Now Is the Time for Security at the Application Level



Similar documents
Key Issues for Identity and Access Management, 2008

The Current State of Agile Method Adoption

Responsible Vulnerability Disclosure: Guidance for Researchers, Vendors and End Users

Key Issues for Data Management and Integration, 2006

IT Operational Considerations for Cloud Computing

Organizations Must Employ Effective Data Security Strategies

Eight Critical Forces Shape Enterprise Data Center Strategies

Cost Optimization: Three Steps to Saving Money on Maintenance and Support for Network Security Products

Knowledge Management and Enterprise Information Management Are Both Disciplines for Exploiting Information Assets

Understanding Vulnerability Management Life Cycle Functions

Toolkit: Reduce Dependence on Desk-Side Support Technicians

2010 FEI Technology Study: CPM and BI Show Improvement From 2009

CDOs Should Use IT Governance and Risk Compliance Management to Advance Compliance

Research Agenda and Key Issues for Converged Infrastructure, 2006

The Five Competencies of MRM 'Re-' Defined

Real-Time Decisions Need Corporate Performance Management

Successful EA Change Management Requires Five Key Elements

IT asset management (ITAM) will proliferate in midsize and large companies.

Overcoming the Gap Between Business Intelligence and Decision Support

Q&A: The Many Aspects of Private Cloud Computing

The What, Why and When of Cloud Computing

The Hype Around an Integrated Talent Management Suite Outpaces Customer Adoption

Backup and Disaster Recovery Modernization Is No Longer a Luxury, but a Business Necessity

When to Use Custom, Proprietary, Open-Source or Community Source Software in the Cloud

Gartner Clarifies the Definition of the Term 'Enterprise Architecture'

For cloud services to deliver their promised value, they must be underpinned by effective and efficient processes.

Deliver Process-Driven Business Intelligence With a Balanced BI Platform

Cloud IaaS: Service-Level Agreements

The Value of Integrating Configuration Management Databases With Enterprise Architecture Tools

Critical Privacy Questions to Ask an HCM/CRM SaaS Provider

Business Intelligence Focus Shifts From Tactical to Strategic

Integrated Marketing Management Aligns Executional, Operational and Analytical Processes in a Closed-Loop Process

Make the maturity model part of the effort to educate senior management, so they understand the phases of the EIM journey.

Vendor Focus for IBM Global Services: Consulting Services for Cloud Computing

Gartner Defines Enterprise Information Architecture

NGFWs will be most effective when working in conjunction with other layers of security controls.

Government 2.0 is both citizen-driven and employee-centric, and is both transformational and evolutionary.

Managing IT Risks During Cost-Cutting Periods

The IT Service Desk Market Is Ready for SaaS

Data in the Cloud: The Changing Nature of Managing Data Delivery

Discovering the Value of Unified Communications

Risk Intelligence: Applying KM to Information Risk Management

Iron Mountain's acquisition of Mimosa Systems addresses concerns from prospective customers who had questions about Mimosa's long-term viability.

Tactical Guideline: Minimizing Risk in Hosting Relationships

Case Study: New South Wales State Department of Education Adopts Gmail for 1.2 Million Students

The Seven Building Blocks of MDM: A Framework for Success

BEA Customers Should Seek Contractual Protections Before Acquisition by Oracle

Best Practices for Confirming Software Inventories in Software Asset Management

The EA process and an ITG process should be closely linked, and both efforts should leverage the work and results of the other.

IT Architecture Is Not Enterprise Architecture

Assessing the Security Risks of Cloud Computing

Business Intelligence Platform Usage and Quality Dynamics, 2008

How to Develop an Effective Vulnerability Management Process

2009 FEI Technology Study: CPM and BI Pose Challenges and Opportunities

Private Cloud Computing: An Essential Overview

Microsoft's Cloud Vision Reaches for the Stars but Is Grounded in Reality

X.509 Certificate Management: Avoiding Downtime and Brand Damage

2010 Gartner FEI Technology Study: Planned Shared Services and Outsourcing to Increase

Research. Mastering Master Data Management

Key Issues for Business Intelligence and Performance Management Initiatives, 2008

The Role of Enterprise Architecture in Technology Research

Transactional HR self-service applications typically get implemented first because they typically automate manual, error-prone processes.

Clients That Don't Segment Their Network Infrastructure Will Have Higher Costs and Increased Vendor Lock-in

Establishing a Strategy for Database Security Is No Longer Optional

Governance Is an Essential Building Block for Enterprise Information Management

Global Talent Management Isn't Just Global

Cloud IaaS: Security Considerations

Cloud, SaaS, Hosting and Other Off-Premises Computing Models

Roundup of Business Intelligence and Information Management Research, 1Q08

Document the IT Service Portfolio Before Creating the IT Service Catalog

Repurposing Old PCs as Thin Clients as a Way to Save Money

Consider Identity and Access Management as a Process, Not a Technology

Gartner's Business Intelligence and Performance Management Framework

An outline of the five critical components of a CRM vision and how they contribute to an enterprise's CRM success

Gartner Updates Its Definition of IT Infrastructure Utility

Emerging PC Life Cycle Configuration Management Vendors

How Eneco's Enterprisewide BI and Performance Management Initiative Delivered Significant Business Benefits

Security and Identity Management Auditing Converge

IAM can utilize SIEM event data to drive user and role life cycle management and automate remediation of exception conditions.

Modify Your Storage Backup Plan to Improve Data Management and Reduce Cost

What to Consider When Designing Next-Generation Data Centers

Singapore Empowers Land Transport Planners With Data Warehouse

Transcription:

Research Publication Date: 1 December 2005 ID Number: G00127407 Now Is the Time for Security at the Application Level Theresa Lanowitz Applications must be available, useful, reliable, scalable and, now more than ever, secure. Therefore, build security directly into the application life cycle to reduce costs and significantly increase application security. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.

WHAT YOU NEED TO KNOW Managers of application development and testing organizations must be willing to identify security specialists on their staffs and invest in training, education and processes for their respective teams. They must work with traditional security teams on the operations side to understand what AD and testing can do to alleviate security risks. At this early stage, managers should work with technology providers to understand the needs and requirements for building security into the application, and making security part of the entire life cycle approach. Managers also must assess the AD and testing organizations to determine whether security is strategic or viewed as an afterthought. STRATEGIC PLANNING ASSUMPTION(S) By 2009, 80 percent of companies will have suffered an application security incident, and, as a result, will react by creating roles in the AD and testing organizations to ensure that security is handled at the application level (0.7 probability). ANALYSIS Today's successful businesses know no boundaries and work seamlessly with customers, systems integrators, virtual teams, offshore providers and trusted partners worldwide. Although firewalls and other security tools can curb most network penetrations, application-specific security tools can only offer limited protection for flawed applications. Reducing software flaws and improving security features (such as authentication) are the most-powerful tools to protect enterprise applications. Application development (AD) and testing organizations must be proficient in creating, modifying, maintaining and testing applications to deliver security as well as features and functionality. Security at the application level is a nascent area in which developers are poorly trained; however, technology providers are gearing up to assist businesses with the necessary skill growth. What is application security? Application security involves developers creating secure source code to prevent the inclusion of a potential security vulnerability, and involves test groups conducting vulnerability testing, application scanning and penetration testing to validate. Some of the most-common problems with source code that increase the risk of a security vulnerability include: Buffer overflows Error handling Command injection Unnecessary code Malicious code Broken threads Invalidated parameters Cross-site scripting Publication Date: 1 December 2005/ID Number: G00127407 Page 2 of 8

Caching, pooling and reuse errors Application security focuses on three elements: Reducing security vulnerabilities and risks Improving security features and functions such as authentication, encryption or auditing Integrating with the enterprise security infrastructure Although security represents many things to many people, the application has been primarily focused on features and functionality, and the market drivers are primarily time to market and cost. Security is another facet of quality and like quality, security must be built into the application, not tested at the end of the development cycle. By 2009, 80 percent of companies will have suffered an application security incident, and, as a result, will react by creating roles in the AD and testing organizations to ensure that security is handled at the application level (0.7 probability). Businesses have always been under threat of reliability and security events due to vulnerable source code. Although application outages are an unwelcome but inevitable event, an application outage caused by or coupled with a security violation is far more disastrous because of the loss of information, the difficulty in system recovery, lost productivity and so on. Part of the plan in building secure software is to make security part of the unified and comprehensive application life cycle. Having security at the start is crucial. Without skilled and trained professionals in the AD and testing groups, businesses won't build in security from the start and, as a result, security incidents will be far more likely. The "last mile" in terms of security is the application. The best network, host and data security can't effectively protect a weak application. Security must be considered first in the application. This translates to planning for security in the application life cycle (see Figure 1). AD and testing (process and application quality) organizations should heed the following action items: Develop a security strategy for AD and testing groups. Mandate security training for AD and testing staffs. Include security reviews in the development process as a codified set of behaviors. Perform a security review with the security team before development begins (that is, include the security team as a project stakeholder). Build security into project requirements (business and technical). Conduct security testing during development and use commercial tools (see "Stay Ahead of Changing Software Vulnerabilities"). Require sign-off from the security team, just as you would from any other project stakeholder, before application deployment. Publication Date: 1 December 2005/ID Number: G00127407 Page 3 of 8

Figure 1. Security 101 Security is many things to many people! Network Layer! ID Theft! Physical! Administrative! Patches! Infrastructure! Denial-of-Service Attacks! Hacks! Worms and Viruses! Terrorism (Cyber or Physical) Network Application Database Server Web Server Application Server Operating System 75 percent of hacks occur at the application level Source: Gartner (November 2005) Application Security in AD and Testing Teams AD and testing organizations are responsible for building applications, and they must understand and implement security for the entire application. Whether it's source code or an executable file, AD and testing organizations must identify where security defects or vulnerabilities are in the application. It's been predicted that AD organizations would become extraneous due to outsourcing, the decreasing need to develop custom applications and the lack of technical capabilities. Those predictions have proved false, however, because AD and testing organizations provide significant value to how a business is run. Companies plan to ensure that events resulting from security incidents with applications never occur, and the AD and testing organizations will turn those plans into reality. AD organizations are still building and maintaining code. Testing organizations are still responsible for process quality and application quality for custom code and packaged applications. AD and testing organizations, whether internal or outsourced, are essential to ensure that software is developed efficiently, effectively and securely. Security is a new skill that AD and testing organizations must take on immediately. Training for security at the application level will happen on the job. However, few security professionals are proficient in the nuances of development, and few development professionals are proficient in the area of security. AD and testing organizations should invest in outside assistance to meet their application security needs. Outside consulting companies such as Cigital and Security Innovation are examples of professional service providers that have proficiency in the area of application security. Prior to contracting with a professional service provider, AD and testing organizations should obtain references from similar customers, detail the scope of work and understand exactly what deliverables are expected. Professional service providers are likely to already have the much-needed security skills. If the AD and testing organization considers application security to be a strategic investment, then it should also invest in adequately training its AD and testing staffs. Combining on-the-job employee training with professional service providers is a Publication Date: 1 December 2005/ID Number: G00127407 Page 4 of 8

reasonable way to achieve knowledge transfer. Today, fewer than 5 percent of IT organizations are actively working on application security (see Figure 2). Figure 2. Application Security Adoption Percentage of IT Organizations 60% 50 40 30 20 50 45 10 0 5 Active Investigating Nothing Phases of Commitment Source: Gartner (November 2005) (As of July 2005, based on 1,000 responses) The application has always been a known security threat, but historically it hasn't received the attention required. In today's IT organization, new issues such as compliance, regulations, risk management and ever-changing priorities are increasing the focus on application security. The boundaries between AD and operations, where security has primarily been a factor, must be shattered. Information, plans and requirements regarding security must begin at the application level. Within AD and testing organizations, new roles with improved security skills will emerge. The application life cycle plays a significant role; it takes the emphasis away from AD (code creation) and places it squarely in the requirements phase. Improving security at the application level starts with the requirements phase. Teams can use popular business "storyboarding" products to build requirements for security, thereby demanding the creation of a test for that particular security requirement. The line of business that establishes the requirements must understand the consequences of failing to address security in the business requirements phase. The ideal scenario would be a consistent set of requirements across most projects, with increased levels of security in special cases. A process must also be built into the life cycle to establish requirements, test compliance and modify the base as new threats, tools or techniques become available (see Figure 3). Publication Date: 1 December 2005/ID Number: G00127407 Page 5 of 8

Figure 3. A New Level of Awareness CIO Dev. VP QA VP Application Architect Application Security Architect Dev. Mgmt. QA Developers Test Security Functional Load System Source: Gartner (November 2005) Today, developers are focused on building the right things at the right time for their customers. Organizations with a mature line of business will demand security from their applications. For the most part, testing is viewed as something conducted (if time permits) at the end of the development cycle. Because of the focus on time to market and doing more with less, primary test efforts have largely been focused on verifying functionality, not proactively investigating the potential effects of security defects. Tools, although not a panacea, have been focused on automation and productivity, not proactive analysis to prevent security incidents. Testing groups must be aware that security testing should focus on high-fidelity (low false-alarm rate) tests. Approximately 20 percent of application security testing tool rules will find 80 percent of errors with low false-alarm rates. Going beyond that level will cause false positives that will frustrate developers, waste expensive development time and generally result in less security, not more. As the U.S. National Institute of Standards and Technology demonstrated in its May 2002 study, "The Economic Impacts of Inadequate Infrastructure for Software Testing," removing a software defect after a system is operational can cost two to five times more than if the defect was fixed during the final testing phase. This study emphasized that removing those defects during code and unit tests can reduce the cost impact by an additional factor of three to 20. Although defects ideally should be removed as early as the requirements analysis and architectural design phase, Gartner estimates that if 50 percent of software vulnerabilities were removed prior to production use for purchased and internally developed software, then enterprise configuration management costs and incident response costs would be reduced by 75 percent each. The cost of fixing vulnerabilities and regression-testing the repaired code can be reduced by a factor of at least three by detecting security errors during code and unit tests, compared with finding errors during integration tests. Detecting commonly made coding errors during this phase Publication Date: 1 December 2005/ID Number: G00127407 Page 6 of 8

can also provide feedback to other modules that are still in the design and early-coding phases, so they can avoid repeating the same mistakes. Throughout the application quality life cycle, risk is continuously assessed. Risk assessment is gaining information about security, performance, application metrics, service-level agreements and more, and turning that information into knowledge. The knowledge gained from ongoing risk analysis becomes the power to understand the application, to identify security vulnerabilities, to understand when an application will begin to degrade, and to stop an application from going into production (see Figure 4). Figure 4. Security in the Application Life Cycle Design Build cases for business logic tests. Develop Inspect and analyze code for security flaws. Enforce secure coding standards and rules. Deploy Monitor, manage and defend missioncritical apps. and business logic. Test Simulate real world: Attacks Data privacy Source: Gartner (November 2005) Manage Manage software security policies. Publication Date: 1 December 2005/ID Number: G00127407 Page 7 of 8

REGIONAL HEADQUARTERS Corporate Headquarters 56 Top Gallant Road Stamford, CT 06902-7700 U.S.A. +1 203 964 0096 European Headquarters Tamesis The Glanty Egham Surrey, TW20 9AW UNITED KINGDOM +44 1784 431611 Asia/Pacific Headquarters Gartner Australasia Pty. Ltd. Level 9, 141 Walker Street North Sydney New South Wales 2060 AUSTRALIA +61 2 9459 4600 Japan Headquarters Gartner Japan Ltd. Aobadai Hills, 6F 7-7, Aobadai, 4-chome Meguro-ku, Tokyo 153-0042 JAPAN +81 3 3481 3670 Latin America Headquarters Gartner do Brazil Av. das Nações Unidas, 12551 9 andar World Trade Center 04578-903 São Paulo SP BRAZIL +55 11 3443 1509 Publication Date: 1 December 2005/ID Number: G00127407 Page 8 of 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information