Best Practices for a Mature Application Security Program

Upload: security-innovation

Post on 24-Jan-2017


Page 1: CSE June 2016: Best Practices for a Mature Appsec Program

Best Practices for a Mature Application Security Program

Page 2: CSE June 2016: Best Practices for a Mature Appsec Program

About the Presenter
Ed Adams, CEO of Security Innovation

• Ponemon Institute Distinguished Research Fellow
• Privacy by Design Ambassador
• CEO by trade; engineer by heart
• In younger days, built non-lethal weapons systems for the Federal Government

Page 3: CSE June 2016: Best Practices for a Mature Appsec Program

About Security Innovation

Specialization
• 15 years research on software vulnerabilities
• Security testing methodology adopted by SAP, Symantec, Microsoft, and McAfee
• Authors of 19 books; 10 co-authored with Microsoft

Products & Services
• STANDARDS: best practices adoption
• TRAINING: eLearning & instructor-led
• ASSESSMENT: software and SDLC

Reducing Application Security Risk
• Uncover critical vulnerabilities
• Roll out a secure, repeatable SDLC
• Build internal competency

Page 4: CSE June 2016: Best Practices for a Mature Appsec Program

Agenda
• Industry Research & Insight: Where do Companies Struggle?
• Understanding Threats and Attacks to Software Applications as well as Various Platforms and Languages
• Optimizing your Software Development Lifecycle (SDLC)

Page 5: CSE June 2016: Best Practices for a Mature Appsec Program

Understanding Root Cause of Vulnerabilities

• Failure to set requirements and standards

• Not enough training and education

• Lack of process

• Vulnerabilities are unintended functionality

Page 6: CSE June 2016: Best Practices for a Mature Appsec Program

Disconnect Between Security and Software Teams

Ponemon Application Security Research Study: percentage of respondents agreeing with each statement, Developers vs. Security (bar chart, 0% to 70% scale; the per-statement values are not legible in this transcript):

• There are ample resources to ensure all IT security requirements are accomplished
• IT security can hire and retain knowledgeable and experienced security practitioners
• The IT security leader is a member of the executive team
• IT security responds quickly to new challenges and issues
• The IT security function is able to prevent serious cyber attacks such as advanced persistent threats
• Appropriate steps are taken to comply with the leading IT security standards
• IT security strategy is fully aligned with the business strategy
• Security & data protection policies are well-defined and fully understood by employees
• Security technologies are adequate in protecting our information assets and IT infrastructure
• Application security is a top priority in my organization

Cisco report indicates that Applications (32.6%) and Infrastructure (41.9%) were the top categories exploited.*

*Cisco 2015 Annual Security Report

Page 7: CSE June 2016: Best Practices for a Mature Appsec Program

The Organizational Disconnect

IT/GRC/InfoSec historically focused on network/endpoint security
• Developers and SDLC are now “in scope”

Tools are a typical first step
• Both sides have different perspectives on what policies and procedures are in place

How did we handle performance, reliability?
• Security needs to be a standard part of the process

Page 8: CSE June 2016: Best Practices for a Mature Appsec Program

Implications: Aligning Management & Staff

Developers don’t always understand policies
  o “Ensure applications are coded so as not to be susceptible to OWASP Top 10”: what does this mean to an Objective-C iOS developer?

Lack of policy enforcement renders the mandate invisible

Management, security and engineers all speak different languages
  o “Confidential data must be protected”: Protected from what? How do I protect it?
  • Architecture guidance?
  • Coding standards?
  • Remediation specifics once vulnerabilities are found?
    • e.g., user input sanitization…. how do I do that in ASP.NET 3.5?

Page 9: CSE June 2016: Best Practices for a Mature Appsec Program

Organizations Don’t Have a Defined SDLC

SDLC Still Lacking
  o Tools aren’t integrated into the SDLC
  o Security automation often used after deployment (too late?)
  o Policies and standards are still rare

Forrester: “Organizations implementing an SDLC showed better ROI than the overall population”

Aberdeen: Adopting a formal SDLC process increases security and reduces severity and cost of vulnerability incidents while generating a 4x ROI compared to other application security approaches

There are well-known and widely adopted secure SDLC practices; it’s a matter of pulling it all together

Page 10: CSE June 2016: Best Practices for a Mature Appsec Program

Building Security In

Department of Homeland Security: “Regardless of which statistic is used, there is a substantial cost savings for fixing security flaws during requirements gathering than deployment*”

Gartner: “Finding bugs at operations time costs you up to 100 percent effort”

Relative cost of fixing security flaws during the different development phases (chart of cost over time):
• Design: 1
• Implementation: 6.5
• Testing: 15
• Post Release: 60

Source: National Institute of Standards & Technology (NIST)

*DHS: Estimating Benefits from Investing in Secure Development

Page 11: CSE June 2016: Best Practices for a Mature Appsec Program

Comprehensive & Specialized Skills

Mature organizations have application security training programs in place for their developers to focus on:
  o Specific role-based responsibilities
  o Offensive and defensive tactics
  o Application security policies
  o Areas of vulnerability
  o Best practices for standards to be followed
  o Various platforms and languages

19% of developers believe their organization’s training program is up-to-date
- Ponemon Institute

An effective training program can reduce vulnerabilities by 25%
- Forrester

Page 12: CSE June 2016: Best Practices for a Mature Appsec Program

Does Application Security Pay?

Companies reported substantial efficiency gains and risk reduction even BEFORE implementing a formal SDLC program:
  o Cut vulnerability fix times from 1 to 2 weeks to about 1 to 2 days
  o Observed that repeat vulnerabilities dropped from 80% to 0%
  o Operational improvements led to expense benefits valued at more than $2 million per team over the course of 2 years

Source: Mainstay Partners/HP – Does Application Security Pay?

Page 13: CSE June 2016: Best Practices for a Mature Appsec Program

Agenda
• Industry Research & Insight: Where do Companies Struggle?
• Understanding Threats and Attacks to Software Applications as well as Various Platforms and Languages
• Optimizing your Software Development Lifecycle (SDLC)

Page 14: CSE June 2016: Best Practices for a Mature Appsec Program

The Connected World

Connected homes, medical equipment, transportation are ALL vulnerable to software attacks

Page 15: CSE June 2016: Best Practices for a Mature Appsec Program

Language, Platform & Framework Nuances

Each language has unique idiosyncrasies and syntax issues
• C++ developers need to worry about memory-usage vulnerabilities
• Java and .NET have different security architectures and libraries
• Scripting languages such as Python can be difficult to secure

Each platform is unique
• Mobile: rogue client/server issues; data caching on device
• Cloud/Web: authorization issues; web services particularly vulnerable
• Embedded: breach the hardware root of trust and it is game over

Security policies are not enough
• Follow through with architecture and development standards
• Must explain “how” and “why,” not just “what”
• Must tie to specific roles and technologies

All software-borne exploits

Page 16: CSE June 2016: Best Practices for a Mature Appsec Program

Security is Ultimately a Software Problem

Network boundary plays a key role in “defense-in-depth”, but….
  o Misses the majority of security vulnerabilities
  o Ineffective when applications are internet facing
  o Attackers can/will break through

With the Internet, applications become the perimeter

We still invest exponentially more in network defenses

70-92% of vulnerabilities exist in the application, not the network layer*

* source: Gartner and NIST

Page 17: CSE June 2016: Best Practices for a Mature Appsec Program

…. and a Human Problem

Vulnerabilities are frequently the result of a failure in the engineering process

Developers have an implicit trust in the user
  o Often think of functionality rather than security
  o Not common to consider abuse cases

Education tailored to each environment is required
  o Particularly in the requirements and design phase, where few tools are available
  o Wide range of technologies and platforms is overwhelming

Page 18: CSE June 2016: Best Practices for a Mature Appsec Program

Agenda
• Industry Research & Insight: Where do Companies Struggle?
• Understanding Threats and Attacks to Software Applications as well as Various Platforms and Languages
• Optimizing your Software Development Lifecycle (SDLC)

Page 19: CSE June 2016: Best Practices for a Mature Appsec Program

Typical Maturity Progression

Tools are an important part of an AppSec program
Tools SUPPORT a solid FOUNDATION of people and process
Investment in people and process yields the most leverage

Page 20: CSE June 2016: Best Practices for a Mature Appsec Program

The Pitfalls of Automation

First instinct is “what tool can we buy?”

Tools can do a lot of heavy lifting faster than humans, but they….
  o Only find KNOWN vulnerabilities/patterns and can miss important issues
  o Don’t teach you how to fix vulnerabilities or prevent them in the future
  o Are useful as part of an assessment program, but shouldn’t be your sole solution

Analyzing results is time consuming and requires skill

Results:
  o Tools often become shelf-ware
  o Dev team pushes back against vulnerability management in the SDLC
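To make the “only find KNOWN patterns” point concrete, here is an added example (not from the presentation or any real product): a toy signature-based scanner run over constructed snippets that all build SQL from user input, only one of which matches the scanner’s rule; the rule ids, sample files and scanner are all invented for this illustration.

```python
import re

# Constructed sample "source files": the same defect (SQL built from user input)
# written three ways, plus a parameterized query that is fine.
SAMPLES = {
    "concat.py": 'cur.execute("SELECT * FROM users WHERE name = \'" + name + "\'")',
    "fstring.py": 'cur.execute(f"SELECT * FROM users WHERE name = \'{name}\'")',
    "format.py": 'cur.execute("SELECT * FROM users WHERE name = \'{}\'".format(name))',
    "safe.py": 'cur.execute("SELECT * FROM users WHERE name = %s", (name,))',
}

# The scanner's one KNOWN pattern: a string literal containing a SQL keyword
# that is immediately concatenated with "+".
KNOWN_RULES = {
    "sql-concat": re.compile(r'"[^"]*\b(SELECT|INSERT|UPDATE|DELETE)\b[^"]*"\s*\+'),
}

def scan(source: str, rules=KNOWN_RULES) -> list[str]:
    """Return the ids of every rule whose pattern occurs in the source text."""
    return [rule_id for rule_id, pattern in rules.items() if pattern.search(source)]

# What a reviewer with application security know-how would flag in the samples.
TRULY_VULNERABLE = {"concat.py", "fstring.py", "format.py"}

def false_negatives(samples=SAMPLES, rules=KNOWN_RULES) -> set[str]:
    """Vulnerable files that the pattern scanner reports as clean."""
    return {name for name in TRULY_VULNERABLE if not scan(samples[name], rules)}

# A rule set extended with the f-string and .format() variants: the tool now
# catches these samples, but only because a human first taught it the pattern.
BROADER_RULES = dict(KNOWN_RULES)
BROADER_RULES["sql-fstring"] = re.compile(
    r'f"[^"]*\b(SELECT|INSERT|UPDATE|DELETE)\b[^"]*\{')
BROADER_RULES["sql-format"] = re.compile(
    r'"[^"]*\b(SELECT|INSERT|UPDATE|DELETE)\b[^"]*"\s*\.format\(')

if __name__ == "__main__":
    print("missed by known rules:", sorted(false_negatives()))
    print("missed by broader rules:", sorted(false_negatives(rules=BROADER_RULES)))
```

Real static analyzers use far richer analysis than regular expressions, but the gap in kind is the same: a tool reports what its rules encode, and a reviewer has to know what the rules do not cover.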

Page 21: CSE June 2016: Best Practices for a Mature Appsec Program

Secure at the Source
  • InfoSec Standards
  • Secure Coding Standards
  • Key activities
  • Know-how
  Skills Development

Find & Fix
  • Vulnerability Scanning
  • Penetration Testing
  • Manual or Automated
  • Code or in Production
  Skills and Tools

Protect in Play
  • Web Application Firewalls
  • Application Whitelisting
  • RASP
  • DLP
  Tools for Defense in Depth

Securing at the Source Cannot be Driven by Technology

Page 22: CSE June 2016: Best Practices for a Mature Appsec Program

Reducing Application Security Risk at the Source

Standards & Policies: set goals and be explicit
  o Create security requirements for your teams (insource or outsource)
  o Align development activities with policies, compliance mandates, and requirements

Education: equip teams to make good decisions
  o Technical and awareness training
  o By roles, technology, and platform
  o Training drives effective assessments and helps meet standards

Assessment: understand the gaps
  o Audit your team against standards and policies
  o Results drive policy, standards, education and tool usage improvements

Page 23: CSE June 2016: Best Practices for a Mature Appsec Program

Rolling Out a Secure SDLC

A mature SDLC has formal requirements, designs, implementations and testing procedures in place

View security as yet another aspect of software quality

Page 24: CSE June 2016: Best Practices for a Mature Appsec Program

You Don’t Have to Change Your Process

Simply augment it with a set of high-impact security activities and the knowledge to execute

Page 25: CSE June 2016: Best Practices for a Mature Appsec Program

Activities Work Together

Design review: Sets the team up for success and finds problems before they propagate into difficult and expensive problems

Threat Modeling: Ensures key threats are considered during design, coding and testing

Code Review: One of the highest impact activities, but doesn’t consider the as-deployed state

Manual penetration testing: Requires deep knowledge of the application and technologies in the environment

Scanning tools: Provide broad coverage quickly to augment these activities

Page 26: CSE June 2016: Best Practices for a Mature Appsec Program

Secure, Repeatable Development Works

Major Challenges
• Needed to roll out the Microsoft Security Development Lifecycle (SDL) to hundreds of dev teams
• Internal instructor-led training was effective, but not scalable and couldn’t be repurposed for new employees
• Needed a way to train vendors to ensure software was built with security in mind

Security Innovation Solution
• Customized 14 eLearning courses specific to the Microsoft SDL

Within 2 years, Microsoft was able to go from having 30% of its product teams trained on the SDL to 70% (over 3,000 users)

Page 27: CSE June 2016: Best Practices for a Mature Appsec Program

Investing in Your SDLC Works!

Consistent application of sound security practices during all phases of development will facilitate compliance and result in fewer vulnerabilities

Page 28: CSE June 2016: Best Practices for a Mature Appsec Program

Secure Software Development Principles

Executives & Managers
• The importance of building secure applications from the start
• Equip dev teams with the necessary tools, training and resources

Architects
• Threat modeling, architecture risk analysis and attack surface reduction

Developers
• How to code securely, avoid vulnerabilities and find and fix security defects in code

Testers
• Vulnerability classes, attack techniques and secure coding principles

Page 29: CSE June 2016: Best Practices for a Mature Appsec Program

In Summary

Application security know-how is the foundation of a mature AppSec program
  o You can’t operate tools or conduct key activities effectively otherwise

Vulnerabilities are a human-created problem
  o Fill the skills gap and you fill the vulnerabilities gap

Remember the 3 Pillars of Success for secure development
  o Standards & Process
  o Education
  o Assessments

Let tools, technology & humans do what they do best

Page 30: CSE June 2016: Best Practices for a Mature Appsec Program

Questions?