words?
Stephen: I think it’s not just about the tech. When organisations start to move through DevOps, DevSecOps, agile and so on, there’s a whole cultural shift where organisations have been struggling in the old way. It’s going to be difficult for organisations to bring through security into the new way of delivering software at velocity, so consider the software side of things too. It’s not just about the tech.
Abigail: Great, and that leads back to what Will was saying about the mutual understanding between the business and the risk teams and also the tech teams, the engineering parts. That’s great, thanks again guys. It’s been a really great discussion.
Will: Thank you Abi.
Stephen: Thank you.
Abigail: Thanks for listening today. Don’t forget to subscribe so you don’t miss out on future episodes. Next episode we’ll be answering the core question “why are companies still suffering from breaches?”
Cyber Threat Operations - Manager, PwC United Kingdom