Tackling Application Security
11.01.12

What do Google, RSA, Sony, PBS, Barracuda Networks and numerous other high-profile organisations have in common? (Veracode)

All have been breached through vulnerabilities in software applications, and often through applications that they did not develop themselves but purchased from third parties.

Software is the Achilles’ heel of a company’s information security strategy; vulnerable applications represent a critical area of exposure and a highly significant risk to the business.

And yet, while organisations take a rigorous approach to quality assurance of their applications from a functional perspective, very few have anything close to a systematic, policy-based programme for detecting and remediating software security flaws. The state of application security in an organisation is more likely to consist of ad-hoc testing for a few key projects rather than a systematic, cohesive approach in which security is thoroughly baked into business processes.

However, a proactive and programmatic approach to software security is essential in the face of today’s threat environment. Threats are growing rapidly in both the traditional enterprise computing space as well as the mobile device landscape, resulting in record numbers of vulnerable applications being developed and deployed. In both development spheres, sophisticated attacks not only steal custodial data, such as credit card numbers and customer records, but, increasingly, target highly sensitive proprietary corporate information including business plans, and product research and designs.

Security experts and analysts have been talking about the need for testing and remediation of dangerous flaws in existing code bases for more than a decade, but application protection remains lower than it should be on many organisations' security agendas. Although a significant percentage of all security risk is in applications, the majority of security spending is focused on the network layer.

In its State of Software Security Report (Volume 3), Veracode found that 58 percent of applications revealed unacceptable security quality on first submission to its cloud-based testing platform, and more than 80 percent of all internally and commercially developed web applications failed to meet OWASP (Open Web Application Security Project) Top 10 standards. These results also provide a window into the state of non-compliance with respect to standards such as PCI.

Enterprises should adopt a policy-based software security testing programme, integrated into their development lifecycle, to establish standards and practices for assessing risk and prioritising mitigation and remediation.

The effort required to address the challenges to establishing such an enterprise-level programme will be more than offset by the compelling benefits in efficiency, security and reduced business risk.

These are the first steps that an organisation should take:

Enlist management support. Cross-functional management commitment is essential for a successful software testing programme.

Define roles. One of the key differences between an enterprise-calibre application security programme and reactive, ad hoc testing is the clear delineation of management and operational roles. So, for example, establish who (e.g., security or developers) is responsible for testing applications for vulnerabilities, assessing their risk level, assigning appropriate policies to each application, enforcing policy and measuring progress.

Train developers. Assess their capabilities and provide appropriate training, with the aim of instilling secure development practices as well as vulnerability detection and remediation.

Define and assign security policies. Define policies based on standards such as CWE/SANS Top 25 and OWASP Top 10, as well as company-specific regulatory or customer requirements.

Instill accountability and enforce policy. Make it clear as a matter of corporate policy that the ultimate responsibility for application security lies with the business application owners and they will be held accountable for failure to enforce policy.

Test third parties. Applications are frequently developed in whole or in part by partners, contractors and service providers. Their work should be held to the same testing and remediation standards and policies as internal development.

Centralise findings reporting. The ability to receive test notification, readily access test results and quickly determine compliance status is critical to attaining software security goals while keeping the development process moving.

Use metrics to track progress. The goal of an application policy management programme is continuous improvement in the enterprise application security posture and decreased risk at an appropriate cost level. Determine the metrics you will use, such as frequency of testing and reduction of critical vulnerabilities.
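As an added example, not code from the original post or from Veracode, the following Python script shows what the "assign policies, enforce them, centralise findings, measure progress" steps above look like once they are mechanised: findings from a scan export are grouped per application, each application is evaluated against the policy assigned to it (a strict PCI-style policy that blocks high severities and any CWE/SANS Top 25 weakness, and a relaxed policy for internal tools), an application with findings but no assigned policy falls back to the strictest policy rather than passing by default, and programme-level metrics are computed from the results. The findings JSON, the policy names, the severity scale and the CWE subset are constructed for illustration and are assumptions, not a real scanner format or the full Top 25 list.

```python
"""Policy gate over application security scan findings.

Added example, not code from the original post or from Veracode. It assumes
a simple JSON findings export (constructed below), a small illustrative
subset of CWE/SANS Top 25 identifiers and hand-written policy names; a real
programme would load the full CWE list in force and the scanner's own format.
"""
import json
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Illustrative subset of CWE/SANS Top 25 weakness IDs. Assumption: a real
# policy carries the full list for the year in force, not this subset.
CWE_TOP25_SUBSET = {20, 22, 78, 79, 89, 287, 352, 434, 502, 787}

# Constructed scanner export, one record per finding (severity 1..5).
# The field names are an assumption; real tools emit SARIF or vendor XML.
FINDINGS_JSON = """[
 {"app": "payments-web",  "cwe": 89,  "severity": 5, "file": "db.py",     "line": 42},
 {"app": "payments-web",  "cwe": 79,  "severity": 4, "file": "views.py",  "line": 118},
 {"app": "payments-web",  "cwe": 200, "severity": 2, "file": "errors.py", "line": 7},
 {"app": "intranet-wiki", "cwe": 22,  "severity": 3, "file": "files.py",  "line": 31},
 {"app": "intranet-wiki", "cwe": 200, "severity": 2, "file": "page.py",   "line": 9},
 {"app": "legacy-batch",  "cwe": 787, "severity": 4, "file": "parse.c",   "line": 210}
]"""


@dataclass(frozen=True)
class Policy:
    """What blocks release for applications assigned this policy."""
    name: str
    fail_severity: int               # any finding at or above this severity fails
    block_top25: bool                # any CWE/SANS Top 25 weakness fails
    max_open: Optional[int] = None   # cap on total open findings, None = no cap


# Policy catalogue and per-application assignment (both assumptions).
POLICIES: Dict[str, Policy] = {
    "pci-strict": Policy("pci-strict", fail_severity=4, block_top25=True),
    "internal":   Policy("internal",   fail_severity=5, block_top25=False, max_open=10),
}
ASSIGNMENTS = {"payments-web": "pci-strict", "intranet-wiki": "internal"}
# Applications with findings but no assigned policy fall back to the
# strictest policy, so an unassigned app cannot slip through the gate.
DEFAULT_POLICY = "pci-strict"


def evaluate(findings: List[dict], policy: Policy) -> Tuple[bool, List[str]]:
    """Apply one policy to one application's findings; return (passed, violations)."""
    violations = []
    for f in findings:
        where = f"{f['file']}:{f['line']} CWE-{f['cwe']}"
        if f["severity"] >= policy.fail_severity:
            violations.append(f"{where}: severity {f['severity']} >= {policy.fail_severity}")
        elif policy.block_top25 and f["cwe"] in CWE_TOP25_SUBSET:
            violations.append(f"{where}: CWE/SANS Top 25 weakness blocked by policy")
    if policy.max_open is not None and len(findings) > policy.max_open:
        violations.append(f"{len(findings)} open findings exceed cap of {policy.max_open}")
    return (not violations), violations


def gate(raw_json: str = FINDINGS_JSON) -> Dict[str, dict]:
    """Group findings by application, pick each app's policy, evaluate it."""
    by_app: Dict[str, List[dict]] = defaultdict(list)
    for f in json.loads(raw_json):
        by_app[f["app"]].append(f)
    results = {}
    for app, findings in sorted(by_app.items()):
        policy_name = ASSIGNMENTS.get(app, DEFAULT_POLICY)
        passed, violations = evaluate(findings, POLICIES[policy_name])
        results[app] = {
            "policy": policy_name,
            "assigned": app in ASSIGNMENTS,
            "passed": passed,
            "violations": violations,
            "critical": sum(1 for f in findings if f["severity"] >= 4),
        }
    return results


def metrics(results: Dict[str, dict]) -> Dict[str, float]:
    """Programme-level numbers a central dashboard would track over time."""
    total = len(results)
    passed = sum(1 for r in results.values() if r["passed"])
    return {
        "apps_tested": total,
        "compliance_rate": passed / total if total else 0.0,
        "critical_open": sum(r["critical"] for r in results.values()),
        "unassigned_apps": sum(1 for r in results.values() if not r["assigned"]),
    }


if __name__ == "__main__":
    res = gate()
    for app, r in res.items():
        print(f"{app:14} policy={r['policy']:10} {'PASS' if r['passed'] else 'FAIL'}")
        for v in r["violations"]:
            print("   ", v)
    print(metrics(res))
```

On the constructed data, payments-web fails its PCI policy on two findings, intranet-wiki passes its relaxed policy even though CWE-22 is a Top 25 weakness (the same finding would fail under pci-strict, which is the point of assigning policies per application rather than one global threshold), and legacy-batch, which nobody assigned a policy to, is evaluated strictly and surfaces in the "unassigned_apps" metric so that the gap in role assignment is visible rather than silent.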

A comprehensive, cost-effective, efficient and scalable application security verification programme is attainable—and essential—in the face of aggressive attacks and software code that is rife with vulnerabilities.
