With limited budgets, and thus fewer new projects, we'll finally have some free time to step back and take a clearer look at security and compliance. This will be an opportune time to test your applications using automated scanning tools and manual hacking techniques and then map out where you truly are with regards to all the laws and regulations that apply to your business.
Take them or leave them, here are my Web security trend predictions for 2009:
1. We're going to hear and talk more about code reviews -- what I'd more precisely call static source code analysis. The vendors will start to wise up and market their static analysis tools to the people they should have been marketing them to all along: security professionals. After all, it's the security pros who use the penetration testing tools. Why can't we be the ones using the static analysis tools as well?
2. We'll continue to complain about developers not understanding security concepts and colleges/universities not teaching enough about application security. That's fine. Untrained developers are always a good excuse for covering up the real issues. The reality is that developers can't be expected to know everything about secure coding. That'd be like expecting every network admin to truly understand every protocol, every application and every OS on the network. It's just not going to happen.
I think we'll start to realize that developers can't be held 100% accountable for secure applications -- especially when the basics of Web application security aren't even in place. In the end, the security buck should stop with management. However, based on what I see in my work and according to a recent study on IT security risks, there is no real accountability, so we're sort of on our own.
3. We'll see training budgets shrink and more IT professionals having to foot the bill for their own professional development. Savvy IT pros won't have a problem with this, because they know it will pay for itself over and over again down the road. Plus, it will help keep them valuable in the eyes of their employers and, most importantly, with IT hiring in a slowdown, employed. In the end, if you're not learning more to move forward, you're moving backwards, and no goals were ever achieved going in that direction.
4. In the name of PCI DSS (or whatever other regulation du jour), we're going to receive an even bigger marketing push from the Web application firewall (WAF) vendors. The mantra will be, "Install our product and you won't have to worry about Web security issues." The fact is, installing a technical control in front of junk code may only serve to perpetuate the underlying problems and isn't going to fix anything in the long term.
Like SSL, WAFs aren't going to protect against people problems that can really make or break the security of your website/application. Case in point: During a recent Web security assessment, I found a file stored several layers down in a Web server's directory structure. I thought the file looked interesting so I tried opening it, only to find out it was password-protected. A few milliseconds later, using a password cracking tool, I had the password, opened the file, and voila! I found tons of sensitive personal information that everyone else in the world could access. Can you say security breach waiting to happen? This is something that a technical control (or automated scanning tool for that matter) would never be able to protect you against. Don't get me wrong -- WAFs do have their place -- but only after you've done your due diligence with everything else.
5. Web security is going to be a big focus in 2009. Bigger than ever before. Be it all the social networking we're doing, Web-based malware exploits, or Microsoft's push to get more businesses online, this thing we call the Web is where we're going to have to focus a large part of our security efforts. Like it or not, it's the part of everyone's network that's open. It's also where business logic is exposed and where the system complexities and subsequent vulnerabilities are simply waiting around to be exploited.
Those are my predictions for next year's major Web security trends. Happy 2009!
About the author: Kevin Beaver, CISSP, is an independent information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC, where he specializes in performing independent security assessments and information security career counseling for up-and-coming IT pros. Kevin has authored or co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and blog, providing security learning for IT professionals on the go. Kevin can be reached at kbeaver [at] principlelogic.com.