Part 2: The business case for application security. The comprehensive business guide to application security (a three-part series)





Table of contents
Introduction ... 3
The comprehensive business commitment to application security ... 3
Application security and corporate governance ... 3
Benefits of a secured application development lifecycle ... 4
Education ... 4
Creating accountability in outsourced and procured software applications ... 5
Due diligence on outsourcing ... 5
Contract/SLA process ... 5
Managing the development process ... 5
Business case models for application security ... 5
HP Application Security: solutions spanning the application lifecycle ... 6
Summary ... 8

Introduction

Software is the circulatory system of the global economy. It manages our financial transactions, it tracks the products in our ports' shipping containers, it monitors a sick person's vital signs, and much more. Innovations in software development are changing our perceptions of the Internet, reshaping enterprises, and giving birth to significant new businesses. From Web 2.0 to cloud computing, not only is software driving global change, it is dictating the ever-increasing pace of that change.

No matter your industry, your enterprise is no doubt affected by these trends, whether through your own software development initiatives, outsourced development, or the strategic procurement of commercial software. Your goals of creating new markets, gaining a competitive advantage, achieving organizational efficiencies, and communicating efficiently may be intertwined with your efforts to introduce software innovations. A key success factor in realizing the business benefits of software is assuring that it is implemented securely. Standing still is not an option, but failure to take appropriate measures to focus on software quality and security introduces unnecessary risk within your enterprise and often results in a situation where the organization takes one step forward and two steps back.

As we near the end of the first decade of the 21st century, the software industry has the benefit of a growing body of knowledge that can be applied to software quality and security. What we have learned is that the organizations that are most successful at securing software take a full-lifecycle approach to the issue and make a program-level commitment. This white paper is part two of HP's three-part Application Security for Business educational series, intended to help executives understand the importance of application security to their business.
We encourage you to read the full series:
Part 1: The mandate for application security
Part 2: The comprehensive business commitment to application security
Part 3: Implementing best practices through the HP Application Security Maturity Model

The comprehensive business commitment to application security

The risks to the enterprise from Web applications justify making a commitment to secure application development and procurement. This is not accomplished by creating a standalone group that blocks innovation, but rather by integrating security into the business processes you already have. The key guiding principles we encourage your organization to adopt are:
• Gain executive-level commitment to secure software as a part of sound corporate governance.
• Implement a secured application development lifecycle.
• Drive accountability in outsourced and procured software.
• Use business case models to help justify and measure the effectiveness of your application security program.

Application security and corporate governance

Security practitioners sometimes need to be reminded of the extent to which business executives are willing to take risks as a part of corporate strategy. Risk is opportunity, and chief executive officers (CEOs) are often huge risk takers, for good or for bad. Unfortunately, the global economy has suffered at times from risk taking that occurs with inaccurate knowledge or violates compliance mandates. Governance reforms have proven to be incomplete solutions. As a result, many organizations are seeking to harmonize positive risk taking and their compliance mandates with a philosophy known as Governance, Risk & Compliance Management (GRC).[1] GRC emphasizes organization-wide understanding of the corporate culture and its risk tolerance. Its goal is to improve the accuracy of risk taking, while maintaining regulatory compliance and staying on course with the corporate strategy.

[1] Demystifying GRC: Governance, Risk, Compliance, Business Trends Quarterly, Q4 2007

Figure 1. HP Software approach to application lifecycle management (diagram of the complete application lifecycle: Plan, Define/design, Develop/test, Launch and Operation, with strategic control points from demand and portfolio governance through requirements, system validation, end-user management and change management, and the application fundamentals of functionality, performance and security)

GRC is quite relevant to application security. All constituencies concerned with software development will have a better understanding of the organizational risk tolerance and will be better able to produce the type of software the business expects. Executives should not create an application security program to eliminate all vulnerabilities; rather, the program should be able to tell executives how securely software can be produced across a range of investment and time-to-market factors appropriate to the business. It is the business executive's job to understand the range of risks and to decide the level that is appropriate to the organization and its shareholders.

Benefits of a secured application development lifecycle

If there is any single objective of this paper, it is for the reader to walk away convinced that excellence in application security is achieved by embedding security into the complete application development lifecycle. A security vulnerability is a software defect that should be identified during development.
Incorporating security from the very beginning, through strategy, planning, design, coding, testing, and operation, is a proven approach to reducing overall security vulnerabilities, which leads to lower costs and reduced risks by many measurements, including the research detailed in part one of this series.

Education

Education, of course, should be considered part of the secured application development lifecycle. The challenge with security-specific education is getting bandwidth on the part of the development teams to participate, as they have many competing priorities, even within the educational realm. In the long run, traditional educational institutions need to take up the cause of secure software education to enable the next generation of developers. In the meantime, however, trusted organizations like SANS have made tremendous progress in creating training and certification for software developers, with its Secure Software Institute.[2] (ISC)² has also developed the Certified Secure Software Lifecycle Professional curriculum and certification program to address this issue.[3]

[2] SANS Secure Software Institute, www.sans-ssi.org
[3] (ISC)² Certified Secure Software Lifecycle Professional, www.isc2.org/csslp-certification.aspx

Creating accountability in outsourced and procured software applications

A major mistake made by some corporations is to have two separate standards for application security: one for internally developed applications and one for software built externally. Many organizations have seen the outsourcer or software vendor as a black box and have taken insufficient steps to assure that external software is of high quality. However, the origin of a faulty Web application that infects a customer matters little; it is the impact that is significant. In the highly interdependent architectures of state-of-the-art applications, a custom-built application may also be vulnerable through its dependency on a commercial off-the-shelf (COTS) software package. Organizations have both the business leverage and the responsibility to maintain the same high standards for outsourced and procured applications.

Due diligence on outsourcing

Beyond basic business vetting (reference checks, credit ratings, and so on), it is possible and recommended to research an outsourced software development company's investment in assuring application security:
• Corporate commitment to security: ISO or similar standards and certifications. The ISO 27000 family of standards, which focuses on best practices in information security management systems, is an excellent indicator of a company's commitment to security quality. In addition, software vendors can be certified against these standards, specifically through ISO 27001 certification.
• Process improvement and quality certification. The existence of programs such as the Capability Maturity Model Integration (CMMI) from Carnegie Mellon and Six Sigma is an indicator of a mature approach to quality software development.
• Documented secure development lifecycle. Software developers should be able to provide documentation of their software development lifecycle (SDL) process, including the details and number of their security checkpoints.
Contract/SLA process

Companies that push for the inclusion of security milestone language in contracts during the procurement process uniformly report this to be a success and tend to institutionalize the practice. Generally speaking, the milestones in the contracts specify application vulnerability testing at delivery points, which may coincide with the application development lifecycle. These milestone tests may have service level agreements (SLAs) requiring a specific acceptable quantity of vulnerabilities and a timeframe to fix high- and medium-risk vulnerabilities. This remediation requirement should also apply to a post-delivery support period. Financial rewards and/or penalties are always an option with the security quality of outsourced applications.

Managing the development process

An organization should stay engaged with the outsourcer's development process on multiple levels. With a documented contract and a defined development lifecycle, it is advisable to use your security testing tools to evaluate code at quality milestones and to encourage your outsourcer to use the same tools during development to assure uniformity of results. The specific testing tools may need to be named in the contract language itself.

Business case models for application security

Bruce Schneier, noted security expert, had this to say about application security: "the problem of insecure software is not primarily a technological problem, it is an economic problem." Carnegie Mellon University (CMU) has done excellent work in many areas of secure software development. In research sponsored by the Department of Homeland Security, CMU has developed the Build Security In Web site,[4] which contains a variety of business case models for justifying software security. The models are well-known methodologies that have been adapted to the cause of secure software development:
• Investment-oriented models. Examples include the Gartner Group's Total Value of Opportunity (TVO) and Microsoft's Rapid Economic Justification (REJ).
• Cost-oriented models. Total Cost of Ownership (TCO) from Gartner is likely the best known in this grouping.
• Environmental models. The highly popular Balanced Scorecard from Norton and Kaplan is the best-known model in this group. The Balanced Scorecard ensures that a holistic view of outcomes, good and bad, is measured when investing in application security.

[4] http://buildsecurityin.us-cert.gov/

Figure 2. HP Application Security Center products and assessment technology (diagram: HP Assessment Management Platform for policy and compliance, centralized administration, vulnerability and risk management, alerts and reporting, and distributed scanning; HP DevInspect for source code testing of .NET and Java applications under development; HP QAInspect for security testing integrated with HP Quality Center; HP WebInspect for pre- and post-production application assessment; a foundation of intelligent engines, hybrid analysis, reporting, SecureBase, SmartUpdate, security toolkit and open APIs)

A model will not by itself solve the problem of making an economic justification for application security; however, consistent measurement of application development statistics within the context of these models will prove much more persuasive than the unfortunate scare tactics many security teams use. The longer you measure application security using a consistent approach, the more accurate your results will be. Given that an organizational attitude towards risk management is in place and understood, a key component of applying return on investment (ROI) research to secure software development is understanding the consequences of software defects to your organization. Understanding the consequences allows the business executive to guide the degree of investment that should be made to develop software more securely.
HP Application Security: solutions spanning the application lifecycle

HP Application Security Center software products are tailored to integrate with all phases of a business's complete application lifecycle and are continuously updated to deliver an accurate and comprehensive assessment of Web sites and Web applications, including the latest Web 2.0 technologies. In the section below we provide a brief introduction to the products and position them in the context of the guiding principles in the previous section.

HP DevInspect. HP DevInspect can be seamlessly implemented within a variety of integrated development environments used by enterprise programmers, including Microsoft Visual Studio, Eclipse and IBM Rational Application Developer, and provides your team with a solution that is easy to deploy, easy to use, and quick to deliver value. HP Hybrid Analysis, the patent-pending core of HP DevInspect, combines static analysis ("white box") and dynamic testing ("black box") to provide the most precise results, taking the guesswork out of what to fix. In addition, HP SecureObjects, provided as part of HP DevInspect, can be applied to automatically remediate any security vulnerability. By installing HP DevInspect on the developer's desktop, we are able to begin fixing vulnerabilities during the initial coding phase of the lifecycle. Our research has shown that not only does HP DevInspect reduce vulnerabilities during the critical coding phase, but the tool also creates a feedback loop with the developers, increasing their awareness of security issues introduced during the development process. While organizations will not hesitate to deploy HP DevInspect to internal developers, you should also consider encouraging or mandating this tool for outsourced developers. HP DevInspect could be used to provide interim milestone reporting on the delivery of quality code and drive more accountability in outsourcing.

HP QAInspect. HP QAInspect applies highly sophisticated security testing to the quality assurance testing stage of the application development lifecycle. HP QAInspect integrates directly into the market-leading quality assurance (QA) solution, HP Quality Center, allowing security tests to be run in conjunction with functional tests or as a standalone security validation, all from within a familiar interface. HP QAInspect has been designed from the ground up to fit effortlessly into existing quality organizations and methodologies. From requirements gathering to test planning to test execution, HP QAInspect truly establishes security as a pillar of application quality management.

HP WebInspect. HP WebInspect provides leading-edge Web application testing capabilities for security professionals, with the ability to identify the most current, highest-risk vulnerabilities within your Web applications. The tool provides expert guidance for less experienced security professionals while increasing the efficiency of experienced penetration testers and application security experts. Depending upon the scope of the application, several security testers may be needed from different organizations. While these testers may have a variety of techniques to identify vulnerabilities, there are distinct business process advantages to using an integrated tool to manage their assessment.
HP WebInspect validates the configuration of your applications to be sure your application is secure from threats. Vulnerabilities detected in an HP WebInspect report can more easily be remediated by a developer using HP DevInspect. The same issues can also be flagged by the QA department as the application is re-tested. Using a common test suite facilitates productivity during the iterative processes that characterize the application development lifecycle. An additional point to be made about a tool like HP WebInspect is that it can also be used as an acceptance testing measurement for commercial, off-the-shelf software. Enterprise software can be highly dynamic, and the customization process can create unintended vulnerabilities. The ability to perform black-box testing can drive accountability during the procurement process and negotiations pertaining to pricing and support. New vulnerabilities are being discovered every day. The HP Web Application Security Research Group is the industry leader in Web application security research and provides daily updates to HP WebInspect via SmartUpdate to verify that you are always testing for the latest vulnerabilities. HP WebInspect also provides you with the ability to continue to analyze both your existing and new Web applications throughout their life in production, reducing the risk to your business.

HP Assessment Management Platform. The HP Assessment Management Platform is used to assess and manage application security risk throughout the enterprise and the entire lifecycle. Security professionals use HP Assessment Management Platform to define their entire application security program, including security policies, testing permissions, testing schedules, running distributed scans, and more. It is the backbone of the HP Application Security Center, giving your organization visibility, scalability, and control over your application security initiatives.

HP SaaS for Application Security. Is time, skills or cost a challenge for you? With HP, application security does not need to be a challenge for you or your organization. With over eight years of experience in offering Software-as-a-Service (SaaS), HP Software-as-a-Service for HP Application Security enables you to establish or augment your security program and start decreasing vulnerabilities more quickly.

HP Professional Services. HP also provides a full set of professional services programs to meet your needs, including product implementation and training, penetration testing, vulnerability scanning, and security program consulting services.

The HP Application Security Center provides the most robust and complete solution for protecting your business from application security breaches. Our suite of products provides a complete lifecycle approach to application security across development, QA and production. It is a true enterprise solution that provides accelerated ROI benefits compared with traditional security assessment methods by using proven technologies.

Summary

All organizations have a stake in assuring the security of their software. This is particularly true in the case of the Web applications that are increasingly dominating the software landscape. Organizational leaders should understand the nature of a full program-level commitment to application security, which is critical to its success. We propose these high-level principles as the components of a comprehensive program:
• Application security is part of good corporate governance. Because application security has a high degree of affinity with the quality of an organization's products and services, it is a necessary part of corporate governance and should have executive sponsorship.
• Accountability in outsourced development and procured software. The complexities of interrelated applications mandate a consistent level of security in applications of all origins. Businesses should leverage contracts, service level agreements and purchasing power to drive security assurance in non-native applications.
• Security must be embedded in the application development lifecycle. Applications can only be secured when security checkpoints are embedded into the process that manufactures software. This is called the application lifecycle, and it is fundamental that security considerations are part of the process, from early planning through production operations.
• Education. Software developers and other organizational stakeholders require the benefits of an educational program targeted at application security best practices, which is currently not a pervasive part of traditional educational institutions.
• Technology to enable secure development. The scale and complexity of today's applications require the use of technology throughout the application development lifecycle to enable all of the high-level areas mentioned above.

A complete portfolio of solutions, such as those provided within the HP Application Security Center, is an ideal approach to enforcing a full commitment to application security. A comprehensive commitment to application security is not about altering the business, but about integrating software development with the business. While some of the key areas are technology-centric, most of these principles are sound business practices requiring executive sponsorship.

As part of your initiative to identify application security solutions, we recommend reading the other two parts of this series:
Part 1: The mandate for application security
Part 3: Implementing best practices through the HP Application Security Maturity Model

HP and the HP Application Security Center have a permanent commitment to providing comprehensive research, best practices, education, technology and products to enable your enterprise's own Security Center of Excellence and mature enterprise security program.

Technology for better business outcomes
To learn more, visit www.hp.com/go/securitysoftware

Copyright 2009 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. Java is a U.S. trademark of Sun Microsystems, Inc. Microsoft and Visual Studio are U.S. registered trademarks of Microsoft Corporation. 4AA1-9814ENW, February 2009