SlideShare ist ein Scribd-Unternehmen logo

White Paper: Aligning application security and compliance

Security Innovation
Security Innovation

According to a study made by Microsoft Security Intelligence Report, application vulnerability are reported as much as 4 times more often than browser or operating system vulnerabilities combined. This growing danger needs to be approached from two different, yet complementary perspectives: 1. Companies should first start to acknowledge the importance of software application risk management and then implement security objectives and measures into the SDLC. The question here is how should they do this? What are the best practices and what are the general compliance requirements and regulations? 2. Handling software security in applications should be done after compliance rules. However, despite the existence of some authorities and regulations in this field, the general compliance requirements are still insufficiently detailed and are subject to change and improvement. Since companies should follow the existent compliance requirements, but the latter seem to lack a coherent and explanatory guidance, the question of aligning application security to compliance requirements becomes a great challenge. Why aren't companies paying enough attention to application risks and its security? Why is the latter so difficult to implement? What are the best practices than can be approached to do it, while still following the general regulations? The following white paper extensively treats these questions and proposes to analyze the following: 1. How to align software development processes with corporate policies. 2. How to align software development activities with compliance requirements. 3. How to define an action plan to identify and remediate gaps between current and best practices.

Technologie
1 von 15
Downloaden Sie, um offline zu lesen
Aligning Application Security and Compliance A Security Innovation Whitepaper BOSTON | SEATTLE 187 Ballardvale St. Suite A195 ●Wilmington, MA 01887● Ph: +1.978.694.1008 getsecure@securityinnovation.com● www.securityinnovation.com
Page 1 Application Security: The Next Frontier of Compliance Application security is moving to the forefront Enterprises have gone to great lengths to improve information security and document compliance with regulations and industry standards such as Sarbanes-Oxley, PCI DSS, HIPAA, FFIEC, FISMA and ISO 2700x. But one critical area is only now coming into focus: application security. Regulators, auditors and enterprises are increasingly emphasizing application security because of the growing recognition that applications are the biggest source of data breaches. Citing data compiled from the U.S. National Vulnerability Database, a recent Microsoft Security Intelligence Report found that application vulnerabilities were reported about four times as often as browser vulnerabilities and operating system vulnerabilities combined. Analyst firm Gartner stated: “Over 70% of security vulnerabilities exist at the application layer, not the network layer.” Other researchers have estimated this figure at 90%.i As a result, regulators and industry standards bodies are introducing requirements related to application development practices. For example:  The PCI DSS standard calls for organizations to “develop applications based on secure coding guidelines” and prevent coding vulnerabilities such as injection flaws, buffer overflows, improper error handling and cross-site scripting.  The latest version of PCI DSS (2.0) adds examples of secure coding standards that organizations should follow to be compliant.  FISMA (Federal Information Security Act) and NIST (National Institute of Standards and Technology) guidelines require organizations to integrate security assessments into the software development life cycle, including code reviews, application scanning and regression testing.ii Why application security is difficult Unfortunately, most executives, IT managers and compliance teams find it difficult to come to grips with application security for a number of reasons:  Organizations usually have dozens or even hundreds of applications and systems that are exposed in some fashion to hackers, cybercriminals and potentially malicious “insiders” (business partners, contractors and employees).  Enterprises don’t understand how applications interact with their environment and exactly where these interactions can introduce risk.  Regulations call for general security requirements like “developing according to industry best practices” when no authoritative source for industry best practices exists.  Many regulatory requirements have non-obvious implications. For example, a requirement that protected information “should not be improperly altered or destroyed” implies that application developers need to provide extensive logging of transactions. This requirement is never stated 187 Ballardvale St. • Wilmington, MA 01887 Ph: +1 (978) 694-1008 • F: (978) 694-1666 www.securityinnovation.com
Page 2 explicitly, but an experienced auditor will recognize when inadequate logging renders an application non-compliant.  Implementing application security is complex; it involves policies, processes and training the entire software development team. How to connect application security and compliance While obstacles exist, reducing application-based risks and documenting the compliance of software applications can be easier than most organizations think — with the right knowledge and planning. In this white paper we discuss how to: 1. Align software development processes with corporate policies. 2. Align software development activities with compliance requirements. 3. Create an action plan to identify and remediate gaps between current and best practices. 187 Ballardvale St. • Wilmington, MA 01887 Ph: +1 (978) 694-1008 • F: (978) 694-1666 www.securityinnovation.com
Page 3 Aligning Software Development Processes with Corporate Policies Why involve management? Can’t application security be left to the software development organization? Why involve management? Software development groups typically concentrate primarily on delivering functionality and meeting schedules because they perceive that management priorities place these goals far ahead of application security and regulatory compliance. To counteract this tendency, software development groups need guidance from management on topics such as:  The importance management places on data security and compliance relative to other priorities.  The direct impact software applications have on data security risks.  The applicability and relative importance of the many federal, state and international regulations and industry standards.  The business implications of not meeting compliance mandates.  The potential impact on business of different types of data breaches and attacks on business systems. In other words, enterprises need an explicit process for formulating corporate security and compliance standards and policies, and for translating these into terms specific enough for people to apply on their jobs. This process should reach not only the application development group, but also the IT operations teams that deploy applications and monitor them for vulnerabilities, and the risk and compliance teams that are on the hook for meeting compliance mandates. The Corporate Application Compliance Framework To align software development with management policies, enterprises need an approach such as the Corporate Application Compliance Framework, shown in Figure 1. At the top level of the framework, the enterprise risk management (ERM), human resources and legal groups define the global scope, objectives and requirements for corporate governance, evaluating factors such as:  Applicable legislation (Sarbanes-Oxley, HIPAA, California SB 1386), industry standards (ISO 2700x, FISMA/NIST standards), compliance mandates (PCI DSS), and legal and human resources requirements (data privacy laws).  The potential impact of security breaches on customers, corporate reputation, regulatory bodies, and domestic and international governments.  The costs of security breaches and attacks in terms of regulatory fines, customer notification, loss of revenue, interrupted operations, loss of business continuity and other expenses. 187 Ballardvale St. • Wilmington, MA 01887 Ph: +1 (978) 694-1008 • F: (978) 694-1666 www.securityinnovation.com
Page 4 These evaluations can be embodied in standards that provide guidelines and priorities for business units and form the basis of corporate compliance standards. At the middle level of the process, an ERM group, together with representatives of the compliance and security teams, take the corporate security and compliance standards and add detail to create security policies for the company. These are high- level guidelines for operational security and compliance activities that can later be contextualized for specific business units and functional roles. Figure 1: The Corporate Application Compliance Framework Typical tasks at this middle level include: Source: Security Innovation  Studying the applicable regulations and standards, to identify specific requirements that apply to the enterprise.  Conducting a threat assessment to determine the security breaches potentially most damaging to the enterprise and the specific threats that might cause those breaches.  Classifying data assets to define levels of data sensitivity and identify which business processes store and transmit sensitive data.  Defining concrete application security objectives. Ideally, the policies developed through these exercises will be specific enough to guide the operational teams, although in practice, reaching the right level of specificity can be very challenging. At the base level of the process, the security and compliance teams help define and refine specific development processes, coding practices and procedures for documenting compliance, ensuring that they are relevant to local requirements and technology, as well as consistent with corporate security and compliance policies. These should address regional and business-unit-specific regulations and the technologies used by each development team. Contextualizing the corporate security and compliance policies for each software development and assessment team can be a labor-intensive and deeply technical process, but the effort is justified. The more specific and practical the guidance, the more successful the team will be in complying with corporate governance requirements. 187 Ballardvale St. • Wilmington, MA 01887 Ph: +1 (978) 694-1008 • F: (978) 694-1666 www.securityinnovation.com
Page 5 Aligning Software Development Activities with Compliance Requirements Security training Security training is a critical prerequisite to a successful, and compliant, application security program. While the appropriate type and amount of security training varies across organizations, in most cases:  All members of the software development organizations and selected members of the compliance team should attend basic software security awareness training.  Managers and architects should receive training on topics like threat modeling, architecture risk analysis and secure development life-cycle practices.  Software engineers should study defensive coding for specific languages and environments such as C+, C#, J2EE and ASP.NET.  Software engineers should learn how to operate tools such as code and web scanners. However, unless they understand how applications function and fail with respect to security, they will not get full utility out of these tools and spend countless hours weeding through false positives. Unless they understand the limits of the tools, they will be misled by a false sense of security.  Software engineers, network/IT managers and quality assurance professionals should be trained on how software applications are attacked. They also need to learn how to code software to fail securely, and to handle the error conditions that attackers attempt to create in applications.  Compliance professionals can benefit from courses on application security for specific standards like HIPAA and PCI DSS. Compliance and Security Training HIPAA requires that covered entities: Implement a security awareness and training program for all members of its workforce (including management). PCI DSS requires that organizations: “Implement a formal awareness program to make all personnel aware of the importance of cardholder data security...[and] verify that personnel attend awareness training upon hire and at least annually.” The Federal Financial Institutions Examination Council (FFIEC) states: “Financial institutions need to educate users regarding their security roles and responsibilities. Training should support security awareness and strengthen compliance with security policies, standards, and procedures.” NIST SP 800-64 R2 suggests that: “System development training and orientation should include basic and specialized (to environment) security awareness, training, and education.”iii 187 Ballardvale St. • Wilmington, MA 01887 Ph: +1 (978) 694-1008 • F: (978) 694-1666 www.securityinnovation.com
Page 6 Coding practices Standardized coding practices are essential for any professional software development organization. They embody best practices, improve consistency, reduce errors and facilitate testing. Most important, they provide a benchmark against which compliance can be measured. But “connecting the dots” between coding practices and compliance requirements can be extremely challenging. First, a broad range of domain expertise is required. Several experts may need to pool their knowledge to triangulate between: 1. Applicable regulations and standards. 2. Probable threats and application-related vulnerabilities. 3. Application security techniques and coding practices. Typically, this involves representatives from the compliance, software development and security teams. Often, outside experts are employed to catalyze the cross-training process and provide useful tools, mentoring and training. Second, many high-level requirements imply that certain functionality be provided or specific practices be followed, without stating the details. To comply with a requirement for data integrity, customer- facing applications should include comprehensive input validation and error-handling routines. A general requirement for confidentiality implies (among other things) that the software development organization have an internal standard forbidding the use of custom or untrusted encryption routines. These details are not explicit in the original requirement, but experienced auditors will know that they are implicit. Third, a number of implementation steps are required. Security coding practices and standards need to be documented, and software engineers, architects, database analysts and quality assurance engineers need to be trained in their use. Examples of application security coding practices Coding practices and standards can run to hundreds of topics, and will vary based on factors like corporate priorities, application types, probable threats and technical environments. The Corporate Application Compliance Framework and the software development life cycle (SDLC) activities discussed later in this white paper will help narrow down and prioritize these topics. But the coding practices necessary for compliance can still be voluminous. Table 1 summarizes some of the more important, grouped by high-level requirements. 187 Ballardvale St. • Wilmington, MA 01887 Ph: +1 (978) 694-1008 • F: (978) 694-1666 www.securityinnovation.com
Page 7 Table 1: Selected coding practices that contribute to compliance High-Level Standards (Partial Selected Coding Practices Requirement List) Confidentiality SOX, PCI DSS, ISO Appropriate use of strong encryption for data in databases. 27002, HIPAA, GLBA, Encrypting confidential data in memory. FFIEC, Basel lI, CA SB Encrypting data in motion, especially for wireless transmissions. 1386, FIPS 199, No custom or untrusted encryption routines. NIST SP 800-30/ 800- Masking confidential data that needs to be viewed in part (e.g., partial credit card or Social 53/800-64 Security numbers). Data integrity SOX, PCI DSS, ISO Robust integrity checks to prevent tampering with data. 27002, HIPAA, GLBA, Input validation and comprehensive error handling to prevent injection attacks, privilege FIPS 199, NIST SP escalation and other hacking techniques. 800-30/ 800-53/800-64 Output encoding. Use of least privileges. Hashing for confidential data that needs to be validated (e.g., passwords). Authentication SOX, PCI DSS, ISO Support for strong passwords and two-factor authentication where appropriate. and access 27002, HIPAA, Basel II, Role-based access control and revocation of rights, with clear roles mapped to permissions. control NIST SP 800-30/ 800- Locked-down file access and database roles. 53/800-64 No guest accounts. Passwords and keys encrypted before storage and transmission. Logging and SOX, PCI DSS, ISO Detailed audit trails of users accessing data and resources. auditing 27002, HIPAA, GLBA, Detailed logging of systems that process sensitive data, including shutdowns, restarts and CA SB 1386, NIST SP unusual events. 800-30/ 800-53/800-64 Event logs and audit trails available only to system administrators and protected from unauthorized modifications. No confidential data exposed in logs. Availability SOX, ISO 27002, Code reliability. HIPAA, Basel II, Failover and redundancy built into applications. FIPS 199, NIST SP Applications resistant to denial-of-service attacks. 800-30/ 800-53/800-64 Cleanup of confidential data in memory and in file systems during failures and shutdowns. Change SOX, Basel II, NIST SP Source control. management 800-53/ 800-64 Logging of application changes. Application change logs accessible only to authorized users and resistant to tampering. The approach taken in assembling the table above is a useful tactic in mapping application security to compliance. Often, a spreadsheet is created with controls from the necessary compliance regulations and guidelines listed in rows and the application security activities necessary to meet each control documented in the columns. A simple refactoring that combines redundant activities will show how single application security changes can provide coverage for multiple regulatory and governance controls. OWASP and other coding standards Several organizations publish documents and tools that can help enterprises develop and document their own secure coding practices. These include:  The Open Web Application Security Project (OWASP) Top 10 listing of critical web application security threats and suggested preventative practices.  The Microsoft SDL (Security Development Lifecycle).  The Common Weakness Enumeration (CWE) list of most dangerous software weaknesses.  The CERT Secure Coding Standards. 187 Ballardvale St. • Wilmington, MA 01887 Ph: +1 (978) 694-1008 • F: (978) 694-1666 www.securityinnovation.com
Page 8  Security Innovation’s TeamMentor™ secure development standards, an extensive collection of SSDLC practices and recommendations.iv Compliance and the SDLC Most enterprises have defined processes for software development. These help managers control functionality, quality and developer productivity. Unfortunately, they rarely place much emphasis on security or compliance activities. Yet building security into the software development life cycle (SDLC) is critically important for both compliance and development productivity. Regulations and industry standards are increasingly specifying requirements related to software development security best practices. For example, the PCI DSS standard specifies that compliant organizations should “incorporate information security throughout the software development life cycle.” The Department of Defense and Defense Information Systems Agency (DISA) recently published the 114-page Application Security and Development Security Technical Implementation Guide with detailed Figure 2: Integrating security into the software development life cycle (SDLC) Source: Security Innovation recommendations for creating a secure SDLC. iii There is also strong evidence that addressing security issues early can dramatically reduce software development costs and improve delivery schedules. Missing or inadequate security features are defects, and industry experts have determined that preventing defects in the design phase requires one-tenth the effort of catching and fixing those defects at the system test phase. Gartner estimates that removing 50 percent of software vulnerabilities prior to applications being put into production can reduce configuration management and incident response costs by 75 percent.iv Figure 2 shows how security can be built into the SDLC. Table 2 summarizes some activities that address compliance mandates. 187 Ballardvale St. • Wilmington, MA 01887 Ph: +1 (978) 694-1008 • F: (978) 694-1666 www.securityinnovation.com
Page 9 Table 2: Addressing compliance requirements related to the SDLC Activity Examples of Requirements and Recommendations Selected Best Practices Security “Security planning should begin...by: identifying key  Examine regulations and standards, potential exploits and objectives and security roles for the system development; identifying attacks, and the business risks of those exploits and requirements sources of security requirements, such as relevant laws, attacks. analysis regulations, and standards; and ensuring all key  Evaluate business requirements in terms of information stakeholders have a common understanding.” NIST SP confidentiality, integrity and availability. 800-64  Write “abuse cases” detailing how malicious users might interact with the system.  Define measurable goals for compliance and reducing vulnerabilities. Threat “[Covered entities must] conduct an accurate and Describe how adversaries might choose targets, locate entry modeling thorough assessment of the potential risks and points and conduct attacks. vulnerabilities to the confidentiality, integrity, and Identify what specific application defenses the attacker must availability of electronic protected health information defeat to be successful. held by the covered entity.” HIPAA Architecture “[Federal agencies should] employ architectural Identify design decisions that can mitigate risk; e.g., use and design designs, software development techniques, and languages such as Java and C# to reduce the risk from buffer review for systems engineering principles that promote effective overflow vulnerabilities, and validate all user input on servers to security information security within organizational information prevent attacks that manipulate variables on clients. systems.” FIPS PUB 200 Code review for “[Compliant organizations must conduct a] review of Use automated code scanning tools and manual reviews to security custom code prior to release to production or customers identify patterns such as non-constrained methods, unchecked in order to identify any potential coding vulnerability...by return values, methods without exception handling, embedded knowledgeable internal personnel or third parties.” PCI passwords and sensitive information disclosed in logs. DSS 2.0 Security testing “[Organizations must review] public-facing web Rigorously test those application components that process applications via manual or automated application confidential information, validate inputs, parse file formats and vulnerability security assessment tools or methods, at authenticate users. least annually and after any changes [unless those Check for sensitive information exposed in memory and in applications are protected by a web-application temporary files. firewall].” PCI DSS 2.0 Maintain a unit test library. Have developers cross-check each other’s code. Conduct extensive penetration testing. Deployment “[Organizations must] develop configuration standards Develop checklists to ensure that web servers, databases, and review for for all system components...Verify that system storage and networking systems are properly configured and security configuration standards are applied when new systems patched. are configured... For a sample of system components, Remove custom application accounts, user IDs and embedded verify that all unnecessary functionality is removed.” PCI passwords before applications are put into production. DSS 2.0 Of course, in the real world not every best practice can be adopted, at least not all at once. Organizations need to identify which activities are most important to them based on corporate governance and priorities, then decide which to adopt first and in what sequence to introduce the rest. For some enterprises, a “find and fix” approach using vulnerability scanners may suffice until their SDLC matures. Organizations with web-facing legacy applications may determine that the best use of their time is to plug a few gaping vulnerability holes. Companies with hundreds of small, internally facing applications might determine that code reviews are the best use of their time and skip penetration testing. 187 Ballardvale St. • Wilmington, MA 01887 Ph: +1 (978) 694-1008 • F: (978) 694-1666 www.securityinnovation.com
Page 10 The bottom line is that an enterprise needs to understand the inherent risk level of the applications it is building and deploying. Applications need to be examined in terms of factors like applicable compliance requirements, source (internal or outside third party), age, language (especially if written in an old or vulnerable language), environment in which they will be deployed, and the type and amount of sensitive information processed, stored and transmitted. The enterprise then needs to decide which activities in the software development life cycle will have the greatest impact on reducing risk and improving compliance. Again, a simple spreadsheet can be very useful here. Each of the risk factors can be documented and weighted based on threats and the risks they pose to business operations and data protection. Threat modeling is an activity with a high return on investment, because it helps organizations chart and measure threats, translate them into tangible risks and document compensating controls that can be used to mitigate the threats. 187 Ballardvale St. • Wilmington, MA 01887 Ph: +1 (978) 694-1008 • F: (978) 694-1666 www.securityinnovation.com
Page 11 Creating an Action Plan So far we have discussed:  How to align software development processes with corporate policies.  How to align software development activities with compliance requirements. But what is the best process for tackling these tasks? Below is a four-phase process that has proved effective in helping enterprises improve application security and document compliance. Assess existing software processes and practices  Assess existing software development processes and practices in terms of security effectiveness and match with regulatory requirements.  Review security policies and standards, organizational capabilities related to security, training, security attack response and patching processes.  Examine the security-related components of the software development life cycle, such as threat modeling, security objectives and requirements analysis, abuse case modeling, architecture and design reviews, code reviews for security, static and penetration testing, and deployment reviews for security.  Assess existing coding practices and standards related to objectives like confidentiality, privacy, data integrity and authentication.  Evaluate current processes for documenting compliance with application security best practices. Identify objectives and gaps The second phase of the process should center on goal setting. Investigate:  The gaps between existing security practices and industry best practices.  The technical and business risks associated with each security gap.  The costs, benefits and expected value of addressing each gap.  The extent to which current compliance activities successfully document application security processes and coding practices. One output of this analysis can be a spreadsheet with compliance requirements on one axis and controls and actions on the other. This spreadsheet can be employed to identify overlap and opportunities to use a single control to satisfy multiple requirements. The spreadsheet can also be used to highlight which current practices do not meet standards and which added security practices are desired but not yet in place in the SDLC. The sum of these two (practices needing improvement and practices desired but not yet in place) represents a comprehensive description of the activities the organization needs to adopt. Then use the results of these investigations to create a set of security and security compliance goals. 187 Ballardvale St. • Wilmington, MA 01887 Ph: +1 (978) 694-1008 • F: (978) 694-1666 www.securityinnovation.com
Page 12 Plan a remediation roadmap In the third phase of the process, use the assessments from the previous two phases to prioritize the identified threats and the areas most in need of improvement. For each high-priority area, review the major risk management strategies (avoid, transfer, accept, remediate), identify appropriate control options and describe necessary modifications to compliance activities. This process will show which activities and controls will produce the biggest “bang for the buck” by addressing the most important requirements or several requirements at once. Use the results of this analysis to construct a phased software risk remediation and compliance roadmap. Implement the remediation roadmap In the final phase of the process, select tools and partners and implement the remediation roadmap. Tools and partners can be used to accelerate or outsource tasks like training, threat modeling, requirements analysis, code reviews, penetration testing and development of secure coding practices. For example, expert advice can pay large dividends in areas like selecting the sequence of activities, since the order in which new tools and procedures are introduced is often critical in ensuring the successful evolution of the application security management process. Continue to measure progress relative to security and compliance objectives and requirements. Adjust the roadmap as corporate priorities, threat patterns and compliance standards change. 187 Ballardvale St. • Wilmington, MA 01887 Ph: +1 (978) 694-1008 • F: (978) 694-1666 www.securityinnovation.com
Page 13 How Security Innovation Can Help Security Innovation’s solutions are built upon 15 years of application security experience and research. Organizations such as Barclay’s, Symantec, ING, GoDaddy.com, MassMutual, Microsoft and HP depend on Security Innovation’s solutions to ensure their software applications are secure and in compliance. Improving application security and aligning it with compliance requirements involves a challenging set of activities. As detailed in this white paper, these range from defining standards and policies, to training large numbers of software engineers, testers and compliance professionals, to defining and documenting detailed coding practices, to adding new processes and compliance activities to the software development life cycle. Security Innovation can provide expertise and solutions to accelerate all of these activities. Offerings include:  SDLC Compliance gap analysis and optimization service to help IT and compliance managers map application security practices to compliance and corporate governance requirements. This service includes a complete analysis of people, processes and technology. It delivers a practical, specific roadmap to close gaps, and includes recommendations for security tools and training needed to achieve and maintain compliance.  TeamProfessor™ eLearning, the industry’s largest library of application security courses, covering each phase of the SDLC, all software application types, popular technologies like ASP.Net, Java, C/C++, .Net, Windows, C# and JRE, and industry standards/guidelines such as OWASP, PCI DSS, Microsoft SDL, HIPAA and NIST.  The TeamMentor™ Security Process Framework, featuring an extensive collection of SDLC best practices and methodologies designed to ensure that development is aligned with corporate security policies and compliance requirements. TeamMentor includes dedicated, prescriptive guidance views for PCI DSS, OWASP and Security Engineering, and is an excellent complement to any security training initiative.  Compliance consulting services to help managers evaluate current application security processes, assess staff training, create a Corporate Application Compliance Framework, and implement application security and compliance action plans.  Application assessment services to perform threat modeling, code reviews and application penetration testing on a single application or across an entire portfolio of software applications.  High-performance encryption software to ensure secure, efficient communications. To Learn More: For more information, please visit Security Innovation’s web site at http://www.securityinnovation.com. To evaluate the company’s eLearning products, please contact us at + 1.877.694.1008 x1 or getsecure@securityinnovation.com. 187 Ballardvale St. • Wilmington, MA 01887 Ph: +1 (978) 694-1008 • F: (978) 694-1666 www.securityinnovation.com
Page 14 Additional Reading from Security Innovation Application Security by Design: Security as a Complete Lifecycle Activity Regulatory Compliance Demystified: An Introduction to Compliance for Developers The Art of Threat Modeling for IT Risk Management How to Conduct a Code Review: Effective Techniques for Uncovering Vulnerabilities in Your Code 19 Attacks for Breaking (all) Applications (Excerpts from the best-selling book How to Break Software Security) Available at: http://web.securityinnovation.com/whitepaper-library Notes and Sources i Microsoft Security Intelligence Report, Vol. 9, January through June 2010: http://www.microsoft.com/security/sir/keyfindings/default.aspx#section_3_1. Estimate from Gartner, quoted in Computerworld, February 25, 2005: http://www.computerworld.com/printthis/2005/0,4814,99981,00.html. ii See https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf; https://www.pcisecuritystandards.org/pdfs/summary_of_changes_highlights.pdf; NIST Special Publication 800-53A Rev 1:Guide for Assessing the Security Controls in Federal Information Systems and Organizations: http://csrc.nist.gov/publications/nistpubs/800-53A-rev1/sp800-53A-rev1-final.pdf. iii Department of Defense/DISA Application Security and Development Security Technical Implementation Guide, Vol. 3, Release 2: http://iase.disa.mil/stigs/downloads/zip/u_application_security_and_development_stig_v3r2_20101029.zip. iv OWASP Top 10: http://www.owasp.org/index.php/OWASP_Top_Ten_Project Microsoft SDL: http://www.microsoft.com/security/sdl/ CWE/SANS Top 25 Software Errors: http://www.sans.org/top25-software-errors/ CERT Secure Coding: http://www.cert.org/secure-coding/ Security Innovation TeamMentor™: http://www.securityinnovation.com/products/team-mentor/index.shtml. v For estimates of the cost of finding defects at different stages of the development life cycle, see B. W. Boehm , P. N. Papaccio, Understanding and Controlling Software Costs, IEEE Transactions on Software Engineering, Vol. 14, No. 10, p.1462-1477, October 1988, or IDC and IBM Systems Sciences Institute, quoted in Microsoft Security Development Lifecycle: http://www.cert.uy/historico/pdf/MicrosoftSDL.pdf. The Gartner estimate can be found at: http://www.gartner.com/press_releases/asset_106327_11.html. 187 Ballardvale St. • Wilmington, MA 01887 Ph: +1 (978) 694-1008 • F: (978) 694-1666 www.securityinnovation.com

Empfohlen

Information security governance
Information security governanceInformation security governance
Information security governanceKoen Maris
 
To Be Great Enterprise Risk Managers, CISOs Need to Be Great Collaborators
To Be Great Enterprise Risk Managers, CISOs Need to Be Great CollaboratorsTo Be Great Enterprise Risk Managers, CISOs Need to Be Great Collaborators
To Be Great Enterprise Risk Managers, CISOs Need to Be Great CollaboratorsElizabeth Dimit
 
Va\\lue of e-safebusiness solutions
Va\\lue of e-safebusiness solutionsVa\\lue of e-safebusiness solutions
Va\\lue of e-safebusiness solutionsiansadler
 
Protecting the brand—cyber-attacks and the reputation of the enterprise
Protecting the brand—cyber-attacks and the reputation of the enterprise Protecting the brand—cyber-attacks and the reputation of the enterprise
Protecting the brand—cyber-attacks and the reputation of the enterprise The Economist Media Businesses
 
The CISO in 2020: Prepare for the Unexpected
The CISO in 2020: Prepare for the UnexpectedThe CISO in 2020: Prepare for the Unexpected
The CISO in 2020: Prepare for the UnexpectedIBM Security
 
The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...The Economist Media Businesses
 
Organizational Resilience Management - an Integrated GRC Approach
Organizational Resilience Management - an Integrated GRC ApproachOrganizational Resilience Management - an Integrated GRC Approach
Organizational Resilience Management - an Integrated GRC ApproachPECB
 
Implementing an Information Security Program
Implementing an Information Security ProgramImplementing an Information Security Program
Implementing an Information Security ProgramRaymond Cunningham
 

Empfohlen

Information security governance
Information security governanceInformation security governance
Information security governanceKoen Maris
 
To Be Great Enterprise Risk Managers, CISOs Need to Be Great Collaborators
To Be Great Enterprise Risk Managers, CISOs Need to Be Great CollaboratorsTo Be Great Enterprise Risk Managers, CISOs Need to Be Great Collaborators
To Be Great Enterprise Risk Managers, CISOs Need to Be Great CollaboratorsElizabeth Dimit
 
Va\\lue of e-safebusiness solutions
Va\\lue of e-safebusiness solutionsVa\\lue of e-safebusiness solutions
Va\\lue of e-safebusiness solutionsiansadler
 
Protecting the brand—cyber-attacks and the reputation of the enterprise
Protecting the brand—cyber-attacks and the reputation of the enterprise Protecting the brand—cyber-attacks and the reputation of the enterprise
Protecting the brand—cyber-attacks and the reputation of the enterprise The Economist Media Businesses
 
The CISO in 2020: Prepare for the Unexpected
The CISO in 2020: Prepare for the UnexpectedThe CISO in 2020: Prepare for the Unexpected
The CISO in 2020: Prepare for the UnexpectedIBM Security
 
The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...The Economist Media Businesses
 
Organizational Resilience Management - an Integrated GRC Approach
Organizational Resilience Management - an Integrated GRC ApproachOrganizational Resilience Management - an Integrated GRC Approach
Organizational Resilience Management - an Integrated GRC ApproachPECB
 
Implementing an Information Security Program
Implementing an Information Security ProgramImplementing an Information Security Program
Implementing an Information Security ProgramRaymond Cunningham
 
Security Framework for Digital Risk Managment
Security Framework for Digital Risk ManagmentSecurity Framework for Digital Risk Managment
Security Framework for Digital Risk ManagmentSecurestorm
 
Coso deloitte-managing-cyber-risk-in-a-digital-age
Coso deloitte-managing-cyber-risk-in-a-digital-ageCoso deloitte-managing-cyber-risk-in-a-digital-age
Coso deloitte-managing-cyber-risk-in-a-digital-ageLuisMiguelPaz4
 
Big Iron to Big Data Analytics for Security, Compliance, and the Mainframe
Big Iron to Big Data Analytics for Security, Compliance, and the MainframeBig Iron to Big Data Analytics for Security, Compliance, and the Mainframe
Big Iron to Big Data Analytics for Security, Compliance, and the MainframePrecisely
 
Developing Metrics for Information Security Governance
Developing Metrics for Information Security GovernanceDeveloping Metrics for Information Security Governance
Developing Metrics for Information Security Governancedigitallibrary
 
Supply Chain Risk Management corrected - Whitepaper
Supply Chain Risk Management corrected - WhitepaperSupply Chain Risk Management corrected - Whitepaper
Supply Chain Risk Management corrected - WhitepaperNIIT Technologies
 
Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Erik Ginalick
 
Securing the C-Suite: Cybersecurity Perspectives from the Boardroom
Securing the C-Suite: Cybersecurity Perspectives from the BoardroomSecuring the C-Suite: Cybersecurity Perspectives from the Boardroom
Securing the C-Suite: Cybersecurity Perspectives from the BoardroomIBM Security
 
How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityRahul Tyagi
 
EMA Megatrends in Cyber-Security
EMA Megatrends in Cyber-SecurityEMA Megatrends in Cyber-Security
EMA Megatrends in Cyber-SecurityEnterprise Management Associates
 
Finding a strategic voice
Finding a strategic voiceFinding a strategic voice
Finding a strategic voiceIBM India Smarter Computing
 
Microsoft Power Point Information Security And Risk Managementv2
Microsoft Power Point Information Security And Risk Managementv2Microsoft Power Point Information Security And Risk Managementv2
Microsoft Power Point Information Security And Risk Managementv2Graeme Payne
 
IT Security & Governance Template
IT Security & Governance TemplateIT Security & Governance Template
IT Security & Governance TemplateFlevy.com Best Practices
 
Protecting Donor Privacy
Protecting Donor PrivacyProtecting Donor Privacy
Protecting Donor PrivacyRaymond Cunningham
 
RSA大会2009-2010分析
RSA大会2009-2010分析RSA大会2009-2010分析
RSA大会2009-2010分析Jordan Pan
 
How to measure your cybersecurity performance
How to measure your cybersecurity performanceHow to measure your cybersecurity performance
How to measure your cybersecurity performanceAbhishek Sood
 
Unlocking High Fidelity Security
Unlocking High Fidelity SecurityUnlocking High Fidelity Security
Unlocking High Fidelity SecurityEnterprise Management Associates
 
Cybersecurity Preparedness Trends and Best Practices
Cybersecurity Preparedness Trends and Best PracticesCybersecurity Preparedness Trends and Best Practices
Cybersecurity Preparedness Trends and Best PracticesTony Moroney
 
How to write an IT security policy guide - Tareq Hanaysha
How to write an IT security policy guide - Tareq HanayshaHow to write an IT security policy guide - Tareq Hanaysha
How to write an IT security policy guide - Tareq HanayshaHanaysha
 
Five strategies for gdpr compliance
Five strategies for gdpr complianceFive strategies for gdpr compliance
Five strategies for gdpr compliancePeter Goldbrunner
 
Maintain data privacy during software development
Maintain data privacy during software developmentMaintain data privacy during software development
Maintain data privacy during software developmentMuhammadArif823
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfAnil
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfAnil
 

Weitere ähnliche Inhalte

Was ist angesagt?

Security Framework for Digital Risk Managment
Security Framework for Digital Risk ManagmentSecurity Framework for Digital Risk Managment
Security Framework for Digital Risk ManagmentSecurestorm
 
Coso deloitte-managing-cyber-risk-in-a-digital-age
Coso deloitte-managing-cyber-risk-in-a-digital-ageCoso deloitte-managing-cyber-risk-in-a-digital-age
Coso deloitte-managing-cyber-risk-in-a-digital-ageLuisMiguelPaz4
 
Big Iron to Big Data Analytics for Security, Compliance, and the Mainframe
Big Iron to Big Data Analytics for Security, Compliance, and the MainframeBig Iron to Big Data Analytics for Security, Compliance, and the Mainframe
Big Iron to Big Data Analytics for Security, Compliance, and the MainframePrecisely
 
Developing Metrics for Information Security Governance
Developing Metrics for Information Security GovernanceDeveloping Metrics for Information Security Governance
Developing Metrics for Information Security Governancedigitallibrary
 
Supply Chain Risk Management corrected - Whitepaper
Supply Chain Risk Management corrected - WhitepaperSupply Chain Risk Management corrected - Whitepaper
Supply Chain Risk Management corrected - WhitepaperNIIT Technologies
 
Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Erik Ginalick
 
Securing the C-Suite: Cybersecurity Perspectives from the Boardroom
Securing the C-Suite: Cybersecurity Perspectives from the BoardroomSecuring the C-Suite: Cybersecurity Perspectives from the Boardroom
Securing the C-Suite: Cybersecurity Perspectives from the BoardroomIBM Security
 
How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityRahul Tyagi
 
Microsoft Power Point Information Security And Risk Managementv2
Microsoft Power Point Information Security And Risk Managementv2Microsoft Power Point Information Security And Risk Managementv2
Microsoft Power Point Information Security And Risk Managementv2Graeme Payne
 
RSA大会2009-2010分析
RSA大会2009-2010分析RSA大会2009-2010分析
RSA大会2009-2010分析Jordan Pan
 
How to measure your cybersecurity performance
How to measure your cybersecurity performanceHow to measure your cybersecurity performance
How to measure your cybersecurity performanceAbhishek Sood
 
Cybersecurity Preparedness Trends and Best Practices
Cybersecurity Preparedness Trends and Best PracticesCybersecurity Preparedness Trends and Best Practices
Cybersecurity Preparedness Trends and Best PracticesTony Moroney
 
How to write an IT security policy guide - Tareq Hanaysha
How to write an IT security policy guide - Tareq HanayshaHow to write an IT security policy guide - Tareq Hanaysha
How to write an IT security policy guide - Tareq HanayshaHanaysha
 
Five strategies for gdpr compliance
Five strategies for gdpr complianceFive strategies for gdpr compliance
Five strategies for gdpr compliancePeter Goldbrunner
 

Was ist angesagt? (19)

Security Framework for Digital Risk Managment
Security Framework for Digital Risk ManagmentSecurity Framework for Digital Risk Managment
Security Framework for Digital Risk Managment
 
Coso deloitte-managing-cyber-risk-in-a-digital-age
Coso deloitte-managing-cyber-risk-in-a-digital-ageCoso deloitte-managing-cyber-risk-in-a-digital-age
Coso deloitte-managing-cyber-risk-in-a-digital-age
 
Big Iron to Big Data Analytics for Security, Compliance, and the Mainframe
Big Iron to Big Data Analytics for Security, Compliance, and the MainframeBig Iron to Big Data Analytics for Security, Compliance, and the Mainframe
Big Iron to Big Data Analytics for Security, Compliance, and the Mainframe
 
Developing Metrics for Information Security Governance
Developing Metrics for Information Security GovernanceDeveloping Metrics for Information Security Governance
Developing Metrics for Information Security Governance
 
Supply Chain Risk Management corrected - Whitepaper
Supply Chain Risk Management corrected - WhitepaperSupply Chain Risk Management corrected - Whitepaper
Supply Chain Risk Management corrected - Whitepaper
 
Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991
 
Securing the C-Suite: Cybersecurity Perspectives from the Boardroom
Securing the C-Suite: Cybersecurity Perspectives from the BoardroomSecuring the C-Suite: Cybersecurity Perspectives from the Boardroom
Securing the C-Suite: Cybersecurity Perspectives from the Boardroom
 
How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe Security
 
EMA Megatrends in Cyber-Security
EMA Megatrends in Cyber-SecurityEMA Megatrends in Cyber-Security
EMA Megatrends in Cyber-Security
 
Finding a strategic voice
Finding a strategic voiceFinding a strategic voice
Finding a strategic voice
 
Microsoft Power Point Information Security And Risk Managementv2
Microsoft Power Point Information Security And Risk Managementv2Microsoft Power Point Information Security And Risk Managementv2
Microsoft Power Point Information Security And Risk Managementv2
 
IT Security & Governance Template
IT Security & Governance TemplateIT Security & Governance Template
IT Security & Governance Template
 
Protecting Donor Privacy
Protecting Donor PrivacyProtecting Donor Privacy
Protecting Donor Privacy
 
RSA大会2009-2010分析
RSA大会2009-2010分析RSA大会2009-2010分析
RSA大会2009-2010分析
 
How to measure your cybersecurity performance
How to measure your cybersecurity performanceHow to measure your cybersecurity performance
How to measure your cybersecurity performance
 
Unlocking High Fidelity Security
Unlocking High Fidelity SecurityUnlocking High Fidelity Security
Unlocking High Fidelity Security
 
Cybersecurity Preparedness Trends and Best Practices
Cybersecurity Preparedness Trends and Best PracticesCybersecurity Preparedness Trends and Best Practices
Cybersecurity Preparedness Trends and Best Practices
 
How to write an IT security policy guide - Tareq Hanaysha
How to write an IT security policy guide - Tareq HanayshaHow to write an IT security policy guide - Tareq Hanaysha
How to write an IT security policy guide - Tareq Hanaysha
 
Five strategies for gdpr compliance
Five strategies for gdpr complianceFive strategies for gdpr compliance
Five strategies for gdpr compliance
 

Ähnlich wie White Paper: Aligning application security and compliance

Maintain data privacy during software development
Maintain data privacy during software developmentMaintain data privacy during software development
Maintain data privacy during software developmentMuhammadArif823
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfAnil
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfAnil
 
Foley-Cybersecurity-White-Paper_3.9.15
Foley-Cybersecurity-White-Paper_3.9.15Foley-Cybersecurity-White-Paper_3.9.15
Foley-Cybersecurity-White-Paper_3.9.15James Fisher
 
IT Governance and Compliance: Its Importance and the Best Practices to Follow...
IT Governance and Compliance: Its Importance and the Best Practices to Follow...IT Governance and Compliance: Its Importance and the Best Practices to Follow...
IT Governance and Compliance: Its Importance and the Best Practices to Follow...GrapesTech Solutions
 
NON-PROFIT ORGANIZATIONS’ NEED TO ADDRESS SECURITY FOR EFFECTIVE GOVERNMENT C...
NON-PROFIT ORGANIZATIONS’ NEED TO ADDRESS SECURITY FOR EFFECTIVE GOVERNMENT C...NON-PROFIT ORGANIZATIONS’ NEED TO ADDRESS SECURITY FOR EFFECTIVE GOVERNMENT C...
NON-PROFIT ORGANIZATIONS’ NEED TO ADDRESS SECURITY FOR EFFECTIVE GOVERNMENT C...IJNSA Journal
 
Mitigating Data Security Risks at Broker Dealers
Mitigating Data Security Risks at Broker DealersMitigating Data Security Risks at Broker Dealers
Mitigating Data Security Risks at Broker DealersBroadridge
 
Get Ready for Syncsort's New Best-of-Breed Security Solution
Get Ready for Syncsort's New Best-of-Breed Security SolutionGet Ready for Syncsort's New Best-of-Breed Security Solution
Get Ready for Syncsort's New Best-of-Breed Security SolutionPrecisely
 
A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementDaren Dunkel
 
Ensuring Compliance with Industry Standards Through Application Security Test...
Ensuring Compliance with Industry Standards Through Application Security Test...Ensuring Compliance with Industry Standards Through Application Security Test...
Ensuring Compliance with Industry Standards Through Application Security Test...Anju21552
 
MCGlobalTech Service Presentation
MCGlobalTech Service PresentationMCGlobalTech Service Presentation
MCGlobalTech Service PresentationWilliam McBorrough
 
Cyber Critical Infrastructure Framework Panel
Cyber Critical Infrastructure Framework PanelCyber Critical Infrastructure Framework Panel
Cyber Critical Infrastructure Framework PanelPaul Di Gangi
 
Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...
Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...
Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...Accenture Technology
 
Integrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-EffectivenessIntegrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-EffectivenessAyham Kochaji
 
managed-security-for-a-not-so-secure-world-wp090991
managed-security-for-a-not-so-secure-world-wp090991managed-security-for-a-not-so-secure-world-wp090991
managed-security-for-a-not-so-secure-world-wp090991Jim Romeo
 
5 steps-to-mobile-risk-management-whitepaper-golden-gekko
5 steps-to-mobile-risk-management-whitepaper-golden-gekko5 steps-to-mobile-risk-management-whitepaper-golden-gekko
5 steps-to-mobile-risk-management-whitepaper-golden-gekkoDMI
 
Whitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant EnvironmentsWhitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant EnvironmentsJason Dover
 
Choosing the Right Cybersecurity Services: A Guide for Businesses
Choosing the Right Cybersecurity Services: A Guide for BusinessesChoosing the Right Cybersecurity Services: A Guide for Businesses
Choosing the Right Cybersecurity Services: A Guide for Businessesbasilmph
 
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDFGT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDFLaurie Mosca-Cocca
 

Ähnlich wie White Paper: Aligning application security and compliance (20)

Maintain data privacy during software development
Maintain data privacy during software developmentMaintain data privacy during software development
Maintain data privacy during software development
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdf
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdf
 
Foley-Cybersecurity-White-Paper_3.9.15
Foley-Cybersecurity-White-Paper_3.9.15Foley-Cybersecurity-White-Paper_3.9.15
Foley-Cybersecurity-White-Paper_3.9.15
 
IT Governance and Compliance: Its Importance and the Best Practices to Follow...
IT Governance and Compliance: Its Importance and the Best Practices to Follow...IT Governance and Compliance: Its Importance and the Best Practices to Follow...
IT Governance and Compliance: Its Importance and the Best Practices to Follow...
 
Qradar Business Case
Qradar Business CaseQradar Business Case
Qradar Business Case
 
NON-PROFIT ORGANIZATIONS’ NEED TO ADDRESS SECURITY FOR EFFECTIVE GOVERNMENT C...
NON-PROFIT ORGANIZATIONS’ NEED TO ADDRESS SECURITY FOR EFFECTIVE GOVERNMENT C...NON-PROFIT ORGANIZATIONS’ NEED TO ADDRESS SECURITY FOR EFFECTIVE GOVERNMENT C...
NON-PROFIT ORGANIZATIONS’ NEED TO ADDRESS SECURITY FOR EFFECTIVE GOVERNMENT C...
 
Mitigating Data Security Risks at Broker Dealers
Mitigating Data Security Risks at Broker DealersMitigating Data Security Risks at Broker Dealers
Mitigating Data Security Risks at Broker Dealers
 
Get Ready for Syncsort's New Best-of-Breed Security Solution
Get Ready for Syncsort's New Best-of-Breed Security SolutionGet Ready for Syncsort's New Best-of-Breed Security Solution
Get Ready for Syncsort's New Best-of-Breed Security Solution
 
A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk Management
 
Ensuring Compliance with Industry Standards Through Application Security Test...
Ensuring Compliance with Industry Standards Through Application Security Test...Ensuring Compliance with Industry Standards Through Application Security Test...
Ensuring Compliance with Industry Standards Through Application Security Test...
 
MCGlobalTech Service Presentation
MCGlobalTech Service PresentationMCGlobalTech Service Presentation
MCGlobalTech Service Presentation
 
Cyber Critical Infrastructure Framework Panel
Cyber Critical Infrastructure Framework PanelCyber Critical Infrastructure Framework Panel
Cyber Critical Infrastructure Framework Panel
 
Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...
Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...
Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...
 
Integrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-EffectivenessIntegrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-Effectiveness
 
managed-security-for-a-not-so-secure-world-wp090991
managed-security-for-a-not-so-secure-world-wp090991managed-security-for-a-not-so-secure-world-wp090991
managed-security-for-a-not-so-secure-world-wp090991
 
5 steps-to-mobile-risk-management-whitepaper-golden-gekko
5 steps-to-mobile-risk-management-whitepaper-golden-gekko5 steps-to-mobile-risk-management-whitepaper-golden-gekko
5 steps-to-mobile-risk-management-whitepaper-golden-gekko
 
Whitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant EnvironmentsWhitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant Environments
 
Choosing the Right Cybersecurity Services: A Guide for Businesses
Choosing the Right Cybersecurity Services: A Guide for BusinessesChoosing the Right Cybersecurity Services: A Guide for Businesses
Choosing the Right Cybersecurity Services: A Guide for Businesses
 
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDFGT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
 

Kürzlich hochgeladen

[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 

Kürzlich hochgeladen (20)

[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 

White Paper: Aligning application security and compliance

  • 1. Aligning Application Security and Compliance A Security Innovation Whitepaper BOSTON | SEATTLE 187 Ballardvale St. Suite A195 ●Wilmington, MA 01887● Ph: +1.978.694.1008 getsecure@securityinnovation.com● www.securityinnovation.com
  • 2. Page 1 Application Security: The Next Frontier of Compliance Application security is moving to the forefront Enterprises have gone to great lengths to improve information security and document compliance with regulations and industry standards such as Sarbanes-Oxley, PCI DSS, HIPAA, FFIEC, FISMA and ISO 2700x. But one critical area is only now coming into focus: application security. Regulators, auditors and enterprises are increasingly emphasizing application security because of the growing recognition that applications are the biggest source of data breaches. Citing data compiled from the U.S. National Vulnerability Database, a recent Microsoft Security Intelligence Report found that application vulnerabilities were reported about four times as often as browser vulnerabilities and operating system vulnerabilities combined. Analyst firm Gartner stated: “Over 70% of security vulnerabilities exist at the application layer, not the network layer.” Other researchers have estimated this figure at 90%.i As a result, regulators and industry standards bodies are introducing requirements related to application development practices. For example:  The PCI DSS standard calls for organizations to “develop applications based on secure coding guidelines” and prevent coding vulnerabilities such as injection flaws, buffer overflows, improper error handling and cross-site scripting.  The latest version of PCI DSS (2.0) adds examples of secure coding standards that organizations should follow to be compliant.  FISMA (Federal Information Security Act) and NIST (National Institute of Standards and Technology) guidelines require organizations to integrate security assessments into the software development life cycle, including code reviews, application scanning and regression testing.ii Why application security is difficult Unfortunately, most executives, IT managers and compliance teams find it difficult to come to grips with application security for a number of reasons:  Organizations usually have dozens or even hundreds of applications and systems that are exposed in some fashion to hackers, cybercriminals and potentially malicious “insiders” (business partners, contractors and employees).  Enterprises don’t understand how applications interact with their environment and exactly where these interactions can introduce risk.  Regulations call for general security requirements like “developing according to industry best practices” when no authoritative source for industry best practices exists.  Many regulatory requirements have non-obvious implications. For example, a requirement that protected information “should not be improperly altered or destroyed” implies that application developers need to provide extensive logging of transactions. This requirement is never stated 187 Ballardvale St. • Wilmington, MA 01887 Ph: +1 (978) 694-1008 • F: (978) 694-1666 www.securityinnovation.com
  • 3. Page 2 explicitly, but an experienced auditor will recognize when inadequate logging renders an application non-compliant.  Implementing application security is complex; it involves policies, processes and training the entire software development team. How to connect application security and compliance While obstacles exist, reducing application-based risks and documenting the compliance of software applications can be easier than most organizations think — with the right knowledge and planning. In this white paper we discuss how to: 1. Align software development processes with corporate policies. 2. Align software development activities with compliance requirements. 3. Create an action plan to identify and remediate gaps between current and best practices. 187 Ballardvale St. • Wilmington, MA 01887 Ph: +1 (978) 694-1008 • F: (978) 694-1666 www.securityinnovation.com
  • 4. Page 3 Aligning Software Development Processes with Corporate Policies Why involve management? Can’t application security be left to the software development organization? Why involve management? Software development groups typically concentrate primarily on delivering functionality and meeting schedules because they perceive that management priorities place these goals far ahead of application security and regulatory compliance. To counteract this tendency, software development groups need guidance from management on topics such as:  The importance management places on data security and compliance relative to other priorities.  The direct impact software applications have on data security risks.  The applicability and relative importance of the many federal, state and international regulations and industry standards.  The business implications of not meeting compliance mandates.  The potential impact on business of different types of data breaches and attacks on business systems. In other words, enterprises need an explicit process for formulating corporate security and compliance standards and policies, and for translating these into terms specific enough for people to apply on their jobs. This process should reach not only the application development group, but also the IT operations teams that deploy applications and monitor them for vulnerabilities, and the risk and compliance teams that are on the hook for meeting compliance mandates. The Corporate Application Compliance Framework To align software development with management policies, enterprises need an approach such as the Corporate Application Compliance Framework, shown in Figure 1. At the top level of the framework, the enterprise risk management (ERM), human resources and legal groups define the global scope, objectives and requirements for corporate governance, evaluating factors such as:  Applicable legislation (Sarbanes-Oxley, HIPAA, California SB 1386), industry standards (ISO 2700x, FISMA/NIST standards), compliance mandates (PCI DSS), and legal and human resources requirements (data privacy laws).  The potential impact of security breaches on customers, corporate reputation, regulatory bodies, and domestic and international governments.  The costs of security breaches and attacks in terms of regulatory fines, customer notification, loss of revenue, interrupted operations, loss of business continuity and other expenses. 187 Ballardvale St. • Wilmington, MA 01887 Ph: +1 (978) 694-1008 • F: (978) 694-1666 www.securityinnovation.com
  • 5. Page 4 These evaluations can be embodied in standards that provide guidelines and priorities for business units and form the basis of corporate compliance standards. At the middle level of the process, an ERM group, together with representatives of the compliance and security teams, take the corporate security and compliance standards and add detail to create security policies for the company. These are high- level guidelines for operational security and compliance activities that can later be contextualized for specific business units and functional roles. Figure 1: The Corporate Application Compliance Framework Typical tasks at this middle level include: Source: Security Innovation  Studying the applicable regulations and standards, to identify specific requirements that apply to the enterprise.  Conducting a threat assessment to determine the security breaches potentially most damaging to the enterprise and the specific threats that might cause those breaches.  Classifying data assets to define levels of data sensitivity and identify which business processes store and transmit sensitive data.  Defining concrete application security objectives. Ideally, the policies developed through these exercises will be specific enough to guide the operational teams, although in practice, reaching the right level of specificity can be very challenging. At the base level of the process, the security and compliance teams help define and refine specific development processes, coding practices and procedures for documenting compliance, ensuring that they are relevant to local requirements and technology, as well as consistent with corporate security and compliance policies. These should address regional and business-unit-specific regulations and the technologies used by each development team. Contextualizing the corporate security and compliance policies for each software development and assessment team can be a labor-intensive and deeply technical process, but the effort is justified. The more specific and practical the guidance, the more successful the team will be in complying with corporate governance requirements. 187 Ballardvale St. • Wilmington, MA 01887 Ph: +1 (978) 694-1008 • F: (978) 694-1666 www.securityinnovation.com
  • 6. Page 5 Aligning Software Development Activities with Compliance Requirements Security training Security training is a critical prerequisite to a successful, and compliant, application security program. While the appropriate type and amount of security training varies across organizations, in most cases:  All members of the software development organizations and selected members of the compliance team should attend basic software security awareness training.  Managers and architects should receive training on topics like threat modeling, architecture risk analysis and secure development life-cycle practices.  Software engineers should study defensive coding for specific languages and environments such as C+, C#, J2EE and ASP.NET.  Software engineers should learn how to operate tools such as code and web scanners. However, unless they understand how applications function and fail with respect to security, they will not get full utility out of these tools and spend countless hours weeding through false positives. Unless they understand the limits of the tools, they will be misled by a false sense of security.  Software engineers, network/IT managers and quality assurance professionals should be trained on how software applications are attacked. They also need to learn how to code software to fail securely, and to handle the error conditions that attackers attempt to create in applications.  Compliance professionals can benefit from courses on application security for specific standards like HIPAA and PCI DSS. Compliance and Security Training HIPAA requires that covered entities: Implement a security awareness and training program for all members of its workforce (including management). PCI DSS requires that organizations: “Implement a formal awareness program to make all personnel aware of the importance of cardholder data security...[and] verify that personnel attend awareness training upon hire and at least annually.” The Federal Financial Institutions Examination Council (FFIEC) states: “Financial institutions need to educate users regarding their security roles and responsibilities. Training should support security awareness and strengthen compliance with security policies, standards, and procedures.” NIST SP 800-64 R2 suggests that: “System development training and orientation should include basic and specialized (to environment) security awareness, training, and education.”iii 187 Ballardvale St. • Wilmington, MA 01887 Ph: +1 (978) 694-1008 • F: (978) 694-1666 www.securityinnovation.com
  • 7. Page 6 Coding practices Standardized coding practices are essential for any professional software development organization. They embody best practices, improve consistency, reduce errors and facilitate testing. Most important, they provide a benchmark against which compliance can be measured. But “connecting the dots” between coding practices and compliance requirements can be extremely challenging. First, a broad range of domain expertise is required. Several experts may need to pool their knowledge to triangulate between: 1. Applicable regulations and standards. 2. Probable threats and application-related vulnerabilities. 3. Application security techniques and coding practices. Typically, this involves representatives from the compliance, software development and security teams. Often, outside experts are employed to catalyze the cross-training process and provide useful tools, mentoring and training. Second, many high-level requirements imply that certain functionality be provided or specific practices be followed, without stating the details. To comply with a requirement for data integrity, customer- facing applications should include comprehensive input validation and error-handling routines. A general requirement for confidentiality implies (among other things) that the software development organization have an internal standard forbidding the use of custom or untrusted encryption routines. These details are not explicit in the original requirement, but experienced auditors will know that they are implicit. Third, a number of implementation steps are required. Security coding practices and standards need to be documented, and software engineers, architects, database analysts and quality assurance engineers need to be trained in their use. Examples of application security coding practices Coding practices and standards can run to hundreds of topics, and will vary based on factors like corporate priorities, application types, probable threats and technical environments. The Corporate Application Compliance Framework and the software development life cycle (SDLC) activities discussed later in this white paper will help narrow down and prioritize these topics. But the coding practices necessary for compliance can still be voluminous. Table 1 summarizes some of the more important, grouped by high-level requirements. 187 Ballardvale St. • Wilmington, MA 01887 Ph: +1 (978) 694-1008 • F: (978) 694-1666 www.securityinnovation.com
  • 8. Page 7 Table 1: Selected coding practices that contribute to compliance High-Level Standards (Partial Selected Coding Practices Requirement List) Confidentiality SOX, PCI DSS, ISO Appropriate use of strong encryption for data in databases. 27002, HIPAA, GLBA, Encrypting confidential data in memory. FFIEC, Basel lI, CA SB Encrypting data in motion, especially for wireless transmissions. 1386, FIPS 199, No custom or untrusted encryption routines. NIST SP 800-30/ 800- Masking confidential data that needs to be viewed in part (e.g., partial credit card or Social 53/800-64 Security numbers). Data integrity SOX, PCI DSS, ISO Robust integrity checks to prevent tampering with data. 27002, HIPAA, GLBA, Input validation and comprehensive error handling to prevent injection attacks, privilege FIPS 199, NIST SP escalation and other hacking techniques. 800-30/ 800-53/800-64 Output encoding. Use of least privileges. Hashing for confidential data that needs to be validated (e.g., passwords). Authentication SOX, PCI DSS, ISO Support for strong passwords and two-factor authentication where appropriate. and access 27002, HIPAA, Basel II, Role-based access control and revocation of rights, with clear roles mapped to permissions. control NIST SP 800-30/ 800- Locked-down file access and database roles. 53/800-64 No guest accounts. Passwords and keys encrypted before storage and transmission. Logging and SOX, PCI DSS, ISO Detailed audit trails of users accessing data and resources. auditing 27002, HIPAA, GLBA, Detailed logging of systems that process sensitive data, including shutdowns, restarts and CA SB 1386, NIST SP unusual events. 800-30/ 800-53/800-64 Event logs and audit trails available only to system administrators and protected from unauthorized modifications. No confidential data exposed in logs. Availability SOX, ISO 27002, Code reliability. HIPAA, Basel II, Failover and redundancy built into applications. FIPS 199, NIST SP Applications resistant to denial-of-service attacks. 800-30/ 800-53/800-64 Cleanup of confidential data in memory and in file systems during failures and shutdowns. Change SOX, Basel II, NIST SP Source control. management 800-53/ 800-64 Logging of application changes. Application change logs accessible only to authorized users and resistant to tampering. The approach taken in assembling the table above is a useful tactic in mapping application security to compliance. Often, a spreadsheet is created with controls from the necessary compliance regulations and guidelines listed in rows and the application security activities necessary to meet each control documented in the columns. A simple refactoring that combines redundant activities will show how single application security changes can provide coverage for multiple regulatory and governance controls. OWASP and other coding standards Several organizations publish documents and tools that can help enterprises develop and document their own secure coding practices. These include:  The Open Web Application Security Project (OWASP) Top 10 listing of critical web application security threats and suggested preventative practices.  The Microsoft SDL (Security Development Lifecycle).  The Common Weakness Enumeration (CWE) list of most dangerous software weaknesses.  The CERT Secure Coding Standards. 187 Ballardvale St. • Wilmington, MA 01887 Ph: +1 (978) 694-1008 • F: (978) 694-1666 www.securityinnovation.com
  • 9. Page 8  Security Innovation’s TeamMentor™ secure development standards, an extensive collection of SSDLC practices and recommendations.iv Compliance and the SDLC Most enterprises have defined processes for software development. These help managers control functionality, quality and developer productivity. Unfortunately, they rarely place much emphasis on security or compliance activities. Yet building security into the software development life cycle (SDLC) is critically important for both compliance and development productivity. Regulations and industry standards are increasingly specifying requirements related to software development security best practices. For example, the PCI DSS standard specifies that compliant organizations should “incorporate information security throughout the software development life cycle.” The Department of Defense and Defense Information Systems Agency (DISA) recently published the 114-page Application Security and Development Security Technical Implementation Guide with detailed Figure 2: Integrating security into the software development life cycle (SDLC) Source: Security Innovation recommendations for creating a secure SDLC. iii There is also strong evidence that addressing security issues early can dramatically reduce software development costs and improve delivery schedules. Missing or inadequate security features are defects, and industry experts have determined that preventing defects in the design phase requires one-tenth the effort of catching and fixing those defects at the system test phase. Gartner estimates that removing 50 percent of software vulnerabilities prior to applications being put into production can reduce configuration management and incident response costs by 75 percent.iv Figure 2 shows how security can be built into the SDLC. Table 2 summarizes some activities that address compliance mandates. 187 Ballardvale St. • Wilmington, MA 01887 Ph: +1 (978) 694-1008 • F: (978) 694-1666 www.securityinnovation.com
  • 10. Page 9 Table 2: Addressing compliance requirements related to the SDLC Activity Examples of Requirements and Recommendations Selected Best Practices Security “Security planning should begin...by: identifying key  Examine regulations and standards, potential exploits and objectives and security roles for the system development; identifying attacks, and the business risks of those exploits and requirements sources of security requirements, such as relevant laws, attacks. analysis regulations, and standards; and ensuring all key  Evaluate business requirements in terms of information stakeholders have a common understanding.” NIST SP confidentiality, integrity and availability. 800-64  Write “abuse cases” detailing how malicious users might interact with the system.  Define measurable goals for compliance and reducing vulnerabilities. Threat “[Covered entities must] conduct an accurate and Describe how adversaries might choose targets, locate entry modeling thorough assessment of the potential risks and points and conduct attacks. vulnerabilities to the confidentiality, integrity, and Identify what specific application defenses the attacker must availability of electronic protected health information defeat to be successful. held by the covered entity.” HIPAA Architecture “[Federal agencies should] employ architectural Identify design decisions that can mitigate risk; e.g., use and design designs, software development techniques, and languages such as Java and C# to reduce the risk from buffer review for systems engineering principles that promote effective overflow vulnerabilities, and validate all user input on servers to security information security within organizational information prevent attacks that manipulate variables on clients. systems.” FIPS PUB 200 Code review for “[Compliant organizations must conduct a] review of Use automated code scanning tools and manual reviews to security custom code prior to release to production or customers identify patterns such as non-constrained methods, unchecked in order to identify any potential coding vulnerability...by return values, methods without exception handling, embedded knowledgeable internal personnel or third parties.” PCI passwords and sensitive information disclosed in logs. DSS 2.0 Security testing “[Organizations must review] public-facing web Rigorously test those application components that process applications via manual or automated application confidential information, validate inputs, parse file formats and vulnerability security assessment tools or methods, at authenticate users. least annually and after any changes [unless those Check for sensitive information exposed in memory and in applications are protected by a web-application temporary files. firewall].” PCI DSS 2.0 Maintain a unit test library. Have developers cross-check each other’s code. Conduct extensive penetration testing. Deployment “[Organizations must] develop configuration standards Develop checklists to ensure that web servers, databases, and review for for all system components...Verify that system storage and networking systems are properly configured and security configuration standards are applied when new systems patched. are configured... For a sample of system components, Remove custom application accounts, user IDs and embedded verify that all unnecessary functionality is removed.” PCI passwords before applications are put into production. DSS 2.0 Of course, in the real world not every best practice can be adopted, at least not all at once. Organizations need to identify which activities are most important to them based on corporate governance and priorities, then decide which to adopt first and in what sequence to introduce the rest. For some enterprises, a “find and fix” approach using vulnerability scanners may suffice until their SDLC matures. Organizations with web-facing legacy applications may determine that the best use of their time is to plug a few gaping vulnerability holes. Companies with hundreds of small, internally facing applications might determine that code reviews are the best use of their time and skip penetration testing. 187 Ballardvale St. • Wilmington, MA 01887 Ph: +1 (978) 694-1008 • F: (978) 694-1666 www.securityinnovation.com
  • 11. Page 10 The bottom line is that an enterprise needs to understand the inherent risk level of the applications it is building and deploying. Applications need to be examined in terms of factors like applicable compliance requirements, source (internal or outside third party), age, language (especially if written in an old or vulnerable language), environment in which they will be deployed, and the type and amount of sensitive information processed, stored and transmitted. The enterprise then needs to decide which activities in the software development life cycle will have the greatest impact on reducing risk and improving compliance. Again, a simple spreadsheet can be very useful here. Each of the risk factors can be documented and weighted based on threats and the risks they pose to business operations and data protection. Threat modeling is an activity with a high return on investment, because it helps organizations chart and measure threats, translate them into tangible risks and document compensating controls that can be used to mitigate the threats. 187 Ballardvale St. • Wilmington, MA 01887 Ph: +1 (978) 694-1008 • F: (978) 694-1666 www.securityinnovation.com
  • 12. Page 11 Creating an Action Plan So far we have discussed:  How to align software development processes with corporate policies.  How to align software development activities with compliance requirements. But what is the best process for tackling these tasks? Below is a four-phase process that has proved effective in helping enterprises improve application security and document compliance. Assess existing software processes and practices  Assess existing software development processes and practices in terms of security effectiveness and match with regulatory requirements.  Review security policies and standards, organizational capabilities related to security, training, security attack response and patching processes.  Examine the security-related components of the software development life cycle, such as threat modeling, security objectives and requirements analysis, abuse case modeling, architecture and design reviews, code reviews for security, static and penetration testing, and deployment reviews for security.  Assess existing coding practices and standards related to objectives like confidentiality, privacy, data integrity and authentication.  Evaluate current processes for documenting compliance with application security best practices. Identify objectives and gaps The second phase of the process should center on goal setting. Investigate:  The gaps between existing security practices and industry best practices.  The technical and business risks associated with each security gap.  The costs, benefits and expected value of addressing each gap.  The extent to which current compliance activities successfully document application security processes and coding practices. One output of this analysis can be a spreadsheet with compliance requirements on one axis and controls and actions on the other. This spreadsheet can be employed to identify overlap and opportunities to use a single control to satisfy multiple requirements. The spreadsheet can also be used to highlight which current practices do not meet standards and which added security practices are desired but not yet in place in the SDLC. The sum of these two (practices needing improvement and practices desired but not yet in place) represents a comprehensive description of the activities the organization needs to adopt. Then use the results of these investigations to create a set of security and security compliance goals. 187 Ballardvale St. • Wilmington, MA 01887 Ph: +1 (978) 694-1008 • F: (978) 694-1666 www.securityinnovation.com
  • 13. Page 12 Plan a remediation roadmap In the third phase of the process, use the assessments from the previous two phases to prioritize the identified threats and the areas most in need of improvement. For each high-priority area, review the major risk management strategies (avoid, transfer, accept, remediate), identify appropriate control options and describe necessary modifications to compliance activities. This process will show which activities and controls will produce the biggest “bang for the buck” by addressing the most important requirements or several requirements at once. Use the results of this analysis to construct a phased software risk remediation and compliance roadmap. Implement the remediation roadmap In the final phase of the process, select tools and partners and implement the remediation roadmap. Tools and partners can be used to accelerate or outsource tasks like training, threat modeling, requirements analysis, code reviews, penetration testing and development of secure coding practices. For example, expert advice can pay large dividends in areas like selecting the sequence of activities, since the order in which new tools and procedures are introduced is often critical in ensuring the successful evolution of the application security management process. Continue to measure progress relative to security and compliance objectives and requirements. Adjust the roadmap as corporate priorities, threat patterns and compliance standards change. 187 Ballardvale St. • Wilmington, MA 01887 Ph: +1 (978) 694-1008 • F: (978) 694-1666 www.securityinnovation.com
  • 14. Page 13 How Security Innovation Can Help Security Innovation’s solutions are built upon 15 years of application security experience and research. Organizations such as Barclay’s, Symantec, ING, GoDaddy.com, MassMutual, Microsoft and HP depend on Security Innovation’s solutions to ensure their software applications are secure and in compliance. Improving application security and aligning it with compliance requirements involves a challenging set of activities. As detailed in this white paper, these range from defining standards and policies, to training large numbers of software engineers, testers and compliance professionals, to defining and documenting detailed coding practices, to adding new processes and compliance activities to the software development life cycle. Security Innovation can provide expertise and solutions to accelerate all of these activities. Offerings include:  SDLC Compliance gap analysis and optimization service to help IT and compliance managers map application security practices to compliance and corporate governance requirements. This service includes a complete analysis of people, processes and technology. It delivers a practical, specific roadmap to close gaps, and includes recommendations for security tools and training needed to achieve and maintain compliance.  TeamProfessor™ eLearning, the industry’s largest library of application security courses, covering each phase of the SDLC, all software application types, popular technologies like ASP.Net, Java, C/C++, .Net, Windows, C# and JRE, and industry standards/guidelines such as OWASP, PCI DSS, Microsoft SDL, HIPAA and NIST.  The TeamMentor™ Security Process Framework, featuring an extensive collection of SDLC best practices and methodologies designed to ensure that development is aligned with corporate security policies and compliance requirements. TeamMentor includes dedicated, prescriptive guidance views for PCI DSS, OWASP and Security Engineering, and is an excellent complement to any security training initiative.  Compliance consulting services to help managers evaluate current application security processes, assess staff training, create a Corporate Application Compliance Framework, and implement application security and compliance action plans.  Application assessment services to perform threat modeling, code reviews and application penetration testing on a single application or across an entire portfolio of software applications.  High-performance encryption software to ensure secure, efficient communications. To Learn More: For more information, please visit Security Innovation’s web site at http://www.securityinnovation.com. To evaluate the company’s eLearning products, please contact us at + 1.877.694.1008 x1 or getsecure@securityinnovation.com. 187 Ballardvale St. • Wilmington, MA 01887 Ph: +1 (978) 694-1008 • F: (978) 694-1666 www.securityinnovation.com
  • 15. Page 14 Additional Reading from Security Innovation Application Security by Design: Security as a Complete Lifecycle Activity Regulatory Compliance Demystified: An Introduction to Compliance for Developers The Art of Threat Modeling for IT Risk Management How to Conduct a Code Review: Effective Techniques for Uncovering Vulnerabilities in Your Code 19 Attacks for Breaking (all) Applications (Excerpts from the best-selling book How to Break Software Security) Available at: http://web.securityinnovation.com/whitepaper-library Notes and Sources i Microsoft Security Intelligence Report, Vol. 9, January through June 2010: http://www.microsoft.com/security/sir/keyfindings/default.aspx#section_3_1. Estimate from Gartner, quoted in Computerworld, February 25, 2005: http://www.computerworld.com/printthis/2005/0,4814,99981,00.html. ii See https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf; https://www.pcisecuritystandards.org/pdfs/summary_of_changes_highlights.pdf; NIST Special Publication 800-53A Rev 1:Guide for Assessing the Security Controls in Federal Information Systems and Organizations: http://csrc.nist.gov/publications/nistpubs/800-53A-rev1/sp800-53A-rev1-final.pdf. iii Department of Defense/DISA Application Security and Development Security Technical Implementation Guide, Vol. 3, Release 2: http://iase.disa.mil/stigs/downloads/zip/u_application_security_and_development_stig_v3r2_20101029.zip. iv OWASP Top 10: http://www.owasp.org/index.php/OWASP_Top_Ten_Project Microsoft SDL: http://www.microsoft.com/security/sdl/ CWE/SANS Top 25 Software Errors: http://www.sans.org/top25-software-errors/ CERT Secure Coding: http://www.cert.org/secure-coding/ Security Innovation TeamMentor™: http://www.securityinnovation.com/products/team-mentor/index.shtml. v For estimates of the cost of finding defects at different stages of the development life cycle, see B. W. Boehm , P. N. Papaccio, Understanding and Controlling Software Costs, IEEE Transactions on Software Engineering, Vol. 14, No. 10, p.1462-1477, October 1988, or IDC and IBM Systems Sciences Institute, quoted in Microsoft Security Development Lifecycle: http://www.cert.uy/historico/pdf/MicrosoftSDL.pdf. The Gartner estimate can be found at: http://www.gartner.com/press_releases/asset_106327_11.html. 187 Ballardvale St. • Wilmington, MA 01887 Ph: +1 (978) 694-1008 • F: (978) 694-1666 www.securityinnovation.com