Business Value: Considerations And Recommendations For IT And Business Decision Makers
Because applications are a reflection of the business, we believe application security plays a major role in creating and retaining business value.
WHITE PAPER
TABLE OF CONTENTS
Summary
Business Impact
Our application security system uses the terms presented in the HBR article. Ultimately we have three elements to manage with three associated indices to track. The system is illustrated in table 1.

Table 1. High level elements and metrics associated with the Information Security System

Note that aspects of application security make contributions in all three categories.
Next, we must think about the elements that connect the application security system with the business. As with any other major subsystem of the overall information security system, application security is a factor to consider in each major area of the system. An application security system must be driven by policy, integrated with the overall strategy and tightly coupled with the controls that carry out holistic protection objectives. An ideal description of the customer security system is shown in the following diagram:
The Role Of Applications Within The Information Security System
For an information security system to be running optimally, managers must make decisions about each of these application security areas and put in place processes to carry out their decisions. If managers ignore their responsibility or take shortcuts on process, ad-hoc decisions will fill the void. These decisions often have disastrous results.
Let’s discuss a few of the application security areas in each category to explore the relationship to the overall information security system and the business value contribution through the foundation, flow and impact framework.
Security Checklists

These simple checklists are often useful for developers to keep security principles in mind. Listed below is a subset of an actual checklist. These lists should also be adapted to the business goals, threat environment and usage scenarios associated with the application.
Item: Session Token Security
Category: Session Security
Question: Does the application utilize session IDs that are sufficiently long and random?

Item: HTTP Methods
Category: Infrastructure Testing
Question: What HTTP methods does the web server support? Does the web server support HTTP methods such as PUT or DELETE?

Item: Web Server Configuration
Category: Infrastructure Testing
Question: Are there configuration dependent vulnerabilities on the server? Depending upon the web server type, what are the most common configuration errors and common paths?

Item: Directory Browsing
Category: Infrastructure Testing
Question: Can any directories be browsed?
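The three checklist questions above that lend themselves to automation are the session ID, HTTP method and directory browsing checks. The following Python is an added example written for this page, not code from the paper or its authors. It runs offline over constructed sample data: a sample of session IDs (entropy is estimated from the character distribution, which catches narrow alphabets and fixed positions but not all sequential patterns), an Allow header as returned by an OPTIONS request, and an HTML body that may be a directory listing. The thresholds (16 characters, 64 bits) and the set of methods flagged are assumptions chosen for the example.

```python
import math
import random
import re
from collections import Counter

# Assumed thresholds for this example, not figures from the paper.
MIN_SESSION_ID_LENGTH = 16
MIN_SESSION_ID_BITS = 64
# Methods a production web server should not normally expose (assumption; the
# checklist names PUT and DELETE, TRACE and CONNECT are added here).
RISKY_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT"}


def session_id_entropy_bits(session_ids):
    """Estimate bits of entropy per session ID from a sample.

    Shannon entropy of the character distribution across the whole sample,
    multiplied by the shortest ID length. A low value means the IDs share a
    narrow alphabet or many fixed characters and are likely predictable."""
    if not session_ids:
        return 0.0
    length = min(len(s) for s in session_ids)
    counts = Counter(ch for s in session_ids for ch in s)
    total = sum(counts.values())
    per_char = -sum((c / total) * math.log2(c / total) for c in counts.values())
    return per_char * length


def check_session_ids(session_ids):
    """Return length, estimated bits and whether both thresholds are met."""
    length = min(len(s) for s in session_ids) if session_ids else 0
    bits = session_id_entropy_bits(session_ids)
    return {"length": length, "bits": round(bits, 1),
            "ok": length >= MIN_SESSION_ID_LENGTH and bits >= MIN_SESSION_ID_BITS}


def risky_methods_from_allow(allow_header):
    """Parse an Allow header from an OPTIONS response; return flagged methods."""
    methods = {m.strip().upper() for m in allow_header.split(",") if m.strip()}
    return sorted(methods & RISKY_METHODS)


# Markers emitted by common servers when auto-indexing is enabled
# (Apache/nginx "Index of", Apache "Parent Directory", Tomcat "Directory Listing For").
LISTING_MARKERS = (
    re.compile(r"<title>\s*Index of /", re.IGNORECASE),
    re.compile(r"Parent Directory", re.IGNORECASE),
    re.compile(r"Directory Listing For", re.IGNORECASE),
)


def looks_like_directory_listing(html):
    """True if the response body looks like a server-generated directory index."""
    return any(p.search(html) for p in LISTING_MARKERS)


# Constructed sample data (not captured from a real application).
_rng = random.Random(42)
STRONG_IDS = ["".join(_rng.choice("0123456789abcdef") for _ in range(32)) for _ in range(8)]
WEAK_IDS = ["sess-0001%02d" % i for i in range(1, 9)]      # short, sequential
ALLOW_HEADER = "GET, HEAD, POST, PUT, DELETE, OPTIONS"
LISTING_HTML = "<html><head><title>Index of /backup</title></head><body>" \
               "<a href='/'>Parent Directory</a> db.sql</body></html>"

if __name__ == "__main__":
    print(check_session_ids(STRONG_IDS))
    print(check_session_ids(WEAK_IDS))
    print(risky_methods_from_allow(ALLOW_HEADER))
    print(looks_like_directory_listing(LISTING_HTML))
```

The entropy estimate is a screening check only: an ID built from a timestamp plus a counter can still show a wide alphabet per position while being guessable, so a failing result is conclusive but a passing one should be confirmed with a larger sample and a proper randomness analysis.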
Source Code Analysis

Source code analysis tools can provide a useful point of automation in identifying potential risks and vulnerabilities. This process may easily be integrated within the build cycle. However, when it comes to analysis, those performing the analysis must be equipped with the system requirements and security specifications, the threat profile for the system and any additional supporting documentation. The team is then equipped to examine the tool output and determine whether risks are relevant or not. The threat profile may also help rule out potential risks and vulnerabilities. Nevertheless, the findings in scope must be addressed.
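The triage step described above, in which the team reads the tool output against the threat profile and decides what is in scope, what has been accepted and what must be fixed, can itself be scripted into the build. The following Python is an added example for this page, not the paper's or any tool's code. It consumes a constructed, trimmed SARIF-style document (the shape many static analysis tools emit) and a hypothetical threat profile; rule names, file paths and the profile contents are all assumptions.

```python
import json

# Constructed SARIF-style output (a trimmed subset of the SARIF 2.1.0 shape),
# standing in for what a static analysis tool would write during the build.
SAST_OUTPUT = json.dumps({
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/orders.py"}}}]},
            {"ruleId": "weak-hash-md5", "level": "warning",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cache_key.py"}}}]},
            {"ruleId": "hardcoded-secret", "level": "error",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/fixtures/keys.py"}}}]},
        ],
    }],
})

# Hypothetical threat profile for the system: which paths are in scope, which
# rules the threat model has already reviewed and accepted (with the reason
# recorded), and which severities block the build.
THREAT_PROFILE = {
    "in_scope_prefixes": ["src/"],
    "accepted_rules": {"weak-hash-md5": "MD5 only derives a cache key; no integrity role"},
    "fail_levels": {"error"},
}


def triage(sarif_text, profile):
    """Split findings into must_fix / accepted / out_of_scope using the profile."""
    doc = json.loads(sarif_text)
    result = {"must_fix": [], "accepted": [], "out_of_scope": []}
    for run in doc["runs"]:
        for r in run["results"]:
            uri = r["locations"][0]["physicalLocation"]["artifactLocation"]["uri"]
            finding = (r["ruleId"], uri, r["level"])
            if not any(uri.startswith(p) for p in profile["in_scope_prefixes"]):
                result["out_of_scope"].append(finding)
            elif r["ruleId"] in profile["accepted_rules"]:
                # Ruled out by the threat profile, but kept in the record with its reason.
                result["accepted"].append(finding + (profile["accepted_rules"][r["ruleId"]],))
            else:
                result["must_fix"].append(finding)
    return result


def build_should_fail(triaged, profile):
    """The build fails only on in-scope, unaccepted findings at a blocking level."""
    return any(level in profile["fail_levels"] for _, _, level in triaged["must_fix"])


if __name__ == "__main__":
    t = triage(SAST_OUTPUT, THREAT_PROFILE)
    print(json.dumps(t, indent=2))
    print("fail build:", build_should_fail(t, THREAT_PROFILE))
```

The accepted list is deliberately not discarded: the acceptance and its reason are part of the output so an auditor can see why a finding was ruled out, and the out-of-scope list should be revisited whenever the threat profile or the scope of the system changes.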
Source code analysis tools can provide automation in identifying vulnerabilities over time even as new functionality is added.

Privacy

Privacy is another area that should be dictated by corporate security policy and reinforced by the application. There may be circumstances where the application is intended to be used internationally and corporate policy has not yet caught up with privacy laws in those countries. In this case the application team must do their own research and fold back the results into corporate policy.
Change Management

Change management controls when fixes to the application may be introduced. Processes should be stipulated by policy. An important practice is to document well the circumstances surrounding the need for the change. Often a new set of vulnerabilities will have been found, but it is equally important to note whether there has been a change in the threat model or in the supporting infrastructure.
Regulatory Compliance

We advocate creating policy such that internal compliance encompasses regulatory requirements. In any circumstance, testing procedures need to ensure compliance with the applicable regulations. This is often a good opportunity to have a web application assessment performed by a trusted third party: compliance is generally a cut and dried area, but the assessment may also surface other important areas of consideration.
Audit Process

One aspect of the secure application development process should be making the audit process easy and predictable. Strong documentation, predictable logging, and demonstrated adherence to policy all contribute towards a successful audit experience. Most importantly, anticipating and preparing for an audit makes this task just another predictable item on the schedule rather than a fear-inducing experience that can disrupt performance to schedule.
Incident Response
What happens if there is a data breach? We recommend that you prepare in advance
for the actions that will be taken. Further, responding to an incident will extend beyond
just the core applications team. Be clear on the roles and responsibilities of security,
operations and your own applications group.
Production Testing

To assess applications running in production a different strategy must be employed. One potential approach is to do application penetration testing with a suite of attacks that are known to be non-invasive and unlikely to take down the application. A better option, if the application is deployed in a virtualized environment, is to take a "snapshot" of the application to be tested. This image is then moved to a staging environment where it can be tested thoroughly. Note that such a snapshot carries production data and credentials with it, so the staging environment must be protected to the same standard as production and the image destroyed when testing is complete. When vulnerabilities are identified the application must be fixed, tested and then released back to production under change control.
Risk Management

Another important practice is to actively manage risk associated with the application. We have found that this can be done most effectively by developing a model that accounts for both the likelihood and the cost of loss-related events. For example, quantitatively modeling the risk of financial loss due to data breach, fines associated with non-compliance or business loss due to application downtime can be helpful in terms of allocating resources for prevention. But it is also useful in terms of helping management understand why so much effort is being expended around application security. Once again, this is an ongoing process that must stay current with emerging threats whether internal, external or from partner organizations.
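As a concrete form of the model described above, the following Python is an added example for this page, not the paper's own method. It expresses each loss event as an annual rate of occurrence (ARO) and a single loss expectancy (SLE), sums the annualized loss expectancy (ALE) across the three scenarios the paper names (data breach, non-compliance fines, downtime), and ranks candidate prevention controls by return on security investment, (loss avoided minus control cost) divided by control cost. All dollar figures, rates and control effectiveness values are constructed assumptions for illustration.

```python
# Constructed loss scenarios (hypothetical figures): annual rate of occurrence and
# single loss expectancy in dollars.
SCENARIOS = {
    "data_breach":     {"aro": 0.10, "sle": 2_000_000},
    "compliance_fine": {"aro": 0.20, "sle":   250_000},
    "app_downtime_8h": {"aro": 2.00, "sle":    40_000},
}

# Candidate controls (hypothetical): annual cost and the fraction by which each
# reduces the ARO of the scenarios it affects.
CONTROLS = {
    "sast_in_build":       {"cost":  40_000, "aro_reduction": {"data_breach": 0.30}},
    "waf_plus_monitoring": {"cost": 100_000, "aro_reduction": {"data_breach": 0.40,
                                                                "app_downtime_8h": 0.50}},
    "compliance_review":   {"cost":  30_000, "aro_reduction": {"compliance_fine": 0.70}},
}


def annual_loss_expectancy(scenarios):
    """ALE = sum over scenarios of ARO * SLE."""
    return sum(s["aro"] * s["sle"] for s in scenarios.values())


def apply_control(scenarios, control):
    """Return a copy of the scenarios with AROs reduced by the control."""
    reduced = {}
    for name, s in scenarios.items():
        factor = 1.0 - control["aro_reduction"].get(name, 0.0)
        reduced[name] = {"aro": s["aro"] * factor, "sle": s["sle"]}
    return reduced


def rosi(scenarios, control):
    """Return on security investment: (ALE avoided - cost) / cost."""
    before = annual_loss_expectancy(scenarios)
    after = annual_loss_expectancy(apply_control(scenarios, control))
    return (before - after - control["cost"]) / control["cost"]


def rank_controls(scenarios, controls):
    """Controls sorted by ROSI, best first, as (name, rosi) pairs."""
    scored = [(name, round(rosi(scenarios, c), 2)) for name, c in controls.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    print("ALE before controls: $%.0f" % annual_loss_expectancy(SCENARIOS))
    for name, r in rank_controls(SCENARIOS, CONTROLS):
        print("%-20s ROSI %.2f" % (name, r))
```

The point-estimate model is enough to show management where prevention spend pays back; once the inputs are argued over, the same structure accepts ranges (for example, sampling ARO and SLE from distributions) and the ranking should be re-run whenever the threat picture, internal, external or partner-originated, changes.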
The extended team, including operations, security and business unit management should
have a high degree of confidence in the following areas: