
Page 1: Bootstrapping the Application Assurance Process

Copyright © 2006 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.

The OWASP Foundation
OWASP AppSec Europe, May 2006, http://www.owasp.org/

Bootstrapping the Application Assurance Process

Sebastien Deleersnyder, Belgium OWASP Chapter Leader, Ascure
[email protected]

Page 2

Sebastien Deleersnyder?
- 5 years of Developer Experience
- 5 years of Information Security Experience
- Principal Application Security Consultant @ Ascure:
  - Web Application/Services Security Testing
  - Training Web Application/Services Security
  - Initiating & Improving Application Security Assurance
- Belgian OWASP Chapter Leader

Page 3

Agenda
- Application Security Assurance?
- Risk Management
- Bootstrap Application Security Assurance Cycle
- User Story: Mercator Insurances
- Outsourced Development
- Roundup


Page 5

Application Security Problem
- Business demands more: automation, availability, adaptability
- Growing connectivity / user base
- Increasing complexity of software
- Rush software out without adequate security testing
- Poor security training and awareness

75% of vulnerabilities are application related (Gartner + NIST-ICAT)

Page 6

Cost of Insecure Software
- More maintenance (updates, patches)
- Lost: money, productivity, information, image / reputation

Page 7

The Solution

[Diagram: unauthorized access stopped (STOP) at the network, software and data layers]

Application Security Assurance: understand and manage your software security risk.

Page 8

Application Security Assurance

Combination of People, Processes, and Technology to identify, measure, and manage Risk presented by COTS(*), open source, and custom applications.

[Diagram: People, Processes and Technology arranged around Risk Mgmt]

(*) Commercial Off The Shelf

Page 9

Agenda
- Application Security Assurance: People, Processes, Technology
- Risk Management
- Bootstrap Application Security Assurance Cycle
- User Story: Mercator Insurances
- Outsourced Development
- Roundup

Page 10

People

Awareness of decision makers:
- Board of Directors
- Audit and Assurance (Risk Management)
- CEO/CFO/CIO
- Executive(s) responsible for systems development and change management
- Sales & Product Management!

Page 11

People

Teach your developers to “fish”:

“Give a man a fish and you feed him for a day; teach a man to fish and you feed him for a lifetime.” (Chinese proverb)

Meaning:
- Developer awareness
- Secure design guidelines
- Secure implementation practices

Page 12

Agenda
- Application Security Assurance: People, Processes, Technology
- Risk Management
- Bootstrap Application Security Assurance Cycle
- User Story: Mercator Insurances
- Outsourced Development
- Roundup

Page 13

Processes

Build security into:
- Development process
- Deployment process

Page 14

“Integrate” Security within Application Life Cycle

[Diagram: lifecycle phases with the security activity attached to each]
- Requirements / Use Cases: Security Requirements / Abuse Cases
- Design: Threat Modeling / Secure Design
- Code: Code Review
- Test: Risk Based Security Testing
- Deploy: Secure Config / CM / App FWs

Page 15

Security Requirements / Abuse Cases
- Define “Secure” & “Reliable”
- Use <-> Abuse Cases
- UML based
- Better understanding
- Foundation for the rest of the AppSec controls

Page 16

Abuse Cases

Source: Templates for Misuse Case Description, Sindre & Opdahl

Page 17

Threat Modeling

Select mitigation strategy & techniques based on identified, documented and rated threats.

Benefits:
- Prevent security design flaws
- Identify & address greatest risks
- Increased risk awareness and understanding
- Mechanism for reaching consensus
- Cost justification and support for needed controls
- Means for communicating results

Page 18

Secure Design

Principles (*):
- Secure the weakest link
- Practice defence in depth
- Fail securely
- Follow the principle of least privilege
- Compartmentalize
- Keep it simple
- Promote privacy
- Remember that hiding secrets is hard
- Be reluctant to trust
- Use your community resources

Future proof security design!

(*) Building Secure Software, Viega & McGraw

Page 19

Code Review
- Security bugs are a subset of implementation bugs!
- Static / dynamic analysis tools
- Requires manual inspection
- Threat-based

Benefits:
- Improves code quality
- Prevents security bugs
- Increased developer awareness and understanding

Page 20

Application Security Testing
- Focus on application vulnerabilities
- Tools can do the automated work
- Experienced testers
- Black / white box security testing

Page 21

Deployment Process

Ensure the application configuration is secure.

Security is increasingly “data-driven”: XML files, property files, scripts, databases, directories.

How do you control and audit this data?
- Design configuration data for audit
- Put all configuration data in CM
- Audit configuration data regularly
- Don’t allow configuration changes in the field

Gap: Development - Deployment
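The three controls above (all configuration data in CM, regular audits, no changes in the field) can be mechanised as a drift audit: record a digest of every configuration file as approved in CM, then compare what is actually deployed. The Python below is an added example and not part of the presentation; the baseline format (relative path to SHA-256 digest), the file names, the suffix list and the tampering scenario are constructed assumptions.

```python
"""Configuration drift audit: compare the configuration files of a deployment
against the baseline held in configuration management (CM).

Added example, not from the OWASP presentation.  The baseline format
(relative path -> SHA-256 digest of the CM-approved content), the file names
and the constructed scenario are assumptions.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

CONFIG_SUFFIXES = (".xml", ".properties", ".sh")  # the "data-driven" security artefacts


@dataclass
class DriftReport:
    modified: list = field(default_factory=list)    # content differs from CM
    missing: list = field(default_factory=list)     # in CM but not deployed
    unexpected: list = field(default_factory=list)  # deployed but never put in CM

    def clean(self) -> bool:
        return not (self.modified or self.missing or self.unexpected)


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(cm_files: dict) -> dict:
    """Record a digest of every configuration file as approved in CM."""
    return {rel: sha256_bytes(content) for rel, content in cm_files.items()}


def audit_configuration(deploy_root: str, baseline: dict) -> DriftReport:
    """Walk the deployment and classify every configuration file against the baseline."""
    report = DriftReport()
    seen = set()
    for dirpath, _, filenames in os.walk(deploy_root):
        for name in filenames:
            if not name.endswith(CONFIG_SUFFIXES):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, deploy_root).replace(os.sep, "/")
            seen.add(rel)
            if rel not in baseline:
                report.unexpected.append(rel)
            elif sha256_file(full) != baseline[rel]:
                report.modified.append(rel)
    report.missing.extend(rel for rel in baseline if rel not in seen)
    for lst in (report.modified, report.missing, report.unexpected):
        lst.sort()
    return report


def demo(tamper: bool = True) -> DriftReport:
    """Constructed scenario: CM holds three files; with tamper=True the deployed
    copy has a field change, a dropped file and a stray script."""
    cm_files = {
        "conf/app.xml": b"<app><debug>false</debug></app>\n",
        "conf/db.properties": b"db.user=app\ndb.pool=10\n",
        "conf/audit.properties": b"audit.enabled=true\n",
    }
    baseline = build_baseline(cm_files)
    deployed = dict(cm_files)
    if tamper:
        deployed["conf/app.xml"] = b"<app><debug>true</debug></app>\n"  # changed in the field
        del deployed["conf/audit.properties"]                           # auditing quietly removed
        deployed["conf/hotfix.sh"] = b"#!/bin/sh\necho hotfix\n"         # never went through CM
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "conf"))
        for rel, content in deployed.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(content)
        return audit_configuration(root, baseline)


if __name__ == "__main__":
    r = demo()
    print("modified:", r.modified, "missing:", r.missing, "unexpected:", r.unexpected)
```

Each of the three findings maps to one of the slide's rules: a modified file is a change made in the field, a missing file means the deployed set no longer matches CM, and an unexpected file is configuration that never went through CM at all. Running the audit on a schedule is the "audit configuration data regularly" step.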

Page 22

Agenda
- Application Security Assurance: People, Processes, Technology
- Risk Management
- Bootstrap Application Security Assurance Cycle
- User Story: Mercator Insurances
- Outsourced Development
- Roundup

Page 23

Technology

Do not develop on islands, but look for company wide:
- Frameworks: J2EE, .NET
- Web Services: new ballgame or same thing?
- Leverage PKI, IAM initiatives
- Vulnerability scanners
- Application level firewalls

Page 24

Agenda
- Application Security Assurance
- Risk Management
- Bootstrap Application Security Assurance Cycle
- User Story: Mercator Insurances
- Outsourced Development
- Roundup

Page 25

Risk Management

Risk Management: “Looking both ways before crossing the road”

Risk: “The possibility of suffering harm or loss”

Management: “The act or art of managing; the manner of treating, directing, carrying on, or using, for a purpose”

Page 26

Risk Management?

The process concerned with identification, measurement, control and minimization of security risks in information systems to a level commensurate with the value of the assets protected.

Page 27

Risk Management
- Deeply influenced by business objectives
- Each business has a different risk profile
- Risk changes over time

Page 28

The foundation of security

Risk is the combination of a threat exploiting some vulnerability that could cause harm to some asset.

[Diagram: Risk where Threat and Vulnerability overlap]

Page 29

Handling Risks

Methods of risk treatment:
- Mitigate or suppress
- Accept
- Transfer (insurance)
- Ignore (poor – often used)

Types of countermeasures:
- Preventive
- Detective
- Corrective

In case of risk acceptance:
- Request documented justification
- Get formal approbation (sign-off) by senior management
- Have the decision reviewed after 6 to 12 months

Page 30

Residual Risk

Residual Risk is a combined function of (1) a threat less the effect of some threat reducing safeguards; (2) a vulnerability less the effect of some vulnerability reducing safeguards; and (3) an asset less the effect of some asset value reducing safeguards.
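The three preceding slides (risk as threat exploiting vulnerability to harm an asset, the treatment methods with the conditions for accepting a risk, and residual risk as each factor less its safeguards) can be carried into a small risk register. The Python below is an added example and not part of the presentation; the multiplicative scoring model (threat × vulnerability × asset value, each factor reduced by the fraction its safeguard removes), the risk-appetite threshold and every register entry are constructed assumptions chosen to illustrate the slides' wording.

```python
"""Risk register: inherent vs. residual risk, risk treatment and the
conditions for accepting a risk.

Added example, not from the OWASP presentation.  The multiplicative scoring
(threat x vulnerability x asset value, each factor reduced by its own
safeguard) and every register entry are constructed assumptions that
illustrate the slides' wording; real programmes use their own scales.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class Treatment(Enum):
    MITIGATE = "mitigate"   # or suppress
    ACCEPT = "accept"
    TRANSFER = "transfer"   # e.g. insurance
    IGNORE = "ignore"       # poor, but often used


@dataclass
class Risk:
    name: str
    threat: float            # likelihood that a threat acts, 0..1
    vulnerability: float     # likelihood the threat succeeds, 0..1
    asset_value: float       # harm if the asset is compromised (currency units)
    threat_reduction: float = 0.0   # fraction removed by threat-reducing safeguards
    vuln_reduction: float = 0.0     # fraction removed by vulnerability-reducing safeguards
    asset_reduction: float = 0.0    # fraction removed by asset-value-reducing safeguards
    treatment: Treatment = Treatment.MITIGATE
    justification: str = ""
    signed_off_by: str = ""
    decided_on: Optional[date] = None
    review_on: Optional[date] = None

    def inherent_risk(self) -> float:
        """Threat exploiting a vulnerability to harm an asset, before safeguards."""
        return self.threat * self.vulnerability * self.asset_value

    def residual_risk(self) -> float:
        """Each factor less the effect of its safeguards, then recombined."""
        t = self.threat * (1.0 - self.threat_reduction)
        v = self.vulnerability * (1.0 - self.vuln_reduction)
        a = self.asset_value * (1.0 - self.asset_reduction)
        return t * v * a


def acceptance_violations(risk: Risk) -> list:
    """The slide's conditions for an accepted risk: documented justification,
    senior-management sign-off, and a review 6 to 12 months after the decision."""
    problems = []
    if risk.treatment is not Treatment.ACCEPT:
        return problems
    if not risk.justification.strip():
        problems.append("no documented justification")
    if not risk.signed_off_by.strip():
        problems.append("no senior-management sign-off")
    if risk.decided_on is None or risk.review_on is None:
        problems.append("no review date scheduled")
    elif not timedelta(days=182) <= risk.review_on - risk.decided_on <= timedelta(days=366):
        problems.append("review not scheduled 6 to 12 months after the decision")
    return problems


def register_report(risks: list, risk_appetite: float) -> dict:
    """Residual risk per entry, entries above the appetite, ignored entries and
    acceptance decisions that fail the checks."""
    residual = {r.name: r.residual_risk() for r in risks}
    return {
        "residual": residual,
        "over_appetite": sorted(n for n, v in residual.items() if v > risk_appetite),
        "ignored": sorted(r.name for r in risks if r.treatment is Treatment.IGNORE),
        "invalid_acceptances": {
            r.name: acceptance_violations(r) for r in risks if acceptance_violations(r)
        },
    }


# Constructed register entries (illustrative values only).
REGISTER = [
    Risk("SQL injection in claims portal", threat=0.9, vulnerability=0.8, asset_value=100_000,
         vuln_reduction=0.9,            # input validation + parameterised queries
         treatment=Treatment.MITIGATE),
    Risk("Verbose error pages in intranet tool", threat=0.3, vulnerability=0.5, asset_value=10_000,
         treatment=Treatment.ACCEPT, justification="internal users only; fix scheduled in next release",
         signed_off_by="CIO", decided_on=date(2006, 5, 1), review_on=date(2006, 11, 1)),
    Risk("Unpatched legacy batch server", threat=0.5, vulnerability=1.0, asset_value=50_000,
         treatment=Treatment.ACCEPT,   # accepted without the paperwork
         decided_on=date(2006, 5, 1), review_on=date(2006, 6, 1)),
    Risk("Outdated copyright notice in footer", threat=0.1, vulnerability=0.1, asset_value=100,
         treatment=Treatment.IGNORE),
]


if __name__ == "__main__":
    for name, value in register_report(REGISTER, risk_appetite=5_000).items():
        print(f"{name}: {value}")
```

The report separates the two questions a project board has to answer at sign-off: which entries still sit above the risk appetite after safeguards (the residual risk the later "Process Gateway Checks" slide asks to be reported), and which acceptances lack the justification, sign-off or review date the slide requires.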

Page 31

Risk Analysis – Threat Modeling

Company Level - Risk Analysis:
- Perform Business Risk Analysis
- Identify Critical Business Applications
- Focus on Business Risks
- Ownership?

Application Level - Threat Modeling:
- What are the real threats against the application?
- Focus on Technical Threats

Page 32

Success Factors
- Obtain management support
- Involve Business and Technical experts
- Designate focal points
- Define procedures
- Document and maintain results

Page 33

Results
- Assurance that greatest risks have been identified and addressed
- Increased awareness and understanding of the risks
- Mechanism for reaching consensus
- Cost justification and support for needed controls
- Means for communicating results
- Compliance & Audit reporting

Page 34

Cost vs. Security

[Chart: Security (vertical axis) against Cost (horizontal axis), marking “Maximum viable security”, “Targeted balance”, “Sub-optimal security spending” and “Maximum allowable cost”]

“Maximum allowable cost” is found through Risk Management.

Page 35

Agenda
- Application Security Assurance
- Risk Management
- Bootstrap Application Security Assurance Cycle
- User Story: Mercator Insurances
- Outsourced Development
- Roundup

Page 36

How to Start?
- No Big Bang approach
- Trigger can be the (bad) result of a Web App Pen Test
- First business case! Then Bootstrap!

Page 37

Business Case

For use throughout the lifecycle and the entire software portfolio:
- Contracting Phase
- Development Phase
- Deployment/Production Phase
- Audit Phase

Benefits:
- Cost savings
- Risk measurement and reduction
- Compliance reporting

Page 38

Cost Savings

Significantly reduce the costs associated with new and deployed products:
- A flaw that costs $1 to fix in the design and development phase will cost $100 to correct once it is deployed
- Reduce development time and number of cycles
- Patch management costs
- Contractor and vendor costs

“Removing only 50 percent of software vulnerabilities before use will reduce patch management and incident response costs by 75 percent.” (John Pescatore, Gartner)

Page 39

Risk measurement and reduction
- Eliminate vulnerabilities before they become liabilities
- Manage the risks of serious financial loss, negative publicity, legal liability, loss of contracts, erosion of market share, degraded performance or other serious business impact as a result of a failure in security
- Set, enforce and report that software assurance thresholds are maintained
- Measurable reports prove progress internally and for compliance

Page 40

Compliance Reporting

Compliance reporting:
- Comply with legal and regulatory requirements
- Regularly assess risk, disclose vulnerabilities and weaknesses, and prove progress both internally and for compliance requirements

Scope & application:
- Risk assessments are mandatory for most regulations, including application vulnerability detection
- Example internal control frameworks: CobiT, ISO 17799
- Example regulations: Basel II, FISMA (NIST 800-53), DoD 8500.2, Sarbanes-Oxley, FDA, HIPAA …

Page 41

BootStrap!
- Identify current way of working!
- Set goals and start with a phased approach
- Compare this with the security strategy (can already be set out in a secure development policy)
- Perform a gap analysis and proceed with process improvement cycles:
  - Tailor to Company Culture!
  - Driven by Risk Management!

Page 42

Quality – Application Security Analogy

Level          | Quality           | Application Security
---------------|-------------------|-----------------------------------------------------------
Industry level | ISO standards     | OWASP guidelines / standards ?
Company level  | Quality Assurance | Application Security Assurance: set up AppSec Assurance Framework for Development & Deployment Process
Project level  | Quality Control   | AppSec Controls: part of development and deployment of one application

Page 43

Driver for Improvement Process

[Diagram with the elements: Accountability, Organisation, Reporting (develop metrics), Risk Management, Strategy, Governance, Development, Deployment]

Page 44

Company Wide
- Identify Business Critical, High Risk projects to focus on, e.g. through BIA
- Focus on business risks!
- Must align Application Security Assurance with the company's "Risk Appetite"

Page 45

Process Gateway Checks
- Introduce process gateway checks to be formally reported by the project manager for project board sign-off (including residual risk!)
- Introduce Application Security Controls in a phased approach
- Requirements phase is key for new projects:
  - Security specifics must be part of functional requirements (not bolted on later!)
  - Awareness for stake-holders / project sponsors!

Page 46

“Natural” Allies

QA: Security vulnerabilities are to be considered bugs, the same way as a functional bug, and tracked in the same manner.

PMO: Factor some time into the project plan for security. Consider security as added value in an application.
- $1 spent up front saves $10 during development and $100 after release

Page 47

Application Security Defect Tracking and Metrics

“Every security flaw is a process problem”

Tracking security defects: find the source of the problem
- Bad or missed requirement, design flaw, poor implementation, etc.

ISSUE: can you track security defects the same way as other defects?

Metrics:
- What lifecycle stage are most flaws originating in?
- What security mechanisms are we having trouble implementing?
- What security vulnerabilities are we having trouble avoiding?
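Tracking security defects in the same tracker as functional bugs works if each record carries the lifecycle stage the flaw originated in, the stage it was found in, and the mechanism involved; the three metric questions on the slide then become simple queries over that record. The Python below is an added example and not part of the presentation; the record schema and the defect list are constructed, and the 1 / 10 / 100 cost weights are an assumption that mirrors the $1 / $10 / $100 ratio quoted on the "Natural Allies" slide.

```python
"""Security defect tracking and metrics for the three questions on the slide.

Added example, not from the OWASP presentation.  The record schema, the
constructed defect list and the cost weights are assumptions; the 1 / 10 / 100
weights mirror the $1 / $10 / $100 ratio quoted on the "Natural Allies" slide
for a flaw caught up front, during development, or after release.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityDefect:
    defect_id: str
    origin_phase: str    # lifecycle stage where the flaw was introduced
    found_phase: str     # design | development | release (when it was caught)
    vuln_class: str      # what kind of vulnerability it is
    mechanism: str       # security mechanism that was missing or wrong


# Relative cost of fixing a flaw, by the phase in which it is found (assumption).
COST_WEIGHT = {"design": 1, "development": 10, "release": 100}

# Constructed defects, tracked alongside functional bugs.
DEFECTS = [
    SecurityDefect("SEC-1", "requirements", "release", "access control", "authorization"),
    SecurityDefect("SEC-2", "design", "development", "access control", "authorization"),
    SecurityDefect("SEC-3", "implementation", "development", "injection", "input validation"),
    SecurityDefect("SEC-4", "implementation", "release", "injection", "input validation"),
    SecurityDefect("SEC-5", "implementation", "development", "cross-site scripting", "output encoding"),
    SecurityDefect("SEC-6", "deployment", "release", "misconfiguration", "secure configuration"),
    SecurityDefect("SEC-7", "design", "design", "session fixation", "session handling"),
    SecurityDefect("SEC-8", "implementation", "development", "injection", "input validation"),
]


def flaws_by_origin(defects) -> dict:
    """Which lifecycle stage are most flaws originating in?"""
    return dict(Counter(d.origin_phase for d in defects))


def troublesome_mechanisms(defects, top=3) -> list:
    """Which security mechanisms are we having trouble implementing?"""
    return Counter(d.mechanism for d in defects).most_common(top)


def troublesome_vuln_classes(defects, top=3) -> list:
    """Which vulnerabilities are we having trouble avoiding?"""
    return Counter(d.vuln_class for d in defects).most_common(top)


def relative_fix_cost(defects) -> int:
    """Sum of the cost weights for the phase each flaw was actually found in."""
    return sum(COST_WEIGHT[d.found_phase] for d in defects)


def escaped_to_release(defects) -> list:
    """Defect ids that reached production: each one is a process gap to investigate."""
    return [d.defect_id for d in defects if d.found_phase == "release"]


def metrics_report(defects=DEFECTS) -> dict:
    return {
        "by_origin": flaws_by_origin(defects),
        "mechanisms": troublesome_mechanisms(defects),
        "vuln_classes": troublesome_vuln_classes(defects),
        "relative_fix_cost": relative_fix_cost(defects),
        "escaped_to_release": escaped_to_release(defects),
    }


if __name__ == "__main__":
    for key, value in metrics_report().items():
        print(f"{key}: {value}")
```

On the constructed data the report points at implementation as the stage most flaws originate in and input validation as the mechanism the teams struggle with, which is the kind of evidence that turns "every security flaw is a process problem" into a concrete training or guideline change; the escaped-to-release list is where the cost weight concentrates.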

Page 48

Roles

Role of security architect (cross-development projects):
- ensure security goals are reached during all cycles of the development process
- create awareness within development teams, business
- bridge function to "IT Security"
- mentor the security engineers and project leaders

Role of security engineer (part of project team):
- SPOC within development team for all security related matters

Search for Champions!

Page 49

Agenda
- Application Security Assurance
- Risk Management
- Bootstrap Application Security Assurance Cycle
- User Story: Mercator Insurances
- Outsourced Development
- Roundup

Page 50

Bootstrapping User Story – Mercator Insurances
- Triggered by application assessment on critical Web Applications
- Tailored Best Practices to Mercator Development & Deployment Process
  - Interviews with key actors
  - Support by Mercator Security Architect
  - Included PMO
- Workshops for developer awareness & involvement in AppSec Assurance process

Page 51

Split Secure Development Guidelines
- Different involved people
- Different environments

Page 52

Added Security Checkpoints in phased approach

Page 53

Lessons Learned
- Management support
- Look for Quick Wins
- Convince developers + other parties: interviews, awareness & empowerment through workshops
- Include PMO: provide PM checklist, sign-off responsibility!
- Identify & leverage existing access control and authorization frameworks
- Bridge gap development - deployment

Page 54

Agenda
- Application Security Assurance
- Risk Management
- Bootstrap Application Security Assurance Cycle
- User Story: Mercator Insurances
- Outsourced Development
- Roundup

Page 55

Software Security Assurance in Outsourcing
- Define security requirements and priorities
- Assign responsibility for identifying and remediating coding flaws
- Reserve the right to audit
- Save money by ensuring that testing eliminates major security issues pre-deployment
- Negotiate a more active contract with less time for rework needed at the end

Page 56

Benefits for Outsourced development

Cost savings:
- No additional hours and fees to fix software
- No lost revenue due to delay in deployment

Risk measurement and reduction:
- Providers understand what’s expected
- Enforce internal security policies regardless of code source
- A reduced patch and fix cycle speeds deployment
- Set security acceptance and release criteria

Compliance reporting

OWASP Legal Project?

Page 57

Agenda
- Application Security Assurance
- Risk Management
- Bootstrap Application Security Assurance Cycle
- User Story: Mercator Insurances
- Outsourced Development
- Roundup

Page 58

Roundup

Embed within a complete approach:
- Educate people
- Add security best practices to processes
- Tailor secure design guidelines to company culture
- Leverage existing tools & practices

Risk Management is Key!

Get the Improvement Cycle going!
- Cultural changes
- Bridge Building

Page 59

Gartner 2006(*): Proper execution improves application security, reduces overall costs, increases customer satisfaction and yields a more-efficient SDLC.

(*) Gartner Report - Integrate Security Best Practices and Tools Into Software Development Life Cycle

Page 60

Thank You

Sebastien Deleersnyder [email protected]