Today every organization takes care to secure its IT infrastructure with
firewalls, intrusion prevention systems (IPS) and similar controls, making direct
network attacks hard for perpetrators. Attackers know this too, which is why they
keep looking for new ways in. The soft spot turns out to be application
vulnerabilities. Organizations are slowly realizing that while their network,
operating systems and the standard applications that ship with the OS are
adequately secured, their third-party application infrastructure remains
vulnerable to attack and therefore needs to be secured as well. This is easier
said than done: application security is a comparatively newer domain than
infrastructure security, and it takes time to grasp.
The focus is therefore shifting to application security and its testing, and
companies are looking for ways to secure the applications their business depends
on. What makes matters harder is that most applications are now Internet-facing,
which has made the threats against them both more sophisticated and more
widespread.
As applications grow bigger and more complex, the coding skills needed to ensure
their integrity have, ironically, not evolved at the same pace. No one knows
whose application will be the next target, so it is becoming increasingly
important for every company to focus on improving application security. Each
application author needs to ensure that a vulnerability in their code is not the
one exploited in an attack.
According to various research reports, application and software vulnerabilities
account for roughly 75% of security exposures. An attacker will always look for
the easiest place to attack, that is, the weakest link, and since application
vulnerabilities are the most common, it is natural that attackers target them.
Application developers have traditionally focused on functionality, performance
and similar parameters because that is what their customers and users have
always demanded. Attention to the security of the application has been
considerably lower, because nobody specifically asked for it. Most investments
are made to 'get' something; investments in security are made so that we 'don't
get' something, namely compromised or exposed. That makes them extremely
difficult to quantify and justify.
Developing security standards
A standard is what emerges when a way of doing things gains large-scale
acceptance, so the seed of every standard is a best practice. Organizations need
not wait for a formal standard: they can start by adopting best practices such as
secure coding guidelines, developer training in secure coding principles,
application risk assessments and security testing.
Security standards establish a common baseline for secure application
development and testing across organizations and industries, which raises the
bar for attackers. They should be set up so that they are applied consistently
and measurably across organizations. Each organization then needs to fine-tune
the standards for its own applications based on its customer base and the data
it manages.
Organizations should follow a few steps. First, set up a core security team that
can define a suitable security architecture and benchmark it against the
industry. Next, assess current security practices, conduct a gap analysis and
identify the security processes for the Secure Software Development Lifecycle
(SSDL). Then train the identified development teams and follow through with
hand-holding throughout the SSDL. Finally, facilitate the rollout and
stabilization of the process across the organization.
There are several standards or schools of thought, the most notable being
ISO/IEC 27001 for information security management. Unfortunately, there is
currently no comparable standard for application security testing, though doing
most of the above is a good start. What applies depends on what the person or
organization wants to secure in the first place: list the needs and objectives,
then go through a risk management exercise, first internally and then with a
qualified consultant.
A security standard is, at the end of the day, only a reference guide. It should
not give its users a false sense of comfort.
Building a security team
Building a security team today is a challenge because many organizations seem to
have a 'mental block' about prioritizing the budget and management authority
needed to make it happen. They have yet to fully appreciate the importance of
security, which is still perceived as a cost and an inconvenience on the side.
That perception is largely why there is now a plethora of compliance and
regulatory policies: they mandate what organizations would not fund voluntarily.
Perhaps the biggest challenge in building a security team is the lack of suitably
qualified and experienced personnel. IT security is a fairly new industry, and
the shortage of QA professionals with security testing expertise is a real
problem. Until recently there were no CISOs or CSOs, compliance officers or IT
auditors. To meet this shortage of professional and technical manpower,
universities and schools in many countries have started courses, degrees and
diplomas focused on IT security.
Pull quotes:
Anthony Lim, Director, Asia Pacific Security BU: "Organizations seem to have 'a mental block' while ..."
Sridhar Jayanthi, Sr VP Engineering, Managing ...: "Security standards should be set up in a way that they ..."
The challenges range from getting priority within the company to finding
talent. The team is always chasing a moving target, and the whole process
involves a steep learning curve and considerable expertise to understand the
dynamics of security. Getting support from management and showing a return on
investment (RoI) for secure development processes is perhaps the greatest
challenge in this field. Guidelines that distinguish a security bug from a
functional defect are also very hard to write.
Challenges in building a smart tool
Given the increasing sophistication of attacks, a good start would be for
developers to treat 'security' as a key design parameter or requirement when
creating applications. How much security to build in should be derived from the
risk the application faces, given how it is used and where it is deployed. One
cannot expect developers to think only of security, because in the end
applications are built to aid the business, not to hinder it. The key is to
build in the right amount of security from the inception of the application and
across the software development lifecycle, keeping an open mind about how the
application might be misused as well as used. Building a security tool is itself
a challenge, given the diversity of software applications and systems: no single
tool can address all phases of the development lifecycle or all potential
threats to applications.
Another point to remember is that a security tool is also software, so all the
rules of software security apply to the tool as well; in fact the tool itself
should be held to a higher bar. The big challenge for security tools is
automation. The attacker is a human with all the time in the world, able to
think differently and step outside any fixed 'algorithm', so a protection
mechanism that tries to defend against such an adaptive attacker finds it
difficult to handle the variations. A good security posture is therefore a
combination of tooling (automation) and expertise (people).
A smart security tool would be one that enforces the processes and workflow of
the Secure Development Lifecycle. It should centralize the management and
execution of the various stages of the SSDL, and each company should be able to
adapt it to its own requirements and processes. Once deployed, the whole thing
should be transparent to the end user.
Setting up standards
Some of the challenges are the ever-changing face of IT security, finding
knowledgeable people, training employees, being able to show the company an RoI
on the investment required for a stable, robust and sustainable secure
development process, and of course the constant pressure of lack of time. In
many ways the business case resembles that for buying insurance: the RoI is not
clear until there is a security violation. Standards also need to be tailored to
each organization with its customers' demands in mind.
The first challenge is finding a standard the company can learn, understand and
finally implement. Secondly, the company has to decide what it wants to secure,
which staff and departments are involved and who will own and manage the
initiative, and ideally hire a consultant to advise, or seek out peers'
experiences.
Developers vs Testers
There are several differences in skills and experience, but an important aspect
here is 'psychology', the difference in thinking. The developer is a 'builder'
or 'creator'. He wants to build something useful for good users, so his focus is
on features, performance and so on. Adding security controls degrades the
experience of those good users, so he does not like them. Developers are also
proud of what they have built and tend to get defensive when mistakes are
pointed out, trying to show that the mistake is not there rather than fixing it.
The security tester's job is to find mistakes. Testers are more concerned with
how the bad guys would attack the system than with how the good guys would use
it. To them, five locks on a door is good security because it helps stop the bad
guys; in fact they would be unhappy to find all the locks are of the same type,
and would insist on different types so that it is harder for an attacker to pick
or crack them all. Testers in turn tend to overlook the practical difficulties
of building security controls. All of this leads to conflict between developers
and testers, which in turn leads to insecure applications. A balanced approach
is required, and both teams need to work together to secure all the applications
that need it.
Though there is no 100% solution for application security, everyone should still
look at the efficiency and effectiveness of security testing, since it is cost
effective and raises customer satisfaction.