Skeletons in the Closet           Securing Inherited Applications                         Dan Cornell© Copyright 2011 Deni...
Overview for Today’s Session   •    The Problem   •    Information Gathering   •    Application Scoring   •    Risk Rank &...
Some Key Questions for Today’s Session   • Where do you start?   • What applications represent the biggest risk?   • What ...
Key Goals for Today’s Session   • Understand risk-based options for managing the security of inherited     applications   ...
Personal Background          • 13-years information software development and security          • Works with CIOs and CSOs ...
What you Don’t know CAN Hurt You    •       Passion: Get security            professionals to ask a better            set ...
Denim Group Background          – Professional services firm that builds & secures enterprise            applications     ...
Denim Group Background          “CSRF Explained”   http://threadstrong.com/courses-csrf-explained.html© Copyright 2011 Den...
Background – the Current State of Affairs   • Creating meaningful enterprise-wide software security initiatives is     har...
Key Facts   • 66% have adopted a risk-based approach to remediation of     application vulnerabilities   • 71% have an exe...
Step 1 – Information Gathering   • Build a Portfolio of Applications   • Collect Background Information          –   Devel...
Step 1 – Information Gathering   • Build a Portfolio of Applications   • Collect Background Information          –   Devel...
Step 1 – Information Gathering (Continued)   • Determine the Scale          –   Lines of Code          –   Dynamic Pages  ...
Step 2 – Application Scoring   • Business Importance Risk          – Business Function (customer interface, internal but p...
Step 2 – Application Scoring (Continued)   • Technology Risk          – Authentication (methods, enforcement)          – D...
Step 2 – Application Scoring (Continued)   • Assessment Risk          – Technical Assessment (assessment activity, vulnera...
Example Application Analysis   •    Patient portal for hospital system   •    Connects to back-end Electronic Medical Reco...
Application Comparisons   Application #1   • Publicly accessible staff scheduling application   • 1 million lines of code ...
Application Comparisons   Application #2   •    External company website with limited functionality   •    Site build it i...
Application Comparisons   Application #3   •    J2EE-based corporate E-commerce site   •    500K lines of code   •    Lots...
Application Comparisons   Application #4   •    3rd-party software-as-a-service (SaaS) CRM platform   •    Sensitive clien...
Results Comparison   • Let’s analyze our results   • Apply quantitative decision-making analysis concepts          – Want ...
So where do you go from here?© Copyright 2011 Denim Group - All Rights Reserved   22
Potential Follow-up Options   • End of Life   • Remediate   • Potential Testing Approaches          – Tailoring to Documen...
What you can do now!   • Collect or scrub your initial application inventory   • Develop relationships w/ 3rd parties who ...
Conclusion   • Managing the security of inherited applications can present the most     severe headaches for someone build...
Resources   •    “Web Application Security Portfolios, ISSA Journal, May 2009, Coblentz, Nick.   •    Open Web Application...
Contact     Dan Cornell     dan@denimgroup.com     (210) 572-4400     www.denimgroup.com     blog.denimgroup.com     Twitt...
Upcoming SlideShare
Loading in …5
×

Skeletons in the Closet: Securing Inherited Applications

4,766 views

Published on

Many security officers worry less about the security of new applications being built and more about the security of hundreds of applications they inherited. What applications represent the biggest risk? What attributes make them more or less risky? What are the most cost-effective courses of action given budget constraints in today’s business environment? This interactive workshop will help participants understand how to attack this problem and create a risk-based approach to managing the security of an existing application portfolio using tools like the OWASP ASVS model. The session will decompose an example application to determine how to conduct a bottom-up risk profile for future risk comparison against other applications. The audience will also participate in an exercise comparing different applications to better understand the ranking process. The audience will leave with a framework, action plan and basic understanding of the risk-ranking process that they can immediately apply to their work environment.

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
4,766
On SlideShare
0
From Embeds
0
Number of Embeds
63
Actions
Shares
0
Downloads
18
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Skeletons in the Closet: Securing Inherited Applications

  1. 1. Skeletons in the Closet Securing Inherited Applications Dan Cornell© Copyright 2011 Denim Group - All Rights Reserved
  2. 2. Overview for Today’s Session • The Problem • Information Gathering • Application Scoring • Risk Rank & Tradeoff Analysis • Discussion • Conclusion, Next Steps, and Q&A© Copyright 2011 Denim Group - All Rights Reserved 1
  3. 3. Some Key Questions for Today’s Session • Where do you start? • What applications represent the biggest risk? • What attributes make applications more or less risky? • What are the most cost-effective way to manage the risk of inherited applications? • What approaches might work for your organization?© Copyright 2011 Denim Group - All Rights Reserved 2
  4. 4. Key Goals for Today’s Session • Understand risk-based options for managing the security of inherited applications • Develop a framework for ranking risks with specific applications • Understand some of the decision-making factors that come into play when risk-ranking applications • Apply one tactic from what you learn today next week at your organization© Copyright 2011 Denim Group - All Rights Reserved 3
  5. 5. Personal Background • 13-years information software development and security • Works with CIOs and CSOs to build successful software security initiatives • Educates both developers and non-developer security professionals how to build secure applications and manage application risk© Copyright 2011 Denim Group - All Rights Reserved 4
  6. 6. What you Don’t know CAN Hurt You • Passion: Get security professionals to ask a better set of questions • Today’s presentation focuses on helping you increase your IQ in the arena of software portfolio risk© Copyright 2011 Denim Group - All Rights Reserved 5
  7. 7. Denim Group Background – Professional services firm that builds & secures enterprise applications – Secure development services: • Secure .NET and Java application development • Post-assessment remediation • Secure web services – Application security services include: • External application assessments • Code reviews • Software development lifecycle development (SDLC) consulting • Classroom and e-Learning instruction for developers© Copyright 2011 Denim Group - All Rights Reserved 6
  8. 8. Denim Group Background “CSRF Explained” http://threadstrong.com/courses-csrf-explained.html© Copyright 2011 Denim Group - All Rights Reserved 7
  9. 9. Background – the Current State of Affairs • Creating meaningful enterprise-wide software security initiatives is hard • The vast majority of info regarding software security focuses on writing more secure code or SDLC process improvement • Most organizations have hundreds or thousands of legacy applications that work! – They represent money already spent – ROI? – They are viewed “part of the plumbing” by management – The code base can be millions of lines of code • Focus on web applications – Other software risks must be taken into consideration • Web services, Saas, certain desktop applications© Copyright 2011 Denim Group - All Rights Reserved 8
  10. 10. Key Facts • 66% have adopted a risk-based approach to remediation of application vulnerabilities • 71% have an executive or team with primary ownership and accountability for application security • 66% have defined communications channels between security, operations, and development teams – Source: “Securing Your Applications: Three Ways to Play,” Aberdeen Group, August 2010© Copyright 2011 Denim Group - All Rights Reserved 9
  11. 11. Step 1 – Information Gathering • Build a Portfolio of Applications • Collect Background Information – Development Details – Vendor (if any) – Audience – Hosting Details • Assess the Data – Type (CCs, PII, ePHI, etc) – Compliance Requirements© Copyright 2011 Denim Group - All Rights Reserved 10
  12. 12. Step 1 – Information Gathering • Build a Portfolio of Applications • Collect Background Information – Development Details – Vendor (if any) – Audience – Hosting Details • Assess the Data – Type (CCs, PII, ePHI, etc) – Compliance Requirements© Copyright 2011 Denim Group - All Rights Reserved 11
  13. 13. Step 1 – Information Gathering (Continued) • Determine the Scale – Lines of Code – Dynamic Pages – Concurrent Users – User Roles • Assess the Underlying Technology – Infrastructure (OS, hardware, etc) – Platform (.NET, Java, PHP, etc) – Versions • Assess the Security State – Assessment Activity (type, date, etc) – Vulnerabilities (high, medium, low) – Protection (IDS/IPS, WAF)© Copyright 2011 Denim Group - All Rights Reserved 12
  14. 14. Step 2 – Application Scoring • Business Importance Risk – Business Function (customer interface, internal but public-facing, departmental use only) – Access Scope (external, internal) – Data Sensitivity (customer data, company confidential, public) – Availability Impact (serious, minor, minimal, or no reputation damage)© Copyright 2011 Denim Group - All Rights Reserved 13
  15. 15. Step 2 – Application Scoring (Continued) • Technology Risk – Authentication (methods, enforcement) – Data Classification (formal approach or not) – Input / Output Validation (structured or not) – Authorization Controls (resource checks in place or not) – Security Requirements (explicitly documented or not) – Sensitive Data Handling (controls in place like encryption or not) – User Identity Management (procedures in place for account creation, access provisioning, and change control or not) – Infrastructure Architecture (network segmentation, patching)© Copyright 2011 Denim Group - All Rights Reserved 14
  16. 16. Step 2 – Application Scoring (Continued) • Assessment Risk – Technical Assessment (assessment activity, vulnerabilities still present) – Regulatory Exposure (unknown, subject to regulation) – Third-Party Risks (outsourced development, SaaS hosting, etc)© Copyright 2011 Denim Group - All Rights Reserved 15
  17. 17. Example Application Analysis • Patient portal for hospital system • Connects to back-end Electronic Medical Record system • Microsoft.NET 3.5 framework • Currently functionality being enhanced by internal development team • Contains Electronic Patient (EPI) Data • Audited once for PCI compliance in 2007 • Scanned by outside 3rd party for application security vulnerabilities in 2009© Copyright 2011 Denim Group - All Rights Reserved 16
  18. 18. Application Comparisons Application #1 • Publicly accessible staff scheduling application • 1 million lines of code • Written in classic ASP by an outsourced company that is no longer under contract • <$1M year sales goes through the application in a $5B company • No mitigating security technologies in place • Still processes orders efficiently; supported by application maintenance group© Copyright 2011 Denim Group - All Rights Reserved 17
  19. 19. Application Comparisons Application #2 • External company website with limited functionality • Site build it in Microsoft SharePoint 2007 technologies • Custom web parts provide some interactivity • Site actively managed by corporate marketing team • Not in scope for past outside security audit given marketing responsibility© Copyright 2011 Denim Group - All Rights Reserved 18
  20. 20. Application Comparisons Application #3 • J2EE-based corporate E-commerce site • 500K lines of code • Lots of revenue ($$$) for the company • Regular security audits and scans by 3rd parties • Web services to various internal applications© Copyright 2011 Denim Group - All Rights Reserved 19
  21. 21. Application Comparisons Application #4 • 3rd-party software-as-a-service (SaaS) CRM platform • Sensitive client data includes in database • Functionality allows sales people to export data • Managed by VP of Sales • Software application “in the cloud”© Copyright 2011 Denim Group - All Rights Reserved 20
  22. 22. Results Comparison • Let’s analyze our results • Apply quantitative decision-making analysis concepts – Want to understand what level of effort addresses the highest amount of risk • Tradeoff analysis© Copyright 2011 Denim Group - All Rights Reserved 21
  23. 23. So where do you go from here?© Copyright 2011 Denim Group - All Rights Reserved 22
  24. 24. Potential Follow-up Options • End of Life • Remediate • Potential Testing Approaches – Tailoring to Documented Risk – Work identified list from top to bottom • Application Security Verification Standard – Levels of application-level security verification that increase in breadth and depth as one moves up the levels – Verification requirements that prescribe a unique white-list approach for security controls – Reporting requirements that ensure reports are sufficiently detailed to make verification repeatable, and to determine if the verification was accurate and complete.© Copyright 2011 Denim Group - All Rights Reserved 23
  25. 25. What you can do now! • Collect or scrub your initial application inventory • Develop relationships w/ 3rd parties who can help you through the identification process • Find a peer that is conducting the same risk ranking • Exhaust Open Web Application Security Project (OWASP) resources! • Familiarize yourself with OWASP OpenSAMM© Copyright 2011 Denim Group - All Rights Reserved 24
  26. 26. Conclusion • Managing the security of inherited applications can present the most severe headaches for someone building a software security program • A risk-based approach is really the only economically feasible approach given the size/complexity of the problem • Understanding certain attributes of inherited applications is critical to applying a risk-based management approach© Copyright 2011 Denim Group - All Rights Reserved 25
  27. 27. Resources • “Web Application Security Portfolios, ISSA Journal, May 2009, Coblentz, Nick. • Open Web Application Security Project Open Software Assurance Maturity Model, www.owasp.org • Open Web Application Security Project Application Security Verification Standard, www.owasp.org • “How-to-Guide for Software Security Vulnerability Remediation,” Dan Cornell, Denim Group, October 2010 • Cloud Security Alliance • “Securing your Applications,” Aberdeen Group, Brink, Derek, August 2010© Copyright 2011 Denim Group - All Rights Reserved 26
  28. 28. Contact Dan Cornell dan@denimgroup.com (210) 572-4400 www.denimgroup.com blog.denimgroup.com Twitter: @danielcornell© Copyright 2011 Denim Group - All Rights Reserved 27

×