As software grows in complexity, the chance that vulnerabilities are present increases.
Experiencing some software vulnerabilities is almost inevitable, but you shouldn’t need to experience the same well-known vulnerabilities appearing over and over again in the same application.
Your company probably undergoes penetration tests. Hopefully you have a bug bounty program as well. But what happens with that information?
HackerOne recently released the Hacker Powered Security Report for 2018. In it, HackerOne describes common vulnerabilities found across industries which use bug bounty programs.
According to HackerOne, XSS is the number one vulnerability found across industries.
XSS is easy to fix. So why is it still so common?
Developers who are responsible for the vulnerable code often don’t get to learn from these findings. If developers don’t receive the information gained from penetration tests and bug bounty programs, meaningful change can’t happen.
Getting information into developers’ hands is the key to more secure software.
The Benefit of Strong Feedback Loops
Sharing relevant results with your developers means you don’t waste time, money, and resources repeating the same mistakes.
Developers are ultimately the people with the power to control the code. Larger companies have more separation and security teams don’t have the ability to commit code. Some security teams at mid-size or smaller companies may commit fixes on behalf of the developers.
However, if the security team fixes vulnerabilities, this doesn’t help developers write more secure software. The information of how to fix vulnerabilities still stays within the security team and is not shared with developers. Good feedback loops will help developers to learn along with the security team.
Strong feedback loops lead to measurable results. Over time the results of pen tests and bug bounties should change to reflect the knowledge you’ve gained.
Different problems may surface but the same issues over and over shouldn’t.
Strong feedback loops build a culture of security where developers care about the security of their products. Make security a normal part of the day-to-day work of developers. This builds strong relationships between developers and security teams.
The Challenge of Strong Feedback Loops
As companies grow larger, communication becomes a challenge. Large companies tend to introduce bureaucracy and organizational barriers in order to increase efficiency of one department.
Unfortunately, this doesn’t increase efficiency of the organization. It only optimizes for the efficiency of the one department.
Be careful not to introduce silos or organizational boundaries between development and security. This reduces their ability to share information.
Larger companies do have to deal with regulations requiring separation of duties or other workflows to remain compliant. However, separation of duties does not mean a siloed organization, only that you have necessary access control on your systems. Regulations aren’t an excuse for poor communication.
For example, if a development team requires the security team to perform a service, a developer may have to submit a ticket in a ticketing system such as Jira. Then the developer waits for the ticket to be completed according to the priority of the security team.
This type of working does not encourage feedback loops, but instead encourages separation and animosity between teams. It makes the security team’s services seem mysterious or arcane, as if no developer should gain access to the “secret vault” of security.
In fact, the opposite should hold true. While developers don’t need to be security experts or do the job of the security team, they should understand what the security team’s job is and why it’s important. Teamwork is the end goal.
It’s also important to avoid a culture of blame – instead we’re talking about sharing knowledge across the team or organization.
Build a culture that embraces feedback and continuous learning. Developers should be craving this information and security teams should be happy to give it. Developers and security must work together with a common goal of protecting valuable assets and customer data.
How to Establish a Strong Feedback Loop
First, if you don’t do penetration tests or a bug bounty program, do it. Having outside experts look at your code is a great way to find problems the team didn’t notice before.
Next, the method of communication is important. PDF reports probably aren’t enough to make real change. Bug tracking systems can be used but are dependent on project priorities and may not be done in a timely fashion.
The DevOps Handbook speaks at length about good feedback loops and organizational learning. Even though it concentrates on development and operations for most of the book, the same principles apply well to application security practices.
One point which stands out is the theme of Chapter 20 of the book, “Convert Local Discoveries into Global Improvements.” The book outlines strategies for organizational learning. In terms of security, companies can turn local vulnerability discoveries into global security improvements using strong feedback loops.
The HackerOne report shows that information disclosure is a big vulnerability in the healthcare industry. If a penetration test or bug bounty shows that you have S3 buckets open to the Internet containing sensitive data, how can this be fed back to developers?
You can tell existing teams to fix the problems. This is necessary so that nobody can exploit the vulnerability that already exists. Companies can also launch an initiative for other teams to try to find the same problem in their apps. Creating boilerplate user stories for common security bugs can also help to share knowledge.
Developers often have too much work to do and too little time to do it. Make sure you give developers the time and incentives to fix the vulnerabilities you find. It’s up to the leaders in the organization to make sure security is given the attention it deserves.
To prevent the bugs from happening again, make it a part of onboarding engineering teams. Make sure the secure use of cloud resources is required training for new developers. The same goes with XSS, CSRF, authentication and authorization.
Any bugs that are found in several different applications should be incorporated into onboarding and training of engineers. Over time the number of occurrences of these repeat bugs should go down, showing clear results from the training being implemented.
Make sure you measure your results over time. Create a system for tracking bugs, such as tags in Jira tickets. This allows you to watch how bugs change over time. The vulnerabilities discovered should become less critical, less frequent, and more advanced over time. If a specific vulnerability, such as XSS, increases suddenly, you can react quickly.
Hunter2 can help close the feedback loop with your development team. We offer training that specifically matches the topics you need to target. We can customize lab scenarios based on the vulnerabilities you may have uncovered in your own applications. If you want to learn more, check us out here.
Continuous learning is an important part of software development in today’s fast-paced world. The same learning culture is necessary for application security activities such as penetration testing and bug bounties. Feedback loops from security to development is necessary.
Only then can we finally stop seeing the same problems over and over again.