Application Security 101. A primer on Application Security best practices
Table of Contents

Introduction
Defining Application Security
Managing Risk
Weighing AppSec Technology Options
Penetration Testing
Automated Scanning: Static Analysis
Automated Scanning: Dynamic Analysis
Web Application Firewalls
Software Protection Technology
Vulnerability Management
Threat Intelligence
Governance, Risk & Compliance (GRC)
AppSec Consulting Services
AppSec Technology Recommendations
Conclusion
Learn More
Introduction

The business software ecosystem of today has evolved to the point where an organization's sensitive data is no longer safe without an Application Security program. Building a successful Application Security program begins with learning the discipline's fundamentals and understanding the different technologies and services available. Security teams that are educated in these areas will be able to make well-informed decisions about how to design and grow their Application Security programs. This paper gives security professionals who are new to the field the information and guidance they need to build an effective Application Security program for their enterprises.

Defining Application Security

The practice of Application Security, or AppSec for short, protects an organization's critical data from external threats by removing security vulnerabilities from the software used to run the business. Just as Quality Assurance (QA) is the operational solution to the problem of product quality, AppSec is the operational solution to the problem of software risk. Application Security helps identify, fix and prevent security vulnerabilities in any kind of software application, whatever its function, language or platform.

It is important to understand the concept of a software vulnerability. A software vulnerability is a programming error that produces unintended behavior in the application and lets a malicious actor bypass the security controls built into it. Once those controls are bypassed, the attacker can use the application as a gateway for stealing sensitive, protected or confidential data. A number of respected security research groups publish guidance on common insecure programming errors. The guidance classifies the different types of vulnerabilities and the level of software risk incurred when they are present in an application.
Two of the most well known are the CWE/SANS Top 25 and the OWASP Top 10.

As a best practice, AppSec programs employ proactive, preventative methods to manage software risk and align an organization's security investments with the reality of today's threats. AppSec programs have three distinct benefits:

1. Measurable reduction of risk in existing applications
2. Prevention of the introduction of new risks
3. Compliance with software security mandates

The severity and frequency of attacks on applications are growing rapidly, so the practice of AppSec is growing in importance. At the same time, AppSec as a discipline is becoming more complex as the variety of business software continues to proliferate. Here are some of the reasons why:
- Today's enterprise software comes from a variety of sources: in-house development teams, commercial vendors, outsourced solution providers and open source projects. The AppSec program must therefore encompass applications from all of these sources.
- Software developers have an endless choice of programming languages (Java, .NET, C++, Ruby, PHP and more), so AppSec technology must support a wide range of languages.
- Applications can be deployed across a myriad of platforms: installed to operate locally, on virtual servers and networks, accessed as a service in the cloud, or running on mobile devices. The AppSec program must therefore encompass all applications regardless of how they are deployed.

Each of these development and deployment options can introduce security vulnerabilities, so application security products must provide capabilities for managing risk across all of them. It is also important to understand that an effective software security strategy addresses both immediate and systemic risk.

Managing Risk

So, which applications are at risk of attack? Unfortunately, the risk is not limited to an organization's critical applications: all applications are at risk. The past few years have shown that attackers will target any application they can find, even ones that are not mission critical. Non-mission-critical applications are often less protected than critical ones, so attackers can more easily find exploitable vulnerabilities in them and use them to gain access to the company's network. Once inside the network, an attacker can run attacks targeting company data. Because even non-critical applications can serve as a gateway to sensitive data, organizations should begin their application security efforts by inventorying all the applications running on their network.
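The definition of a software vulnerability given above is easier to grasp with a concrete case. The following is an added example, not code from the paper: a login check whose programming error (concatenating user input into SQL text) lets an attacker bypass the password check entirely, shown beside the corrected version. The table, the user account and the payload are constructed for the example, and sha256 stands in for a proper password hash because the point is the query, not the hashing.

```python
# Added example (not from the Veracode paper): a login check vulnerable to
# SQL injection (CWE-89) beside the hardened version. Table, user and
# credentials are constructed here for illustration.
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory user table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    # sha256 is a stand-in; real code would use a slow password KDF.
    conn.execute(
        "INSERT INTO users VALUES (?, ?)",
        ("alice", hashlib.sha256(b"correct horse").hexdigest()),
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    """The programming error: user input is concatenated into the SQL text,
    so the input can change the query's structure, not just its values."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = (
        "SELECT 1 FROM users WHERE username = '" + username
        + "' AND pw_hash = '" + pw_hash + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_fixed(conn, username: str, password: str) -> bool:
    """The fix: bound parameters are always treated as data by the driver."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT 1 FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash),
    ).fetchone()
    return row is not None


# Payload: closes the string literal, makes the WHERE clause always true and
# comments out the password comparison. No valid password is needed.
INJECTION = "alice' OR '1'='1' -- "


def demo() -> dict:
    """Run both implementations against a legitimate login and the payload."""
    conn = make_db()
    return {
        "vuln_legit": login_vulnerable(conn, "alice", "correct horse"),
        "vuln_bypassed": login_vulnerable(conn, INJECTION, "wrong"),
        "fixed_legit": login_fixed(conn, "alice", "correct horse"),
        "fixed_bypassed": login_fixed(conn, INJECTION, "wrong"),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable function accepts the payload with a wrong password because the injected text rewrites the query; the fixed function rejects it because the same text is now just an (unknown) username. This is what "bypassing the security features built into the application" means in practice.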
Once all of an organization's applications have been accounted for, the organization can begin detecting and remediating vulnerabilities. Any organization can get started in application security; the key is to start at a comfortable, manageable level and scale the program over time. Organizations often start with automated techniques that quickly identify and assess all of their externally facing applications for the most common vulnerabilities. When a company is ready to build up its program, it can move on to more in-depth assessment methods that test for additional vulnerabilities. The Application Security market has reached sufficient maturity to allow organizations of all sizes to follow a well-established roadmap. Once an organization has found and assessed its vulnerabilities it can move on to:
- Following remediation procedures to prioritize and fix them
- Training developers on secure coding practices
- Leveraging ongoing threat intelligence to keep up to date
- Developing continuous methods to secure applications throughout the development lifecycle
- Instituting policies and procedures that instill good governance

Application security is an orderly process of reducing the risks associated with developing and running business-critical software. Properly managed, a good AppSec program will move an organization from a state of unmanaged risk and reactive security to effective, proactive risk mitigation.

Weighing Application Security Technology Options

When considering investment in an AppSec program, security professionals must balance people, process and technology to accomplish their strategic goals. In many companies this decision falls to the Chief Information Security Officer (CISO) or equivalent head of security. There are a myriad of products and services in the AppSec market, each with its own pros and cons. AppSec technologies are at different levels of maturity, and the deployment options available cover a wide range: from professional consulting to open source tools, from installed software to cloud-based services. Each organization must strive to optimize its own AppSec investments, aligned against the reality of today's security threats.

"Organizations have to find a way to test all applications quickly to manage risk from this exposed layer of their infrastructure. Leveraging automation to achieve scale and applying multiple testing techniques is the key to success." (Sam King, EVP of Corporate Development, in a press release)

Note: the AppSec products and services detailed below do not represent an exhaustive list of options. The list covers product categories with a substantive market and ecosystem, namely the categories found in industry analysts' taxonomies of the AppSec landscape.
Penetration Testing

Penetration testing manually evaluates the security of an application by running simulated attacks against it. The tester mimics the behavior of a malicious hacker by exploiting the software's potential vulnerabilities, in either a staging or a production environment. The tester provides a report that prioritizes discovered flaws by potential exploitability. Organizations pay per application tested, with total cost depending on the number of penetration tests required over time. Penetration testing services are mature and established in the security marketplace, so many organizations are familiar with them and are already using them. Because penetration testing is labor-intensive and expensive, many organizations choose to test only their most critical applications.
Automated Scanning

The last few years have witnessed an explosion in automated software testing products and services (also known as automated scanning). Two kinds of automated testing have become increasingly popular among distributed development teams: static and dynamic analysis. These techniques allow development teams to scale their testing regimens to cover the complete software portfolio, scanning more often and more affordably.

Automated Scanning: Static Analysis

Static analysis is a software testing technique that scrutinizes the code paths and data flows a program can execute without actually running the program. It does away with the need to build a potentially complex and expensive environment in order to analyze a program for many classes of quality and security defects, and it can be performed earlier in the development lifecycle because it does not require a fully functioning program or test data. A static analyzer encodes the methodology of expert security and quality code reviewers in software, approaching the depth of a manual code review with the consistency, repeatability and speed of automation. Because it reasons about the program rather than observing it, it can also report paths that are unreachable in the deployed configuration, so its findings need triage. Static analysis can be performed on either a program's source code or its binary executable; both contain the semantics and logic that define the software's functionality, and analyzing the binary covers third-party and compiled components for which no source is available.

Automated Scanning: Dynamic Analysis

Dynamic analysis is an easy-to-use and popular type of automated testing that is performed against a running instance of the application. Dynamic analysis treats the application as a black box: it tests only the interfaces that are accessible over the web. In a typical dynamic analysis, the website is crawled to discover accessible application interfaces, and the inputs and outputs of those interfaces are then tested for software vulnerabilities.
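To make the static analysis description above concrete, here is an added example (not code from the paper or from any product it mentions) of the core idea: follow data flow from an untrusted source to a dangerous sink by reading the program, without running it. It is a deliberately small taint analyzer over Python's own syntax tree. The sink names, the sanitizer names and the assumption that every function parameter is attacker-controlled are choices made for this example, as is the sample program it analyzes.

```python
# Added example (not from the paper): a minimal source-level static analyzer
# that follows data flow from function parameters to a SQL sink without
# running the program. Sink and sanitizer names are assumptions for the sample.
import ast

SINKS = {"execute", "executescript"}   # method calls treated as SQL sinks
SANITIZERS = {"int", "float"}          # calls whose result is treated as safe


def is_tainted(expr, tainted):
    """Does `expr` carry data derived from a name in `tainted`?"""
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.Call):
        if isinstance(expr.func, ast.Name) and expr.func.id in SANITIZERS:
            return False                                   # taint stops here
        via_receiver = (isinstance(expr.func, ast.Attribute)
                        and is_tainted(expr.func.value, tainted))
        return via_receiver or any(is_tainted(a, tainted) for a in expr.args)
    if isinstance(expr, ast.BinOp):                        # "..." + x, "%s" % x
        return is_tainted(expr.left, tainted) or is_tainted(expr.right, tainted)
    if isinstance(expr, ast.JoinedStr):                    # f"...{x}..."
        return any(is_tainted(v.value, tainted)
                   for v in expr.values if isinstance(v, ast.FormattedValue))
    if isinstance(expr, ast.Attribute):
        return is_tainted(expr.value, tainted)
    return False


class TaintAnalyzer(ast.NodeVisitor):
    """Per-function forward propagation over the statements in source order.
    Assumption: every parameter is attacker-controlled (a request handler)."""

    def __init__(self):
        self.findings = []   # (function, line, sink)

    def visit_FunctionDef(self, node):
        tainted = {a.arg for a in node.args.args}
        for stmt in node.body:
            # Any call to a sink whose first argument is tainted is a finding.
            for call in (n for n in ast.walk(stmt) if isinstance(n, ast.Call)):
                sink = isinstance(call.func, ast.Attribute) and call.func.attr in SINKS
                if sink and call.args and is_tainted(call.args[0], tainted):
                    self.findings.append((node.name, call.lineno, call.func.attr))
            # Assignments from tainted expressions spread the taint to new names.
            if isinstance(stmt, ast.Assign) and is_tainted(stmt.value, tainted):
                tainted |= {t.id for t in stmt.targets if isinstance(t, ast.Name)}
        self.generic_visit(node)


def analyze(source):
    """Return (function, line, sink) for each tainted value reaching a sink."""
    analyzer = TaintAnalyzer()
    analyzer.visit(ast.parse(source))
    return analyzer.findings


# Constructed program under test: two injectable queries, two safe ones.
SAMPLE = '''\
def find_user(db, username):
    query = "SELECT * FROM users WHERE name = '" + username + "'"
    return db.execute(query)

def find_user_safe(db, username):
    return db.execute("SELECT * FROM users WHERE name = ?", (username,))

def find_by_id(db, user_id):
    uid = int(user_id)
    return db.execute("SELECT * FROM users WHERE id = " + str(uid))

def greet(db, name):
    msg = f"Hello {name}"
    return db.execute("SELECT * FROM t WHERE greeting = '%s'" % msg)
'''

if __name__ == "__main__":
    for func, line, sink in analyze(SAMPLE):
        print(f"{func}: tainted data reaches {sink}() at line {line}")
```

Two things the example shows that the prose does not: the analyzer needs no database, no request and no running server, and its verdict depends on how well its model matches the code (a sanitizer it does not know about, or a flow through a data structure it does not track, becomes a false positive or a false negative). That is why static findings need triage and why tools compete on the breadth of their rules.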
Dynamic analysis can be used during development against a staging environment or against live production applications accessible from the company's URLs. These scanning techniques have become popular for assessing Software-as-a-Service (SaaS) and cloud-based solutions that deliver application capabilities through web URLs. Because a dynamic scanner sees only what it can reach, its coverage is limited to the interfaces the crawler discovers and the inputs it knows how to exercise; code that is never reached from the web is invisible to it.

Web Application Firewalls

A Web Application Firewall (WAF) is a software or hardware device that filters input to and output from a web server. WAFs block malicious input and unintentional data leaks to protect the web server and internal data. A WAF is often deployed as an explicit proxy or bridge in front of the web server, or as an out-of-band device that sniffs web traffic (which can detect attacks but cannot block them inline). WAF capabilities are often bundled with solutions for database monitoring, load balancing, application delivery and intrusion detection. This method of application protection is a boundary defense and takes a reactive approach: it shields a vulnerable application from known attack patterns rather than fixing the vulnerability, and a signature-based filter can be evaded by an attack it has no signature for.
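The following added example (not code from the paper) covers both of the preceding sections at once: a black-box scanner of the kind described under dynamic analysis, run against a small web application, and then run again with a signature-based WAF placed in front of that application. The target application, its link structure, the WAF signature list and the probe strings are all constructed for the example, and the scanner calls the application as a WSGI callable in-process instead of over HTTP so that it runs offline; a real scanner would be an HTTP client against a deployed instance.

```python
# Added example (not from the paper): a black-box scanner run against a
# constructed WSGI app, with and without a signature-based WAF in front.
import html
import io
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote_plus, urlencode, urlsplit, urlunsplit


def target_app(environ, start_response):
    """Constructed target: /search reflects q unescaped (XSS); /profile escapes."""
    path = environ.get("PATH_INFO", "/")
    params = parse_qs(environ.get("QUERY_STRING", ""))
    if path == "/":
        body = '<a href="/search?q=test">search</a> <a href="/profile?name=bob">profile</a>'
    elif path == "/search":
        body = "<p>Results for " + params.get("q", [""])[0] + "</p>"        # the bug
    elif path == "/profile":
        body = "<p>Hello " + html.escape(params.get("name", [""])[0]) + "</p>"
    else:
        start_response("404 Not Found", [("Content-Type", "text/html")])
        return [b"missing"]
    start_response("200 OK", [("Content-Type", "text/html")])
    return [body.encode()]


# Signature list a boundary filter might ship with (constructed, deliberately naive).
WAF_SIGNATURES = [re.compile(p, re.I) for p in (r"<script", r"<svg", r"onerror\s*=")]


def waf(app):
    """WSGI middleware standing in for an inline WAF: reject requests whose decoded
    query matches a known-bad signature; everything else reaches the app untouched."""
    def guarded(environ, start_response):
        query = unquote_plus(environ.get("QUERY_STRING", ""))
        if any(sig.search(query) for sig in WAF_SIGNATURES):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"blocked"]
        return app(environ, start_response)
    return guarded


class LinkExtractor(HTMLParser):
    """Collect href targets of <a> tags: the crawler's view of the application."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]


def fetch(app, url):
    """GET `url` by calling the WSGI app directly (stands in for HTTP on the wire)."""
    parts = urlsplit(url)
    status = []
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": parts.path or "/",
               "QUERY_STRING": parts.query, "wsgi.input": io.BytesIO(b"")}
    body = b"".join(app(environ, lambda s, h: status.append(s))).decode()
    return status[0], body


def scan(app, canary, start="/"):
    """Crawl from `start`, then send `canary` in every query parameter found and
    report parameters that reflect it verbatim (no output encoding)."""
    seen, queue, findings = set(), [start], []
    while queue:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        _, body = fetch(app, url)
        links = LinkExtractor()
        links.feed(body)
        queue += [l for l in links.links if l.startswith("/")]
        parts = urlsplit(url)
        for name in parse_qs(parts.query):
            probe = urlunsplit(parts._replace(query=urlencode({name: canary})))
            if canary in fetch(app, probe)[1]:
                findings.append((parts.path, name))
    return findings


# A scanner canary that trips the WAF, and an attacker variant that does not.
CANARY = "zq9<svg/onload=1>zq9"
VARIANT = "zq9<img src=x onload=1>zq9"   # no signature above matches this


def compare():
    """Same flaw, three views: the raw app, the WAF-fronted app with the scanner's
    canary (looks fixed), and the WAF-fronted app with an evasive payload."""
    return {
        "raw_app": scan(target_app, CANARY),
        "behind_waf": scan(waf(target_app), CANARY),
        "behind_waf_variant": scan(waf(target_app), VARIANT),
    }


if __name__ == "__main__":
    for view, found in compare().items():
        print(f"{view}: {found or 'nothing reflected'}")
```

The scanner never sees the source; it learns that /search is vulnerable and /profile is not purely by observing responses, which is the black-box property the text describes. The WAF run shows the caveat from the WAF section: with the filter in place the scanner reports nothing, yet the vulnerability is still there and a payload outside the signature list reaches it. When a dynamic scan is run through a WAF, either exempt the scanner from the filter or treat a clean result as a statement about the WAF, not the application.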
Software Protection Technology

These technologies deliver security features that help protect software intellectual property (IP) from piracy, make tampering more difficult, and protect code and cryptographic keys from attacks such as malware insertion. Software obfuscation makes IP theft more difficult by obscuring software logic and algorithms, and license checking enforces valid software licenses to prevent revenue loss. These protections are applied to the built application, so the source code itself is not modified. They raise the cost of reverse engineering and tampering; they do not remove vulnerabilities present in the code.

Vulnerability Management

Once software vulnerabilities have been found and reported by a testing method, they need to be fixed. Vulnerability management systems help software developers track flaws, drive remediation and verify that fixes are in place. They integrate with the team's development environment, tools and programming languages to support application security throughout the software lifecycle. The better solutions provide a shared workspace with role-specific project management and a robust knowledge base. Fixing vulnerabilities in all deployed applications should be treated as a mission-critical step in defending intellectual property, protecting customer privacy and meeting regulatory compliance obligations. When rigorously practiced, vulnerability management improves the security posture of an organization's entire software portfolio.

Threat Intelligence

New software vulnerabilities continue to emerge because attackers innovate at a near constant rate. Without an ongoing threat intelligence capability, enterprises risk falling behind and leaving their businesses exposed to new kinds of attacks. This intelligence should include research on the latest threat trends and techniques employed by hackers, organized criminals, rogue governments and other adversaries. Typically these systems categorize vulnerabilities by language or platform and automatically update remediation knowledge bases.
Governance, Risk & Compliance (GRC)

A plethora of industry mandates and government regulations compel the protection of sensitive or confidential data such as personally identifiable information. GRC solutions abound in the wider corporate risk management and regulatory compliance marketplace, and offerings from the more advanced Application Security vendors often add policy management functions. Capabilities include risk-based application portfolio management, policy enforcement, audit tracking and certification, history and trend analysis, dashboards and reporting. GRC products can help larger organizations with thousands of development projects, as well as companies in highly regulated industries, better manage their enterprise AppSec programs.

Application Security Consulting Services

Many AppSec programs benefit from professional consultants who augment an organization's internal security expertise. Expert consultants typically focus on manual code reviews and penetration tests, developer training programs, security architecture reviews and threat modeling. In addition to independent consulting firms, many AppSec solution vendors offer consulting services to ensure customer success with their technologies. Engagement models range from one-time test regimens to long-term strategic relationships that can cost millions of dollars per year.

Application Security Technology Recommendations

Unfortunately, there is no single AppSec cure-all. No single solution can protect an organization's full range of applications from the full range of risks in today's environment. Since every technique has its own strengths and weaknesses, mature AppSec programs should employ multiple analysis techniques to improve vulnerability coverage. Well-equipped programs use static analysis, dynamic analysis and penetration testing together; the combination provides the greatest vulnerability coverage. If an organization is limited to one technique, static analysis is the strongest choice, because it is easy to run and gives the deepest code coverage.

[Chart comparing the tradeoffs between static analysis, dynamic analysis and manual penetration testing; not reproduced in this transcription.]

In addition to static, dynamic and manual testing, an effective Application Security program relies on the organization's ability to define and enforce policies that drive effective vulnerability remediation. Timely and cost-effective remediation often calls for developer training, additional resources and/or third-party services. Implementing these capabilities better prepares an organization for sustained application security.
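The two points made above, that the techniques find different things and that remediation has to be driven by enforced policy, are what a vulnerability management step (described earlier under Vulnerability Management) turns into routine. The following added example, not code from the paper or from any vendor it names, shows the mechanics: findings reported by static analysis, dynamic analysis and a penetration test are correlated into one record per weakness, the coverage each technique contributed on its own is counted, and a remediation SLA per severity is enforced against the result. Every finding, date and SLA value is constructed for the example, and correlating on (application, CWE) is a simplification that the comment calls out.

```python
# Added example (not from the paper): merge findings from three techniques into
# one record per weakness, then apply a remediation-SLA policy to the result.
# All findings, dates and SLA values are constructed for illustration.
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
SLA_DAYS = {"low": 180, "medium": 90, "high": 30, "critical": 7}   # assumed policy

# Constructed findings as static analysis, dynamic analysis and a pentest might
# report them. Note that locations differ per technique (method vs URL).
FINDINGS = [
    {"tool": "static",  "app": "billing", "cwe": "CWE-89",  "where": "UserDao.find",   "severity": "high",     "found": date(2013, 1, 5)},
    {"tool": "dynamic", "app": "billing", "cwe": "CWE-89",  "where": "/users?name",    "severity": "high",     "found": date(2013, 1, 20)},
    {"tool": "pentest", "app": "billing", "cwe": "CWE-89",  "where": "/users?name",    "severity": "critical", "found": date(2013, 2, 1)},
    {"tool": "static",  "app": "billing", "cwe": "CWE-798", "where": "Config.java:41", "severity": "medium",   "found": date(2013, 1, 5)},
    {"tool": "dynamic", "app": "portal",  "cwe": "CWE-79",  "where": "/search?q",      "severity": "medium",   "found": date(2013, 2, 10)},
    {"tool": "pentest", "app": "portal",  "cwe": "CWE-639", "where": "/invoice/{id}",  "severity": "high",     "found": date(2013, 2, 12)},
]


def merge(findings):
    """Correlate by (app, CWE): keep the earliest sighting, the highest severity,
    and every technique and location that reported it. (Assumption: one CWE per
    app is one weakness; real correlation needs finer-grained keys.)"""
    merged = {}
    for f in findings:
        key = (f["app"], f["cwe"])
        rec = merged.setdefault(key, {"severity": "low", "found": f["found"],
                                      "tools": set(), "where": set()})
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[rec["severity"]]:
            rec["severity"] = f["severity"]
        rec["found"] = min(rec["found"], f["found"])   # SLA clock starts at first sighting
        rec["tools"].add(f["tool"])
        rec["where"].add(f["where"])
    return merged


def unique_to_technique(merged):
    """How many weaknesses only one technique reported: the coverage argument."""
    counts = {}
    for rec in merged.values():
        if len(rec["tools"]) == 1:
            (tool,) = rec["tools"]
            counts[tool] = counts.get(tool, 0) + 1
    return counts


def policy_violations(merged, today):
    """Weaknesses open longer than their severity's SLA as of `today`."""
    violations = []
    for key, rec in merged.items():
        age = (today - rec["found"]).days
        if age > SLA_DAYS[rec["severity"]]:
            violations.append((key, rec["severity"], age))
    return sorted(violations)


def report(as_of="2013-03-01"):
    """Everything a policy gate would act on, for the constructed findings."""
    merged = merge(FINDINGS)
    return {"weaknesses": len(merged),
            "unique": unique_to_technique(merged),
            "violations": policy_violations(merged, date.fromisoformat(as_of))}


if __name__ == "__main__":
    out = report()
    print("unique per technique:", out["unique"])
    for (app, cwe), sev, age in out["violations"]:
        print(f"POLICY FAIL {app} {cwe}: {sev} open {age} days")
```

On the constructed data, three of the four weaknesses were reported by exactly one technique each, which is the coverage case for running all three; the fourth (the billing SQL injection) was seen by all three, was first reported by the static scan, and is the one the policy flags because its clock started at the earliest sighting rather than at the pentest that upgraded its severity. A gate like this is what turns "define and enforce policies" into something a build or release step can actually check.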
Conclusion

The goal of an Application Security (AppSec) program is to protect an organization's critical data from external threats by ensuring the security of all the software used to run the business. When undertaken correctly, an AppSec program takes a systematic approach to protecting the organization's software applications. As an organization's experience with AppSec evolves, the practice should become routine and have a positive impact on its software development, procurement and acceptance processes. Throughout this evolution, security teams learn to anticipate specific attacks, understand their impact, and define countermeasures in advance. Software developers should be trained and certified in secure development techniques so that they produce more secure code with fewer vulnerabilities. Today's governance, risk and compliance (GRC) mandates should inform the creation of AppSec policies, and AppSec test results should be incorporated into GRC reporting. The key to managing software risk sustainably lies in the organization's ability to enforce AppSec policies and procedures across the enterprise while scaling its AppSec program to keep up with evolving threats.

Learn More

- Webinar on Application Security Fundamentals: ChrisWysopal_webinarApplicationSecurityFundamentals.html
- Datasheet on Veracode Program Management Services
- Whitepaper on Policy-Driven Software Security
- Datasheet on Veracode Dynamic MP
- Webinar on Avoiding Security Spend Pitfalls featuring Wendy Nather, 451 Research
About Veracode

Veracode, Inc. All rights reserved.

Veracode is the only independent provider of cloud-based application intelligence and security verification services. The Veracode platform provides the fastest, most comprehensive solution to improve the security of internally developed, purchased or outsourced software applications and third-party components. By combining patented static, dynamic and manual testing, extensive eLearning capabilities and advanced application analytics, Veracode enables scalable, policy-driven application risk management programs that help identify and eradicate vulnerabilities, using technologies ranging from vulnerability scanning to penetration testing and static code analysis. Veracode delivers unbiased proof of application security to stakeholders across the software supply chain while supporting independent audit and compliance requirements for all applications, however they are deployed: on the web, on mobile devices or in the cloud. Veracode works with global organizations across multiple vertical industries including Barclays PLC, California Public Employees' Retirement System (CalPERS), Computershare and the Federal Aviation Administration (FAA). For more information, visit the Veracode website, follow Veracode on social media, or read the Veracode Blog.
IT Security & Compliance. On Time. On Budget. On Demand.
IT Security & Compliance On Time. On Budget. On Demand. IT Security & Compliance Delivered as a Service For businesses today, managing IT security risk and meeting compliance requirements is paramount
Security Assessment of Waratek AppSecurity for Java. Executive Summary
Security Assessment of Waratek AppSecurity for Java Executive Summary ExecutiveSummary Security Assessment of Waratek AppSecurity for Java! Introduction! Between September and November 2014 BCC Risk Advisory
Breaking down silos of protection: An integrated approach to managing application security
IBM Software Thought Leadership White Paper October 2013 Breaking down silos of protection: An integrated approach to managing application security Protect your enterprise from the growing volume and velocity
Be Fast, but be Secure a New Approach to Application Security July 23, 2015
Be Fast, but be Secure a New Approach to Application Security July 23, 2015 Copyright 2015 Vivit Worldwide Copyright 2015 Vivit Worldwide Brought to you by Copyright 2015 Vivit Worldwide Hosted by Paul
SAST, DAST and Vulnerability Assessments, 1+1+1 = 4
SAST, DAST and Vulnerability Assessments, 1+1+1 = 4 Gordon MacKay Digital Defense, Inc. Chris Wysopal Veracode Session ID: Session Classification: ASEC-W25 Intermediate AGENDA Risk Management Challenges
Safeguarding the cloud with IBM Dynamic Cloud Security
Safeguarding the cloud with IBM Dynamic Cloud Security Maintain visibility and control with proven security solutions for public, private and hybrid clouds Highlights Extend enterprise-class security from
Mike Smart Cyber Strategist & Enterprise Security Solutions, EMEA. Cyber: The Catalyst to Transform the Security Program
Cyber: The Catalyst to Transform the Security Program Mike Smart Cyber Strategist & Enterprise Security Solutions, EMEA A Common Language? Hyper Connected World Rapid IT Evolution Agile Targeted Threat
WHAT ARE THE BENEFITS OF OUTSOURCING NETWORK SECURITY?
WHAT ARE THE BENEFITS OF OUTSOURCING NETWORK SECURITY? Contents Introduction.... 3 What Types of Network Security Services are Available?... 4 Penetration Testing and Vulnerability Assessment... 4 Cyber
CloudCheck Compliance Certification Program
CloudCheck Compliance Certification Program Ensure Your Cloud Computing Environment is Secure with CloudCheck Certification Organizations today are increasingly relying on a combination of private and/or
Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.
Experience the commitment WHITE PAPER Information Security Continuous Monitoring Charting the Right Course May 2014 cgi.com 2014 CGI GROUP INC. During the last few months of 2013, six federal agencies
Certified Identity and Access Manager (CIAM) Overview & Curriculum
Identity and access management (IAM) is the most important discipline of the information security field. It is the foundation of any information security program and one of the information security management
Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection
White Paper: Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection Prepared by: Northrop Grumman Corporation Information Systems Sector Cyber Solutions Division
case study Core Security Technologies Summary Introductory Overview ORGANIZATION: PROJECT NAME:
The Computerworld Honors Program Summary developed the first comprehensive penetration testing product for accurately identifying and exploiting specific network vulnerabilities. Until recently, organizations
Extreme Networks Security Analytics G2 Vulnerability Manager
DATA SHEET Extreme Networks Security Analytics G2 Vulnerability Manager Improve security and compliance by prioritizing security gaps for resolution HIGHLIGHTS Help prevent security breaches by discovering
Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services
Managing Vulnerabilities for PCI Compliance White Paper Christopher S. Harper Managing Director, Agio Security Services PCI STRATEGY Settling on a PCI vulnerability management strategy is sometimes a difficult
IBM Security QRadar Vulnerability Manager
IBM Security QRadar Vulnerability Manager Improve security and compliance by prioritizing security gaps for resolution Highlights Help prevent security breaches by discovering and highlighting high-risk
KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com
KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES www.kaspersky.com EXPERT SERVICES Expert Services from Kaspersky Lab are exactly that the services of our in-house experts, many of them global
Assuring Application Security: Deploying Code that Keeps Data Safe
Assuring Application Security: Deploying Code that Keeps Data Safe Assuring Application Security: Deploying Code that Keeps Data Safe 2 Introduction There s an app for that has become the mantra of users,
Fighting Advanced Threats
Fighting Advanced Threats With FortiOS 5 Introduction In recent years, cybercriminals have repeatedly demonstrated the ability to circumvent network security and cause significant damages to enterprises.
FREQUENTLY ASKED QUESTIONS
FREQUENTLY ASKED QUESTIONS Continuous Monitoring 1. What is continuous monitoring? Continuous monitoring is one of six steps in the Risk Management Framework (RMF) described in NIST Special Publication
Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst
ESG Brief Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst Abstract: APTs first came on the scene in 2010, creating a wave
IBM Rational AppScan: Application security and risk management
IBM Software Security November 2011 IBM Rational AppScan: Application security and risk management Identify, prioritize, track and remediate critical security vulnerabilities and compliance demands 2 IBM
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities Learning Objectives Name the common categories of vulnerabilities Discuss common system
Attack Intelligence: Why It Matters
Attack Intelligence: Why It Matters WHITE PAPER Core Security +1 617.399-6980 [email protected] www.coresecurity.com A Proactive Strategy Attacks against your organization are more prevalent than ever,
ADDING NETWORK INTELLIGENCE TO VULNERABILITY MANAGEMENT
ADDING NETWORK INTELLIGENCE INTRODUCTION Vulnerability management is crucial to network security. Not only are known vulnerabilities propagating dramatically, but so is their severity and complexity. Organizations
Six Essential Elements of Web Application Security. Cost Effective Strategies for Defending Your Business
6 Six Essential Elements of Web Application Security Cost Effective Strategies for Defending Your Business An Introduction to Defending Your Business Against Today s Most Common Cyber Attacks When web
Session 9: Changing Paradigms and Challenges Tools for Space Systems Cyber Situational Awareness
Session 9: Changing Paradigms and Challenges Tools for Space Systems Cyber Situational Awareness Wayne A. Wheeler The Aerospace Corporation GSAW 2015, Los Angeles, CA, March 2015 Agenda Emerging cyber
BlackRidge Technology Transport Access Control: Overview
2011 BlackRidge Technology Transport Access Control: Overview 1 Introduction Enterprises and government agencies are under repeated cyber attack. Attacks range in scope from distributed denial of service
Global IT Security Risks
Global IT Security Risks June 17, 2011 Kaspersky Lab leverages the leading expertise in IT security risks, malware and vulnerabilities to protect its customers in the best possible way. To ensure the most
Staying Ahead of the Hacker Curve Turn-key Web Application Security Solution
White Paper and Cenzic Staying Ahead of the Hacker Curve Turn-key Web Application Security Solution Website Testing / Vulnerability Scanning (Cenzic) & Web Application Firewall (Citrix) www.citrix.com
Mean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP
Mean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP Presentation Overview Basic Application Security (AppSec) Fundamentals Risks Associated With
BEST PRACTICES RESEARCH
2013 Frost & Sullivan 1 We Accelerate Growth Market Leadership Award Vulnerability Management Global, 2013 Frost & Sullivan s Global Research Platform Frost & Sullivan is in its 50th year of business with
REVOLUTIONIZING ADVANCED THREAT PROTECTION
REVOLUTIONIZING ADVANCED THREAT PROTECTION A NEW, MODERN APPROACH Blue Coat Advanced Threat Protection Group GRANT ASPLUND Senior Technology Evangelist 1 WHY DO I STAND ON MY DESK? "...I stand upon my
FIVE PRACTICAL STEPS
WHITEPAPER FIVE PRACTICAL STEPS To Protecting Your Organization Against Breach How Security Intelligence & Reducing Information Risk Play Strategic Roles in Driving Your Business CEOs, CIOs, CTOs, AND
Vulnerability Risk Management 2.0. Best Practices for Managing Risk in the New Digital War
Vulnerability Risk Management 2.0 Best Practices for Managing Risk in the New Digital War In 2015, 17 new security vulnerabilities are identified every day. One nearly every 90 minutes. This consistent
