application security - making it work

1 www.iansresearch.com ©2014 IANS Application Security: Making It Work Diana Kelley

Posted on 14-Apr-2017

Page 1

Application Security: Making It Work

Diana Kelley

Page 2

Session Overview

Overview of the Challenge

Further Investigation of the Challenge

Options for Addressing the Challenge

Plan of Action

External Resources

Implementation and Next Steps

Page 3

Overview - Questions

How do you ensure the investment is being used effectively?

How do you measure the program?

Why does application security receive short shrift from many executives?

How do you justify and allocate funds?

What can you do to address these issues?

Page 4

Why Application Security Matters

http://money.cnn.com/2014/01/15/technology/security/starbucks-app-passwords/

http://www.businessinsider.com/hackers-use-a-refridgerator-to-attack-businesses-2014-1

http://www.pcworld.com/article/170457/getting_serious_about_sql_injection_and_the_tjx_hacker.html

Page 5

Impact on the Business

Hard dollar costs - Do you have a spare $256 million?

Legal and regulatory - Do you have time and resources to battle lawsuits and the FTC?

Brand reputation - Can you afford to lose customer trust?

Page 6

Benefits of Application Security

Cost savings

• Legal

• Report and response

• Breach notification

Readiness

• Compliance and regulations

• Faster deployment

Customer trust

• Privacy protection

• Trusted Technology Provider Framework (Open Group)

Page 7

Further Investigation - Sizing

“SQL injection (SQLi) remains the most common breach paradigm”*

*Images and content source: IBM X-Force 2013 Mid-Year Trend and Risk Report, September 2013

Page 8

Further Investigation - Sizing

Overall window of exposure to serious* vulnerabilities (2012) - latest available data

Source: WhiteHat Security, Website Security Statistics Report, https://www.whitehatsec.com/assets/WPstatsReport_052013.pdf

Page 9

Further Investigation - Sizing

Image source: https://www.appthority.com/resources/app-reputation-report

App Reputation Report Highlights

• Overall, 83% of the most popular apps are associated with security risks and privacy issues.

• iOS apps exhibited more risky behaviors than Android apps overall.

• 91% of iOS apps exhibit at least one risky behavior, as compared to 80% of Android apps. 95% of the top free apps and 78% of the top paid apps exhibited at least one risky behavior.

Page 10

Further Investigation – Trends

Development time is accelerating

• DevOps Revolution

Image source: http://dev2ops.org/2010/02/what-is-devops/

Page 11

Further Investigation - Trends

Componentized development

• Applications are up to 90% open source components

Page 13

Further Investigation - Trends

Internet of Things (IoT)

• Remote access

• IP enablement

http://www.forbes.com/sites/andygreenberg/2014/02/05/this-iphone-sized-device-can-hack-a-car-researchers-plan-to-demonstrate/

Page 14

Options for Addressing the Challenge

Do nothing

Do some testing

Testing and mitigation

Build security into the SDLC

Page 15

Plan of Action – Do Nothing

Examples

• Just don’t do anything

• It’s too hard

Pros

• It’s easy!

• And unfortunately – fairly common

Cons

• Lost data

• Legal and compliance issues

• Brand reputation

• For health, automotive and CI – possible loss of life

Page 16

Plan of Action – Do Some Testing

Examples

• Hire a pen-tester to dynamically test applications in production

Pros

• Relatively easy to get started

• Minimal impact on development process

Cons

• Exposure

• Cost to fix

• Lack of collaboration/improvement

Page 17

Plan of Action – Testing and Mitigation

Examples

• Perform dynamic testing

• Use Web application firewalls (WAF) or other app-layer protections

• Test only new, highly sensitive/critical apps

Pros

• Multi-layered approach

• Less time-consuming than testing the full portfolio

Cons

• Blind spots

• False sense of security

• Lack of collaboration/improvement

Page 18

Plan of Action – Build Security In

Examples

• Mature security program from requirements to production

• Integrated approach - Dev to Ops

• Risk management directs testing/remediation activity

• Quantitative analysis of program success

Pros

• High level of application security assurance

• Fosters collaboration and continuous improvement

• Lays groundwork for future

Cons

• Resources for tools, training and program management

• Culture challenges

Page 21

External Resources – CWE/SANS Top 25

http://cwe.mitre.org/top25/

Page 23

Implementation – 3 Gotchas

Trying to boil the ocean!

Geeking out

Getting combative

Page 25

Next Steps – Top 3 Takeaways

1. Securing applications is a business imperative

2. There are excellent guides, resources and tools to help you build/mature your program

3. Get started building/maturing your program now so you will be ready for tomorrow

Page 26

Questions? [email protected]