Moderator: Benjamin McGee, CISSP Cyber Security Lead SAIC

Transcription

1 From Security Assessment to Vulnerability Remediation: The Realities of Deploying a Cloud-Based Application Risk Management Solution Moderator: Benjamin McGee, CISSP Cyber Security Lead SAIC

2 Setting the Tone The dramatic rise in cyber crime and web application security threats make it more important than ever to know the security state of the essential business applications that run your operations. But software testing can involve time, expertise, and software investments that make it impractical for many IT organizations. Deploying a Cloud-based Application Risk Management Solution can provide a way to quickly, accurately, and affordably test the security of applications without any software to install or manage. This automated, turnkey service requires no special security assessment expertise. When it comes to IT security, it is painfully obvious that both government and industry focus too heavily on the perimeter and endpoint protection network security, host security, virus protection, trusted internet connections, core configurations, firewalls and identity management. Meanwhile, the applications that protect vital information and automate critical processes remain too vulnerable.

3 Poll the Group How many with me today are deploying a cloud based SSA Solution? One Yes, Everyone else NO And how many are considering it? None What about just an SSA Solution? Fortify, IBM-Appscan, Coverity, WebInspect

4 Key Definitions Static Analysis Users simply and securely upload either source code or executables and SSA Cloud Application completes a static analysis detecting more than a myriad of vulnerability categories. Dynamic Analysis Users provide the URL of any application either in QA or production and test is scheduled automatically at via different levels of service.

5 Discussion Point #1 Who is at Risk? Overlooking vulnerabilities within software that already has been deployed puts government agencies and industry at tremendous risk for attacks, data loss and process interruption. Research by both US- CERT and a 2009 government study found that 79 percent or more of the attacks that led to data loss in 2009 were on applications.

6 Discussion Point #1 Who is at Risk? - Comments COST What is Priority Focus has been on Network Security Physical Firewalls, IDS No Policy Guidance No Metrics Education long term benefit into frontloading security in to SDLC Pull out of Contract too costly Old School Mentality ; Need new wave of thinking

7 Discussion Point #2 Software Superiority? One needs to look no further than the attack on Google by hackers in China that enabled by a zero-day vulnerability in Microsoft's Internet Explorer, for a sobering reminder of how even the biggest software companies with the best processes can produce insecure code. According to evidence from code-level analysis performed for a recent study published in SC Magazine, automated static and dynamic security testing on nearly 1,600 applications over 18 months prior to February 2009, half of all government applications failed to demonstrate acceptable security, compared to slightly more than half for all applications.

8 Discussion Point #2 Software Superiority? - Comments No Way more people to test larger applications like Microsoft that identify vulnerabilities GOTS Limited Funding, limited documentation, limited resourcesx COTS Continuous funding What's the level of the program Different reqs for different apps A lot of apps have no specific STIG

9 Discussion Point #3 Dispelling the Myths of Perimeter Security to Promote SSA Data breaches are shifting more to the application layer, putting software at the root of federal cyber vulnerabilities. Economic and time-to-value imperatives have driven agencies to reuse code and purchase software wherever possible. Vulnerabilities in any piece of software can be a door that bypasses network and endpoint controls and gives an attacker access to everything. Until government agencies and industry secure both their application development efforts and their software supply chain, they're vulnerable. We patch software with known vulnerabilities because we know our perimeter and endpoint security cannot protect from many software vulnerabilities. The only solution is fixing the root cause in the software with a patch.

10 Discussion Point #3 Dispelling the Myths of Perimeter Security to Promote SSA Culture Change SSA will take a long time to move Don t agree with the Myth of Perimeter Security C&A Network Security Education Develop Process Software driven by schedule IA & Security Moving on to software from Network oh no not another IA thing that I have to do Industry is doing this; DOD needs to be doing this. Huge money going into Software Security

11 Discussion Point #4 Advantages and Disadvantages of SSA in the Cloud I think we have heard today that it is not possible to know the security state of all our critical software. And the idea that application risk management is time-consuming, complicated and disruptive is anchored in an outdated understanding of what is possible. With cloud-based security testing and revolutionary technical innovations that enable automated testing on software in its final form rather than in source code, it is possible to assess hundreds of applications within one year or even a few months. By prioritizing applications based on each one's level of business criticality, government agencies quickly can test the most mission-critical applications. The right application risk management solution can fit easily into current internal certification and accreditation processes and integrate easily into the many different software development lifecycles (SDLC) used across the enterprise, without causing disruptions. Third-party applications and code can be evaluated, too, so that agencies can cost-effectively evaluate the security of every application behind the firewall. Application risk management solutions delivered through a cloud-based model and able to evaluate every application regardless of its supplier are able to scale globally across teams and geographies without the need for any hardware or software, leading to lower operational expenditures, more complete coverage and a more accurate understanding of risk and compliance.

12 Discussion Point #4 Advantages and Disadvantages of SSA in the Cloud Gov t Provided Cloud might work would be difficult to have contractors pushing / pulling software up because of intellectual property Time Increase ; Issues with NDA ; Stingy ; Vendor Black Box Virtualization Intellectual Property Life of company may come into play; what if they are bought out by another company? Third Party Start chucking code over the fence Who Coded the cloud? Is it secure? How do I know? Pro s On cloud, could have version control & geographically dispersed units Pro s less internal resources / service licenses Many thought this was the first time this concept was introduced to them Providing data to next contract could be an issue; may not be held accountable

13 Discussion Point #5 Concluding Thoughts Complying with Government Standards Without a change in the way government agencies and industry are protecting themselves from the exploitation of software vulnerabilities, progress can't be made. Patching quicker and updating anti-virus and IDS/IPS signatures faster is not stemming the tide. The threat space moves too quickly. And, while no software will ever be perfectly secure, understanding the nature of software vulnerabilities across your entire portfolio of critical applications and how they contribute to enterprise security risk is crucial for protecting your organization.