secure byod - denim group · 2020-07-09 · secure software and official (isc)2 guide to the csslp....

ISSUE NUMBER 23
An (ISC)2 Digital Publication, www.isc2.org
NO SUCH THING AS ONE SIZE FITS ALL: SECURE BYOD
(ISC)2 MILESTONE: 100 CHAPTERS! PAGE 22



16 INFOSECURITY PROFESSIONAL ISSUE NUMBER 23

HIGHLY SECURE SOFTWARE: A HOLISTIC APPROACH

DEVELOPING HACK-PROOF SOFTWARE FOR BUSINESS-CRITICAL APPLICATIONS IS ONLY THE BEGINNING.

BY PETER FRETTY


IN A WORLD WHERE CLOUD COMPUTING, BIG DATA, AND MOBILITY HAVE BECOME COMMONPLACE, the pace of technological advances is mind-boggling. Unfortunately, security continues to struggle to keep pace with the evolving threat landscape. Traditional perimeter defenses such as firewalls and host protections have become insufficient to protect against application (software) threats such as injection attacks, cross-site scripting (XSS), cross-site request forgeries, insecure direct object references, buffer overflows, and more.

The result is quite evident when looking at the 2013 HP Cyber Risk Report. For instance, vulnerabilities across the board continue to rise—up 19 percent in 2012. In addition, vulnerabilities in SCADA systems are up 768 percent over the past five years. When adding mobile software applications into the equation, the numbers escalate further. For example, 77 percent of mobile applications demonstrate vulnerability to data leakage.

“In this environment, software has become the conduit to the data that is collected, processed and stored for business purposes. And, insecure software paints a bull’s-eye for hackers who aim to breach your company,” says Mano Paul, CEO of SecuRisk Solutions and author of The 7 Qualities of Highly Secure Software and Official (ISC)2 Guide to the CSSLP.

Any business that uses software for critical business functions is already way behind, explains Jeff Williams, CEO and co-founder of Aspect Security, a Columbia, Md., U.S.A.-based application security consulting firm. “Last year, we verified thousands of applications, and on average, they had 22.4 vulnerabilities. Considering that these organizations typically have an established application security program and that these applications are the ones with the most critical security requirements, that’s a shocking number,” he says. “So, for the CISO, the primary concern should be eliminating the most common, most critical risks from their application portfolio. They may not want to proceed one application at a time, but instead have a push to eliminate a certain critical risk like SQL injection.”

“Highly secure software is a cultural issue, and the CISO plays a critical role in establishing a culture where security is a key part of the design, implementation, test, and operation of every application.”

—JEFF WILLIAMS, CEO AND CO-FOUNDER, ASPECT SECURITY

FINDING RELIEF

According to Paul, one key component in addressing this issue is to focus on developing highly secure software, which is either hack-proof or onerously difficult for a hacker to break through the protection profile. “Highly secure software has followed a structured secure development lifecycle (SDL) methodology and has secure features built in proactively, as opposed to bolted on at a later stage,” he says. “In addition, functionality of the software is mapped not only to functional requirements, but also to assurance requirements that are identified and tracked using a security plan: the software should assure confidentiality, integrity, and availability; identify threats; and implement controls.”

Unfortunately, many companies have taken a very myopic view of building highly secure software. “The approach of buying security tools for vulnerability analysis and penetration testing doesn’t work if companies don’t address the problem holistically and proactively by building secure features into the software they architect and build,” he says. “The problem of insecure software is as evident today as it was over a decade ago. This means that the security tools alone do not address the root problem. What we need is not incident management, but problem management.”

ADDING ASSURANCE

In order for CISOs to have confidence in how software handles sensitive data, testing procedures need to follow suit, explains John Dickson, principal of the Denim Group in San Antonio, Texas, U.S.A. “It’s important to look at who is testing it and the internal processes for testing rigor. Are you relying on source code analysis? Is there third-party validation? And, how frequently does this happen?” he says. “There is also a full spectrum of invasiveness. Are you just pointing an automated scanner to find low-hanging fruit or is there a manual source code review process to find vulnerabilities, malware, and backdoors? Understanding the testing is crucial when embracing software that needs to be highly secure.”

Throughout the testing process, Dickson also recommends looking at multiple roles. “Is the application pervious to people with low-level users making lateral moves? CISOs need to know that protections exist to prevent users from moving horizontally within the system to access areas they shouldn’t. This could be crippling if it means gaining access to sensitive client data,” he says.

At every stage from concept and development through deployment and maintenance, protecting data always should drive criticality and intensity of testing efforts, explains Dickson. “In a world where we have limited resources it’s not always possible to conduct security testing at this level across the board,” he says. “Instead, you need to take your resources and apply them properly. Automated testing is often what takes up the slack. Most companies do not have the resources to test everything.”

ILLUSTRATION BY BRIAN STAUFFER

FALLING SHORT

According to Williams, buying a tool and expecting it to improve things is just about the biggest mistake an organization could make. “Highly secure software is a cultural issue, and the CISO plays a critical role in establishing a culture where security is a key part of the design, implementation, test, and operation of every application,” he says. Williams adds that in many organizations, the problem around highly secure software is intractable: there are too many apps and vulnerabilities, and the organization lacks the resources to address the issue.

Businesses need to attack the problem one bite at a time. “We believe the future is in establishing an infrastructure for monitoring applications as they are designed, built, tested, and operated,” he explains. The infrastructure can start small, with one simple sensor to measure and monitor something very simple. But when distributed across the entire application portfolio, that one sensor provides a useful dashboard, he says. “And then more sensors can be deployed and the platform extended until you achieve a measure of assurance in your application infrastructure. This vision takes commitment and energy to create, but it’s the only way application security and highly secure software can scale.”

Dickson adds that many fall short in the planning stages with faulty qualitative business logic. For instance, making a decision at the whiteboard stage to send payment processing to a third party is shortsighted logic. “Conceptually, they fail to ask the security questions around these decisions, such as what vulnerabilities exist with the vendor,” he says. Other questions IT fails to ask are: What testing are they doing? How secure is the entry point into their organization, and how secure is data coming back? “Oftentimes people will make the mistake at the front end, and that error will cause massive problems.”

A divergent mindset also creates issues, according to Paul. “Developers build software to specifications that are usually functionality related and not necessarily assurance related. However, infosec professionals aim at attesting the security of the software before the hackers do,” says Paul. “This builders vs. breakers mindset should be understood by both the development organization as well as the security organization in order to develop highly secure software. What we need are developers with a security mindset and security professionals with a developer mindset.”

Unfortunately, this is a predacious problem that will require spectacular issues before the public forces change, explains Dickson. “We have not yet seen disruptions at a level that truly impact the work environment for two days.”

Peter Fretty is a freelance business and technology journalist based in Michigan.

BUILT-IN SUCCESS

To holistically build highly secure software, in addition to security tools, a structured security development lifecycle must exist, and the people, from the builder to the boardroom, must be educated to make information risk-based decisions, explains Mano Paul, CEO of SecuRisk Solutions.

Key strategies to building highly secure software include:

1. Identifying external and internal requirements.
2. Implementing a Security Development Lifecycle.
3. Thinking strategically when building applications: “Development needs to look to the future, not just from a business direction standpoint, but also from a changing threat landscape,” he says.
4. Investing in your people. “Move beyond compliance-driven information security awareness programs to make sure team members not only know what to do, but know how to protect applications,” Paul adds.
5. Training people in software security.
6. Implementing security processes, such as threat modeling, secure code reviews, penetration testing, etc. in the software development lifecycle.
7. Deploying software to run on top of secure technologies on their hosts and their networks.

[Figure: Structured Security Development Lifecycle cycle with the stages Identify, Implement, Strategize, Invest, Train, Implement, Deploy]