Weakest links are greatest opportunities to enforce application security

Application security must be addressed across all phases of the Software Development Life Cycle

Blog post by HP Blogger

“By and large, most successful attacks today, approximately greater than 70 percent, are targeted at applications where inherently, most vulnerabilities reside,” says HP Distinguished Technologist John Diamant in his interview on SecuritySolutionsWatch.com. Yet, as Diamant points out, applications continue to represent one of the weakest links in enterprise security, often full of vulnerabilities. Weakest links can be the greatest opportunities to enforce application security. In the abstract for a session titled “Application security in the SDLC” at HP Protect 2013, Kevin Poniatowski of Safelight Security asserts that “Application security is not an add-on or a plug-in. It is a process that must be included in all phases of the development lifecycle to mitigate risk.” What exactly does this mean within each phase of the Software Development Lifecycle? Let us take a look.

“Earlier the better” is the mantra that applies when it comes to the proactive enforcement of security across the lifecycle.

Analysis. Along with the functional requirements, the non-functional requirements, security included, must be determined before an application is architected. This includes a gap analysis against the security regulations and best practices that apply to each individual application. Capturing these requirements up front makes it easier to justify the cost of the security measures needed to meet them.

Architecture. Security is an integral part of the Enterprise Architecture (EA) DNA. A high-level view of the architecture must be used for threat modeling and attack surface analysis to identify weaknesses in the structure and design; those weaknesses correlate directly with the security vulnerabilities that are likely to be coded or configured into the application later.

Build. Application designs must address the not-so-happy what-if scenarios, not just the expected path. Model-driven approaches work well to anticipate security violations proactively, so that the right countermeasures are in place at design time. Tools must then be used to scan the source code for vulnerabilities as it is written, rather than after it ships.

Test. “You can’t rely only on testing scenarios to find and fix all of your existing application vulnerabilities,” Diamant cautions. We must still test for and fix security flaws, even though these are reactive measures addressing defects that should have been preempted in the preceding phases.

Sustain. In operation, applications meet the infrastructural components of network and storage, which open up additional intersection points, a fertile ground for violations. Independent validation and verification of existing applications must be performed to proactively identify gaps, and therefore vulnerabilities.
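As an added example, and not code from the original post, here is a minimal AST-based check of the kind a source-code scanner performs in the Build phase: it flags Python calls that hand a run-time-built string to a shell, and shows the vulnerable form beside its hardened form. The sink list, the taint rule and both sample sources are constructed for this illustration; a real static analysis tool tracks where a value came from rather than treating every non-literal as tainted.

```python
"""Added example (not from the original post): a minimal AST-based source
scan for shell-command injection sinks, illustrating what the 'scan the
source code' step of the Build phase actually does. The sink list, rules and
sample sources below are constructed for this illustration; this is not a
real SAST tool and does no full data-flow analysis."""
import ast

# Functions that always hand their first argument to a shell.
SHELL_SINKS = {"os.system", "os.popen"}
# subprocess functions are a shell sink only when called with shell=True.
SUBPROCESS_SINKS = {"subprocess.call", "subprocess.run",
                    "subprocess.Popen", "subprocess.check_output"}


def _dotted_name(node):
    """Return 'pkg.func' for a call target written as Name or Attribute."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _is_dynamic(node):
    """A literal string is safe; anything built at run time (f-string,
    concatenation, % or .format(), a variable) is treated as tainted.
    Coarse on purpose: a real tool tracks where the value came from."""
    return not isinstance(node, ast.Constant)


def _shell_true(call):
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in call.keywords)


def scan_source(src):
    """Return [(line, sink, message)] for each risky shell invocation."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, ast.Call):
            continue
        target = _dotted_name(node.func)
        is_sink = target in SHELL_SINKS or (
            target in SUBPROCESS_SINKS and _shell_true(node))
        if is_sink and node.args and _is_dynamic(node.args[0]):
            findings.append((node.lineno, target,
                             "dynamic command string passed to a shell"))
    return sorted(findings)


# Constructed sample: the 'before' code a scanner should flag.
VULNERABLE = '''\
import os, subprocess

def ping(host):
    # host comes from the user and is spliced into a shell command
    os.system("ping -c 1 " + host)

def list_dir(path):
    subprocess.run(f"ls -l {path}", shell=True)
'''

# Constructed sample: the hardened form. An argv list with no shell means
# host/path are single arguments and are never re-parsed by /bin/sh.
# Values should still be validated (e.g. reject a leading '-') so they
# cannot be interpreted as options by the program itself.
HARDENED = '''\
import subprocess

def ping(host):
    subprocess.run(["ping", "-c", "1", host], check=True)

def list_dir(path):
    subprocess.run(["ls", "-l", path], check=True)
'''


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, scan_source(src))
```

Run stand-alone, it reports lines 5 and 8 of the vulnerable sample and nothing for the hardened one. The hardened form is also a reminder of the Test paragraph's point: removing the shell closes the injection, but option injection through a value beginning with `-` is a separate defect that the scan cannot see and that only validation at the trust boundary addresses.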

The weakest link in the security fabric, the applications, is getting less than 10 percent of the security spend within the enterprise, according to Diamant. Proactive measures early in the lifecycle are vital to the enforcement of application security. To that end, Diamant details specific techniques for requiring, architecting and designing security into an application very early in the lifecycle.

What measures are you taking within your enterprise to proactively enforce application security across the Software Development Life Cycle (SDLC)? Please consider attending the Application security session to check out other options.

Connect with Nadhan on: Twitter, Facebook, Linkedin and Journey Blog.

 


Discussion
Chris_P_Intel
Chris Peters 6 Points | Thu, 08/15/2013 - 20:52

Knowing where the weak points are is critical and investing to deliver balance across the threat landscape.

Recently I posted a blog on protection for a mobile business regarding need for layered defense in the enterprise. With the complexity of the mobility and ramping of security threats, having a proactive and dynamic approach to this space is key to success.

Chris

enadhan
E.G. Nadhan 246 Points | Fri, 08/16/2013 - 20:57

Chris, Thank you for weighing in with your observation here.

I really like the layered defense approach that you are describing in your post. It reinforces the need to ensure that proactive measures are taken early in the life cycle to secure applications. They are, in a way, the last opportunity to hold the fort against adversaries on the prowl. Once applications are penetrated, even encrypted data will be readily served up in a decrypted form to the "trusted" app.

Great post, by the way.


jdodge
John Dodge 1396 Points | Fri, 08/16/2013 - 14:02

Chris, I love the graphic. Could I publish it on the ECF?

Chris_P_Intel
Chris Peters 6 Points | Sat, 08/17/2013 - 21:38

John, Absolutely. Let me know if you need anything. Original graphic came from a whitepaper from the Intel IT Center

enadhan
E.G. Nadhan 246 Points | Fri, 08/16/2013 - 20:59

John,

If you publish it, I would be very interested in sharing my thoughts in another blog post.  Nice graphic.  I agree.  


jdodge
John Dodge 1396 Points | Mon, 08/19/2013 - 14:19
enadhan
E.G. Nadhan 246 Points | Wed, 09/11/2013 - 22:38

Sure thing, John.

Here are my thoughts on how this could be extended to national security as well. http://owl.li/oJQIj


jdodge
John Dodge 1396 Points | Tue, 08/13/2013 - 15:31

Is there a standard playbook for enterprise app security or does it vary from app to app? I would imagine there is a common set of security measures all enterprise apps must do.

SafelightCoop
Mike Cooper 0 Points | Wed, 08/14/2013 - 17:52

John,

There are a variety of techniques that can be used throughout the design, implementation, testing, and release lifecycle of an application. There are methodologies that cover all varieties of technologies such as databases, web apps, clients and servers, etc. 

...The trick is applying the right one!

Identifying the technologies used, such as a database, the trust boundaries of the application, and data flow throughout the system are common activities to assist in identifying appropriate security measures for a particular application. Holistic approaches like HP's CATA and Microsoft's SDL outline activities and when they should be performed, if appropriate to your application. On the other end, a model such as the BSIMM helps identify who in the industry is doing WHICH activity and HOW MUCH of it, so you can compare yourself to what is out there to help identify what you might want to do and how much of your resources you want to devote to it.

Architectural reviews and threat modeling are an excellent place to start, and help shape the process as unique to your application, system, industry, and data classification.

Hope that helps!

~Mike Cooper @SafelightCoop
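The trust-boundary and data-flow exercise Mike describes, and the threat modeling and attack surface analysis the Architecture paragraph of the post calls for, reduce to a model that can be queried once it is written down. The following is an added example of that, not code from the post, from HP CATA or from Microsoft's SDL; the components, zones, data labels, control names and rules are constructed for the illustration.

```python
"""Added example (not from the original post or from any vendor's
methodology): a small trust-boundary and data-flow model of the kind built
during an architecture review, used to enumerate the attack surface and the
boundary crossings that lack a control. Components, zones, data labels and
rules are constructed assumptions for this illustration."""
from dataclasses import dataclass

# Trust zones, higher = more trusted. An "inbound" crossing goes from a
# less-trusted zone to a more-trusted one; that is where untrusted input
# enters, i.e. the attack surface.
TRUST = {"internet": 0, "dmz": 1, "internal": 2, "data": 3}
SENSITIVE = {"pii", "credentials"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str             # classification of what travels on the flow
    controls: frozenset   # subset of {"tls", "authn", "authz", "input-validation"}


@dataclass
class Model:
    zones: dict           # component name -> zone name
    flows: list


def _inbound(model, f):
    return TRUST[model.zones[f.src]] < TRUST[model.zones[f.dst]]


def attack_surface(model):
    """Components that receive a flow from a less-trusted zone."""
    return sorted({f.dst for f in model.flows if _inbound(model, f)})


def findings(model):
    """Boundary crossings missing a control, with the STRIDE-style threat
    the missing control addresses. Flows inside one zone are skipped here;
    a fuller review would still look at them (lateral movement)."""
    out = []
    for f in model.flows:
        if model.zones[f.src] == model.zones[f.dst]:
            continue
        inbound = _inbound(model, f)
        if "tls" not in f.controls:
            out.append((f.src, f.dst,
                        "no transport protection: tampering/information disclosure"))
        if inbound and "authn" not in f.controls:
            out.append((f.src, f.dst,
                        "inbound crossing without authentication: spoofing"))
        if inbound and "input-validation" not in f.controls:
            out.append((f.src, f.dst,
                        "inbound crossing without input validation: injection"))
        if not inbound and f.data in SENSITIVE and "authz" not in f.controls:
            out.append((f.src, f.dst,
                        f"{f.data} sent to a less-trusted zone without authorisation: disclosure"))
    return out


# Constructed sample system: browser -> web tier -> API -> database.
MODEL = Model(
    zones={"browser": "internet", "web": "dmz", "api": "internal",
           "cache": "internal", "db": "data"},
    flows=[
        Flow("browser", "web", "form-input",
             frozenset({"tls", "authn", "input-validation"})),
        Flow("web", "api", "pii", frozenset({"authn"})),   # plaintext, trusts web's parsing
        Flow("api", "db", "pii",
             frozenset({"tls", "authn", "input-validation"})),
        Flow("api", "web", "pii", frozenset({"tls"})),     # response path, no authz check
        Flow("api", "cache", "pii", frozenset()),          # same zone: not a crossing
    ],
)

if __name__ == "__main__":
    print("attack surface:", attack_surface(MODEL))
    for src, dst, msg in findings(MODEL):
        print(f"{src} -> {dst}: {msg}")
```

Run stand-alone, it lists three entry points (web, api, db) and three gaps: the web-to-API hop has neither transport protection nor its own input validation, and the API returns PII to the DMZ without an authorisation check. The checklist per crossing is mechanical once boundaries and flows are recorded; what the model cannot tell you, such as whether the "authn" on a flow is actually strong, is where the review effort should go.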

enadhan
E.G. Nadhan 246 Points | Fri, 08/16/2013 - 21:09

Mike,

Thank you for responding to a thought-provoking question from John with valuable detailed insight.  While I agree whole-heartedly with your response, I would only change one of your observations.  

"The trick is applying the right combination of methodologies and techniques"

Enterprises do have to determine the right set of methodologies and techniques that best fit their overall risk management strategy in the context of application components.  The answer may not always be a single methodology or technique.

Insightful response, by the way.  Thank you.


jdodge
John Dodge 1396 Points | Wed, 08/14/2013 - 20:45

It does. Thanks, Mike.

enadhan
E.G. Nadhan 246 Points | Wed, 08/14/2013 - 15:02

Good question, John. In addition to defining the information security standards, enterprises must complement them with the guidelines that would apply to applications security at large in alignment with their Risk Management strategy. That said, there needs to be a level of autonomy from a business and technical perspective within the context of each application.

Incidentally, techniques like the one discussed by Diamant in his interview http://www.securitysolutionswatch.com/Interviews/in_Boardroom_HP_Diamant.html (HP's Comprehensive Applications Threat Analysis - HP CATA) bear strong consideration.

While CATA can be comprehensively applied across the landscape of applications within the enterprise, it can be also used to independently validate and verify applications to address specific vulnerabilities. A healthy mix of both approaches.
