This post is the fourth in a 5-part series on Application Security, or “AppSec”. The series will define the components of a sound AppSec program, delineate the growing threats to software, weigh the costs of a data breach, and outline the CISO’s responsibility in managing software security risk. Taken together, they are a primer on AppSec best practices that will help organizations build the business case for further investment in this critical IT security discipline.
As we have examined in this series, the information security practice called Application Security (or “AppSec”) seeks to protect all of the software that runs a business. It has three distinct objectives:
1) Measurable reduction of risk from existing applications
2) Prevention of introduction of new risks
3) Ensuring compliance with regulatory mandates
It’s important to understand that an effective software security strategy addresses both immediate and systemic risks with a sustained program and investment – one that can be reactive at first and then proactive over time. Best practices not only find and fix existing security vulnerabilities, but also improve the organization’s overall approach to ensuring secure software.
When considering investment in an AppSec program, security professionals must balance people, process and technology to accomplish their strategic goals. In many companies this decision falls to the Chief Information Security Officer (CISO), or equivalent head of cybersecurity. There are a myriad of choices of products and services in the AppSec market – each with its own pros and cons. AppSec technologies are at divergent levels of maturity, and the deployment options available cover a wide range: from professional consulting to open source tools, from installed software to cloud-based services. Each organization must strive to optimize its own AppSec investments, aligned against the reality of today’s cyber threats.
Before we begin, one caveat: the AppSec products and services included here is not meant to be an exhaustive list. I included product categories with a substantive market and ecosystem. The categories listed are the ones you find in industry analysts taxonomies of the AppSec landscape. Please list products and categories that I’ve missed in the comments section at the end of this post. Now let’s examine the various AppSec investments competing for a CISO’s attention.
“Pen testing” is often where most organizations start the process of reducing the risks caused by their software. These methods manually evaluate the security of an application by running simulated attacks against it. The “white hat” tester mimics the behavior of a malicious hacker by exploiting the software’s potential vulnerabilities, whether in a staged or production environment. As with all the software testing methods mentioned the tester provides a report that prioritizes flaws that were found by potential exploitability. Organizations pay per application tested, depending on the number of pen tests required over time. Pen testing is a very mature and established marketplace.
Because pen testing can be labor-intensive and expensive, many organizations choose to test only the most critical applications. The last few years have witnessed an explosion in automated software scanning, the evolution of source code analysis tools. Two kinds of automated testing have become increasingly popular among distributed development teams, given the proliferation of commercial vendor software, outsourced development and open source projects. They allow development teams to scale testing regimens to cover the complete software portfolio, scanning more often and more affordably.
Automated Scanning – Static Analysis
Static analysis is a software testing technique that can be used to scrutinize all code paths and data flows that a program will execute without actually running the program. It does away with the need to build a potentially complex and expensive environment in order to analyze a software program for many classes of quality and security defects. Static analysis can also be performed early in the development lifecycle since it doesn’t require a fully functioning program or test data.
A Static Analyzer can have the methodology of the world’s best security and quality code reviewers encoded into software to provide the depth of a manual code review with the accuracy, repeatability, and speed of automation. Static Analysis can be performed on either a program’s source code or its binary executable. Both source code and executable will contain all of the semantics and logic that define the software’s functionality.
Automated Scanning – Dynamic Analysis
Dynamic Analysis is an easy to use and popular type of automated web application testing that doesn’t require access to source code or the compiled application. Dynamic Analysis treats the application as a black box. In a Dynamic Analysis an application is typically crawled and then the applications inputs and outputs are tested for security vulnerabilities. Popular with web apps, dynamic scanning is used either during development in a staged environment or for production applications. These services are now available as popular Software-as-a-Service (SaaS) offerings, with testing environments operating in the Cloud.
Web Application Firewalls
Web application firewall (WAF) is a software or hardware device that filters input to and output from a Web server. WAF blocks malicious input and unintentional data leaks to protect the Web server and internal data. It is often deployed as an explicit proxy or a bridge in front of the Web server or as an offline device that sniffs Web traffic. WAF capabilities are often bundled with solutions for database monitoring, load balancing, application delivery and intrusion detection. This method of application protection is akin to a moat around a castle – repelling common attacks and alerting the guards. As a boundary defense, it takes a reactive approach to software protection.
Software Protection Technology
This category is a collection of technologies that help protect software intellectual property (IP) from piracy, make tampering more difficult, and protect code and cryptographic keys from attacks such as malware insertion. Software obfuscation makes IP theft more difficult by obscuring software logic and algorithms. In addition, license checking can enforce valid software licenses to prevent revenue loss. The underlying software code is not touched. Software protection is perimeter security at the application layer – akin to locking the software’s front door to prevent unauthorized access.
Once software flaws are found and reported by any testing tool, they still need to be fixed. Vulnerability management systems help software developers track flaws, remediate fixes, and verify secure processes. They integrate with the team’s chosen development environment, tools and programming languages to ensure application security throughout the software lifecycle. The better solutions provide a shared workspace with role-specific project management and a robust knowledgebase. Fixing vulnerabilities in all deployed applications should be considered a mission-critical step to defend intellectual property, protect customer privacy, or meet regulatory compliance obligations. When rigorously practiced, vulnerability management improves the overall security posture of an organization’s entire software portfolio.
New software vulnerabilities continue to emerge due to the near constant rate of innovation by hackers and cyber criminals. Without an ongoing threat intelligence capability, enterprises risk falling behind and leaving the business vulnerable to new kinds of attack. This intelligence should include research on the latest threat trends and techniques being employed by hackers, organized crime, rogue governments and other adversaries. Typically these systems categorize vulnerabilities by language or platform, and automatically update remediation knowledge-bases.
Governance, Risk & Compliance (GRC)
A plethora of industry mandates and government regulations compel the security of sensitive or confidential data, such as personally identifiable information. GRC solutions abound in the wider infosec marketplace. The more mature AppSec vendors have added policy management functions to their own offerings. Capabilities include risk-based application portfolio management, policy enforcement, audit tracking and certification, history and trending, dashboards and reporting, among other functions. For larger organizations with thousands of simultaneous development projects or companies in highly regulated industries like Financial Services, enterprise AppSec programs can be better managed using GRC products.
APPSEC CONSULTING SERVICES
This is where the tools of AppSec meet the people that define its strategic goals. AppSec solutions benefit from the services of professional consultants that help an organization augment its internal security expertise. Expert consultants typically focus on manual code reviews and penetration tests, developer training programs, security architecture reviews, threat modeling, and AppSec process management. In addition to independent consulting firms, many AppSec solution vendors offer consulting services to ensure customer success with their technologies. Engagement models range from one-off or routine test regimens to long-term strategic relationships costing millions of dollars per year.
When undertaken correctly, AppSec takes a systematic, programmatic approach to hardening business-critical software, from the inside. As an organization’s approach evolves, the practice should become more routine and impact software development, procurement and acceptance processes. Cross-functional software security teams learn to anticipate specific attacks, understand harmful impacts, and define countermeasures in advance. Software developers are trained and certified in secure development techniques to promote the ongoing development of better, more secure code. Today’s governance, risk and compliance mandates routinely inform information security policy. A CISO’s ability to enforce policies and procedures across the enterprise is key to sustained software risk mitigation.
In our last post in this series, we will offer some guidance to CISOs and other senior cybersecurity professionals on how to cost-justify their AppSec investments.
Webinar with Wendy Nather, 451 Research: Penny Wise, Pound Foolish: Avoiding Security Spend Pitfalls
Whitepaper: Policy Driven Software Security