Five steps to achieve success with application security

This white paper provides a general framework your organization can use to create or build upon an application security program. It includes guidelines that can be useful at different stages of your security program’s maturity. By addressing key considerations, providing clear and actionable items, and offering real-world examples, these five steps provide an adaptable strategy to help your organization get started and maintain an effective, ongoing application-security strategy.

IBM Software Thought Leadership White Paper, October 2012

Five steps to achieve success in your application security program
Guidelines to help define your initiative, meet your goals and ensure ongoing security

Contents
  • Introduction
  • Taking a smart approach to ensure long-term application security
  • Step 1: Know where you are going
  • Step 2: Understand where you are today
  • Step 3: Create a plan
  • Step 4: Drive operational excellence
  • Step 5: Govern responsibly
  • Summary
  • For more information
  • About IBM Security Systems software

Introduction

For organizations developing applications today, security is not an option. The constant threat of security breaches and the potential loss of data, impact to business-critical systems and damage to reputation drive an ever-increasing focus on application security. In fact, in 2011, the number and severity of worldwide security breaches became great enough for the IBM® X-FORCE® research and development team to declare 2011 the “Year of the security breach.”[1] High-profile incidents including data leaks, denial-of-service attacks and others affected organizations across a wide range of industries. Attacks such as these—many of which target applications—have become a catalyst for organizations to reevaluate their application security policies and practices.

In an attempt to prevent breaches and their resulting data loss or systems and reputational damage, many organizations are looking to implement programs focused on application security. But they must first understand that there is no single, one-size-fits-all application security solution. Organizations looking to start programs, and even those that already have programs in place, need to make sure their application security programs are tailored to their specific business needs and adapted to the risk levels associated with each application and its data.

A successful program needs to have not only the right focus, but also a realistic timeframe. Application security is not something that happens overnight. Taking a phased approach that starts small and can be applied gradually across the enterprise is a sensible method organizations can follow when launching a security initiative.

This white paper provides a general framework your organization can use to create or build upon an application security program. It includes guidelines that can be useful at different stages of your security program’s maturity. By addressing key considerations, providing clear and actionable items, and offering real-world examples, these five steps provide an adaptable strategy to help your organization get started and maintain an effective, ongoing application-security strategy.

Taking a smart approach to ensure long-term application security

Providing data security is one goal that is virtually universal throughout today’s business environment. Although most organizations strive to protect critical business data and prevent potentially damaging security breaches, the prospect of taking action and initiating an application security effort can be daunting. The technology that supports application development and security plays an important role, but it cannot solve security problems by itself. Organizations need to implement a strategy with a clear and focused path to ensure success.

Application security programs must be adapted to an organization’s specific needs, such as application types, potential security risks and compliance requirements. These priorities should drive the investment direction of the program, since the ineffective pursuit of application security can easily become a financial sinkhole. Organizations need to focus on finding cost-effective ways to execute their initiatives.

Just as programs for application security can vary according to specific business needs, the starting points for organizations can vary according to the maturity of their security programs. In the early phases of application security, some organizations may simply want to understand more and see what their options are going forward. Others may already have tried various programs and methods but want to take their capabilities to the next step and improve their program’s effectiveness. Regardless of their stage of maturity, organizations across a wide range of types and sizes can ensure application security using the set of guidelines outlined in this paper.

This step-by-step strategy offers a phased approach that your organization can roll out over time. Each step presents important considerations, clear and actionable items, and potential services or products you can use. Although these steps provide a helpful framework, keep in mind that an application security program takes time and can be a multi-year journey. Taking the right approach can be well worth the time and effort and can ensure continual efficiency and security improvements for your program.

Figure 1: The journey to application security. The five steps to achieve success in application security programs are designed for a wide range of organizations with varying levels of security experience and are easily adaptable to help you meet your specific security and business goals.

  Step  Name                            Typical duration
  1     Know where you are going        1 month or more
  2     Understand where you are today  1 to 3 months
  3     Create a plan                   2 to 4 months
  4     Drive operational excellence    1 to 2 years
  5     Govern responsibly              Ongoing
Step 1: Know where you are going

Once you have decided to embark upon your journey toward application security, your first instinct may be to immediately start evaluating your organization’s applications and identifying their security vulnerabilities. However, before diving in, you need to have a firm grasp of the environment you are venturing into. You don’t need to be a security expert on day one, but having an understanding of the basic security landscape and the nature of security threats can help you to be prepared.

Security threats and breaches come in many shapes and sizes, ranging from SQL injection to Trojan horses to URL tampering. The types of breaches reported in the media today will likely continue to evolve and fluctuate in frequency over time. Techniques used by attackers also can change over time. And their scope can vary to include broad attacks that may target the entire Internet or highly targeted attacks that focus on breaking into particular organizations. Attackers can use off-the-shelf tools and common techniques, or highly customized tools and sophisticated techniques that can exploit vulnerabilities before anyone else is aware of them.

Understanding the common breaches and attacks relevant to your organization is therefore an important part of your security knowledge, as different industries tend to have different vulnerabilities. For example, in 2011, the financial industry faced a much larger percentage of cross-site scripting (XSS) attacks than injection attacks.[1] Identifying the types of attacks common to similar organizations in your industry can help give you a better idea of what specific challenges you may be facing.

Compliance requirements also can present security challenges that affect your applications. Regulations such as the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA) or the Sarbanes-Oxley Act may require your applications to have specific or additional security measures. Regulations may also affect the security processes you adopt. For example, you may need to produce reports documenting your compliance efforts.

It is also important to understand how your organization and its overall structure relate to application security. You should identify which of your teams and which individual roles are key to the security program. This knowledge can also help you with another critical step in your project—gaining executive sponsorship. At this point, it is a good idea to start thinking about which roles or groups will be able to support your project—an essential step to get the initiative off the ground.

Things you can do:
  • Educate yourself: To learn more about the current security environment and how threats and risks pertain to your organization, you can take advantage of the many free online resources, purchase web-based security training or hire an expert to provide educational services. Many organizations begin security programs with the assistance of a security consultant who can help them prepare for the critical first steps.
  • Understand your organization as it relates to application security: Pinpoint who is in charge of application security in your organization. To start, identify the chief information security officer in your organizational chart. If your organization does not have that role, look within the group of the chief information officer and identify the group or groups responsible for security.
  • Seek executive sponsorship: Having executive backing and the budget to support your project along its journey is a must. You will need to know who in your organization has the ability to support your initiative, so now is a good time to start making a convincing argument and a plan for your program. Your organization as a whole needs to agree that application security is an important issue, and having the right support can help shape your security priorities to ensure the success of your program.
Services you can use:
  • Security education: To learn more about security, you can take advantage of publicly available training offerings and resources, including the IBM Institute for Advanced Security[2] and IBM web-based training offerings. If you require the services of a consultant to help you through this step, the IBM Professional Security Services team offers world-class expertise, and IBM Business Partners also can provide services.

Case study: Higher education
To provide proactive security for its web applications, a large US university with 30,000 students launched an initiative to address its application vulnerabilities. To ensure a successful program, the university began by assessing its needs and potential risks and created a simple list of requirements. Primarily, the university wanted to avoid security breaches that could result in negative media exposure. Another goal was to reduce risks that could potentially impact the university’s day-to-day operations. Addressing regulatory requirements also was an important priority. By conducting a thorough analysis of its security environment and goals, the university provided the necessary foundation for its program, which continued onward to significantly improve the security of the university’s web applications.

Step 2: Understand where you are today

Whether you are new to application security or your organization and its security staff are seasoned experts, understanding where you currently stand on application security is another important step along your project’s journey.

A large part of risk identification is knowing where data can be lost or compromised. Your organization needs to know how data enters applications, whether from user data entry, field selection or other methods. Understanding the nature of the client—web or mobile—is also important. You should identify the number and type of application users, including public, authorized, internal and external. Knowing the importance of the application and whether it is mission-critical can help you determine the priority you will give to different components of your program.

Another part of risk identification is to understand the nature of the data exposure your application may be allowing. Understanding the types of data—such as non-critical information or highly sensitive customer account information—and knowing the types of authentication used to protect it can help you determine how to address vulnerabilities.

Identifying the threat types—internal or external—can also help you narrow your focus. Applications hosted within the organization cannot be ignored, as internal users such as employees are typically granted higher levels of access than external users. However, external access points typically pose a larger threat to organizations because they can expose the organization to attacks from anywhere on the Internet. For example, a bank with thousands of applications and multiple external interface points can face numerous threats from external users who would steal financial data or account information.

Things you can do:
  • Obtain or perform an application inventory: Taking an inventory of all of your organization’s applications can be a big task, but is worth the effort to help you know which applications you have and which ones need the most attention. To identify who owns an application list or can create one, determine who manages the web environment. In a larger organization, you may need to contact individual lines of business. Once you have a list of applications, determine which person or group owns each one. You can keep track of this in a simple spreadsheet or with an extensive database, depending on the number or scale of your applications. Out of these, identify the most important applications—such as those that are public-facing—using your own tools or with the help of a consultant.
  • Conduct a vulnerability assessment: Begin with one or two applications and perform a vulnerability assessment. Using dynamic analysis—testing how your applications respond to attacks as the applications are running—can help you quickly check all of the critical points in the application and in its development process and help you generate a list of potential vulnerabilities. Once these are known, perform a risk analysis to identify the risk levels associated with each of the identified vulnerabilities.
  • Identify key focus areas: After conducting an initial vulnerability assessment, organizations often find their applications and development processes riddled with problems such as XSS vulnerabilities. At this point, use your information from the vulnerability assessment and decide which areas your application security program needs to focus on. You may want to show the results of your assessment and risk analysis to your executive sponsor. These findings can be very useful to help you and your sponsor generate support and funding for your project.

Products you can use:
  • Dynamic analysis: Application-scanning tools such as IBM Security AppScan® Standard software can help you perform an initial vulnerability assessment. These tools can be used to perform a dynamic analysis of an application and generate detailed information on its vulnerabilities.

Services you can use:
  • Vulnerability assessment: Many organizations choose to hire consultants to help them assess the current state of their applications and to conduct a vulnerability assessment. Consulting services such as the IBM Professional Security Services team or services available through IBM Business Partners can assist you with an application security assessment.

Case study: Global software developer
A global leader in software development needed to enhance the quality of its online applications and also increase customer confidence in the security of these applications. After undergoing a restructuring of its product portfolio, the company evaluated its inventory of applications and began to conduct vulnerability assessments. Using IBM Security AppScan Standard software, the company was able to efficiently and thoroughly scan its applications to identify vulnerabilities and remediate risks. This enabled the company to meet its security goals and correct issues before applications were deployed for public release.

Step 3: Create a plan

After conducting an initial vulnerability assessment and choosing key security areas to target, you can start creating a plan for your security program by identifying a small number of initial applications to work with. Focus on applications of highest importance to your organization, those that need the most attention or those that can benefit the most from your program. It is a good idea to start with a limited number of stakeholders and team members. This approach can help your program begin smoothly and maintain focus.

After you identify the right applications to prioritize, focus on fixing the critical issues in these applications. Where possible, correct the issue and educate the development teams about the vulnerability, including detailed information on the problem and how it can be fixed. Keep in mind that not every application can be fixed today and that development and testing can take time.
Once you have achieved some initial successes, create a repeatable model and apply it to a larger number of applications. To continue the momentum of your program and increase your executive support, utilize your initial teams to evangelize the project and serve as role models for other teams to emulate.

Things you can do:
  • Start a pilot project: At first, focus on a small number of applications—perhaps only one. Use careful selection when choosing not only applications, but also application owners. Working with an application team that is committed to application security helps to ensure a smoother pilot project and enables you to use the application owners as role models for the rest of the organization. When creating a process for your project, make sure it is tailored to your organization’s needs. Work to improve the security of your applications, measure the results and build upon your internal knowledge and capability.
  • Track your progress: Make sure to track the progress of your program and keep your executive sponsors in the loop. Before you begin to measure your progress, it is a good idea to create a baseline including information such as the number of applications you are addressing and the number of initial vulnerabilities present. Continue to track the progress of your project against the baseline as you address more applications and resolve more vulnerabilities.
  • Streamline testing: Where possible, automate your new testing processes and integrate best practices into your existing tools and processes.
  • Share information: To keep your teams connected and well informed, use knowledge-sharing tools such as wikis or educate team members using brown-bag sessions.

Products you can use:
  • Dynamic analysis: Tools for dynamic analysis can help your testers understand how applications respond to attacks as the applications are running. You can use software such as IBM Security AppScan Standard and start with a small number of licenses (one per tester). As your organization expands its analysis process, more advanced tools such as IBM Security AppScan Enterprise can provide additional functionality such as broad-based reporting and self-serve dynamic scanning.
  • Static analysis: If your team is using static analysis, which analyzes application source code, you can use tools such as IBM Security AppScan Source with its included IBM Security AppScan Enterprise server software for data sharing, reporting and oversight capabilities.
  • Hybrid analysis: If you are using a hybrid combination of dynamic and static analysis to test your applications, tools such as IBM Security AppScan Enterprise can be useful to help you consolidate the testing data.
  • Intrusion prevention solutions: In addition to using dynamic, static or hybrid analysis for applications in development, you also may choose to identify vulnerabilities in your deployed applications that need immediate protection. Intrusion prevention measures such as IBM Security Network Intrusion Prevention System solutions can be used to block attacks against these applications. Using a layered approach instead of relying on a single security solution is an important best practice to integrate into your organization’s security.
Services you can use:
  • Application security testing: If you choose not to use your existing teams to test your applications, you can work with expert in-house security auditors such as the IBM Professional Security Services team, or you can use services available through IBM Business Partners.

Case study: Insurance company
With a primary goal to increase customer focus, a Fortune 100 insurance company wanted to expand the mobility of its agents and improve their application access. But to provide this, the company needed to address the security risks for its applications. After developing a solid plan for an application security program, the company embarked upon a phased, multi-year mission. Using testing methods including static analysis, the company was able to reduce application vulnerabilities and use the knowledge gained to develop an internal training course curriculum providing standard processes for its application teams.

Step 4: Drive operational excellence

Regardless of your program’s stage of maturity, there is always room to improve the operations throughout your application security program—from application development to production. After you have created a proven set of processes to address vulnerabilities, you can employ a systematic approach to ensure efficiency when applying your program across the organization. Whether you are using dynamic, static or hybrid analysis, you can begin to build out repeatable and measurable processes.

One way to improve your program’s operations is to address the needs of the different groups involved, which can help you bridge the communication gaps and eliminate silos of teams. For example, development teams are typically designing and building code to meet functional and performance objectives. Initially, they often do not have security requirements established, so they do not design, build or test for security. On the other hand, teams that specialize in security typically play an auditing role in which they review software just before it goes into production, identifying security vulnerabilities late in the development cycle. This can create a bottleneck and cause tension between these teams. By understanding how different teams are involved and adjusting your processes accordingly, you can help to ensure operational efficiency in your program.

Addressing the development lifecycle also can help your organization uncover cost-saving opportunities. By identifying vulnerabilities early in development as opposed to later in the application’s lifecycle, you can substantially reduce the cost of fixing vulnerabilities. As illustrated in Figure 2, fixing defects found late in the cycle can prove to be much more expensive than fixing them earlier during development. Also, creating processes that help you discover vulnerabilities earlier can help you provide extra defense against security breaches, since it is less likely that the vulnerabilities will slip through the process and exist in the final product. Building security into the application lifecycle from the start is therefore an important best practice to consider for your application security program.
Things you can do:
  • Measure the cost of being secure: As you scale out your security program, measure the cost per defect for fixing vulnerabilities. This helps you focus on reducing costs and places emphasis on early detection and remediation.
  • Build security into your process: Engage with your software architects to focus on secure application design and work with testers to build security into their test plans. Develop a template of security requirements, which can save planning time and help to ensure that processes are followed consistently. It is also a good idea to build security into your procurement process. Create a list of security requirements for third parties who develop or deliver software to your organization.
  • Audit your web applications: Use your internal teams to conduct regular audits of your web applications to identify and fix vulnerabilities early in the development cycle—before vulnerable software is deployed into your live environment.
  • Perform regular third-party audits of your environment: In addition to leveraging internal teams, using third parties to conduct security audits can greatly improve your organization’s chances of finding application security issues.
  • Address advanced persistent threats: Using intrusion prevention systems can help provide a critical layer of protection for your applications in production, which can prevent many types of breaches such as SQL injection.
  • Have an incident response plan: Be prepared for a potential security breach and create detailed plans describing how your organization will respond.

Figure 2: Reduce costs by finding application vulnerabilities early. Estimated costs are based on IBM Global Business Services industry standards.

  Phase in which the defect is found   Cost per defect
  Development (coding)                 $80
  Build                                $240
  Quality assurance/test               $960
  Production                           $7,600

By identifying vulnerabilities early in the application lifecycle, your organization can prevent unnecessary costs when fixing application security issues. The costs represented in this illustration are based on a hypothetical hourly rate, but the magnitude of cost escalation that occurs through the application lifecycle is typical of what many organizations experience.[3]
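As an added example that is not part of the IBM paper, the following Python script ties Steps 2 to 4 together: it ranks a constructed application inventory by exposure (external access, data sensitivity, criticality), snapshots a vulnerability baseline to measure progress against, and prices findings by the lifecycle phase in which they were found using the Figure 2 figures. Every application name, owner and finding is constructed, and the scoring weights are assumptions rather than anything the paper prescribes.

```python
"""Program-metrics helpers for an application security pilot.

Constructed example for Steps 2 to 4 of the white paper: rank an application
inventory by exposure (Step 2), snapshot a vulnerability baseline and measure
progress against it (Step 3), and price findings by the lifecycle phase in
which they were found, using the Figure 2 figures (Step 4). Every application,
owner and finding below is made up; the scoring weights are assumptions.
"""
from collections import Counter
from dataclasses import dataclass, replace

# Figure 2: cost to fix one defect, by the phase in which it is found.
COST_PER_DEFECT = {"coding": 80, "build": 240, "qa": 960, "production": 7600}

# Assumed weights: Internet reach and data sensitivity dominate the ranking.
DATA_WEIGHT = {"public": 0, "internal": 1, "sensitive": 3}
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 9}


@dataclass(frozen=True)
class App:
    name: str
    owner: str            # person or group that owns the application
    public_facing: bool   # reachable from the Internet (external access point)
    data_class: str       # "public", "internal" or "sensitive"
    mission_critical: bool


@dataclass(frozen=True)
class Finding:
    app: str
    vuln_type: str        # e.g. "xss", "sqli"
    severity: str         # "low", "medium" or "high"
    found_in: str         # phase key of COST_PER_DEFECT
    fixed: bool = False


def exposure_score(app):
    """Higher means 'address first' (Step 2: external access, data type, criticality)."""
    score = DATA_WEIGHT[app.data_class]
    score += 4 if app.public_facing else 0
    score += 2 if app.mission_critical else 0
    return score


def prioritize(apps, findings):
    """Rank apps by exposure, breaking ties by the weighted severity of open findings."""
    open_sev = Counter()
    for f in findings:
        if not f.fixed:
            open_sev[f.app] += SEVERITY_WEIGHT[f.severity]
    return sorted(apps, key=lambda a: (exposure_score(a), open_sev[a.name]), reverse=True)


def baseline(apps, findings):
    """Step 3 baseline: apps in scope, open vulnerabilities, and their breakdown by type."""
    open_f = [f for f in findings if not f.fixed]
    return {"apps": len(apps), "open_vulns": len(open_f),
            "by_type": dict(Counter(f.vuln_type for f in open_f))}


def progress(base, findings):
    """Percentage of the baseline's open vulnerabilities that are now fixed."""
    if base["open_vulns"] == 0:
        return 100.0
    open_now = sum(1 for f in findings if not f.fixed)
    return round(100 * (base["open_vulns"] - open_now) / base["open_vulns"], 1)


def mark_fixed(findings, app, vuln_type):
    """Return a new list with the matching finding(s) marked as fixed."""
    return [replace(f, fixed=True) if (f.app, f.vuln_type) == (app, vuln_type) else f
            for f in findings]


def remediation_cost(findings):
    """Step 4: total cost of the findings at the phase in which each was found."""
    return sum(COST_PER_DEFECT[f.found_in] for f in findings)


def shift_left_savings(findings, target="coding"):
    """What the same findings would have saved had every one been caught at `target`."""
    return remediation_cost(findings) - len(findings) * COST_PER_DEFECT[target]


# Constructed sample inventory and assessment results.
APPS = [
    App("customer-portal", "web team", True, "sensitive", True),
    App("hr-intranet", "hr it", False, "sensitive", False),
    App("marketing-site", "comms", True, "public", False),
]
FINDINGS = [
    Finding("customer-portal", "xss", "high", "production"),
    Finding("customer-portal", "sqli", "high", "qa"),
    Finding("hr-intranet", "xss", "medium", "build", fixed=True),
    Finding("marketing-site", "xss", "low", "coding"),
]

if __name__ == "__main__":
    base = baseline(APPS, FINDINGS)
    print("pilot order:", [a.name for a in prioritize(APPS, FINDINGS)])
    print("baseline:", base)
    later = mark_fixed(FINDINGS, "customer-portal", "xss")
    print(f"progress after one fix: {progress(base, later)}%")
    print(f"cost as found: ${remediation_cost(FINDINGS)}, "
          f"saved if all caught in coding: ${shift_left_savings(FINDINGS)}")
```

Replace APPS and FINDINGS with an export from your own inventory and scanner to get a pilot ordering and a baseline you can report against in later reviews.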
Products you can use:
  • Advanced testing, reporting and integration: At this phase of your program’s maturity, you can benefit from using advanced tools such as IBM Security AppScan Enterprise, which provides the scalability and control to support security testing as early as possible in the development lifecycle. Tools such as these with developer-friendly reporting can be used to produce insights and actionable items for development teams. IBM Security AppScan Enterprise also supports integration with development tools to help minimize disruption to the development processes.

Case study: Federal department
A large US Federal government department wanted to incorporate static analysis as part of its application development lifecycle. After adopting a new approach to development, whereby automated security testing is performed as the software is built, the department was able to identify defects as early as possible and with minimal manual effort. This helped the department to reduce the cost of development throughout the software lifecycle by avoiding expensive reworking and patching of software. By focusing on security tests that could be automated and on tests with high probability rates of success, the department found it could reduce the cost of fixing vulnerabilities while increasing the visibility of security throughout the organization.

Step 5: Govern responsibly

Creating a long-term program for application security can be a challenging and complex process, but implementing an efficient program capable of achieving your security goals can be invaluable to your organization. However, it is critical to your program’s—and your organization’s—future that you maintain your security posture and continue to guide your program along its ongoing journey. Governing your program is an ongoing activity, one that should begin as soon as you have gained an executive sponsor.

If you have kept closely tuned to your program’s progress, you should have new perspectives about where your organization is today and how far it has come since the program began. Make sure to keep your sponsor and staff—including management, security, development and quality-assurance teams—well informed on your progress.

In addition to communicating with your teams, make sure your program stays on track and its processes and guidelines are consistently followed. This is important not only to maintain security, but also to keep you prepared for security audits. Ensuring that your teams play by the rules is an important part of your program’s continued success.

Things you can do:
  • Continue to measure security: Make security one of your key performance indicators and continue to track the progress of your program.
  • Measure and report regularly: Continue to measure the results of your program and create reports to keep teams and management informed.
  • Leverage security intelligence systems: Integrate your application vulnerability data with your security intelligence systems to strengthen the overall security of your program.
Products you can use:
  • Reporting and dashboarding: To help provide oversight for your entire application security program, tools such as IBM Security AppScan Enterprise include useful reporting and dashboarding features that can help you improve the visibility and communication of your program’s progress. IBM Security AppScan Enterprise includes roles and permissions features to ensure that information is shared on a need-to-know basis. Compliance reporting is also included to help you meet regulatory requirements.
  • Advanced visualization and analysis: You can take advantage of your known vulnerability information using products such as QRadar SIEM solutions with advanced threat visualization and impact analysis capabilities. These solutions integrate with the IBM Security AppScan family and can provide meaningful insights to help you identify and remediate threats and assess potential impacts.

Summary

Starting an application security program can be a significant endeavor, but breaking up the journey into phases can help you to build upon individual accomplishments and ensure continual success for the program. By using the five phases presented in this white paper as a framework for your program, you can have the flexibility to ensure that your security goals and processes are tailored to meet your organization’s needs. And by using advanced tools such as those offered in the IBM Security AppScan family, you can quickly identify and fix application vulnerabilities early in the development lifecycle, improve communication across the organization, and save considerable time and costs throughout your journey to application security.

For more information

To learn more about the IBM Security AppScan family, please contact your IBM representative or IBM Business Partner, or visit:

About IBM Security Systems software

IBM Security offers one of the most advanced and integrated portfolios of enterprise security products and services. The portfolio, supported by world-renowned IBM X-FORCE research and development, provides security intelligence to help organizations holistically protect their people, infrastructures, data and applications, offering solutions for identity and access management, database security, application development, risk management, endpoint management, network security and more. These solutions enable organizations to effectively manage risk and implement integrated security for mobile, cloud, social media and other enterprise business architectures. IBM operates one of the world’s broadest security research, development and delivery organizations, monitors 13 billion security events per day in more than 130 countries, and holds more than 3,000 security patents.

Additionally, IBM Global Financing can help you acquire the software capabilities that your business needs in the most cost-effective and strategic way possible. We’ll partner with credit-qualified clients to customize a financing solution to suit your business and development goals, enable effective cash management, and improve your total cost of ownership. Fund your critical IT investment and propel your business forward with IBM Global Financing. For more information, visit:
© Copyright IBM Corporation 2012
IBM Corporation, Software Group, Route 100, Somers, NY 10589
Produced in the United States of America, October 2012

IBM, the IBM logo, X-FORCE, and AppScan are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at

This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates. The client examples cited are presented for illustrative purposes only. Actual performance results may vary depending on specific configurations and operating conditions.

THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.

The client is responsible for ensuring compliance with laws and regulations applicable to it. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the client is in compliance with any law or regulation.

IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that systems and products are immune from the malicious or illegal conduct of any party.

References
[1] IBM X-FORCE, “IBM X-Force 2011 Trend and Risk Report,” IBM Corporation, March 2012. webapp/iwm/web/ trend-risk-report
[2] For more information on the IBM Institute for Advanced Security, visit
[3] RTI, “Planning Report 02-3: The Economic Impacts of Inadequate Infrastructure for Software Testing,” National Institute of Standards & Technology, May 2002.

WGW03014-USEN-00