Ben’s Book of the Month: Review of “Hackable: How to Do Application Security Right”

The cause behind many information security incidents is vulnerable networks and applications. In Hackable: How to Do Application Security Right (Lioncrest Publishing), author Ted Harrington has written a helpful guide to slow down this dangerous problem. Harrington is Executive Partner at Independent Security Evaluators, has his hands on the pulse of the industry and has written a pragmatic guide to educate the reader on the importance of application security.

Far too many firms try to do security by following a checkbox-like approach, and that is precisely the approach the book is trying to steer firms away from. Harrington takes somewhat of a contrarian view in his approach to security testing. Some of his suggestions run contrary to what industry best practices and firms like Gartner® suggest, and that is not necessarily a bad thing.

An example of his contrarian approach is his disdain for black-box security testing, which he considers a waste of time and money. Black-box testing is an approach that limits the information your penetration testers have in order to better replicate real-world conditions. In a white-box approach, the firm being tested provides the penetration testing team with information about the systems being tested and administration-level credentials to perform the test. Harrington writes (not incorrectly) that a white-box approach makes the best use of your time and money.

The rest of the book builds on that idea, and he writes of many misconceptions firms have when it comes to security testing. These include firms misunderstanding the difference between vulnerability scans and vulnerability assessments, why bug bounty programs can be of little value to many firms, and more.

One of the most insightful points he makes in the book is when he writes that “security is a loop, not a line.” Too many firms think their security process is done after they perform their annual pen test. But the reality is that security is an endless loop of determining your threat model, performing assessments against that model, remediating those threats and then doing that all over again.

Chapter 8 details how to establish your customized threat model. By knowing and understanding what to protect, whom to defend against and where you will be attacked, a firm can ensure they are putting their budgets and efforts in the right places. The chapter details numerous threats, including nation-states, insiders and more, to help you establish a threat model that works for you.

A final important point the book makes is that while many software companies tend to think that security slows down the development process, that is simply not the case. Harrington shows that by building security into the development process, you get better security that costs less in the end; with a formal program in place to deal with security issues as they arise during development, it will, in fact, not slow things down.

For those looking to understand what they need to do around application security, Hackable: How to Do Application Security Right is an excellent high-level guide to start them on their journey.

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.