Attacks on applications are among the most costly incidents organisations can face. One coordinated attack reportedly stole US$1 billion from 50 different companies.1
As the information explosion continues, applications are proliferating and becoming increasingly diverse – moving from mainframes and servers to clouds, smartphones, wearables and other devices. The ability to create applications, once exclusive to vendors and in-house programmers, is now commonplace.
Modern applications are written in multiple languages and run on myriad devices. Organisations no longer have the luxury of managing a handful of applications. Today’s portfolios contain thousands of diverse applications that complicate lines of responsibility and introduce unknown risk.
Complex application portfolios provide fertile ground for a growing number of vulnerabilities. Attackers know that vulnerable applications open doors into organisations’ protected systems and most valuable information: more than two thirds of attacks are targeted at applications.2 Organisations that do not secure their applications present themselves as easy targets.
Good practice to reduce the risk of attacks is available, and it works. But application risk needs to be governed effectively, otherwise good practice will be applied inconsistently across the application life cycle, leaving risk unmanaged.
The ISF Application Security Framework has been developed to help organisations improve security at all stages of the application life cycle. The framework is a structured and comprehensive set of 27 good practice guidelines, derived from leading practice, expert input, standards and other guidance. The framework is supported by an iterative approach that ISF Members can use to address immediate risk and incrementally improve information security across their application portfolios.
APPLICATION SECURITY – Bringing order to chaos
HOW SHOULD ORGANISATIONS RESPOND TO INCREASING APPLICATION RISK?
By performing successive iterations of the improvement cycle shown below to:
– address immediate application risk
– incrementally improve the security of their application portfolios.
1. DEFINE: For a specific group of applications, assess current practice against the framework to determine gaps. Create and agree an implementation plan.
2. IMPLEMENT: Execute the plan to implement good practice and address the identified gaps.
3. EVALUATE: Determine the extent to which improvements were effective. Remediate if necessary.
4. ENHANCE: Identify and incorporate lessons learned to enable sustainable improvements.
THE ISF APPLICATION SECURITY FRAMEWORK
Life-cycle phases: REQUIREMENTS, DESIGN, DEVELOPMENT, DEPLOYMENT, OPERATIONS, DISPOSAL, with GOVERNANCE alongside.
GOVERNANCE (A1–A6)
– A1 Application Security Governance Structures
– Application Security Policies and Procedures
– Application Ownership
– Application Register
– Application Risk Management
– A6 Application Security Education and Training
REQUIREMENTS (B1)
– B1 Application Security Requirements
DESIGN (C1–C3)
– Application Security Architecture
– Application Security Design
– Application Threat Modelling
DEVELOPMENT (D1–D5)
– D1 Application Procurement
– D2 Contractual Agreements
– D3 Application Build
– D4 Threat Protection
– D5 Application Security Testing
DEPLOYMENT (E1–E2)
– Application Integration
– Application Configuration
OPERATIONS (F1–F9)
– Application Security Operational Procedures
– Application Vulnerability Management
– Security Event Logging
– Application Monitoring
– Incident Management
– Application Backup
– Application Change Management
– Application Security Audit
– Application Identity and Access Control
DISPOSAL (G1)
– G1 Application Decommission
A6 Application Security Education and Training
IN A NUTSHELL Provide the appropriate level of information, education and training about application risk to everyone in the organisation.
WHY IT MATTERS Investment in education and training improves security knowledge, skills and behaviours.
ACTIONS TO CONSIDER
1 Engage with senior management to inform them of the nature of application risk and the potential business impact.
2 Maintain a programme that provides targeted education and training for stakeholders according to their roles and responsibilities (e.g., risk for application owners and users, security requirements for procurement teams and secure coding practices for developers).
3 Focus education and training on application risk and how to minimise it. Use topics such as:
i frequency and impact of incidents
ii common threat events to applications
iii application security policies and procedures
iv personal responsibility for adhering to policies and procedures (e.g., keeping to secure coding practice, not compromising security requirements in contracts, not letting unauthorised people see application information, not sharing passwords and not using unauthorised applications)
v particular security features in applications.
4 Update education and training as threats emerge, security practices change and development techniques evolve.
5 Monitor and evaluate how effective education and training is, and use the results to improve it.
Hints and Tips
• Integrate education and training with the organisation’s security awareness programmes.
ISF RESOURCES
See the ISF Standard of Good Practice for Information Security, in particular the topics CF2.2 Security Awareness Programme, CF2.3 Security Awareness Messages and CF2.4 Security Education/Training.
See the ISF report From Promoting Awareness to Embedding Behaviours: Secure by choice, not by chance, which provides guidance on how to set up and implement awareness and training courses according to role and responsibility.
ADDITIONAL RESOURCES
• BSIMM Training overall, with the Governance domain including activities such as “educate executives”.
• SAMM Training and Guidance.
• Microsoft SDL, SDL Practice #1.
• ISO 27034-1:2011, section A.9.1 Training.
ABOUT THIS REPORT
This report describes how application risk is increasing and why managing the risk is now critical, given the impacts organisations are experiencing and their reliance on applications. It highlights a number of areas that ISF research found to be particularly important in overcoming the barriers to effective application governance and risk management. Leading CISOs ensure clear governance structures are in place. They communicate across multiple organisational levels, allowing stakeholders to visualise responsibilities clearly and understand the true extent of the risk. They facilitate skills development for those who need it, in particular application teams and risk managers.
The ISF Application Security Framework, shown on the left, is the centre of the ISF approach to addressing application risk. This structured and comprehensive set of 27 good practice guidelines, shown below, is aligned with the ISF Standard of Good Practice for Information Security and will help organisations improve governance and risk management across the application life cycle.
[Infographic – Information volumes explode. Every minute, Facebook users share 2,460,000 pieces of content, email users send 204,000,000 messages, Amazon generates $83,000 in online sales and 40,500 photo messages are sent using Snapchat (as of Jul 2014).]
[Chart – Applications proliferate: mobile applications downloaded (billions of apps downloaded) and US$ earned by mobile app providers (billions of US$), by year, 2009–2017, with estimated values marked.]
[Infographic – Organisations are not keeping up: the equivalent of 106 years of downtime was suffered by Microsoft, Yahoo! and Google services in 2014 due to 11,944 outages; only 37% of applications are tested for vulnerabilities (as of Nov 2014); 1 billion personal data records were compromised in 2014.]
Sources: Jack Taylor, ViralNova, Statista, NCC, Veracode, Gemalto
WHERE NEXT?
ABOUT THE ISF
Founded in 1989, the Information Security Forum (ISF) is an independent, not-for-profit association of leading organisations from around the world. It is dedicated to investigating, clarifying and resolving key issues in cyber, information security and risk management by developing best practice methodologies, processes and solutions that meet the business needs of its Members.
ISF Members benefit from harnessing and sharing in-depth knowledge and practical experience drawn from within their organisations and developed through an extensive research and work programme. The ISF provides a confidential forum and framework, which ensures that Members adopt leading-edge information security strategies and solutions. And by working together, Members avoid the major expenditure required to reach the same goals on their own.
DISCLAIMER
This document has been published to provide general information only. It is not intended to provide advice of any kind. Neither the Information Security Forum nor the Information Security Forum Limited accept any responsibility for the consequences of any use you make of the information contained in this document.
Reference: ISF15 09 02 | Copyright © 2015 Information Security Forum Limited | Classification: Public, no restrictions
CONTACT
For further information contact:
Steve Durbin, Managing Director
US Tel: +1 (347) 767 6772
UK Tel: +44 (0)20 3289 5884
UK Mobile: +44 (0)7785 953 800
Email: [email protected]
www.securityforum.org
Application Security – Bringing order to chaos equips ISF Members to improve governance and risk management across the application life cycle. It does this by:
– articulating the magnitude of application risk
– providing practical guidance on how organisations can overcome operational barriers with clear governance, better communications, the right skills and actions to address immediate risk
– setting out an approach that incrementally improves application risk management and embeds good practice across application portfolios.
Central to the ISF approach for protecting applications and the information they handle is the ISF Application Security Framework. The 27 good practice guidelines that make up the framework are aligned with the ISF Standard of Good Practice for Information Security and a wide set of good practice including BSIMM, ISO/IEC 27034-1:2011, Microsoft SDL and SAMM.
ISF Members will also find that this report complements the ISF Information Risk Assessment Methodology 2 (IRAM2).
The ISF encourages collaboration on its research and tools. Members are invited to join the active Application Security group on ISF Live (https://www.isflive.org/community/process/application-security), to share their experience and debate findings in this report. Please let other ISF Members know how you have translated the guidelines into effective controls to improve information security across your organisation’s application portfolio.
The report is available free of charge to ISF Members, and can be downloaded from the ISF Member website www.isflive.org. Non-Members interested in purchasing the report should contact Steve Durbin at [email protected].
1 Kaspersky Lab (2015) Carbanak APT: The great bank robbery version 2, Securelist. http://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt
2 Gartner Security and Risk Summit, 23–26 June 2014, National Harbor, Maryland, USA.