When an enterprise suffers an application security incident, a whirlwind of activity takes place to triage the immediate problem. Application and security teams work side-by-side to identify the damage, implement a quick fix to prevent further losses, and perform a root-cause analysis to determine why the vulnerability existed in the first place. Savvy information security teams can leverage the root-cause analysis as a catalyst to enhance the assessment of applications and improve an inconsistent and underdeveloped application security program. However, more often than not, these fledgling improvements get crushed under the inertia of the organization. It can be difficult to shift people's attention from the "quick fix" to "fix the root cause" once the initial damage has been mitigated. The complexities of implementing an application security program can frustrate even experienced practitioners, and the difficulty of establishing a business case can cause initiatives to stall out, given the large costs that many of them carry. I will share some experiences, strategies, and approaches to overcome these challenges and introduce sustainable and measurable improvements into your application security program after an incident has occurred.
Cory Scott is a director at Matasano Security, an independent security research and development firm that works with vendors and enterprises to pinpoint and eradicate security flaws using penetration testing, reverse engineering, and source code review. Prior to joining Matasano, he was the Vice President of Technical Security Assessment at ABN AMRO / Royal Bank of Scotland. He has also held technical management positions at @stake and Symantec. He has presented at Black Hat Briefings, USENIX, and SANS, and leads the local Chicago OWASP chapter.