Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Securing And Modernizing Applications For Texas State Agencies


Published on

State of Texas Agencies must provide a high level of service, respond to an evolving security landscape and maintain compliance with changing laws and regulations. The urgency of these needs often outweighs the immediate importance of maintaining modern application environments. As a result, agencies often run a variety of applications on insecure and unsupported legacy platforms.

Over time, applications become difficult to support and contain a larger number of security flaws. Knowledge of each system also diminishes, making ongoing maintenance more challenging.

Migrating to more modern, secure and sustainable application platforms
This Denim Group-sponsored session, led by Principal and application security expert Dan Cornell, will focus on the following:
• Decision-making to determine which Agency applications need remediation or should be considered for "end of life"
• A risk-based approach to prioritizing applications for updates, remediation and modernization
• Strategies for deploying and maintaining a secure application portfolio in the State of Texas Datacenters

The session is for IT executives, including IRM's, ISO's, Directors of Application Development, and other State IT executives, who would like to take concrete steps toward a comprehensive application portfolio management process.
• Learn the strategies needed to modernize mission critical applications in a secure fashion.
• Get an overview into existing technologies, best practices and competing approaches that will enable you to modernize your most important applications for transition to State of Texas Datacenters.

Published in: Technology, Education
  • Be the first to comment

  • Be the first to like this

Securing And Modernizing Applications For Texas State Agencies

  1. 1. Securing and Modernizing Applications for Texas State Agencies John Dickson, CISSP Dan Cornell D C ll Gregory Genung August 26, 2009 g ,
  2. 2. Agenda • Background • Introductions • Problem: Legacy Application Proliferation • Solution: Secure and Modernize • Strategies • Questions • More Information 1
  3. 3. Denim Group Background • Privately-held, professional services organization that develops secure software and mitigates risk with existing software • Trusted partner of numerous State of Texas Agencies • Development p p p perspective influences all aspects of software security p y – All consultants regularly build software systems – Approach the problem of software security from a developers viewpoint • Thought Leaders in Secure Development Practices g p – Developed Sprajax – First Open Source AJAX vulnerability scanner – National speakers at conference such as RSA – OWASP National Leaders and Local Chapter 2
  4. 4. Denim Group DIR Contract: DIR SDD 660 • External Controlled Penetration Testing – Application Assessments IT Security Services • Risk and Vulnerability Assessment Services – Application Penetration Testing – Secure Code Reviews – Secure Application Development Services – Commercial Product Assessment – Data Security Assessment • Security Training Services – Application Security Principles Training 3
  5. 5. Introductions • Name • Organization • Role • Current Challenges and Desired Takeaways 4
  6. 6. Challenges with Legacy Applications 5
  7. 7. Challenges with Legacy Applications • Construction – Targeted at non-web platforms – Little or no thought of security – Compliance and governance regimes have come into existence after application was originally built • Management g – State of the industry has advanced – Older technologies lack modern management and monitoring capabilities – Multiple platforms, multiple technologies • Skill sets and knowledge – Talent pool is shrinking for legacy platforms and languages – Little or no knowledge of application requirements 6
  8. 8. Opportunity 7
  9. 9. Opportunity • Piggyback on data center migration to accomplish complementary goals • Move to supported platforms • Where appropriate and convenient – combine applications • Bring applications back to life • Build security in y • Allow for management and monitoring 8
  10. 10. Process • Enumerate • Classify • Plan • Remediate 9
  11. 11. Enumerate 10
  12. 12. Enumerate • What applications are you running? – How many instances? • Do D you hhave th source code? the d ? • Do you have documentation? • Who owns the applications? • What are the politics of remediating the application? 11
  13. 13. Classify 12
  14. 14. Classify • What sort of data does the application manage? – PII – PHI – Credit cards – Information about minors – Criminal background information g • What technologies and platforms are in use? • Which applications are considered “mission critical”? • What is the volume and value of transactions? • How many and what types of users? 13
  15. 15. Plan 14
  16. 16. Plan - Portfolio • Prioritize based on risk and value • Walk before you run – drive risk out of the process • Craft an organizational framework for remediated applications • Are there other mandates? – “Drop dead” dates tied to budgets • Opportunities for data sharing and business Intelligence • Processes and technologies for modern development – Continuous integration – Automated testing – Agile development 15
  17. 17. Plan - Application • Different Approaches – Migrate to data center as-is – Remediate existing application – Remediate via automated conversion – Remediate via rewrite • Determine security and compliance requirements from the outset – World today is different than when applications were originally created • Data center performance requirements • Accessibility requirements • How will you test the final application? – Automated testing has made great strides – xUnit, QASL • Who ill Wh will own and manage th application after it i remediated? d the li ti ft is di t d? 16
  18. 18. Migration 17
  19. 19. Migrate As-Is • Low cost / high risk • May require an exception from datacenter • Potential for reduced/no support • Application issues still exist – Security, quality, maintainability, compliance, accessibility, performance • “We plan to ‘end-of-life’ this application” – Really? For how long? 18
  20. 20. Remediate Existing Application (Upgrade) • Upgrade platform version – JDK or .NET version, application server version – May be required for support in the datacenter • Address security vulnerabilities and functionality that is non-compliant • Use automated tools and automated functional tests as a guide – S t a standard f personnel d i remediation Sets t d d for l doing di ti • Refactor to increase quality and maintainability • Incrementally adopt best practices – Create automated tests – Start continuous integration – Secure coding standards for all new code – Instrument for monitoring 19
  21. 21. Remediate via Automated Conversion 20
  22. 22. Remediate via Automated Conversion • Automated conversion from one platform to another – Example: PowerBuilder to Java • Pro: t P ostensibly k ibl keeps b i business l i i t t logic intact • Makes for a great science project, reality can be disappointing – Architectural issues, performance issues, security issues • Depending on amount of business logic, you may be better off rewriting 21
  23. 23. Remediate via Rewrite 22
  24. 24. Remediate via Rewrite • Use the original application as the specification – Minimizes the riskiest part of an application development project (requirements) – Use both source code and a running application – static and dynamic – Relies heavily on communication with users • Provides greatest opportunity for a truly “modern” application • Get the most benefit from security, quality and maintainability tools security – Much easier to use from the outset of a project than to bolt on later • How much business logic has to be rewritten? – What do you lose during the rewrite? Depends on type of software – Line of business applications often less challenging than system software 23
  25. 25. Remediation Strategy • Execution is key – Clearly communicate goals, standards and priorities • Beware bottlenecks B b ttl k – User acceptance testing – Actual deployment into data center • Data generation – where does test data come from? • Data migration early for legacy data – Do not want to be surprised later 24
  26. 26. Questions 25
  27. 27. For More Information Denim Group John Dickson, CISSP DIR Contract: DIR-SDD-660 (210) 572 4400 572-4400 @johnbdickson @j h bdi k Web: Blog: Dan Cornell d @d i @danielcornell Gregory Genung G G @ggenung 26