cse june 2016: best practices for a mature appsec program
TRANSCRIPT
Best Practices for a Mature Application Security Program
About the Presenter
Ed Adams, CEO of Security Innovation
• Ponemon Institute Distinguished Research Fellow
• Privacy by Design Ambassador
• CEO by trade; engineer by heart
• In younger days, built non-lethal weapons systems for the Federal Government
About Security Innovation
Specialization
• 15 years of research on software vulnerabilities
• Security testing methodology adopted by SAP, Symantec, Microsoft, and McAfee
• Authors of 19 books; 10 co-authored with Microsoft
Products & Services
• STANDARDS: best practices adoption
• TRAINING: eLearning & instructor-led
• ASSESSMENT: software and SDLC
Reducing Application Security Risk
• Uncover critical vulnerabilities
• Roll out a secure, repeatable SDLC
• Build internal competency
Agenda
• Industry Research & Insight: Where do Companies Struggle?
• Understanding Threats and Attacks to Software Applications as well as Various Platforms and Languages
• Optimizing your Software Development Lifecycle (SDLC)
Understanding Root Cause of Vulnerabilities
• Failure to set requirements and standards
• Not enough training and education
• Lack of process
• Vulnerabilities are unintended functionality
Disconnect Between Security and Software Teams
Ponemon Application Security Research Study: percentage of developers and of security staff agreeing with each statement
• There are ample resources to ensure all IT security requirements are accomplished
• IT security can hire and retain knowledgeable and experienced security practitioners
• The IT security leader is a member of the executive team
• IT security responds quickly to new challenges and issues
• The IT security function is able to prevent serious cyber attacks such as advanced persistent threats
• Appropriate steps are taken to comply with the leading IT security standards
• IT security strategy is fully aligned with the business strategy
• Security & data protection policies are well-defined and fully understood by employees
• Security technologies are adequate in protecting our information assets and IT infrastructure
• Application security is a top priority in my organization
[Bar chart: Developers vs. Security responses for each statement, 0% to 70% scale; per-statement values not reproduced here]
Cisco report indicates that Applications (32.6%) and Infrastructure (41.9%) were the top categories exploited.*
*Cisco 2015 Annual Security Report
The Organizational Disconnect
• IT/GRC/InfoSec historically focused on network/endpoint security
• Developers and the SDLC are now “in scope”
• Tools are a typical first step
• Both sides have a different perspective on what policies and procedures are in place
• How did we handle performance and reliability? Security needs to be a standard part of the process in the same way
Implications: Aligning Management & Staff
• Developers don’t always understand policies
o “Ensure applications are coded so as not to be susceptible to OWASP Top 10”: what does this mean to an Objective-C iOS developer?
• Lack of policy enforcement renders the mandate invisible
• Management, security and engineers all speak different languages
o “Confidential data must be protected”: protected from what? How do I protect it?
• Architecture guidance?
• Coding standards?
• Remediation specifics once vulnerabilities are found?
o e.g., user input sanitization: how do I do that in ASP.NET 3.5?
Organizations Don’t Have a Defined SDLC
• SDLC still lacking
o Tools aren’t integrated into the SDLC
o Security automation is often used after deployment (too late?)
o Policies and standards are still rare
• Forrester: “Organizations implementing an SDLC showed better ROI than the overall population”
• Aberdeen: Adopting a formal SDLC process increases security and reduces the severity and cost of vulnerability incidents while generating 4x the ROI of other application security approaches
• There are well-known and widely adopted secure SDLC practices; it’s a matter of pulling it all together
Building Security In
• Department of Homeland Security: “Regardless of which statistic is used, there is a substantial cost savings for fixing security flaws during requirements gathering than deployment*”
• Gartner: “Finding bugs at operations time costs you up to 100 percent effort”
Relative cost of fixing security flaws during the different development phases (source: National Institute of Standards & Technology (NIST); chart axes: Time vs. Cost, with Design = 1):
• Design: 1
• Implementation: 6.5
• Testing: 15
• Post Release: 60
*DHS: Estimating Benefits from Investing in Secure Development
Comprehensive & Specialized Skills
Mature organizations have application security training programs in place for their developers that focus on:
o Specific role-based responsibilities
o Offensive and defensive tactics
o Application security policies
o Areas of vulnerability
o Best practices for standards to be followed
o Various platforms and languages
“19% of developers believe their organization’s training program is up-to-date” - Ponemon Institute
“An effective training program can reduce vulnerabilities by 25%” - Forrester
Does Application Security Pay?
Companies reported substantial efficiency gains and risk reduction even BEFORE implementing a formal SDLC program:
o Cut vulnerability fix times from 1 to 2 weeks to about 1 to 2 days
o Observed that repeat vulnerabilities dropped from 80% to 0%
o Operational improvements led to expense benefits valued at more than $2 million per team over the course of 2 years
Source: Mainstay Partners/HP – Does Application Security Pay?
Agenda
• Industry Research & Insight: Where do Companies Struggle?
• Understanding Threats and Attacks to Software Applications as well as Various Platforms and Languages
• Optimizing your Software Development Lifecycle (SDLC)
The Connected World
Connected homes, medical equipment, and transportation are ALL vulnerable to software attacks
Language, Platform & Framework Nuances
Each language has unique idiosyncrasies and syntax issues
• C++ developers need to worry about memory-usage vulnerabilities
• Java and .NET have different security architectures and libraries
• Scripting languages such as Python can be difficult to secure
Each platform is unique
• Mobile – rogue client/server issues; data caching on the device
• Cloud/Web – authorization issues; web services are particularly vulnerable
• Embedded – breach the hardware root of trust and it’s game over
Security policies are not enough
• Follow through with architecture and development standards
• Must explain “how” and “why,” not just “what”
• Must tie to specific roles and technologies
All software-borne exploits
Network boundary plays a key role in “defense-in-depth”, but….
o Misses the majority of security vulnerabilities
o Ineffective when applications are internet facing
o Attackers can/will break through
With the Internet, applications become the perimeter
We still invest exponentially more in network defenses
Security is Ultimately a Software Problem
70-92% of vulnerabilities exist in the application, not the network layer*
* source: Gartner and NIST
…. and a Human Problem
Vulnerabilities are frequently the result of a failure in the engineering process
Developers have an implicit trust in the user
o Often think of functionality rather than security
o Not common to consider abuse cases
Education tailored to each environment is required
o Particularly in the requirements and design phases, where few tools are available
o The wide range of technologies and platforms is overwhelming
Agenda
• Industry Research & Insight: Where do Companies Struggle?
• Understanding Threats and Attacks to Software Applications as well as Various Platforms and Languages
• Optimizing your Software Development Lifecycle (SDLC)
Typical Maturity Progression
Tools are an important part of an AppSec program
Tools SUPPORT a solid FOUNDATION of people and process
Investment in people and process yields the most leverage
The Pitfalls of Automation
First instinct is “what tool can we buy?”
Tools can do a lot of heavy lifting faster than humans, but they….
o Only find KNOWN vulnerabilities/patterns and can miss important issues
o Don't teach you how to fix vulnerabilities or prevent them in the future
o Are useful as part of an assessment program, but shouldn’t be your sole solution
Analyzing results is time consuming and requires skill
Results:
o Tools often become shelf-ware
o Dev team pushes back against vulnerability management in the SDLC
Secure at the Source / Find & Fix / Protect in Play
Key activities
• Secure at the Source: InfoSec Standards, Secure Coding Standards
• Find & Fix: Vulnerability Scanning, Penetration Testing (manual or automated; on code or in production)
• Protect in Play: Web Application Firewalls, Application Whitelisting, RASP, DLP
Know-how
• Secure at the Source: Skills Development
• Find & Fix: Skills and Tools
• Protect in Play: Tools for Defense in Depth
Securing at the Source Cannot be Driven by Technology
Reducing Application Security Risk at the Source
Standards & Policies: set goals and be explicit
o Create security requirements for your teams (insource or outsource)
o Align development activities with policies, compliance mandates, and requirements
Education: equip teams to make good decisions
o Technical and awareness training
o By role, technology, and platform
o Training drives effective assessments and helps meet standards
Assessment: understand the gaps
o Audit your team against standards and policies
o Results drive improvements in policy, standards, education and tool usage
Rolling Out a Secure SDLC
A mature SDLC has formal requirements, designs, implementations and testing procedures in place
View security as yet another aspect of software quality
You Don’t Have to Change Your Process
Simply augment it with a set of high-impact security activities and the knowledge to execute them
Activities Work Together
• Design review: sets the team up for success and finds problems before they propagate into difficult and expensive problems
• Threat modeling: ensures key threats are considered during design, coding and testing
• Code review: one of the highest impact activities, but doesn’t consider the as-deployed state
• Manual penetration testing: requires deep knowledge of the application and the technologies in the environment
• Scanning tools: provide broad coverage quickly to augment these activities
Secure, Repeatable Development Works
Major Challenges
• Needed to roll out the Microsoft Security Development Lifecycle (SDL) to hundreds of dev teams
• Internal instructor-led training was effective, but not scalable and couldn’t be repurposed for new employees
• Needed a way to train vendors to ensure software was built with security in mind
Security Innovation Solution
• Customized 14 eLearning courses specific to the Microsoft SDL
• Within 2 years, Microsoft was able to go from having 30% of its product teams trained on the SDL to 70% (over 3,000 users)
Investing in Your SDLC Works!
Consistent application of sound security practices during all phases of development will facilitate compliance and result in fewer vulnerabilities
Secure Software Development Principles
Executives & Managers
• The importance of building secure applications from the start
• Equip dev teams with the necessary tools, training and resources
Architects
• Threat modeling, architecture risk analysis and attack surface reduction
Developers
• How to code securely, avoid vulnerabilities and find and fix security defects in code
Testers
• Vulnerability classes, attack techniques and secure coding principles
In Summary
Application security know-how is the foundation of a mature AppSec program
o You can’t operate tools or conduct key activities effectively otherwise
Vulnerabilities are a human-created problem
o Fill the skills gap and you fill the vulnerabilities gap
Remember the 3 Pillars of Success for secure development
o Standards & Process
o Education
o Assessments
Let tools, technology & humans do what they do best
Questions?
Thank You!
Ed Adams, [email protected]
Additional educational webinars: https://www.securityinnovation.com/knowledge-center/webinars
Free reports and guides: https://www.securityinnovation.com/knowledge-center/reports-guides