1 www.iansresearch.com ©2014 IANS
Application Security: Making It Work Diana Kelley
Session Overview
Overview of the Challenge
Further Investigation of the Challenge
Options for Addressing the Challenge
Plan of Action
External Resources
Implementation and Next Steps
Overview - Questions
How do you ensure the investment is being used effectively?
How do you measure the program?
Why does application security receive short shrift from many executives?
How do you justify and allocate funds?
What can you do to address these issues?
Why Application Security Matters
http://money.cnn.com/2014/01/15/technology/security/starbucks-app-passwords/
http://www.businessinsider.com/hackers-use-a-refridgerator-to-attack-businesses-2014-1
http://www.pcworld.com/article/170457/getting_serious_about_sql_injection_and_the_tjx_hacker.html
Impact on the Business
Hard dollar costs - Do you have a spare $256 million?
Legal and regulatory - Do you have time and resources to battle lawsuits and the FTC?
Brand reputation - Can you afford to lose customer trust?
Benefits of Application Security
Cost savings
• Legal
• Report and response
• Breach notification
Readiness
• Compliance and regulations
• Faster deployment
Customer trust
• Privacy protection
• Trusted Technology Provider Framework (Open Group)
Further Investigation - Sizing
Images and content source (*): IBM X-Force 2013 Mid-Year Trend and Risk Report, September 2013
“SQL injection (SQLi) remains the most common breach paradigm”*
Further Investigation - Sizing
Source: WhiteHat Security, Website Security Statistics Report, https://www.whitehatsec.com/assets/WPstatsReport_052013.pdf
Overall window of exposure to serious* vulnerabilities (2012) - Latest available data
Further Investigation - Sizing
Image source: https://www.appthority.com/resources/app-reputation-report
App Reputation Report Highlights
• Overall, 83% of the most popular apps are associated with security risks and privacy issues.
• iOS apps exhibited more risky behaviors than Android apps overall.
• 91% of iOS apps exhibit at least one risky behavior, as compared to 80% of Android apps. 95% of the top free apps and 78% of the top paid apps exhibited at least one risky behavior.
Further Investigation – Trends
Development time is accelerating
• DevOps Revolution
Image source: http://dev2ops.org/2010/02/what-is-devops/
Further Investigation - Trends
Componentized development
• Applications are up to 90% open source components
Further Investigation – Trends
Mobile
• More platforms, faster release cycles, shift to client
Image source: http://www.appcelerator.com.s3.amazonaws.com/pdf/q4-2013-devsurvey.pdf
Further Investigation - Trends
Internet of Things (IoT)
• Remote access
• IP enablement
http://www.forbes.com/sites/andygreenberg/2014/02/05/this-iphone-sized-device-can-hack-a-car-researchers-plan-to-demonstrate/
Options for Addressing the Challenge
Do nothing
Do some testing
Testing and mitigation
Build security into the SDLC
Plan of Action – Do Nothing
Examples
• Just don’t do anything
• It’s too hard
Pros
• It’s easy!
• And unfortunately – fairly common
Cons
• Lost data
• Legal and compliance issues
• Brand reputation
• For health, automotive and critical infrastructure (CI) – possible loss of life
Plan of Action – Do Some Testing
Examples
• Hire a pen-tester to dynamically test applications in production
Pros
• Relatively easy to get started
• Minimal impact on development process
Cons
• Exposure
• Cost to fix
• Lack of collaboration/improvement
Plan of Action – Testing and Mitigation
Examples
• Perform dynamic testing
• Use Web application firewalls (WAF) or other app-layer protections
• Test only new, highly sensitive/critical apps
Pros
• Multi-layered approach
• Less time-consuming than testing the full portfolio
Cons
• Blind spots
• False sense of security
• Lack of collaboration/improvement
Plan of Action – Build Security In
Examples
• Mature security program from requirements to production
• Integrated approach - Dev to Ops
• Risk management directs testing/remediation activity
• Quantitative analysis of program success
Pros
• High level of application security assurance
• Fosters collaboration and continuous improvement
• Lays groundwork for future
Cons
• Resources for tools, training and program management
• Culture challenges
External Resources – Vendor Guidance
Image source: http://www.drdobbs.com/the-7-touchpoints-of-secure-software/184415391
http://bsimm.com
http://www.microsoft.com/security/sdl/default.aspx
External Resources - OWASP
More than just the Top 10!
https://www.owasp.org/index.php/OWASP_Project_Inventory#Flagship_Projects
External Resources – CWE/SANS Top 25
http://cwe.mitre.org/top25/
External Resources – CERT and Open Group
http://www.opengroup.org/getinvolved/forums/trusted
https://www.securecoding.cert.org/confluence/display/seccode/CERT+Coding+Standards
Implementation – 3 Gotchas
Trying to boil the ocean!
Geeking out
Getting combative
Implementation – 3 Lessons Learned
Cultivate champions
Track success
The right picture’s worth a thousand words
Image source: http://blog.denimgroup.com/denim_group/2013/06/threadfix-12-rc1-now-available.html
Next Steps – Top 3 Takeaways
1. Securing applications is a business imperative
2. There are excellent guides, resources and tools to help you build/mature your program
3. Get started building/maturing your program now so you will be ready for tomorrow
Questions? [email protected]