Application Security Management
The Business Issue:
Clients have continually had web application security assessments completed by various vendors. They recognize, as many do, that an ongoing program to identify and correct critical vulnerabilities identified by such testing is an integral part of a web application security management program. However, the security robustness of applications significantly varies between different application development groups (both their internal and externally sourced groups).
This is exacerbated by the inevitable addition of new developers, project managers, teams and outsourcing arrangements that become involved as a result of acquisitions, new hires or the price sensitivity of outsourcing contracts. Inevitably, security vulnerabilities discovered during multiple testing efforts become a management and mitigation issue. The basic issue becomes: How can we maximize the Return On Investment (ROI) from our application testing program?
Working with various clients, and depending on the maturity of their application security program, KoreLogic has developed custom solutions unique to each client which include one or more of the following:
- Application Development Security Standard - Using our client's Software Development Lifecycle (SDLC) as the basis, KoreLogic developed this additional security standard, which is critical and foundational to the program. This tool is kept sufficiently succinct to encourage its use during a busy development project and is focused on the most common and preventable errors (i.e., what an experienced attacker looks for). Development managers, QA and security use this standard as a baseline measurement for all newly developed applications as well as for any application undergoing revisions prior to moving into production. Any issues annotated are treated as changes or defects just as if a functional problem in the code existed, and their remediation is handled through the same QA process.
- Customized Development Training - KoreLogic, through its many years of security experience, has found that nothing hits home more with your development teams than seeing specific examples of their own code which have created security vulnerabilities. The point is not to criticize but instead to learn and change tendencies. Application developers are challenged to make the code work functionally; they are not incentivized to make it secure. In order to bridge this gap and to emphasize the need for security, KoreLogic develops a customized application security training class specific to the customer (completed in conjunction with a testing effort). The curriculum includes customer-specific instances; recurring flaws discovered during assessments that year; and examples of application development techniques that thwarted successful attacks. In addition, KoreLogic has found this to be a great forum to introduce and train developers on the current Application Development Security Standard. KoreLogic recommends that this training be required of all developers, project managers and security teams.
- Establish Program Metrics - For programs progressing in maturity (the items above established), KoreLogic develops a metrics program which will allow you to track and report the occurrence of critical, recurring vulnerabilities discovered during the QA process and during pre- and post-production assessments. Key metrics are collected and analyzed, and quantitative measurements for quality and process performance are documented. Metrics provide the foundational information you need to justify changes in the security standard, additional training, improvements in the QA process and/or assessment efforts.
- Developer Support Website - To provide developers with an easily accessible knowledge repository (tools, standards, best practices, FAQs, blogs) where they can seek or contribute information supporting the web application security development program, KoreLogic will support your efforts to develop such an Intranet site.
Together, the solutions established above create a mature application security management program which provides the business with the following:
- The ability to identify, communicate, and better manage the prevention of recurring application vulnerabilities, thus lessening the potential for business data leakage, customer data loss, loss of functionality and/or business liability.
- Improved security consistency across multiple development groups.
- Available performance and trend tracking of application vulnerabilities to allow business action based on factual historical and event data.