In this interview, Guido discussed OWASP application security, what organizations can do to ensure their web application is secure, automated software testing, and the best ways to secure cloud applications.
Prof. Dr. Guido Salvaneschi is a researcher and cybersecurity enthusiast, leading the Programming Group at the School of Computer Science, University of St. Gallen. His research has been supported by the Swiss National Science Foundation (SNSF).
Guido led a track session at the Global Cyber Conference on the topic of “OWASP application security guide for CISOs”.
To begin with, could you please share with us your top 3 reasons for participating in the Global Cyber Conference in Zurich?
First, this is a great opportunity to remain updated with the most recent trends in cybersecurity. Threats to digital infrastructures are evolving at an unprecedented pace and staying up to speed is crucial to conceiving an effective defense strategy.
Second, the conference has a strong focus on concrete applications. Collecting first-hand experience from colleagues who are committed every day to protecting IT infrastructures is invaluable. Also, this first-hand experience is a kind of knowledge that is hard to gain otherwise.
Finally, I think it is of fundamental importance that we further raise awareness around cybersecurity in many organizations. The Global Cyber Conference is the opportunity to build a community that can act in this direction, promoting support for cybersecurity investments and education.
You will be speaking about OWASP application security. Please tell us what organizations can do to ensure their web application is secure.
Web application security is crucial because a web application is often the main front-end an organization provides to its clients. As a consequence, a web application being compromised can easily result in a loss of customer trust, and ultimately a loss of revenue, not to mention the issues connected with compliance and data breach penalties.
In securing web applications, there are a number of technical aspects to consider. Many of them have been discussed extensively, for example, encryption, exception management, and authentication. Regular auditing by a third-party testing team with skills in penetration testing is also a must. Other important solutions involve socio-technical aspects, for example, properly using role management and access control by giving each user as few privileges as possible (i.e., the principle of minimal privilege) and matching their role in the organization.
However, as often in cybersecurity, the human factor and the culture of the organization play an essential role. For example, many organizations are starting only now to introduce multi-factor authentication even if its benefits have been known for a long time.
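As an added illustration of the role management and minimal-privilege point above (this is example code written for this page, not code from the interview or from OWASP), the block below models a hypothetical ticketing application: a deny-by-default authorization check in which each role carries only the permissions it needs, an unknown role grants nothing, and, going one step beyond the text, an object-level ownership rule is layered on top of the role check so that an agent can update only the tickets assigned to them. All role names, permission strings and users are constructed for the example.

```python
from dataclasses import dataclass

# Constructed role-to-permission map for a hypothetical ticketing app.
# Each role lists only what it needs; nothing is inherited implicitly.
ROLE_PERMISSIONS = {
    "viewer": frozenset({"ticket:read"}),
    "agent": frozenset({"ticket:read", "ticket:update"}),
    "admin": frozenset({"ticket:read", "ticket:update", "ticket:close", "user:manage"}),
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


@dataclass(frozen=True)
class Ticket:
    ticket_id: int
    assignee: str


def permissions_for(user):
    """Union of the permissions of the user's roles; unknown roles grant nothing."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return perms


def authorize(user, action, ticket=None):
    """Deny by default: True only if a role grants the action AND the
    object-level rule for that action (if any) is satisfied."""
    if action not in permissions_for(user):
        return False
    # Object-level rule on top of the role check (hypothetical policy):
    # a non-admin may update only tickets assigned to them. This is what
    # stops "agent A edits agent B's ticket", which a pure role check allows.
    if action == "ticket:update" and "admin" not in user.roles:
        return ticket is not None and ticket.assignee == user.name
    return True


if __name__ == "__main__":
    alice = User("alice", frozenset({"agent"}))
    bob = User("bob", frozenset({"agent"}))
    t = Ticket(1, "alice")
    print("alice updates own ticket:", authorize(alice, "ticket:update", t))
    print("bob updates alice's ticket:", authorize(bob, "ticket:update", t))
    print("alice manages users:", authorize(alice, "user:manage"))
```

The design choice worth noting is that the role table and the ownership rule are separate layers: the table answers "may this kind of user ever do this?", and the per-object rule answers "may this user do it to this record?". Granting a role wider permissions to paper over a missing object-level check is exactly the opposite of the minimal-privilege principle the answer describes.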
Testing applications during the development phase is a critical part of the development lifecycle and one approach to testing is automated testing. Is automation in software testing reliable?
Testing consists of executing an application to ensure that the execution does not result in an error or unexpected behavior. Of course, testing provides guarantees only for certain inputs. Since the possible inputs are usually infinite, one cannot exhaustively explore all possible executions. For this reason, testing becomes a trade-off between quality and the resources (like time and budget) available for the testing activities.
Nevertheless, testing remains one of the most effective ways to ensure software quality. Crucially, security testing ensures that vulnerabilities are discovered already in the development phase. To make testing effective, however, automation is essential because automated testing guarantees that tests are executed on every single software version.
With the spreading of DevOps (and SecDevOps) techniques and the wide adoption of CI/CD pipelines, new software versions are released at a much higher pace than before – once a day or even multiple times a day. As a result, test automation is the only way to ensure consistent software quality over all releases.
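To make the point that "testing provides guarantees only for certain inputs" concrete, here is an added example (written for this page, not code from the interview) of the kind of automated security test one would run in a CI pipeline on every version. It contrasts a deliberately weak path-joining helper, which blocks only the literal `../` substring, with a hardened one that resolves the path and checks containment. The two hand-written test inputs a developer would typically think of both contain `../`, so the weak version passes them; a small exhaustive enumeration of inputs then exposes the cases the hand-written list misses (a bare `..`, and an absolute path, which `os.path.join` silently lets replace the base). The document root `/srv/app`, the segment alphabet and both helpers are constructed for the example.

```python
import itertools
import os

# Constructed example: a hypothetical "serve a file from the document root"
# helper in a weak and a hardened version. BASE need not exist on disk.
BASE = "/srv/app"


def naive_safe_join(base, user_path):
    """Deliberately weak: rejects only the literal '../' substring."""
    if "../" in user_path:
        raise ValueError("path traversal rejected")
    # Note: os.path.join discards base when user_path is absolute.
    return os.path.normpath(os.path.join(base, user_path))


def safe_join(base, user_path):
    """Hardened: resolve both paths, then require the target to stay inside the root."""
    root = os.path.realpath(base)
    target = os.path.realpath(os.path.join(root, user_path))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("path traversal rejected")
    return target


# The inputs a developer typically writes by hand. Both contain "../",
# so even the naive version rejects them and the hand-written suite is green.
HANDWRITTEN_CASES = ["../../etc/passwd", "docs/../../etc/passwd"]


def generate_candidates():
    """Enumerate every 1- and 2-segment path over a tiny alphabet (12 inputs).

    Exhaustive over this small grammar, which is the point: it reaches a bare
    '..' and absolute paths that the hand-written list never tries.
    """
    segments = ["..", "docs", "/etc"]
    out = []
    for length in (1, 2):
        for combo in itertools.product(segments, repeat=length):
            out.append("/".join(combo))
    return out


def find_escapes(join_fn, base, candidates):
    """Return the candidates that join_fn accepts but that resolve outside base."""
    root = os.path.realpath(base)
    escapes = []
    for candidate in candidates:
        try:
            result = join_fn(base, candidate)
        except ValueError:
            continue  # rejected, which is the desired outcome
        if os.path.commonpath([root, os.path.realpath(result)]) != root:
            escapes.append(candidate)
    return escapes


if __name__ == "__main__":
    print("naive, hand-written cases:", find_escapes(naive_safe_join, BASE, HANDWRITTEN_CASES))
    print("naive, enumerated cases:  ", find_escapes(naive_safe_join, BASE, generate_candidates()))
    print("hardened, enumerated:     ", find_escapes(safe_join, BASE, generate_candidates()))
```

Run as a test in the pipeline, `find_escapes` must return an empty list for the helper actually shipped; the enumerated inputs are cheap enough to execute on every commit, which is what turns the one-off finding into the per-version guarantee the answer above argues for.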
More and more workloads are moving to the cloud. What are the best ways to secure cloud applications?
Cloud computing is on the agenda of many organizations that are committed to innovating their IT processes. In many aspects, securing cloud computing is no different than securing traditional applications. Even in the cloud, the classic ingredients of software security remain crucial, such as encryption of data both in transit and at rest, execution and traffic monitoring, as well as vulnerability testing. There are, however, some fundamental challenges that one must take into account.
Compliance, for example, might be problematic because cloud platforms weaken the control that users have on the physical location of data. This might conflict with certain compliance requirements such as those defined by GDPR.
Another aspect to consider is that many organizations adopt a hybrid cloud configuration, for example, because they choose a strategy of gradual migration to a cloud computing model. In such a mixed configuration, where on-premises and cloud resources are combined, it is relatively easy to lack a global view of resource usage. Also, account management can be an issue: one needs to keep track of different management mechanisms and put in place policies for account removal, migration, and consolidation.
These observations should not discourage the adoption of cloud infrastructure. The opposite is true: the cloud can be a great opportunity to increase software security, for example, thanks to centralized patch management. In software as a service, centralized patch management ensures that software applications are directly patched by the cloud provider, guaranteeing that they benefit from all updates against recent vulnerabilities.