Engineering e Business Applications for Security

8/6/2019 Engineering e Business Applications for Security

1/45

IBM Global Services

April 2005

Engineering e-BusinessApplications for Security

By Sharon Hagi,

Senior IT Architect, IBM Canada Ltd.


2/45

IBM Global Services

Page 2

Abstract

In todays economy, enterprises are evermore dependent on reliableand secure application software to enable their critical business processes.

In particular, e-Business applications provide critical linkage between

customers, suppliers and partners. Enterprises today have realized that

their success will necessitate considerable attention to the security

and privacy of their application software, and particularly their

e-Business applications.

Vulnerabilities and threats related to e-Business application programs

can be seen as occurring at all the different levels of the application

system, including:

denial-of-service attacks proliferating from mal-ware or worms

sophisticated application Web Services interface exploits or script-based

injections that cripple and damage the application and its data

network interception due to protocol weaknesses

defeat of encryption due to faulty cryptographic key management or

encryption methods

database administrators being able to easily steal and sell database

content or sensitive configuration parameters

application programmers who place undetected malicious code that

can cause widespread security failure and can even enable subverted

and malicious masquerading of critical business transactions

All of these vulnerabilities and threats result in loss of confidentiality,

integrity and authenticity.

Traditionally, enterprises have prioritized and focused their IT security

strategies and budgets on protection of the network perimeter and physical

access control to the application system environment. Their goals have

been directed at universal elimination of external threats at lower network

levels and common infrastructure technical services, as well as through

restriction of certain types of physical and logical access to the application.However, the reality today is that these measures are simply inadequate in

light of the wide spectrum of threats and vulnerabilities that are seen

affecting application systems.

Contents

2 Abstract

4 The Motivation for

Application Security

10 Challenges

14 Methods and Recommendations

for Application Security Strategies

38 Integrated Application Security

Services Model


3/45

IBM Global Services

Page 3

Applications, data and business processes can be attacked even when a

very good network and infrastructure security program is in place.

For example, good network perimeter defense using firewalls, intrusion

detection systems (IDS) and other network security components must still

ensure the applications can be accessed by legitimate users and therefore

at the same time can facilitate an opportunity for a so-called legitimate

user to attack impudently at the vulnerable application interface level.

In the same manner in which mature software and systems development

organizations engineer for failure to ensure quantifiable degrees of quality

and predictable reliability, the notion is that there is a clear need to

engineer applications for security. Engineering applications for security is

a concept that applies to all the different levels of the application system.

Methods include attention to operational and functional policies, processes

and standards. Rigorous security conscience design, defensive coding,

continual testing, metric collection and monitoring ensure that risks

related to application development, maintenance and management are

systematically mitigated and reduced as part of a comprehensive risk

management life-cycle.

This paper contains highlights of methods and recommendations that

can be utilized by organizations working through the complex maze of

application security. Organizations require a methodical approach as part ofa cost-effective enterprise remediation and assurance program to improve

security and privacy compliance for their critical e-Business operations.

Highlights

Processes can be attacked even

when a very good network

defense exists

Attention to operational and

functional policies is important

Improve compliance for critical

e-Business operations.


4/45


5/45

IBM Global Services

Page 5

Highlights

Manage risks throughout the

application development lifecycle

Risk scenarios and measures for

applications need to be defined

Risk Management

Organizations need to understand their exposure and sensitivity to security

events as they relate to development, maintenance and management of

applications. This understanding leads to appropriate strategy and allocation

of budget and spending on security to offset and mitigate the risks.

Organizations have been focusing typically on applying risk management

subsequent to application development and deployment. The focus of risk

determination in such cases has been largely on the network and the shared

IT infrastructure supporting the application and, to a lesser degree, on the

processes involved in designing and developing the software.

In addition, there is often a need to have metrics available to understand

scenarios and risk measures particularly relevant to applications and their

management. In absence of these instruments, development organizations

have gaps in their risk management and their appreciation of their complete

risk picture. The deficiency is due to incomplete analysis of exposures,

scenarios and potential loss to the business, attributed to security failures of

the application itself and/or the application development process. Methods

devised to address the gaps clearly require the use of quantification and

benchmarking to assess and measure risk due to security concerns intro-

duced during the design or coding of an applications (e.g. insider attacks).

Unfortunately, we have observed that this kind of risk managementshortcoming is indeed widespread in the market place and have concluded

that in many cases it serves to explain why market analysts continually

report on the lack of strategic focus and often insufficient budget allocations

to deal with risk specifically in the application security context.


6/45

IBM Global Services

Page 6

Highlights

Financial reporting systems are

dependent on applications and their

associated security

Regulatory Compliance

The legislative landscape and the resulting regulatory requirements place

increasing emphasis on the role of corporate governance with respect to

application software assurance. The tenets of regulations such as Sarbanes

Oxley specify that corporate governance, which is principally composed of

executive management, be responsible for providing transparency, integrity,

and accountability over regulated financial reporting and data.

While the subject matter of information security is not specifically discussed

within the text of the act, the reality is that modern financial reporting

systems are heavily dependant on applications and their associated security

controls, processes and audit-ability. Any review of internal controls would

not be complete without addressing controls and processes specifically

around application development and maintenance. An insecure application

system would not be considered a source of reliable financial information

because of the possibility of unauthorized transactions or manipulation

of financial data. In the eyes of auditors, there is no clear distinction

between applications that help run the business (e.g. billing systems)

and applications that help service the customers (e.g. e-store, medical

electronic records, etc.)

Other regulatory requirements with focus on application security and

privacy include the Health Insurance Portability and Accountability Actof 1996 (HIPAA), Gramm-Leach-Bliley Act (GLBA), EU Data Protection,

Basel Accords (Basel II guidelines promulgated by the Bank for

International Settlements), Bill 198, Personal Information Protection

and Electronic Documents Act (PIPEDA) and other Canadian Privacy

Laws. Regulatory requirements have specific implications on organizations

developing and managing applications in their e-Business environment.

Compliance is non-trivial when considering the complexities of modern

and highly distributed application systems.


7/45

IBM Global Services

Page 7

Highlights

Security vulnerabilities in applications

can have large business impacts

Fixing a ruined reputation is

exponentially more expensive than

building in application security

Costly defects can be traced to

deeply rooted design flaws or

process shortcomings

Corporate Reputation and Public Image

Negative publicity about security vulnerabilities in applications impacts

potential sales and plays a major role in eroding user confidence in not

only the products but also the companys value-add services. For financial

institutions, insurance companies, medical, transportation, utility and

telecommunications firms the impact can be rather devastating.

Application security events resulting in customer data being lost, financial

data being compromised or altered, medical records exposed, even

cyber-terrorism and crime can all damage customers and shareholders

confidence and impact business growth potentials for a substantial period

of time.

In addition, one might also consider that in light of increasing government

regulatory pressures, any incident, even a relatively minor one, may indeed

flag the organization for some closer attention from compliance auditors.

Security advocates in mature software and systems development organiza-

tions often attest to the fact that it is exponentially more expensive to fix a

ruined reputation resulting from an application security failure than it is to

build the right processes and methods that could have caught and fixed the

exposure that lead to the failure in the first place.

Cost Of Redesign/Reengineering Due To Security Failure

The cost to companies needing to continually fix various vulnerabilities andsecurity flaws in systems and application portfolios is significant. Loss of

revenue is one cost component but more importantly, in many cases,

companies have had to postpone significant strategic initiatives and divert

considerable investment capital in order to revamp their application

security posture. Since most serious security defects can be traced to deeply

rooted design flaws or process shortcomings, there is a realization that to

truly address security, companies need to fundamentally look at their

software security architecture and design and even more so, focus their

security re-engineering efforts on the development processes.


8/45

IBM Global Services

Page 8

Highlights

Applications have to be designed

systematically for security

Effective and practical application development and management security

needs to be appropriately prioritized and consideration must be given to

questions such as:

Is there sufficient thought given to costs involved in continually

fixing applications for security vulnerabilities?

What are the costs involved in a possible re-design/re-engineering

of processes and applications should they fail an audit?

What are the cost saving in addressing security at the early

requirements and design stages?

What are the risks to the company in accepting application

security status quo?

More often than not, security for applications is viewed as an ancillary aspect,

something that can be retrofitted later on. There is also ample evidence from

organizations such as the Carnegie Mellon Software Engineering Institute

(CMMI) to suggest that in an analogous manner to software defects, security

defects and related concerns are far easier and significantly cheaper to fix

when they are uncovered and addressed in the early steps of the develop-

ment process. Applications have to be designed systematically for robustness

and for security as early as possible so as to reduce the costly need to re-

design and re-engineer when its not really practical or economically feasible.

The following chart illustrates the exponential cost increase to correctdetected security defects with respect to the development and maintenance

phase in which the defect is discovered.

Source: IBM Corp.


9/45

IBM Global Services

Page 9

Highlights

75% of attacks against websites and

web-based applications come at

the application layer

Skilled hackers exploit exposed

application-level information to gain

access to systems and data

Hacker Activity Statistics

A recent Garner report states that over 75% of attacks against websites

and web-based applications come at the application layer and not lower

infrastructure and network layers. If e-Business organizations place

all their efforts and trust in good network security but not as much effort

toward their application security, they are in actuality missing key risks and

therefore have critical business gaps.

From observed hacker malicious activity statistics, we know that hackers

are now seldom interested in defeating the network or the infrastructure

low-level defenses. The adversaries today are well aware of the fact that

applications are typically less defended than the rest of the IT infrastructure.

For example, hackers may be interested in directly probing and discovering

unsafe SOAP method implementations to pass in SQL script injections

based on known database vulnerabilities. Exposed XML Schema often

makes it extraordinarily easy to postulate how a specific attack can in fact

be structured. In other examples we see skilled hackers employ rather

clever social engineering tactics to entice and recruit employees with sensi-

tive roles to obtain artifacts such as unprotected XML configuration files

for J2EE application servers. The information in those files is often

sensitive enough and can be used to gain levels of access and enable

unauthorized deployment of application components.


10/45

IBM Global Services

Page 10

Highlights

Vulnerabilities need to be managed

in more than one type of platform,

framework and configuration

Spending on IT security is significant,

and needs to be targeted effectively

Challenges

There are several challenges in mitigation of risks in applicationsystems and development processes which effective strategies must

take into consideration:

Complexity

Cost

Skills

Compressed time-to-market

Monitoring

Application security incident response

Complexity

Managing vulnerabilities in todays largely heterogeneous and highly

distributed application systems is a significant task. There is a need to

manage vulnerabilities in more than one type of platform, framework and

configuration. There is a need to manage vulnerabilities from third-party

software, components and subsystems. There is a need to manage

vulnerabilities in the software the enterprise develops itself.

Since applications are really part of the automated manifestations of

business processes, there is little to suggest that one will be similar to

another. Each one is more or less unique and therefore must be treated

and addressed separately from a security perspective. The shear number of

combinations, variations and configurations is enough to cause major con-

cern over how to really tackle and deal with this undertaking in any cost-

effective manner. The answer is that there are, of course, methods and

processes that do help and we shall examine some of them more closely.

Cost

Most businesses today have a specific budget allocated to IT security. IDC

has reported that while larger organizations traditionally tend to spend the

most money, smaller companies today are surprisingly allocating a fair por-

tion of their IT spending on security. The question often asked by CIOs(Chief Information Officers) and CSOs (Chief Security Officers) is whether or

not the budget allocation is effective at addressing the risk comprehensively.


11/45

IBM Global Services

Page 11

Highlights

Required application security skill sets

are in short supply in the market place

Pressure to beat competition and be

first to market is not a new challenge

As we saw earlier, with gaps in risk management as it relates to application

security, there is no quantification of risks and therefore we can expect that

budgets may not appropriately align to address application risks in a manner

typically expected by senior management. Perception in the industry is also

that application security tends to be an expensive business undertaking.

There is little appreciation of the real cost saving because of lack of metrics

collected over the life-cycle of a business application. Using metrics and

statistical methods on observations would indicate overall cost of a

stressful event in the life-cycle of an enterprise application verses the

cost of developing the application with the ability to either prevent the

event or successfully recover from it.

Skills

Engineering security into applications and associated processes and

methods involves a wide range of roles and skills, including:

Application security architects

Developers with specific security and cryptography training

Security platform, product and integration specialists

Security assessment experts

(system certifiers, product evaluators, ethical hackers and auditors)

Security system administrators

This combination of skill sets is in short supply in the market place and

organizations are challenged to manage those valuable resources on anon-going basis in terms of career development and other HR issues.

Outsourcing and contracting out work to a trusted third party specializing

in security for application development and maintenance can be a practical

solution to many of the skills acquisition, supply and management issues.

Compressed Time-To-Market

The continuous pressure to beat competition and be first to market is not

a new challenge. If history is a guide, the challenges facing development

organizations in transitioning to higher maturity levels (e.g. Capability

Maturity Model levels) has always been the fear that increasing process anddocumentation overhead would slow things down and hence harm the

companys potential profitability.


12/45

IBM Global Services

Page 12

Highlights

Implementing application security

requires careful planning

Monitoring efforts must be designed in

conjunction with efforts to collect and

analyze process metrics

When planning to incorporate security into the processes and development

life-cycles the very same reaction is to be anticipated. Overwhelmed by the

overabundance of implied processes and plans, an organization may draw

back from adopting application security practices. Like any other maturity

based engineering model, the application security engineering model

includes requirements to document processes and procedures and to follow

up with reviews and testing to ensure they are performed as documented

and mandated by policy.

While a number of processes, plans, and other types of documentation will

be required, and hence overhead will be incurred, careful planning and

choosing the right kind of risk management process will ensure the most

effective size and priority of the investment in these activities. A single

security plan may meet the requirements of many process areas within a

typical development organization. In more complex cases a longer term,

multi-phase transition plan may be required. In many cases the process

re-engineering is not as revolutionary as some may see it. It really

emphasizes the same common sense practices that have been

implemented for software quality assurance for many years.

Monitoring

Throughout the application development and maintenance security

processes it is necessary to measure progress and monitor for success.Methods include processes that can be used to validate the appropriateness

of and compliance with written policies, processes and business control

measures designed to address application security. Typically, monitoring

efforts must be designed in conjunction with efforts to collect and analyze

process metrics. The metrics are quantifiable aspects that are used in

assessment and risk management activities to compare against pre-deter-

mined benchmarks.


13/45

IBM Global Services

Page 13

Highlights

Responding to security incidents

requires analyzing and evaluating

large amounts of information

Application Security Incident Response

A significant challenge for enterprises managing application systems and

operations is how to organize a response to application security incidents.

Security information, even when it is compartmentalized into one area,

involves sifting through large amounts of information in real-time. In a

complex enterprise, there are alerts from firewalls, intrusion-detection

systems, application audit trails, database logs, messages from operating

systems, etc. All of which need to be analyzed and evaluated before an

appropriate response can be formulated. In many organizations, this has

led to the institution of a Computer Security Incident Response Team.

Other organizations have outsourced the monitoring of key elements of

their application security infrastructure and let outside agencies handle

the first-response duties.

Security is not and cannot be a cookie cutter process. There is no magic pixie

dust that can be sprinkled over a protocol to make it secure. Each protocol must be

analyzed individually to determine what vulnerabilities exist, what r isks they may

lead to, what palliative measures can be taken, and what the residual risks are.

S. Bellovin, AT&T Labs Research, RFC 2316, Report of the IAB Security

Architecture Workshop


14/45

IBM Global Services

Page 14

Highlights

Engineering security into application

systems is a critical discipline

Methods and Recommendations for Application Security Strategies

Engineering security into application systems is a critical disciplineand should be a key component in multi-disciplinary, concurrent or

distributed development teams. This applies to the development,

integration, operation, administration, maintenance and evolution of

e-Business application systems as well as to the development, delivery,

and evolution of software-based products. Security concerns are addressed

throughout the development and maintenance life-cycle. Competencies

and capabilities can be delivered as tools, systems, products or as a

collection of processes and services.

In general, the key steps involved in application security strategies involve:

Gaining a quantified understanding of the security risks associated with

an enterprise e-Business application

Establishing a balanced set of security requirements in accordance

with identified risks

Transforming security requirements into security controls and process

guidance to be integrated into activities of development disciplines

and methodologies employed on a development project and into the

definition of system configuration, operation and maintenance goals

Establishing confidence or assurance in the correctness and

effectiveness of security mechanisms using assessments, reviews,

testing and certification

Determining impacts due to residual risk associated with

security vulnerabilities in a system or its operation which are

determined acceptable


15/45

IBM Global Services

Page 15

The focus at IBM has for many years been one that covers the breadth and

depth of the discipline of engineering security into software. IBM, through

its numerous product development arms and research laboratories around

the globe, has produced some of the most advanced methods, tools and

products that cover a broad range of application security aspects. These

range from code analysis, testing tools and sophisticated risk management

systems to process engineering, systems and software architecture and

security consulting methods delivered by IBM Global Services. This paper

focuses on key methods showcased in a number of services being offered

as part of the Integrated Application Security Services model recently

introduced by the Security/Identity & Privacy Practice in conjunction withthe Application Management Services (AMS) and Application Innovation

Services (AIS) groups within IBM Global Services.

Source: IBM Corp

Highlights

IBM has introduced an Integrated

Application Security Services model


16/45

IBM Global Services

Page 16

Highlights

A comprehensive and well-communi-

cated security policy is fundamental

Development security standards are

required for compliance

Typical strategies for mitigation employing the IBM services focus on

these key areas in addressing e-Business application security:

Complying with Regulations

Development and Maintenance Life-Cycle Processes and Methodologies

Training and Awareness

Monitoring and Security Intelligence

In the following sections we provide several important highlights of

methods and recommendations that enterprises can leverage to enhance

their application security efforts and provide deeper insight into issues

that may need to be considered.

Complying with Regulations

By examining compliance strategies devised by IBM for its customers using

audit guidance such as the Control Objectives for Information and related

Technology(COBIT) from the Information Systems Audit and Control

Association (ISACA), we are able enumerate several key recommenda-

tions as they relate to application security controls and processes.

Security Policy for compliance, there needs to be evidence in the form of

written and comprehensive policy that addresses application development

and maintenance business requirements. A security policy is something

very fundamental for any organizations security program. While mostsecurity cognisant organizations do have some form of policy, in many

cases we have found it did not document managements desire or criteria

as it relates to the effort of developing, deploying and maintaining critical

business functions implemented in computer software. In addition, there

needs to be clear evidence of effective policy communication to developers,

administrative and operational staff.

Security Standards for compliance there needs to be evidence of the

existence of appropriate security standards related to the development

environment (e.g. tools, platforms, components etc.). Standards are typicallycollections of system-specific or procedural-specific requirements that

must be met by everyone involved in the development, deployment and

maintenance of an application.


17/45

IBM Global Services

Page 17

Highlights

A broad range of application security

controls are required

Architecture, Design and Implementation of Security Controls - Fundamental

controls for applications with impact on financial reporting or privacyand confidentiality of an individuals private records such as medical

records, involve ensuring that only people who are authorized to use

an application can access it. And once they do, they are able to use the

application and data in a manner that guarantees confidentiality and

integrity as well as ensures there is continual monitoring and auditing of

everything transpiring that has any impact on the companys compliance

with the regulations. This includes controls in the following areas:

User account management; provisioning; activation; change control

enforced at the application level.

Authentication, Authorization and Auditing (AAA) assurance

Credential storage and management

Use of cryptography to facilitate authentication, protect confidentiality

and integrity of data and provide forms of non-repudiation for

transactions and critical activities.

Protection from mal-ware and viruses

Resiliency - ability to detect security conditions and ensure that further

actions by the user or the application will not adversely impact the data

or the business process integrity.

Continuity ability to detect service failure arising from possible security

events and rely on redundant capabilities to recover operations without

adversely impacting data or the application.

Segregation of Duties Whereby it is demonstrated that sufficient

segregation is in place, enforced by the application system as well as

within the software development life-cycle (SDLC), so that no single

person involved has the capabilities required to control, monitor and

audit any process from start to finish.


18/45

IBM Global Services

Page 18

Highlights

Effective monitoring must be capable

of detecting security issues affecting

the application

Security of an application system,

as a whole, is only as strong as the

weakest link

Monitoring Evidence must be provided that application systems are being

effectively monitored for security events. Effective monitoring, whichaccording to guidelines must be capable of detecting security issues affect-

ing the application, requires the use of correlation analysis, intelligence and

the appropriate tools and statistical techniques. Examining network logs for

application attacks is often not effective if the application is not designed

to report or capture the right type of event information. For audit purposes,

it is important to design and document monitoring goals that focus on

timely identification of security issues affecting the application and the

creation of action plans to address those issues.

Physical Security while physical security is outside the scope of this paper,

we feel compelled to mention that compliance and audit readiness will

involve steps to ensure that physical access to the application infrastructure

and systems supporting the application development processes is appropri-

ately restricted, controlled and monitored. General guidelines range from a

simple lock and key to controls as sophisticated as biometric identification

systems and multi-factor authentication.

Establishing the physical boundaries can be difficult in todays distributed

computing application environments. A data center supporting the enter-

prise business systems may have very strong security controls, while a

remote site or office may simply not have the same levels of control.

A principle of security would dictate that security of an application system,

as a whole, is only as strong as the weakest link. In this case the concern

may be that an adversary can choose to attack the application indirectly

using the less secure remote site/office as a launch pad. In either case,

auditors will be examining and ensuring that physical access to the

systems is restricted uniformly and access is monitored and reviewed on

a periodic basis.


19/45

IBM Global Services

Page 19

Highlights

Software is not just code

Development and Maintenance Life-Cycle

The application software development life cycle (SDLC) is a conceptual

model used mainly in a software engineering and project management

context that describes the stages involved in the applications development

project and subsequent maintenance. When we get into security issues

surrounding the SDLC we cannot avoid talking about what software really

is. The ANSI/IEEE Standard 610.12-1990 defines a standard glossary of

software terminology. It includes software product definitions of:

Development Program

Development Project Plan

Requirement Specification

Architecture and Design Description

Source Code

Object Code

Test Plans

User Documentation

Hence, software is not just code. Consequently, security and assurance

methods or activities should not be exclusively focused on reviewing source

code or practicing defensive coding techniques alone, as they will likely not

lead to a secure application!

In general, nearly all SDLC methodologies, to some degree, follow stepsthat include: Project Requirements and Planning; Product Requirements

and Specification Analysis; Architectural or High-level Design; Detailed

Design; Coding and Unit Testing; System Testing; Production, Operation

and Maintenance.

Various SDLC methodologies have been developed since the early days

of computing to guide the processes involved, including the waterfall/

V-shaped model (arguably the original SDLC method); rapid application

development (RAD); joint application development (JAD); the spiral model;

Rational Unified Process (RUP) and many other examples with differentvariations on the theme.


20/45

IBM Global Services

Page 20

Highlights

Security assurance methods apply

throughout the SDLC

To better illustrate how specific security assurance methods work within

the SDLC, we employ the classic V-shaped model. While this model may

not necessarily be the best or even the most popular model, it is well

understood, which makes it an excellent illustration tool to show the basic

quality assurance processes involved in most SDLC models and how they

map back to the early planning, design and implementation phases.

The following diagram shows the progression of application development

life-cycle activities in the classic V-shaped model:

Processes and procedures for security are placed within these unifying

life-cycle frameworks. They are incorporated as gateways, checkpoints and

qualifying steps to ensure that risk reduction and appropriate controls are

being addressed prior to transitioning to subsequent phases. In addition,

metrics collection and audit functions can be closely integrated so that

analysis can occur throughout the processes, and monitoring can establish

how well the development and maintenance process are meeting the

security objectives of the enterprise as well as the applicable regulations.

Source: IBM Corp.


21/45

IBM Global Services

Page 21

Highlights

A Threat and Risk Assesment

must be conducted

A threat and risk assessment

must be conducted

Requirements and Planning

During this phase, activities are required to review and ensure that security

policies are updated and include application security and development

interests. In addition, this phase is an ideal launch pad for initiatives

targeted at the applications regulatory compliance and audit objectives.

Security standards are revisited and reviewed to ensure they contain

appropriate specifications for software development and maintenance

(e.g. hardware, software, environment access, build tools, platforms, etc.).

Standards for security components and protocols need to be defined using,

for example, standard profiles for security controls, where some of the

following criteria can be considered:

Interoperability what standards and profiles are necessary for

interoperability with other platforms, peers and partners?

Topology how will application components be deployed and distributed

and will that have any impact on selection of standards and profiles for

controls?

Manageability and Ease of Use what is the impact on user experience?

Accountability what monitoring facilities and methods will need to

be considered?

Performance what impact will the standards have on overall

performance requirements?

Confidentiality, Integrity and Audit-ability

Requirements and planning phases fundamentally have to include some

form of threat and risk assessment (TRA) as part of the enterprise risk

management framework. A TRA is conducted to determine principal busi-

ness risk exposures and mitigation requirements for the application. The

TRA examines information assets that are being impacted and handled by

the application as well as the assets composing the application system itself

(e.g. components, databases, APIs). These assets are subject to a sensitivity

analysis which uses vulnerability and threat information and correlates this

information to scenarios and benchmarks. This is performed to determinethe likelihood of occurrence and impact severity, and provide prioritization,

mitigation recommendations and quantification of the residual risk.

The TRA process feeds specific mitigation requirements and criteria into


22/45

IBM Global Services

Page 22

ensuing phases for design and implementation. It is recommended to

employ standard risk management methods and emerging industry

standards such as the IEEE Std. 16085 Software Engineering:

Software Life Cycle Processes, Risk Management.

There are also a number of additional security tasks that require attention

during the project management and project planning stages:

Security clearances and qualifications of resources assigned to the project

Segregation of duties and the impact on project scheduling and costs

Security of the development environment

o How sensitive information is communicated and handled by staff and

external parties (e.g. secure email, instant messaging or other forms of

collaboration tools)

o Source code repository and documentation management system access

control and protection

o Configuration management database, provisioning and deployment/

distribution systems security

o Development workstation security

o Build and testing environment security controls

Architecture and Design Methodologies and Activities

Similar to any software and systems engineering discipline, there is a need

to promote order and consistency in the way the enterprise develops securitycontrols and solutions for e-Business applications. A consistent approach is

required to provide the technical guidance for developing security architec-

tures with clear linkage to other disciplines involved in the design, creation

and operation of the application. In addition, risk management, security

strategies and business requirements need to have specific delineation and

integration points as there needs to be logical flow from the threats, vulner-

abilities and risk to the counter measures, security controls and patterns

which are designed as part of security architecture and design activities.

IBMs own Method for Architecting Secure Solutions (MASS) is a goodexample of a solution design methodology incorporating the requirements

of security engineering for applications. In fact, MASS is the basis for much

of the application security architecture and design services available from

Highlights

Numerous security tasks are

required during project planning

and management

IBMs Method for Architecting Secure

Solutions (MASS) is a good example of

a solution design methodology


23/45


24/45

IBM Global Services

Page 24

Highlights

Collaboration of architects and

designers in other disciplines is

critical to ensure seamless integration

of the solution into the applications

overall design

At a high-level, the architecture and solution design activities related to

application security can be seen as applying in all levels of the enterprise

e-Business application framework and infrastructure, including hardware

layers, network services, distributed object communications and messaging,

management application framework services, common services including

identity, authentication and authorization, business process and transaction

orchestration, and so on. Processes and methods work in conjunction with

SDLC, risk management, monitoring and metrics activities and phases to

ensure the incorporation of security controls and assurance in every layer

and every subsystem of the application.

As seen in the following process diagram, baseline application security

requirements, derived from business requirements analysis, regulatory

control objectives and specific risk management activity outputs, including

vulnerability assessments, risk assessment and corresponding asset profiles,

are used to form security and privacy controls and mitigation requirements.

Security architecture principals, design patterns, policies and standards are

used to derive the security solution outline. Collaboration of architects and

designers in other disciplines is critical to ensure seamless integration of

the solution into the applications overall design.

Source: IBM Corp.


25/45

IBM Global Services

Page 25

Highlights

Focus on physical design

and cryptographic-oriented

systems development

Application frameworks support

business logic and provide all

necessary services

Architectures, patterns and best practices are good at providing solutions at

higher levels. Security low-level solution design activities provide more

detailed blueprints and design specification for platform and technology

dependent application security components and nodes. They also include

low-level cryptographic details on how crypto APIs, toolkits, protocols and

specific hardware and/or software components are to be integrated.

The activities in application security low-level solution design also focus

on physical design and cryptographic-oriented systems development.

Dedicated cryptographic solution design is needed, for example, if the

application requires use of specific low-level security and crypto services

not available or accessible in the environment and not found in any off-

the-shelf solutions. It is also needed in cases where requirements call for

functionality such as custom secure application level messaging, specialized

encryption key management and other customized security related controls.

In e-Business applications, the application itself is but the manifestation

of the use cases or processes that implement business logic. Much of the

enabling functionality and facilitation of services are provided by the appli-

cation framework. The application framework is a construct supporting the

business logic and provides all the necessary services using technologies

and components, such as middleware services (e.g. J2EE containers);

content rendering and user interfaces (UI) such as .NET clients, Web

content, wireless application gateways, etc.; databases; identity managementand directory services; PKI certificate services; protocol gateways (e.g. Web

Services adapters), legacy services connectors (e.g. IMS/CICS/JCL), virtual-

ization management, clustering and load management; operating system

platform services, storage area networks (SANs) and others.


26/45

IBM Global Services

Page 26

Highlights

Security low-level designs will be quite

pervasive in the application framework

The following diagram illustrates some of the many constructs involved in

application frameworks which are the main focus areas in design activities.

Undoubtedly, much like the architecture, security low-level designs will

be quite pervasive in the application framework. Many development

organizations producing high assurance application solutions on COTS

framework components have addressed some of the following security

structures within the framework:

Structures and design for Credential Issuance and Management

Integrated PKI services helping users obtain and manage their digitalidentities using certificates

Multi-factor authentication and policy-based conditional access control

components and subsystems

Secure storage of sensitive credential data (e.g. password encryption or

hashing, private key protection using hardware security modules (HSMs),

bio-metric patterns data protection, etc.)

Source: IBM Corp.


27/45

IBM Global Services

Page 27

Highlights

Granular data access control

policy enforcement

Identification, Authentication

and Authorization

Designing highly available and

guaranteed transaction logging

Structures and design for Flow Control

Transaction integrity measures that prevent transaction replay,

masquerading, repudiation or unauthorized modification

Communications confidentiality using encrypting protocols such as

transport layer security (TLS), Internet protocol security (IPSec),

XML-Encryption, XML-Signature, cryptographic message syntax (CMS)

S/MIME, etc.

Legal bearing non-repudiation mechanisms using digital signatures,

trusted time services, user-transaction contract management principals

Structure and design for Privacy

Encryption of persistent data in databases and files

Granular data access control policy enforcement provide a form of

privacy-based access policy enforcement, which ensures that authorized

parties can only access and view information which they are permitted to

access based on privacy legislation, policies or contractual obligations.

Information collection, processing and distribution management, logging

and auditing for privacy regulatory compliance

Structures and design for Access Control

Identification, Authentication and Authorization - these are hot topics

today, especially in the area of Web Services applications. A number of

competing standards and methods are available but the intent is tofacilitate identity management, authentication management via single

sign-on (SSO) or reduced sign-on (RSO) and communication of security

assertions containing things such as privileges between applications using

federated trust services.

Structures and design for Auditing, Monitoring, Integrity and Resiliency

Logging and tracing facilities designing highly available and guaranteed

transaction logging; secure activity and event logging that prevent sensi-

tive data (e.g. user credentials or account numbers) from being included

in operational logs (e.g. in violation of privacy policies or regulations).


28/45

IBM Global Services

Page 28

Highlights

Secure coding practices ensure that

software modules are developed to

address known vulnerabilities

Security reviews are a very effective

tool for revealing coding errors and

security coding issues/exposures as

compared to testing

Coding and Building

Security activities in the coding and building phases are mainly focused on

the following:

Safe coding

Secure configuration handling

Reviews

Building (compiling, linking and packaging) with security

Application of defensive/secure coding practices ensures that software

modules are developed to address known vulnerabilities. Practices involved

include techniques and methods for memory and buffer management that

prevent overflow, techniques and methods for input validation checking,

correct and safe use of APIs, safe remote invocation, safe metadata and

interface definitions, correct use of cryptographic toolkits and security

functions and so on. Tools and computer aided software engineering

(CASE) products are available and can help at all levels of the design and

development process, including specialized code analysis tools that, in

many cases, integrate into the Integrated Development Environments

(IDEs) (e.g. WebSphere Studio, Microsoft's Visual Studio or Borlands

JBuilder) and work in conjunction with CASE tools such as Rational Rose,

Purify, Quantify etc.

Secure handling of application configuration information is something thatis often overlooked by many development organizations. It may surprise

some to find out that many developers can leave highly sensitive configura-

tion items, such as database users and passwords, in configuration files that

can be viewed without restriction by anyone and are therefore a serious

exposure. Specific methods and techniques are required to ensure safe

handling of configuration files and parameters to reduce such exposures.

Code reviews and peer reviews are arguably the most important processes

that are most frequently advocated by mature development organizations.

According to available statistical data1 , testing alone finds one defect per 4hours staff lab time. Formal review/inspection finds one defect per 1 staff

hour. Hence security reviews are a very effective tool for revealing coding

errors and security coding issues/exposures as compared to testing.

1 Based on data from documented results from ISO certified companies who have attained a minimum SEI Level 2 (or better)

designation; IBM, Hewlett Packard, Motorola, Boeing etc.


29/45

IBM Global Services

Page 29

Highlights

Use a combination of both automated

code analysis tools and process

frameworks

The goal of the reviews is to detect security problems (potential security

defects) as close as possible to their point of origin. The earlier a security

problem is detected, the easier and cheaper it is to fix it. The process

should involve extensive metrics collection to track and document sources

of errors and defects, leading to improvement of both the application and

the development process. The bottom line is that, reviews improve not only

software quality but also security.

Fix security errors early = Fix security errors cheaply!

Here too we see the use of a combination of both automated code analysis

tools and process frameworks to develop effective security code review

methods and processes.

As a general guideline, code review methodologies should concentrate on

correct, efficient and defensive/secure coding techniques, and usage of:

Method calls and input validation (e.g. cross-site scripting, SQL injections)

Class structures

Code reuse practices and use of dangerous APIs

Networking

Correct SPRNG (Secure Pseudo Random Number Generators) seeding

Device drivers

Infrastructure access Protocols

Encryption Methods/performance/administration

Scoping and name space issues to reduce errors resulting in security

issues

Data access controls

Memory management (e.g. buffer overflow protection)

Access to OS functions and admin APIs

Port mapping

Exception and error handling

Tracing and debugging issues as they relate to exposing sensitive data Logging

Configuration and provisioning management

Cryptographic methods and implementation


30/45

IBM Global Services

Page 30

Highlights

Security activities involved in

the build processes

Obfuscation techniques

Administration

Patching and upgrade methods

3rd Party API integration

Compilation and other code build issues

OS authentication

Garbage collection Java

Security activities involved in the build processes, which include things

such as compiling, linking and packaging for deployment, include:

use of code obfuscation tools to prevent certain degrees of reverse

engineering of object code which can lead to exposure of sensitive

information embedded in the code itself (e.g. initialization data such as

crypto initialization parameters or sensitive intellectual capital)

application of technologies and methods to deal with issues around

trusted software distribution and updates (e.g. signed code), digital rights

management (DRM), trusted computing, licensing and so on.

Testing and Security Controls Validation

In later phases of the SDLC, the focus shifts from designing and building

security controls to validating that the security controls will be effective.

Execution of testing and validation activities in the SDLC is preceded by

the definition of appropriate testing plans that correspond to all aspectsrelevant to use cases, the application component model, and the opera-

tional model. The following diagram illustrated processes involved as an

example in how effective testing plans are created.

Source: IBM Corp.


31/45

IBM Global Services

Page 31

Testing plans incorporate specific guidelines for the following types of

testing activities:

Unit Testing

Integration Testing

System Testing

Certification/Accreditation

Unit testing guidelines specify the source-level security functional

verification criteria that are the responsibility of the developer/programmer.

For example, unit testing would specify how a developer is to verify that a

particular code segment executing data encryption is actually encrypting

the data in the correct and expected manner.

Integration testing guidelines support component-wise system integration

as well as cross-organizational integration and interoperability testing that

focuses on security aspects. For example, such testing would be conducted

between development teams working in a B2B Web Services project where

the teams collaborate in order to execute tests designed to verify security

functions of interfaces and messages passed between the applications.

System testing guidelines take the user view as well as the adversary view of

the application. System testing involves testing all of the implemented use

cases and user interaction models to see if any avenues or exposures existthat could permit a user to override security controls or even defeat them.

Ethical hacking techniques and penetration testing are an integral part of

building more comprehensive test plans.

Certification testing typically involves an independent accreditation third-

party and is a final step toward achieving industry security assurance

certification for standards such as the Common Criteria (ISO 15408),

Europay, MasterCard, Visa (EMV) standard, Federal Information Processing

Standard (FIPS), Federal Information Security Management Act (FISMA),

Defense Information Technology Security Certification and AccreditationProcess (DITSCAP) and others.

Highlights

Ethical hacking techniques and

penetration testing are an integral

part of building more comprehensive

test plans.


32/45

IBM Global Services

Page 32

Production, Operation and Maintenance

Most standard organizations identify four types of maintenance wherespecific security assurance activities are integrated:

Adaptive Maintenance modification of an application because of some

changes to its external environment or requirements

Corrective Maintenance - modification of an application to correct a

defect or security vulnerability

Perceptive Maintenance - modification of an application to enhance its

functionality, hence potentially impacting security assurance

Preventative Maintenance - modification of an application to anticipate

a problem and ease future maintenance

A major element of on-going maintenance activities involves continual

vulnerability and risk management processes, security testing and re-certifi-

cation to ensure the continued security assurance levels of the application

system. Among the testing activities included we can find, for example:

Application Security Controls Testing a type of validation testing that

focuses on applications conformance to security requirements using

black-box, data-driven or I/O-driven security testing. The test plans

are derived from system testing plan guidelines.

Application Security Vulnerability and Risk Assessment and Review -

white-box or logic-driven testing designed to uncover systematic or

process security defects. This type of testing is based on detailed knowl-

edge of software design and implementation and can occur after the code

has been changed to add a new feature, or perform fixes. The test plans

are derived from integration and system testing plan guidelines.

Application Security Error-Oriented and Component-Oriented Testing -

focuses on assessing the security resiliency and recoverability of the

application in the event of error conditions such as memory overflow,

storage capacity limit attainment, network outage, OS or hardware faults.

This type of testing is necessitated by the potential presence of errors in

the maintenance processes leading to security vulnerabilities. The test

plans are derived from unit testing plan guidelines.

Highlights

On-going maintenance activities

involve continual vulnerability and

risk management processes, securitytesting and re-certification


33/45

IBM Global Services

Page 33

Highlights

Metrics should be collected

throughout the SDLC and

operational life-cycles

Application Code Security Metrics

Application Secure Development

Process Metrics

In addition, we see the growing importance of integrating automated

testing, vulnerability scanning and discovery systems that test the

application on a regular and continual basis and can be used to report

on any discovered vulnerability points, unsecured services, security and

privacy policy violations, unprotected resources, exposed sensitive data etc.,

in a continual way.

Metrics

A metric is a quantitative measure that characterizes an attribute of:

The application software development process

The quality and security assurance process

A software product or application system.

To help determine how good the enterprises efforts are at achieving their

assurance goals for application security we see the appropriate inclusion of

activities needed to collect metrics data effectively throughout the SDLC

and operational life-cycles. It is recommended that, at the very minimum,

metrics are collected and analyzed to provide some idea of the possible

issues around the development of the application: number of lines of code

found with security errors, function points with possible input validation

concerns, feature points missing security test plans, effort size (staff

months, man years), etc. Metrics are essential in those areas where we

need most control of our security efforts and processes.

Some traditional approaches in structuring metrics include:

Application Code Security Metrics: used to identify security quality of

application code

Metric: Number of Security Defects per module or package of similar

size/complexity.

Perspective: Total Released Security Defects (Development perspec-

tive) vs. Customer Found Security Defects (Customer perspective)

Application Secure Development Process Metrics: used to identify quality

of SDLC security processes and their QA.

Metric: In-process security faults per module or package per

phase/process. Containment Effectiveness (per phase and total)


34/45

IBM Global Services

Page 34

Highlights

Maintenance Metrics

Reliability and Resiliency Metrics

Estimation Accuracy Metrics

Developer Metrics

Perspective: Phase Containment Effectiveness, Total Security Defect

Containment Effectiveness. Maintenance Metrics: used for assessing security processes around the

maintenance environment

Metric: Number of New Open Security Problems, Total Open

Security Problems, Age of Open Security Problems, Age of Closed

Security Problems, Cost to Fix Security Problems, Mean Time To

Repair, Mean Time To Isolate, etc.

Reliability and Resiliency Metrics: used to identify and predict

application failures due to security faults

Metric: Failure rate, TBF Time between Failures, MTBF Mean Time

between Failures

Estimation Accuracy Metrics: to determine the viability of estimates for

application security

Estimation Accuracy

Developer Metrics: used to measure or define an indication of

application security properties

Modularity and compartmentalization of code for which indication of

following the proper defensive coding principals can be a guide to

the overall survivability of modules and subsystems in the event of

a security event.

Complexity measures which assess the goodness of security in a

structured design:

Coupling - the degree of critical interdependence of each pair

of elements.

Cohesion - the degree of tightness of each element,

communication cohesion.

Information hiding - the degree to which low-level details are

hidden in the elements.

Code complexity measures which assess the complexity and

understandability of the source code. Simplicity inevitably leads to

more secure applications. The more complex and less understand-

able the code is, the less secure it can be.


35/45

IBM Global Services

Page 35

Highlights

People are really the most important

component of achieving desired

security at any level

Development of technical application

security training courses

Employees with critical security roles

should undergo a certification process

Training and Awareness

As seen for application security, the power is clearly in the process.

However, people are really the most important component of achieving

desired security at any level. For an application security assurance program

to be successful, it is necessary to create a security culture where employees,

contractors and partners are educated on security policies, specific

processes, why security is important and what behavior is expected of them

Most employees will do the right thing if they know what it is, and most

employees have a very specific role to play within the development and

operational aspects of the application for security to be achieved.

A training and awareness program will obviously need to include technical

aspects that aid in the design and implementation of secure applications.

Approaches such as safe coding practices, defensive and resilient design

patterns are only a sample of the possible technical topics that staff will

need to be aware of and trained in. A general strategy will also determine

if a custom education program needs to be developed and maintained

internally or outsourced to a third party. For example, development of

technical application security training courses could be an aspect left best

to a subject matter expert third party company, whereas internal process

and policy education and awareness can be designed, developed and

delivered by the enterprises IT Security Organization.

In addition, there may be a need to examine education delivery options for

course material. Depending on the need and complexity of the material,

computer based training and/or instructor-led material should ideally be

incorporated. We also recommend closely examining the implementation

of a specific secure application development certification process for

developers and administration staff. Employees with these critical roles

should require a certificate attesting and validating their knowledge of

necessary security requirements.


36/45

IBM Global Services

Page 36

Highlights

Effective monitoring requires the

use of correlation analysis,

intelligence and use of tools and

statistical techniques

Metrics monitoring criteria are

required to define specific

response triggers

IBMs new Security Intelligence

managed service provides critical

advisories for the risk management

and application life-cycle processes

Monitoring and Security Intelligence

Application security events should be monitored throughout the life-cycle.

Depending on the size and complexity of the application system and

infrastructure, a very large amount of security event information may be

generated. Effective monitoring requires the use of correlation analysis,

intelligence and use of tools and statistical techniques. Regardless of the

scope of security monitoring, the result should be identification of security

issues and the creation of action plans to address those issues. Monitoring

of collected metrics for processes related to the SDLC and maintenance

are also important.

Metrics monitoring criteria are required to define specific triggers which

will drive timely response to certain negative patterns which will require

immediate or high priority attention. For example, suppose that for a

certain e-Business application it is of value to measure the number of

times security vulnerabilities failed to be identified or captured during

code review processes. This metric may indicate the code review

processes are not as effective as they should be in capturing these issues.

The development organization must be capable of identifying weaknesses

and provide plans designed to remedy the deficiency in the process or

the method being monitored.

Security intelligence for applications is meant to collect, analyze anddisseminate information designed to equip the enterprise with the

necessary tools to effectively mitigate and resolve threats involving and

affecting application systems infrastructure on a continuous basis.

IBMs new Security Intelligence managed service is an example of a service

that provides critical advisories and information for the risk management

and application life-cycle processes. The service provides specific data

collection on today's global complex technical security environment where

this data is then analyzed and converted into specific threat mitigation

knowledge, making it a powerful tool in developing application specific

mitigation and counter measures on an on-going basis. The goal is to stayahead of adversaries and indeed market competitors.


37/45

IBM Global Services

Page 37

Highlights

Application security engineering

and development methods can

help achieve business application

assurance goals.

Conclusion

We have seen a significant array of activities and issues that are involved in

application security carried out throughout the SDLC. It is important to

emphasis that while this may seem overwhelming to many inexperienced

enterprises, a combination of expert guidance, effective risk management

and crisp definition of security business strategies will help prioritization

and steer IT spending capital to achieve the business application assurance

goals. Continuous improvement, reusability, measurement and monitoring

of the security processes and practices will promote consistency, cost savings

and ultimately will lead to the success of the application security engineering

and development methods and consequently the expected reduction in the

amount of application security related incidents.


38/45

IBM Global Services

Page 38

Integrated Application Security Services Model

In an effort to help customers address security for e-Business applications,IBM has expanded its security services offerings, with an emphasis on

security vulnerability assessment, security process development for the

application SDLC, security architecture and solution design and

implementation as well as managed services including Security

Intelligence and Incident Response support.

The integrated services model for application security is possible due to

the strong partnership between the IBM Global Services Security/Identity

& Privacy Practice and Application Management and Innovation Services

(AMS/AIS). In addition, through collaboration with industry best-in-class

partner companies, IBM is able to bring together comprehensive application

security services and leading edge technologies, tools and capabilities.

IBM Global Services is uniquely positioned to deliver these services due

to its access to the IBM software product development and research arms

from which security and privacy (S&P) consulting lines of business draw

vast capabilities.

Highlights

IBMs integrated services model

for application security


39/45

IBM Global Services

Page 39

Highlights

In-depth review of specific

processes and controls around

the application development and

maintenance life-cycles

Apply best practices to design

and develop specific application

security processes

Customized application security

architecture based on sound

principles and standards

The following is a synopsis of the services offered:

Application Security Process Review

This service provides an in-depth review of specific processes and controls

around the application development and maintenance life-cycles. It is

particularly effective at going to sufficient depth to verify that security

controls intended to be in place have processes in place to ensure they

are implemented. The review is typically conducted against predefined

application security process standards and best practices such as ISO/IEC

17799, benchmarks and maturity capability models such as SEI

CMM/CMMI,SA-CMM and SSE-CMM. The processes are reviewed or

inspected along all aspects of the development life-cycle process.

The emphasis is incorporation of specific risk processes into broader

engineering and assurance processes.

Application Security Process Development

By employing strong process development methodologies such as the IBM

ITPM methodology, IBM Rational Unified Process model (IBM RUP), SEI

CMM/CMMI, SSE-CMM maturity model goals and ISO/IEC 17799, this

service identifies best practices to design and develop specific processes

that can be infused with the application development life-cycle model in

use by the customer, and provides the introduction of security controls,

checkpoints, monitoring, metrics and audit capabilities to ensure

application development processes are secure end-to-end.

Application Security Architecture

Every enterprise developing secure e-Business applications will need at

some point a consistent method to design and conceptualize an application

security solution and architecture. Be it for packaged or commercial off

the shelf (COTS) software that requires extensive customization or perhaps

a new J2EE or .NET application, the enterprise architecture and in particu-

lar the security architecture, should be based on sound methodologies,

security design patterns and best practices. IBM consultants analyze the

business and application strategies as well as any existing security policythroughout the clients enterprise, or a subset of the enterprise, and provide

application security architecture principles that can be used to make

management and technology decisions consistent with the organizations


40/45

IBM Global Services

Page 40

Highlights

Design and implement application

security controls and subsystems

Review source code using analysis

tools and manual walkthroughs to

validate the security of application

software modules

application security objectives. Methodologies are based on Common

Criteria (ISO 15408), ISO 7498-2 for technology recommendations and

ISO/IEC 17799 for process recommendations. The customized application

security architecture will provide a comprehensive, standards-based

framework for managing the application security program and ensuring

that it is consistent with the business objectives.

Secure Application Solution Design

Implementing security at any level can be complex, even more so when

considering security system design. Aspects that require considerable

engineering attention and cryptographic expertise when designing a security

system are addressed in this service. Advanced encryption techniques,

cryptographic key provisioning, management and exchange, tamper-proofing

persistent data and databases, conditional access control, digital signatures,

secure email, signed code and trusted computing, integration of smart

cards, biometrics and advanced hardware security modules and crypto

acceleration solutions are just a few of the many application security

controls and subsystems IBM consultants can help design and implement.

Application Security Code Reviews

This service provides and facilitates review processes for source code

using analysis tools and manual walkthroughs to validate the security of

application software modules. The reviews are offered in a wide range ofprogramming languages and development platforms. The service is also

aimed at inspection of security protocol design and implementation,

security metadata, interface definition, information hiding, obfuscation,

configuration data usage and more.


41/45

IBM Global Services

Page 41

Highlights

Ethical hacking and application

penetration testing

Identifying the security requirements

Threat and Risk Analysis geared

towards application security

posture and software

engineering process

Application Security Testing

The focus in this testing and assessment service is on the application

design and implementation as opposed to the processes. The testing and

assessments focus on the application itself, interfaces (web content, web

services and GUI), subsystems, integration and aggregation points, transient

data, transactions, platforms (concrete or virtualized), networking services

employed and any database or operating platform services. The incorporation

of ethical hacking and application penetration testing throughout provides

a hands-on component which works well with the entire assessment

framework for both legacy, new (developed) and third party components.

Application Security Controls Review

This service provides a "health check" type of assessment of general

application security controls. IBM consultants review the application

security controls from a broader organizational perspective. The service

includes identifying the security requirements (policy, standards, proce-

dures, including those to meet its legal requirements, ISO/IEC 17799 and

other ISO standards), what is in place, what is currently missing or weak

and what can be done to improve it. The service is typically useful

to customers who are seeking to get a snapshot of their application

development security maturity and what gaps they have in their high

level architecture, design and processes.

Application Security Risk Review

Risk review and assessment is a vital element of the enterprise application

security program. This service provides a TRA methodology using industry

standards such as IEEE 16085 specifically geared towards the measurement

of the applications security posture and the software engineering process

involved in its construction and validation. Starting with identification and

enumeration of assets, data and business transactions and processes handled

by the application, consultants will determine sensitivities, conduct scenario-

based analysis and provide reports indicating exposures, including potential

legal and regulatory compliance exposures. The assessment will also test thesecurity controls of the application and identify areas that require additional

controls enhancements, process improvement and investment prioritization

and strategy for the vulnerable assets.


42/45

IBM Global Services

Page 42

Highlights

IBM Global Services Learning provides

a broad range of security education

and awareness services.

IBM Security Intelligence Servicesis part of the Managed Security

Services portfolio

Learning Services

IBM Global Services Learning provides a broad range of security education

and awareness services. An extensive library of classroom and e-learning

courses is available to help customers build critical application security

competencies and keep development and operational staff skills up-to-date.

Services range from Security Engineering Practices, Security Clinics for

J2EE and .NET developers to Hands-on Security Qualification Testing and

Advanced Penetration Testing for the Ethical Hacker.

Intelligence Services

IBM Security Intelligence Services (ISIS) is part of the Managed Security

Services portfolio and is a key component of keeping our customers up

to date with the latest advisories, vulnerabilities and threats related to

platforms, middleware, COTS components and development tools.


43/45

IBM Global Services

Page 43

Biography

Sharon Hagi, Security/Identity & Privacy Practice, IBM Global Service,

IBM Canada Ltd, 3600 Steeles Ave. East, Markham, Ontario, L3R 9Z7

([email protected]). Mr. Hagi is a Senior Architect in the Security and

Privacy service delivery organization at IBM Global Service. He

received his Hon. B.Sc. in Computer Science and Physics from the

University of Toronto. Mr. Hagi has a solid background in the telecom-

munications and software industries. He has worked on a range of

information technology projects including multi-channel applications

for mobile banking, brokerage and m-commerce, financial risk

management large-scale analytical engines, software engineering and

design for telecom equipment and development of high speed switch

fabrics for Frame Relay and Asynchronous Transfer Mode WAN

protocols. He was in charge of leading technical engineering groups

for security product development including firewalls, smart card

applications and embedded hardware security modules. He has also

led a security services and professional consulting practice in Canadas

leading cryptography technology firm. He was involved in specification

and design of security solutions for distributed and ubiquitous

computing application frameworks, integrating wireless access security

technologies, 3G cellular mobile intelligent communication systems,

WLAN, WMAN and satellite networking, as well as advanced public-key

enablement (PKI) concepts for which Mr. Hagi holds a number ofinternational patents. Subsequent to joining IBM in 2003, he became

lead architect for application security consultancy projects. Mr. Hagi is

a member of the Institute of Electrical and Electronics Engineers and

the Association for Computing Machinery.


44/45

IBM Global Services

Page 44

References

[1] Christopher Fox, CA and Paul Zonneveld, CISA, CA,IT Control

Objectives for Sarbanes-Oxley, Issued by IT Governance Institute

[2] Systems Security Engineering Capability Maturity Model, SSE-CMM,

Model Description Document, Version 3.0, June 15, 2003

[3] Dunsmore, and Shen, Software Engineering Metrics and Models, the

Benjamin/Cummings Publishing Company, Inc. 1986

[4]Application Security Best Practices at Microsoft, The Microsoft IT group

shares its experiences, White Paper Published: January 2003

[5] Huaiqing Wang and Chen Wang, Taxonomy of Security Considerations

and Software Quality, COMMUNICATIONS OF THE ACM June2003/Vol. 46, No. 6

[6] J. J. Whitmore,A Method For Designing Secure Solutions, IBM Systems

Journal - Vol. 40, No. 3, 2001

[7] IEEE Std. 16085 Standard for Software Engineering - Software Life

Cycle Processes - Risk Management

[8] ISO/IEC Std. 17799 Standard forInformation Technology Code of

practice for information security management


45/45

Copyright IBM Corporation 2005.

IBM Canada Ltd.

3600, Steeles Ave East

Markham, ON

L3R 9Z7

Printed in Canada

04/05

All rights reserved.

IBM and the IBM logo are trademarks or

registered trademarks of International Business

Machines Corporation in the United States and

are used under licence by IBM Canada Ltd.

Other company, product and service names

may be trademarks or service marks of others.