isaca app sec presentation - v3
TRANSCRIPT
5 Major Application Risks To Secure and Audit
PRESENTED BY:
KYLE LAI
PRESIDENT & CISO
KLC CONSULTING
7/21/2017
KLC CONSULTING PUBLIC INFORMATION
About Me: Kyle Lai
• Certified Security Professional (CISSP, CSSLP, CISA, CIPP/US, CIPP/G, ISO 27001 LA)
• 25+ years in IT | 20 years in Information Security (Pentest, Third-party Risk, Compliance, Engineering…)
• Experience in DoD, Financial, Energy, Healthcare, High Tech, Consulting…
• Have consulted at Microsoft, PwC, Boeing, HP, Fidelity Investment, Akamai, Cathay Pacific Airlines, Leading Oil & Gas firm
• Currently - Security Advisory Consultant for a large global oil & energy company
• Former CISO of Pactera, a Global 100 IT Consulting firm, A Blackstone/HNA Company
• Former CISO of Brandeis University – Heller School
• Author of SMAC MAC Address Changer Tool – Over 2.5 million users worldwide
• Run 3 LinkedIn Groups (i.e. Cybersecurity Community)
LinkedIn: https://www.linkedin.com/in/kylelai Twitter: @KyleOnCyber

Most Devices Are Application Driven
Agenda
• Why Talk About Application Security?
• What is Application Security?
• Risk 1: Incomplete Application Asset Inventory
• Risk 2: Lack of Secure Coding Practice (Training)
• Risk 3: Security Threat Modeling / Requirements
• Risk 4: Insufficient Security Testing
• Risk 5: Lack of Application Supply Chain Management
• Q&A
Recent Headlines
Source: Verizon Data Breach Investigation Report 2016, 2017
WannaCry
Application Development Trend: DevOps
• More Frequent Application Releases
• More Automation in Continuous Integration / Continuous Delivery (CI/CD)
• Reduce unplanned work through automation
Why Talk About Application Security?
Source: Verizon Data Breach Investigation Report 2016, 2017
"…60% of breaches involved web applications either as asset affected, and/or a vector to the affected asset. It is quite possible, and actually common, for a breach to feature a web application as the vector and the asset affected."
(Chart: web application related attacks, 2016 vs. 2017)
33% Jump on Web App Related Attacks in 1 year!
What is Application Security?
Application security, or "AppSec," is the set of security measures that
• protect an organization's critical data from internal and external threats by ensuring the security of all of the software used to run the business, whether built internally, bought or downloaded.
• help identify, fix and prevent security vulnerabilities in any kind of software application.
Image Source: Veracode
Enterprise Application Security
1% of Security Budget Focuses on Application Security
Gartner describes applications and security with the analogy of a crown jewel in a treasure chest:
• The sensitive data is the crown jewel
• The applications are the treasure chest
Note: Applications include more than just Web Applications.
(Chart: IT Budget Devoted to Securing Applications)
Risk 1: Incomplete Application Asset Inventory
• You cannot protect an application that is not accounted for, or whose recorded information is inaccurate.
• Input and output of an application may come from other applications… Usually not tracked...
• Owner of the application is usually not accurately documented due to personnel movement...
• Some of the following might be missing in the asset inventory:
  • Type of application: custom developed, Commercial Off The Shelf (COTS), or open source software?
  • Is it a key component of other applications? (e.g. Oracle Database, SAP, SQL Server)
  • Is it internal use only, external use only, or both?
  • Is it used on servers, desktops, mobile, infrastructure, etc.?
  • Owner name
  • What type of data is collected/handled/processed?
  • Any PII, PHI, Privacy Information?
  • What is the data classification - highly confidential, confidential, internal, public, etc.…?
Risk 1: Recommendation
• Automated scan for new web application discovery
• Establish and continuously update the application asset inventory via tools
• Update ownership information as the owner changes
• Define the list of information to be gathered for each application (might use for app risk evaluation as well), such as:
  • Custom developed, COTS, Open-Source
  • Data classification
  • Number of users
  • Internal, external (Internet), both
  • Mobile
  • Technology stack (if developed internally)
  • Relationship with other applications
Risk 2: Lack of Secure Coding Practice (Training)
Source: Sonatype DevSecOps Community Survey 2017
Risk 2: Lack of Secure Coding Practice (Training) cont.
• Developers do not have adequate training on secure coding practices
• Developers are not familiar with the OWASP Top 10 vulnerabilities
• Developers are not familiar with secure coding practice in new environments or for new technologies, e.g. Cloud based platforms
• Companies limit the budget for secure coding training
• Developers want to do a good job but are not empowered to do so
• Fixing code during/post production costs 100 times more than fixing code during the design phase (Risk)
• DevOps Movement – Automation with increased app release frequency, making secure coding practice and app security training more critical
Risk 2: Recommendations
• Continue to train the developers on Secure Coding Practice (in class or CBT)
  • Existing development languages and platforms
  • New development languages, platforms, technologies, e.g. Cloud specific security features
• Ensure developers understand the OWASP Top 10 vulnerabilities, and how to code properly to avoid them
  • OWASP Top 10 Web Application Vulnerabilities
  • OWASP Top 10 Mobile Application Vulnerabilities
  • OWASP Top 10 IoT Vulnerabilities
• Provide security tools (e.g. an Interactive Application Security Testing (IAST) tool) to your developers; enable them to check and fix their code security issues during the development phase.
OWASP Top 10 Web App Vulnerabilities

OWASP Top 10 Mobile App Vulnerabilities

OWASP Top 10 IoT Vulnerabilities
Risk 3: Security Threat Modeling / Requirements
• What are the safety code requirements to build a car? (Defined)
• What are the safety code requirements to build a house? (Defined)
• What are the security coding requirements to build an application???
Risk 3: Security Threat Modeling / Requirements
• Industry has no common security requirements
• Many developers are not doing security threat modeling –
  • Data Flow Diagram Analysis – Where can data be stolen and the system be hacked?
  • Protocol communication between systems – Can someone tamper with my communications?
  • Possible threats in the processes –
  • What are the different security boundaries during data flow?
Risk 3: Recommendation
• Invest the time to do Threat Modeling
• Develop security requirements to reduce threats
• Developer friendly threat modeling tools: SD Elements, IriusRisk
• Microsoft offers a free Threat Modeling Tool (A bit more technical)
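As an added illustration (not from the presentation, nor from any of the tools named above), the following Python sketch walks a small data flow diagram and turns each security boundary crossing into the questions of the previous slide (can the data be stolen, can the channel be tampered with, which boundary is crossed) and a concrete security requirement. All elements, boundaries, flows and the trust/protocol rules are constructed assumptions about a hypothetical web application.

```python
# Added example (not from the presentation): a tiny data-flow diagram (DFD)
# walk that raises a security requirement for every boundary crossing.
# Elements, boundaries, flows and the protocol/trust rules are constructed
# assumptions about a hypothetical web application, not a real system.
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str       # what travels on the flow
    protocol: str   # constructed label, e.g. "https", "http", "sql"

# Constructed model: the boundary each element sits in, and how trusted each
# boundary is (higher number = more trusted).
BOUNDARY: Dict[str, str] = {"browser": "internet", "web-app": "dmz",
                            "api": "internal", "database": "internal"}
TRUST: Dict[str, int] = {"internet": 0, "dmz": 1, "internal": 2}
CONFIDENTIAL = {"credentials", "session-token", "customer-records"}
ENCRYPTED = {"https"}   # assumption: only these protocols protect the channel

FLOWS: List[Flow] = [
    Flow("browser", "web-app", "credentials", "https"),
    Flow("web-app", "api", "session-token", "http"),
    Flow("api", "database", "customer-records", "sql"),
    Flow("web-app", "api", "public-catalog", "http"),
]

def requirements(flows: List[Flow]) -> List[Tuple[str, str]]:
    """Return (flow, requirement) pairs for every flow that crosses a boundary.
    Rules (assumptions): a crossing can be tampered with, so the receiver must
    validate what it accepts; data entering a more trusted zone must come from
    an authenticated source; confidential data on an unencrypted protocol can
    be stolen in transit and needs channel protection."""
    out = []
    for f in flows:
        label = f"{f.src}->{f.dst} ({f.data}/{f.protocol})"
        src_b, dst_b = BOUNDARY[f.src], BOUNDARY[f.dst]
        if src_b == dst_b:
            continue  # inside one boundary: not a crossing, nothing to raise
        out.append((label, f"{f.dst} validates all input crossing the {src_b}/{dst_b} boundary"))
        if TRUST[dst_b] > TRUST[src_b]:
            out.append((label, f"{f.dst} authenticates {f.src} before accepting {f.data}"))
        if f.data in CONFIDENTIAL and f.protocol not in ENCRYPTED:
            out.append((label, f"encrypt {f.data} in transit; {f.protocol} exposes it to theft/tampering"))
    return out
```

Each requirement maps back to one flow label, so the list doubles as the "security requirements to reduce threats" the slide asks for, one per boundary crossing.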
An Example of SD Elements (Commercial Tool)

An Example of Microsoft Threat Modeling Tool 2016
Risk 4: Insufficient Security Testing
• Many companies do not perform enough application security testing
  • Static Code Analysis (SAST) – Scan your source code
  • Dynamic Analysis (DAST) – Scan your web application
  • Interactive Testing (IAST) – Developers test code interactively in the development environment
  • Runtime App Self-Protection (RASP) - Intercept and scan app request traffic
  • Mobile App Security Testing – Test mobile application binary, API, and back-end server interaction
Risk 4: Recommendation
• Invest in experienced security professionals
• Invest in application security testing tools
• If funding is very limited, invest in either IAST or DAST to start with, to get the most value
• Expand the toolset as the application security program matures
Sorry, This One Is Not Cheap…
Risk 5: Lack of Application Supply Chain Management
A recent survey of 2,292 IT professionals found that 80-90% of an application now consists of component parts.
An analysis of 386 applications found similar results, with 82% of the applications built from open source components.
Source: 2017 State of The Software Supply Chain by Sonatype
Risk 5: Lack of Application Supply Chain Management
Source: Sonatype DevSecOps Community Survey 2017
• Companies are using open source components but only 6 out of 10 organizations have an open source governance policy in place
• Increasing use of open source / third-party components makes tracking of the bill of materials difficult!
• If there's a new vulnerability found in an open source or third-party component, would you know if any of your applications is impacted?
Risk 5: Lack of Application Supply Chain Management
Source: 2017 State of The Software Supply Chain by Sonatype
Risk 5: Recommendation
• Establish an authorized list of open source components
• Make sure to establish an asset management process for open source
• Establish an Open Source policy (if not done already) -
  • Evaluate needs and benefits
  • Ensure no equivalent software has already been deployed in-house
  • Verify there is an active user community supporting the application.
  • Perform quality and security testing and validation
  • Defined quick approval process
• If budget allows, investigate tools to manage open source components (e.g. Free: OWASP Dependency-Check; Commercial: Black Duck, Sonatype)
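As an added illustration (not from the presentation or from any of the tools named above), the following Python sketch shows what a minimal application bill of materials buys you: it enforces the authorized open source list from the recommendation and answers the earlier question of which applications are impacted when an advisory for a component appears. All application names, component names, versions and the authorized list are constructed placeholders.

```python
# Added example (not from the presentation): a minimal application bill of
# materials (BOM) used to enforce an authorized open source list and to answer
# "which of our applications are impacted?" when a component advisory appears.
# All application, component and version values below are constructed.
from typing import Dict, List, Tuple

Version = Tuple[int, ...]
Bom = Dict[str, List[Tuple[str, str]]]

def parse_version(text: str) -> Version:
    """'2.4.1' -> (2, 4, 1) so versions compare numerically, not as strings.
    Assumes plain dotted numeric versions; real tooling must also handle
    suffixes such as '-rc1' and ecosystem-specific ordering rules."""
    return tuple(int(part) for part in text.split("."))

# Constructed BOM: application -> list of (component, version) it ships with.
BOM: Bom = {
    "payroll-web": [("web-framework", "3.2.0"), ("xml-parser", "1.9.4")],
    "mobile-api": [("web-framework", "2.8.1"), ("json-lib", "4.0.0")],
    "reporting-batch": [("xml-parser", "2.1.0")],
}

# Authorized open source list: component -> minimum approved version.
AUTHORIZED: Dict[str, str] = {"web-framework": "3.0.0", "xml-parser": "2.0.0", "json-lib": "4.0.0"}

def unauthorized_components(bom: Bom) -> List[Tuple[str, str, str]]:
    """(app, component, version) entries that are not on the authorized list
    or are older than the minimum approved version."""
    findings = []
    for app, components in bom.items():
        for name, version in components:
            minimum = AUTHORIZED.get(name)
            if minimum is None or parse_version(version) < parse_version(minimum):
                findings.append((app, name, version))
    return findings

def impacted_apps(bom: Bom, component: str, affected_from: str, fixed_in: str) -> List[str]:
    """Applications shipping `component` inside the vulnerable range an
    advisory states: affected_from <= version < fixed_in."""
    low, high = parse_version(affected_from), parse_version(fixed_in)
    return sorted(
        app
        for app, components in bom.items()
        for name, version in components
        if name == component and low <= parse_version(version) < high
    )
```

Without the BOM both questions need a manual search of every codebase; with it, a new advisory is a one-line lookup against the recorded component versions.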
Note: How Mature is Your Application Security Program?
• Building Security In Maturity Model (BSIMM)
  • Measure maturity of Software Security Initiatives
  • http://www.bsimm.com
  • Free tool to assess yourself
Source: Sonatype
Q&A
Source: Sonatype
Kyle Lai
CISO
KLC Consulting
Klai[@]klcconsulting.net
@KyleOnCyber
https://www.Linkedin.com/in/kylelai
Thank you!