From the course: CSSLP Cert Prep: 1 Secure Software Concepts
The goals of application security
- [Instructor] I have pretty strong opinions on the importance of the concepts laid out by the CSSLP, above and beyond the value that the cert can provide for your career. Application security is one of my favorite areas within infosec. I've been doing it for years and I'm yet to get bored, far from it. Technology continues to change at a breakneck pace and so do the apps that enable us to interact with that tech. Take the video game industry for example. Over a few decades, the industry has evolved from Pong, a simple paddle and ball game that you played on a single computer, to a multi-billion-dollar industry with competitive multiplayer games that rely on Internet-connected applications to work. With all that money on the line, attackers know that finding and exploiting an application's security weakness could lead them to a quick payday. If a criminal exploits an app's sec weakness in a video game, they might be able to cheat or to get virtual loot that they didn't pay for.

But what happens when that same criminal turns their attention to critical national infrastructure? The industrial control systems that control power, water, and public communications have become more and more reliant on applications. While consumer-facing apps have been modernized to keep pace with consumer expectations, the same can't be said for the apps controlling our infrastructure. If an attacker were to exploit a weakness in one of these systems, the end result could be loss of life on a massive scale.

And have you thought about how much software is running in modern automobiles? Two security researchers, Charlie Miller and Chris Valasek, were featured in a 2015 Wired article, where they demonstrated how they were able to remotely hack into a vehicle and take control. As more and more self-driving vehicles find their way onto public roads, folks like you and me are really, really hoping that the people creating the software in those cars are doing their best to secure those apps.
Physical safety concerns aside, I also believe that we have both an expectation of and a right to digital privacy. That said, how do you think organizations manage our healthcare data, or financial data, or personally identifiable information? Exactly, software. Hundreds of millions of records have been compromised since we started tracking those numbers in publicly disclosed data breaches. How many of those breaches could've been mitigated with stronger application security controls? Application security is just one of multiple domains necessary for protecting the systems and data that process and store all of this information, but make no mistake, it's a really important one. At the end of the day, protecting apps isn't just about the technical ones and zeros, it's about protecting the people who might be impacted by a criminal who might be able to exploit an application's security weakness and do harm. By improving your application security knowledge, you'll be able to tip those scales in favor of the good guys.