Carney: How to Create an Effective Application Security Program

by Mark Carney, Fishnet Security

The arena of application security continues to top CSOs list of challenges.  Most organizations still seem to be taking a tactical approach to securing applications within their enterprises.  A very common path organizations take in protecting applications is by acquiring an application-layer scanning tool or an application firewall.  This tactical approach has driven the focus on application vendor tools and solutions, as well as a concentration on technical application vulnerabilities (i.e. SQL injection and XSS) and attack vectors through organizations such as Open Web Application Security Project (OWASP) and the Web Application Security Consortium (WASC).  Although, OWASP and WASC are excellent resources for the application security community and application security tools/solutions are essential and maturing, a more strategic approach is necessary in building a holistic application security program. 

Over the course of six months, a comprehensive list of application security program “elements” have been collected through the process of interviewing numerous CSOs and application developers, and soliciting feedback from over 125 security professionals.  Before rolling out a corporate application security program, consider these elements a part of your strategy.

Elements of the Application Security Initiative

* Application & Information Inventory

* Meeting and Maintaining Compliance Requirements

* Developing Internal Application Security Standards

* Establishing Initiative Sponsor & Owners

* Internal IT Audit Function

* Defining Methods of Application Security Due Diligence

* Performing Due Diligence on Affiliates/Business Partner Applications

* Outsourcing vs. Insourcing

* Prioritization of Applications & Frequency of Testing

* Training & Staffing Requirements

* Application Solutions & Tools

* Automated vs. Manual Review Process

* Remediation Procedures

* Reporting & Documentation

Application & Information Inventory

The starting block of an Application Security initiative is to complete an inventory of all applications within the enterprise.  Compile a spreadsheet of the number of applications, type of applications, middle-tier software, and database technologies that exist within all facets and business units of the organization.  By understanding the business purposes and information/data that is flowing through these applications, you can start developing protection strategies and standards that will secure your organization’s most critical data.

Meeting and Maintaining Compliance Requirements

As a CSO, one of the first steps in developing an application security program is to understand your organization’s responsibility in meeting application related standards or compliance requirements.  Recently, the Payment Card Industry (PCI) Data Security Standard (DSS) version 1.1, specifically states two significant application focus requirements.  The DSS requirement 11.3.2, states companies must conduct annual “application-layer penetration tests” and requirement 6.6 states that organizations need to “ensure all web-facing applications are protected against know attacks” by either “installing an application layer firewall” or “having all custom application code reviewed for common vulnerabilities” by June 30, 2008.  These types of application security related requirements must be identified as you begin to develop your application security program.

Developing Internal Application Security Standards

Establishing application specific security standards within the Software Development Lifecycle (SDLC) that require developers to follow applications as they are being developed is a sound business practice.   This proactive element consists of providing developers essential security requirements surrounding development frameworks (i.e. .NET, Java) that are mandatory to be included within the application development process.  The CSO’s responsibility is to ensure that Project Managers, Application Development Managers, and others involved in managing the application development lifecycle are including these security requirements within all in-house developed applications before moving them into a production environment.

Establishing Initiative Sponsor & OwnersMaybe the most important element of any initiative is to first get executive buy-in and support from upper management.  Establishing an initiative evangelist or sponsor, typically the CSO, who is experienced in developing business cases, metrics, and presenting to C-level executives is critical.  Deciding sole or shared responsibility of the application security program is important as well.  Several departments should or maybe involved with owning components of the application security program, such as Risk Management & Compliance, Internal Audit, Project Management, Development Teams, Security Group, and Systems & Infrastructure to name a few.  Establishing clear responsibility for each of these groups is imperative.   Internal IT Audit Function

Organizations that have an internal IT audit department should communicate how these individuals will be involved in the application security program.  Some organizations are having IT Audit review application testing result findings to provide follow up and accountability for completing remediation plans.  A few IT audit departments are even getting involved in performing certain types of application testing.   Make sure to understand the type of skill sets and training necessary for interrupting and evaluating technical application results and transitioning technical findings into how they may impact business.  

Defining Methods of Application Due Diligence There are many methods or approaches on how to provide the appropriate level of due diligence for applications.  A few of these methods include Threat Modeling, Fault Injection Testing, Architecture/Design/Implementation Analysis, Source Code Reviews, Database Vulnerability Testing, Host Configuration Reviews, Access Control Reviews, Software Development Lifecycle Reviews, Performance Load Testing, and others.  Based upon the application, CSOs need to define corporate standard on which methods of testing will be utilized for applications in the enterprise.Performing Due Diligence on Affiliates/Business Partner ApplicationsBusinesses outsource and connect to third party vendors and/or affiliates via web applications.  In these situations, due diligence reviews on these applications are necessary to ensure these applications align with your corporate internal application security standards.  For financial institutions, GLBA requires that security reviews be performed on Third Party Vendors.  Application security best practices and technical testing are a part of many of these Third Party Assessments.Outsourcing vs. Insourcing

Establishing an application security program involves deciding whether to bring in-house the right people and technology, or outsource these responsibilities.   The unique skill sets needed to perform quality application security reviews are rare in the marketplace.  Most seasoned and experienced application security staff or consultants come from an application development background.  Ensure that your organization has properly trained internal staff responsible for testing applications.  Hiring the right personnel is significant, as these individuals will also take ownership of evaluating, selecting, and utilizing application tools and solutions for the enterprise.  Outsourcing application security could involve hiring application security consulting firms to assist you in one or every aspect of the application security program.  There are now several options for application tools and firewalls to be outsourced by Managed Security Services companies.  Whether you in-house or outsource some or all components of the application security program, conduct a cost/benefits analysis prior to making this decision.

Prioritization of Applications & Frequency of Testing

With the potential of a large number of applications within the enterprise, an evaluation process is necessary to determine what criteria will assist your organization to prioritize which applications are most critical for testing.  A continuous next step after the application inventory is to set a “risk” rating for each application.  This allows for effective use of time, resources and budget.  Depending on the situation, organizations perform a multitude of testing periodically on applications.  Most organizations are performing application penetration testing on an annual basis.  However, the frequency of application testing must be revisited and reevaluated based on the critical data stored, processed, or transmitted in the application and the level of business impact the application has on business operations.

Training & Staffing Requirements

Proper training of internal security staff is critical and sometimes required for application security personnel.  Many application security focused consulting and training firms have very mature training instructors and course material.  These courses include high level application security awareness training and to specialized hands-on courses concentrating on a specific development language.  The more knowledgeable your staff becomes, the more comprehensive and in-depth testing will become.  Education is key.

Application Solutions & Tools

With much focus on the right application firewall, application-layer penetration testing tool, or source code analyzer, these solutions and tools by themselves cannot be relied upon.  As always, the right people and processes to properly implement and manage them must be in place to effectively leverage these technologies in securing applications.  Overall, application related solutions are maturing and are an essential part of application security.  However, time and time again, organizations solely depend on technology as the “silver bullet” to solve all problems.  Choose to properly evaluate and gain an understanding of what, when, where, and how application security technologies can be utilized.

Automated vs. Manual Review Process

As the marketplace continues to commoditize application security penetration testing, driving down the associated costs to perform this type of review, an organization must carefully understand the sorely missed value of “manual” testing process when conducting this work.  Historically, for application penetration tests that include both automated and manual testing on applications, 40-70 percent of overall application findings are found in the manual testing process.  This presents a significant portion of vulnerabilities and application exposures that simply would not be found with automated tools alone.  The level of due diligence performed within application penetration testing must align with the criticality of the application to the organization and the associated data being stored, processed, or transmitted.

Remediation Procedures

Upon completion of all application security reviews and testing, associated risks, threats, vulnerabilities, and weaknesses will be discovered. Discovering these findings is only the beginning. Organizations must assign the appropriate level of risk, prioritize findings, and make a business decision to mitigate, transfer, or accept each risk. Accountability is key.   

Reporting & Documentation

The final and one of the most critical application security program elements is multi-tiered reporting.  Both executive and technical level reporting and documentation are essential.  Executives require compliance and regulatory related reporting for external and internal auditors, examiners, and others.  In addition, executives desire to see improvement matrices or charts on how the application security program is reducing business risk.  Security professionals and developers will look for more granular data that empower them to mitigate specific vulnerability instances found in the testing process.

ConclusionThe elements of the application security corporate initiative is a guide for CSOs.  Developing an application security program within an enterprise is not a simple task, but considering these elements will make the program more strategic, effective, efficient, and hopefully more successful moving forward.

Mark Carney, CISSP, QSA, IAM, MBA, is Director of Strategic Solutions at FishNet Security.  He is a strategic advisor to CSOs at FORTUNE 500 and global institutions surrounding the topics of developing formal security programs, risk management, compliance, application security, incident management, and security assessment programs.