

Page 1: Daitan Whitepaper Building a Security Mindset Around ... · OWASP’s 2017 Top Ten Application Security Risks A well respected resource, the Open Web Application Security Project,

The Trends and Impact of Cyberattacks

Cyberattacks are the top concern for all digital businesses worldwide. In 2017 cyberattacks increased in frequency, diversity and damage. Various widely-publicized attacks resulted in the theft of personal information for millions of people worldwide. Even more troubling is the advent of aggressive business disruptive attacks in which business operations are damaged, productivity seriously impacted and extraordinary unplanned costs incurred trying to recover—including regaining confidence in the company’s brand by customers, partners, and staff.

As the threat landscape continues to accelerate and evolve, companies are re-evaluating how to better protect core assets, as well as instilling security into the very fabric of their product development efforts.

In this paper, Daitan reviews the threat landscape and common vulnerabilities of 2017. In the context of application development and security measures, we discuss the role Digital Transformation plays in security. In addition, we review how the evolution of software development technologies, architectures and the growing use of third party resources (both proprietary and open source) has influenced development processes and security measures. Finally, we provide our thinking and approach to building a security mindset for application development.

The Cost and Frequency of Cyberattacks Escalates

Industry experts researching and tracking damage from cyberattacks provide plenty of staggering data points about the cost to business.

White Paper: Building an Application Development Security Mindset | © Daitan Group 2017 | Accelerating.TM 1

DAITAN WHITE PAPER

Building an Application Development Security Mindset

ORGANIZATIONS MUST SWITCH FROM REACTIVE TO PROACTIVE APPROACHES

White Paper Contents

• Trends & Impact Of Cyberattacks

• Common Vulnerabilities In Software Products

• How Has Digital Transformation Affected Security Risks?

• What Does It Take To Build A Security Mindset?

• Application Security Testing Tools


According to the 2017 Cost of Cyber Crime report published by Ponemon Institute and Accenture, “the accelerating cost of cybercrime is now 23 percent more than last year and is costing organizations, on average, US$11.7 million.…One of the most significant data breaches in recent years has been the successful theft of 143 million customer records from Equifax—a consumer credit reporting agency—a cybercrime with devastating consequences due to the type of personally identifiable information stolen and knock-on effect on the credit markets. Information theft of this type remains the most expensive consequence of a cyber crime…”

Figure: Global Average Cost of Cyber Crime Over Last Five Years [1]

In terms of market verticals, no industry can avoid the inevitability of a cyberattack. However, some industries are naturally more lucrative to hackers as they follow the money to breach data. As described in Ponemon’s study, Financial Services and Utilities and Energy sectors experienced the highest cost from cybercrime at $18.3M and $17.2M respectively. They were followed by Aerospace/Defense at $14.5M and Technology/Software at $13.2M.

In another breach broadly covered by media, Sony Pictures Entertainment was the target of an aggressive cybersecurity business disruption attack. This specific attack differs from many other high profile examples where the intended damage was accessing sensitive personal data. The Sony attack maliciously disrupted business operations by taking down servers, wiping out data and releasing Sony’s corporate intellectual property. As a result of the attack, Sony’s internal operations and internal network remained offline for approximately five months. The company stated that the cost of the attack was well within the bounds of their insurance coverage, however the intangible cost to brand image equity and customer relationships were nearly impossible to measure.

[1] 2017 Ponemon Cost of Cyber Crime Report, https://www.accenture.com/us-en/insight-cost-of-cybercrime-2017


“Cybercrime, by definition, is the greatest threat to every profession, every industry, every company in the world.”

Ginni Rometty, IBM


What are the Common Vulnerabilities in Software Products?

Understanding the big cost picture definitely helps, but taking a closer look at where the vulnerabilities might exist provides insights that can guide how engineers can improve security best practices.

There are many resources that track, benchmark and report on security vulnerabilities. We highlight a couple below: Ponemon Research, which has provided year-over-year reporting continuity since 2005, and the Open Web Application Security Project (OWASP), an open community-based security project that provides data gathered from its member organizations.

Of course many companies also rely on The National Institute of Standards and Technology (NIST), which is part of the U.S. Department of Commerce and hosts the National Vulnerability Database (NVD). The NVD is a repository of standards-based vulnerability management data represented using their Security Content Automation Protocol (SCAP). NVD advocates that using their products and data can help organizations automate vulnerability management, security management and compliance. The NVD includes databases of security checklist references, security related software flaws, misconfigurations, product names, and impact metrics.

In addition to OWASP, Ponemon and NVD, we recommend reading a few other reports more specific to application testing, such as those from WhiteHat Security, Veracode and Trustwave, among others.

Figure: Ponemon’s 2017 Study Reveals Most Common Types of Attack Methods (Source: Ponemon 2017 Report)


According to the Ponemon study, which includes 250+ participating companies that shared the types of attack methods experienced, “Virtually all organizations had attacks relating to viruses, worms and/or trojans and malware over the four-week benchmark period. Malware attacks and malicious code attacks are inextricably linked. We classified malware attacks that successfully infiltrated the organizations’ networks or enterprise systems as a malicious code attack. 69% of companies experienced phishing and social engineering and 67% of companies had Web-based attacks.”

OWASP’s 2017 Top Ten Application Security Risks

A well respected resource, the Open Web Application Security Project (OWASP), has published its 2017 Top Ten Application Security Risks,[2] which any organization can reference to understand not only what is happening, but also to find technical explanations and risk scoring.

OWASP’s aim is to provide the community with guidance on establishing proactive security controls as a means for developers and quality assurance teams to build security into application development; as well as an Application Security Verification Standard (ASVS) to promote review.

In their most recent 2017 report, the top ten vulnerabilities are based on direct input from community member organizations with the purpose of identifying the most serious security risks they experienced. OWASP compares the threat landscape between 2013 and 2017 to demonstrate how vulnerabilities have evolved.

[2] OWASP, www.owasp.org


OWASP Top 10 - 2013 compared with OWASP Top 10 - 2017 (✖ = dropped from the 2017 list)

OWASP Top 10 - 2013                                          OWASP Top 10 - 2017
A1  Injection                                                A1:2017  Injection
A2  Broken Authentication & Session Management               A2:2017  Broken Authentication
A3  Cross-Site Scripting (XSS)                               A3:2017  Sensitive Data Exposure
A4  Insecure Direct Object References [merged with A7]       A4:2017  XML External Entities (XXE) [NEW]
A5  Security Misconfiguration                                A5:2017  Broken Access Control [Merged]
A6  Sensitive Data Exposure                                  A6:2017  Security Misconfiguration
A7  Missing Function Level Access Control [merged with A4]   A7:2017  Cross-Site Scripting (XSS)
A8  Cross-Site Request Forgery (CSRF) ✖                      A8:2017  Insecure Deserialization [NEW, Community]
A9  Using Components with Known Vulnerabilities              A9:2017  Using Components with Known Vulnerabilities
A10 Unvalidated Redirects & Forwards ✖                       A10:2017 Insufficient Logging & Monitoring [NEW, Community]

OWASP’s Objective: “Be the thriving global community that drives visibility and evolution in the safety and security of the world’s software.” Source: www.owasp.org


How Has Digital Transformation Affected Security Risks?

In the not too distant past, the only way an attacker could steal money and damage a company was through a physical intrusion. Companies were safe based on the height of their walls and the strength of their doors. Those companies that had a lot to lose enhanced their safety with security guards, cameras, alarms, etc. The point was to prevent unauthorized people from gaining access to their premises and to protect against unwanted breaches. At that time, security teams used to work hard to minimize points of entry, strengthen walls and doors, identify everyone allowed into the buildings, and finally, monitor what people could bring in and out of the company.

Today, the digital interfaces have become the “new doors” that need to be guarded. Firewalls and security measures have replaced the physical walls, and security guards and monitoring systems augment cameras and alarms.

The same mindset of the past holds true today—security is defined by how seriously companies safeguard their digital premises. Application programs used by companies need to be protected from hackers, and the only way of doing that is to apply modern security principles at the level of software programs and interfaces.

Digital Business has brought the potential for increased risk of cyberattack unless companies build a systemic security mindset to protect themselves from targeted vulnerabilities.

Total risk for an organization is known as its ‘attack surface’, which increases with the following digital business features and trends:

Digital Ecosystems. Digital businesses are driven by an event-driven mindset in which externally-facing digital interfaces are implemented for managing relationships with suppliers, distributors, partners and customers. While these ecosystems are vital to business, they do increase a company’s security exposure and therefore should be a focal point for risk assessment and mitigation.

Mobile Users. The wide variety of user devices and environments makes digital interfaces more numerous and more complex. Users are accessing through desktop, mobile, online and a variety of new devices such as home cameras, sensors, gadgets and conversational interfaces. Every Digital Business strives to connect with customers everywhere in order to improve and accelerate the “customer journey.” Once again, if this dominates your business and customer service strategies, then careful risk assessments and mitigation efforts are necessary to reduce the threat.

Internet of Things. Billions of smart devices and connected sensors are coming online. Many are small, light and inexpensive, with constrained compute capabilities and power budgets. Those constraints limit the security mechanisms that can be embedded on those devices (e.g. antivirus scanning). Even worse, those devices are usually not consistently upgraded when new firmware versions are released, opening the possibility for attackers to exploit known vulnerabilities. IoT devices—both industrial and consumer—result in new digital interfaces that create the risk of new vulnerabilities. The risk associated with IoT increasingly represents an emerging and growing threat that concerns many security professionals. We believe this will continue to be a main focus area as new vectors of attack appear via IoT.

Fact is, the digital world is possible due to remote connections, microservices, APIs and integrations. Companies share resources and data using these common channels. The business benefit is obvious, making companies more responsive to customers and better equipped to compete in an accelerating, hyper-connected, 24x7 digital world.

However, if both sides of “the connection” do not take the proper security precautions, the potential risk of an attack coming from an assumed “trustable source” could become an ugly, costly reality. Thus, building a secure mindset is critical to ensuring continued momentum around Digital Transformation.

The Symbiotic Relationship Between Digital Transformation and DevOps—and Now Security

History shows us that as companies have moved to innovate faster and become digital businesses, they also adopted new best practices between development and operations—Agile and DevOps. The business need for rapid innovation has absolutely fueled the adoption of these practices so companies can benefit from Digital Business while ensuring the velocity of change did not break the organization. The relationship is, in essence, symbiotic.

More recently as Digital Transformation continues to grow, this expansion of “exposed surface areas” has called new attention to the security risk it creates. Once again the need for organizational and process evolution arises as we hear calls for better security practices.


As Software Development Evolves, What’s Been the Industry’s Response to Threat?

The Change in Application Technology Correlates to Greater Application Security Programs

The past few years have brought fundamental and significant changes to how applications are architected and the technologies used to build them. The new open API economy and the use of third-party software components have enabled the connectivity relevant to Digital Transformation, and exposed new vulnerabilities that require updated thinking around establishing trust in those connections.

According to the SANS Institute, “The reliance on remote services exposes software to new risks. Services need to be carefully authenticated, and data received needs to be validated. Ad-hoc services are difficult to inventory and security scans must consider that the service will only be started as needed.”

The bottom line is, relying on remote services is almost mandatory these days, but we have to be sure that the proper security measures are in place to monitor, authenticate and validate all the information that is not under your control.
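What “authenticate the service and validate the data received” looks like in code, as an added example that is not part of this whitepaper or of the SANS material it quotes: the remote service is assumed (a hypothetical convention chosen for the demo) to sign each raw message body with HMAC-SHA256 under a shared secret, and the receiver refuses to interpret the body until that signature checks out, then enforces an exact schema with no unknown fields. The secret, the schema and the sample messages are all constructed for the demo.

```python
"""Authenticate a remote service's message and validate its data before use.

Added illustration of the SANS point quoted above; not code from the
whitepaper or from SANS. It assumes a hypothetical convention in which the
remote service signs the raw message body with HMAC-SHA256 under a shared
secret and sends the hex digest alongside it. Secret, schema and sample
messages are constructed for the demo.
"""
import hashlib
import hmac
import json

SHARED_SECRET = b"demo-shared-secret"  # constructed; real secrets come from a secret store
MAX_BODY_BYTES = 64 * 1024

# Expected message shape: field -> (exact type, value check)
SCHEMA = {
    "order_id": (str, lambda v: 1 <= len(v) <= 32 and v.isalnum()),
    "amount_cents": (int, lambda v: 0 <= v <= 10_000_000),
    "currency": (str, lambda v: v in {"USD", "EUR", "BRL"}),
}


class RejectedMessage(ValueError):
    """Raised for any message that fails authentication or validation."""


def sign(body, secret=SHARED_SECRET):
    """What the remote service computes over the raw body it sends."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_and_parse(body, signature, secret=SHARED_SECRET):
    """Return the validated message dict, or raise RejectedMessage."""
    # Cheap size guard first, then authenticate before interpreting anything.
    if len(body) > MAX_BODY_BYTES:
        raise RejectedMessage("body too large")
    if not hmac.compare_digest(sign(body, secret), signature):  # constant-time compare
        raise RejectedMessage("bad signature")
    try:
        data = json.loads(body)
    except ValueError as exc:
        raise RejectedMessage(f"malformed JSON: {exc}") from exc
    if not isinstance(data, dict):
        raise RejectedMessage("expected a JSON object")
    # Strict schema: no unknown fields, every field present, exact type, value in range.
    unknown = set(data) - set(SCHEMA)
    if unknown:
        raise RejectedMessage(f"unexpected fields: {sorted(unknown)}")
    for name, (expected_type, is_valid) in SCHEMA.items():
        if name not in data:
            raise RejectedMessage(f"missing field: {name}")
        value = data[name]
        # type() rather than isinstance(): bool is a subclass of int and must not pass as int
        if type(value) is not expected_type or not is_valid(value):
            raise RejectedMessage(f"invalid value for {name}")
    return data


def classify(body, signature):
    """Convenience wrapper returning 'accepted' or the rejection reason."""
    try:
        verify_and_parse(body, signature)
        return "accepted"
    except RejectedMessage as exc:
        return str(exc)


def demo():
    """Run constructed messages through the check; returns {label: outcome}."""
    good = json.dumps({"order_id": "A1B2C3", "amount_cents": 1999, "currency": "USD"}).encode()
    good_sig = sign(good)
    tampered = good.replace(b"1999", b"1")  # body altered after it was signed
    extra = json.dumps({"order_id": "A1B2C3", "amount_cents": 1999,
                        "currency": "USD", "admin": True}).encode()
    bool_amount = json.dumps({"order_id": "A1B2C3", "amount_cents": True, "currency": "USD"}).encode()
    return {
        "valid": classify(good, good_sig),
        "tampered": classify(tampered, good_sig),
        "extra_field": classify(extra, sign(extra)),
        "bool_amount": classify(bool_amount, sign(bool_amount)),
        "not_json": classify(b"<xml/>", sign(b"<xml/>")),
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:>12}: {outcome}")
```

The order of the checks is the point: origin is established before the body is parsed, and the schema rejects anything it was not told to expect, so a field the service never agreed to send (or a value of the wrong type) cannot reach application logic. A timestamp or nonce in the signed body, checked against a replay window, would be the natural next addition.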

The SANS Institute State of Application Security Survey Provides Insights into Measures Companies Take

The SANS 2016 survey of over 450 companies covers many topics, reflecting the current status of security implementations, the biggest challenges facing these organizations, and how they are approaching solutions.

The report reveals a large percentage of respondents describe their Application Security (AppSec) programs to be in various states of maturity; and describes a variety of well-targeted activities to improve security measures, including:

• Integrating AppSec into their security programs, risk management and overall incident response programs;

• Imposing greater documented approaches and policies to validate third-party vendor best practices; and,

• Defining testing roles and responsibilities across their security, development, business, architecture and quality assurance teams.


SANS’ Objective: The SANS Institute was established in 1989 as a cooperative research and education organization. It is a trusted resource for information security training and security certification. Source: www.sans.org


Even though most companies are in a state of perpetually “maturing” their application security measures, we believe these are useful insights into how organizations are changing, and can serve as a solid benchmark to compare your own current internal security measures versus peer organizations.

Top Concerns: Skills, Tools and Methods. For example, one of the top 3 concerns was lack of skills, tools and methods. Further in the discussion, as expected, a focus on training emerges in the results as an important enabler to not only improve skills, but implement better development practices and testing. Nearly half of all respondents indicated that training developers on application security was a top priority, and some even increased testing responsibility at the development team level in order to accelerate competencies within development organizations.

The Importance of Continuous Testing. In terms of application testing, the results were an interesting reflection of the value SDLC (Software Development Life Cycles), Agile and DevOps have brought to software development overall. Survey responses about testing schedules varied, but “60% indicated that they test applications continuously, with 27% using continuous assessment in their Agile development processes and 53% of respondents testing applications when they are initially launched into production.” 3

Is Using Open Source Code Secure?

Open Source believers often say their code is more secure because the community dynamic inherently catches, remediates and resolves bugs faster than internally-developed code. For contributors, it’s like having an extended team that helps ensure quality in addition to your own code audits.

At Daitan we believe in the value of open source and have written a whitepaper providing guidance to developers and companies on making the business case for taking your code Open Source.[4] That said, there are things to watch for when considering using open source code in a development project, such as community activity (number of commits, number of committers from different companies, number of merges, forks, etc.), size, and the time it takes for the organization to respond.

[3] SANS Institute 2016 State of Application Security

[4] Daitan Whitepaper, Making the Business Case for Taking Your Code Open Source. Link: http://www.daitangroup.com/wp-content/uploads/2017/05/Daitan_Whitepaper_Making_the_Business_Case_to_Open_Source_Your_Software.pdf

“Based on the SANS Institute data, we believe it is encouraging that 60% (of surveyed organizations) indicated they test applications continuously, with 27% using continuous assessment in their Agile development processes.”

Daitan Group

However, it’s not always so simple. Activity can be a good indication of interest in and usage of an open source project, but not always. When the code serves a broad function and multiple markets, vibrant activity is a good sign. Yet some open source code that is narrowly applied may not require frequent updates. For example, FreeSWITCH has thousands of contributors and committers; however, it is so large that it is used for several different types of applications. So you can compare FreeSWITCH with Asterisk to get a relative comparison.

Kazoo is much smaller than FreeSWITCH, and Kazoo is dedicated to a single application. It uses other open source projects (including FreeSWITCH, Kamailio, CouchDB and RabbitMQ). So, one commit at Kazoo is most probably tailored to what you need, if you are using Kazoo, whereas one commit at FreeSWITCH may not be related at all to what you have implemented.
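The activity signals listed above, and the caveat that a commit in a large multi-purpose project may not touch the part you actually use, can be measured directly from a dependency’s git history. The following script is an added example written for this whitepaper; it is not Daitan’s code nor any project’s own tooling. It parses a `git log` dump in the fixed format given by GIT_LOG_COMMAND and scores recent activity both overall and within the subtree you depend on. The log it runs on is constructed for a hypothetical project and is not real FreeSWITCH or Kazoo history.

```python
"""Measure how active an open source dependency is for the part of it you use.

Added illustration for this whitepaper, not Daitan's code. It parses a
`git log` dump produced with GIT_LOG_COMMAND and computes the activity
signals the text lists (commits, distinct committers, distinct committer
organisations approximated by e-mail domain) plus, for a large
multi-purpose project, the share of recent commits that touch the subtree
you depend on. SAMPLE_LOG is constructed for a hypothetical project.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Run this inside the dependency's clone to produce the format parsed below.
GIT_LOG_COMMAND = (
    "git log --name-only --date=iso-strict "
    "--pretty=format:'commit %H%n%ae%n%ad'"
)

# Constructed sample in that format: one commit per block, blank-line separated.
SAMPLE_LOG = """\
commit 1111111111111111111111111111111111111111
alice@example-corp.com
2017-11-02T10:15:00+00:00

src/core/switch.c
src/core/switch.h

commit 2222222222222222222222222222222222222222
bob@example-corp.com
2017-10-28T09:00:00+00:00

src/mod/mod_video/mod_video.c

commit 3333333333333333333333333333333333333333
carol@other-org.example
2017-10-20T17:45:00+00:00

src/core/session.c
docs/sessions.md

commit 4444444444444444444444444444444444444444
dan@third.example
2017-06-01T08:30:00+00:00

src/core/switch.c
"""

REFERENCE_DATE = datetime(2017, 11, 10, tzinfo=timezone.utc)  # "today" for the demo


@dataclass
class Commit:
    sha: str
    author_email: str = ""
    date: datetime = None
    files: list = field(default_factory=list)


def parse_git_log(text):
    """Parse the fixed-format log into Commit records."""
    commits, current, expect = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("commit "):
            current = Commit(sha=line.split()[1])
            commits.append(current)
            expect = "email"
        elif current is None or not line:
            continue  # blank separators, and anything before the first commit
        elif expect == "email":
            current.author_email = line.lower()
            expect = "date"
        elif expect == "date":
            current.date = datetime.fromisoformat(line)  # iso-strict keeps the UTC offset
            expect = "files"
        else:
            current.files.append(line)
    return commits


def activity_report(commits, subtree, window_days=90, now=None):
    """Activity inside the window, overall and restricted to `subtree`."""
    now = now or datetime.now(timezone.utc)
    recent = [c for c in commits if (now - c.date).days <= window_days]
    relevant = [c for c in recent if any(f.startswith(subtree) for f in c.files)]
    domains = Counter(c.author_email.split("@")[-1] for c in recent)
    return {
        "commits": len(recent),
        "committers": len({c.author_email for c in recent}),
        "organizations": len(domains),
        "relevant_commits": len(relevant),
        "relevant_share": round(len(relevant) / len(recent), 2) if recent else 0.0,
    }


def demo():
    """Report for the constructed log as if evaluated on REFERENCE_DATE."""
    return activity_report(parse_git_log(SAMPLE_LOG), "src/core/", now=REFERENCE_DATE)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>17}: {value}")
```

On the constructed log, three of four commits fall inside the 90-day window, they come from three committers at two organizations, and two of the three touch `src/core/`, the subtree the hypothetical consumer depends on. The `relevant_share` figure is the one that separates “this project is busy” from “the code I ship is maintained”; run it against the real subtree you import and compare it across candidate dependencies rather than reading raw commit counts.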

How a Financial Services Open Source Platform Secures Code

The Symphony Software Foundation is a non-profit organization that fosters an open ecosystem around open source in the Financial Services industry. The Financial Services industry leverages Symphony for internal and external communication, feeds of financial information and market data, as well as integration with trading platforms. We think it makes a good case study for how open source is “done right.”

The Foundation released the Open Developer Platform (ODP), the venue for FinServ collaboration on open source. ODP is built and trusted by Foundation members, the biggest FinServ/FinTech firms worldwide. To reduce vulnerabilities in components, the Foundation offers access to Application Security Testing (AST) tools. It also encourages developers to provide compliance reports to support component activation.

The Open Developer Platform (ODP) is a collaborative initiative that delivers a secure and compliant sandbox for software development in the financial world. Source: Symphony - Open Developer Platform (ODP)


The Symphony Foundation demonstrates solid best practices that help developers ensure their code is high quality, compliant and secure when using the Open Developer Platform (ODP). For example:

• Source Code Management (SCM). The SCM is structured to streamline tasks, documentation and facilitate compliance checking while always preserving the contributor’s control.

• Build Process Optimization. It’s easy for developers to define the technologies and tools necessary for optimizing (and maintaining) the build process. The Symphony Foundation environment gives developers a flexible structure to configure their build process.

• Test Automation & Infrastructure. Providing easy-to-use automated testing and release features, such as shared build infrastructure, enables developers to readily set up a continuous integration build process. Having easy access to proper infrastructure avoids a common mistake: running the build process on developers’ workstations, which can be misconfigured in ways that lead to build failures.

• Code Validation. When it comes to validating the code’s quality, legal compliance and security—which is mission critical for applications in the highly regulated financial services space—the Foundation’s ODP provides several code validation tools, depending on the language and use case you’re trying to solve.

Important Takeaways About the Software Industry’s Response

The important takeaways come down to a few concepts. First, we encourage you to check out the 2016 SANS Institute survey to see where you stand relative to similar organizations.

Second, great value has been gained through the growth of Digital Transformation, the API Economy and Open Source. The business value created by these drivers means they will continue to play important roles in how software is developed and made secure. And, as software development continues to evolve, so will the threat landscape—the two are inextricably linked.

Finally, as software professionals, we must continuously work toward building an ever-vigilant security mindset.


What Does It Take to Build a Security Mindset?

Just planning rapid response to cyberattacks is no longer sufficient. Businesses must do more to thwart potential attacks. So, while the concept of Business Continuity Management[5] remains vital to the company’s security strategy, it’s a reactive approach.

We believe engineering organizations must do more to anticipate vulnerabilities and incorporate a security mindset from the point of inception and carry it throughout the product lifecycle. In short, organizations must switch from reactive to proactive approaches.

Regardless of your development environment and practices, security must fundamentally factor into your thinking throughout. We consider the following 5 core tenets as essential to building a security mindset:

[5] Business Continuity Management (BCM): a framework for identifying an organization's risk of exposure to internal and external threats. www.bcmpedia.org


The Technical Components for Building a Security Mindset

In Daitan’s experience, we approach security by looking at three key technical components that should factor into a plan:

1. Security Frameworks: Review, select and adopt proven and appropriate security-focused frameworks.

2. Security + DevOps: Fully integrate the framework processes into your DevOps progression.

3. Security Tools: Select and deploy security validation tools for engineering and production systems.

#1 Secure Frameworks are the Cornerstone of an Application Development Security Plan

Security frameworks are resources for developing secure code and addressing security compliance requirements. We believe the right objective is to review, select and adopt proven and appropriate security-focused frameworks based on best practices, software libraries and standards and governance policies that align to your specific industry.

Best Practice Frameworks. These frameworks are collections of rules, techniques and processes that guide development organizations and frequently provide resources that can be applied directly. Organizations should select the frameworks that most closely match their needs. In some cases organizations blend the benefits of several into a hybrid approach, in order to optimize for their environment and needs. Here are three framework examples:

• Open Web Application Security Project (OWASP). [www.owasp.org] Mentioned earlier, this open community provides data about top vulnerabilities, the associated impact and risk; as well as guidance for best practices for developing and reviewing secure web apps.

Daitan has had some experience using OWASP. As new code was developed for a client, we used the OWASP 2017 Top 10 Vulnerabilities as a consistent benchmark to test against. For each of the risks, OWASP provided guidance about how to determine if an application is vulnerable, example attack scenarios and how to prevent an attack in the first place.

The Top 10 Vulnerabilities also includes guidance on how to effectively find vulnerabilities in web applications and APIs using the OWASP Testing Guide. All of these resources and the overall OWASP community gave structure to the development process, which the client continues to follow today.

• Microsoft Secure Development Lifecycle (SDL). [www.microsoft.com/en-us/sdl] Secure software development process and best practices. Their process steps fit well within existing DevOps environments, and provide a more generic structure that does a good job at incorporating security throughout the process.

Based on our experience, the Microsoft SDL framework is not specific to any application type or operating environment. The framework processes are suitable for integrating with the DevOps progression and provide a good vehicle for developing, publishing and maintaining secure code.

Figure: Microsoft SDL Framework [6]

As the diagram colors indicate, the middle 5 (green) phases are the core of this Security Development Lifecycle. The Training phase is for preparation and further reflects the emphasis to bring security training across all the organizational disciplines as described earlier in the SANS Institute survey report. The Response phase is separate from the Security Development Lifecycle and focuses entirely on operations, specifically responding to attacks.

• Industrial Internet Consortium (IIC). [www.iiconsortium.com] The IIC published an Industrial Internet Security Framework report derived from an active working group as part of the IIC.

Founded by 5 large industrial giants: AT&T, Cisco, General Electric, Intel, and IBM, their mission is to “deliver a trustworthy IIoT in which the world’s systems and devices are securely connected and controlled to deliver transformational outcomes.”

[6] Microsoft Security Development Lifecycle Process: https://msdn.microsoft.com/en-us/library/windows/desktop/cc307406.aspx


The group was formed to help identify the requirements for open interoperability standards and to define common architectures to connect smart devices, machines, people, and processes. The IIC is not a standards organization; however, it strongly advocates open standard technologies in order to ease the deployment of connected technologies. [7]

#2 Security + DevOps—How Secure DevOps or DevSecOps Fits

At Daitan we believe security factors into every project from the point of inception, not as an afterthought at the point of production release. So, not only do we apply DevOps principles, we also incorporate security throughout; in other words, we advocate secure DevOps, or a DevSecOps model. Some DevOps practitioners refer to this as Rugged DevOps. Gartner's graphic demonstrates the flow and concept of Continuous Delivery encompassed by security.

Just as DevOps requires simultaneously addressing development and operational issues, security concerns must now be addressed as well. Security + DevOps or DevSecOps involves not only expanding each phase to include a security focus, but incorporating cross-functional training.

Training, Skills & Culture

Whether you are adding security experts to the team or training existing members to recognize security issues in code; adopting a security mindset in which security is an ongoing, integrated concern—and not an afterthought—is a challenging cultural change. But, it is essential to success.

[7] Industrial Internet Consortium: Industrial Internet of Things Volume G4: Security Framework, Sept 2016, https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf

One practical way to start the developers training on security is during the Sprint demo presentation. Invite security team members to participate in order for them to evaluate and identify potential risks. This simple step helps enhance the security training of all developers and reinforces the importance of security throughout development.

Requirements & Risk Assessments

Start by describing the full attack surface: the set of digital interfaces that could have vulnerabilities subject to exploitation in a cyberattack. Evaluate the cost of a successful exploit of each interface and the strategies for minimizing that risk. This includes monitoring the National Vulnerability Database (NVD) and other sources of information on new threats and exploits. Use this to generate an overall risk assessment and to define acceptable levels of risk.

Plan, Design & Architecture

Develop specifications for the methods, algorithms and tools to be employed in implementation. External modules from vendors and open source should be subject to rigorous security validation.

Create & Implement Development Testing

Define coding best practices to minimize introducing vulnerabilities. Integrate code reviews. Select and use tools for static code validation and dynamic validation during execution.

Verify Throughout

Expand Agile acceptance criteria to include security test plans and test execution using automated tools. Develop careful staging plans that can be used to test code against real-world threats without exposing valuable or sensitive data.

PreRelease, Configure & Release

Maximum automation and diligent version management, with selective, stage-wise deployment, are essential. Every deployment stage must be tested immediately and must support non-destructive rollback if problems occur. In general, adding security to DevOps raises the stakes for problem-free releases and magnifies the cost of errors.

Monitor, Detect, Predict & Respond

Automated system monitoring is especially important. Monitoring should be comprehensive and enduring. Where possible, interactive self-healing tools should be used for immediate response to new threats. Develop a comprehensive Business Continuity Management plan that includes specific emphasis on security.

The DevSecOps Manifesto

While the change to DevSecOps is important, it also has an impact on organizations—engineering, operations and security—so recognizing the cultural ramifications helps business executives implement change.

There is a Manifesto, highlighted below, that walks through how to think about, and approach DevSecOps—in other words, building that security mindset.


The DevSecOps Manifesto (www.devsecops.org)

• Leaning in over Always Saying "No"
• Data & Security Science over Fear, Uncertainty and Doubt
• Open Contribution & Collaboration over Security-Only Requirements
• Consumable Security Services with APIs over Mandated Security Controls & Paperwork
• Business Driven Security Scores over Rubber Stamp Security
• Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities
• 24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident
• Shared Threat Intelligence over Keeping Info to Ourselves
• Compliance Operations over Clipboards & Checklists


#3 Security Tools—What are They and What's Important to Application Development?

In our experience, including security in the development process means living it from the point of inception and throughout the product lifecycle. As part of living DevSecOps, when considering Application Security Testing tools, keep in mind that it is better to identify the tool set you want to use up front, in order to optimize instrumentation in the code. Otherwise, the tools may not perform properly or may not fully scan the code.

To give some perspective as to the magnitude and breadth of security investment by organizations, we start with a look at how larger enterprises scope investment, which includes IT departments. More specific, and relevant, to engineering organizations are Application Security Testing (AST) Tools which is a rapidly evolving and growing industry that includes many players and methods.

Typical Enterprise Security Investments According to Ponemon

Enterprise investment in security tools takes a fairly broad view, as described in the Ponemon report. The following chart shows nine enabling security technology categories, with each bar representing the percentage of companies fully deploying that technology. The top three categories are security intelligence systems (67%), access governance tools (63%), and advanced perimeter controls (58%).

[Chart: percentage of companies fully deploying each of nine enabling security technology categories. Source: Ponemon 2017 Report]

"Security testing is growing faster than any other security market, as AST solutions adapt to new development methodologies and increased application complexity. Security and risk management leaders must integrate AST into their application security programs."

Source: Gartner Research, Magic Quadrant for Application Security Testing 2017


Application Security Testing (AST)

Application Security Testing (AST) tools are divided into three categories (see below) and can be delivered as a tool or as a subscription service. Gartner's 2017 Magic Quadrant report indicates that "the majority of enterprises that develop applications employ some form of AST, but the various technologies differ in adoption and maturity. DAST and SAST are the most widely adopted, while IAST adoption is still growing." [8]

Static Application Security Testing (SAST)

Static tools analyze an application’s source code, byte code or binary code for vulnerabilities. This includes weak parsing that exposes code to injection vulnerabilities. Static tools also target weak encryption algorithms that put sensitive data at risk or unconstrained system permissions that allow inappropriate access.
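The following is an added example, not code from the white paper or from any SAST vendor, showing what a static tool actually does with the three classes of weakness named above: it walks the abstract syntax tree of a module and matches sinks and literals, never running the program. The four rules, the `Finding` structure and the sample module being scanned are all constructed for illustration; a commercial SAST engine adds inter-procedural data-flow tracking on top of this kind of pattern match.

```python
"""Toy static analysis (SAST) pass for Python source, built on the standard
library's ast module.  Added example; not code from the white paper or from any
vendor tool.  The rules and the sample program are constructed for illustration."""
import ast
from dataclasses import dataclass

WEAK_HASHES = {"md5", "sha1"}


@dataclass
class Finding:
    line: int
    rule: str
    detail: str


def _dotted(node):
    """Return 'pkg.attr.attr' for a Name/Attribute chain ('' if it is not one)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))


def _const(node):
    """Literal value of an ast.Constant, else None."""
    return node.value if isinstance(node, ast.Constant) else None


class Analyzer(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def report(self, node, rule, detail):
        self.findings.append(Finding(node.lineno, rule, detail))

    def visit_Call(self, node):
        name = _dotted(node.func)
        args, kwargs = node.args, {kw.arg: kw.value for kw in node.keywords}

        # Rule 1: weak digest algorithms, hashlib.md5(...) or hashlib.new("md5")
        if name in {"hashlib." + h for h in WEAK_HASHES}:
            self.report(node, "weak-hash", name)
        elif name == "hashlib.new" and args and str(_const(args[0])).lower() in WEAK_HASHES:
            self.report(node, "weak-hash", "hashlib.new(%r)" % _const(args[0]))

        # Rule 2: SQL text assembled by %-formatting, f-strings, concatenation or
        # .format() and handed straight to execute(): an injection sink.
        if name.endswith(".execute") and args:
            q = args[0]
            built = isinstance(q, (ast.JoinedStr, ast.BinOp)) or (
                isinstance(q, ast.Call) and _dotted(q.func).endswith(".format"))
            if built:
                self.report(node, "sql-injection", "query built from string formatting")

        # Rule 3: subprocess.* with shell=True; the command line becomes injectable
        if name.startswith("subprocess.") and _const(kwargs.get("shell")) is True:
            self.report(node, "shell-injection", name + " with shell=True")

        # Rule 4: os.chmod with a literal mode that grants write to "others"
        mode = _const(args[1]) if name == "os.chmod" and len(args) > 1 else None
        if isinstance(mode, int) and mode & 0o002:
            self.report(node, "permissions", "mode %s writable by others" % oct(mode))

        self.generic_visit(node)   # keep descending: nested calls, arguments


def scan(source):
    """Return findings for one Python module, ordered by line number."""
    analyzer = Analyzer()
    analyzer.visit(ast.parse(source))
    return sorted(analyzer.findings, key=lambda f: f.line)


# Constructed sample module; line numbers are those of the string below.
SAMPLE = """
import hashlib, os, sqlite3, subprocess

def lookup(conn, user):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '%s'" % user)   # line 6: flagged
    cur.execute("SELECT * FROM users WHERE name = ?", (user,))    # line 7: parameterised, clean
    return cur.fetchall()

def fingerprint(data):
    return hashlib.md5(data).hexdigest()                            # line 11: flagged

def run(cmd):
    subprocess.call(cmd, shell=True)                                # line 14: flagged
    os.chmod("/tmp/out", 0o777)                                     # line 15: flagged
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line}: {f.rule}: {f.detail}")
```

Note what the pass cannot see: line 7 is clean only because the parameter is passed separately, and a query built in one function and executed in another would need data-flow tracking across calls, which is where real SAST products spend their engineering effort.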

Dynamic Application Security Testing (DAST)

Dynamic tools, sometimes marketed as automated penetration-testing tools, exercise an application while it is running, during testing or in production. They send simulated attacks over the application's external interfaces and analyze the responses to identify vulnerabilities, with no access to source code. Although Static and Dynamic AST tools are the most commonly used, each has different strengths. Static tools should be used as part of code acceptance criteria, typically at the programming and/or testing phases. SAST tools can also be used to validate external modules from third-party vendors or open source.

A Static tool is more likely to find Injection flaws, because it can trace untrusted input to the query or command that consumes it. In contrast, a Dynamic tool is more likely to find deployment and configuration flaws, such as gaps in Authentication or unconstrained Permissions, which exist only in the running system.
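As an added example (not from the white paper or from any DAST product), the black-box scanner below makes the contrast above concrete. The target is a constructed WSGI application with three deliberate flaws; the scanner sees only HTTP status, headers and body, which is exactly why it can spot the missing authentication and the missing hardening headers that no static tool could know about, while it detects the SQL injection only indirectly, through the database error the application leaks. The `request` helper, the probe payloads and the error markers are all assumptions made for this example.

```python
"""Toy dynamic (black-box) scanner driven against a running WSGI application.
Added example; not code from the white paper or from any scanner vendor.  The
target application, its flaws and the probe payloads are all constructed; the
scanner never sees source code, only HTTP status, headers and body."""
import io
import sqlite3
import urllib.parse

SQL_ERROR_MARKERS = ("sqlite3.", "syntax error", "unterminated", "you have an error in your sql")
REQUIRED_HEADERS = ("Content-Security-Policy", "X-Content-Type-Options", "Strict-Transport-Security")


def make_target():
    """Constructed vulnerable WSGI app: an unauthenticated /admin page and a
    /search endpoint that concatenates the q parameter into SQL."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products(id INTEGER, name TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?)", [(1, "anvil"), (2, "rope")])

    def app(environ, start_response):
        path = environ["PATH_INFO"]
        qs = urllib.parse.parse_qs(environ.get("QUERY_STRING", ""))
        if path == "/admin":                      # flaw: no authentication check at all
            start_response("200 OK", [("Content-Type", "text/html")])
            return [b"<h1>Admin console</h1>"]
        if path == "/search":
            q = qs.get("q", [""])[0]
            try:                                  # flaw: string-built SQL, error leaks to client
                rows = db.execute("SELECT name FROM products WHERE name LIKE '%" + q + "%'").fetchall()
            except sqlite3.Error as exc:
                start_response("500 Internal Server Error", [("Content-Type", "text/plain")])
                return [("sqlite3.OperationalError: %s" % exc).encode()]
            start_response("200 OK", [("Content-Type", "text/html")])
            return [", ".join(r[0] for r in rows).encode()]
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    return app


def request(app, method, path, query="", headers=None):
    """Minimal in-process HTTP client: builds a WSGI environ, returns (status, headers, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": query,
               "SERVER_NAME": "localhost", "SERVER_PORT": "80", "wsgi.url_scheme": "http",
               "wsgi.input": io.BytesIO(b"")}
    for k, v in (headers or {}).items():
        environ["HTTP_" + k.upper().replace("-", "_")] = v
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"] = int(status.split()[0])
        captured["headers"] = dict(response_headers)

    body = b"".join(app(environ, start_response)).decode(errors="replace")
    return captured["status"], captured["headers"], body


def scan(app, sensitive_paths=("/admin",), injectable=(("/search", "q"),)):
    """Run three black-box checks and return (check, location) findings."""
    findings = []
    # 1. Authorization gap: a sensitive path answers 200 with no credentials.
    for path in sensitive_paths:
        status, _, _ = request(app, "GET", path)
        if status == 200:
            findings.append(("missing-auth", path))
    # 2. Error-based SQL injection: a quote in a parameter provokes a database error.
    for path, param in injectable:
        for payload in ("'", '"'):
            status, _, body = request(app, "GET", path, param + "=" + urllib.parse.quote(payload))
            if status >= 500 and any(m in body.lower() for m in SQL_ERROR_MARKERS):
                findings.append(("sql-injection", path + "?" + param))
                break
    # 3. Hardening headers absent from a normal 200 response (a deployment flaw).
    _, headers, _ = request(app, "GET", "/search", "q=anvil")
    for name in REQUIRED_HEADERS:
        if name not in headers:
            findings.append(("missing-header", name))
    return findings


if __name__ == "__main__":
    for check, where in scan(make_target()):
        print(check, where)
```

The caveat a practitioner would add: if the application swallowed the database error and returned a generic page, check 2 would report nothing, even though the injection is still there. That blind spot is the reason the document recommends running static and dynamic tools together rather than choosing one.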

Interactive Application Security Testing (IAST)

Less common are Interactive (IAST) tools, which provide an additional level of monitoring through hooks into the application's internal code. This is typically implemented by instrumenting the runtime environment, such as the Java Virtual Machine or the .NET framework, to observe operation or attacks from within the application and identify vulnerabilities.

Interactive tools are relatively new and the market is less mature than the other two categories, SAST and DAST. Gartner also mentions Runtime Application Self Protection (RASP) as an emerging technology in the application security testing sector. RASP is a self-monitoring technology built into an application with the purpose of detecting and protecting the application from attack during runtime.

[8] Gartner 2017 Magic Quadrant for Application Security Testing (AST)
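The two paragraphs above describe the same mechanism used with two policies, and the added example below (not code from the white paper or from any IAST or RASP product) shows both on one hook. The hook sits on the database sink: a `sqlite3.Connection` subclass whose `execute()` checks whether any value from the current request appears verbatim in the SQL text instead of in the parameter list. In "monitor" mode it only records the observation, which is what an IAST agent reports back to testers; in "block" mode it refuses the query when the input also carries SQL metacharacters, which is the RASP behaviour. The thread-local request context, the two handlers and the blocking heuristic are assumptions made for this example.

```python
"""Runtime instrumentation of the database sink, in the style of IAST (observe
and report) and RASP (observe and block).  Added example; not code from the
white paper or from any product.  The instrumented connection, the two handlers
and the request-context mechanism are constructed for illustration."""
import sqlite3
import threading

_ctx = threading.local()          # per-thread record of the current request's inputs


class InjectionBlocked(Exception):
    """Raised in block mode when request input reaches the SQL sink verbatim."""


def _looks_like_attack(value):
    """Block only when the input can alter SQL structure (quotes, comment, terminator)."""
    return any(token in value for token in ("'", '"', ";", "--"))


class GuardedConnection(sqlite3.Connection):
    """sqlite3 connection whose execute() is the instrumentation hook."""
    mode = "monitor"              # "monitor" = IAST-style report, "block" = RASP-style enforce
    findings = []                 # class-level so a harness can read what was observed

    def execute(self, sql, parameters=()):
        inputs = getattr(_ctx, "inputs", {})
        for name, value in inputs.items():
            # A request value that appears verbatim inside the SQL text (rather than
            # being passed in `parameters`) means the handler concatenated it.
            if len(value) >= 3 and value in sql:
                GuardedConnection.findings.append({"param": name, "sql": sql, "mode": self.mode})
                if self.mode == "block" and _looks_like_attack(value):
                    raise InjectionBlocked("input %r reached SQL sink verbatim" % name)
        return super().execute(sql, parameters)


def begin_request(inputs):
    _ctx.inputs = dict(inputs)


def end_request():
    _ctx.inputs = {}


# --- constructed application handlers: one concatenates, one parameterises ---
def vulnerable_lookup(conn, username):
    return conn.execute("SELECT id FROM users WHERE name = '" + username + "'").fetchall()


def safe_lookup(conn, username):
    return conn.execute("SELECT id FROM users WHERE name = ?", (username,)).fetchall()


def make_db(mode):
    conn = sqlite3.connect(":memory:", factory=GuardedConnection)
    conn.mode = mode
    conn.execute("CREATE TABLE users(id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def simulate(mode, handler, username):
    """Run one request through `handler` and summarise what the hook saw."""
    conn = make_db(mode)
    GuardedConnection.findings.clear()
    begin_request({"username": username})
    try:
        rows, blocked = handler(conn, username), False
    except InjectionBlocked:
        rows, blocked = [], True
    finally:
        end_request()
    return {"rows": rows, "blocked": blocked, "findings": len(GuardedConnection.findings)}


if __name__ == "__main__":
    payload = "x' OR '1'='1"
    print(simulate("monitor", vulnerable_lookup, payload))   # data leaks, hook reports
    print(simulate("block", vulnerable_lookup, payload))     # hook refuses the query
    print(simulate("monitor", safe_lookup, payload))         # parameterised: nothing to report
```

Two things worth noticing. The hook reports the vulnerable handler even for the benign input "alice", because the defect is the concatenation, not the payload; that is the advantage IAST has over a black-box scanner, which only sees the symptom. And in block mode the benign input is still allowed through, since a RASP control that rejects legitimate traffic is a denial of service the operations team will switch off.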

Another security tool that falls under the category of Application Security Testing is Software Composition Analysis (SCA), which is a technology used to identify open-source and third-party components used in an application and their known security vulnerabilities.
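The SCA description above, and the earlier recommendation under Requirements & Risk Assessments to monitor the NVD for new exploits, are both served by the added example below, which is not code from the white paper or from any SCA product. It reads a requirements file, resolves each pinned version, and checks it against an advisory feed using the introduced/fixed version ranges that real feeds publish. The requirements file, the package names and the `EXAMPLE-*` advisories are all constructed for this example; in practice `VULN_FEED` would be loaded from the NVD or the package ecosystem's own advisory database.

```python
"""Toy software composition analysis: match pinned dependencies against an
advisory feed.  Added example; not code from the white paper or from any SCA
product.  The requirements file, the package names and the advisory feed
(EXAMPLE-* identifiers) are all constructed; a real run would use the NVD or a
package-ecosystem feed in place of VULN_FEED."""
import re

REQUIREMENTS = """\
# constructed sample requirements.txt
widgetlib==1.4.2
parsekit==0.9.0      # pinned
cryptoshim>=2.0,<3   # not pinned: version cannot be resolved from this file alone
tinylog==3.1.0
"""

# Constructed advisories: a version is affected if introduced <= version < fixed.
VULN_FEED = [
    {"id": "EXAMPLE-2017-0001", "package": "widgetlib", "introduced": "1.0.0", "fixed": "1.4.3",
     "severity": "HIGH", "summary": "path traversal in archive extraction"},
    {"id": "EXAMPLE-2017-0002", "package": "parsekit", "introduced": "0.8.0", "fixed": "1.0.0",
     "severity": "CRITICAL", "summary": "deserialisation of untrusted input"},
    {"id": "EXAMPLE-2016-0003", "package": "tinylog", "introduced": "2.0.0", "fixed": "3.0.0",
     "severity": "MEDIUM", "summary": "log injection via unescaped newline"},
]

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}
_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==)?\s*([0-9][^\s,;#]*)?")


def parse_version(text):
    """'1.4.2' -> (1, 4, 2); shorter versions are right-padded with zeros."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def parse_requirements(text):
    """Yield (name, exact_version_or_None) for each non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _REQ.match(line)
        if not m:
            continue
        name, op, ver = m.group(1).lower(), m.group(2), m.group(3)
        yield name, (ver if op == "==" else None)


def is_affected(version, advisory):
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def audit(requirements_text, feed):
    """Return vulnerable pins (worst severity first) and the names that are not pinned."""
    vulnerable, unpinned = [], []
    for name, version in parse_requirements(requirements_text):
        if version is None:
            unpinned.append(name)       # an SCA tool needs a resolved lockfile here
            continue
        for adv in feed:
            if adv["package"].lower() == name and is_affected(version, adv):
                vulnerable.append({"package": name, "version": version, "advisory": adv["id"],
                                   "severity": adv["severity"], "fixed_in": adv["fixed"]})
    vulnerable.sort(key=lambda f: (SEVERITY_RANK.get(f["severity"], 99), f["package"]))
    return {"vulnerable": vulnerable, "unpinned": unpinned}


if __name__ == "__main__":
    report = audit(REQUIREMENTS, VULN_FEED)
    for f in report["vulnerable"]:
        print("%-8s %s %s -> upgrade to %s (%s)"
              % (f["severity"], f["package"], f["version"], f["fixed_in"], f["advisory"]))
    print("unpinned (resolve a lockfile before auditing):", report["unpinned"])
```

The unpinned entry is the practical lesson: SCA can only match what it can resolve, so the scan should run against the lockfile or the built artifact's manifest, and it should run again whenever the feed changes, not only when the code does.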

Leading Application Security Testing Tools Providers

Static, Dynamic & Interactive — IBM is a global provider of IT services and products. They offer a good solution with all categories of AST from a single source. IBM provides a single dashboard that integrates reports from static, dynamic and interactive security testing.

Static, Dynamic & Runtime — HP provides AST products and services with the Fortify brand. Software Security Center (SSC) is HP’s console for managing all offerings and Application Defender is a management tool for monitoring and Runtime Application Self Protection (RASP).

Static & Dynamic — Synopsys offers a wide variety of AST tools based on several recent acquisitions. As a company focused on software and semiconductor offerings, Synopsys also offers tools focused on securing network and messaging protocols, including XMPP, MQTT and AMQP. These have strong relevance for applications supporting the Internet of Things (IoT).

Static & Dynamic — Veracode offers a complete mix of AST tools and a newer service, Greenlight, that integrates Static AST into the early stages of the Software Development Lifecycle (SDLC). Greenlight integrates into developer tools, allowing security scans of individual modules early in development. Greenlight also includes a sandbox for scanning applications locally without degrading performance.

Static & Dynamic — WhiteHat Security provides Static and Dynamic AST as a service, and was a pioneer in offering Dynamic AST as a service. WhiteHat should be considered by organizations looking to outsource application security practices to an expert external partner offering a scalable solution.

Static — Checkmarx is a static tool that scans uncompiled source code, finding potential vulnerabilities to attack vectors and recommending best fix solutions.


Dynamic — Qualys FreeScan is a browser-based scanner that scans network, servers, desktops or web apps for security vulnerabilities. FreeScan provides scan reports that identify threats and recommended patches.

Dynamic — Rapid7 provides a suite of tools for vulnerability management, penetration testing and dynamic web application security testing. Rapid7 also provides tools for infrastructure monitoring and troubleshooting.

Dynamic — Trustwave provides security scanning, vulnerability detection and monitoring across a very wide set of application types, environments and platforms.

Dynamic — Acunetix performs a full scan of web-based applications. The scanner identifies vulnerabilities and points to errant code. Acunetix scans for a wide variety of vulnerabilities and can be run as part of an automated, Jenkins-based deployment.

Dynamic — Tenable Nessus is an assessment solution for identifying the vulnerabilities, configuration issues, and malware that attackers use. Tenable cites 90,000+ plugins, 1.6 million users worldwide and 23,000 organizations.

Open Source Application Security Testing (AST) Tools

Static — CppCheck is a static analysis tool for C/C++ code. It provides unique code analysis to detect bugs and focuses on detecting undefined behavior and dangerous coding constructs. The goal is to detect only real errors in the code (i.e. have very few false positives).

Dynamic — Kali Linux is a Debian-based penetration-testing distribution maintained by Offensive Security. Rather than a single scanner, it bundles hundreds of assessment and exploitation tools for applications and networks, and is widely used for enterprise penetration tests.

Dynamic — SQLMap is a penetration testing tool that is focused on database servers. It is specifically designed to detect database injection vulnerabilities and other exploits that potentially take over databases.

Dynamic — w3af, the Web Application Attack and Audit Framework, is a Python-based toolkit that allows developers to configure specific attack plugins and test for vulnerabilities within web-based applications.


Dynamic — Wapiti is a black box web application scanner. It crawls the web pages of a deployed app searching for scripts and forms where it can inject data. Once found, Wapiti injects diverse payloads to find possible vulnerabilities.

Dynamic — Vega is an open-source scanner from Subgraph, the company behind Subgraph OS, the adversary-resistant computing platform. Vega is a GUI-based tool written in Java that scans web-based applications looking for vulnerabilities.

Dynamic — ZAP is the Zed Attack Proxy and part of the Open Web Application Security Project (OWASP). ZAP is a broadly configurable scanner that probes web-based applications looking for vulnerabilities.

Conclusion

Security is top-of-mind with everyone, as it should be. The threats are escalating and costs are growing at unprecedented rates. Companies are investing heavily to tackle the threat even as they also work to transform into Digital Businesses—creating greater risk of vulnerabilities.

We believe the answer lies in every organization building a strong security mindset that instills security into all aspects of application development and moves organizations from reactive to proactive modes of operation. Security can no longer be an afterthought; it must be central to every phase of development and integral to every organization's culture.

Acknowledgements

We would like to acknowledge some of our engineers and managers for their contribution to this white paper: Felipe Miney, Douglas Pereira and Ivan Marin.


DAITAN GROUP HEADQUARTERS 2410 CAMINO RAMON, SUITE 285 | SAN RAMON, CALIFORNIA, 94583 | USA


About Daitan Group

Daitan Group provides high-quality software development services to significantly accelerate time-to-market for global technology companies. The company’s expert agile teams deliver full lifecycle software product development, maintenance and quality assurance services across today’s leading technologies, including: cloud computing and virtualization; secure communication, data engineering and analytics, artificial intelligence, machine learning and security.

For more information: http://www.daitangroup.com