A CISO’s Guide to Application Security
Building the case for increased investment in organizational
application security
WHITEPAPER: A CISO’S GUIDE TO APPLICATION SECURITY
Table of Contents
Introduction
The Growing Threat to Applications
Toward an Application Security Center of Excellence
  The Ad Hoc Stage
  The Baseline Program
  The Advanced Program – an Application Security “Center of Excellence”
Justifying an Investment in Application Security
The Case for Application Security: Conclusion
Learn More
Works Cited
Introduction
The past few years have seen a massive increase in both the number and severity of threats facing applications.
With these new threats comes a serious increase in the pressure on Chief Information Security Officers (CISOs) and their IT security teams to protect this gateway to sensitive company and customer data. However, making a case for increased investment in application security can be a daunting task.
This paper will provide CISOs and their security teams with guidance for justifying application security investment
as well as recommendations for how they can build their efforts into advanced application security programs.
The Growing Threat to Applications
IT security professionals are well aware of the kinds of external threats targeting their organizations. Data
breaches from cyber attackers are the single biggest threat to enterprise security today. The quantity and
frequency of hacks, attacks and malware are only growing – and well-documented (see Figure 1 below). To
mitigate this threat, organizations must secure all three fundamental access points to their digital data: the
network, the hardware… and the software that supports their business operations.
Figure 1: Graph with data from the 2012 Verizon Data Breach Investigations Report showing the distribution of threat agents over time, by percentage of breaches2
Existing security measures create a false sense of security. Most enterprises have widely adopted IT security
tools such as firewalls and intrusion detection to protect their networks as well as antivirus, access control and
physical security measures to secure their hardware. However, what many businesses still lack is adequate
investment in the protection of their critical software. Simply put, software applications are the most vulnerable
entry point for attacks targeting an organization’s sensitive, protected or confidential data. If a company's network
and hardware infrastructure can be called the “back door” to hacktivists, spies and fraudsters, then business
software should be called the front door.
Professional hackers and cyber criminals know how to exploit the weakest link in an organization’s IT infrastructure – vulnerabilities in applications – to get to valuable data. Consider these sobering statistics:
90% of companies have been breached at least once by hackers over the past 12 months1
855 data breaches in 2011 lost 174 million records, the second highest volume of data stolen since 20042
54% of attacks on large organizations exploit web application vulnerabilities, while hacking was responsible for 81% of compromised records2
For all organizations that reported the source of breach incidents in 2011, 40% were traced to application security issues3
The National Vulnerability Database – the U.S. government’s repository of standards-based vulnerability management data – publishes at a rate of 13 new vulnerabilities each and every day4
The costs of a single data breach are daunting: $194 per compromised record, or an average $5.5M per incident5
Data breaches can hammer a company’s valuation – Global Payments stock dropped 9% in March 2012 after it was reported that the company was being investigated because of a data breach that affected firms including Visa and MasterCard6
Companies spend just 0.3% of what they pay for software on ensuring that it is secure7
54% of incidents investigated in the 2012 Verizon Data Breach Investigations Report took months to be discovered by their victims (see Figure 2 below)2
Figure 2: Chart with data from the 2012 Verizon Data Breach Investigations Report showing the span of time from when a company’s first asset is negatively affected to the moment when the victim learns of the incident2
Alarmed by the potential for widespread social and commercial damage, government and industry regulatory
bodies have been strengthening their mandates in the area of application security. Many organizations are now
required by laws and regulations to address the risk posed by their applications, and perform scheduled risk
assessments and compliance audits. Some of the regulations which specifically require data privacy and security
include:
The Payment Card Industry Data Security Standard (PCI DSS), maintained by the PCI Security Standards Council, applies to any business that stores, processes or transmits cardholder data; its requirements explicitly cover secure development and testing of payment applications
The Federal Information Security Management Act (FISMA) requires federal government agencies to provide information security for their operations and assets
The Federal Financial Institutions Examination Council (FFIEC) is an interagency body of the United States government whose guidance, including its guidance on authentication for online banking, is applied by examiners to the financial institutions they supervise
The Health Insurance Portability and Accountability Act (HIPAA) governs the security and privacy of
health data such as patient records in the healthcare industry
The Gramm-Leach-Bliley Act (GLBA) governs the collection, protection and disclosure of customers’
personal financial information
The Monetary Authority of Singapore (MAS) recently updated their Technology Risk Management
Guidelines to include quarterly assessments for application vulnerabilities as a best practice which
financial institutions are expected to adopt
Private contractual mandates: many organizations are contractually obligating their partners to assure
security as well.
Software is everywhere. It is increasingly accessible to attack, and the opportunities to exploit its weaknesses are
plentiful and painless for those intent on doing so. Applications are the new entry point to steal critical business
data — and the resulting attacks have proven profitable for cyber criminals. Network- and hardware-based
security have both proven ineffective against many of today’s threats. It is time for increased investment in
application security to protect the software that runs modern businesses.
Toward an Application Security Center of Excellence
When undertaken correctly, application security takes a systematic, programmatic approach to hardening business-critical software from the inside. That is not to say that organizations must over-invest in an advanced program from the start to be effective; in fact, quite the opposite.
It is easy for organizations of any size to get started with application security. There is a well-established evolutionary curve that practitioners follow as they progress and mature their processes, technology and teams. The simplest framework to establish programs and policies addresses (and continuously improves) these basic steps: identification of vulnerabilities, assessment of risk, fixing flaws, learning from mistakes, and better managing future development.
The application security market has reached sufficient maturity to allow IT management to follow a well-established series of actions to build and scale a program. While the actual progression is more fluid and may contain multiple phases, application security can generally be viewed in three primary stages: Ad Hoc, Baseline Program and Advanced Program.
The Ad Hoc Stage
Construction – Initial investment in reactive technologies: Intrusion Detection Systems (IDS) that alert on active, incoming attacks and Web Application Firewalls (WAF) that block them at the edge; neither fixes the underlying flaw in the application
Testing – Software development teams typically start with periodic manual penetration (pen) testing, then progress rapidly to automated static application security testing (SAST) of software still in development and dynamic application security testing (DAST) of running, typically production, applications
Remediation – Basic triage of test results to fix only the most egregious software flaws, in priority order
Reporting – Externally driven by industry-specific compliance bodies, according to audit requirements
Policy – No formal policies; reactive
Portfolio coverage – Protect only internally developed software to start, but complete an application inventory
The Baseline Program
Construction – Initiate investment in basic software developer training, plus add threat modeling and ongoing threat intelligence to anticipate specific attacks, understand harmful impacts and define countermeasures in advance
Testing – Combine pen testing, SAST and DAST into a hybrid testing regimen
Remediation – Track progress in the development team’s own tooling: a flaw repository integrated with the developers’ environment and defect tracker, with role-based access, in which each fix is recorded and validated by re-test
Reporting – Software teams earn formal certification in secure development techniques
Policy – Defined, according to a Software Development Life Cycle (SDLC) model, with proactive monitoring and incident response
Portfolio coverage – Extends to third-party applications, such as commercial vendor, open source and outsourced development
“Companies can put all of the other cybersecurity controls in place but if there are application weaknesses, hackers have the will and time to find and exploit them. The issue simply cannot be neglected anymore.”
Chris Wysopal, Chief Information Security Officer and Co-Founder, Veracode
Read the full press release at: http://www.veracode.com/content/view/1884/38
The Advanced Program – an Application Security “Center of Excellence”
Construction – Include secure architecture and design practices protecting all applications, with
accountability across security, operations and development teams
Testing – Continual process improvement of testing regimens
Remediation – Integrate training into development processes, including software change management
and scheduled “security gates” for regular re-testing
Reporting – Gain insight from multiple analytics tracking critical KPIs and benchmarking against industry
standards, with independent verification
Policy – Codify formal governance, risk and compliance management with executive support and policy
enforcement, including a cross-functional security committee and contractual requirements of all third
parties
Portfolio coverage – Scale to protect each and every app (including mobile) under formal vendor
management approach
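To make the Advanced Program’s “policy enforcement” and “scheduled security gates” concrete, here is an added example of a release gate that evaluates scan findings against a codified policy. This is example code written for this page, not Veracode’s or any product’s; the finding fields, the policy thresholds, the scan type names and the sample findings are all constructed assumptions. It blocks a release when a required scan type has not been re-run within its schedule, when a finding in a banned flaw class is open at all, or when a finding at or above the policy’s blocking severity has stayed open past its grace period; fixed or mitigated findings are ignored.

```python
"""Release gate that enforces an application security policy over scan results.

Added example for this page; not code from the whitepaper or from Veracode.
The finding format, policy fields and sample data are constructed for
illustration and are not any product's real schema.
"""
from dataclasses import dataclass
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    flaw_id: str
    category: str      # flaw class, e.g. "sql injection"
    severity: str      # one of SEVERITY_RANK
    first_seen: date   # date the scanner first reported it
    status: str        # "open", "fixed" or "mitigated"


@dataclass(frozen=True)
class Policy:
    block_at: str = "high"        # open findings at/above this severity block release...
    grace_days: int = 30          # ...once they have been open longer than this
    max_scan_age_days: int = 90   # scheduled re-test interval for each scan type
    required_scans: tuple = ("sast", "dast")
    banned_categories: tuple = ("sql injection", "hard-coded credentials")  # never allowed open


def evaluate(findings, scans, policy, today):
    """Return (passed, reasons). `scans` maps scan type -> date of its last run."""
    reasons = []
    # Scheduled security gate: every required scan type must have run recently.
    for scan_type in policy.required_scans:
        last = scans.get(scan_type)
        if last is None:
            reasons.append(f"required scan '{scan_type}' never run")
        elif (today - last).days > policy.max_scan_age_days:
            reasons.append(f"'{scan_type}' scan is {(today - last).days} days old "
                           f"(limit {policy.max_scan_age_days})")
    # Policy enforcement over open findings; fixed/mitigated ones do not count.
    threshold = SEVERITY_RANK[policy.block_at]
    for f in findings:
        if f.status != "open":
            continue
        age = (today - f.first_seen).days
        if f.category in policy.banned_categories:
            reasons.append(f"{f.flaw_id}: '{f.category}' is never allowed open")
        elif SEVERITY_RANK[f.severity] >= threshold and age > policy.grace_days:
            reasons.append(f"{f.flaw_id}: {f.severity} flaw open {age} days "
                           f"(grace period {policy.grace_days})")
    return (not reasons, reasons)


# Constructed sample data for a hypothetical application.
TODAY = date(2012, 8, 1)
SCANS = {"sast": date(2012, 7, 28), "dast": date(2012, 4, 1)}   # dast is stale
FINDINGS = [
    Finding("F-1", "cross-site scripting", "medium", date(2012, 7, 20), "open"),
    Finding("F-2", "sql injection", "high", date(2012, 7, 30), "open"),       # banned class
    Finding("F-3", "buffer overflow", "critical", date(2012, 6, 1), "open"),  # past grace
    Finding("F-4", "buffer overflow", "high", date(2012, 7, 15), "open"),     # within grace
    Finding("F-5", "hard-coded credentials", "critical", date(2012, 5, 1), "fixed"),
]


def gate_report(findings=FINDINGS, scans=SCANS, policy=Policy(), today=TODAY):
    """Run the gate and return a dict suitable for a build log or dashboard."""
    passed, reasons = evaluate(findings, scans, policy, today)
    return {"passed": passed, "reasons": reasons}


if __name__ == "__main__":
    report = gate_report()
    print("RELEASE", "ALLOWED" if report["passed"] else "BLOCKED")
    for r in report["reasons"]:
        print(" -", r)
```

Run as-is, the sample release is blocked for three reasons: the DAST scan is 122 days old, F-2 is in a banned class even though it is only two days old, and F-3 has been open past the 30-day grace period; F-4 is still inside its grace window and F-5 is already fixed. Tightening the policy (for example `Policy(block_at="medium", grace_days=0)`) is how a program moves from the Baseline to the Advanced stage without changing the gate itself.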
An advanced Application Security program should be a critical component of an organization’s overall information
management architecture, and ultimately plays an integral role in business continuity. It is critical not only to get
started with software protection, but also to rapidly progress beyond ad hoc approaches to a framework for
continuous development of effective controls and enforceable policies. Ignoring this critical aspect of information
security leaves an organization at risk of failed regulatory audits – at best – and at worst a company can be
exposed to possible business interruption, financial losses and liability due to a crippling security breach.
Justifying an Investment in Application Security
The CISO must secure all three fundamental access points to sensitive enterprise information: the network, the hardware and the software that supports business operations. Yet companies spend just 0.3% of what they pay for software on ensuring that it is secure.7 Most enterprises have widely adopted IT security tools such as firewalls and intrusion detection to protect their networks, as well as antivirus, access control and physical security measures to secure their hardware. In a 2011 Gartner study of top security priorities, application security still ranked a distant fifth, behind a variety of network security tools; first on the list was data loss prevention.
Ultimately, it is up to the CISO and his or her security team to implement and verify the effectiveness of security measures, including application security disciplines such as software testing, vulnerability remediation and ongoing secure coding practices. Researching and assembling a solid business case analysis will help CISOs win wide adoption of application security processes.
There are many sobering numbers that a CISO can employ to build the business case for greater application
security investment:
Costs of a Breach – The average cost of a single data breach has reached a staggering $5.5M per
incident, or $194 per compromised record5
Loss of Revenue/Reputation – the costs of insecure software include hard costs such as lost sales, PR and customer-notification expenses and customer support issues, plus the reputational damage that follows; all of these figure into the “total cost of recovery”
Company Valuation – Consider the recent Global Payments breach: its stock valuation dropped 9 percent
on news of the incident6
Cost to Fix – Software developers have long understood that the cost of fixing an application vulnerability
during the development or QA phases dwarfs the cost of fixing the same flaw once in production
Cost of Compliance – When asked about how security spending is justified at organizations, most C-level
IT execs rely on legal and regulatory requirements. The threats of non-compliance, fines and litigation are
still greater motivators than the threat of data loss for most companies (see Figure 3 below).8
Figure 3: Graph showing results of the PwC survey on justifications for security spending, from the 2012 Global State of Information Security Survey® (not all factors shown)8
Perhaps the simplest formula for computing the risk/reward was detailed by Chris Wysopal, CTO of Veracode. His basic financial model is:
(likelihood of a breach) × (potential impact in dollars) = (expected total loss)
Event likelihood is based on the quantity and severity of vulnerabilities present in the software portfolio plus the
likelihood that one of those flaws will be discovered and exploited. In a recent survey, 90 percent of organizations
reported a breach by hackers over the previous year.9 One can uncover flaws in the software portfolio through a
variety of testing and scanning tools. The rest of the model relies on imperfect but improving industry research
data which tracks aggregate measures of total monetary risk.
As a sustained, systemic undertaking, an application security program is a cross-functional effort between the
cybersecurity, risk management and application development teams. This reality makes funding decisions more
complicated. Software methodologies and technologies are rarely standardized – even across an organization’s
internal development teams – leading to competing agendas. However, new ROI models for application security are emerging. For example, a survey of outsourced application security testing suppliers reveals a mix of licensing options that includes per-scan, per-application, per-flaw-category, per-developer and time-based pricing.
The key to positive ROI is to start small and scale over time. Any organization can get started with a basic
software testing regimen and expand with success from a single application to multiple projects. Creating a
successful deployment plan requires scoping all intended activities and associated hard and soft costs before
rolling out a chosen tool, including all staffing considerations. Organizations must create their own recipes for the
AppSec mix based upon their unique business requirements.
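The expected-loss formula above and the ROI discussion that follows it are easier to argue with numbers in hand, so here is an added worked model; it is example code for this page, not Wysopal’s or Veracode’s own model. Only the $5.5M-per-incident and $194-per-record figures (ref. 5) and the 90% breach likelihood used as a sanity check (ref. 9) come from the paper. The per-flaw exploitation probabilities, the flaw counts before and after remediation and the program cost are hypothetical inputs chosen to show the arithmetic; a CISO would replace them with the organization’s own scan data and an industry loss estimate. The likelihood term is built the way the text describes it, from the quantity and severity of open flaws and the chance that each is discovered and exploited.

```python
"""Expected-loss and ROI model for an application security investment.

Added example for this page, not code from the whitepaper. The dollar
figures marked "paper" are the whitepaper's (ref. 5); everything else is a
hypothetical input to illustrate the arithmetic.
"""
from math import prod

# Hypothetical annual probability that one open flaw of a given severity is
# discovered and exploited. Not from the paper; substitute your own estimates.
EXPLOIT_PROB = {"critical": 0.30, "high": 0.10, "medium": 0.02, "low": 0.002}

AVG_INCIDENT_COST = 5_500_000.0   # paper, ref. 5: average cost per incident
COST_PER_RECORD = 194.0           # paper, ref. 5: cost per compromised record


def breach_likelihood(open_flaws):
    """P(at least one open flaw is exploited this year).

    Treats flaws as independent, so P = 1 - prod(1 - p_i). This is the
    "quantity and severity of vulnerabilities" term of the paper's model.
    """
    return 1.0 - prod(1.0 - EXPLOIT_PROB[sev] for sev in open_flaws)


def impact_for_records(records):
    """Potential impact in dollars when exposure is sized by record count."""
    return records * COST_PER_RECORD


def expected_loss(open_flaws, impact=AVG_INCIDENT_COST):
    """The paper's formula: likelihood x impact = expected total loss."""
    return breach_likelihood(open_flaws) * impact


def program_roi(flaws_before, flaws_after, program_cost, impact=AVG_INCIDENT_COST):
    """Return on a program that remediates flaws_before down to flaws_after.

    ROI = (reduction in expected loss - program cost) / program cost.
    """
    if program_cost <= 0:
        raise ValueError("program_cost must be positive")
    saved = expected_loss(flaws_before, impact) - expected_loss(flaws_after, impact)
    return (saved - program_cost) / program_cost


# Constructed portfolio: open flaws by severity before and after a first year
# of testing and remediation that clears critical/high and half of medium.
FLAWS_BEFORE = ["critical"] * 2 + ["high"] * 5 + ["medium"] * 20 + ["low"] * 50
FLAWS_AFTER = ["medium"] * 10 + ["low"] * 50
PROGRAM_COST = 500_000.0   # hypothetical annual cost of tooling, training and staff


def worked_example():
    """Evaluate the model on the constructed portfolio."""
    return {
        "likelihood_before": breach_likelihood(FLAWS_BEFORE),
        "likelihood_after": breach_likelihood(FLAWS_AFTER),
        "expected_loss_before": expected_loss(FLAWS_BEFORE),
        "expected_loss_after": expected_loss(FLAWS_AFTER),
        "roi": program_roi(FLAWS_BEFORE, FLAWS_AFTER, PROGRAM_COST),
    }


if __name__ == "__main__":
    for name, value in worked_example().items():
        print(f"{name:>21}: {value:,.3f}")
```

With these inputs the model puts the annual breach likelihood before the program at about 0.83, in the same range as the 90% survey figure the paper cites, and after remediation at about 0.26; expected loss falls from roughly $4.5M to $1.4M, so a $500K program returns a little over five times its cost. The independence assumption in `breach_likelihood` is the weak point of the model: flaws in the same application are often exploited together, so treat the output as an order-of-magnitude argument, not a forecast.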
The Case for Application Security: Conclusion
Ongoing and well-funded investment in network- and hardware-based security solutions has proven effective in protecting the hardware and network layers. However, these defenses are ineffective against hacks and attacks that exploit flaws within an organization’s business applications. Many enterprises still lack adequate investment
in the protection of their critical software, the “front door” to their business. As a result, applications remain the
most vulnerable entry point for malicious actors targeting sensitive or confidential data. CISOs must prioritize their
investments in IT personnel, processes or technologies in alignment with the reality of today’s considerable
threats to the enterprise.
It’s time for increased investment in application security to protect the software that runs today's businesses.
Learn More
Veracode E-learning Course Curriculum:
http://www.veracode.com/products/veracode-elearning-curriculum.html
Application Security Solutions for Executive Team:
http://www.veracode.com/services/business-owner.html
Veracode Research:
http://www.veracode.com/reports
Application Security Webcasts:
http://www.veracode.com/webcasts
Veracode Customer Testimonials:
http://www.veracode.com/videos
Works Cited
1. Ponemon Institute. Perceptions About Network Security. Research report. Juniper Networks, 2011. PDF file.
2. Verizon. 2012 Data Breach Investigations Report. 2012. PDF file.
3. DataLossDB.org and Open Security Foundation. “Statistics.” DataLossDB, 2012. Web. 18 July 2012. <http://www.datalossdb.org/statistics>.
4. National Vulnerability Database. “Statistics.” DHS National Cyber Security Division/US-CERT, 2012. Web. 18 July 2012. <http://web.nvd.nist.gov/view/vuln/statistics>.
5. Ponemon Institute. 2011 Cost of Data Breach Study: United States. Research report. Symantec, 2012. PDF file.
6. Griffin, Donald. “Global Payments Trades Halt on Breach Probe.” Businessweek. Bloomberg, 30 Mar. 2012. Web. 18 July 2012. <http://www.businessweek.com/news/2012-03-30/global-payments-trades-halt-as-card-industry-probes-data-breach>.
7. King, Sam. “A Tale of Two Market Sizes.” Veracode Blog, 7 Feb. 2012. Web. 8 Aug. 2012. <http://www.veracode.com/blog/2012/02/a-tale-of-two-market-sizes/>.
8. PwC. 2012 Global State of Information Security Survey. Research report. PwC, 2012. Web. 24 July 2012. <http://www.pwc.com/gx/en/information-security-survey/giss.jhtml>.
9. Vijayan, Jaikumar. “90% of companies say they’ve been hacked: Survey.” Computerworld, 22 June 2011. Web. 24 July 2012. <http://www.computerworld.com/s/article/9217853/90_of_companies_say_they_ve_been_hacked_Survey>.
ABOUT VERACODE
Veracode is the only independent provider of cloud-based application intelligence and security
verification services. The Veracode platform provides the fastest, most comprehensive solution to
improve the security of internally developed, purchased or outsourced software applications and
third-party components. By combining patented static, dynamic and manual testing, extensive
eLearning capabilities, and advanced application analytics, Veracode enables scalable, policy-
driven application risk management programs that help identify and eradicate numerous
vulnerabilities by leveraging best-in-class technologies from vulnerability scanning to penetration
testing and static code analysis. Veracode delivers unbiased proof of application security to
stakeholders across the software supply chain while supporting independent audit and compliance
requirements for all applications no matter how they are deployed, via the web, mobile or in the
cloud. Veracode works with global organizations across multiple vertical industries including
Barclays PLC, California Public Employees’ Retirement System (CalPERS), Computershare and
the Federal Aviation Administration (FAA). For more information, visit www.veracode.com, follow on
Twitter: @Veracode or read the Veracode Blog.
www.veracode.com
© 2012 Veracode, Inc.
All rights reserved.