
DC Application Security 2010

Application Security Executive Breakfast on Friday February 26th starting at 8am

Keynote Speaker

Don Gray, Solutionary

Featured Speakers

Steve Wolford, Oracle

Ryan Berg, IBM

Roger Thornton, Fortify

Featured Member

CSO Breakfast Club Member Cathy Hubbs Discusses Application Security

Websites have emerged as the leading attack surface. In response, Cathy Hubbs, Chief Information Security Officer (CISO) at American University (AU), is focusing on web application security as one of the primary security fronts. Her security team has partnered with the development and engineering staff to clearly define standard, repeatable practices for the enterprise refresh and development life cycle. Fulfilling this mature, standard process required buy-in from the University's business officers to fund routinely standing up three distinct computing environments whenever a new enterprise service is established.

While the conscientious CISO is establishing the proper controls internally, a constant vulnerability remains in the insecure code purchased from others. How does one address the issues raised by both internal custom code and third-party application development?

For Cathy, good application security is multifaceted. First, make sure there is a standard practice in place and that all stakeholders are committed to following it. Second, it is absolutely critical that detective controls be in place. As Cathy notes, "hackers are performing the same tricks, cross-site scripting and SQL injection, taking advantage of the complexity of web applications." Third, don't forget to use your tools to assess your third-party code; it is being rushed to market with vulnerabilities.

So, how did Cathy assure application security at AU? She started with an evaluation of existing staff resources and expertise, crafted requirements, and, finally, evaluated tools and services.

In the end, she chose a web-based service from WhiteHat Security, Inc. WhiteHat offers proprietary network scanning plus a premium service that includes continuous testing of technical and business logic, with manual work to uncover business logic flaws. In this way, the scans are tuned to the customer's specific environment. Cathy finds this service very attractive for a number of reasons: she pays an annual subscription fee and nothing else – no hardware purchases, no appliance fees; her internal staff act as liaisons between the service and the development staff; and there are no false positives, because findings are validated before they are forwarded. To top things off, WhiteHat ends up training her organization's developers to avoid making the same mistakes over and over again.

In summarizing her thoughts on application security, Cathy notes that "building strong partnerships with your developers is the best way to win." Her advice to CISOs new to application security is "partner with your developers and work toward documented, consistent, repeatable code practices."

Cathy Hubbs is Chief Information Security Officer at American University in Washington, DC. She has been in a dedicated information security role for 8 years. Cathy serves on the CSO Breakfast Club Advisory Council.

Attachments

Attachment                                           Size
Cathy Hubbs Application Security February 2010.pdf   47.01 KB
DC FEB 26 APP SEC MAIN(small).pdf                    1.7 MB
FEB MAR APP SEC SOLUTIONARY.pdf                      429.48 KB
FEB MAR APP SEC IBM.pdf                              3.2 MB
DC FEB 26APP SEC ORACLE.pdf                          1.77 MB
DC FEB 26 Application Security Courion.pdf           4.31 MB