five steps to secure outsourced application development
TRANSCRIPT
1
Five Steps to Secure Outsourced Application Development
2
Contents
Executive Summary ............................................................................................................... 3
Software: Today’s Biggest Security Risk ................................................................................. 4
Offshore Development Trends ............................................................................................... 5
Five Key Steps ....................................................................................................................... 6
Step 1 – Risk Assessment 6
Step 2 – Embed Security Metrics and SLAs into Outsourcing Contracts 7
Step 3 – Conduct Independent Application Security Testing 7
Step 4 – Set Acceptance Thresholds 8
Step 5 – Outsource Applications to Providers with Security Certifications 9
How Veracode Can Help ........................................................................................................ 9
About Veracode .................................................................................................................. 10
Annex A – Sample Outsourced Application Contract Language ............................................. 11
© 2008 Veracode, Inc.
3
Executive Summary
Application security has risen to the top of the agenda for security professionals striving to control their company’s overall risk profile. According to Gartner and the Computer Emergency Response Team (CERT), 75% of new attacks target the application layer and software vulnerabilities have reached an all time high – with more than 7,000 new vulnerabilities discovered over the last year1.
At the same time, over $50 billion in custom code is being developed in locations such as India, China, and Eastern Europe as many businesses have rushed to take advantage of cost savings and flexibility to gain a competitive advantage.2 In fact, over two-thirds of the world’s largest companies are engaged in offshore outsourcing. However, due to training and developer turnover, secure coding and application security testing of outsourced software are often overlooked. This pushes both costs and liabilities onto the enterprise resulting in an unacceptable level of unbounded risk. In response to this emerging trend, analyst firm Gartner has recently advised their enterprise clients that “…Application security testing should be mandatory for outsourced development and maintenance”. Joseph Feiman, Gartner VP and Fellow, went on to recommend that “Enterprises should also consider long-term arrangements with service providers that will be conducting deployed applications' dynamic security testing on a continuous basis (because hackers will be inventing new types of attacks against deployed applications)”.3 However, until now, enterprises have lacked an efficient manner to analyze the security of outsourced software. Security testing has been limited to manual analysis by consultants, using internal teams with source code tools or trusting the outsourcer to test their own code. None of these approaches scale to cover an enterprise’s entire outsourced application portfolio and can add significant time and costs to projects. This whitepaper outlines how these limitations can be overcome by following five best practices that enterprises can use to secure their outsourced application development. These key steps provide enterprises with visibility into the security of their outsourced applications before the risk enters their front door. From software risk assessments to embedding specific contract language into development contracts, these practices provide guidance on steps that enterprises can immediately implement to simply and cost-effectively meet regulatory requirements, establish metrics and SLAs and protect their critical assets.
1 Microsoft Security Intelligence Report 2008 – Based on data from the DHS NVD & CERT
2 Gartner IT Services Forecast, 2007
3 Joseph Feiman, “Application Security Testing Should Be Mandatory”, 2007, Gartner ID Number: G00146313
4
Software: Today’s Biggest Security Risk
Today’s application has become the enterprise’s ‘‘new perimeter’’. With better network-level security technology hardening the network perimeter, malicious attackers are now focusing their efforts to strike at the least defended points --- - the application. While hackers were once satisfied with defacing Web sites, unleashing denial-of-service attacks and trading illicit files through targeted networks, modern attackers are profit-driven. Financial and customer data have become valuable commodities and applications must be secure enough to protect them. Recent industry statistics confirm this trend. Data from CERT reveals that the number of software vulnerabilities has risen dramatically and has eclipsed 7,000 new software vulnerability disclosures in the past year – an all time high4. Meanwhile, Gartner and NIST report that 95% of all reported vulnerabilities are in software5, 78% of threats target business information, and 75% of attacks target the application level6. Yet, even with these findings, most enterprises allocate less than 10% of their security spending to application security.
4 Microsoft Security Intelligence Report 2008 – Based on data from the DHS NVD & CERT
5 Mark Curphey, “Software Security Testing: Let’s Get Back to Basics” October, 2004, SoftwareMAG.com
6 Theresa Lanowitz, “Now Is the Time for Security at the Application Level” 2005, Gartner
NIST/Gartner Key Facts CERT – Number of Software Vulnerability Disclosures per Year
5
Offshore Development Trends
It comes as no surprise that the amount of offshore software development has been drastically transforming development processes for the past ten years. Companies have moved from staff augmentation to project-based work to complete application development and maintenance outsourcing. While one of the main drivers has certainly been around lowering overall costs, according to an InformationWeek report enterprises have also indicated that they are increasing their outsourcing activities for the following reasons:
Access hard-to-find technical skills
Focus on their core business
Improve service levels
Utilize a provider’s mature processes and methodologies
Create flexibility to “ramp-up” or “ramp-down” quickly Recent industry forecasts for offshore development growth reflect this growing trend. In fact, according to analyst firm Gartner, offshore software development is expected to rise from $50 billion today to over $88 billion within four years7 and InformationWeek has reported that over two-thirds of the companies in the InformationWeek 500 use at least some offshore software development to build and maintain their applications8. India continues to lead all outsourcing locations with over 42% of the offshore software development market, followed by China and Europe9.
7 “Applications Services Scenario: 2008 to 2012 — Trends and Directions, 2008”, 2008, Gartner
8 Mary Hayes Weier, “The Second Decade Of Offshore Outsourcing: Where We're Headed”, Nov. 2007, InformationWeek
9 Rick Saia, Peter S. Kastner, “Outsourcing Application Development and Maintenance”, Nov. 2006, Aberdeen
Application Outsourcing Spending ($B)
6
Five Key Steps
As multiple industry sources show, outsourcing application development allows organizations to realize cost savings and provides the flexibility necessary to scale. However, it also introduces significant risk in the form of security vulnerabilities and malicious backdoors. Enterprises face an uphill battle in controlling security risks across their extended software supply chain. Identifying, controlling and reducing the unbounded risk and capital requirements currently absorbed by organizations resulting from insecure software are critical. Based on its experience working with enterprises that outsource code development and outsourcing providers, Veracode has compiled a list of five key steps which help enterprises implement security into their outsourced application development.
Step 1 – Risk Assessment
While it may seem obvious that as part of a risk assessment organizations need to create an inventory of their applications that are being developed or maintained by an outsourcing provider, however, in practice it can be a challenging exercise. With the advent of low cost offshore development, it is common to see application “sprawl” as individual groups or business units may have contracted work that previously would have required higher capital costs and formal approvals. When conducting an application inventory, involve business units, procurement and vendor management to ensure you have identified all software that was or is entering the organization through though outsourcing providers. Once outsourced software has been identified, organizations need to understand the risk that the application poses to the business. This can be achieved through the assignment of an assurance level for each application based on business risk factors such as: reputation damage, financial loss, operational risk, sensitive information disclosure, personal safety, and legal violations. Assurance levels are used to determine the extent of testing methods (e.g. higher assurance levels may be tested using multiple techniques) and the overall acceptance criteria (e.g. a lower assurance level application may be accepted with a lower security scores as they do not pose a significant risk to the business). The following chart from NIST provides guidance on selecting an assurance level based on business risk:
7
Step 2 – Embed Security Metrics and SLAs into Outsourcing Contracts
Outsourced software development contracts typically emphasize features, quality, time and costs. Thus, the burden and risks of application security has fallen solely on the enterprise. Organizations need to establish clear metrics and SLAs surrounding application security with their outsourcing partners as part of the procurement and contract processes. This benefits both the enterprise and the offshore provider by explicitly defining the goals and objectives around software security so both parties know what is expected. Security metrics and SLAs should be separated from functional or operational testing requirements and need to address the following areas:
Security Testing Methods (i.e. static, dynamic, manual, etc…)
Security Providers and/or Tools (i.e. who will conduct testing, or what products will be used)
Security Score – What scoring method will be used and what score will be deemed acceptable
Vulnerabilities – What types of vulnerabilities need to be included in the assessment (i.e. OWASP Top 10, PCI 6.5 , etc…)
Veracode has created a “Recommended Outsourced Software Development Security Contract Language” which organizations can use as part of their development contracts and it is available as Annex A of this document.
Step 3 – Conduct Independent Application Security Testing
Gartner recommends that application security testing should be mandatory for all outsourced development and maintenance. However, until now, true testing of outsourced software has been difficult due to the high cost and effort required to conduct manual code reviews and the difficulty in obtaining access to of source code. Because of these issues, more than half of companies that outsource application development conduct no testing at all, and those that do test for security are only able to address a small sub-segment of their highest risk applications.10
Given the current threat landscape, it is imperative that organizations test all of their outsourced applications, ideally using a third party to obtain Independent Verification and Validation (IV&V). New technologies and testing methodologies, e.g. automated security testing services offered by companies such as Veracode, now enable organizations to independently test all of their outsourced applications before they are accepted and deployed by the enterprise.
10
Fran Howarth "Why Application Security is Critical", April 2008, Quocirca
8
Step 4 – Set Acceptance Thresholds
Enterprises can leverage software security ratings to decide which applications are secure enough to be accepted or deployed and which applications need remediation by the outsourcing provider before software acceptance.
To demonstrate setting acceptance thresholds, we will use Veracode’s SecurityReview service as an example. Application testing with various testing techniques, combined with a scoring system based on the Common Vulnerability Scoring System (CVSS) and the Common Weakness Enumeration (CWE) standards, a Security Quality Score (SQS) is derived for each application. The assurance levels the enterprise selected in Step 1 (above) is then applied to incorporate business risk and the output is normalized to an easy to understand letter grade (A, B, C, etc…).
Thus, enterprises can set an acceptable grade – “A” for example and outsourcing providers know they must achieve that grade for the application to be accepted. Setting thresholds and using standard-based scoring removes the subjectivity and “gray-area” on what constitutes acceptance and clarifies the process for both the enterprise and provider. Below is a chart that demonstrates how organizations can use assurance levels, quality scores and testing methods to achieve an overall rating:
9
Step 5 – Outsource Applications to Providers with Security Certifications
Application security expertise should become a key element in the evaluation of outsourced application partners. As part of their selection process, enterprises should ensure that they work only with partners that implement security into all phases of development. Enterprises should look for certifications such as:
ISO 27001
System Security Engineering-Capability Maturity Model (SSE-CMM)
CMM/Capability Maturity Model Integration (CMMI)
While the above are high-level quality and development programs are a good indicator of supplier trustworthiness, they do not guarantee application security expertise and do not replace independent security testing. Organizations should also look for application security specific testing and certifications that have been formally validated by an independent quality seal of approval such as Veracode’s “Verified by Veracode” assurance program.
How Veracode Can Help
Veracode Outsourcing SecurityReview provides simple, cost-effective, and automated security audits that ensure enterprises receive secure applications from offshore development partners. Veracode SecurityReview uses breakthrough patented binary code analysis and dynamic web analysis that is uniquely able to detect application backdoors and can inspect entire outsourced application inventories, including components and libraries, without requiring source code. This enables both outsourcing providers and enterprises to implement security best practices, reduce operational cost and achieve compliance without requiring any hardware, software or training.
As an expert in application security, Veracode is uniquely suited to provide independent verification and validation (IV&V) of outsourced applications without the need for costly on-site consultants. Veracode's Ratings System produces a software security rating based on respected industry standards including MITRE’s Common Weakness Enumeration (CWE) for classification of software weaknesses and FIRST’s Common Vulnerability Scoring System (CVSS) for severity and ease of exploitability and NIST’s application assurance levels. These universally accepted vulnerability scoring methods provide a clear audit trail enabling enterprises to automate
the security acceptance testing of outsourced applications and meet both internal and external security and compliance requirements and reduce their exposure to risk.
10
About Veracode
Veracode is the world’s leader for on-demand application security testing solutions. Veracode SecurityReview is the industry’s first solution to use patented binary code analysis and dynamic web analysis to uniquely assess any application security threats, including vulnerabilities such as cross-site scripting (XSS), SQL injection, buffer overflows and malicious code. SecurityReview performs the only complete and independent security audit across any internally developed applications, third-party commercial off-the-shelf software and offshore code without exposing a company’s source code. Delivered as an on-demand service, Veracode delivers the simplest and most-cost effective way to implement security best practices, reduce operational cost and achieve regulatory requirements such as PCI compliance without requiring any hardware, software or training. Veracode has established a position as the market visionary and leader with awards that include recognition as a Gartner “Cool Vendor” 2008, Info Security Product Guide’s “Tomorrow’s Technology Today Award 2008,” Information Security “Readers’ Choice Award 2008,” AlwaysOn Northeast's "Top 100 Private Company 2008", NetworkWorld “Top 10 Security Company to Watch 2007,” and Dark Reading’s “Top 10 Hot Security Startups 2007.” Based in Burlington, Mass., Veracode is backed by .406 Ventures, Atlas Venture and Polaris Venture Partners. For more information, visit www.veracode.com.
11
Annex A – Sample Outsourced Application Contract Language
This sample contract Annex is intended to help enterprises negotiate the purchase of outsourced software development. Most software development contracts focus on features, functionality and delivery timeframes. Additionally, they may require the developer to show a certain level of application security competency or attempt to include liability clauses as part of the contract process. Frequently, the parties have very different views on what defines application security and what has actually been agreed to in the contract. The following languages lays out a simple process, utilizing independent security reviews and industry standard benchmarks, which allows both outsourced developers and enterprises to ensure that application security is embedded in the deliverable. Portions of this document incorporate details from the OWASP Secure Software Contract Annex and the SwA Working Group’s “Software Assurance (SwA) in Acquisition: Mitigating Risks to the Enterprise” paper. Organizations are free to use the following sample language, however, as with any legal agreement, we recommend you contact a qualified attorney prior to entering into any contract.
Sample Contract Annex
1. INTRODUCTION
This Annex is made to _____________________ ("Agreement") between Client and Developer. Client and Developer agree to maximize the security of the software according to the following terms.
2. ORIGIN, LIBRARIES, FRAMEWORKS, AND PRODUCTS
(a) Disclosure
Developer shall disclose all binary executables (i.e. compiled or byte code; source code is not required) of the software, including all libraries or components.
(b) Origin
Developer shall disclose the origin of all software components used in the product including any open source or 3rd party licensed components.
3. SECURITY REVIEWS
(a) Independent Review
Developer shall have their software reviewed for security flaws, in binary format (i.e. compiled or byte code; source code is not required), by an independent organization that specializes in application security, at their expense, prior to delivery to the Client.
(b) Review Coverage
Security reviews shall cover all aspects of the software delivered, including third party components, and libraries.
12
(c) Scope of Review
At a minimum, the review shall cover common software vulnerabilities. The review may include a combination of static analysis of the binary code, dynamic web application vulnerability scanning, and manual penetration testing.
(d) Issues Discovered
Overall application security ratings with aggregate number of flaws found by the independent organization shall be reported to both Client and Developer. Detailed reports of specific vulnerability instances within the application will only be provided to the Developer. All issues will be tracked and remediated as specified in the Security Issue Management section of this Annex.
(e) Standard Benchmarks
To ensure that all parties have a common understanding of any security issues uncovered, the independent organization that specializes in application security shall provide a rating based on industry standards as defined by First’s Common Vulnerability Scoring System (CVSS) and Mitre’s Common Weakness Enumeration (CWE).
(f) Review Frequency
Reviews shall be conducted to revalidate the software prior to delivery of any new major or minor release prior to delivery to Client.
4. SECURITY ISSUE MANAGEMENT
(a) Identification
Developer will track all security issues uncovered during the security review and the entire life cycle, whether a requirements, design, implementation, testing, deployment, or operational issue. The risk associated with each security issue will be evaluated, documented, and reported to Client as soon as possible after discovery.
(b) Protection
Developer will appropriately protect information regarding security issues and associated documentation to help limit the likelihood that vulnerabilities in operational Client software are exposed.
(c) Remediation
Client and Developer shall create a mutually agreed upon remediation roadmap to resolve security issues that are identified. Developer shall make all commercially feasible efforts to fix all high level issues prior to delivery to Client.
13
5. SECURITY ACCEPTANCE AND MAINTENANCE
(a) Acceptance
The software shall not be considered accepted until the independent review is complete and all security issues have been assigned to a mutually agreed upon remediation roadmap.
(b) Investigating Security Issues
After acceptance, if security issues are discovered or reasonably suspected, Developer shall assist Client in performing an investigation to determine the nature of the issue.
(c) Other Security Issues
Developer shall use all commercially reasonable efforts consistent with sound software development practices, taking into account the severity of the risk, to resolve all security issues as quickly as possible.