Tools don't make people smarter. Nor do they improve the process through which solutions are built and deployed. Tools simply make people more efficient in jobs they are already trained to do.
Part of the series The Five Most Common Misconceptions of Enterprise Security (preceded by Misconception No. 2: Believing the Hype of Technology and Tools; followed by Misconception No. 4: Assuming Secure Software is Costly).
Tools don't teach a surgeon how to operate or a road worker how to jack-hammer a hole. I didn't become a better mechanical design engineer because I learned how to use AutoCAD; it just made me more efficient in the job I was already trained to do.
This is especially true of application security tools. The market here is still nascent and users need more education before tools can be truly useful. Network security tools are similar but luckily the market, purpose, and limitations of the tools here are better understood and much more mature.
When using a scanner (source code or Web), remember that they are just that: scanners. They produce false positives, and they miss real vulnerabilities (false negatives), including serious ones. Scanners are also notoriously poor at catching business logic vulnerabilities, which are often the most damaging of all.
These are vulnerabilities that abuse behaviour the application considers acceptable in order to steal from, or circumvent the checks in, your system. Take the example of a negative-integer attack on an ecommerce site. If the site relies on client-side validation alone (all too many sites do, mainly for performance reasons), the server accepts whatever value the browser sends back, so it's easy to poison the cookie or form field that carries the price and flip it from positive to negative.
And because our business systems are so compartmentalized, most of these attacks go unnoticed. The accounting group just gets a notice that says "debit this person's account -$74.99", while the shipping department just gets a message that instructs them to ship the item to the user. Nothing correlates the two business functions, and a tool can't help because every individual message is well-formed and valid on its own.
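The negative-price attack and the missing correlation between accounting and shipping described above, as an added example that is not part of the original article. The vulnerable checkout trusts the price and quantity the client sends (the "poisoned cookie"); the hardened one looks the price up server-side and rejects non-positive quantities, so a poisoned price is simply ignored; and a reconciliation routine flags any order that shipping would fulfil while accounting is told to debit zero or less. The catalogue, SKUs, prices and request dictionaries are all constructed for the example.

```python
"""Added example, not code from the original article: a toy checkout showing the
negative-value attack, the server-side fix, and a reconciliation check that
correlates the accounting and shipping records. All data below is constructed."""
from dataclasses import dataclass

# Assumed server-side catalogue: the only trustworthy source of prices.
CATALOG = {"SKU-100": 74.99, "SKU-200": 19.50}


@dataclass
class Order:
    sku: str
    qty: int
    charge: float   # amount accounting is told to debit
    ship: bool      # whether shipping receives a fulfilment message


class InvalidOrder(Exception):
    pass


def checkout_vulnerable(request: dict) -> Order:
    """Trusts the price and quantity that arrive from the browser. Client-side
    JavaScript 'validated' them, so the server never re-checks; this is the flaw
    the article describes."""
    qty = int(request["qty"])
    price = float(request["price"])          # attacker-controlled value
    total = round(price * qty, 2)
    # Accounting sees "debit -74.99", shipping sees "ship SKU-100"; nobody compares.
    return Order(request["sku"], qty, total, ship=True)


def checkout_hardened(request: dict) -> Order:
    """Never trusts client-supplied money values: the price comes from the
    catalogue, the quantity must be a positive integer, and the total must be
    positive. A poisoned 'price' field is ignored rather than honoured."""
    sku = request["sku"]
    if sku not in CATALOG:
        raise InvalidOrder("unknown sku")
    try:
        qty = int(request["qty"])
    except (TypeError, ValueError):
        raise InvalidOrder("quantity is not an integer")
    if qty <= 0:
        raise InvalidOrder("quantity must be positive")
    total = round(CATALOG[sku] * qty, 2)
    if total <= 0:
        raise InvalidOrder("non-positive total")
    return Order(sku, qty, total, ship=True)


def reconcile(orders) -> list:
    """Compensating control for the 'no correlation' problem: return every order
    that shipping would fulfil while accounting debits zero or less."""
    return [o for o in orders if o.ship and o.charge <= 0]


# Constructed requests: an honest buyer, a flipped price, and a negative quantity.
HONEST = {"sku": "SKU-100", "qty": "1", "price": "74.99"}
POISONED_PRICE = {"sku": "SKU-100", "qty": "1", "price": "-74.99"}
NEGATIVE_QTY = {"sku": "SKU-100", "qty": "-1", "price": "74.99"}
REQUESTS = (HONEST, POISONED_PRICE, NEGATIVE_QTY)

if __name__ == "__main__":
    accepted = [checkout_vulnerable(r) for r in REQUESTS]
    for o in accepted:
        print(f"vulnerable: accounting debit {o.charge:+.2f}, shipping={o.ship}")
    print("flagged by reconciliation:", len(reconcile(accepted)))
    for r in REQUESTS:
        try:
            o = checkout_hardened(r)
            print(f"hardened: accepted, debit {o.charge:+.2f}")
        except InvalidOrder as e:
            print("hardened: rejected:", e)
```

The point of `reconcile` is that it needs no scanner and no knowledge of how the price was poisoned: it only asks whether the two compartmentalized business functions agree, which is exactly the question the article says nobody asks.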
Tools need to be worked into your risk management and audit management cycles. This is something consulting companies can help you do if you do not know how. There is a large translation problem in many organizations right now: a risk management team may define a problem, but someone then has to translate it into actionable activities for the software development and network operations teams.
You need to take a three-pronged approach that integrates tools with your processes and your training, so that your staff understand what's expected of them and have the right tools to accomplish the job at hand while adhering to both corporate and industry processes and regulations.
Many organizations simply insert a tool into the software development or deployment process and require that an application pass some arbitrary, predetermined score. This is dangerous in both context and interpretation: the score measures only what the scanner can see, which excludes the business logic flaws described above, yet the people reading it tend to treat a passing score as "secure".