Application Security 101. A primer on Application Security best practices




Table of Contents

Introduction
Defining Application Security
Managing Risk
Weighing AppSec Technology Options
Penetration Testing
Automated Scanning: Static Analysis
Automated Scanning: Dynamic Analysis
Web Application Firewalls
Software Protection Technology
Vulnerability Management
Threat Intelligence
Governance, Risk & Compliance (GRC)
AppSec Consulting Services
AppSec Technology Recommendations
Conclusion
Learn More

Introduction

The business software ecosystem of today has evolved to the point where organizations' sensitive data is no longer safe without the implementation of an Application Security program. Building a successful Application Security program begins with learning the discipline's fundamentals and understanding the different technologies and services available. Security teams that are educated in these areas will be able to make well-informed decisions on how they should design and grow their Application Security programs. This paper will provide nascent security professionals the information and guidance they need to build an effective Application Security program for their enterprises.

Defining Application Security

The practice of Application Security, or AppSec for short, protects an organization's critical data from external threats by removing security vulnerabilities from the software used to run a business. Just as Quality Assurance (QA) is the operational solution to the problem of product quality, AppSec is the operational solution to the problem of software risk. Application Security helps identify, fix and prevent security vulnerabilities in any kind of software application, no matter the function, language, or platform.

It is important to understand the concept of a software vulnerability. A software vulnerability is a programming error that produces unintended behavior in the application, allowing malicious actors to bypass the security features built into the application. Once the application's security features are bypassed, malicious actors can use the application as a gateway for stealing sensitive, protected, or confidential data. A number of respected security research groups publish guidance on common insecure programming errors. The guidance includes classifying different types of vulnerabilities and the level of software risk that is incurred when the vulnerabilities are present in an application. Two of the most well known are the SANS Top 25 and the OWASP Top 10.

As a best practice, AppSec programs employ proactive, preventative methods to manage software risk and align an organization's security investments with the reality of today's threats. AppSec programs have three distinct benefits:

1. Measurable reduction of risk in existing applications
2. Prevention of the introduction of new risks
3. Ensuring compliance with software security mandates

The severity and frequency of security attacks on applications are exploding. As a result, the practice of AppSec is only growing in importance. Additionally, AppSec as a discipline is becoming more complex as the variety of business software available continues to proliferate. Here are some of the reasons why:

- Today's enterprise software comes from a variety of sources: in-house development teams, commercial vendors, outsourced solution providers, and open source projects. This means that the AppSec program must encompass all applications from a variety of sources.
- Software developers have an endless choice of programming languages to choose from: Java, .NET, C++, Ruby, PHP, and more. As a result, the AppSec technology must support a wide range of programming languages.
- Applications can be deployed across a myriad of platforms: installed to operate locally, over virtual servers and networks, accessed as a service in the cloud, or running on mobile devices. Therefore, the AppSec program must encompass all applications regardless of how those applications are deployed.

Each of these development and deployment options can introduce security vulnerabilities, so application security products must provide capabilities for managing security risk across all options. It is also important to understand that an effective software security strategy addresses both immediate and systemic risk.

Managing Risk

So, which applications are at risk of attack? Unfortunately, the risk of attack is not limited to organizations' critical apps: all applications are at risk. The past few years have shown that attackers will target any applications they can find, even applications that are not mission critical. Non-mission-critical applications are often less protected than critical apps, meaning attackers can more easily find vulnerabilities that can be exploited to gain access to the company's network. Once malicious actors have breached the company network, they can run attacks targeting company data. Since even non-critical applications can be used as a gateway to sensitive company data, it is important that organizations begin their application security efforts by knowing all the different applications that are running on their network.

Once all of an organization's applications have been accounted for, the organization can begin detecting and remediating vulnerabilities. Any organization can get started in application security; the key is to start at a comfortable, manageable level and scale the program over time. Organizations often start with automated techniques that quickly identify and assess all of their externally facing applications for the most common vulnerabilities. When a company is ready to build up its application security program, it can move on to more in-depth assessment methods to test for additional vulnerabilities. The Application Security market has reached sufficient maturity to allow organizations of all sizes to follow a well-established roadmap. Once an organization has found and assessed its potential vulnerabilities, it can move on to:

- Following remediation procedures to prioritize and fix them
- Training developers on secure coding practices
- Leveraging ongoing threat intelligence to keep up to date
- Developing continuous methods to secure applications throughout the development lifecycle
- Instantiating policies and procedures that instill good governance

Application security is an orderly process of reducing the risks associated with developing and running business-critical software. Properly managed, a good AppSec program will move an organization from a state of unmanaged risk and reactive security to effective, proactive risk mitigation.

Weighing Application Security Technology Options

When considering investment in an AppSec program, security professionals must balance people, process, and technology to accomplish their strategic goals. In many companies this decision falls to the Chief Information Security Officer (CISO) or equivalent head of security. There are a myriad of choices of products and services in the AppSec market, each with its own pros and cons. AppSec technologies are at different levels of maturity, and the deployment options available cover a wide range: from professional consulting to open source tools, from installed software to cloud-based services. Each organization must strive to optimize its own AppSec investments, aligned against the reality of today's security threats.

"Organizations have to find a way to test all applications quickly to manage risk from this exposed layer of their infrastructure. Leveraging automation to achieve scale and applying multiple testing techniques is the key to success."
Sam King, EVP of Corporate Development
Read the full press release at: http://www.veracode.com/content/view/1832/38

Note: the AppSec products and services detailed below do not represent an exhaustive list of options for AppSec. This list includes product categories with a substantive market and ecosystem. The categories listed are the ones found in industry analysts' taxonomies of the AppSec landscape.

Penetration Testing

Penetration testing methods manually evaluate the security of an application by running simulated attacks against it. The tester mimics the behavior of a malicious hacker by exploiting the software's potential vulnerabilities, whether in a staged or production environment. The tester provides a report that prioritizes discovered flaws by potential exploitability. Organizations pay per application tested, depending on the number of penetration tests required over time. Penetration testing services are mature and established in the security marketplace; as such, many organizations are familiar with penetration testing services and are already using them. Because penetration testing can be labor-intensive and expensive, many organizations choose to test only their most critical applications.

The last few years have witnessed an explosion in automated software testing products and services (also known as automated scanning). Two kinds of automated testing have become increasingly popular among distributed development teams: static and dynamic analysis. These techniques allow development teams to scale testing regimens to cover the complete software portfolio, scanning more often and more affordably.

Automated Scanning: Static Analysis

Static analysis is a software testing technique that can be used to scrutinize all code paths and data flows that a program will execute without actually running the program. It does away with the need to build a potentially complex and expensive environment in order to analyze a software program for many classes of quality and security defects. Static analysis can also be performed earlier in the development lifecycle since it does not require a fully functioning program or test data. A static analyzer can have the methodology of the world's best security and quality code reviewers encoded into software to provide the depth of a manual code review with the accuracy, repeatability, and speed of automation. Static analysis can be performed on either a program's source code or its binary executable; both contain all of the semantics and logic that define the software's functionality.

Automated Scanning: Dynamic Analysis

Dynamic analysis is an easy-to-use and popular type of automated testing that is performed against a running instance of the application. Dynamic analysis treats the application as a black box in that it only tests web-accessible application interfaces. In a typical dynamic analysis, websites are investigated (or "crawled") to discover accessible application interfaces. The inputs and outputs of these accessible interfaces are tested for software vulnerabilities. Dynamic analysis can be used during development on a staged website environment or on live production applications accessible from the company's URLs. These scanning techniques have become popular for assessing Software-as-a-Service (SaaS) and cloud-based solutions that deliver application capabilities through web URLs.

Web Application Firewalls

A Web Application Firewall (WAF) is a software or hardware device that filters input to and output from a Web server. WAFs block malicious input and unintentional data leaks to protect the Web server and internal data. A WAF is often deployed as an explicit proxy or bridge in front of the Web server or as an offline device that sniffs Web traffic. WAF capabilities are often bundled with solutions for database monitoring, load balancing, application delivery, and intrusion detection. This method of application protection is considered to be a boundary defense, and it takes a reactive approach to software protection.
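The static analysis section above describes scrutinizing code paths and data flows without running the program. The following added example (written for this page; it is not Veracode's product or any real analyzer) shows the core idea on a constructed Python snippet: a tiny taint tracker walks the abstract syntax tree, marks variables derived from an assumed untrusted source (request.args.get, input), clears the mark when data passes through an assumed sanitizer (int, shlex.quote), and reports any assumed sink (cursor.execute, os.system) that receives tainted data, all without executing the analyzed code. The source, sink and sanitizer tables and the sample program are assumptions for illustration.

```python
# Added example: a minimal source-to-sink taint tracker over a Python AST.
# It never executes the code it inspects; it only walks the parsed tree.
import ast

# Assumed tables for illustration; real analyzers ship far larger ones.
SOURCES = {"request.args.get", "input"}                    # untrusted input
SINKS = {"cursor.execute": "SQL injection",                # dangerous consumers
         "os.system": "OS command injection"}
SANITIZERS = {"int", "shlex.quote"}                        # calls that neutralize taint


def callee_name(call):
    """Dotted name of a Call's callee, e.g. 'cursor.execute'; None if dynamic."""
    parts, node = [], call.func
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class TaintTracker(ast.NodeVisitor):
    """Intra-procedural, top-to-bottom taint propagation through assignments."""

    def __init__(self):
        self.tainted = set()    # names currently holding untrusted data
        self.findings = []      # (line, sink, vulnerability class)

    def is_tainted(self, node):
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            name = callee_name(node)
            if name in SOURCES:
                return True
            if name in SANITIZERS:
                return False
            return any(self.is_tainted(arg) for arg in node.args)
        if isinstance(node, ast.BinOp):           # "..." + user, "..." % user
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):       # f"... {user} ..."
            return any(self.is_tainted(part.value) for part in node.values
                       if isinstance(part, ast.FormattedValue))
        return False

    def visit_Assign(self, node):
        for target in node.targets:
            if isinstance(target, ast.Name):
                if self.is_tainted(node.value):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)   # reassigned to clean data
        self.generic_visit(node)

    def visit_Call(self, node):
        name = callee_name(node)
        if name in SINKS and any(self.is_tainted(arg) for arg in node.args):
            self.findings.append((node.lineno, name, SINKS[name]))
        self.generic_visit(node)


def analyze(source_code):
    """Return [(line, sink, vulnerability class)] for tainted data reaching a sink."""
    tracker = TaintTracker()
    tracker.visit(ast.parse(source_code))
    return tracker.findings


# Constructed sample program (only parsed, never run). Line 1 is the empty
# first line of the string, so the first sink call sits on line 4.
SAMPLE = '''
import os, shlex
user = request.args.get("id")
cursor.execute("SELECT * FROM t WHERE id = " + user)
safe_id = int(user)
cursor.execute("SELECT * FROM t WHERE id = %s" % safe_id)
cmd = f"ls {shlex.quote(user)}"
os.system(cmd)
os.system("ping " + user)
'''

if __name__ == "__main__":
    for line, sink, kind in analyze(SAMPLE):
        print(f"line {line}: {kind} via {sink}()")
```

Running it reports lines 4 and 9 and stays silent on lines 6 and 8, where the data passed through a sanitizer first. The tracker needs no database, web server or test data, which is the point the section makes; it is also deliberately limited (one function body, no branches or calls across functions, and a sanitizer it does not know about would produce a false positive), which is why real analyzers invest heavily in their rule sets and flow models.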

Software Protection Technology

These technologies deliver security features that help protect software intellectual property (IP) from piracy, make tampering more difficult, and protect code and cryptographic keys from attacks such as malware insertion. Software obfuscation makes IP theft more difficult by obscuring software logic and algorithms. In addition, license checking can enforce valid software licenses to prevent revenue loss. The underlying software code is not touched.

Vulnerability Management

Once software vulnerabilities have been found and reported by a testing methodology, they need to be fixed. Vulnerability management systems help software developers track flaws, remediate fixes, and verify secure processes. They integrate with the team's chosen development environment, tools, and programming languages to ensure application security throughout the software lifecycle. The better solutions provide a shared workspace with role-specific project management and a robust knowledge base. Fixing vulnerabilities in all deployed applications should be considered a mission-critical step in defending intellectual property, protecting customer privacy, and meeting regulatory compliance obligations. When rigorously practiced, vulnerability management improves the overall security posture of an organization's entire software portfolio.

Threat Intelligence

New software vulnerabilities continue to emerge due to the near-constant rate of innovation by hackers and cyber criminals. Without an ongoing threat intelligence capability, enterprises risk falling behind and leaving their businesses vulnerable to new kinds of attacks. This intelligence should include research on the latest threat trends and techniques being employed by hackers, organized criminals, rogue governments, and other adversaries. Typically these systems categorize vulnerabilities by language or platform and automatically update remediation knowledge bases.

Governance, Risk & Compliance (GRC)

A plethora of industry mandates and government regulations compel the security of sensitive or confidential data such as personally identifiable information. GRC solutions abound in the wider corporate risk management and regulatory compliance marketplace. Offerings from the more advanced Application Security (AppSec) vendors often have added policy management functions. Capabilities include risk-based application portfolio management, policy enforcement, audit tracking and certification, history and trend analysis, dashboards, and reporting, among other functions. GRC products can help larger organizations that have thousands of development projects, as well as companies in highly regulated industries, better manage their enterprise AppSec programs.

Application Security Consulting Services

Many AppSec programs benefit from the services of professional consultants that help organizations augment their internal security expertise. Expert consultants typically focus on manual code reviews and penetration tests, developer training programs, security architecture reviews, and threat modeling. In addition to independent consulting firms, many AppSec solution vendors offer consulting services to ensure customer success with their technologies. Engagement models range from one-time routine test regimens to long-term strategic relationships that can cost millions of dollars per year.

Application Security Technology Recommendations

Unfortunately, there is no single AppSec cure-all. No single AppSec solution can protect an organization's full range of applications from the full range of risks in today's environment. Since every technique has its own strengths and weaknesses, mature AppSec programs should employ multiple analysis techniques to improve vulnerability coverage. Well-equipped AppSec programs should use static analysis, dynamic analysis, and penetration testing methods. The combination of these methods provides the greatest amount of vulnerability coverage. If an organization is limited to choosing one technique, static analysis is the strongest choice due to its ease of testing and depth of code coverage.

(Figure: chart comparing the tradeoffs between static analysis, dynamic analysis, and manual penetration testing)

In addition to static, dynamic and manual testing, implementing an effective Application Security program relies on an organization's ability to define and enforce policies that drive effective vulnerability remediation. Timely and cost-effective remediation often calls for developer training, additional resources, and/or third-party services. Implementing these capabilities better prepares an organization for sustained application security.
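The Vulnerability Management section says that flaws found by a testing methodology must be tracked, remediated and verified, and the recommendations above say results from static, dynamic and manual testing should be combined. The following added example (written for this page; it is not Veracode's platform or any product's data model) sketches a minimal findings tracker in Python: results from different tools are merged on a fingerprint (application, weakness class, normalized location), prioritized by severity plus assumed bonuses for internet-facing applications and for confirmation by more than one technique, given a remediation deadline from an assumed per-severity policy, and closed only when a rescan no longer reports them. The applications, findings, SLA windows and scoring weights are constructed for illustration, as is the assumption that both tools report the same normalized location for the same flaw.

```python
# Added example: minimal findings tracker for vulnerability management.
from dataclasses import dataclass, field
from datetime import date, timedelta
import hashlib

# Assumed remediation policy (days allowed per severity); not from the paper.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass
class Finding:
    app: str
    cwe: str         # weakness class, e.g. CWE-89
    location: str    # normalized location both tools agree on (assumption)
    severity: str
    tool: str        # technique that reported it: static, dynamic, pentest

    def fingerprint(self):
        """Tool-independent identity so duplicate reports merge into one ticket."""
        key = f"{self.app}|{self.cwe}|{self.location}".encode()
        return hashlib.sha256(key).hexdigest()[:16]


@dataclass
class Ticket:
    finding: Finding
    opened: date
    due: date
    status: str = "open"
    reported_by: set = field(default_factory=set)


class VulnTracker:
    def __init__(self, external_apps):
        self.external_apps = set(external_apps)  # reachable from the internet
        self.tickets = {}                        # fingerprint -> Ticket

    def ingest(self, findings, scan_date):
        """Open a ticket per new fingerprint; record every tool that saw it."""
        for f in findings:
            fp = f.fingerprint()
            ticket = self.tickets.get(fp)
            if ticket is None:
                due = scan_date + timedelta(days=SLA_DAYS[f.severity])
                ticket = self.tickets[fp] = Ticket(f, scan_date, due)
            elif ticket.status == "closed":
                ticket.status = "reopened"       # regression: the flaw came back
            ticket.reported_by.add(f.tool)

    def verify(self, app, rescan_findings):
        """Close tickets for `app` that a fresh scan no longer reports."""
        still_present = {f.fingerprint() for f in rescan_findings}
        closed = []
        for fp, ticket in self.tickets.items():
            if (ticket.finding.app == app and fp not in still_present
                    and ticket.status != "closed"):
                ticket.status = "closed"
                closed.append(fp)
        return closed

    def score(self, ticket):
        """Higher is more urgent: severity, exposure, multi-tool confirmation."""
        s = SEVERITY_RANK[ticket.finding.severity]
        if ticket.finding.app in self.external_apps:
            s += 2
        if len(ticket.reported_by) > 1:
            s += 1
        return s

    def prioritized(self):
        open_tickets = [t for t in self.tickets.values() if t.status != "closed"]
        return sorted(open_tickets, key=lambda t: (-self.score(t), t.due))

    def overdue(self, today):
        return [t for t in self.prioritized() if t.due < today]


# Constructed scan results for two applications; only "billing" is internet-facing.
STATIC_SCAN = [
    Finding("billing", "CWE-89", "db.py:42", "critical", "static"),
    Finding("billing", "CWE-79", "search:q", "medium", "static"),
    Finding("intranet-wiki", "CWE-22", "files.py:88", "high", "static"),
]
DYNAMIC_SCAN = [
    Finding("billing", "CWE-79", "search:q", "medium", "dynamic"),  # same flaw, second tool
]


def run_demo():
    tracker = VulnTracker(external_apps={"billing"})
    day0 = date(2012, 1, 10)
    tracker.ingest(STATIC_SCAN, day0)
    tracker.ingest(DYNAMIC_SCAN, day0)
    before = [t.finding.location for t in tracker.prioritized()]
    overdue_feb1 = [t.finding.location for t in tracker.overdue(date(2012, 2, 1))]
    # The SQL injection gets fixed; the billing rescan reports only the XSS.
    closed = tracker.verify("billing", [STATIC_SCAN[1]])
    return {
        "tickets": len(tracker.tickets),
        "before": before,
        "overdue_feb1": overdue_feb1,
        "closed_cwe": [tracker.tickets[fp].finding.cwe for fp in closed],
        "after": [t.finding.location for t in tracker.prioritized()],
        "overdue_feb15": [t.finding.location for t in tracker.overdue(date(2012, 2, 15))],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The fingerprint is what lets one ticket carry evidence from two techniques, and the verify step is what turns "the developer says it is fixed" into "a rescan no longer finds it"; a finding that reappears after closure is flagged as a regression rather than silently reopened as new.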

Conclusion

The goal of an Application Security (AppSec) program is to protect an organization's critical data from external threats by ensuring the security of all the software used to run a business. When undertaken correctly, an AppSec program takes a systematic approach to protecting an organization's software applications. As an organization's experience with AppSec evolves, the practice should become more routine and have a positive impact on the organization's software development, procurement and acceptance processes. Throughout this evolution, security teams can learn to anticipate specific attacks, understand harmful impacts, and define countermeasures in advance. Software developers should be trained and certified in secure development techniques to promote the ongoing development of more secure code with fewer software vulnerabilities. Today's governance, risk and compliance (GRC) mandates should inform the creation of AppSec policies, and AppSec test results should be incorporated into GRC reporting. The key to managing software risks in a sustainable manner lies in the organization's ability to enforce AppSec policies and procedures across the enterprise while scaling its AppSec program to keep up with evolving security threats.

Learn More

Webinar on Application Security Fundamentals: https://info.veracode.com/082911-applicationsecurityfundamentals-ChrisWysopal_webinarApplicationSecurityFundamentals.html
Datasheet on Veracode Program Management Services: https://info.veracode.com/datasheet-program-management-services.html
Whitepaper on Policy-Driven Software Security: https://info.veracode.com/policy-wp-june-2011.html
Datasheet on Veracode Dynamic MP: http://www.veracode.com/images/veracodedynamicmpdatasheetaug2011.pdf
Webinar on Avoiding Security Spend Pitfalls featuring Wendy Nather, 451 Research: https://info.veracode.com/avoiding-security-spend-pitfalls.html

ABOUT VERACODE

www.veracode.com. 2012 Veracode, Inc. All rights reserved.

Veracode is the only independent provider of cloud-based application intelligence and security verification services. The Veracode platform provides the fastest, most comprehensive solution to improve the security of internally developed, purchased or outsourced software applications and third-party components. By combining patented static, dynamic and manual testing, extensive elearning capabilities, and advanced application analytics, Veracode enables scalable, policy-driven application risk management programs that help identify and eradicate numerous vulnerabilities by leveraging best-in-class technologies from vulnerability scanning to penetration testing and static code analysis. Veracode delivers unbiased proof of application security to stakeholders across the software supply chain while supporting independent audit and compliance requirements for all applications no matter how they are deployed: via the web, mobile or in the cloud. Veracode works with global organizations across multiple vertical industries including Barclays PLC, California Public Employees' Retirement System (CalPERS), Computershare and the Federal Aviation Administration (FAA). For more information, visit www.veracode.com, follow on Twitter: @Veracode or read the Veracode Blog.