IT Risk Management: Guide to Software Risk Assessments and Audits
Contents

Overview
Executive Summary
Software: Today's Biggest Security Risk
How Software Risk Enters the Enterprise
Software Risk Management
  Step 1 Software Risk Assessment: Inventory and Assurance Levels
  Step 2 Software Risk Assessment: Independent Application Security Testing
  Step 3 Software Risk Mitigation: Set Acceptance Thresholds
  Step 4 Evaluation and Assessment
How Veracode Can Help
About Veracode

© 2008 Veracode, Inc.
Overview

Risk is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. [1] In IT systems, risk can be introduced from the internet, servers, networks, malicious insiders and even lapses in physical security. However, the current rate of newly discovered vulnerabilities in software has risen to the top of the agenda for security professionals striving to control their company's overall risk profile. According to Gartner and the Computer Emergency Response Team (CERT), 75% of new attacks target the application layer, and software vulnerabilities have reached an all-time high with more than 7,000 new vulnerabilities disclosed over the last year. [2]

Executive Summary

The software industry is one of the largest manufacturing industries in the world, with $350 billion in off-the-shelf software sold each year and over $100 billion in customized code on top of that. Despite the size, there is no standardized notion of software security quality, even though the repercussions include product patches, data breaches leading to massive theft and fluctuations in corporate stock prices. This pushes both costs and liabilities onto the enterprise purchasing the software. In most cases organizations do not have any insight into what vulnerabilities exist in these applications, resulting in an unacceptable level of unbounded risk.

Until now, enterprises have lacked an efficient manner to analyze the security of software as part of their risk management processes. Security testing has been limited to manual analysis by consultants, using internal teams with source code tools or trusting the software supplier to test their own code. None of these approaches scales to cover an enterprise's entire application portfolio, and each can add significant time and costs to projects.
In an effort to combat this growing trend, new compliance requirements from the Payment Card Industry (PCI) and the Comptroller of the Currency, Administrator of National Banks (OCC), along with recommendations from industry groups and analysts, call for risk management processes to secure software applications. This whitepaper outlines how new application security technologies enable organizations to meet the growing threat posed by software, and provides risk management best practices which enterprises can use to secure their application inventory.

[1] NIST, Risk Management Guide for Information Systems, Special Publication 800-30
[2] Microsoft Security Intelligence Report 2008, based on data from the DHS NVD & CERT
Software: Today's Biggest Security Risk

Today's application has become the enterprise's new perimeter. With better network-level security technology hardening the network perimeter, malicious attackers are now focusing their efforts on striking at the least defended point: the application. While hackers were once satisfied with defacing Web sites, unleashing denial-of-service attacks and trading illicit files through targeted networks, modern attackers are profit-driven. Financial and customer data have become valuable commodities, and applications must be secure enough to protect them.

Recent industry statistics confirm this trend. Data from CERT reveals that the number of software vulnerabilities has risen dramatically and has eclipsed 7,000 new software vulnerability disclosures in the past year, an all-time high [3]. Meanwhile, Gartner and NIST report that 95% of all reported vulnerabilities are in software [4], 78% of threats target business information, and 75% of attacks target the application level [5]. Yet, even with these findings, most enterprises allocate less than 10% of their security spending to application security.

[Figures: NIST/Gartner Key Facts; CERT Number of Software Vulnerability Disclosures per Year]

[3] Microsoft Security Intelligence Report 2008, based on data from the DHS NVD & CERT
[4] Mark Curphey, "Software Security Testing: Let's Get Back to Basics", October 2004, SoftwareMAG.com
[5] Theresa Lanowitz, "Now Is the Time for Security at the Application Level", 2005, Gartner
How Software Risk Enters the Enterprise

As the myriad of applications deployed within organizations increases (some developed internally, some brought in from outside), the effort needed to manage risk becomes greater. Applications are inherently more complex, with many being based on a mixed code base from a wide range of sources, teams, and geographic locations. Gone are the days when companies developed their own source code. Now over two-thirds of the world's largest companies are engaged in offshore outsourcing. [6] Additionally, enterprises have lacked an efficient manner to analyze the security of the off-the-shelf commercial applications they purchase, further decreasing their security posture. Traditional tools cannot rise to this challenge, as they typically require source code, which usually isn't available in mixed code base applications. Manual penetration testing is time consuming, costly and simply doesn't scale. Figure 1 below shows how software risk enters the enterprise as today's application development and procurement processes have become increasingly distributed and complex.

Figure 1 - Modern Software Risk Landscape

Today's applications are made up of multiple pre-compiled components, libraries and open source. The US Department of Homeland Security calls this SOUP, or "software of unknown pedigree". Simply put, the software supply chain is increasingly complex. Whether software is purchased from an established vendor or developed in-house, the liability and risk that the application poses rests with the enterprise, and organizations must take steps to test applications for security vulnerabilities prior to accepting and deploying software.

[6] Mary Hayes Weier, "The Second Decade Of Offshore Outsourcing: Where We're Headed", Nov. 2007, InformationWeek
Software Risk Management

Risk management is the process that allows IT managers to balance the operational and economic costs of protective measures and achieve gains in mission capability by protecting the IT systems and data that support their organizations' missions. Overall risk management encompasses three processes: risk assessment, risk mitigation, and evaluation and assessment. [7] The following steps detail best practices for implementing a successful software risk management program.

Step 1 Software Risk Assessment: Inventory and Assurance Levels

It may seem obvious that, as part of a risk assessment, organizations need to create an inventory of the applications that are being developed, purchased or maintained by an outsourcing provider; in practice, however, it can be a challenging exercise. With the advent of low cost offshore development, open source and low cost commercial software, it is common to see application sprawl, as individual groups or business units may have contracted work that previously would have required higher capital costs and formal approvals. When conducting an application inventory, involve business units, procurement and vendor management to ensure all software that was or is entering the organization has been identified.

Once applications have been identified, organizations need to understand the risk that each application poses to the business. This can be achieved through the assignment of an assurance level for each application based on business risk factors such as reputation damage, financial loss, operational risk, sensitive information disclosure, personal safety, and legal violations. Assurance levels are used to determine the extent of testing methods (e.g. higher assurance levels may be tested using multiple techniques) and the overall acceptance criteria (e.g. a lower assurance level application may be accepted with a lower security score, as it does not pose a significant risk to the business).
The following chart from NIST provides guidance on selecting an assurance level based on business risk:

[7] NIST Special Publication 800-37
Step 2 Software Risk Assessment: Independent Application Security Testing

In order to quantify the risk posed by software identified in Step 1, organizations need to conduct security testing to determine whether the application contains vulnerabilities. However, until now, true testing of software has been difficult due to the high cost and effort required to conduct manual code reviews and the difficulty in obtaining access to source code. Because of these issues, few companies conduct software testing, or they are only able to address a small sub-segment of their highest risk applications. Given the current threat landscape, it is imperative that organizations test all of their outsourced applications, ideally using a third party to obtain Independent Verification and Validation (IV&V). New technologies and testing methodologies, e.g. automated security testing services offered by companies such as Veracode, now enable organizations to independently test all of their applications before they are accepted and deployed by the enterprise.

Step 3 Software Risk Mitigation: Set Acceptance Thresholds

Enterprises can leverage software security ratings to decide which applications are secure enough to be accepted or deployed and which applications need remediation by the provider before software acceptance. To demonstrate setting acceptance thresholds, we will use Veracode's SecurityReview service as an example. Using application testing with various testing techniques, combined with a scoring system based on the Common Vulnerability Scoring System (CVSS) and the Common Weakness Enumeration (CWE) standards, a Security Quality Score (SQS) is derived for each application. The assurance level the enterprise selected in Step 1 (above) is then applied to incorporate business risk, and the output is normalized to an easy-to-understand letter grade (A, B, C, etc.).
Thus, enterprises can set an acceptable grade (A, for example), and software must achieve that grade for the application to be accepted. Setting thresholds and using standards-based scoring removes the subjectivity and gray area around what constitutes acceptance, and clarifies the process for both the enterprise and the provider. Below is a chart that demonstrates how organizations can use assurance levels, quality scores and testing methods to achieve an overall rating:
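Steps 1 to 3 can be expressed as an acceptance gate over the application inventory. The Python sketch below is an added example, not part of the original whitepaper and not Veracode's rating method. The impact scale, the rule that the worst-rated risk factor sets the assurance level, and the minimum grade per level are assumptions an organization would replace with its own policy; the inventory is constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# The six business risk factors named in Step 1.
FACTORS = ("reputation", "financial", "operational", "disclosure", "safety", "legal")
IMPACT = {"none": 0, "low": 1, "moderate": 2, "high": 3}   # assumed scale
GRADE_RANK = {"F": 0, "D": 1, "C": 2, "B": 3, "A": 4}
# ASSUMPTION: minimum grade per assurance level (1 = lowest risk). Each
# organization sets its own; these are not NIST's or Veracode's values.
MIN_GRADE = {1: "D", 2: "C", 3: "B", 4: "A"}

@dataclass
class App:
    name: str
    source: str                  # e.g. "internal", "outsourced", "cots"
    impacts: dict                # risk factor -> impact word
    grade: Optional[str] = None  # None = no independent test result yet

def assurance_level(app: App) -> int:
    """Assumed high-water-mark rule: the worst-rated factor sets the level."""
    unrated = [f for f in FACTORS if f not in app.impacts]
    if unrated:   # an unrated factor must not silently count as "none"
        raise ValueError(f"{app.name}: unrated factors {unrated}")
    return 1 + max(IMPACT[app.impacts[f]] for f in FACTORS)

def decide(app: App) -> tuple:
    """Return (assurance level, decision) for one inventory entry."""
    level = assurance_level(app)
    if app.grade is None:        # untested software is unbounded risk
        return level, "test-before-acceptance"
    if GRADE_RANK[app.grade] >= GRADE_RANK[MIN_GRADE[level]]:
        return level, "accept"
    return level, "remediate-by-provider"

def review(inventory: list) -> dict:
    return {app.name: decide(app) for app in inventory}

def _rated(**overrides) -> dict:   # sample data: every factor "low" unless overridden
    return {**dict.fromkeys(FACTORS, "low"), **overrides}

# Constructed sample inventory (hypothetical applications).
INVENTORY = [
    App("payments-portal", "outsourced", _rated(financial="high"), "B"),
    App("intranet-wiki", "internal", _rated(), "C"),
    App("hr-suite", "cots", _rated(disclosure="moderate")),
]

if __name__ == "__main__":
    print(review(INVENTORY))
```

An entry with no test result is never accepted by default, and an entry with an unrated risk factor raises an error instead of being treated as low risk.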
Step 4 Evaluation and Assessment

Security and risk are not a point-in-time exercise, but a continuous process. As the organization grows, new applications are deployed, existing applications are upgraded and new features or functionality are enabled. Additionally, the threat landscape for software vulnerabilities is constantly changing. An application which is secure today may become vulnerable at a future date as new attack vectors and methods are developed. Thus, it is critical that a successful risk management program performs ongoing evaluations and assessments of the effectiveness and relevance of the controls which are deployed.

For software risk management, this means constantly monitoring the threat landscape through formal vulnerability notification programs such as the Department of Homeland Security's National Vulnerability Database or MITRE's Common Vulnerabilities and Exposures (CVE) service. Additionally, because attackers' methods evolve over time, software risk management programs should use the following evaluation and assessment methods for deployed applications:

- Re-test applications after upgrades, patches or significant changes prior to deployment
- Re-test deployed applications on a quarterly or semi-annual basis, depending on assurance level, in order to determine if new threat models expose the application to vulnerabilities

How Veracode Can Help

Veracode SecurityReview is the industry's first solution to use patented binary code analysis and dynamic web analysis to uniquely assess any application security threats, including vulnerabilities and malicious code. SecurityReview performs the only complete and independent security audit across any internally developed applications, third-party commercial off-the-shelf software and offshore code without exposing a company's source code.
Delivered as an on-demand service, Veracode delivers the simplest and most cost-effective way to implement security best practices, reduce operational cost and achieve compliance without requiring any hardware, software or training. As an expert in application security, Veracode is uniquely suited to provide independent verification and validation (IV&V) of software applications without the need for costly on-site consultants.

Veracode's Ratings System produces a software security rating based on respected industry standards, including MITRE's Common Weakness Enumeration (CWE) for classification of software weaknesses, FIRST's Common Vulnerability Scoring System (CVSS) for severity and ease of exploitability, and NIST's application assurance levels. These universally accepted vulnerability scoring methods provide a clear audit trail, enabling enterprises to automate the security acceptance testing of outsourced applications, meet both internal and external security and compliance requirements, and reduce their exposure to risk.
About Veracode

Veracode is the world's leader for on-demand application security testing solutions. Veracode SecurityReview is the industry's first solution to use patented binary code analysis and dynamic web analysis to uniquely assess any application security threats, including vulnerabilities such as cross-site scripting (XSS), SQL injection, buffer overflows and malicious code. SecurityReview performs the only complete and independent security audit across any internally developed applications, third-party commercial off-the-shelf software and offshore code without exposing a company's source code. Delivered as an on-demand service, Veracode delivers the simplest and most cost-effective way to implement security best practices, reduce operational cost and achieve regulatory requirements such as PCI compliance without requiring any hardware, software or training.

Veracode has established a position as the market visionary and leader with awards that include recognition as a Gartner "Cool Vendor" 2008, Info Security Product Guide's "Tomorrow's Technology Today Award" 2008, Information Security "Readers' Choice Award" 2008, AlwaysOn Northeast's "Top 100 Private Company 2008", NetworkWorld "Top 10 Security Company to Watch" 2007, and Dark Reading's "Top 10 Hot Security Startups" 2007. Based in Burlington, Mass., Veracode is backed by .406 Ventures, Atlas Venture and Polaris Venture Partners. For more information, visit www.veracode.com.