Isaca app sec presentation - v3

5 Major Application Risks
To Secure and Audit
PRESENTED BY:
KYLE LAI
PRESIDENT & CISO
KLC CONSULTING
7/21/2017
KLC CONSULTING PUBLIC INFORMATION

KLC CONSULTING PUBLIC INFORMATION 2
About Me
Kyle Lai
• Certified Security Professional (CISSP, CSSLP, CISA, CIPP/US, CIPP/G, ISO 27001 LA)
• 25+ years in IT | 20 years in Information Security (Pentest, Third-party Risk, Compliance, Engineering…)
• Experience in DoD, Financial, Energy, Healthcare, High Tech, Consulting…
• Have consulted at Microsoft, PwC, Boeing, HP, Fidelity Investment, Akamai, Cathay Pacific Airlines, Leading Oil & Gas firm
• Currently - Security Advisory Consultant for a large global oil & energy company
• Former CISO of Pactera, a Global 100 IT Consulting firm, A Blackstone / HNA Company
• Former CISO of Brandeis University – Heller School
• Author of SMAC MAC Address Changer Tool – Over 2.5 million users worldwide
• Run 3 LinkedIn Groups (i.e. Cybersecurity Community)
LinkedIn: https://www.linkedin.com/in/kylelai Twitter: @KyleOnCyber

Most Devices Are Application Driven

Agenda
• Why Talk About Application Security?
• What is Application Security?
• Risk 1: Incomplete Application Asset Inventory
• Risk 2: Lack of Secure Coding Practice (Training)
• Risk 3: Security Threat Modeling / Requirements
• Risk 4: Insufficient Security Testing
• Risk 5: Lack of Application Supply Chain Management
• Q&A

Recent Headlines
Source: Verizon Data Breach Investigation Report 2016, 2017
WannaCry

Application Development Trend: DevOps
More Frequent Application Releases
More Automation in Continuous Integration /
Continuous Delivery (CI/CD)
Reduce unplanned work through automation

Why Talk About Application Security?
Source: Verizon Data Breach Investigation Report 2016, 2017
… 60% of breaches involved web applications
either as asset effected, and/or a vector to
the affected asset.
It is quite possible, and actually common,
for a breach to feature a web application
as the vector and the asset affected.
2016
2017
33% Jump on Web
App Related Attack in
1 year!

What is Application Security?
Application security, or “AppSec,” is security
measures to
• protect its critical data from internal and
external threats by ensuring the security of all
of the software used to run the business,
whether built internally, bought or
downloaded.
• help identify, fix and prevent security
vulnerabilities in any kind of software
application.
Image Source: Veracode

Enterprise Application Security
1% of Security Budget Focuses
on Application Security
Gartner describes applications and
security with the analogy of a crown jewel in
a treasure chest:
• The sensitive data is the crown jewel
• The applications are the treasure chest
Note: Applications include more than just Web Applications.
IT Budget Devoted to Securing Applications

Risk 1: Incomplete Application Asset Inventory
• You cannot protect an application which is not accounted for, or have inaccurate info.
• Input and output of an application may come from other applications… Usually not tracked...
• Owner of the application is usually not accurately documented due to personnel movement...
• Some of the following might be missing in the asset inventory:
• Type of application: custom developed, Commercial Off The Shelf (COTS), or open source software?
• Is it a key components of other applications? (i.e. Oracle Database, SAP, SQL Server)
• Is it internal use only, external use only, and both?
• Is it used on servers, desktops, mobile, infrastructure, etc.?
• Owner name
• What type of data is collected / handled / processed?
• Any PII, PHI, Privacy Information?
• What is the data classification - highly confidential, confidential, internal, public, etc.…?

Risk 1: Recommendation
• Automated scan for new web applications discovery
• Establish and continuously update application asset inventory via tools
• Update ownership information as owner changes
• Define list of information to be gathered for each application (might use for app
risk evaluation as well) , such as:
• Custom developed, COTS, Open-Source
• Data classification
• Number of users
• Internal, external (Internet), both
• Mobile
• Technology stack (if developed internally)
• Relationship with other applications

Risk 2: Lack of Secure Coding Practice (Training)
Source: Sonatype DevSecOps Community Survey 2017

Risk 2: Lack of Secure Coding Practice (Training) cont.
• Developers do not have adequate training on secure
coding practices
• Developers are not familiar with the OWASP Top 10
vulnerabilities
• Developers not familiar with secure coding practice in new
environment or for new technologies, i.e. Cloud based platforms
• Companies limit the budget for secure coding training
• Developers want to do a good job but not
empowered to do so
• Fixing code during/post production costs 100 times
more than fixing code during the design phase (Risk)
• DevOps Movement – Automation with Increased app
release frequency, making secure coding practice and
app security training more critical

Risk 2: Recommendations
• Continue to train the developers on Secure Coding Practice (in class or CBT)
• Existing development languages and platforms
• New development languages, platform, technologies, i.e. Cloud specific security features
• Ensure developers understand the OWASP Top 10 vulnerabilities, and how
to code properly to avoid them
• OWASP Top 10 Web Application Vulnerabilities
• OWASP Top 10 Mobile Application Vulnerabilities
• OWASP Top 10 IoT Vulnerabilities
• Provide security tools (i.e. Interactive Application Security Testing (IAST)
tool) to your developers; enable them to check and fix their code security
issues during the development phase.

OWASP Top 10 Web App Vulnerabilities

OWASP Top 10 Mobile App Vulnerabilities

OWASP Top 10 IoT Vulnerabilities

Risk 3: Security Threat Modeling / Requirements
• What are the safety code requirements to build a car? (Defined)
• What are the safety code requirements to build a house? (Defined)
• What are security coding requirements to build an application???
OR

Risk 3: Security Threat Modeling / Requirements
• Industry has no common security
requirements
• Many developers are not doing security
threat modeling –
• Data Flow Diagram Analysis – Where can data be
stolen and system be hacked?
• Protocol communication between systems – Can
someone tamper with the my communications?
• Possible threats in the processes –
• What are the different security boundaries during
data flow?

• Invest the time to do
Threat Modeling
• Develop security
requirements to
reduce threats
• Developer friendly
threat modeling tools:
SD Element, Irius Risk
• Microsoft offers free
Threat Modeling Tool
(A bit more technical)

An Example of SD Element (Commercial Tool)

An Example of Microsoft Threat Modeling Tool 2016

Risk 4: Insufficient Security Testing
• Many companies do not perform enough application security
• Static Code Analysis (SAST) – Scan your source code
• Dynamic Analysis (DAST) – Scan your web application
• Interactive Testing (IAST) – Developers to test code interactively in
the development environment
• Runtime App Self-Protection (RASP) - Intercept and scan app request traffic
• Mobile App Security Testing – Test mobile application binary, API, and
back-end server interaction

• Invest in experienced security professional
• Invest in application security testing tools
• If funding is very limited, invest in either IAST or DAST to start with, to get the most value
• Expand the toolset as the application security program matures
Sorry, This One Is Not Cheap…

Risk 5: Lack of Application Supply Chain Management
A recent survey 2,292 IT
professionals found that 80 - 90%
of an application now consists of
component parts.
386 applications found similar
results with 82% of the
applications built from open
source components.
Source: 2017 State of The Software Supply Chain by Sonatype

Source: Sonatype DevSecOps Community Survey 2017
• Companies are using open source components but only 6 out of 10
organizations have an open source governance policy in place
• Increasing use of open source / third-party components makes tracking of
bill of materials difficult!
• If there’s a new vulnerability found in an open source or third-party
component, would you know if any of your application is impacted?

Source: 2017 State of The Software Supply Chain by Sonatype

• Establish an authorized list of open source components
• Make sure to establish an asset management process for open source
• Establish an Open Source policy (if not done already) -
• Evaluate needs and benefits
• Ensure no equivalent software already been deployed in-house
• Verify there is an active user community supporting the application.
• Perform quality and security testing and validation
• Defined quick approval process
• If budget allowed, investigate into tools to manage open source components (i.e.
Free: OWASP Dependency Checker; Commercial: Black Duck, Sonatype)

Note: How Mature is Your Application Security Program
• Building Security In Maturity Model (BSIMM)
• Measure maturity of Software Security Initiatives
• http://www.bsimm.com
• Free tool to assess yourself
Source: Sonatype

Q&A
Source: Sonatype
Kyle Lai
CISO
KLC Consulting
Klai [@] klcconsulting.net
@KyleOnCyber
https://www.Linkedin.com/in/kylelai
Thank you!

Isaca app sec presentation - v3

Recommended

Recommended

More Related Content

What's hot

What's hot (17)

Similar to Isaca app sec presentation - v3

Similar to Isaca app sec presentation - v3 (20)

More from Kyle Lai

More from Kyle Lai (7)

Recently uploaded

Recently uploaded (20)

Isaca app sec presentation - v3