All this chatter doesn’t come as a surprise to me (and likely others) who have been actively involved in the application security business for the past decade. I would argue that the relative constant nature of the top 10 (or at least the top 5), can be interpreted 2 ways. It can be as much of an indicator to poor secure development practices as it can be interpreted that we’ve gotten better at finding the top 5 security issues in the first place. Depending on which day you ask me, I can fall on either side of the line.
For me, one of the more interesting aspects of the latest top 10 is what’s changed. In this case, one of this biggest (and depending on your involvement with the top 10 the most controversial) is the introduction of A9, using components with known vulnerabilities. On the surface, this seems to be a no brainer, some may argue whether something so basic even belongs on this list since it seems so obvious. But the reality is most people simply don’t even know they are using components with known vulnerabilities. . This basic security blocking and tackling is missing from many secure development initiatives (trust me I’ve seen my fare share and this has never been a focus).
All of this discussion surrounding basic security blocking and tackling reminds me of some guidance my son’s teacher gave him and his classmates at graduation day. As you can imagine (and maybe you have heard the same), my youngest child just recently moved from grade school to middle school and his grade school teacher spoke to all the parents on graduation day and reminded the kids (then mostly 10/11 year olds) how important good hygiene is when children are maturing. He reminded us of the obvious but yet a thought that can be so easily forgotten. Reminding us that peers and teachers appreciate a diligent approach to hygiene basics. This approach is like OWASP adding A9 to a security threat list. It’s easy to take these basic principles for granted, but sometimes we just need to be reminded.
Much like you don’t want to start your day without the basic elements of hygiene; you shouldn’t start your application’s journey based on a bad foundation Which is why I’m happy to see that something that on the surface seems so basic is getting the needed attention. Recognizing not to use components with known vulnerabilities starts the right security discussion. I am glad OWASP recognizes the need for basic hygiene.
It may seem ironic that arguably one of the most well-known security lists for web-based vulnerabilities in the world includes language to not use components that are vulnerable. I would argue (and I welcome the argument) this is one of the most important points on the list and one everyone should be aware of. I consider this one of the foundational elements of any secure application development initiative.
Having spent the last decade focused on application security, I can share many lessons learned but one of the biggest lessons I’ve learned is how security professionals can have the greatest influence on development. It’s not as difficult as one may think. It starts by delivering solutions that fit the “practice of the practitioner”. What does this mean? It means not only delivering tools that work within the existing developer ecosystem, almost all would argue they do, but it also means delivering the functionality most useful to that group scaled by their capacity to effectively use it in the first place. I would argue most do not fill this last piece.
One of the benefits of working with Sonatype now, an organization that understands modern software development, is that we aren’t just another security company building security tools for security people. We are an organization with a passion for both security and development and a mindset geared towards helping organizations make sure they don’t leave the house without at least brushing their teeth. A security company that absolutely understands the importance of A9 and good hygiene. Do you?