application risk prioritization - overview - secure360 2015 - part 1 of 2

App Security? There is a metric for that! by Yan Kravchenko

Upload: netspi

Post on 03-Aug-2015


App Security? There is a metric for that!

by Yan Kravchenko

About Me

Yan Kravchenko, CSSLP, CISSP, CISA, CISM, QSA
Compliance Advisory Practice Lead
[email protected]
612-455-8485
Twitter: @yanfosec
Contributor: https://www.netspi.com/blog/

Agenda

• Background – Why is this necessary?
• Defining Risk:
  ‒ Value / Potential Impact
  ‒ Maturity / Susceptibility
• Why Open SAMM?
• Dashboards – Decision Support Systems
• Demo

Background – Why Apps?

• The data perimeter is no longer networks and firewalls
• Application security has evolved into the keystone of organizations' security strategies
• Application security is complex and involves many aspects of security & technology
• Application security has been the cause of a significant percentage of security breaches

Alternatives

• BSIMM – expensive, cumbersome, proprietary
• Microsoft SDL – heavyweight, limited to MS
• Touchpoints – high-level, not enough details to execute
• CLASP – large collection of activities, but no priority ordering
• All alternatives are based on a concept that all applications have the same threat and risk profile

Risk Measurement Challenges

• Applications can be developed with different SDLC methodologies
• Inconsistent maturity of the design and embedded security mechanisms
• Applications range in size, complexity, and perception of risk
• Application security / maturity is difficult to normalize, contrast, and compare

Defining Application Risks

Defining Risk

• Significance / Impact
  ‒ What an application is
  ‒ Does not change without significant changes to the nature of the application
• Maturity / Susceptibility
  ‒ Maturity of the application
  ‒ Can be changed by implementing additional security controls
  ‒ Based on OWASP Software Assurance Maturity Model (SAMM)

Significance / Impact (Static)

• Customized for each organization
• Should not change unless the application or the organization undergoes big changes
• Focuses on application risk categories and attributes that are significant and meaningful
• Static risks can be used for risk calculation or presenting correlated risk scores as they relate to each static risk
• Static risks can be used to pivot data, highlighting internal initiatives

Maturity / Susceptibility (Dynamic)

• Based on OWASP Software Assurance Maturity Model (SAMM)
• Uses SAMM's questionnaire for determining the maturity model
• Answers to questions help calculate a numeric dynamic risk score as well as determine control maturity levels
• In addition to establishing the maturity level, SAMM provides detailed control implementation requirements

Why Open SAMM?

Software Assurance Maturity Model

[Figure: Secure Development Lifecycle (SAMM). Phases Design, Build, Test and Production run across the top; activities are placed from proactive to reactive: security requirements / threat modeling; coding guidelines, code reviews, static test tools; security testing, dynamic test tools; vulnerability scanning, WAF.]

SAMM

Governance

• Strategy & Metrics – Practice is focused on establishing the framework within an organization for a software security assurance program.
• Policy & Compliance – Practice is focused on understanding and meeting external legal and regulatory requirements.
• Education & Guidance – Practice is focused on arming personnel involved in the software life-cycle with knowledge and resources to design, develop, and deploy secure software.

Construction

• Threat Assessment – Practice is centered on identification and understanding of the project-level risks based on software functionality and the runtime environment.
• Security Requirements – Practice is focused on proactively specifying the expected behavior of software with respect to security.
• Secure Architecture – Practice is focused on proactive steps for an organization to design and build secure software by default.

Verification

• Design Review – Practice is focused on assessment of software design and architecture for security-related problems.
• Code Review – Practice is focused on inspection of software at the source code level in order to find security vulnerabilities.
• Security Testing – Practice is focused on inspection of software in the runtime environment in order to find security problems.

Deployment

• Vulnerability Management – Practice is focused on handling vulnerability reports and operational incidents.
• Environment Hardening – Practice is focused on building assurance for the runtime environments hosting software.
• Operational Enablement – Practice is focused on gathering security-critical information from the project teams building software and communicating it to the users and operators of the software.

OWASP SAMM – Maturity Levels

• SAMM Maturity Levels:
  0 – Implicit starting point representing the activities in the Practice being unfulfilled
  1 – Initial understanding and ad hoc provision of the Security Practice
  2 – Increased efficiency and/or effectiveness of the Security Practice
  3 – Comprehensive mastery of the Security Practice at scale

OWASP SAMM – Guidance

• Guidance for each level includes:
  ‒ Objective
  ‒ Activities
  ‒ Results
  ‒ Success Metrics
  ‒ Costs
  ‒ Personnel
  ‒ Related Levels

See: http://www.opensamm.org/

SAMM Assessment Process

• Supports lightweight and detailed assessments
• A lightweight assessment can be completed in less than one hour per application
• The assessment worksheet is comprised of simple Yes / No questions

Sample Dashboards – SAMM Scores

| SAMM Practice                          | Application 1 | Application 2 | Application 3 | Application 4 | Application 5 | Application 6 |
|----------------------------------------|---------------|---------------|---------------|---------------|---------------|---------------|
| Governance: Strategy & Metrics         | 0+            | 2+            | 0+            | 0+            | 0+            | 0+            |
| Governance: Policy & Compliance        | 0+            | 1+            | 0+            | 0+            | 0+            | 0+            |
| Governance: Education & Guidance       | 0+            | 2             | 2+            | 2+            | 2+            | 2+            |
| Construction: Threat Assessment        | 0+            | 1+            | 1+            | 0+            | 1+            | 1+            |
| Construction: Security Requirements    | 0             | 2+            | 0+            | 0+            | 1+            | 0+            |
| Construction: Security Architecture    | 1+            | 2             | 1+            | 1+            | 1+            | 1+            |
| Verification: Design Review            | 1+            | 0+            | 1+            | 0+            | 1             | 0+            |
| Verification: Code Review              | 1             | 2             | 3             | 1+            | 0+            | 3             |
| Verification: Security Testing         | 1+            | 1+            | 1+            | 0+            | 1+            | 0+            |
| Deployment: Vulnerability Management   | 1+            | 2+            | 1+            | 1+            | 1+            | 1+            |
| Deployment: Environment Hardening      | 0             | 2             | 0+            | 0             | 0             | 0+            |
| Deployment: Operational Enablement     | 0             | 2             | 0+            | 0+            | 0+            | 0+            |

Correlated Risk Analysis / Dashboards

Risk Correlation

Value * Maturity = Correlated Risk

• Value / Impact factors generate a numeric score, normalized against all applications
• SAMM activities generate a numeric score, based on answers provided as part of the SAMM assessment
• Provides a single measure of security for each application
• Can be applied uniformly across all applications
• Provides a “true” value, allowing a side-by-side comparison of all applications
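One way to turn the two scores into a ranked portfolio, as an added worked example rather than the presenter's own tool: the block below encodes the static impact factors that appear in the sample dashboards (average revenue, materially significant, number of clients, users per client), min-max normalizes each factor across all applications, converts the twelve SAMM practice levels into a 10-point maturity rating, inverts that into a susceptibility score, and multiplies the two so the result lands on the 0–100 scale used for the Cumulative Risk Score. The factor encodings, the 0–10 scales, the treatment of a "+" suffix on a SAMM level as half a level of progress, and the three-application sample portfolio are all assumptions made for this example, not values from the slides.

```python
"""Worked example of "Value * Maturity = Correlated Risk" (added example).

Assumptions, none of which come from the slides: how the static impact
factors are encoded and normalized, how SAMM levels map onto a 10-point
maturity rating, and that a "+" suffix on a SAMM level (as in the sample
SAMM score table) counts as half a level of progress toward the next level.
"""
from statistics import mean

SAMM_PRACTICES = (
    "Strategy & Metrics", "Policy & Compliance", "Education & Guidance",
    "Threat Assessment", "Security Requirements", "Secure Architecture",
    "Design Review", "Code Review", "Security Testing",
    "Vulnerability Management", "Environment Hardening", "Operational Enablement",
)
MAX_LEVEL = 3.0  # SAMM maturity levels run 0..3
SCALE = 10.0     # the dashboards use a 10-point scale

# Ordinal encodings for the categorical impact factors (assumed).
REVENUE = {"Minimal": 1, "Moderate": 2, "Large": 3, "Very Large": 4}
MATERIAL = {"No": 0, "Somewhat": 1, "Yes": 2}


def samm_level(raw):
    """Parse a SAMM score cell such as 2, "1" or "1+" into a number 0..3.
    A trailing "+" is assumed to mean partial progress toward the next
    level and is counted as +0.5, capped at MAX_LEVEL."""
    text = str(raw).strip()
    bonus = 0.5 if text.endswith("+") else 0.0
    level = float(text.rstrip("+"))
    if not 0 <= level <= MAX_LEVEL:
        raise ValueError(f"SAMM level out of range: {raw!r}")
    return min(level + bonus, MAX_LEVEL)


def maturity_rating(samm):
    """Dynamic score: average SAMM level across all 12 practices, on 0..10."""
    missing = [p for p in SAMM_PRACTICES if p not in samm]
    if missing:
        raise ValueError(f"assessment incomplete, missing practices: {missing}")
    return mean(samm_level(samm[p]) for p in SAMM_PRACTICES) / MAX_LEVEL * SCALE


def susceptibility(samm):
    """Low maturity means high susceptibility: invert the maturity rating."""
    return SCALE - maturity_rating(samm)


def minmax(values):
    """Normalize one impact factor across the portfolio to 0..1. If every
    application has the same value the factor carries no information and
    contributes 0 for everyone instead of dividing by zero."""
    lo, hi = min(values), max(values)
    if hi == lo:
        return [0.0 for _ in values]
    return [(v - lo) / (hi - lo) for v in values]


def impact_scores(apps):
    """Static Value / Impact score per application on 0..10, normalized
    against all applications in the portfolio."""
    names = list(apps)
    factors = {
        "revenue": [REVENUE[apps[n]["revenue"]] for n in names],
        "material": [MATERIAL[apps[n]["materially_significant"]] for n in names],
        "clients": [apps[n]["clients"] for n in names],
        "users_per_client": [apps[n]["users_per_client"] for n in names],
    }
    normalized = {f: minmax(vals) for f, vals in factors.items()}
    return {n: mean(normalized[f][i] for f in normalized) * SCALE
            for i, n in enumerate(names)}


def correlated_risk(apps):
    """Value * Maturity: product of the two 0..10 scores, so the result is
    0..100 like the Cumulative Risk Score axis on the dashboards. Returns
    (name, value, susceptibility, risk) tuples, highest risk first."""
    values = impact_scores(apps)
    rows = []
    for name, app in apps.items():
        v, s = values[name], susceptibility(app["samm"])
        rows.append((name, round(v, 2), round(s, 2), round(v * s, 2)))
    return sorted(rows, key=lambda r: r[3], reverse=True)


def uniform_samm(level):
    """Helper for the sample data: the same level for every practice."""
    return {p: level for p in SAMM_PRACTICES}


# Constructed sample portfolio (not from the slides).
PORTFOLIO = {
    "Payments": {"revenue": "Very Large", "materially_significant": "Yes",
                 "clients": 12000, "users_per_client": 800, "samm": uniform_samm(2)},
    "Customer Portal": {"revenue": "Large", "materially_significant": "Somewhat",
                        "clients": 6000, "users_per_client": 200, "samm": uniform_samm("1+")},
    "Intranet Wiki": {"revenue": "Minimal", "materially_significant": "No",
                      "clients": 0, "users_per_client": 50, "samm": uniform_samm(0)},
}

if __name__ == "__main__":
    for name, value, susc, risk in correlated_risk(PORTFOLIO):
        print(f"{name:16} value={value:5.2f} susceptibility={susc:5.2f} risk={risk:6.2f}")
```

Run as a script to print the ranking. The Intranet Wiki ends up at zero even though it has no security practices at all: min-max normalization pins the portfolio's lowest-impact application to a value of 0, so the product discounts it entirely. That is the intended effect of multiplying value by maturity, and it is also why the slides insist the static factors be customized so that they are significant and meaningful for the organization; a factor set that leaves a genuinely important application at the bottom of every scale will hide it.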

Sample Dashboards

[Chart: Correlated Application Security. Scatter plot of SDLC Maturity Risk against Business Impact Risk, both on a 0–10 scale, one point per application, App 1 through App 12.]

Sample Dashboards

[Chart: Overall Maturity Categories. Bar chart of Maturity Rating (10 point scale, 0.0–10.0) for Governance, Construction, Verification and Deployment.]

Sample Dashboards

[Charts: Maturity rating per SAMM practice (0.0–10.0 scale), one bar chart per business function: Governance (Strategy & Metrics, Policy & Compliance, Education & Guidance); Construction (Threat Assessment, Security Requirements, Security Architecture); Verification (Design Review, Code Review, Security Testing); Deployment (Vulnerability Management, Environment Hardening, Operational Enablement).]

Sample Dashboards

[Chart: Application Risk Scores. Bar chart on a 0–100 scale, one bar per application, App 1 through App 15.]

Sample Dashboards

[Chart: SDLC Maturity Risk against Business Impact Risk, both on a 0.0–10.0 scale, with points grouped by Average Revenue: Very Large, Large, Moderate, Minimal.]

Sample Dashboards

[Chart: Average Revenue Scores. Bar chart on a 0.0–100.0 scale for the Very Large, Large, Moderate and Minimal revenue categories.]

Sample Dashboards

[Chart: Materially Significant. Bar chart on a 0.0–100.0 scale for the answers Yes, Somewhat and No.]

Sample Dashboards

[Chart: Number of Clients Risk Datagram. Cumulative Risk Score (0–100) plotted against Number of Clients (0–12,000), one point per application, App 1 through App 15, with Excessive Risk and Acceptable Risk regions marked.]

Sample Dashboards

[Chart: Average Number of Users per Client Risk Datagram. Cumulative Risk Score (0–100) plotted against Average Number of Users per Client (0–900), one point per application, App 1 through App 15, with Excessive Risk and Acceptable Risk regions marked.]

Time for a quick demo…

“Hands-On” Demo…

Tomorrow at 9:45am in Room 10

Summary

• Enhanced ability to manage the entire application security portfolio
• Normalizes risk scoring between different applications
• Allows application security optimization through efficient “what-if” calculations
• Helps identify insecure applications
• Metrics support the ability to make application security decisions
• Measures accomplishments and highlights application risk reduction activities

Questions?

• Application Value / Potential Impact
• Maturity / Susceptibility
• Open SAMM
• Risk Correlation
• Dashboards

Yan Kravchenko – 612-455-8485
[email protected]

Thank you!