Vandana Verma, security architect at IBM India Software Labs and web application security expert, shares her advice on tools, training, and shifting left.
Application security, as we often say, is not a destination but a journey. And as is the case with most journeys, it helps to have a map or a guide. Vandana Verma has spent her still-expanding career becoming one of the best guides in the field—particularly for web application security.
Her list of qualifications is long and lengthening, starting with her “day job” as security architect at IBM India Software Labs. But her extracurricular activities could amount to a couple more full-time jobs.
She is an OWASP Bangalore chapter leader and was recently elected to the OWASP global board. (OWASP is the Open Web Application Security Project.) She has been a speaker and trainer at the DEF CON AppSec Village and an assistant trainer at Black Hat, the OWASP AppSec conferences, and others. She is a member of the review board at the Grace Hopper Celebration of Women in Computing, BSides Ahmedabad, and OWASP Global AppSec.
And yes, there’s more: Women in cyber security advocate. Recipient of a 2019 Cybersecurity Influencer award from IFSEC Global. Winner of the 2019 Secure Coder of the Year award from the Women’s Society of Cyberjutsu. And she is on Instasafe’s list of the Top Women in Cybersecurity in India.
Even with everything Verma is doing, she still has plenty of energy left over. A primary reason she is passionate about web application security, she said in a recent interview, is that when it comes to cyber security, that’s where the action is.
“Web applications, if we include cloud-based applications, are the front-facing surface,” she said. “Companies don’t open their internal networks to everyone, but they open web applications. With cloud, you can’t prevent applications from being public. That’s why web apps are the most lucrative and most common attack surface.”
So the obvious goal for defenders is to make them a more difficult attack surface. And to do that, Verma says, takes coordination of both tools and skilled people.
By now, the categories of application security testing tools that analyze software throughout the software development life cycle (SDLC) are well established: static application security testing (SAST), dynamic application security testing (DAST), interactive application security testing (IAST), and software composition analysis (SCA), which inventories open source dependencies and their known vulnerabilities.
Verma said she is a fan of those tools. But she cautions against letting their use alone give anyone a false sense of security. “The tools are good and need to be used,” she said, “but it doesn’t mean they will give you 100% coverage. If you say you have used the tool and then you are done, you will be in big trouble. You have to put in efforts to use them properly.”
Not everybody uses them, either, because development teams still see security testing as something that will slow them down.
“With vulnerability management, every new tool added in the cycle means a delay in the process,” Verma said. “Every tool will have a report, and if you don’t act upon the critical bugs and don’t fail the build, reports will just be useless artifacts that are generated and discarded.”
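To make the point concrete, here is an added example of the kind of build gate Verma describes. It is not code from the article, from Verma, or from IBM. It reads a scanner report in a constructed JSON shape (a list of findings with a severity and a location) modelled loosely on what SAST, DAST and SCA tools emit, and fails the build when any finding at or above a chosen severity is present and has not been explicitly accepted. The tool name, the rule names, the severity labels and the suppression mechanism are all assumptions for illustration.

```python
"""Build gate for scanner reports (added example, not from the article).

Reads a constructed report shaped like the JSON many SAST/DAST/SCA tools
emit (a list of findings with a severity and a location) and decides
whether the CI build should fail. The report format, tool name, rule
names and severity labels are assumptions for illustration.
"""
import json
from collections import Counter

# Ordered severity scale; anything unknown is rejected rather than silently ignored.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample report; not the output of any real tool.
SAMPLE_REPORT = json.dumps({
    "tool": "hypothetical-sast",
    "findings": [
        {"id": "F-1", "rule": "sql-injection", "severity": "critical",
         "file": "app/orders.py", "line": 42},
        {"id": "F-2", "rule": "hardcoded-secret", "severity": "high",
         "file": "app/config.py", "line": 7},
        {"id": "F-3", "rule": "weak-hash", "severity": "medium",
         "file": "app/auth.py", "line": 19},
        {"id": "F-4", "rule": "sql-injection", "severity": "critical",
         "file": "tests/fixtures.py", "line": 3},
    ],
})


def load_findings(report_json):
    """Parse the report and normalise severities; fail loudly on unknown labels."""
    data = json.loads(report_json)
    findings = []
    for f in data.get("findings", []):
        sev = str(f.get("severity", "info")).lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {sev!r} in finding {f.get('id')}")
        findings.append({**f, "severity": sev})
    return findings


def is_suppressed(finding, suppressions):
    """A suppression is a (rule, file) pair the team has accepted in a reviewed,
    versioned file in the repo, so exceptions are deliberate and auditable."""
    return (finding["rule"], finding["file"]) in suppressions


def evaluate(findings, threshold="high", suppressions=frozenset()):
    """Return (should_fail, blocking_findings, severity_counts)."""
    min_rank = SEVERITY_RANK[threshold]
    blocking = [f for f in findings
                if SEVERITY_RANK[f["severity"]] >= min_rank
                and not is_suppressed(f, suppressions)]
    counts = Counter(f["severity"] for f in findings)
    return (len(blocking) > 0, blocking, counts)


def gate(report_json, threshold="high", suppressions=frozenset()):
    """Decide the build outcome: return 1 (fail the build) or 0 (pass)."""
    findings = load_findings(report_json)
    should_fail, blocking, counts = evaluate(findings, threshold, suppressions)
    summary = ", ".join(f"{k}={counts[k]}" for k in SEVERITY_RANK if counts[k])
    print(f"scanner findings: {summary or 'none'}")
    for f in blocking:
        print(f"BLOCKING {f['severity'].upper()} {f['rule']} "
              f"at {f['file']}:{f['line']} ({f['id']})")
    if should_fail:
        print(f"FAIL: {len(blocking)} finding(s) at or above '{threshold}'")
        return 1
    print("PASS")
    return 0


if __name__ == "__main__":
    import sys
    # Accept the finding in the test fixture so the run shows a real exception
    # being honoured while the production findings still fail the build.
    accepted = frozenset({("sql-injection", "tests/fixtures.py")})
    sys.exit(gate(SAMPLE_REPORT, threshold="high", suppressions=accepted))
```

The design choice worth noting is that the gate returns a non-zero exit code rather than only writing a report: a CI job that calls it will stop, which is exactly the difference between an artifact that gets discarded and one that gets acted on. Exceptions live in a reviewed suppression list keyed by rule and file, not in a global "ignore" flag, so lowering the bar is a visible, versioned decision.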
But another element of the problem, she said, is that those on development teams aren't always trained in web application security. Meanwhile, many of those on security teams don't know how to code, a gap noted in a recent 451 Research report titled Designing a Modern Application Security Program.
“If we train the developers and operations people in how to do good security, the applications will come out better,” she said. “Someone who knows how to code can embrace security easily.”
Finally, she said, the reason that some organizations fail to embrace the “shift left” philosophy of embedding security testing throughout the SDLC is that they neglect the “Ops” portion of DevSecOps.
“Organizations need to be in DevOps mode,” she said. “If you have DevOps and integrate security, it will be good. Operation is a key piece. Until all three are in sync and on good terms, you can’t have ‘shift left.’”
How can we achieve better web application security, and better cyber security as a whole? Verma said she thinks both government and the private sector have a role to play in setting security standards. The European Union’s General Data Protection Regulation (GDPR), while its main focus is privacy, has an obvious security component. You can’t keep something private if it’s not secure.
“And any organization that deals with European citizens has to comply with the GDPR,” she said. “This changed the whole paradigm.”
Many pending privacy laws in the U.S. also mirror, or in some cases go beyond, GDPR requirements.
On the private side, she said, one example of setting baseline web application security standards is Google’s mandate that “you have to use HTTPS, and if you don’t, your ranking will go down.”
Security advocacy organizations like OWASP also offer plenty of advice and information on application security. OWASP is known for its Application Security Verification Standard (ASVS) and the OWASP Top 10, its list of the most critical web application security risks.
But Verma noted that the organization also publishes guidance on API (application programming interface) security testing and holds regular conferences and summits, which “bring people together to share knowledge and continuous learning.”
Verma said she views her personal role as not just an ambassador and advocate for more diversity in InfoSec, through her work with Infosecgirls, WoSEC (launched by Tanya Janca), and others, but also as an instructor for those looking to break into the field or sharpen their skills.
She offers a training course in web application security through colleges and universities in multiple countries and at conferences. So far, she has trained more than a thousand students, all for free.
“As a trainer and international speaker, my goal is to grow the community,” she said.
Find Vandana Verma on Twitter at @InfosecVandana.
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.