6 Steps to Getting Started with Application Security Requirements & Threat Management (ASRTM)
Copyright © 2017 Security Compass. All rights reserved.
SECURITY COMPASS WHITEPAPER 2017
INTRODUCTION
There are many benefits to implementing an Application Security Requirements & Threat Management (ASRTM) program, including:
• Lowering costs to build secure software
• Making security measurable
• Turning unplanned work into planned work
• Freeing up time away from remediation, and into feature development
• Having a single process that works with in-house, outsourced, and commercial software
• Providing confidence that software is secure, when requirements are linked to verification
This guide provides 6 simple steps to get you started on building an Application Security Requirements & Threat Management program. The steps are as follows:
1. Define your goals for adopting an ASRTM program.
2. Select a repository for your re-usable requirements.
3. Determine the sources for your requirements.
4. Add requirements to your repository.
5. Build a list of application properties.
6. Deploy requirements to development teams.
1. DEFINE YOUR GOALS FOR ADOPTING AN ASRTM PROGRAM
Here are some common ones:
• Lower application security risk: You view application security as a key area of risk, and see software security requirements as a tool to help reduce that risk.
• Lower cost of application security remediation: You want to specify security requirements up-front, thereby reducing the need to fix vulnerabilities after they’ve been identified.
• Improve compliance: You wish to use software security requirements to improve compliance to and auditability of a particular regulation.
• Understand application risks: You wish to understand the types of risks affecting applications, including risks that existing assessment techniques may be unable to uncover.
• Disseminate guidance across the organization: You wish to centrally manage software security and other non-functional requirements and automatically push them to other teams or into other organizational processes.
• Increase security of 3rd party developed software: You wish to generate detailed technical security requirements for 3rd party software suppliers.
2. SELECT A REPOSITORY FOR YOUR RE-USABLE REQUIREMENTS
A static document is not sufficient for managing software security requirements. Some sort of filtering mechanism, such as a priority, is essential for getting adoption from time-crunched developers. Here are a few common options:

Repository Type: Spreadsheet
Pros:
• Cheap
• Easy to get started
Cons:
• Low fidelity
• Not centralized
• Hard to maintain
• No integration

Repository Type: SharePoint or Internally Developed Application
Pros:
• More advanced than spreadsheet
• Possibility of integration with custom development
Cons:
• Hard to maintain
• May be expensive to develop

Repository Type: Commercial Application Security Requirements & Threat Management (ASRTM) solution
Pros:
• Extensive features
• Integration with development & security tools
• Access to continuous and up-to-date requirements from vendor’s researchers
• Integrated training
Cons:
• Requires securing budget & buy-in from other stakeholders
3. DETERMINE THE SOURCES FOR YOUR REQUIREMENTS
Here are a few examples:
• Compliance regulations: If compliance to standards such as PCI DSS is driving your software security requirements gathering program, then you should reference those compliance initiatives and include any code-level issues in your list of requirements.
• Internal corporate standards: You may have some existing corporate standards for areas like password management and encryption, so you’ll want to at least reference these in your requirements library.
• Secure development practices: Your internal development teams may have a document with code samples to address well-known weaknesses. You may want to augment these samples and best practices with the information available online:
o OWASP Secure Coding Practices – Quick Reference Guide: A PDF/Word doc of concise secure coding practices that can easily be used as requirements.
o OWASP Application Security Verification Standard (ASVS): A large set of verification requirements for web applications. While ASVS standards are not requirements, you can generally reverse engineer the corresponding requirement from each verification standard.
o Common Weakness Enumeration (CWE): The most comprehensive set of software security weaknesses available. You will need to invest a significant amount of time if you wish to cover the breadth of the CWE. Also, CWE weaknesses do not necessarily cover countermeasures, so you will need to determine the countermeasure for each weakness yourself.
If you elect to use a commercial Application Security Requirements & Threat Management solution, the vendor is responsible for monitoring external sources of security requirements. A mature ASRTM solution will allow you to supplement its list of requirements with your own corporate standards and code samples.
4. ADD REQUIREMENTS TO YOUR REPOSITORY
Based on the sources you selected from step 3, build a re-usable repository of software security requirements. Include the following information for each requirement:
• Requirement title: Title to describe the requirement.
• Requirement description: A short abstract of what the requirement is. Remember developers are often time-crunched, so keep the description short and link to more detailed information if you need to.
• Vulnerability description: A brief description of what vulnerability the requirement is mitigating, so that developers know why they need to perform this action.
• Base risk or priority: A number to help teams understand how urgent the requirement generally is.
• Verification: How can somebody verify that this requirement has been implemented?
• Inclusion Rule: When is this requirement relevant to an application? What application properties need to be true? These rules are best implemented using boolean logic. For example, a requirement which protects against certain database attacks, “Bind variables in SQL statements”, might apply to all applications where the application property “Uses SQL database == TRUE”. Keep track of all of the properties you reference in these rules.
o In Excel, the rules can be made up of simple formulas that reference the sheet containing properties.
o In a custom app or SharePoint site, the rules can be configured using hard-coded logic.
o In a commercial Security Requirements Management solution, requirements should already be populated and updated by the vendors. You will have the ability to overwrite rules if you wish to customize them.
5. BUILD A LIST OF APPLICATION PROPERTIES
These properties should be based on those identified in step 4 (i.e. “Uses SQL database” in the example above). Some common properties are:
• Application type (e.g. web application, mobile application, etc.)
• Uses SQL database
• Exposes RESTful web services
• Exposes SOAP web services
• Uses passwords for authentication
• Stores/transmits/processes credit card data
With a set of application properties and requirements tied to these properties you can generate a tailored list of software security requirements for an application.
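As an added illustration of steps 4 and 5 (example code written for this page, not code from the whitepaper or from SD Elements), the Python below models a small requirements repository whose inclusion rules are boolean conditions over application properties, generates the tailored, priority-ordered list for one application, and reports which properties the rules reference so the step 5 property list can be checked against them. The property names and every requirement except “Bind variables in SQL statements” are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Requirement:
    title: str          # requirement title
    description: str    # short abstract; link to detail elsewhere
    vulnerability: str  # what the requirement mitigates
    priority: int       # base risk: 1 = most urgent
    verification: str   # how to confirm it was implemented
    rule: dict          # inclusion rule: property -> required value (all must hold)

# Constructed sample repository; only "Bind variables in SQL statements" is from the paper.
REPOSITORY = [
    Requirement("Bind variables in SQL statements", "Use parameterised queries only.",
                "SQL injection", 1, "Code review/SAST finds no string-built SQL.",
                {"uses_sql_database": True}),
    Requirement("Hash passwords with a salted adaptive function",
                "Store only bcrypt/scrypt/Argon2 hashes.", "Credential theft", 1,
                "Inspect stored format and work factor.", {"uses_passwords_for_authentication": True}),
    Requirement("Do not store the card verification code", "Never persist CVV.",
                "Card data exposure (PCI DSS scope)", 1, "Search data stores and logs for CVV.",
                {"handles_credit_card_data": True}),
    Requirement("Require signed SOAP messages", "Validate WS-Security signatures.",
                "Message tampering", 2, "Send an unsigned request; expect a SOAP fault.",
                {"application_type": {"web application"}, "exposes_soap_web_services": True}),
]

def rule_matches(rule, properties):
    # A set means "property value must be one of these"; anything else must match exactly.
    for prop, expected in rule.items():
        actual = properties.get(prop)
        if isinstance(expected, (set, frozenset)):
            if actual not in expected:
                return False
        elif actual != expected:
            return False
    return True

def tailored_requirements(properties, repo=REPOSITORY):
    """Step 6 input: titles of the requirements that apply to one application, most urgent first."""
    hits = [r for r in repo if rule_matches(r.rule, properties)]
    return [r.title for r in sorted(hits, key=lambda r: (r.priority, r.title))]

def referenced_properties(repo=REPOSITORY):
    """Step 4's bookkeeping: every property any inclusion rule references."""
    return sorted({p for r in repo for p in r.rule})

def unlisted_properties(property_list, repo=REPOSITORY):
    """Step 5 check: referenced properties missing from the application-property list."""
    return sorted(set(referenced_properties(repo)) - set(property_list))
```

Any property a rule references but the step 5 list lacks shows up in unlisted_properties, which is the gap that silently drops requirements from a team's tailored list.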
6. DEPLOY REQUIREMENTS TO DEVELOPMENT TEAMS
Provide the development teams with the requirements tool, from which they should be able to generate a specific set of software security requirements that applies to their applications. They can then add these requirements to their standard requirements gathering process. A recommended final step is to collect feedback and evaluate against the goals you outlined in step 1.
ABOUT SD ELEMENTS
SD Elements is the leading Application Security Requirements and Threat Management (ASRTM) platform. Starting with automated threat modeling, SD Elements generates a set of security requirements that helps organizations manage risk in their own internally developed applications, or third party software. SD Elements offers everything from intuitive instructions on developing countermeasures, to project tracking and reporting, to offer a full solution for efficiently building secure software. And with a rich set of interfaces to many ALM and testing tools, SD Elements is an automated solution enabling secure software development in a DevOps world.