Part 2: The business case for application security
The comprehensive business guide to application security (a three-part series)
Table of contents
Introduction
The comprehensive business commitment to application security
Application security and corporate governance
Benefits of a secured application development lifecycle
Education
Creating accountability in outsourced and procured software applications
Due diligence on outsourcing
Contract/SLA process
Managing the development process
Business case models for application security
HP Application Security: solutions spanning the application lifecycle
Summary
Introduction
Software is the circulatory system of the global economy. It manages our financial transactions, it tracks the products in the shipping containers at our ports, it monitors a sick person's vital signs, and much more. Innovations in software development are changing our perceptions of the Internet, reshaping enterprises, and giving birth to significant new businesses. From Web 2.0 to cloud computing, not only is software driving global change, it is dictating the ever increasing pace of that change.

No matter your industry, your enterprise is no doubt affected by these trends, whether through your own software development initiatives, outsourced development, or the strategic procurement of commercial software. Your goals of creating new markets, gaining a competitive advantage, achieving organizational efficiencies, and communicating efficiently may be intertwined with your efforts to introduce software innovations. A key success factor in realizing the business benefits of software is assuring that it is implemented securely. Standing still is not an option, but failure to take appropriate measures to focus on software quality and security introduces unnecessary risk within your enterprise and often results in a situation where the organization takes one step forward and two steps back.

As we near the end of the first decade of the 21st century, the software industry has the benefit of a growing body of knowledge that can be applied to software quality and security. What we have learned is that the organizations that are most successful at securing software take a full lifecycle approach to the issue and make a program-level commitment.

This white paper is part two of HP's three-part Application Security for Business Educational Series, intended to help executives understand the importance of application security to their business.
We encourage you to read the full series:
Part 1: The mandate for application security
Part 2: The comprehensive business commitment to application security
Part 3: Implementing best practices through the HP Application Security Maturity Model

The comprehensive business commitment to application security
The risks to the enterprise from Web applications justify making a commitment to secure application development and procurement. This is not accomplished by creating a standalone group that blocks innovation, but by integrating security into the business processes you already have. The key guiding principles we encourage your organization to adopt are:
Gain executive-level commitment to secure software as a part of sound corporate governance.
Implement a secured application development lifecycle.
Drive accountability in outsourced and procured software.
Use business case models to help justify and measure the effectiveness of your application security program.

Application security and corporate governance
Security practitioners sometimes need to be reminded of the extent to which business executives are willing to take risks as a part of corporate strategy. Risk is opportunity, and chief executive officers (CEOs) are often huge risk takers, for good or for bad. Unfortunately, the global economy has suffered at times from risk taking based on inaccurate knowledge or in violation of compliance mandates. Governance reforms have proven to be incomplete solutions. As a result, many organizations are seeking to harmonize positive risk taking and their compliance mandates with a philosophy known as Governance, Risk & Compliance Management (GRC).1 GRC emphasizes organization-wide understanding of the corporate culture and its risk tolerance. Its goal is to improve the accuracy of risk taking, while maintaining regulatory compliance and staying on course with the corporate strategy.

1 Demystifying GRC: Governance, Risk, Compliance, Business Trends Quarterly, Q4 2007
Figure 1. HP Software approach to application lifecycle management (figure: the complete application lifecycle, from business demand and portfolio management through plan, define/design, develop/test, launch and operation, with governance, change management and fix/patch cycles alongside the application fundamentals of functionality, performance and security)

GRC is quite relevant to application security. All constituencies concerned with software development will have a better understanding of the organizational risk tolerance and be better able to produce the type of software the business expects. Executives should not create an application security program to eliminate every vulnerability; rather, the program should be able to tell executives how securely software can be produced across a range of investment and time-to-market options appropriate to the business. It is the business executive's job to understand the range of risks and to decide the level that is appropriate to the organization and its shareholders.

Benefits of a secured application development lifecycle
If there is any single objective of this paper, it would be for the reader to walk away convinced that excellence in application security is achieved by embedding security into the complete application development lifecycle. A security vulnerability is a software defect, and like any other defect it should be identified during development.
Incorporating security from the very beginning, through strategy, planning, design, coding, testing, and operation, is a proven approach to reducing overall security vulnerabilities, which leads to lower costs and reduced risk by many measurements, including the research detailed in part one of this series.

Education
Education, of course, should be considered part of the secured application development lifecycle. The challenge with security-specific education is getting bandwidth on the part of the development teams to participate, as they have many competing priorities, even within the educational realm. In the long run, traditional educational institutions need to take up the cause of secure software education to enable the next generation of developers. In the meantime, however, trusted organizations like SANS have made tremendous progress in creating training and certification for software developers with its Secure Software Institute.2 (ISC)² has also developed the Certified Secure Software Lifecycle Professional (CSSLP) curriculum and certification program to address this issue.3

2 SANS Secure Software Institute, www.sans-ssi.org
3 (ISC)² Certified Secure Software Lifecycle Professional, www.isc2.org/csslp-certification.aspx
Creating accountability in outsourced and procured software applications
A major mistake made by some corporations is to have two separate standards for application security: one for internally developed applications and one for software built externally. Many organizations have treated the outsourcer or software vendor as a black box and have taken insufficient steps to assure that external software is of high quality. However, the origin of a faulty Web application that harms a customer matters little; it is the impact that is significant. In the highly interdependent architectures of state-of-the-art applications, a custom-built application may also be vulnerable through its dependency on a commercial off-the-shelf (COTS) software package. Organizations have both the business leverage and the responsibility to maintain the same high standards for outsourced and procured applications.

Due diligence on outsourcing
Beyond basic business vetting (reference checks, credit ratings, and so on), it is possible and recommended to research an outsourced software development company's investment in assuring application security:
Corporate commitment to security: ISO or similar standards and certifications. The ISO 27000 family of standards, which is focused on best practices in information security management systems, is a good indicator of the company's commitment to security. Software vendors can be certified against ISO 27001 specifically. Note that ISO 27001 certifies the vendor's information security management system, not the security of a particular product, so it complements rather than replaces testing of the delivered application.
Process improvement and quality certification. The existence of programs such as the Capability Maturity Model Integration (CMMI) from Carnegie Mellon and Six Sigma is an indicator of a mature approach to quality software development.
Documented secure development lifecycle. Software developers should be able to provide documentation of their software development lifecycle (SDL) process, including the details and number of their security checkpoints.
Contract/SLA process
Companies that push for the inclusion of security milestone language in contracts during the procurement process uniformly report this to be a success and tend to institutionalize the practice. Generally speaking, the milestones in the contracts specify application vulnerability testing at delivery points, which may coincide with the phases of the application development lifecycle. These milestone tests may carry service level agreements (SLAs) that set an acceptable number of outstanding vulnerabilities and a timeframe for fixing high- and medium-risk vulnerabilities. The remediation requirement should also apply to a post-delivery support period. Financial rewards and/or penalties tied to the security quality of outsourced applications are always an option.

Managing the development process
An organization should stay engaged with the outsourcer's development process on multiple levels. With a documented contract and a defined development lifecycle, it is advisable to use your own security testing tools to evaluate code at quality milestones and to encourage your outsourcer to use the same tools during development, to assure uniformity of results. The specific testing tools may need to be named in the contract language itself.

Business case models for application security
Bruce Schneier, noted security expert, had this to say about application security: "the problem of insecure software is not primarily a technological problem, it is an economic problem." Carnegie Mellon University (CMU) has done excellent work in many areas of secure software development. In research sponsored by the Department of Homeland Security, CMU developed the Build Security In Web site,4 which contains a variety of business case models for justifying software security. The models are well-known methodologies that have been adapted to the cause of secure software development.
Investment-oriented models. Examples include the Gartner Group's Total Value of Opportunity (TVO) and Microsoft's Rapid Economic Justification (REJ).
Cost-oriented models. Total Cost of Ownership (TCO) from Gartner is likely the best known in this group.
Environmental models. The highly popular Balanced Scorecard from Norton and Kaplan is the best known model in this group. The Balanced Scorecard ensures that a holistic view of outcomes, good and bad, is measured when investing in application security.

A model by itself will not solve the problem of making an economic argument for application security; however, consistent measurement of application development statistics within the context of one of these models will prove far more persuasive than the unfortunate scare tactics many security teams use. The longer you measure application security with a consistent approach, the more accurate your results will be. Given that an organizational attitude towards risk management is in place and understood, a key component of applying return on investment (ROI) research to secure software development is understanding the consequences of software defects to your organization. Understanding the consequences allows the business executive to guide the degree of investment that should be made to develop software more securely.

4 http://buildsecurityin.us-cert.gov/

Figure 2. HP Application Security Center products and assessment technology (figure: HP Assessment Management Platform for policy and compliance, centralized administration, vulnerability and risk management, alerts and reporting, and distributed scanning; HP DevInspect for source code testing of .NET and Java applications under development; HP QAInspect for security testing integrated with HP Quality Center; HP WebInspect for pre- and post-production application assessment; all built on a common foundation of intelligent engines, hybrid analysis, reporting, SecureBase, SmartUpdate, a security toolkit and open APIs)
HP Application Security: solutions spanning the application lifecycle
HP Application Security Center software products are tailored to integrate with all phases of a business's complete application lifecycle and are continuously updated to deliver an accurate and comprehensive assessment of Web sites and Web applications, including the latest Web 2.0 technologies. The section below provides a brief introduction to the products and positions them in the context of the guiding principles in the previous section.

HP DevInspect. HP DevInspect can be implemented within a variety of integrated development environments used by enterprise programmers, including Microsoft Visual Studio, Eclipse and IBM Rational Application Developer, giving your team a solution that is easy to deploy, easy to use, and quick to deliver value. HP Hybrid Analysis, the patent-pending core of HP DevInspect, combines static analysis (white box) and dynamic testing (black box) to provide more precise results, taking the guesswork out of what to fix. In addition, HP SecureObjects, provided as part of HP DevInspect, can be applied to automatically remediate security vulnerabilities. By installing HP DevInspect on the developer's desktop, vulnerabilities can be fixed during the initial coding phase of the lifecycle. Our research has shown that not only does HP DevInspect reduce vulnerabilities during the critical coding phase, but the tool also creates a feedback loop with developers, increasing their awareness of the security issues introduced during development. While organizations will not hesitate to deploy HP DevInspect to internal developers, you should also consider encouraging or mandating this tool for outsourced developers. HP DevInspect could then provide interim milestone reporting on the delivery of quality code and drive more accountability in outsourcing.

HP QAInspect. HP QAInspect applies highly sophisticated security testing to the quality assurance testing stage of the application development lifecycle. HP QAInspect integrates directly into the market-leading quality assurance (QA) solution, HP Quality Center, allowing security tests to be run in conjunction with functional tests or as a standalone security validation, all from within a familiar interface. HP QAInspect has been designed from the ground up to fit into existing quality organizations and methodologies. From requirements gathering to test planning to test execution, HP QAInspect establishes security as a pillar of application quality management.

HP WebInspect. HP WebInspect provides leading-edge Web application testing capabilities for security professionals, with the ability to identify the most current, highest-risk vulnerabilities within your Web applications. The tool provides expert guidance for less experienced security professionals while increasing the efficiency of experienced penetration testers and application security experts. Depending upon the scope of the application, several security testers from different organizations may be needed. While these testers may use a variety of techniques to identify vulnerabilities, there are distinct business process advantages to using an integrated tool to manage their assessment.
HP WebInspect checks the configuration of your applications to confirm they are protected against known threats. Vulnerabilities detected in an HP WebInspect report can be more easily remediated by a developer using HP DevInspect, and the same issues can be flagged by the QA department as the application is re-tested. Using a common test suite facilitates productivity during the iterative processes that characterize the application development lifecycle. A further point about a tool like HP WebInspect is that it can also be used as an acceptance test for commercial, off-the-shelf software. Enterprise software can be highly dynamic, and the customization process can create unintended vulnerabilities. The ability to perform black-box testing can drive accountability during the procurement process and in negotiations pertaining to pricing and support. New vulnerabilities are discovered every day. The HP Web Application Security Research Group, an industry leader in Web application security research, provides daily updates to HP WebInspect via SmartUpdate so that you are always testing for the latest vulnerabilities. HP WebInspect also lets you continue to analyze both your existing and new Web applications throughout their life in production, reducing the risk to your business.

HP Assessment Management Platform. The HP Assessment Management Platform is used to assess and manage application security risk throughout the enterprise and the entire lifecycle. Security professionals use HP Assessment Management Platform to define their entire application security program, including security policies, testing permissions, testing schedules, distributed scans, and more. It is the backbone of the HP Application Security Center, giving your organization visibility, scalability, and control over your application security initiatives.

HP SaaS for Application Security. Is time, skill or cost a challenge for you? With HP, application security need not be a challenge for you or your organization. With over eight years' experience in offering Software-as-a-Service (SaaS), HP Software-as-a-Service for HP Application Security enables you to establish or augment your security program and start decreasing vulnerabilities more quickly.

HP Professional Services. HP also provides a full set of professional services programs to meet your needs, including product implementation and training, penetration testing, vulnerability scanning, and security program consulting services.

The HP Application Security Center provides a robust and complete solution for protecting your business from application security breaches. Our suite of products provides a complete lifecycle approach to application security across development, QA and production. It is a true enterprise solution that provides accelerated ROI compared with traditional security assessment methods by using proven technologies.
Summary
All organizations have a stake in assuring the security of their software. This is particularly true for Web applications, which increasingly dominate the software landscape. Organizational leaders should understand the nature of a full program-level commitment to application security, which is critical to its success. We propose these high-level principles as the components of a comprehensive program:
Application security is part of good corporate governance. Because application security has a high degree of affinity with the quality of an organization's products and services, it is a necessary part of corporate governance and should have executive sponsorship.
Accountability in outsourced development and procured software. The complexities of interrelated applications mandate a consistent level of security in applications of all origins. Businesses should leverage contracts, service level agreements and purchasing power to drive security assurance in non-native applications.
Security must be embedded in the application development lifecycle. Applications can only be secured when security checkpoints are embedded into the process that manufactures software. This is called the application lifecycle, and it is fundamental that security considerations are part of the process, from early planning through production operations.
Education. Software developers and other organizational stakeholders need an educational program targeted at application security best practices, which is currently not a pervasive part of traditional educational institutions.
Technology to enable secure development. The scale and complexity of today's applications require the use of technology throughout the application development lifecycle to enable all of the high-level areas mentioned above. A complete portfolio of solutions, such as those provided within the HP Application Security Center, is an ideal approach to enforcing a full commitment to application security.

A comprehensive commitment to application security is not about altering the business, but about integrating software development with the business. While some of the key areas are technology-centric, most of these principles are sound business practices requiring executive sponsorship. As part of your initiative to identify application security solutions, we recommend reading the other two parts of this series:
Part 1: The mandate for application security
Part 3: Implementing best practices through the HP Application Security Maturity Model

HP and the HP Application Security Center have a permanent commitment to providing comprehensive research, best practices, education, technology and products to enable your enterprise's own Security Center of Excellence and mature enterprise security program.

Technology for better business outcomes
To learn more, visit www.hp.com/go/securitysoftware

Copyright 2009 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. Java is a U.S. trademark of Sun Microsystems, Inc. Microsoft and Visual Studio are U.S. registered trademarks of Microsoft Corporation.
4AA1-9814ENW, February 2009