E-Guide

BEST PRACTICES FOR WEB APPLICATION SECURITY

SearchSecurity

Contents
Tackling Web application security through secure software development
How to review your Web application security assessment tools, strategy

The threat landscape and the increase in Web app attacks have forced security teams to tackle Web app security through secure software development. This expert eGuide offers pointers for using Web application security assessment tools and developing an application security assessment strategy.

Page 2 of 17

SPONSORED BY

TACKLING WEB APPLICATION SECURITY THROUGH SECURE SOFTWARE DEVELOPMENT

Dan Cornell

The importance of information security has permeated many enterprises to varying degrees, yet software security—and in particular Web-based software development—remains a vexing challenge for chief information security officers. It’s a great understatement to say that Web development teams have not traditionally been focused on security. Their incentives, and consequently their priorities, have been tied to implementing new features and meeting deadlines. Many development teams aren’t even aware that what they do affects security; instead they view security as a job handled not by developers, but by products such as firewalls and antimalware systems.

However, the changing threat landscape and increasing frequency of Web application attacks have forced security-focused organizations to address Web application security through secure software development. The simple truth is that security measures that are “bolted on” after the software development process is complete have proven to be powerless in countering Web application attacks. For instance, firewalls only control the traffic allowed to pass over networks, but Web applications must be exposed outside the firewall in order to be accessed by legitimate users. Antimalware is similarly ineffective; it only looks for malicious code, not problems with legitimate applications. Attackers have come to learn that nearly all Web applications can be exploited via the mistakes developers made when building them. Using any one of a long list of common Web application vulnerabilities, an attacker can make the software misbehave in any number of ways, including granting access to unauthorized data.

For CISOs, countering Web application attacks through secure software development is often a daunting proposition. While the scope of many CISOs is growing and often includes C-level access and influence, in few cases does that reach extend into the software development organization. Effecting a fairly significant set of changes to the way in which applications are developed requires not only evangelism to make the case for secure development, but also pragmatism in providing effective tools and training. Security managers must seize the opportunity to position themselves as trusted resources to foster secure software development within their organizations.

EVANGELIZING THE NEED FOR SECURE WEB DEVELOPMENT

In order to take on this role, security managers must be able to work hand-in-hand with development teams. However, developers can be wary of outsiders attempting to impose standards and behavior on them. To enable security teams to have a positive impact on software security in their organizations, it is critical that the security professionals build and maintain credibility with developers.

The problem is that most information security professionals do not come from a strong development background—especially backgrounds in modern Web application development environments. This makes it challenging for them to communicate effectively with the development team. For that reason, security professionals shouldn’t be afraid to say “I don’t know” when discussing highly technical issues, yet they can’t let developers brush them off or obfuscate important issues with technical mumbo-jumbo. Evangelism is, therefore, a balancing act.

Security professionals can improve their credibility with developers by providing information on real-world threats and security-related business demands that is customized for the organization’s and development team’s needs. Companies fall under a variety of regulatory and compliance requirements, ranging from the Payment Card Industry Data Security Standard (PCI DSS) for those accepting credit card transactions and the Health Insurance Portability and Accountability Act (HIPAA) for those dealing with personal medical information to the various customer data breach notification laws. Providing the developers with data that demonstrates the negative impact on organizations that have suffered a breach or compliance failure gives valuable context that enables the developers to understand the importance of incorporating security into their development process.

There are a number of sources available that provide this kind of detail. For example, vendors WhiteHat Security and Veracode report on their application testing efforts and the prevalence and longevity of different classes of software vulnerabilities. In addition, the annual Verizon Data Breach Investigations Report (DBIR) describes the types of attacks being used in actual breaches. Security teams that curate and distribute this information internally can help the development team focus on the most relevant and critical security concerns.

PROVIDING SECURITY TOOLS AND TRAINING

Security pros must understand the tools used by the development team in order to better integrate security into their work flow. Security tools are a valuable component of any software assurance program, and security professionals can support development teams by understanding how developers use their tools while looking for ways to augment and tune those toolsets.

In addition, when putting security tools such as automated security code analysis tools or dynamic Web security scanners into developers’ hands, security teams must remember that these tools need to be configured and tweaked, and that the Web developers will use these types of tools differently than the security team would. These tools can be a great help in identifying common—and dangerous—Web application flaws like cross-site scripting (XSS) and SQL injection, but can overwhelm development teams with information that lacks relevance and can be hard to understand. For example, default rule sets and reporting are geared toward penetration testers and other security professionals. Before exposing the developers to these tools, security teams need to ensure the rules being used focus on high-impact vulnerabilities with signatures that have a low likelihood of false positives. Failing to tune the security testing tools in this way can result in output that the developers find overwhelming, irrelevant and even detrimental, forcing them to waste time chasing after false positives. Also, each tool’s reporting capabilities need to be modified to include information that helps the development team locate vulnerabilities in software code, as well as specific remediation recommendations that make those reports more actionable.

Some Web developers will be more comfortable with source code security scanners because they show the specific lines of code responsible for the bad application behavior. Other Web developers might be more comfortable with dynamic Web application scanners because they offer working example payloads showing how a vulnerability might be exploited. Security professionals need to get a feel for how their Web development teams work and tailor tool recommendations accordingly.

The objective of putting new tools in developers’ hands should be to transition vulnerabilities into software defects. Vulnerability data might be of some interest to developers, but typically what they really care about are the software features and defects they need to address to alleviate security concerns. This may seem like a subtle difference, but it is an important one because it reflects the way that developers plan and manage their workloads, and it can highlight the lack of understanding that many security teams have about the internal operations of development teams.
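The tuning described above (keep only high-impact, high-confidence rule classes; drop the rest; report each finding with a file and line plus a concrete fix, shaped as a defect rather than a raw vulnerability) can be expressed as a small triage step between the scanner and the developers. The script below is an added example written for this guide, not code from the article or from any scanner vendor. The finding format, rule names, severity and confidence labels, remediation texts and the tracker field names are all constructed assumptions; a real tool's export (SARIF, CSV, XML) would be mapped into the same input shape.

```python
"""Triage raw static-analysis findings into developer-actionable defect records.

Added example for this guide. The input format, rule identifiers, remediation
texts and tracker field names are constructed for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample of raw scanner output, the kind of mix a default ruleset emits.
RAW_FINDINGS = [
    {"rule": "sql-injection", "severity": "high", "confidence": "high",
     "file": "app/orders.py", "line": 42, "snippet": "cursor.execute(q % user_id)"},
    {"rule": "xss-reflected", "severity": "high", "confidence": "medium",
     "file": "app/views.py", "line": 17, "snippet": "return '<p>' + name + '</p>'"},
    {"rule": "xss-reflected", "severity": "high", "confidence": "low",
     "file": "app/templates.py", "line": 3, "snippet": "render(t, ctx)"},
    {"rule": "unused-import", "severity": "low", "confidence": "high",
     "file": "app/util.py", "line": 1, "snippet": "import os"},
    {"rule": "debug-logging", "severity": "medium", "confidence": "high",
     "file": "app/settings.py", "line": 9, "snippet": "DEBUG = True"},
]

# Tuned policy: the rule classes that matter for this application's threat model,
# each with the remediation text developers should see. Rules absent here are dropped.
REMEDIATION = {
    "sql-injection": "Use parameterised queries; never interpolate user input into SQL.",
    "xss-reflected": "HTML-escape untrusted data at output (use the template engine's auto-escaping).",
    "debug-logging": "Disable DEBUG in production configuration.",
}
MIN_SEVERITY = "medium"
MIN_CONFIDENCE = "medium"
_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Defect:
    """A finding rewritten as something a developer can plan and fix."""
    title: str
    location: str
    snippet: str
    remediation: str
    severity: str


def triage(findings, remediation=REMEDIATION,
           min_severity=MIN_SEVERITY, min_confidence=MIN_CONFIDENCE):
    """Keep only relevant, high-impact, high-confidence findings, deduplicate them,
    and return them as Defect records ordered by severity."""
    defects = []
    seen = set()
    for f in findings:
        if f["rule"] not in remediation:           # class not in the threat model
            continue
        if _RANK[f["severity"]] < _RANK[min_severity]:
            continue
        if _RANK[f["confidence"]] < _RANK[min_confidence]:   # likely false positive
            continue
        key = (f["rule"], f["file"], f["line"])
        if key in seen:                            # same finding reported twice
            continue
        seen.add(key)
        defects.append(Defect(
            title=f"[{f['severity'].upper()}] {f['rule']} in {f['file']}",
            location=f"{f['file']}:{f['line']}",
            snippet=f["snippet"],
            remediation=remediation[f["rule"]],
            severity=f["severity"],
        ))
    defects.sort(key=lambda d: -_RANK[d.severity])
    return defects


def to_tracker_payload(defect):
    """Render a defect as a record for a defect tracker's API.
    The field names are an assumption, not any particular tracker's schema."""
    return {
        "summary": defect.title,
        "description": (f"Location: {defect.location}\n"
                        f"Code: {defect.snippet}\n"
                        f"Recommended fix: {defect.remediation}"),
        "labels": ["security", defect.severity],
    }


if __name__ == "__main__":
    for d in triage(RAW_FINDINGS):
        print(to_tracker_payload(d)["summary"], "->", d.remediation)
```

Run as written, the five raw findings collapse to three defects: the style-only rule is gone, the low-confidence XSS hit is held back for the security team rather than sent to developers, and each remaining record carries a file:line and a fix. Loosening `min_confidence` to "low" is the one-line change that shows how much noise the default settings would have produced.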

THE NEED FOR ONGOING COLLABORATION

Tools should also help facilitate communication between security pros and developers. When a security analyst emails a lengthy PDF report detailing found vulnerabilities to the development team, that can be perceived as a hostile or standoffish way to communicate. A more effective approach is to use the systems developers are already using, namely defect tracker tools, to demonstrate that they understand the software development process and want to work with development teams. Rather than simply emailing out impersonal reports, security professionals should use the results from security testing activities as an opportunity to sit down with development team leads to discuss the findings and begin the process of using vulnerability data from the report to identify Web application software defects. This collaborative approach to resolving vulnerabilities provides better opportunities for security teams to work hand-in-hand with Web development teams to address flaws in production Web applications, and mutually improve the security of future Web application deployments.

Security teams can also identify security champions within the development ranks to maintain lines of communication. These champions are developers who gain special recognition for their commitment to security by taking on additional security duties in the way of training, communication, or evangelism. There are a variety of reasons a developer might want to be recognized as a security champion: some may see it as an opportunity for career differentiation and professional development, while others might have a personal interest in software security. Regardless, this is a great way to scale the software security efforts beyond what the security team can manage alone. Seeding each development team with a programmer who serves as a go-to security resource facilitates the information flow from security teams to development teams. These security champions help developers implement and improve secure development processes, and can escalate complicated or important issues back to security teams. These ongoing personal relationships help both the security and development team members take a long-term view that is less focused on the results of a particular assessment or the status of a specific vulnerability, and more focused on the ongoing process of securing the organization’s software.

CONCLUSION

For a CISO to successfully facilitate Web application software security, developers cannot see security as a tax levied on them. Instead of being a roadblock to development team success, security teams need to make themselves a valuable resource for developers. Just as effective security professionals act as a risk management resource for managers and executives, they need to act as security enablers for development teams, helping them build secure Web applications with minimum hassle. Secure software does not happen overnight, but by taking a long-term, relationship-based view of the process, the security team can ensure a harmonious, team-focused effort, which ultimately will result in Web applications developed with far fewer security flaws.

HOW TO REVIEW YOUR WEB APPLICATION SECURITY ASSESSMENT TOOLS, STRATEGY

Cory Scott

Web application security assessments often fail to produce meaningful results, leaving enterprise security teams scratching their heads about what went wrong. Some are quick to blame the tools in use, others blame a lack of application security training and talent in the information security team, and in many cases the assessment is treated like a checklist item that is given little time, planning or forethought. Web application security assessments need to get close enough to the application to develop a threat model, look for common vulnerability patterns, and customize their approach based on an evaluation of the technologies rather than using a one-size-fits-all approach. In this tip, we’ll explore each of these points.

Does your Web application security assessment start by getting a grasp of the business purpose and justification for why the application exists in the first place? Unless you can clearly state what the application requirements and expectations for performance are, you can't begin to assess it for vulnerabilities. After all, what may seem like a broken function may actually be an intended feature; what appears to be sluggish performance may be perfectly normal. Don't let the application development team bury you in jargon or cryptic acronyms; if you don't know what something means, ask. Developers often forget that the Web application security assessment team is missing context that has already been established within their group. Get out the whiteboard and draw out the system as you understand it, and let them correct you or add that context.

Once you have a good understanding of the application, build a quick threat model. The following questions will help you to determine which vulnerabilities have meaningful effects on the application.

Who is likely to attempt to abuse this application? Anonymous users on the Internet? Your customers? Internal users?

Where is the trust boundary and what attack surface is exposed to untrusted or semi-trusted users?

What assets are worth protecting? Common assets include the integrity of the application's data, availability of the service, the confidentiality of user or company data, or the underlying operating system or network. Don't forget about client-side threats, where user sessions and browser integrity can be targeted.

What incidents have taken place in the past and what concerns keep the application team up at night?

What security requirements were important enough to be documented, and more importantly, what requirements were assumed or implied without being documented?

Web applications often share a set of "deadly features" that have a common and frequent pattern of vulnerabilities that usually are platform-independent. Things such as file download and upload, custom session management, authorization and access control, homegrown single sign-on, password storage and reset mechanisms, email functionality and search functionality often have critical flaws because of the subtle complexity required to implement them safely. Make sure you identify these potential problem areas when you assess an application, as they are likely to require careful attention.

An assessment approach should be customized to the situation at hand.

If the application is a third-party product where source code is not available, dynamic vulnerability analysis with tools may be the preferred approach, and if the application has a high-risk posture, manual penetration testing may be the logical next step. Where source is available, work hand-in-hand with the development team to use source code analysis tools to look for vulnerabilities. Don't just throw Web application security assessment tools over the wall and ask developers to run them. Get feedback on each tool's strengths, and invest time in learning how to set tools up effectively to get sufficient coverage. When you first start using static code analysis tools, quickly throw out classes of findings that are not relevant to your threat model or prone to false positives, to avoid fatigue.

When using dynamic analysis tools such as Web application vulnerability scanners, make sure the tool "understands" your application as much as possible, including where all the application endpoints are and what functionality exists. Too many people rely exclusively on a tool's capabilities to discover content and test it effectively without verifying that the most sensitive parts of the application are covered.

Manual penetration testing should be considered for high-risk applications, sometimes in conjunction with code review or dynamic analysis. Leverage your penetration testing resources to look for things that are difficult to automate, such as threats targeted at data leakage, authentication and authorization bypass, and cryptographic vulnerabilities.

When putting this approach together, realize that organizational change takes time. People that are used to steamrolling through the assessment process may be hesitant at first to dedicate the necessary time to produce a meaningful Web application security assessment. A step-wise approach that shows the value for time spent incrementally will often break down some of the defensive barriers.
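The coverage check the article asks for, verifying that a dynamic scanner actually reached the sensitive parts of the application instead of trusting its crawler, can be done from two artifacts most teams already have: the application's own route list (from the router or API spec), with the "deadly feature" endpoints marked as sensitive, and the server access log recorded while the scan ran. The script below is an added example written for this guide, not code from the article or from any scanner product. The route list, the log lines, the `ExampleScanner/1.0` user agent string and the `{id}` path-parameter syntax are all constructed assumptions.

```python
"""Check that a dynamic scanner reached the application's sensitive endpoints.

Added example for this guide. The route inventory, access-log lines and scanner
user agent below are constructed; real inputs would come from the application's
router or API specification and from the web server's access log.
"""
from __future__ import annotations

import re
from collections import Counter

# Constructed route inventory. Parameterised segments use {name} placeholders.
# 'sensitive' marks the high-risk feature areas that must not go unscanned.
ROUTES = [
    {"method": "GET",  "path": "/",                    "sensitive": False},
    {"method": "POST", "path": "/login",               "sensitive": True},
    {"method": "POST", "path": "/password/reset",      "sensitive": True},
    {"method": "POST", "path": "/files/upload",        "sensitive": True},
    {"method": "GET",  "path": "/files/{id}/download", "sensitive": True},
    {"method": "GET",  "path": "/search",              "sensitive": False},
    {"method": "GET",  "path": "/admin/users/{id}",    "sensitive": True},
]

# Constructed access-log lines (combined log format) captured during the scan window.
# The last line is a normal user, not the scanner, and must be ignored.
ACCESS_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "ExampleScanner/1.0"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "POST /login HTTP/1.1" 302 0 "-" "ExampleScanner/1.0"
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /search?q=test HTTP/1.1" 200 2048 "-" "ExampleScanner/1.0"
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /files/17/download HTTP/1.1" 200 9000 "-" "ExampleScanner/1.0"
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /files/17/download HTTP/1.1" 200 9000 "-" "ExampleScanner/1.0"
192.168.1.9 - - [01/Jan/2024:10:00:06 +0000] "POST /files/upload HTTP/1.1" 201 0 "-" "Mozilla/5.0"
"""

# Pulls method, path (query string stripped) and user agent out of one log line.
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>[^ ?"]+)[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def route_matcher(path_template):
    """Compile '/files/{id}/download' into a regex that matches '/files/17/download'."""
    parts = []
    for seg in path_template.split("/"):
        if seg.startswith("{") and seg.endswith("}"):
            parts.append("[^/]+")          # any single path segment
        else:
            parts.append(re.escape(seg))
    return re.compile("^" + "/".join(parts) + "$")


def scanner_requests(log_text, ua_marker):
    """Yield (method, path) for every request whose user agent contains ua_marker."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and ua_marker in m.group("ua"):
            yield m.group("method"), m.group("path")


def coverage_report(routes, log_text, ua_marker):
    """Count scanner hits per route and list the sensitive routes it never reached."""
    matchers = [(r, route_matcher(r["path"])) for r in routes]
    hits = Counter()
    for method, path in scanner_requests(log_text, ua_marker):
        for r, rx in matchers:
            if r["method"] == method and rx.match(path):
                hits[(r["method"], r["path"])] += 1
    missed_sensitive = sorted(
        r["path"] for r in routes
        if r["sensitive"] and hits[(r["method"], r["path"])] == 0
    )
    return {"hits": dict(hits), "missed_sensitive": missed_sensitive}


if __name__ == "__main__":
    report = coverage_report(ROUTES, ACCESS_LOG, "ExampleScanner")
    for (method, path), n in sorted(report["hits"].items()):
        print(f"{n:3d}  {method:4s} {path}")
    for path in report["missed_sensitive"]:
        print(f"NOT SCANNED (sensitive): {path}")
```

On the constructed inputs the scanner looks busy (six requests, two of them to the download endpoint) yet never touched password reset, file upload or the admin user pages; the upload request in the log came from a browser, not the scanner, which is why the user agent filter matters. Those missed routes are exactly the ones to seed into the scanner's configuration, or to hand to a manual tester, before the assessment is considered complete.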
