In today's Instant-On Enterprise, applications are spun up faster than ever.
While this blistering speed of application development and deployment may enable the business to be more agile and responsive to the changing business climate than ever, it creates unparalleled challenges for anyone with security as part of their job description.
An estimate that I've tossed around based on educated conjecture is that the capabilities to test for security defects in technologies is about 18-36 months behind the release of those technologies.
This means that when a cool, new UI framework is released today, it will likely take 12-18 months for the security community to understand it, find security defects, and build tools to effectively scale the automation of finding these defects on a large scale.
Whether you agree with me on the length of time, everyone can agree that there is some significant lag time.
That means that at a minimum there is some time where technology is deployed into your enterprise without the Information Security organization fully being able to understand and identify security defects in that code.
If that scares you, you're not alone.
I too lose sleep at night to these types of thoughts. Enterprise security is a topic that reaches far outside the realm of Software Security Assurance and rarely gets much air time on my blog - yet securing 'shiny objects' (a term I affectionately use for the bleeding-edge web technologies developers seem to love) requires a full-scale enterprise security approach.
When you have to protect a development technology you can't fully understand, sometimes the only method of protection is at the network layer by identifying known attack patterns and accounting for possible mutations.
Strong network-level technology (*cough* IPS/WAF *cough*) - something we tend to discount heavily in the application security world - may be our only saving grace!
Identifying attacks, and correlating events turns into a stop-gap while the capabilities around testing and development-level analysis play catch-up ... it's a race against the clock for sure.
So... as your developers start to pick up interest in HTML5, and other types of "shiny objects" type technologies think about how you're going to assess and protect those applications in the break-neck pace of business.
Remember, Software Security Assurance is not a stand-alone concept. SSA plays a major role in enterprise security, and the technology-based risk. At the end of the business day, it all rolls up into business risk, and that is what your executives care about anyway, right?
Understanding how these pieces fit together, and how the lagging capabilities of information security can be compensated is key to securing your business in today's "Instant-On Enterprise"...
Good luck! You know where to go if you need help.
References:
- Security attacks hit home, IDM, 4/7/11
- Security Exploits Increasingly Complex, InformationWeek, 3/17/10
- Denial of Service Most Common Attack Vector in Second Half 2010, eWeek.com, 3/15/11