Secure Web Applications: Creating a Security Culture
Companies move applications to the Web to improve customer interactions, lower business processing costs and speed outcomes. But driving applications to the Web also increases vulnerabilities — unless security is an integral component of the application development process.
Table of Contents:
• Introduction
• Where’s the Disconnect?
• Culture Change
• Tool Time
• Application Security Resources
Introduction
IBM’s X-Force 2011 Mid-Year Trend and Risk Report notes that nearly 40 percent of disclosed security vulnerabilities this year occurred in Web applications. That number is down from about 50 percent in recent years, but it still represents a significant warning sign. Despite a drop in the volume of SQL injection vulnerabilities, other threats are on the rise. Clearly, Web application developers haven’t yet surmounted all the threats to online application security (see Figure 1).
Figure 1. Web application vulnerabilities

The same report notes that the IBM Rational Application Security Group found that 40 percent of the nearly 700 Web sites it tested contained client-side JavaScript vulnerabilities. The group also described a new type of vulnerability, DOM-based email attribute spoofing: a way to exploit JavaScript code in a Web application by automatically crafting an email for users to fill in, potentially leaking private information. In short, the report found that, even with some battles being won, criminals and mischief makers are continuing to scan the Internet for open services and attempting to break into them.

Other research supports this conclusion and quantifies the results. TechNavio analysts project that rising application-layer attack rates will help push the global Web-application vulnerability management market past $660 million in 2014. To successfully deal with vulnerabilities in Web applications — including those that put regulatory compliance at risk — security must be woven into the design and development culture and supported by the appropriate technology. This approach leads to a true development life-cycle approach to securing Web applications. This e-book explores the issues that lead to cultural disconnects, offers solutions on how to address them with technology, and details the resulting security benefits and other critical returns on investment.
Competing organizational agendas are a key problem enterprises must address when it comes to Web application vulnerabilities. The enterprise needs to be secure, but it also wants to be fast, first and flush with profits.
Business executives want innovative Web applications to go live quickly — whether for clients, internal teams or key partners — and developers feel pressure to deliver on time-to-market mandates. The demand for increasingly rich Web applications, suitable for running on a growing array of endpoints, is pushing developers to use advanced code techniques, building to all the possibilities that the Web 2.0 and 3.0 worlds offer to enhance experiences on desktop PCs, smartphones and tablets. However, in addition to deadline pressures, developers also face budget restrictions. The economic doldrums of the past few years have put reducing application development costs and other IT budget cuts high up on the agenda.
This deadly combination of factors leads to more exposure. Developers are asked to operate faster and more efficiently, to quickly harness revenue opportunities and to save scarce dollars. Somewhere in that rush, the security-related testing, tools, resources, training and management that may have been embedded in the development process budget have taken a hit, and security best practices have been shuffled to the side.
Is it any wonder that the information security professionals surveyed listed application vulnerabilities as the number-one threat to organizations in the 2011 (ISC)2 Global Information Security Workforce Study, conducted by Frost & Sullivan for the nonprofit International Information Systems Security Certification Consortium?
Where’s the Disconnect?
Most often, development and security live in two different and, unfortunately, isolated worlds. As a consequence, security — even when economic conditions are more favorable and business executives more patient — isn’t aligned with the development life cycle. Ironically, this situation actually increases costs, because fixing defects gets more expensive as the development and deployment cycle progresses.
Figure 2. Increasing application security costs
According to one study, the cost to find and fix a defect rises from $80 at the requirements phase, to $240 at the design and build phase, to $960 at the QA/testing phase, to $7,600 after release. (See Figure 2.) Remediating a security vulnerability can be significantly more expensive than fixing other bugs, because there is more inherent risk if an application is compromised through a security issue.
And the impact can be more immediate, too, especially if the security breach affects customers who, by law, must be notified of the occurrence. Also, the impact may be longer lasting, taking a toll on the corporation’s reputation for quality and leading customers to explore other sources to meet their needs.
“Security can have an even more rapid or drastic impact to the overall business,” says IBM senior security architect Ryan Berg. “Although [quality defects and security vulnerabilities] share a lot of the same similarities from the standpoint of how they can impact the business and impact the brand that I’m trying to promote, security defects can have a much more sort of hockey-‐stick approach to how fast that negative impact can actually occur.”
Culture Change
The first step to ending the disconnect that leads to these problems is one that must be taken by both IT and business leaders. Once they understand how poor application security can — or already does — cost their business, they must forge the path that will make it possible to catch and fix security code flaws earlier in the software development life cycle, for Web and all other applications.

That path intersects at multiple points: where security is able to effectively drive remediation into development, and where testers and developers have access to expertise about detection and remediation capability. It is particularly important that testers and developers feel neither penalized nor at risk of losing any benefits for the time allocated to ensuring that new and existing code is securely developed; otherwise the effort to build in security will fail. Another intersection point is between senior executives and individual business unit heads, so that division leaders get the message that security must not be sacrificed for speed — and that they must manage their own initiatives to account for that.

All facets of the organization would welcome managers supporting secure software delivery, according to recent research conducted by software delivery analyst firm Creative Intellect Consulting in association with the information security professional body (ISC)2 and the International Association of Software Architects (IASA). When respondents were asked what was preventing them from improving security across the software delivery life cycle, nearly two-thirds of software development, IT and information security professionals cited lack of management support and investment.
Given the impact that management’s actions have on the organization at large, it is not surprising that 69 percent of respondents said that not having the right culture, attitude and mindset was to blame. Sixty-nine percent also pointed to not having appropriate processes — again, no surprise, since processes are an outgrowth of the attitudes that set the culture of an organization. Discussing the secure software delivery issue in a statement when the survey was released, Bola Rotibi, founder of Creative Intellect, said that it is as much a lack of process as it is insecure code that keeps many organizations from embedding security tightly into the software delivery process. “It’s time we stopped blaming developers, recognized that insecure software is the root of many cyber-security challenges and demanded that management take control of the problem before it impedes organizations’ ability to deliver new business-critical applications,” her statement reads. “We’d like to see organizations taking a multifaceted approach to tackling the software security challenge.”
IBM’s Berg expresses similar thoughts. “Quality and security [are] not a developer problem. Sometimes we like to focus on the developers because … [they] are the tools that are building our software. So, when we have bad quality or bad security, we like to blame it on someone, and that poor person tends to be the developer,” Berg says. “But the reality of the situation is that it’s not a developer problem, but a development problem.” And, he adds, it requires senior executive-level commitment to make security an important aspect of the software delivery mechanism — to ensure that security standards are built into the development life cycle — or security won’t be achieved.
Tool Time
Just as tools contributed to the development of human culture — from Stone Age arrowheads in primitive hunting societies to the social media behind today’s participatory Internet — making Web application security an inherent element of a new software and systems delivery culture requires its own set of tools. Ideally, these tools are part of an integrated, automated and comprehensive suite. Point solutions suffer from design limitations, such as vulnerability scanners that don’t cover Web applications, or manual penetration testing that can’t scale and isn’t focused on remediation.
IBM’s Rational portfolio of tools provides a holistic approach, so that security accountability is built into development aspects. (See Figure 3.) That approach stretches from analyzing the source code used to build applications at any point and reviewing code for issues and errors prior to deployment, to automatically scanning applications (including those for the latest Web 2.0 technologies), identifying vulnerabilities and generating reports with intelligent-fix recommendations. The Rational AppScan Source, AppScan Standard and AppScan Enterprise solutions support these functions, with a focus on efficiency to avoid compromising realistic time-to-market goals.
Figure 3. The IBM Rational AppScan Suite

A cohesive suite that introduces security into the development process from the outset reduces the costs of time-consuming manual code reviews and bolt-on remediation. It also provides a coordinated, dexterous method to meet Web application security concerns head on, enabling the organization to:
• Vet weak or nonstandard cryptographic algorithms that are breakable or of insufficient strength to stop an attacker from recovering encrypted data
• Avoid access control vulnerabilities that might let someone read confidential information or take control of the system
• Keep attackers from injecting malicious commands into applications that load or evaluate dynamic code
• Stop SQL injection attacks, in which attackers alter the application’s database queries to illicitly read data or destabilize the database, and cross-site scripting (XSS) attacks, which cause unsuspecting users’ browsers to run malicious code. Input validation helps, but the dependable defenses are parameterized queries on the database side and context-aware output encoding on the HTML side
• Combat cross-site request forgery (CSRF or XSRF), in which an attacker causes a user’s browser to transmit unauthorized commands to a website that trusts that user
• Avoid improperly building Web 2.0 mashups, often created with new tools and technologies such as Ajax, that raise the potential for new forms of security abuse
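The SQL injection, XSS and CSRF items above, shown as working code. This is an added example, not code from the e-book or from IBM’s AppScan products: each flaw appears as a vulnerable Python function beside its hardened form, run against an in-memory SQLite table. The user rows, the session and form dictionaries, the ledger and the attack payloads are all constructed for the demonstration and are assumptions, not anything the original page describes.

```python
"""Added example: vulnerable and hardened forms of SQL injection, XSS and CSRF.
Not from the e-book or IBM AppScan. All data below is constructed for the demo."""
import hmac
import html
import secrets
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample user table standing in for an application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.com", "admin"),
         ("bob", "bob@example.com", "user")],
    )
    return conn


# --- SQL injection --------------------------------------------------------
def lookup_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # String formatting places attacker-controlled text inside the query
    # grammar, so a quote in the input rewrites the WHERE clause.
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, username: str) -> list:
    # Parameterized query: the driver binds the value separately from the
    # SQL text, so the same payload is matched literally and returns nothing.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# --- Cross-site scripting -------------------------------------------------
def greeting_vulnerable(display_name: str) -> str:
    # Raw interpolation into HTML lets a stored or reflected name carry script.
    return f"<p>Welcome, {display_name}</p>"


def greeting_safe(display_name: str) -> str:
    # Output encoding for the HTML text-node context. quote=True also encodes
    # quotes, so the same helper is safe inside a quoted attribute value.
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"


# --- Cross-site request forgery ------------------------------------------
def issue_csrf_token(session: dict) -> str:
    # Unpredictable per-session token, kept server side and echoed into forms.
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def transfer_funds(session: dict, form: dict, ledger: dict) -> bool:
    # A forged cross-site POST arrives with the victim's cookies, but the
    # forging site cannot read the token, so the constant-time check fails.
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False
    ledger[form["to"]] = ledger.get(form["to"], 0) + int(form["amount"])
    return True


def demo() -> dict:
    """Run each vulnerable/hardened pair on a constructed attack payload."""
    conn = make_db()
    sqli_payload = "' OR '1'='1"           # constructed injection string
    xss_payload = "<script>alert(1)</script>"
    session, ledger = {}, {}
    token = issue_csrf_token(session)
    return {
        "sqli_vulnerable_rows": len(lookup_user_vulnerable(conn, sqli_payload)),
        "sqli_safe_rows": len(lookup_user_safe(conn, sqli_payload)),
        "xss_vulnerable": greeting_vulnerable(xss_payload),
        "xss_safe": greeting_safe(xss_payload),
        "csrf_forged": transfer_funds(
            session, {"to": "mallory", "amount": "100"}, ledger),
        "csrf_legit": transfer_funds(
            session, {"to": "bob", "amount": "100", "csrf_token": token}, ledger),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The injected string returns every row from the vulnerable lookup and no rows from the parameterized one; the encoded greeting contains no executable tags; and only the request that carries the session’s token is allowed to move money. Validation of the inputs is still worthwhile as defense in depth, but none of the hardened functions depends on it.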
Take Web Application Security to the Max

When it comes to source code analysis, most organizations can profit from a single-source suite and from following a flexible, centralized model. (See Figure 4.) This model puts security functions in the hands of the group with the greatest experience and knowledge of software vulnerabilities. However, the model pays off only when there is a culture of collaboration across security and development organizations. As IBM’s Berg defines the model, the security analysis team, which understands the business-level issues of risk management and can assign remediation based on company-specific policies, scans the entire application, prioritizes the raw results and hands developers a prioritized remediation workflow based on the criticality of the vulnerabilities. A defect-tracking system allows the entire team to monitor the progress of flaws being fixed. In this approach, developers can focus more of their time on advancements and improvements to the source code, either adding functionality to the software or recoding elements that were considered vulnerable, Berg notes.
Figure 4. Workflow in a security-conscious app-dev model.

Businesses deploying sophisticated and interactive Web applications are playing a big part in building an increasingly instrumented, interconnected and intelligent world. But that world needs to be safer, in addition to smarter. Safety starts at home, and it requires that enterprises embrace a “secure by design” philosophy. It’s time to start building the security-aware culture that will make that philosophy practical, with the tools that will make it possible.
Enterprises Bring the Security-Aware Culture to Life

What does it look like when an enterprise realizes a security-aware culture? Here’s a glimpse into what real companies are doing today:
• At one U.S. financial services and banking organization, the implementation of a Rational AppScan Source Edition product suite enabled a security system and process that connected all staff concerned with security. This initiative answered a challenge the company faced in making the security criteria consistent across multiple developers and development groups. Information and guidance were fed from a newly established Center of Excellence and from internal application security experts and architects in the development groups, with the result that the firm now can manage security policy centrally; apply consistent security criteria throughout the organization; and deliver reporting and analyses that address the needs of auditors, security leaders and the development organization.
• Skoda Auto in the Czech Republic needed to facilitate cooperation between development, security and operations departments during new Web application development; establish an application security program for effective governance of the development life cycle; and encourage effective cooperation and communication between all stakeholders. Among its needs were an easy-to-use, universal security analysis tool for various types of Web applications (such as Java 2, Enterprise Edition, .Net and Apache), and a repeatable methodology that could help improve the development of secure applications earlier in the life cycle. Its IBM Rational software implementation helped the company embed an analysis strategy in its existing development process, and the company reports that it has vastly improved the security of its software while reducing costs by finding vulnerabilities earlier, when they are less costly to repair.
• A top-five U.S. commercial bank that offers innovative client solutions, including advanced Web-based services, needed greater speed-to-remediation and more accuracy in the vulnerability identification process, and it determined that the job required a single, integrated set of products that met the needs of multiple roles. With IBM’s Rational AppScan Source Edition, auditors and security leads gain insight into the application risk profile in a manner that saves time and increases effectiveness; managers can effectively set and enforce security priorities for individual applications and software projects; and software developers can now apply secure-coding best practices and focus on specific issues identified in the code, instead of wasting time interpreting false positives.
Get Outsourced Development on Board

Not all Web application development takes place within a company’s four walls. Enterprises have long outsourced such work to partners around the globe to expedite projects and drive cost savings. Too often, however, results lag, and savings aren’t as dramatic as had been expected. One reason is that the cultural gap between the home office and the provider is even greater than the disconnects that may exist within an organization. According to InformationWeek Analytics’ State of IT Outsourcing Survey for 2011, there was no sign of a slowdown in outsourcing, but rather a steady increase in the number of respondents using service providers. And the vast majority, it reported, were planning to increase their outsourcing activities across all categories, including software development. The survey showed that for both application development and testing of customer-facing applications, the majority of respondents looked to outsourcers to help them with the task, at least in part.
The extent to which outsourcers are used for customer-facing applications underscores how critical it is that those outsourcers be required to participate in the enterprise’s internal culture of security. Problems typically arise when the application development provider isn’t given enough information and detail about how the work has to line up with business requirements, including requirements regarding security. “When we’re talking about security, it’s really important for us — the consumer or the receiver of that software from outsourced providers — to make sure that the software development practices that that outsourced provider is using align with [the] business needs of acquiring that software,” says IBM senior security architect Ryan Berg. And, it’s critical to be able “to articulate what requirements are, especially what security requirements you have, [because] you’re the one responsible for that risk.”
If — or when — vulnerabilities in Web applications surface that expose your customers to risk, it isn’t the outsourcer that suffers, after all. It’s your business. Berg recommends a source code security audit as a critical component to ensure the security of the delivered outsourced application. This step can be accomplished by a security review team manually examining source code to identify vulnerabilities and request remediation, but that approach is expensive and time consuming. A better approach is to choose security-testing technologies that automate key activities and fulfill requirements in a more cost-effective, consistent and metrics-based manner.
Resources
IBM Security http://www-03.ibm.com/security/
Application Security http://www-142.ibm.com/software/products/us/en/subcategory/SWI10
Copyright 2012 United Business Media LLC ALL RIGHTS RESERVED
No reproduction without permission