1
www.iansresearch.com
©2014 IANS
Application Security:
Making It Work
Diana Kelley
2
Session Overview
• Overview of the Challenge
• Further Investigation of the Challenge
• Options for Addressing the Challenge
• Plan of Action
• External Resources
• Implementation and Next Steps
3
Overview - Questions
• Why does application security receive short shrift from many executives?
• How do you justify and allocate funds?
• How do you ensure the investment is being used effectively?
• How do you measure the program?
• What can you do to address these issues?
4
Why Application Security Matters
http://money.cnn.com/2014/01/15/technology/security/starbucks-app-passwords/
http://www.businessinsider.com/hackers-use-a-refridgerator-to-attack-businesses-2014-1
http://www.pcworld.com/article/170457/getting_serious_about_sql_injection_and_the_tjx_hacker.html
5
Impact on the Business
• Hard dollar costs - Do you have a spare $256 million?
• Legal and regulatory - Do you have the time and resources to battle lawsuits and the FTC?
• Brand reputation - Can you afford to lose customer trust?
6
Benefits of Application Security
• Cost savings
  • Legal
  • Report and response
  • Breach notification
• Readiness
  • Compliance and regulations
  • Faster deployment
• Customer trust
  • Privacy protection
  • Trusted Technology Provider Framework (Open Group)
7
Further Investigation - Sizing
“SQL injection (SQLi) remains the most common breach paradigm”*
Images and *content source: IBM X-Force 2013 Mid-Year Trend and Risk Report, September 2013
8
Further Investigation - Sizing
Overall window of exposure to serious* vulnerabilities (2012) - latest available data
Source: WhiteHat Security, Website Security Statistics Report, https://www.whitehatsec.com/assets/WPstatsReport_052013.pdf
9
Further Investigation - Sizing
Image source: https://www.appthority.com/resources/app-reputation-report
App Reputation Report Highlights
• Overall, 83% of the most popular apps are associated with security risks and privacy issues.
• iOS apps exhibited more risky behaviors than Android apps overall.
• 91% of iOS apps exhibit at least one risky behavior, as compared to 80% of Android apps. 95% of the top free apps and 78% of the top paid apps exhibited at least one risky behavior.
10
Further Investigation – Trends
• Development time is accelerating
  • DevOps Revolution
Image source: http://dev2ops.org/2010/02/what-is-devops/
11
Further Investigation - Trends
• Componentized development
  • Applications are up to 90% open source components
12
Further Investigation – Trends
• Mobile
  • More platforms, faster release cycles, shift to client
Image source: http://www.appcelerator.com.s3.amazonaws.com/pdf/q4-2013-devsurvey.pdf
13
Further Investigation - Trends
• Internet of Things (IoT)
  • Remote access
  • IP enablement
http://www.forbes.com/sites/andygreenberg/2014/02/05/this-iphone-sized-device-can-hack-a-car-researchers-plan-to-demonstrate/
14
Options for Addressing the Challenge
• Do nothing
• Do some testing
• Testing and mitigation
• Build security into the SDLC
15
Plan of Action – Do Nothing
• Examples
  • Just don’t do anything
  • It’s too hard
• Pros
  • It’s easy!
  • And unfortunately – fairly common
• Cons
  • Lost data
  • Legal and compliance issues
  • Brand reputation
  • For health, automotive and CI – possible loss of life
16
Plan of Action – Do Some Testing
• Examples
  • Hire a pen-tester to dynamically test applications in production
• Pros
  • Relatively easy to get started
  • Minimal impact on development process
• Cons
  • Exposure
  • Cost to fix
  • Lack of collaboration/improvement
17
Plan of Action – Testing and Mitigation
• Examples
  • Perform dynamic testing
  • Use Web application firewalls (WAF) or other app-layer protections
  • Test only new, highly sensitive/critical apps
• Pros
  • Multi-layered approach
  • Less time-consuming than testing the full portfolio
• Cons
  • Blind spots
  • False sense of security
  • Lack of collaboration/improvement
18
Plan of Action – Build Security In
• Examples
  • Mature security program from requirements to production
  • Integrated approach - Dev to Ops
  • Risk management directs testing/remediation activity
  • Quantitative analysis of program success
• Pros
  • High level of application security assurance
  • Fosters collaboration and continuous improvement
  • Lays groundwork for the future
• Cons
  • Resources for tools, training and program management
  • Culture challenges
19
External Resources – Vendor Guidance
Image source: http://www.drdobbs.com/the-7-touchpoints-of-secure-software/184415391
http://bsimm.com
http://www.microsoft.com/security/sdl/default.aspx
20
External Resources - OWASP
• More than just the Top 10!
https://www.owasp.org/index.php/OWASP_Project_Inventory#Flagship_Projects
21
External Resources – CWE/SANS Top 25
http://cwe.mitre.org/top25/
22
External Resources – CERT and Open Group
http://www.opengroup.org/getinvolved/forums/trusted
https://www.securecoding.cert.org/confluence/display/seccode/CERT+Coding+Standards
23
Implementation – 3 Gotchas
• Trying to boil the ocean!
• Geeking out
• Getting combative
24
Implementation – 3 Lessons Learned
• Cultivate champions
• Track success
• The right picture’s worth a thousand words
Image source: http://blog.denimgroup.com/denim_group/2013/06/threadfix-12-rc1-now-available.html
25
Next Steps – Top 3 Takeaways
1. Securing applications is a business imperative
2. There are excellent guides, resources and tools to help you build/mature your program
3. Get started building/maturing your program now so you will be ready for tomorrow
26
Questions? dkelley@iansresearch.com