Published on February 2017

SWG Rational Marketing Software Delivery Program

Securing today’s applications
Design, deliver and secure smarter software and services


The What, Where and How of Application Security
Why is application security such a hot issue moving into 2010 and beyond? Applications are becoming more pervasive, and organizations are growing and implementing smarter software to support business processes, product development and daily operations. The way businesses deal with their customers, their partners and their own internal units is changing and becoming more complex. New SOA-oriented architectures and the extension of things like the electrical grid are becoming an essential part of an organization’s everyday operations. So it is natural that the security ramifications of deploying all of these applications are a very important concern for customers. Customers have generally done a very good job over the last 10 or 15 years in understanding the established security technologies for tasks like networking and operations, and in managing security procedures like access control or authentication. But now, as these new applications roll out, they are really changing the game. In many ways, these applications can exist in a couple of worlds. Sometimes a portion of their behavior is inside a firewall, while sometimes it is external to the firewall, such as the web-facing front end to a legacy back-end application. The possible security problems are not just the threat surface that gets exposed with new applications, but also the composite of behaviors that goes on outside the firewall at the front end of the application, and all of the possible unintended consequences of the new exposure of the internal application. All of these things are conspiring together: the influx of new applications, the increased importance of applications for core business goals and the difficulty of understanding the way in which all these components will play together. These forces are driving application security into a place of prominence in the current environment.

Four strategic best practices for protecting web applications
To address security-related issues as they pertain to web applications, organizations can employ four broad, strategic best practices.

1. Increase security awareness
This includes training, communication and monitoring activities, preferably in cooperation with a consultant.

Training
Provide annual security training for all application team members: developers, quality assurance professionals, analysts and managers. Describe current attacks and a recommended remediation process. Discuss the organization’s current security practices. Require developers to attend training to master the framework’s prebuilt security functions. Use vendor-supplied material to train users on commercial off-the-shelf (COTS) security tools, and include security training in the project plan.

Communication
Collect security best practices from across all teams and lines of business in your organization. Distribute them in a brief document and make them easily accessible on an intranet. Get your IT security experts involved early and develop processes that include peer mentoring. Assign a liaison from the security team to every application team to help with application requirements and design.

Monitoring
Ensure that managers stay aware of the security status of every application in production. Track security errors through your normal defect tracking and reporting infrastructures to give all parties visibility.

2. Categorize application risk and liability
Every organization has limited resources and must manage priorities. To help set security priorities, you can:
• Define risk thresholds and specify when the security team will terminate application services.
• Categorize applications by risk factors (e.g., Internet or intranet vs. extranet).
• Generate periodic risk reports based on security scans that match issues to defined risk thresholds.
• Maintain a database that can analyze and rank applications by risk, so you can inform teams of how their applications stack up against deployed systems.

3. Set a zero-tolerance enforcement policy
An essential part of governing the development and delivery process, a well-defined security policy can reduce your risk of deploying vulnerable or noncompliant applications. During inception, determine which tests the application must pass before deployment, and inform all team members. Formally review requirements and design specifications for security issues during inception and elaboration—before coding begins. Allow security exceptions only during design and only with appropriate executive-level approval.

4. Integrate security testing throughout the development and delivery process
By integrating security testing throughout the delivery lifecycle, you can have significant positive effects on the design, development and testing of applications. You should base functional requirements on security tests your application must pass, making sure that your test framework. Application security planning and security strategy should be based on systematic processes and practices, not on symptomatic issues that arise during a testing cycle.

The Business Case for Data Protection was the first study to determine what senior executives think about the value proposition of corporate data protection efforts within their organizations.
Ponemon Business Case for Data Protection (US)
Ponemon Business Case for Data Protection (UK)


Secure by Design
Innovation depends upon the safe and reliable operation of the systems that will gather, transmit and analyze data, communicate and act upon the results and advance the capabilities of highly distributed organizations to unify and focus on critical shared goals. This type of security, this type of safety, is not something that can simply be bolted onto the solutions as an afterthought. It must be considered from the first requirements to the final implementation, and it must be inherent in the capabilities that are brought to bear as these complex problems are solved. The reliability of these solutions cannot be jeopardized by delay. They must be Secure by Design. Secure by Design demonstrates that cost-effective security begins with the creation of secure systems from the start. Time-to-market, maintenance and the devastating costs of public breaches are reduced through the benefits of integrating secure practices early in the development lifecycle. It is a long-standing axiom that functional defects identified during system development are orders of magnitude less costly to repair than those found in production systems, and the benefits and savings are even higher when it comes to security. Current models show us that the average data breach costs an organization roughly $6.6M, and that the average cost per lost customer data record is over $200. These numbers are staggering. Vulnerability within some Smarter Planet™ systems is even more destructive, as some systems manage critical infrastructure, and failure can disable entire regions or worse, jeopardize lives. A critical enabler of trust in this process is the ongoing validation of the security of critical applications. 
System development history has shown us that there is a natural tendency for implementations to veer from their original designs, and that constant reinforcement of design objectives through testing and assessment is the most practical means of arriving at a deliverable with the proper attributes. Security is no different, but can be more difficult to assess. Security, particularly at the coding and implementation level, is not a widely understood discipline, and its inclusion in the set of critical deliverables will only be possible as organizations simplify and automate security checking in ways similar to those employed for functional and performance testing. The IBM® Rational® AppScan® suite of products has been created to integrate within this environment, whether through application scanning on the developer desktop, at the nightly or weekly build server, or through targeted penetration testing of the final application. In practice, not every application can be protected from every threat, and the continuous appearance of new attacks means that today’s results will never be sufficient to guarantee tomorrow’s safety. As a result, the path to maximizing the security of an application begins by rigorously testing that application today, and planning for its continuing testing as the application, and the threats it encounters, evolve. Automated source code analysis is widely recognized as the most effective method of this type of testing early in the life cycle, because it allows for a consistent and repeatable assessment of source code without requiring the additional assets that would be needed to field a completed system to test. The best of these technologies provide the most valuable results by pinpointing the vulnerability at the precise line of code and detailing information about the type of flaw, its degree of criticality and how to fix it. Ethical hacking is also an important element of software security, but its value comes later in the life cycle, when it can be used on a completed application with a functional interface. Together, these approaches can paint a picture which is both comprehensive in its scope and useful in the level and amount of detail that it provides.


Securing components and systems from their inception produces a flexibility and sense of assurance that fuels the growth and adaptability of the Smarter Planet. Early implementations of smarter projects are only the beginning of the potential for integrating information and technology to solve fundamental infrastructural problems. Systems which are gathering information to optimize a Smarter City today may well be repurposed in the future to bring smarter healthcare or smarter communications to the same area. By designing the core components with security in mind, adapting them to a new area of use becomes much more straightforward, eliminating the need to re-engineer the component for the next role it may fulfill.

Roadblocks to building in security
Among the most common impediments to the adoption of security testing in the software development life cycle, the most difficult to overcome is typically the gap between development group functions and the security team’s priorities. The skill sets themselves are rarely present in the same individual or even group, and organizationally there is very little inherent synergy. While development goals focus on product functionality and on-schedule delivery, security analysts are often tasked with eliminating vulnerabilities and implementing security controls only after the applications are completed and deployed. Development is rewarded for on-time delivery, while security is rewarded for preventing the deployment of an insecure application. To effectively decrease vulnerabilities created during the development process, development and security teams must cooperate, and in all cases, higher-level management support for improving security during development is essential. There also exists a general reluctance to alter an existing software development life-cycle process, which can delay implementation of security testing. In these cases, an understanding of the business-level benefits to be gained is usually enough incentive to move things forward. There are some common misconceptions about the potential and difficulties of improving security within the development process.

Fiction: The development schedule cannot delay any other activities, not even to address security issues.
Fact: There might be initial delays to the development cycle as individuals learn the new system, but this is indisputably the most time-efficient method for reducing software risk. The process eventually reduces development time by instilling good, secure coding practices among developers, and these practices reduce time spent elsewhere in the cycle, such as during security and acceptance testing of the final application.

Fiction: We are already doing peer review; therefore, we do not need additional security code reviews.
Fact: A peer review is not a substitute for a security review. Peer reviews are typically used to find functional bugs. Unless reviewers have a deep understanding of application security, many of the more critical security vulnerabilities and design flaws are missed. In many cases, the best-intentioned user requirement implemented without functional error can lead to the greatest security risk. Common security errors will traverse thousands of lines of code and many files, leading to a very challenging, if not impossible, task of manual identification.

Assigning core responsibilities
Many enterprises still find it challenging to identify the most appropriate method and resources to implement source code analysis in their development life cycle. Utilizing a series of workflow models to help guide the implementation of automated source code scanning into an existing development process is the most effective way to arrive at a workable approach. Although it is clear that development organizations and processes each have their own distinct characteristics, the functions below are primary to source code testing and must be served by existing staff or experts brought in during implementation.

Set security requirements: A manager or central source of business requirements meets with groups with security expertise to define the security requirements of the application and the vulnerabilities that would most jeopardize its function, and to assign criticality based on business needs.
Configure analysis: Internal definitions are used to customize the source code analysis tool to match policies, ensuring sufficient and consistent review of applications.
Scan source code: The source code analysis tool is run against the target application or parts of the application to pinpoint vulnerabilities. These scans are commonly automated, but can also be executed on demand.
Prioritize results: Staff members with knowledge of security and the application study the results to prioritize remediation and allocate resources appropriately.
Remediate flaws: Vulnerabilities are eliminated by rewriting code, removing flawed components, or adding security-related functions.
Verify fixes: The code is rescanned and studied to ensure the code changes have eliminated the vulnerability while maintaining application functionality.

Organizations which have already adopted this methodology have seen very positive results. One major telecommunications firm has gone so far as to apply the knowledge of their relevant threats and the operational implementation goals of their software components to devise an automated testing regimen that is kicked off regularly with the software build. The information generated has already been tailored by the security team, and the results are regularly reviewed to ensure relevance and continuing accuracy. In the interim, each build automatically assesses the security of the software, and forwards any newly found vulnerabilities to the appropriate development groups for remediation. This integrated process has led to much faster cycle times, decreased rework, and far better performance during rigorous pre-deployment certification.

“Secure by Design” as a goal has two different meanings. The first, as described here, relates to assembling the knowledge, tools and processes to generate components and systems that will perform reliably and securely, through efforts at all phases of the construction lifecycle. The second meaning, though, is equally important: As we enter this instrumented age, and we come to expect technology to improve our day-to-day existence in new ways, we must acknowledge our responsibility to make our organizations “Secure by Design.” We must educate ourselves and our teams on the importance of security, on the cost savings and benefits of secure development, and on the balance that must be reached between that concern and concerns of functionality, performance, and time-to-market. If we do this, then soon “secure” will be as natural a characteristic of the Smarter Planet as “fast”, “stable”, or “easy-to-use.”

For detailed information on three development models, including workflows and best practices, please see the whitepaper Secure at the Source in the Web Application Security e-Kit.
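As an added example, not IBM's, Rational's or AppScan's own code, the following Python shows how the risk-threshold practice (best practice 2), the zero-tolerance release gate (best practice 3) and the prioritize/verify-fixes steps of the workflow above can be expressed over the output of a source code scan. The applications, exposure categories, thresholds, severity weights and findings are all constructed.

```python
from collections import Counter
from dataclasses import dataclass

# Weight used to rank applications against each other (constructed scale).
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}

# Risk thresholds by exposure category: the most findings of each severity a
# deployment may carry. Internet-facing code gets zero tolerance for critical
# and high; intranet code gets more slack. Values are a constructed policy.
THRESHOLDS = {
    "internet": {"critical": 0, "high": 0, "medium": 5},
    "extranet": {"critical": 0, "high": 2, "medium": 10},
    "intranet": {"critical": 0, "high": 5, "medium": 20},
}


@dataclass(frozen=True)
class Finding:
    app: str
    rule: str        # analysis rule that fired, e.g. "sql-injection"
    file: str
    function: str    # enclosing function: survives line shifts from edits
    severity: str

    def fingerprint(self):
        """Identity of a finding across scans (line numbers are too brittle)."""
        return (self.app, self.rule, self.file, self.function)


@dataclass(frozen=True)
class Application:
    name: str
    exposure: str    # "internet", "extranet" or "intranet"


def findings_for(app_name, findings):
    return [f for f in findings if f.app == app_name]


def risk_score(findings):
    return sum(SEVERITY_WEIGHT[f.severity] for f in findings)


def policy_violations(app, findings):
    """Map severity -> (count, limit) for each threshold the scan exceeds."""
    counts = Counter(f.severity for f in findings_for(app.name, findings))
    limits = THRESHOLDS[app.exposure]
    return {sev: (counts[sev], limit) for sev, limit in limits.items()
            if counts[sev] > limit}


def release_gate(app, findings):
    """Zero-tolerance enforcement: deployable only if no threshold is exceeded."""
    return not policy_violations(app, findings)


def rank_applications(apps, findings):
    """Riskiest first, so each team sees how its application stacks up."""
    scored = [(risk_score(findings_for(a.name, findings)), a.name) for a in apps]
    return [name for _, name in sorted(scored, reverse=True)]


def verify_fixes(before, after):
    """Compare a rescan with the previous scan: fixed, still open, newly introduced."""
    old = {f.fingerprint() for f in before}
    new = {f.fingerprint() for f in after}
    return {"fixed": sorted(old - new),
            "remaining": sorted(old & new),
            "introduced": sorted(new - old)}


# Constructed inventory and scan results.
APPS = [Application("portal", "internet"),
        Application("partner-api", "extranet"),
        Application("hr-tool", "intranet")]

SCAN_1 = [
    Finding("portal", "sql-injection", "login.py", "authenticate", "critical"),
    Finding("portal", "xss-reflected", "search.py", "render_results", "high"),
    Finding("partner-api", "xss-reflected", "feed.py", "render", "high"),
    Finding("partner-api", "info-leak", "errors.py", "handler", "medium"),
    Finding("hr-tool", "weak-random", "tokens.py", "make_token", "medium"),
]

# Rescan of the portal after remediation: the SQL injection is gone, the XSS
# was not touched, and the change introduced a new medium-severity finding.
SCAN_2_PORTAL = [
    Finding("portal", "xss-reflected", "search.py", "render_results", "high"),
    Finding("portal", "path-traversal", "files.py", "download", "medium"),
]

if __name__ == "__main__":
    for app in APPS:
        print(app.name, "deployable" if release_gate(app, SCAN_1)
              else f"blocked {policy_violations(app, SCAN_1)}")
    print("ranking:", rank_applications(APPS, SCAN_1))
    print("verify:", verify_fixes(findings_for("portal", SCAN_1), SCAN_2_PORTAL))
```

The portal remains blocked after the rescan because the untouched reflected XSS still exceeds the Internet-facing limit for high-severity findings, which is the point of verifying fixes against the policy rather than against the single issue that was worked on.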


Hackers and Malware
The proliferation of malware designed to infiltrate computer systems without the owners’ informed consent has become one of the most challenging security issues facing users today. Hackers are engineering ever more sophisticated viruses, worms and Trojan horses that can outsmart traditional defense mechanisms. Malicious software can be distributed in a variety of ways, and attackers generally do not limit themselves to a single channel. For a long time, email was the primary delivery mechanism, and it is still significant today. Network vulnerabilities and instant messaging have also been used for pushing worms from one machine to another. Today, web applications are the primary delivery mechanisms for malware via “drive-by downloads” or “social engineering.” A drive-by download happens when a user’s machine becomes compromised simply by browsing an infected web page. The browser executes components that are maliciously crafted to exploit vulnerabilities in the browser, operating system or other plug-ins as the page renders images, in-line scripts and videos, for example. Social engineering is a term used to describe tricking a user into performing some action, such as downloading a file or accepting a prompt. “Scareware,” such as an alarming pop-up that prompts users to perform an action, is a good example of this. A pop-up designed to look like an antivirus alert may read “A virus has been detected on your system” and prompt a user to download a cleanup utility, which is actually malware (often a Trojan horse). In the fall of 2009, a major national newspaper in the United States faced a version of this tactic in the form of a scam that was designed to scare users into buying useless antivirus software.

In recent years, occurrences of legitimate websites serving malware have become more widespread. Previously, cautious web surfers who avoided questionable sites, such as adult-oriented or illegal download sites, could reasonably expect to avoid attacks. This is not so today. Moreover, site owners rarely even know that the compromise has occurred. Consider the consequences. Users are no longer able to avoid exposure through good judgment alone. The malware is delivered through the sites they use and trust on a regular basis—for personal and business needs. Web gateways can no longer rely on blacklists of malicious sites without blocking legitimate sites as well. So how are users expected to protect themselves, and how can website owners avoid putting their users in harm’s way? That question can’t be addressed without understanding how legitimate sites are compromised.

A look at how legitimate websites are compromised
In most cases, reputable websites are attacked using one or a combination of four primary methods.

Vulnerability exploitation
Vulnerabilities on a site are a favorite target of criminals. These could be 0-day vulnerabilities in the software running the website or vulnerabilities in the application-specific code. Such vulnerabilities can allow attackers to deface the site, making it link to or serve malicious content. Exploiting 0-day or very recent vulnerabilities in web infrastructure (for example, web servers, application servers and operating systems) is the primary method of compromising websites today.

Uploaded malware on user-driven sites
User-driven Web 2.0 community sites—including blogs, wikis and social media sites—that let users create and post data likely provide another popular malware delivery source. Worse, technical vulnerabilities aren’t even necessary. If users are allowed to add content and links to the site, they may be uploading malicious items. For example, PDF document files holding malicious content or images that exploit a security hole in a graphics library can cause a legitimate website to serve malware.

Internal attacks
Website defenses are often not as robust when accessed from within an internal network. As a result, internal resources, such as disgruntled employees or an employee who has been blackmailed, can modify a web application from within and make it serve or link to malware.

Third-party content
Including third-party content such as ads or mashup applications can multiply the risk of malware on your website. Third-party sources may be malicious or may have been compromised by yet another party, resulting in malware being served through your application’s pages. Consider an advertising service serving Flash–based advertising banners. Flash applications are powerful and dynamic and have potent scripting engines. If an advertising company is not properly vetting and analyzing each banner it posts, it may be serving malicious banners that deliver malware.

Existing solutions
How can users be expected to protect themselves from malware on legitimate websites? Certainly, users need to take precautions by installing appropriate endpoint security solutions, such as antivirus software, firewalls and other security tools. But this will only get them so far. As a result, website owners have significant responsibilities in the matter, as their users should expect a reasonable level of protection against malicious code. There are several ways companies and organizations can protect the server side: an intrusion prevention system (IPS) or similar network protection device that monitors outgoing traffic, and server-side antivirus solutions.

An IPS can examine all traffic returned from the site and block anything deemed malicious. The problem with this approach is the depth of the analysis—the IPS needs to work at a very high velocity to support huge volumes of data, and thus can only afford a fraction of a second to analyze passing content. As a result, its analysis is mostly limited to matching known malicious patterns against the content.

A server-side antivirus solution can be used to examine files on the server and identify whether they are malicious. The problem with this approach is visibility. Antivirus solutions are designed to look for viruses in files, but are limited in their ability to examine content residing in the databases where most applications store their dynamic content. Similarly, antivirus solutions don’t see or understand web pages, making them blind to content that is linked from the website but not hosted on it.

Currently, the most common way for criminals to make legitimate websites serve malware is by injecting an iframe that leads to a malicious site. The existing solutions discussed above cannot find this very common manifestation of the problem. An alternative approach: HTTP-based malware scanning uses a new approach, combining the HTTP view with antivirus-like capabilities. Scanning and detection capabilities can help you overcome the inherent problems of existing security technologies.

Please see the demo of Rational AppScan Standard Edition for a full view of the AppScan Standard Edition and Express products.
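The injected-iframe case described under Existing solutions above, as an added example that is not part of the original document: a defender-side check that inspects the page the way a browser receives it (the HTTP view) and flags iframes that are hidden or point off-site, the manifestation that a file-level server antivirus never sees when markup is assembled from a database and that a signature-only IPS has no rule for. The sample HTML, the partner and update host names and the site host are constructed.

```python
"""Audit a served HTML page for embedded content that does not belong.

Constructed example: report <iframe>, <script>, <object> and <embed> elements
that are hidden (zero/one-pixel size, display:none, visibility:hidden) or
that load from a host other than the site's own. A hidden iframe that also
points off-site is the classic injected-iframe pattern.
"""
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a normal article with one legitimate same-site
# iframe, one third-party ad script, and one injected hidden off-site iframe.
SAMPLE_HTML = """<html><body>
<h1>Quarterly results</h1>
<iframe src="/embed/results-chart" width="600" height="400"></iframe>
<script src="https://ads.partner.example/banner.js"></script>
<p>Thanks for reading.</p>
<iframe src="//cdn-update.example/in.php" width="1" height="1"
        style="visibility:hidden;position:absolute"></iframe>
</body></html>"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
AUDITED_TAGS = ("iframe", "script", "object", "embed")


@dataclass
class Finding:
    tag: str
    src: str
    reasons: tuple


def _is_tiny(value):
    """True for 0- or 1-pixel dimensions, a common way to hide an iframe."""
    if not value:
        return False
    m = re.match(r"\s*(\d+)", value)
    return bool(m) and int(m.group(1)) <= 1


class EmbedAuditor(HTMLParser):
    """Collect embedded-content elements and the reasons they look wrong."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def _offsite(self, src):
        # Relative URLs have no netloc and are same-origin by definition;
        # protocol-relative "//host/path" URLs resolve to a netloc.
        host = urlparse(src).netloc.lower()
        return bool(host) and host != self.site_host

    def handle_starttag(self, tag, attrs):
        if tag not in AUDITED_TAGS:
            return
        a = dict(attrs)                       # valueless attrs map to None
        src = a.get("src") or a.get("data") or ""
        reasons = []
        if tag == "iframe":
            if _is_tiny(a.get("width")) or _is_tiny(a.get("height")):
                reasons.append("tiny-dimensions")
            if HIDDEN_STYLE.search(a.get("style") or ""):
                reasons.append("hidden-by-style")
        if src and self._offsite(src):
            reasons.append("off-site-source")
        if reasons:
            self.findings.append(Finding(tag, src, tuple(reasons)))


def audit_page(html, site_host):
    """Return every embedded element worth a look, in document order."""
    parser = EmbedAuditor(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


def injected_iframes(findings):
    """Hidden AND off-site iframes: the pattern the text calls most common."""
    return [f for f in findings
            if f.tag == "iframe" and "off-site-source" in f.reasons
            and len(f.reasons) > 1]


if __name__ == "__main__":
    found = audit_page(SAMPLE_HTML, "www.example.com")
    for f in found:
        print(f)
    print("injected:", [f.src for f in injected_iframes(found)])
```

Off-site scripts that are not hidden are reported too, since the Third-party content method above is exactly that case; they are vetting work, not automatically an injection.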


Security and Cloud Computing
Cloud computing is a flexible, cost-effective and proven delivery platform for providing business or consumer IT services over the Internet. Cloud resources can be rapidly deployed and easily scaled, with all processes, applications and services provided “on demand,” regardless of user location or device. As a result, cloud computing gives organizations the opportunity to increase their service delivery efficiencies, streamline IT management and better align IT services with dynamic business requirements. Both public and private cloud models are now in use. Available to anyone with Internet access, public models include Software as a Service (SaaS) clouds like IBM LotusLive™, Platform as a Service (PaaS) clouds such as IBM Computing on Demand, and Security and Data Protection as a Service (SDPaaS) clouds like the IBM Vulnerability Management Service. Private clouds are owned and used by a single organization. They offer many of the same benefits as public clouds, and they give the owner organization greater flexibility and control. Many organizations embrace both public and private cloud computing by integrating the two models into hybrid clouds. These hybrids are designed to meet specific business and technology requirements, helping optimize security and privacy with a minimum investment in fixed IT costs.

Although the benefits of cloud computing are clear, so is the need to develop proper security for cloud implementations. In addition to the usual challenges of developing secure IT systems, cloud computing presents an added level of risk because essential services are often outsourced to a third party. The “externalized” aspect of outsourcing makes it harder to maintain data integrity and privacy, support data and service availability and demonstrate compliance. As a result, clients must establish trust relationships with their providers and understand risk in terms of how these providers implement, deploy and manage security on their behalf. This “trust but verify” relationship between cloud service providers and clients is critical because the clients are still ultimately responsible for compliance and protection of their critical data, even if that workload has moved to the cloud.

Infrastructure sharing calls for a high degree of standardization and process automation, which can help improve security by eliminating the risk of operator error and oversight. However, the risks inherent in a massively shared infrastructure mean that cloud computing models must still place a strong emphasis on isolation, identity and compliance. In other words, the framework of governance, risk management and compliance can be broken into five security focus areas:
• People and Identity: Address the risks associated with user access to corporate resources
• Data and Information: Understand, deploy and properly test controls for access to and usage of sensitive business data
• Application and Process: Help keep applications secure, protected from malicious or fraudulent use, and hardened against failure
• Network, Server and End Point: Optimize service availability by mitigating risks to network components
• Physical Infrastructure: Provide actionable intelligence on the desired state of physical infrastructure security and make improvements
Each focus area has its own value proposition and corresponding financial payback that must be balanced.
While cloud computing is often seen as increasing security risks and introducing new threat vectors, it also presents an exciting opportunity to improve security. Characteristics of clouds such as standardization, automation and increased visibility into the infrastructure can dramatically boost security levels. For example, the use of a defined set of cloud interfaces, along with centralized identity and access control policies, will reduce the risk of user access to unrelated resources. Running computing services in isolated domains, providing default encryption of data in motion and at rest, and controlling data through virtual storage have all become activities that can improve accountability and reduce the loss of data. In addition, automated provisioning and reclamation of hardened run-time images can reduce the attack surface and improve forensics.

For more information on how the Rise of Cloud is creating new requirements for Security please see our podcast.


Security in Industry
Industry-specific software assets that allow you to deploy business solutions with lower costs and risk:

Financial Services: Banking and insurance companies need to manage risk more efficiently, at a lower cost, through online channels including web-based applications and cloud-implemented solutions. With the ever-changing environment facing financial institutions, maintaining system integrity and automating all security and compliance initiatives is imperative to keeping up with the integration of mergers and acquisitions.

Please review this case study of how a Financial Services and Banking company managed a response to security mandates.

Government: Growing concerns over government data security, driven by increasing vulnerabilities and cyber security threats, have agencies looking for cost-effective and efficient solutions to manage their data systems, including fulfilling various changing requirements for compliance (accessibility, etc.) and security to governing bodies. As government agencies open citizen access to new Internet-based services and establish efficient methods for creating trusted identities, the need for stronger authentication and portal security is increasing. Greater accountability and transparency means more exposure of data vulnerabilities.

Please review the case study of how a branch of the armed forces secured the needs of the military.

Energy and Utilities: The “Smart Grid” raises privacy and safety concerns, and standards like the North American Electric Reliability Corporation (NERC) and the Federal Energy Regulatory Commission (FERC) are driving heightened protection from cyber attack. These efforts to strengthen access control and prevent data loss are critical to the success of not only the project, but also the customers that utilize the system.

Healthcare: Securing sensitive patient information and adhering to compliance mandates is an overwhelming requirement for all healthcare professionals at every level of the industry. With funding for use of Electronic Health Records (EHR), the access and security of health records is becoming a pressing issue. More reliable infrastructure management, reducing the possibility and impact of security vulnerabilities while adhering to industry regulations, is needed.

Please review the case study of an International Telecommunications Company.


Resources

Whitepapers:
Ponemon Business Case for Data Protection (US) / Ponemon Business Case for Data Protection (UK)
The Business Case for Data Protection was conducted by Ponemon Institute and sponsored by Ounce Labs, an IBM Company. It is the first study to determine what senior executives think about the value proposition of corporate data protection efforts within their organizations.

The Right Tool for the Right Job
A range of application security tools was developed to support the efforts to secure the enterprise from the threat posed by insecure applications. This white paper examines the most common tools found in the enterprise application security environment.

Trust, but Verify
This white paper discusses the need for addressing security concerns in outsourced applications. It outlines a framework for addressing these concerns with outsourcing partners and explores the role of source code review and related technologies to assess and certify outsourced applications.

Knowledge is Power
Your software has a lot to say about data privacy. Your software is the engine for your data, where it gets processed, transformed, and transmitted. Understanding what your software can tell you puts power in your hands.

Maintaining trust: protecting your website users from malware
This paper explores the problem of malware and how it is increasingly being delivered through legitimate websites.

Web Application Security e-Kit
IBM Rational AppScan can help you effectively design security into your products and services early in the lifecycle, in a way which is resilient to change. Download your complimentary e-Kit now. You’ll receive white papers, demos, podcasts and additional information on helping you design, deliver, and manage smarter software and services faster, in a more secure and cost-efficient manner.

Rational AppScan ROI Calculator
Automated application security analysis enables you to detect exploitable vulnerabilities, protecting against the threat of cyber-attack, and significantly reduces the costs associated with manual vulnerability testing. This Rational AppScan ROI calculator will help you estimate your ROI from implementing a web application security testing solution.

Podcasts:
“What, Why and How of Application Security”: In this podcast you can learn how application security strategy and policy can mitigate risk and thus safeguard not only your company’s informational assets but also your bottom line and brand.

“Rise of Cloud is creating new requirements for Security”: In this BizTech Reports podcast, David Grant discusses the new and elevated role application security must play to protect vital corporate interests in as efficient a manner as possible. According to IBM X-Force’s most recent research from the end of 2008, over 50% of all vulnerabilities disclosed that year were related to the application layer.

“Securing software at the source is good for Quality”: Hear from Ryan Berg, Security Architect, IBM, on how to promote secure software delivery starting in QA. Learn how you can ensure that security standards are met as part of your quality measures.

Demos:
IBM’s Development and Test Enterprise Cloud Solution: IBM Smart Business Development & Test on the IBM Cloud is your gateway to the cloud. With an ever-growing list of images and functionality, you can provision, manage, and customize your instances in minutes.

Rational AppScan Standard Edition: This demo takes you through the process of scanning a web application for security vulnerabilities using Rational AppScan Standard Edition.

Case Studies:

A branch of the armed forces secured the needs of the military.

A financial services and banking company managed a response to security mandates.

An International Telecommunication Company: Building security into the software development life cycle with low cost and high value.

© Copyright IBM Corporation 2010
IBM Software Group, Route 100, Somers, NY 10589, U.S.A.
Produced in the United States of America, August 2010. All Rights Reserved.

IBM, the IBM logo, ibm.com, Smarter Planet, the Smarter Planet logo, AppScan, LotusLive and Rational are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml

Please Recycle

ESW03001-USEN-01
