6StepstoGettingStartedwithApplicationSecurityRequirements&ThreatManagement(ASRTM)

Copyright©2017SecurityCompass.Allrightsreserved.

SECURITYCOMPASSWHITEPAPER2017

Copyright©2017SecurityCompass.Allrightsreserved. 1

INTRODUCTION TherearemanybenefitstoimplementinganApplicationSecurityRequirements&ThreatManagement(ASRTM)program,including:

• Loweringcoststobuildsecuresoftware• Makingsecuritymeasurable• Turningunplannedworkintoplannedwork• Freeinguptimeawayfromremediation,andintofeaturedevelopment• Havingasingleprocessthatworkswithin-house,outsourced,andcommercialsoftware• Providingconfidencethatsoftwareissecure,whenrequirementsarelinkedtoverification

Thisguideprovides6simplestepstogetyoustartedonbuildinganApplicationSecurityRequirements&ThreatManagementprogram.Thestepsareasfollows:

1. DefineyourgoalsforadoptinganASRTMprogram.

2. Selectarepositoryforyourre-usablerequirements.

3. Determinethesourcesforyourrequirements.

4. Addrequirementstoyourrepository.

5. Buildalistofapplicationproperties.

6. Deployrequirementstodevelopmentteams.

Copyright©2017SecurityCompass.Allrightsreserved. 2

1. DEFINE YOUR GOALS FOR ADOPTING AN ASRTM PROGRAM Herearesomecommonones:

• Lowerapplicationsecurityrisk:Youviewapplicationsecurityasakeyareaofrisk,andseesoftwaresecurityrequirementsasatooltohelpreducethatrisk.

• Lowercostofapplicationsecurityremediation:Youwanttospecifysecurityrequirementsup-front,therebyreducingtheneedtofixvulnerabilitiesafterthey’vebeenidentified.

• Improvecompliance:Youwishtousesoftwaresecurityrequirementstoimprovecompliancetoandauditabilityofaparticularregulation.

• Understandapplicationrisks:Youwishtounderstandthetypesofrisksaffectingapplications,includingrisksthatexistingassessmenttechniquesmaybeunabletouncover.

• Disseminateguidanceacrosstheorganization:Youwishtocentrallymanagesoftwaresecurityandothernon-functionalrequirementsandautomaticallypushthemtootherteamsorintootherorganizationalprocesses.

• Increasesecurityof3rdpartydevelopedsoftware:Youwishtogeneratedetailedtechnicalsecurityrequirementsfor3rdpartysoftwaresuppliers.

Copyright©2017SecurityCompass.Allrightsreserved. 3

2. SELECT A REPOSITORY FOR YOUR RE-USABLE REQUIREMENTS Astaticdocumentisnotsufficientformanagingsoftwaresecurityrequirements.Somesortoffilteringmechanism,suchasapriority,isessentialforgettingadoptionfromtime-cruncheddevelopers.Hereareafewcommonoptions:

RepositoryType Pros Cons

Spreadsheet

• Cheap

• Easytogetstarted

• Lowfidelity

• Notcentralized

• Hardtomaintain

• Nointegration

SharepointorInternallyDevelopedApplication

• Moreadvancedthanspreadsheet

• Possibilityofintegrationwithcustomdevelopment

• Hardtomaintain

• Maybeexpensivetodevelop

CommercialApplicationSecurityRequirements&ThreatManagement(ASRTM)solution

• Extensivefeatures

• Integrationwithdevelopment&securitytools

• Accesstocontinuousandup-to-daterequirementsfromvendor’sresearchers

• Integratedtraining

• Requiressecuringbudget&buy-infromotherstakeholders

Copyright©2017SecurityCompass.Allrightsreserved. 4

3. DETERMINE THE SOURCES FOR YOUR REQUIREMENTS Hereareafewexamples:

• Complianceregulations:IfcompliancetostandardssuchasPCIDSSisdrivingyoursoftwaresecurityrequirementsgatheringprogram,thenyoushouldreferencethosecomplianceinitiativesandincludeanycode-levelissuesinyourlistofrequirements.

• Internalcorporatestandards:Youmayhavesomeexistingcorporatestandardsforareaslikepasswordmanagementandencryption,soyou’llwanttoatleastreferencetheseinyourrequirementslibrary.

• Securedevelopmentpractices:Yourinternaldevelopmentteamsmayhaveadocumentwithcodesamplestoaddresswell-knownweaknesses.Youmaywanttoaugmentthesesamplesandbestpracticeswiththeinformationavailableonline:

o OWASPSecureCodingPractices–QuickReferenceGuide:APDF/Worddocofconcisesecurecodingpracticesthatcaneasilybeusedasrequirements.

o OWASPApplicationSecurityVerificationStandard(ASVS):Alargesetofverificationrequirementsforwebapplications.WhileASVSstandardsarenotrequirements,youcangenerallyreverseengineerthecorrespondingrequirementfromeachverificationstandard.

o CommonWeaknessEnumeration(CWE):Themostcomprehensivesetofsoftwaresecurityweaknessesavailable.YouwillneedtoinvestasignificantamountoftimeifyouwishtocoverthebreadthoftheCWE.Also,CWEweaknessesdonotnecessarilycovercountermeasures,soyouwillneedtodeterminethecountermeasureforeachweaknessyourself.

IfyouelecttouseacommercialApplicationSecurityRequirements&ThreatManagementsolution,thevendorisresponsibleformonitoringexternalsourcesofsecurityrequirements.AmatureASRTMsolutionwillallowyoutosupplementitslistofrequirementswithyourowncorporatestandardsandcodesamples.

Copyright©2017SecurityCompass.Allrightsreserved. 5

4. ADD REQUIREMENTS TO YOUR REPOSITORY Basedonthesourcesyouselectedfromstep3,buildare-usablerepositoryofsoftwaresecurityrequirements.Includethefollowinginformationforeachrequirement:

• Requirementtitle:Titletodescribetherequirement.• Requirementdescription:Ashortabstractofwhattherequirementis.Rememberdevelopers

areoftentime-crunched,sokeepthedescriptionshortandlinktomoredetailedinformationifyouneedto.

• Vulnerabilitydescription:Abriefdescriptionofwhatvulnerabilitytherequirementismitigating,sothatdevelopersknowwhytheyneedtoperformthisaction.

• Baseriskorpriority:Anumbertohelpteamsunderstandhowurgenttherequirementgenerallyis.

• Verification:howcansomebodyverifythatthisrequirementhasbeenimplemented?• InclusionRule:Whenisthisrequirementrelevanttoanapplication?Whatapplication

propertiesneedtobetrue?Theserulesarebestimplementedusingbooleanlogic.Forexample,arequirementwhichprotectsagainstcertaindatabaseattacks“BindvariablesinSQLstatements”mightapplytoallapplicationswheretheapplicationproperty“UsesSQLdatabase==TRUE”.Keeptrackofallofthepropertiesyoureferenceintheserules.

• InExcel,therulescanbemadeupofsimpleformulasthatreferencethesheetcontainingproperties.

• InacustomapporSharePointsite,therulescanbeconfiguredusinghard-codedlogic.• InacommercialSecurityRequirementsManagementsolution,requirementsshouldalreadybe

populatedandupdatedbythevendors.Youwillhavetheabilitytooverwriterulesifyouwishtocustomizethem.

Copyright©2017SecurityCompass.Allrightsreserved. 6

5. BUILD A LIST OF APPLICATION PROPERTIES Thesepropertiesshouldbebasedonthoseidentifiedinstep4(i.e.“UsesSQLdatabase”intheexampleabove).Somecommonpropertiesare:

• Applicationtype(e.g.webapplication,mobileapplication,etc.)• UsesSQLdatabase• ExposesRESTfulwebservices• ExposesSOAPwebservices• Usespasswordsforauthentication• Stores/transmits/processescreditcarddata

Withasetofapplicationpropertiesandrequirementstiedtothesepropertiesyoucangenerateatailoredlistofsoftwaresecurityrequirementsforanapplication.

6. DEPLOY REQUIREMENTS TO DEVELOPMENT TEAMS Providethedevelopmentteamswiththerequirementstool,fromwhichtheyshouldbeabletogenerateaspecificsetofsoftwaresecurityrequirementsthatappliestotheirapplications.Theycanthenaddtheserequirementstotheirstandardrequirementsgatheringprocess.Arecommendedfinalstepistocollectfeedbackandevaluateagainstthegoalsyououtlinedinstep1.

Copyright©2017SecurityCompass.Allrightsreserved. 7

ABOUT SD ELEMENTS SDElementsistheleadingApplicationSecurityRequirementsandThreatManagement(ASRTM)platform.Startingwithautomatedthreatmodeling,SDElementsgeneratesasetofsecurityrequirementsthathelpsorganizationsmanageriskintheirowninternallydevelopedapplications,orthirdpartysoftware.SDElementsofferseverythingfromintuitiveinstructionsondevelopingcountermeasures,toprojecttrackingandreporting,toofferafullsolutionforefficientlybuildingsecuresoftware.AndwitharichsetofinterfacestomanyALMandtestingtools,SDElementsisanautomatedsolutionenablingsecuresoftwaredevelopmentinaDevOpsworld.