Copyright © 2006 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.
OWASP AppSec Europe, May 2006
http://www.owasp.org/
Bootstrapping the Application Assurance Process
Sebastien Deleersnyder
Belgium OWASP Chapter Leader
Sebastien Deleersnyder?
- 5 years of Developer Experience
- 5 years of Information Security Experience
- Principal Application Security Consultant @ Ascure:
  - Web Application/Services Security Testing
  - Training Web Application/Services Security
  - Initiating & Improving Application Security Assurance
- Belgian OWASP Chapter Leader
Agenda
- Application Security Assurance?
- Risk Management
- Bootstrap Application Security Assurance Cycle
- User Story: Mercator Insurances
- Outsourced Development
- Roundup
Agenda
Application Security Assurance? Risk Management Bootstrap Application Security Assurance
Cycle User Story: Mercator Insurances Outsourced Development Roundup
5OWASP AppSec Europe 2006
Application Security Problem
- Business demands more:
  - automation
  - availability
  - adaptability
- Growing connectivity / user base
- Increasing complexity of software
- Rush software out without adequate security testing
- Poor security training and awareness
- 75% of vulnerabilities are application related (Gartner + NIST-ICAT)
Cost of Insecure Software
- More maintenance (updates, patches)
- Lost:
  - Money
  - Productivity
  - Information
  - Image, reputation
The Solution
[Diagram: unauthorized access to Network, Software and Data is stopped]
Application Security Assurance: understand and manage your software security risk
Application Security Assurance
Combination of People, Processes, and Technology to identify, measure, and manage Risk presented by COTS(*), open source, and custom applications.
[Diagram: People, Processes, Technology and Risk Mgmt]
(*) Commercial Off The Shelf
Agenda
Application Security AssurancePeopleProcessesTechnology
Risk Management Bootstrap Application Security Assurance
Cycle User Story: Mercator Insurances Outsourced Development Roundup
10OWASP AppSec Europe 2006
People
Awareness decision makers:
- Board of Directors
- Audit and Assurance (Risk Management)
- CEO/CFO/CIO
- Executive(s) responsible for systems development and change management
- Sales & Product Management!
People
Teach your developers to “fish”:
“Give a man a fish and you feed him for a day; teach a man to fish and you feed him for a lifetime.”
Chinese proverb
Meaning:
- Developer awareness
- Secure design guidelines
- Secure implementation practices
Agenda
Application Security AssurancePeopleProcessesTechnology
Risk Management Bootstrap Application Security Assurance
Cycle User Story: Mercator Insurances Outsourced Development Roundup
13OWASP AppSec Europe 2006
Processes
Build security into:
- Development process
- Deployment process
“Integrate” Security within Application Life Cycle
[Diagram: lifecycle phases with the security activity added to each]
- Requirements / Use Cases: Security Requirements / Abuse Cases
- Design: Threat Modeling / Secure Design
- Code: Code Review
- Test: Risk Based Security Testing
- Deploy: Secure Config / CM / App FWs
Security Requirements / Abuse Cases
- Define “Secure” & “Reliable”
- Use <-> Abuse Cases
- UML based
- Better understanding
- Foundation for the rest of the AppSec controls
Abuse Cases
Source: Templates for Misuse Case Description, Sindre & Opdahl
Threat Modeling
Select mitigation Strategy & Techniques based on identified, documented and rated threats.
Benefits:
- Prevent security design flaws
- Identify & address greatest risks
- Increased risk awareness and understanding
- Mechanism for reaching consensus
- Cost justification and support for needed controls
- Means for communicating results
Secure Design
Principles (*):
- Secure the weakest link
- Practice defence in depth
- Fail securely
- Follow the principle of least privilege
- Compartmentalize
- Keep it simple
- Promote privacy
- Remember that hiding secrets is hard
- Be reluctant to trust
- Use your community resources
Future proof security design!
(*) Building Secure Software, Viega-McGraw
Code Review
- Security bugs are a subset of implementation bugs!
- Static / dynamic analysis tools
- Requires manual inspection
- Threat-based
- Benefits:
  - Improves code quality
  - Prevents security bugs
  - Increased developer awareness and understanding
Application Security Testing
- Focus on application vulnerabilities
- Tools can do the automated work
- Experienced Testers
- Black / White Box security testing
Deployment Process
- Ensure the application configuration is secure
- Security is increasingly “data-driven”: XML files, property files, scripts, databases, directories
- How do you control and audit this data?
  - Design configuration data for audit
  - Put all configuration data in CM
  - Audit configuration data regularly
  - Don’t allow configuration changes in the field
- Gap Development - Deployment
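The slide asks how configuration data is controlled and audited once it lives in property files, XML and scripts. The Python below is an added example, not code from the deck or from any organisation it names: it treats a manifest of file digests as the baseline held in configuration management (CM), then audits a deployed tree against it and reports files changed in the field, added outside CM, or missing. The file names and contents are constructed.

```python
"""Audit deployed configuration data against a CM baseline.
Added example; the configuration files below are constructed."""
import hashlib
import tempfile
from pathlib import Path

# Constructed sample configuration, standing in for what CM says should be deployed.
BASELINE_CONFIG = {
    "app.properties": "db.url=jdbc:postgresql://db.internal/app\nsession.timeout=900\ndebug=false\n",
    "WEB-INF/web.xml": "<web-app>\n  <session-config><session-timeout>15</session-timeout></session-config>\n</web-app>\n",
    "deploy.sh": "#!/bin/sh\nexec java -jar app.jar\n",
}


def sha256_file(path: Path) -> str:
    """Digest a file in chunks so large config dumps do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def audit_config(baseline: dict, current: dict) -> dict:
    """Compare the deployed tree with the CM baseline and return the drift:
    files modified in the field, files added outside CM, and files missing."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def write_tree(root: Path, files: dict) -> None:
    """Materialise a {relative path: content} mapping under root."""
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)


def demo() -> dict:
    """Deploy the baseline, simulate undocumented changes in the field, audit."""
    with tempfile.TemporaryDirectory() as tmp:
        deployed = Path(tmp)
        write_tree(deployed, BASELINE_CONFIG)
        baseline = build_manifest(deployed)  # recorded at release time, kept in CM
        # Constructed field changes that bypassed CM: debug switched on,
        # an ad-hoc override file dropped in, the deploy script deleted.
        (deployed / "app.properties").write_text(
            BASELINE_CONFIG["app.properties"].replace("debug=false", "debug=true"))
        (deployed / "hotfix.properties").write_text("session.timeout=86400\n")
        (deployed / "deploy.sh").unlink()
        return audit_config(baseline, build_manifest(deployed))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files or '-'}")
```

Scheduling `build_manifest` on each environment and diffing against the release manifest is the "audit configuration data regularly" step; any non-empty drift is either an unrecorded change to investigate or a missing CM entry to correct.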
Agenda
Application Security AssurancePeopleProcessesTechnology
Risk Management Bootstrap Application Security Assurance
Cycle User Story: Mercator Insurances Outsourced Development Roundup
23OWASP AppSec Europe 2006
Technology
Do not develop on islands, but look for company wide:
- Frameworks: J2EE, .NET
- Web Services: new ballgame or same thing?
- Leverage PKI, IAM initiatives
- Vulnerability Scanners
- Application level firewalls
Agenda
Application Security Assurance Risk Management Bootstrap Application Security Assurance
Cycle User Story: Mercator Insurances Outsourced Development Roundup
25OWASP AppSec Europe 2006
Risk Management
Risk Management: “Looking both ways before crossing the road”
Risk: “The possibility of suffering harm or loss”
Management: “The act or art of managing; the manner of treating, directing, carrying on, or using, for a purpose”
Risk Management?
The process concerned with identification, measurement, control and minimization of security risks in information systems to a level commensurate with the value of the assets protected.
Risk Management
- Deeply influenced by business objectives
- Each business has a different risk profile
- Risk changes over time
The foundation of security
Risk is the combination of a threat exploiting some vulnerability that could cause harm to some asset.
[Diagram: Threat, Vulnerability, Risk]
Handling Risks
Methods of risk treatment:
- Mitigate or suppress
- Accept
- Transfer (insurance)
- Ignore (poor – often used)
Types of countermeasures:
- Preventive
- Detective
- Corrective
In case of risk acceptance:
- Request documented justification
- Get formal approval (sign-off) by senior management
- Have the decision reviewed after 6 to 12 months
Residual Risk
Residual Risk is a combined function of (1) a threat less the effect of some threat reducing safeguards; (2) a vulnerability less the effect of some vulnerability reducing safeguards and (3) an asset less the effect of some asset value reducing safeguards.
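The two slides above give the deck's risk model (threat, vulnerability and asset, each less the effect of its safeguards) and its rules for handling a risk that is accepted rather than treated. The Python below is a worked example added here, not part of the original presentation: it scores a small constructed risk register on an assumed 1-5 rating scale, computes residual risk as each factor less the safeguards acting on it, and applies the acceptance checks (documented justification, senior-management sign-off, review scheduled 6 to 12 months out). The scale, the day-based reading of "6 to 12 months" and every register entry are assumptions made for the illustration.

```python
"""Risk register for the deck's risk model. Added example, not from the slides:
the 1-5 scale, the 180-366 day reading of "6 to 12 months" and all entries are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional

TODAY = date(2006, 5, 1)  # fixed so the example is reproducible (constructed)


class Treatment(Enum):
    MITIGATE = "mitigate or suppress"
    ACCEPT = "accept"
    TRANSFER = "transfer (insurance)"
    IGNORE = "ignore"  # the slide's "poor - often used"; flagged by the checks below


@dataclass
class Safeguard:
    name: str
    reduces: str  # factor it acts on: "threat", "vulnerability" or "asset"
    by: int       # rating points removed from that factor (constructed scale)


@dataclass
class Risk:
    name: str
    threat: int         # 1-5: likelihood that a threat agent acts
    vulnerability: int  # 1-5: how exposed the weakness is
    asset: int          # 1-5: value of what could be harmed
    safeguards: List[Safeguard] = field(default_factory=list)
    treatment: Treatment = Treatment.MITIGATE
    justification: str = ""
    signed_off_by: str = ""
    review_date: Optional[date] = None


def clamp(rating: int) -> int:
    """Keep a factor on the 1-5 scale; safeguards never push it below 1."""
    return max(1, min(5, rating))


def inherent_risk(r: Risk) -> int:
    """Risk as the combination of threat, vulnerability and asset, before safeguards."""
    return r.threat * r.vulnerability * r.asset


def residual_risk(r: Risk) -> int:
    """Slide's definition: each factor less the safeguards that reduce it, recombined."""
    def reduced(factor: str, rating: int) -> int:
        return clamp(rating - sum(s.by for s in r.safeguards if s.reduces == factor))
    return (reduced("threat", r.threat)
            * reduced("vulnerability", r.vulnerability)
            * reduced("asset", r.asset))


def treatment_issues(r: Risk, today: date = TODAY) -> List[str]:
    """'Handling Risks' rules: ignoring is flagged; an accepted risk needs a documented
    justification, senior-management sign-off and a review 6 to 12 months out."""
    if r.treatment is Treatment.IGNORE:
        return ["risk is ignored instead of treated"]
    if r.treatment is not Treatment.ACCEPT:
        return []
    issues = []
    if not r.justification.strip():
        issues.append("no documented justification")
    if not r.signed_off_by.strip():
        issues.append("no senior-management sign-off")
    if r.review_date is None:
        issues.append("no review date")
    elif not 180 <= (r.review_date - today).days <= 366:
        issues.append("review not scheduled 6 to 12 months after acceptance")
    return issues


# Constructed register entries
REGISTER = [
    Risk("Injection flaw in customer portal search", threat=4, vulnerability=5, asset=5,
         safeguards=[Safeguard("parameterised queries", "vulnerability", 4),
                     Safeguard("application level firewall", "threat", 1)]),
    Risk("Verbose error pages on intranet HR tool", threat=2, vulnerability=3, asset=2,
         treatment=Treatment.ACCEPT, justification="Internal network only; low asset value",
         signed_off_by="CIO", review_date=TODAY + timedelta(days=270)),
    Risk("Legacy batch job without audit logging", threat=3, vulnerability=2, asset=4,
         treatment=Treatment.ACCEPT),
    Risk("Outdated third-party library in reporting module", threat=3, vulnerability=3,
         asset=3, treatment=Treatment.IGNORE),
]


def report(register: List[Risk] = REGISTER, today: date = TODAY) -> dict:
    """Per risk: inherent rating, residual rating after safeguards, open issues."""
    return {r.name: {"inherent": inherent_risk(r), "residual": residual_risk(r),
                     "issues": treatment_issues(r, today)} for r in register}


if __name__ == "__main__":
    for name, row in report().items():
        print(f"{name}: inherent={row['inherent']} residual={row['residual']} "
              f"issues={row['issues'] or 'none'}")
```

The first entry shows the residual-risk arithmetic (100 inherent, 15 after two safeguards); the third and fourth show what the acceptance and "ignore" rules flag for the project board.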
Risk Analysis – Threat Modeling
Company Level - Risk Analysis:
- Perform Business Risk Analysis
- Identify Critical Business Applications
- Focus on Business Risks
- Ownership?
Application Level - Threat Modeling:
- What are the real threats against the application?
- Focus on Technical Threats
Success Factors
- Obtain management support
- Involve Business and Technical experts
- Designate focal points
- Define procedures
- Document and maintain results
Results
- Assurance that greatest risks have been identified and addressed
- Increased awareness and understanding of the risks
- Mechanism for reaching consensus
- Cost justification and support for needed controls
- Means for communicating results
- Compliance & Audit reporting
Cost vs. Security
[Chart: Security against Cost, marking Maximum viable security, Targeted balance, Sub-optimal Security Spending and Maximum allowable cost]
“Maximum allowable cost” is found through Risk Management.
Agenda
Application Security Assurance Risk Management Bootstrap Application Security Assurance
Cycle User Story: Mercator Insurances Outsourced Development Roundup
36OWASP AppSec Europe 2006
How to Start?
- No Big Bang approach
- Trigger can be (bad) result of Web App Pen Test
- First business case! Then Bootstrap!
Business Case
For use throughout the lifecycle and the entire software portfolio:
- Contracting Phase
- Development Phase
- Deployment/Production Phase
- Audit Phase
Benefits:
- Cost savings
- Risk measurement and reduction
- Compliance reporting
Cost Savings
Significantly reduce the costs associated with new and deployed products:
- A flaw that costs $1 to fix in the design and development phase will cost $100 to correct once it is deployed
- Reduce development time and number of cycles
- Patch management costs
- Contractor and vendor costs
“Removing only 50 percent of software vulnerabilities before use will reduce patch management and incident response costs by 75 percent.” (John Pescatore, Gartner)
Risk measurement and reduction
- Eliminate vulnerabilities before they become liabilities
- Manage the risks of serious financial loss, negative publicity, legal liability, loss of contracts, erosion of market share, degraded performance or other serious business impact as a result of a failure in security
- Set, enforce and report that software assurance thresholds are maintained
- Measurable reports prove progress internally and for compliance
Compliance Reporting
Compliance reporting:
- Comply with legal and regulatory requirements
- Regularly assess risk, disclose vulnerabilities and weaknesses, and prove progress both internally and for compliance requirements
Scope & application:
- Risk assessments are mandatory for most regulations, including application vulnerability detection
- Example internal control frameworks: CobiT, ISO 17799
- Example regulations: Basel II, FISMA (NIST 800-53), DoD 8500.2, Sarbanes-Oxley, FDA, HIPAA …
BootStrap!
- Identify current way of working!
- Set goals and start with phased approach
- Compare this with security strategy (can already be set out in a secure development policy)
- Perform a gap analysis and proceed with process improvement cycles:
  - Tailor to Company Culture!
  - Driven by Risk Management!
Quality – Application Security Analogy
Quality vs. Application Security:
- Industry level: ISO standards vs. OWASP guidelines / standards ?
- Company level: Quality Assurance vs. Application Security Assurance (set up an AppSec Assurance Framework for the Development & Deployment Process)
- Project level: Quality Control vs. AppSec Controls (part of the development and deployment of one application)
Driver for Improvement Process
[Diagram: Accountability, Organisation, Reporting (develop metrics); Risk Management; Strategy; Governance, Development, Deployment]
Company Wide
- Identify Business Critical High Risk projects to focus on, e.g. through BIA
- Focus on business risks!
- Must align Application Security Assurance with the company's "Risk Appetite"
Process Gateway Checks
- Introduce process gateway checks to be formally reported by the project manager for project board sign-off (including residual risk!)
- Introduce Application Security Controls in a phased approach
- Requirements phase is key for new projects:
  - Security specifics must be part of functional requirements (not bolted on later!)
  - Awareness for stake-holders / project sponsors!
“Natural” Allies
QA:
- Security vulnerabilities are to be considered bugs, the same way as a functional bug, and tracked in the same manner.
PMO:
- Factor some time into the project plan for security.
- Consider security as added value in an application.
  - $1 spent up front saves $10 during development and $100 after release
Application Security Defect Tracking and Metrics
“Every security flaw is a process problem”
Tracking security defects:
- Find the source of the problem: bad or missed requirement, design flaw, poor implementation, etc.
- ISSUE: can you track security defects the same way as other defects?
Metrics:
- What lifecycle stage are most flaws originating in?
- What security mechanisms are we having trouble implementing?
- What security vulnerabilities are we having trouble avoiding?
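The slide's point is that a security defect only becomes a process signal once its origin is recorded alongside the bug. The Python below is an added example, not from the deck: it models a security-defect record carrying the lifecycle stage where the root cause was introduced, the mechanism concerned and the vulnerability class, and then answers the slide's three metrics questions over a constructed tracker export. Field names, category vocabulary and all records are constructed assumptions.

```python
"""Security defect tracking metrics for "Every security flaw is a process problem".
Added example; the records, field names and category vocabulary are constructed."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Lifecycle stages in which a flaw can originate (the slide's "source of the problem")
STAGES = ("requirements", "design", "implementation", "deployment")


@dataclass(frozen=True)
class SecurityDefect:
    defect_id: str
    origin: str         # stage where the root cause was introduced, set at triage
    mechanism: str      # security mechanism the flaw concerns
    vulnerability: str  # vulnerability class the flaw produced
    severity: str


# Constructed tracker export; in practice this is the same tracker used for functional bugs
DEFECTS = [
    SecurityDefect("SEC-101", "implementation", "input validation", "injection", "high"),
    SecurityDefect("SEC-102", "design", "authorization", "missing access check", "high"),
    SecurityDefect("SEC-103", "requirements", "audit logging", "insufficient logging", "medium"),
    SecurityDefect("SEC-104", "implementation", "input validation", "cross-site scripting", "medium"),
    SecurityDefect("SEC-105", "deployment", "configuration", "verbose error messages", "low"),
    SecurityDefect("SEC-106", "design", "authorization", "insecure direct object reference", "high"),
    SecurityDefect("SEC-107", "implementation", "session management", "session fixation", "medium"),
    SecurityDefect("SEC-108", "implementation", "input validation", "injection", "high"),
]


def validate(defects: List[SecurityDefect]) -> List[SecurityDefect]:
    """Reject records whose origin is not a known stage: without a reliable
    origin field the stage metric says nothing about the process."""
    bad = [d.defect_id for d in defects if d.origin not in STAGES]
    if bad:
        raise ValueError(f"unknown origin stage on {bad}")
    return defects


def flaws_by_stage(defects: List[SecurityDefect]) -> Dict[str, int]:
    """Q1: what lifecycle stage are most flaws originating in?"""
    counts = Counter(d.origin for d in validate(defects))
    return {stage: counts.get(stage, 0) for stage in STAGES}


def troubled_mechanisms(defects: List[SecurityDefect], top: int = 3) -> List[Tuple[str, int]]:
    """Q2: which security mechanisms are we having trouble implementing?"""
    return Counter(d.mechanism for d in defects).most_common(top)


def troubled_vulnerabilities(defects: List[SecurityDefect], top: int = 3) -> List[Tuple[str, int]]:
    """Q3: which vulnerabilities are we having trouble avoiding?"""
    return Counter(d.vulnerability for d in defects).most_common(top)


def process_report(defects: List[SecurityDefect] = DEFECTS) -> dict:
    """Answer the three questions; the dominant stage points at the process step
    to improve (design-heavy: threat modeling; implementation-heavy: guidelines
    and code review; deployment-heavy: configuration management)."""
    by_stage = flaws_by_stage(defects)
    return {
        "by_stage": by_stage,
        "top_stage": max(by_stage, key=by_stage.get),
        "mechanisms": troubled_mechanisms(defects),
        "vulnerabilities": troubled_vulnerabilities(defects),
    }


if __name__ == "__main__":
    for key, value in process_report().items():
        print(f"{key}: {value}")
```

On the constructed export the report shows implementation as the dominant origin and input validation as the mechanism most often got wrong, which is the kind of evidence that justifies a secure implementation guideline and a code review checkpoint rather than another round of fixes.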
Roles
Role of security architect (cross-development projects):
- ensure security goals are reached during all cycles of the development process
- create awareness within development teams, business
- bridge function to "IT Security"
- mentor the security engineers and project leaders
Role of security engineer (part of project team):
- SPOC within development team for all security related matters.
Search for Champions!
Agenda
Application Security Assurance Risk Management Bootstrap Application Security Assurance
Cycle User Story: Mercator Insurances Outsourced Development Roundup
50OWASP AppSec Europe 2006
Bootstrapping User Story – Mercator Insurances
- Triggered by application assessment on critical Web Applications
- Tailored Best Practices to Mercator Development & Deployment Process
  - Interviews with key actors
  - Support by Mercator Security Architect
  - Included PMO
- Workshops for developer awareness & involvement in AppSec Assurance process
Split Secure Development Guidelines
- Different involved people
- Different environments
Added Security Checkpoints in phased approach
Lessons Learned
- Management support
- Look for Quick Wins
- Convince developers + other parties
  - Interviews
  - Awareness & empowerment through workshops
- Include PMO
  - Provide PM checklist
  - Sign-off responsibility!
- Identify & leverage existing access control and authorization frameworks
- Bridge gap development - deployment
Agenda
Application Security Assurance Risk Management Bootstrap Application Security Assurance
Cycle User Story: Mercator Insurances Outsourced Development Roundup
55OWASP AppSec Europe 2006
Software Security Assurance in Outsourcing
- Define security requirements and priorities
- Assign responsibility for identifying and remediating coding flaws
- Reserve the right to audit
- Save money by ensuring that testing eliminates major security issues pre-deployment
- Negotiate a more active contract with less time for rework needed at the end
Benefits for Outsourced development
Cost savings:
- No additional hours and fees to fix software
- No lost revenue due to delay in deployment
Risk measurement and reduction:
- Providers understand what’s expected
- Enforce internal security policies regardless of code source
- Reduced patch and fix cycle speeds deployment
- Set security acceptance and release criteria
Compliance reporting
OWASP Legal Project?
Agenda
Application Security Assurance Risk Management Bootstrap Application Security Assurance
Cycle User Story: Mercator Insurances Outsourced Development Roundup
58OWASP AppSec Europe 2006
Roundup
Embed within complete approach:
- Educate people
- Add security best practices to processes
- Tailor secure design guidelines to company culture
- Leverage existing tools & practices
Risk Management is Key!
Get Improvement Cycle going!
- Cultural changes
- Bridge Building
Gartner 2006(*):
Proper execution: improves application security, reduces overall costs, increases customer satisfaction and yields a more-efficient SDLC.
(*) Gartner Report - Integrate Security Best Practices and Tools Into Software Development Life Cycle