General security

Interview with Caleb Barlow – Director of Application, Data & Mobile Security @ IBM Security Division

October 19, 2012 by Rorot

Caleb Barlow is currently the director of Application, Data and Mobile Security in the IBM Security division. Earlier he acted as the director of Unified Communications and Collaboration, SMB Solutions Development and held several other key positions at IBM. He has a track record of working with various products and technologies. He is an expert in Communications, Internet Security, Database Security, Application Security, SaaS, and Cloud Computing to name a few. Before going ahead, I would like to thank him for his precious time and for sharing his valuable thoughts with us. It’s really an honour to interview the man who is considered to be one of the big heads in the security industry today. Let’s proceed to the interview!

1. Having joined IBM in 1992 and with over two decades of experience under your belt, how do you explain the transition of the field of security from a trivial into a central aspect today?

It is really about two key factors – the first is in the growth of devices connected to the Internet, and this is only continuing to accelerate. Consider this – there are just over 7B people on the planet, but only 2B computers. Yet there are 5-6B mobile devices and over the next few years many, if not most of those mobile devices will become Internet connected smart phones. The simple fact is that there are few parts of our lives that are not directly influenced by connectivity, and this presents a significant opportunity for the bad guys.

The second key factor is the sophistication of the threat. This is no longer just bored teenagers looking for recognition, but activisim, espionage, national security and organized crime. So not only do we have more to protect, but the bad guys are more sophisticated and well funded than in the past. Security has shifted from a defensive, perimeter focus, to a pro-active focus on securing the data, people, applications and infrastructure and as a result is very much a board-level issue.

2. Are there any new additions to the IBM Security Appscan product which is widely acknowledged as one of the best automated vulnerability scanners?

IBM Security AppScan is an incredibly pervasive product that is used to find vulnerabilities in just about every industry and application you can think of. Our development team for AppScan is about more than just writing new features, we even maintain our own dedicated research team that focuses on new ways to identify vulnerabilities and new ways to stay ahead of an ever evolving threat. Here are some of the most recent additions:

Static Analysis for Java Android-based applications

Mobile phones are not only pervasive but they are an ideal target for a hacker as they contain personal, private AND enterprise data. If you break into the phone you can potentially get access to valuable enterprise data, but you can also use the contacts and social information to mount future phishing attacks against friends and colleagues. In the development of this new capability, we have studied and classified the threat profile for over 20k Android APIs that Java applications can be used on the phone. Our Static analysis uses this Android API to help determine if a mobile application is vulnerable to attack.

AppScan – QRadar Security Intelligence integration

As an industry we need to accept that not all vulnerabilities are fixable. Sometimes you simply do not have the time, resources, budget, skill or ability to remediate everything. For applications you have already deployed, you really can’t shut them down, but you do need a way to monitor those vulnerabilities – to understand and monitor the risk and deploy your limited resources to the highest priority issues. By integrating AppScan with QRadar, we can pull application vulnerabilities into the QRadar correlation engine. This allows QRadar to correlate a known application vulnerability with application traffic and raise the threat level if the traffic correlates to a vulnerability. It can also lower the threat level for traffic that does not correlate to a known vulnerability. Sometimes it is about fixing the problem… but often it is about knowing which problems to fix by applying predictive analytics to sort through the massive amounts of data to eliminate false positives and focus on the real threats.

Static Analysis Consumability Features

Professional penetration testers have always been fans of AppScan, but we are finding that more and more of our customers are line developers that want to use AppScan early in the development process. As their primary job is writing code, not security, we have added several new features to make it easier for them to use. For example, a new “Quick Start” area provides links to common operations. A new “Welcome” view provides easy access to important information sources including an RSS feed to IBM X-Force to ensure security practitioners have current security risk information.

One of my, and customers’, favorite features is a new Application Discovery Assistant that will automatically configure an application for security analysis. Users are no longer required to search for all the supporting source code. Advanced dependency analytics will intelligently and automatically identify needed files and libraries to be included in the application configuration. Users need only specify a root directory and the ADA will find all the dependencies. There is even an option to initiate a scan after the configuration is complete.

Next-Gen DAST Engine

The most significant effort in our latest release was the introduction of our next-gen Dynamic analysis engine in AppScan Enterprise. It provides a more scalable, high performing engine as well as new capabilities for our enterprise customers. It includes a Java Script Analyzer for performing Static analysis of client side Java script code. Did you know that many applications tailor java script code based on user input? So to truly analyze Java script code you need to have a running application and capture the Java Script. The JSA does this and then runs static analysis on the code to determine if any vulnerabilities exist.

XSS Analyzer

XSS is one of the top threats today along with SQL injection. This new next gen DAST engine uses a learning system to quickly and efficiently evaluate a website for XSS vulnerabilities. This highly automated “learning system” tailors a unique, custom XSS payload from a knowledge base of millions of potential payloads, rather than relying on a database of predefined tests. Based on what it learns with each test success or failure, it can eliminate various combinations from its knowledge. This XSS analyzer is faster and more accurate than previous approaches.

3. Could you please let us know if there are any efforts being made to reduce the false positives generated by automated tools like Rational Appscan?

Yes, we continue to invest in improving the thoroughness and accuracy of the AppScan test engine. On the Dynamic Analysis (or black-box) side — Our security team constantly updates the test rules we use to eliminate potential false positives. We have also invested in the development of some new testing techniques (e.g. the Cross-site Scripting Analyzer), which make black-box scanning much more efficient and accurate.

Last year we released a new piece of technology which was built on top of our DAST (black-box) engine. We called it ‘glass-box’ testing. In the industry it is also known as Interactive Application Security Testing (IAST). We used the term ‘glass-box’ because the technology includes application server instrumentation, allowing us to look inside of the application as a dynamic analysis is performed. The thoroughness and accuracy that glass-box testing has delivered have been superb. We expect that more and more customers will start adopting this new DAST-based technology.

4. What are the main issues being faced by the organizations around the world today when it comes to the field of Application security?

Without a doubt the biggest challenge are skills and resources. No tool can replace the capabilities of a well trained penetration tester and we are just starting to see budgets shift toward placing more of an emphasis on application security.

5. Do you think automated vulnerability scanners can be a complete solution?

The need for automation surfaced because manual code reviews proved to be: costly, slow, ineffective, and didn’t scale. Automated scanners are fast and effective because the security expertise is built into the solution. However, these automated solutions complement security teams and practitioners; they do not completely replace them. The automated tools allow the security teams to look at entire portfolios of applications — not just a handful of critical applications. The automated application security solutions can be further advanced to help security teams quickly identify security risks and prioritize those applications that require more human intervention and analysis. There are also many benefits to integrating an automated application security analysis solution into the software development life cycle; allowing teams to address security risk early in SDLC.

6. Usage of mobile phones and hand held devices is expanding at a rapid pace. Do you think we need to adopt a proactive approach to mobile security based on our experiences from the early days of personal computers?

In a word, yes, but there are some big differences in the adoption of mobile vs. what we experienced in the past with the PC. First off, mobile deployments already exceed those of PCs, and the adoption of new mobile technologies is consumer vs. enterprise-driven. This places enterprises in a reactive mode from the start. Additionally, mobile devices are more likely to get lost, stolen or shared than PCs. The application model is also very different. In the early days of the PC you had a relationship with every software vendor on the device. With mobile applications you not only have no relationship with the vendor, you probably don’t even know who they are, as you just downloaded the app from a store. You certainly do not have a relationship or a support contract. So yes, a more proactive approach is necessary and I think it has three components – securing the device, securing the network and securing the application itself.

7. IBM created its own appstore for employees to download certain applications based on their corporate role. Do you think the corporate equivalent of privacy can be ensured on a mobile device?

Yes – it can be done at the app level or by segmenting the phone. Privacy is important not only to the user but also to protect the organization. On one hand the organization does not want their enterprise data leaking out. The other challenge is to prevent the enterprise, even with good intentions, from gathering personal data. If you think about it, knowing what applications are installed, the GPS logs and contacts can reveal a good deal of private and sensitive information about the individual that could be subject to inappropriate use or legal discovery.

Posted: October 19, 2012
View Profile

Rorot (@rorot333) is an Information Security Professional with 5.5 years of experience in Penetration testing & Vulnerability assessments of web and mobile applications. He is currently a security researcher at Infosec Institute. Twitter: @rorot333 Email: