May 19, 2014 By Neil Jones 4 min read

Reaching Your Goal of Comprehensive Application Security and Risk Management

In my April 29 article, I provided you with a vendor selection checklist that can be used to evaluate application security and risk management providers. In this second article of the two-part series, we’ll take a closer look at features and functionality that you should evaluate in integrated, comprehensive application security and risk management solutions.

A comprehensive approach to security across the development life cycle can be defined as one that weaves together key features and functionality from two complementary areas:

  1. An integrated approach to security analysis
  2. End-to-end governance, risk management and organizational collaboration

Key Security Analysis Requirements

When evaluating application security and risk management solutions, look for the following integrated security analysis capabilities:

  • Comprehensive, advanced testing technologies that enable dynamic (black-box) analysis, static (white-box) analysis, run-time analysis and client-side analysis. Security risks are multidimensional in nature, and optimal testing tools utilize a full range of technologies to reduce testing blind spots and increase the likelihood that vulnerabilities will be located.
  • Support for vulnerability testing on a wide range of applications, from in-house Web applications to packaged applications (such as SAP), legacy applications (such as COBOL-based offerings) and mobile applications. Security vulnerabilities can emerge anywhere, and organizations that take security seriously should leverage tools that address each software type they deploy, including Web and mobile applications developed in-house, third-party applications and legacy applications.
  • Broad coverage of Web-based technologies including development tool kits such as JavaScript, Ajax, Adobe Flash and Flex. Web services and service-oriented architecture (SOA) technologies should be reviewed at the level of the XML parser, application and SOA infrastructure.

Key Governance, Collaboration and Risk Management Requirements

Key security governance, collaboration and risk management capabilities that you should evaluate in application security and risk management solutions include:

  • Application inventory, meaning the ability to catalog and classify all of your existing application assets. This includes the ability to profile each application, determine its business impact and, after assessment, calculate its overall security risk. Application profile templates and risk calculations should be customizable, since metrics can vary based on an organization’s environment and application risk management philosophy.
  • Ability to incorporate security protection throughout the development life cycle, including during coding, build, testing and production processes. This includes providing plug-ins to your integrated development environment (IDE) to help remediate issues, the option to perform security scans directly from your IDE, automated scanning for each build and the ability to review your organization’s results in an IDE or security platform.
  • Policies, reporting and workflow tools to facilitate security governance and risk management. The ability to test for, discover and remediate security vulnerabilities at every stage of the development cycle — from coding to build and Q/A to production — dramatically reduces the overall cost of remediating security defects that are identified.

In the following section, you’ll find detailed guidance about the specific capabilities you should consider when making an application security and risk management purchasing decision. These general recommendations are applicable to most organizations, but we realize that your organization’s specialized requirements may differ from those outlined below.

Security Analysis Vendor Requirements Checklist

Dynamic Analysis (Black-Box Scanning)

Scans applications while they’re running. Covers all relevant OWASP and WASC Threat Classification v2.0 threat classes, including:
  • SQL Injection
  • Cross-Site Scripting
  • HTTP Response Splitting
  • O/S Commanding
  • LDAP Injection
  • XPath Injection

Web 2.0 and Rich Internet Applications:
  • JavaScript & Ajax
  • Adobe Flash & Flex
  • HTML5

Web Services/SOA:
  • SOAP/XML parser issues (for example, external entities and XML blowup)
  • Application-layer issues
  • Infrastructure issues

Static Analysis (White-Box Scanning)

Scans source code and bytecode for security issues:
  • Identifies code-level security defects within your IDE.
  • Performs automated code security analysis as part of the build process for centralized software code scanning.
  • Provides key performance indicators (KPIs) to help developers learn and master best practices.
  • Supports a broad range of languages: Java, JavaScript, Objective-C, C, C++, .NET, PHP, Perl, Visual Basic 6, PL/SQL, COBOL, SAP, etc.
  • Supports mobile applications on Android and Apple iOS, including full call and data-flow analysis of Objective-C applications on the Mac OS X platform.
  • Supports a broad range of IDEs: Visual Studio, Eclipse, IBM Rational Application Developer, etc.
  • Supports key defect-tracking tools.

Other Types of Analysis

  • Glass-Box Analysis: Combines dynamic analysis with a run-time agent to link potential exploits with line-of-code details to assist in your remediation efforts.
  • Client-Side Analysis: Static taint analysis of client-side JavaScript.

Security Governance, Collaboration and Risk Management – Vendor Requirements Checklist

Governance

  • Facilitates the compilation of an application inventory by profiling assets, tracking assessment statuses and calculating security risks.
  • Provides tools to define test policies, scan permissions and scan templates for development and testing organizations.
  • Includes out-of-the-box compliance reporting for regulations and standards such as the Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), EU Data Protection Directive, Information Security Management Systems (ISO 27001), etc.

Collaboration

Provides tools and workflow options to manage the life cycle of security issues, including:
  • Prioritizing vulnerabilities and opening issues based on risk.
  • Assigning ownership for each issue, utilizing a portal or defect-tracking system.
  • Tracking event resolution.
  • Re-testing and comparing results to confirm remediation.
  • Providing integration with defect-tracking systems.

Offers tools to support each stage of the development process, including:
  • Code: Scanning code, managing work items and remediating vulnerabilities from your IDE.
  • Build: Integrating security testing as a natural element of build extension testing; finding and fixing defects before releasing builds.
  • Test: Incorporating security testing into quality planning; executing basic security test scripts from quality management platforms.
  • Security: Building security test scripts for use by non-security experts; focusing preproduction audits on the most advanced threats; managing test policies and scan permissions; collaborating with development to prioritize findings and assign stakeholder ownership.

Risk Management

Enables an enterprise view of application security risk, including:
  • Visibility of applications and processes via an application risk dashboard.
  • Trending analysis and key performance indicators to monitor open issues, remediation cycles and the current state of application risk.
  • Aggregation of dynamic and static testing results, with correlation between the various types of analysis.

Offers centralized control to cover production applications with regularly scheduled scans.

Integrates conveniently with network intrusion, security information and event management (SIEM) and mobile security solutions.

Making the Right Choice

Armed with the information above, we’re confident that you’ll make a wise purchasing decision that will help you identify the areas of highest application security risk in your organization and prioritize remediation efforts.

My colleague Katherine Holden contributed to this article.
