IT Risk Management: Guide to Software Risk Assessments and Audits

Transcription

1 IT Risk Management: Guide to Software Risk Assessments and Audits

2 Contents Overview... 3 Executive Summary... 3 Software: Today s Biggest Security Risk... 4 How Software Risk Enters the Enterprise... 5 Software Risk Management... 6 Step 1 Software Risk Assessment: Inventory and Assurance Levels 6 Step 2 Software Risk Assessment: Independent Application Security Testing 7 Step 3 Software Risk Mitigation: Set Acceptance Thresholds 7 Step 4 Evaluation and Assessment 8 How Veracode Can Help... 8 About Veracode Veracode, Inc. 2

3 Overview Risk is a function of the likelihood of a given threat-source s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. 1 In IT systems, risk can be introduced from the internet, servers, networks, malicious insiders and even lapses in physical security. However, the current rate of newly discovered vulnerabilities in software has risen to the top of the agenda for security professionals striving to control their company s overall risk profile. According to Gartner and the Computer Emergency Response Team (CERT), 75% of new attacks target the application layer and software vulnerabilities have reached an all time high with more than 7,000 new vulnerabilities disclosed over the last year. 2 Executive Summary The software industry is one of the largest manufacturing industries in the world, with $350 billion in off-the-shelf software sold each year and over $100 billion in customized code on top of that. Despite the size, there is no standardized notion of software security quality even though the repercussions include product patches, data breaches leading to massive theft and fluctuations in corporate stock prices. This pushes both costs and liabilities onto the enterprise purchasing the software. In most cases organizations do not have any insight into what vulnerabilities exist in these applications, resulting in an unacceptable level of unbounded risk. Until now, enterprises have lacked an efficient manner to analyze the security of software as part of their risk management processes. Security testing has been limited to manual analysis by consultants, using internal teams with source code tools or trusting the software supplier to test their own code. None of these approaches scale to cover an enterprise s entire application portfolio and can add significant time and costs to projects. In an effort to combat this growing trend, new compliance requirements from the Payment Card Industry (PCI), the Comptroller of the Currency Administrator of National Banks (OCC) along with recommendations from industry groups and analysts call for risk management processes to secure software applications. This whitepaper outlines how new application security technologies enable organizations to meet the growing threat posed by software and provides risk management best practices which enterprises can use to secure their application inventory. 1 NIST Risk Management Guide for Information Systems Special Publication Microsoft Security Intelligence Report 2008 Based on data from the DHS NVD & CERT 3

4 Software: Today s Biggest Security Risk Today s application has become the enterprise s new perimeter. With better network-level security technology hardening the network perimeter, malicious attackers are now focusing their efforts to strike at the least defended points the application. While hackers were once satisfied with defacing Web sites, unleashing denial-of-service attacks and trading illicit files through targeted networks, modern attackers are profit-driven. Financial and customer data have become valuable commodities and applications must be secure enough to protect them. Recent industry statistics confirm this trend. Data from CERT reveals that the number of software vulnerabilities has risen dramatically and has eclipsed 7,000 new software vulnerability disclosures in the past year an all time high 3. Meanwhile, Gartner and NIST report that 95% of all reported vulnerabilities are in software 4, 78% of threats target business information, and 75% of attacks target the application level 5. Yet, even with these findings, most enterprises allocate less than 10% of their security spending to application security. NIST/Gartner Key Facts CERT Number of Software Vulnerability Disclosures per Year 3 Microsoft Security Intelligence Report 2008 Based on data from the DHS NVD & CERT 4 Mark Curphey, Software Security Testing: Let s Get Back to Basics October, 2004, SoftwareMAG.com 5 Theresa Lanowitz, Now Is the Time for Security at the Application Level 2005, Gartner 4

5 How Software Risk Enters the Enterprise As the myriad of applications deployed within organizations increases, some developed internally, some brought in from outside the effort needed to manage risk becomes greater. Applications are inherently more complex with many being based on a mixed code base from a wide range of sources, teams, and geographic locations. Gone are the days when companies developed their own source code. Now over two-thirds of the world s largest companies are engaged in offshore outsourcing. 6 Additionally enterprises have lacked an efficient matter to analyze the security of off-the-shelf commercial applications that are purchased further decreasing their security posture. Traditional tools cannot rise to this challenge as they typically require source code which usually isn t available in mixed code based applications. Manual penetration testing is time consuming, costly and simply doesn t scale. Figure 1 below shows how software risk enters the enterprise as today s application development and procurement processes have become increasingly distributed and complex. Figure 1 - Modern Software Risk Landscape Today s applications are made up of multiple pre-compiled components, libraries and open source. The US Department of Homeland Security calls this SOUP or software of unknown pedigree. Simply put, the software supply chain is increasingly complex and whether software is purchased from an established vendor or developed in-house, the liability and risk that the application poses rests with the enterprise and organizations must take steps to test applications for security vulnerabilities prior to accepting and deploying software. 6 Mary Hayes Weier, The Second Decade Of Offshore Outsourcing: Where We're Headed, Nov. 2007, InformationWeek 5

6 Software Risk Management Risk management is the process that allows IT managers to balance the operational and economic costs of protective measures and achieve gains in mission capability by protecting the IT systems and data that support their organizations missions. Overall risk management encompasses three processes: risk assessment, risk mitigation, and evaluation and assessment. 7 The following steps detail best practices for implementing a successful software risk management program. Step 1 Software Risk Assessment: Inventory and Assurance Levels While it may seem obvious that as part of a risk assessment organizations need to create an inventory of their applications that are being developed, purchased or maintained by an outsourcing provider, however, in practice it can be a challenging exercise. With the advent of low cost offshore development, open source and low cost commercial software it is common to see application sprawl as individual groups or business units may have contracted work that previously would have required higher capital costs and formal approvals. When conducting an application inventory, involve business units, procurement and vendor management to ensure all software that was or is entering the organization has been identified. Once applications have been identified, organizations need to understand the risk that the application poses to the business. This can be achieved through the assignment of an assurance level for each application based on business risk factors such as: reputation damage, financial loss, operational risk, sensitive information disclosure, personal safety, and legal violations. Assurance levels are used to determine the extent of testing methods (e.g. higher assurance levels may be tested using multiple techniques) and the overall acceptance criteria (e.g. a lower assurance level application may be accepted with a lower security scores as they do not pose a significant risk to the business). The following chart from NIST provides guidance on selecting an assurance level based on business risk: 7 NIST Special Publication

7 Step 2 Software Risk Assessment: Independent Application Security Testing In order to quantify the risk posed by software identified in step 1, organizations need to conduct security testing in order to determine if the application contains vulnerabilities. However, until now, true testing of software has been difficult due to the high cost and effort required to conduct manual code reviews and the difficulty in obtaining access to of source code. Because of these issues, few companies conduct software testing or are only able to address a small sub-segment of their highest risk applications. Given the current threat landscape, it is imperative that organizations test all of their outsourced applications, ideally using a third party to obtain Independent Verification and Validation (IV&V). New technologies and testing methodologies, e.g. automated security testing services offered by companies such as Veracode, now enable organizations to independently test all of their applications before they are accepted and deployed by the enterprise. Step 3 Software Risk Mitigation: Set Acceptance Thresholds Enterprises can leverage software security ratings to decide which applications are secure enough to be accepted or deployed and which applications need remediation by the provider before software acceptance. To demonstrate setting acceptance thresholds, we will use Veracode s SecurityReview service as an example. Application testing with various testing techniques, combined with a scoring system based on the Common Vulnerability Scoring System (CVSS) and the Common Weakness Enumeration (CWE) standards, a Security Quality Score (SQS) is derived for each application. The assurance levels the enterprise selected in Step 1 (above) is then applied to incorporate business risk and the output is normalized to an easy to understand letter grade (A, B, C, etc ). Thus, enterprises can set an acceptable grade A for example and software must achieve that grade for the application to be accepted. Setting thresholds and using standard-based scoring removes the subjectivity and gray-area on what constitutes acceptance and clarifies the process for both the enterprise and provider. Below is a chart that demonstrates how organizations can use assurance levels, quality scores and testing methods to achieve an overall rating: 7

8 Step 4 Evaluation and Assessment Security and risk are not a point-in-time, but a continuous process. As the organization grows, new applications are deployed, existing applications are upgraded and new features or functionality is enabled. Additionally, the threat landscape for software vulnerabilities is constantly changing. An application which is secure today may become vulnerable at a future date as new attack vectors and methods are developed. Thus, it is critical that a successful risk management program performs ongoing evaluations and assessments as to the effectiveness and relevance of the controls which are deployed. For software risk management, this means constantly monitoring the threat landscape through formal vulnerability notification programs such as the Department of Homeland Security s National Vulnerability Database or MITRE s Common Vulnerability and Exposures (CVE) service. Additionally, because attacker s methods evolve over time, software risk management programs should use the following evaluation and assessment methods for deployed applications: Re-test applications after upgrades, patches or significant changes prior to deployment Re-test deployed applications at on a quarterly or semi-annually basis, depending on assurance level, in order to determine if new threat models expose the application to vulnerabilities How Veracode Can Help Veracode SecurityReview is the industry s first solution to use patented binary code analysis and dynamic web analysis to uniquely assess any application security threats, including vulnerabilities and malicious code. SecurityReview performs the only complete and independent security audit across any internally developed applications, third-party commercial off-the-shelf software and offshore code without exposing a company s source code. Delivered as an on-demand service, Veracode delivers the simplest and most-cost effective way to implement security best practices, reduce operational cost and achieve compliance without requiring any hardware, software or training. As an expert in application security, Veracode is uniquely suited to provide independent verification and validation (IV&V) of software applications without the need for costly on-site consultants. Veracode's Ratings System produces a software security rating based on respected industry standards including MITRE s Common Weakness Enumeration (CWE) for classification of software weaknesses and FIRST s Common Vulnerability Scoring System (CVSS) for severity and ease of exploitability and NIST s application assurance levels. These universally accepted vulnerability scoring methods provide a clear audit trail enabling enterprises to automate the security acceptance testing of outsourced applications and meet both internal and external security and compliance requirements and reduce their exposure to risk. 8

9 About Veracode Veracode is the world s leader for on-demand application security testing solutions. Veracode SecurityReview is the industry s first solution to use patented binary code analysis and dynamic web analysis to uniquely assess any application security threats, including vulnerabilities such as cross-site scripting (XSS), SQL injection, buffer overflows and malicious code. SecurityReview performs the only complete and independent security audit across any internally developed applications, third-party commercial off-the-shelf software and offshore code without exposing a company s source code. Delivered as an on-demand service, Veracode delivers the simplest and most-cost effective way to implement security best practices, reduce operational cost and achieve regulatory requirements such as PCI compliance without requiring any hardware, software or training. Veracode has established a position as the market visionary and leader with awards that include recognition as a Gartner Cool Vendor 2008, Info Security Product Guide s Tomorrow s Technology Today Award 2008, Information Security Readers Choice Award 2008, AlwaysOn Northeast's "Top 100 Private Company 2008", NetworkWorld Top 10 Security Company to Watch 2007, and Dark Reading s Top 10 Hot Security Startups Based in Burlington, Mass., Veracode is backed by.406 Ventures, Atlas Venture and Polaris Venture Partners. For more information, visit 9