Assuring Application Security: Deploying Code that Keeps Data Safe

Transcription

1 Assuring Application Security: Deploying Code that Keeps Data Safe

2 Assuring Application Security: Deploying Code that Keeps Data Safe 2 Introduction There s an app for that has become the mantra of users, developers, and IT alike. The explosion of applications whether homegrown, developed with outside teams, commercial off-the-shelf, or open source is clear. Just look at the icons populating phones, tablets, and computers everywhere. But all that code can bring new risks. Unprotected web applications that communicate with mobile apps, unencrypted login information flying around wi-fi hotspots, and consumer applications and games that try to gain access to corporate contact lists, data, and settings can lead to data leakage, compromised systems, and full-blown breaches. As such, developers, DevOps, and IT must ensure that the applications they create and run do not put the enterprise at risk. To put the urgency of the matter into perspective, just consider the financial consequences of cyber attacks. The Ponemon Institute 2014 Cost of Cyber Crime Study, based on survey of 257 organizations in six countries, found that attacks cost U.S. companies an average of $12.7 million in Any efforts that can be taken to harden apps during development, and better secure and test apps and their associated data during deployment and beyond, will return great value in cost avoidance. Meeting Today s New App Security Challenges Why do companies need to pay special attention to security when it comes to developing modern apps? The problem is that native and web-based applications intended for today s mobile workforce and customer base can introduce new risks. The best way to address these risks and minimize the chance of a breach, data leakage, or a system being compromised is to build security into the apps from the ground up, and to then repeatedly test the security of the app when it is in the field. Essentially, companies need to take today s cyber-risks into account at every stage of development, deployment, and usage. This can represent quite a challenge. New risks are increasingly complex and new threats are ever-more sophisticated than their predecessors of just a few years ago. Some of the common risks associated with new applications today include: Evolving Malware Threats: Malware aimed at mobile devices and backend servers continues to become more sophisticated, targeting data that can be used to commit fraud, identity theft, or compromise corporate systems. With many companies supporting bring-your-own-device (BYOD) policies and providing access to corporate applications and data via cloud services, a compromised mobile device or app can provide unfettered access to all forms of data. Unfortunately, malware designed to attack mobile devices is on the rise. With companies having less control over mobile devices, users have greater freedom to download and install any application whether or not it has been vetted for safety by IT. This is particularly troublesome because more and new types of data are being made accessible to mobile devices by corporations every day.

3 Assuring Application Security: Deploying Code that Keeps Data Safe 3 Systems Increasingly Exposed: When creating mobile applications, companies often expose systems that had not previously been accessible from outside of their networks. This introduces two potential problems. First, since the backend system had previously only been accessible internally through the corporate network, the security measures in place may not be as strong as required when access is opened up. Second, a common way to provide access to backend systems is via an API, which could interact with the backend system. If proper security steps are not enacted, a hacker might exploit an API for nefarious purposes. Insecure Data Storage: In trading off convenience for security, some apps automatically connect to their backend services without the need for the user to enter the credentials on a mobile device. In many cases, this is accomplished by storing user account information (username, password, address, geo-location data, etc.) in clear text. This is clearly a weakness that has the potential to be exploited by hackers. An example of this weakness in some commonly used apps was discovered early this year by security researcher Daniel Wood. A ComputerWorld article on his findings noted that the very widely used Starbucks payment app had been storing usernames, addresses, and passwords in clear text. If an app employs this approach, it exposes that account and the data associated with the app to risk. Additionally, since many people use the same username and password for all or many of their apps, a hacker who obtains the one app s credentials could then use them to log into other apps including corporate apps. This could provide a conduit to data and resources that should not be available to unauthorized users. Yet, the hacker using an employee s login credentials would go undetected appearing to have suitable access rights and privileges. Unintended Data Leakage: When an application processes sensitive information taken as input from the user or any other source that data may end up in an insecure location in the device. This insecure location could be accessible to other malicious apps running on the same device, thus exposing that data and the device to increased risk. The critical point to consider is that leaky apps have the potential to be exploited to gather incredible amounts of personal and corporate information. For example, an app might have permission and rights to access a user s contact list or a corporate database. Once that data is collected, the app might not have the same high levels of security measures in place as was the case before the data was acquired. So, data that seemed adequately protected on a backend server might be exposed by exploiting weaknesses in the app itself. Citizen Developers: Business units increasingly are trying to accelerate development times by handling the process themselves. While this might allow them to be more responsive to changing market conditions, it can introduce security problems. To that point, a rapidly developed app created by a citizen developer might not go through the normal testing and governance checks that a traditionally developed application would.

4 Assuring Application Security: Deploying Code that Keeps Data Safe 4 What s Needed? With these points in mind, companies need an application security testing solution that covers everything from the backend web applications to the mobile apps themselves. The solution must cover the development stage and offer testing after an application is put into use to monitor for potential problems. In particular, a solution must be capable of testing web applications for exploitable vulnerabilities, have the ability to analyze code, help manage the security and development management processes by coordinating efforts and enabling collaboration between the various stakeholders, and it must offer easy-to-use-and-deploy application security testing. These are all areas where HP Fortify can help. HP Fortify offers application security testing and management solutions, available on-premise or on-demand. The products within the solution line can help companies secure their software applications including legacy, mobile, third-party, and open source applications. The HP Fortify offerings included static application security testing and dynamic application security testing products, as well as products and services to support Software Security Assurance, or repeatable and auditable secure behaviors, over the course of a software application s life cycle. Furthermore, HP Fortify testing technologies are complemented with timely security intelligence from the HP Security Research team. The solutions include: HP Fortify Static Code Analyzer, which helps companies reduce security risks by building better software. In particular, HP Fortify Static Code Analyzer helps verify that software is trustworthy and allows companies to implement secure coding best practices. Static Code Analyzer scans source code, identifies root causes of software security vulnerabilities and correlates and prioritizes results giving line of code guidance for closing gaps in security. To verify that the most serious issues are addressed first, it correlates and prioritizes results to deliver an accurate, risk-ranked list of issues. The software reduces costs and increases IT productivity in several ways. It is easy to install, configure, and administer. It automatically monitors applications and collects data on attacks. And it requires no customization, training, or coding to use. All of these factors eliminate many manual chores that IT would ordinarily be required to carry out to protect against vulnerabilities. Additionally, the software s ease of use and automation features makes the chores that IT must still handle simpler and faster to complete. This means fewer IT staff hours are needed to manage security, reducing costs and freeing up IT staff to work on other projects. HP Fortify Software Security Center Server, which helps security and development teams collaborate to resolve security issues. With HP Fortify Software Security Center Server, security and development teams can quickly triage and fix vulnerabilities identified by HP static and dynamic analyzers. A collaborative web-based workspace and repository lets teams work together using role-specific interfaces. Detailed reference information, delivered to developers, describes problems, and gives detailed instructions for fixing them.

5 Assuring Application Security: Deploying Code that Keeps Data Safe 5 HP Fortify on Demand, a managed application security testing service in the cloud, enables any organization to quickly test the security of a few applications or launch a comprehensive security program without additional investment in on-premises software and personnel. HP Fortify on Demand is the right choice for organizations that need a flexible solution and do not have the resources (time, experience, or budget) to implement an application security program in-house. The HP Fortify solution is considered among the best on the market. In particular, HP Fortify is ranked as a leader in the 2014 Gartner Magic Quadrant for Application Security Testing (AST). To gain that level of recognition, a solution provider must demonstrate breadth and depth of AST products and services. Leaders must also provide organizations with AST-as-a-service delivery models for testing, or with a choice of a tool and AST-as-a-service, using a single management console and an enterprise-class reporting framework supporting multiple users, groups, and roles. In addition, leaders should provide capabilities for testing mobile applications. HP Fortify does all of this and more. HP Fortify can be deployed in-house, as a managed service or in a hybrid model taking advantage of the best of both worlds. This flexible delivery model allows security groups to get started quickly and scale in response to business changes while protecting their assets and investments in application security. For more information about HP Fortify and how it can help you secure your applications, visit hp.com/go/fortify