Governing Appsec Effectively
How to prevent a security debacle
by Barbara Morris, Editor, Secure Software Advisory
In February, President Obama ordered National Security Agency and Department of Homeland Security advisors to conduct an immediate 60-day review of the U.S. government's cyber-security plans, programs and activities. He remarked, "We need to build the capacity to identify, isolate and respond to any cyber-attack. And we need to develop new standards for the cyber-security that protects our most important infrastructure, from electrical grids to sewage systems, from air traffic control to our markets." The cyber-security initiative comes on the heels of major security breaches at the Pentagon, the Department of Justice and the State Department.
The President has made cyber-security a high-level national security issue, but the losses are not confined to government: private organizations have lost proprietary and personal information, along with revenue. In a recent example, believed to be the largest data breach in U.S. history, Heartland Payment Systems, which processes over 100 million credit card transactions per month, found malicious software on its systems. The malware captured card data as it crossed the company's network, and was possibly the work of a global cyber-fraud operation.
The complex threat landscape
Software has grown more complex and compliance requirements stricter, and as more applications have been exposed to the Internet the threat landscape has grown more ominous. Moreover, because vulnerabilities are introduced at every stage of the software development lifecycle (SDLC), applications carry inherent security exposure. Together, these trends mean that security will continue to move earlier in the application development lifecycle, and that application development and security will become more tightly integrated.
Barmak Meftah, senior vice-president of products and technology at Fortify Software, Inc., notes, "The biggest hole left in the IT enterprise and the industry as a whole is the applications themselves. For any company or organization that relies on software to automate business processes, there are points of exposure. In recent years, we have seen the accelerated acquisition and growth of software products, as well as solutions that fix the holes."
The role of compliance
Regulations and industry standards form the basis of compliance processes in many areas of enterprise governance: the Health Insurance Portability and Accountability Act (HIPAA) in health care, the Federal Information Security Management Act (FISMA) in the federal government, where the Office of Management and Budget (OMB) enforces it, and the Payment Card Industry Data Security Standard (PCI DSS) in the commercial sector wherever credit card transactions are handled.
To date, PCI DSS compliance has provided a security baseline, a first step for companies to take. As Fritz Young writes in PCI Compliance Guide, "Unfortunately, no business is ever completely secure, but companies can mitigate their risk and make it much harder and more resource intensive for anyone to breach their defenses ... But it is critical to implement both the spirit and the letter of the standard."
Meftah, however, believes that the subcommittees of the PCI Security Standards Council responsible for mandating and enforcing software security need to tackle the issue head-on, even though PCI compliance has accelerated in the past year. The recent breach at Heartland Payment Systems seems to validate his concern.
The good old days
Meftah also relates how security has evolved over the past decades. Thirty years ago, security was a different species. In the mainframe era, computers ran in physically secured areas to which only a few authorized people had access, and enterprises only had to worry about that handful of people. Twenty years ago, the client-server era opened systems up to a far greater number of users; in a bank, every employee might have access to the server, and that is when security measures became more advanced. Since financial institutions could no longer limit the number of people with access, they introduced strong authentication, cryptography and obfuscation routines.
Meftah continues, "Around 15 years ago, companies began to adopt Web-facing applications to automate business, making applications more vulnerable to hackers. You can't lock down applications like you could lock up the room with the mainframe computers, nor are network firewalls foolproof in today's reality."
Solutions for today and tomorrow
While every software product has lots of bugs, Meftah believes that quality is not the main problem -- it's security. He explains, "Quality is a cumulative problem; security is an absolute problem. One exploitable vulnerability could put you on the front page of The Wall Street Journal."
To prevent that, enterprises need to put in place the most secure development lifecycle they can. Because no two applications carry the same risk, an enterprise needs to assess the risk inherent in each application, build threat models and abuse cases for it, and set up a development lifecycle that incorporates security at each stage. And because Web application security, and security in general, are still relatively new concerns for most development teams, training developers and operators is key to securing software.
Once a company analyzes the gravity of the problem, it has to move to remediation, according to Meftah. "The first step is to put a process in place to audit and triage security; after peer assessments, the next move is to decide how to address the vulnerabilities. Even though most companies may be at the risk-assessment step, they need to move on to do source code analysis, using static application security testing (SAST) and/or dynamic application security testing (DAST) of their code to see if they have a problem."
Finally, developers, quality assurance (QA) staff and operators, as well as upper management, all have to be on board with security to bring about proactive prevention, the Holy Grail of security. Meftah adds, "You can't use the manufacturing model for software development. QA can't wait until the end of development; you have to put processes in place upstream to prevent problems."
SAST and DAST
Although enterprises' network, desktop and server infrastructures are more secure today than they were, attackers have shifted to the application layer, and that shift has brought about two classes of tooling for application security: SAST, which analyzes source or binary code without running it, and DAST, which probes the running application from the outside.
According to Gartner's first-ever Magic Quadrant report on SAST, "SAST for security vulnerabilities should be a mandatory requirement for all IT organizations that develop or procure applications … (E)nterprises must adopt SAST technologies and processes because the need is strategic."
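To make the distinction between the two approaches concrete, here is an added example that is not part of the original article and is not any vendor's product: a toy static pass and a toy dynamic probe applied to the same SQL-injection bug, once in a vulnerable handler and once in its parameterized fix. The two handler sources, the taint rule (every function parameter is treated as attacker-controlled and any `.execute()` call as the SQL sink) and the probe payload are all constructed for the example; a real SAST product models far more sources, sinks and data flows, and a real DAST scanner sends many more payloads.

```python
"""Toy SAST and DAST passes over the same SQL-injection bug.

Added example, not code from the article or from any vendor's analyzer.
The two handler sources, the taint rule and the probe payload below are
constructed for illustration.
"""
import ast
import sqlite3

# Constructed sample: the 'before' handler concatenates user input into SQL.
VULNERABLE_SRC = '''
def lookup(conn, username):
    query = "SELECT id FROM users WHERE name = '" + username + "'"
    return conn.execute(query).fetchall()
'''

# Constructed sample: the 'after' handler binds the input as a parameter.
FIXED_SRC = '''
def lookup(conn, username):
    query = "SELECT id FROM users WHERE name = ?"
    return conn.execute(query, (username,)).fetchall()
'''

SINKS = {"execute"}  # assumption: any .execute(...) call is a SQL sink


def _is_tainted(node, tainted):
    """True if the expression may carry attacker-controlled data."""
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.BinOp):  # string concatenation
        return _is_tainted(node.left, tainted) or _is_tainted(node.right, tainted)
    if isinstance(node, ast.JoinedStr):  # f-strings
        return any(_is_tainted(v.value, tainted)
                   for v in node.values if isinstance(v, ast.FormattedValue))
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):  # "...{}".format(x)
        return any(_is_tainted(a, tainted) for a in node.args)
    return False


def sast_scan(src):
    """Static pass: the code is parsed, never run.

    Every parameter is treated as attacker-controlled (assumption), taint is
    propagated through plain assignments, and a finding is raised when the
    SQL-text argument of a sink call is tainted. Returns [(lineno, message)].
    """
    findings = []
    for func in ast.walk(ast.parse(src)):
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = {a.arg for a in func.args.args}
        changed = True
        while changed:  # propagate until no new variable becomes tainted
            changed = False
            for node in ast.walk(func):
                if isinstance(node, ast.Assign) and _is_tainted(node.value, tainted):
                    for tgt in node.targets:
                        if isinstance(tgt, ast.Name) and tgt.id not in tainted:
                            tainted.add(tgt.id)
                            changed = True
        for node in ast.walk(func):
            if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                    and node.func.attr in SINKS and node.args
                    and _is_tainted(node.args[0], tainted)):
                findings.append((node.lineno,
                                 f"tainted data reaches {node.func.attr}() query text"))
    return findings


def build_handler(src):
    """Load a constructed handler source and return its lookup() function."""
    namespace = {}
    exec(src, namespace)  # only ever run on the constructed samples above
    return namespace["lookup"]


def dast_probe(lookup):
    """Dynamic pass: the code is run, never read.

    Uses a throwaway in-memory database. A legitimate name returns one row;
    if a tautology payload returns more rows than that, or breaks the query
    syntax, the input reached the query structure.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    baseline = lookup(conn, "alice")
    try:
        probed = lookup(conn, "x' OR '1'='1")
    except sqlite3.Error:
        return "vulnerable: payload broke query syntax"
    if len(probed) > len(baseline):
        return "vulnerable: tautology returned extra rows"
    return "no injection observed"


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SRC), ("fixed", FIXED_SRC)):
        print(label, "SAST:", sast_scan(src))
        print(label, "DAST:", dast_probe(build_handler(src)))
```

The two passes find the same bug by opposite routes: the static pass reports the sink line in the vulnerable source without executing anything and stays silent on the parameterized fix, while the dynamic probe, knowing nothing about the source, observes that a tautology payload returns every row from the vulnerable handler and nothing from the fixed one. That complementarity is why the article recommends both.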
Although the government is reviewing and beefing up its cyber-security efforts, enterprises need to look out for their own interests and stay aware of security trends. Using tools like SAST and DAST may help them protect their organizations. But to really reduce risks, application security has to become an enterprise-wide priority, not just the IT department's concern. That way, the enterprise will make the front page of The Wall Street Journal on account of its solidity and growth -- not because of a security debacle.
Barbara Morris is a freelance writer living in New York City.