Reaching Your Goal of Comprehensive Application Security and Risk Management
In my April 29 article, I provided you with a vendor selection checklist that can be used to evaluate application security and risk management providers. In this second article of the two-part series, we’ll take a closer look at features and functionality that you should evaluate in integrated, comprehensive application security and risk management solutions.
A comprehensive approach to security across the development life cycle can be defined as one that weaves together key features and functionality from two complementary areas:
- An integrated approach to security analysis
- An end-to-end governance, risk management and organizational collaboration
Key Security Analysis Requirements
When evaluating application security and risk management solutions, you should evaluate the following integrated security analysis capabilities:
- Comprehensive, advanced testing technologies that enable dynamic (black-box) analysis, static (white-box) analysis, run-time analysis and client-side analysis. Security risks are multidimensional in nature, and optimal testing tools utilize a full range of technologies to reduce testing blind spots and increase the likelihood that vulnerabilities will be located.
- Support for vulnerability testing on a wide range of applications which should range from in-house Web applications to packaged applications (such as SAP), legacy applications (such as COBOL-based offerings) and mobile applications. Security vulnerabilities can emerge anywhere, and organizations that take security seriously should leverage tools that address each software type they deploy, including Web and mobile applications developed in-house, third-party applications and legacy applications.
Key Governance, Collaboration and Risk Management Requirements
Key security governance, collaboration and risk management capabilities that you should evaluate in application security and risk management solutions include:
- Application inventory meaning the ability to catalog and classify all of your existing application assets. This includes the ability to profile each application, determine its business impact and, after assessment, calculate its overall security risk. Application profile templates and risk calculations should be customizable since metrics can vary based on an organization’s environment and application risk management philosophy.
- Ability to incorporate security protection throughout the development life cycle, including during coding, build, testing and production processes. This includes providing plug-ins to your integrated development environment (IDE) to help remediate issues, the option to perform security scans directly from your IDE, automated scanning for each build and the ability to review your organization’s results in an IDE or security platform.
- Policies, reporting and workflow tools to facilitate security governance and risk management. The ability to test for, discover and remediate security vulnerabilities at every stage of the development cycle — from coding to build and Q/A to production — dramatically reduces the overall cost of remediating security defects that are identified.
In the following section, you’ll find detailed guidance about the specific capabilities you should consider when making an application security and risk management purchasing decision. These general recommendations are applicable to most organizations, but we realize that your organization’s specialized requirements may differ from those outlined below.
Security Analysis Vendor Requirements Checklist
|Dynamic Analysis (Black-Box Scanning)Scans applications while they’re running.
||All relevant OWASP & WASC Threat Classification v2.0 threat classes, including:
Web 2.0 and Rich Internet Applications
Mobile application support for Android and Apple iOS, including full call and data-flow analysis of Objective-C applications on the Mac OS X platform.
Supports a broad range of IDEs: Visual Studio, Eclipse, IBM Rational Application Developer, etc.
Supports key defect-tracking tools.
Security Governance, Collaboration and Risk Management – Vendor Requirements Checklist
|Governance||Facilitates the compilation of an application inventory by profiling assets, tracking assessment statuses and calculating security risks.Provides tools to define test policies, scan permissions and scan templates for development and testing organizations. Includes out-of-the-box compliance reporting for regulations such as the Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), EU Data Protection Directive, Information Security Management Systems (ISO 27001), etc.|
|Collaboration||Provides tools and work flow options to manage the life cycle of security issues, including:
Offers tools to support each stage of the development process, including:
|Risk Management||Enables an enterprise view of application security risk, including:
Offers centralized control to cover production applications with regularly scheduled scans.
Integrates conveniently with network intrusion, security information and event management (SIEM) and mobile security solutions.
Making the Right Choice
Armed with the information above, we’re confident that you’ll make a wise purchasing decision. that will help you identify areas of highest application security risk in your organization and prioritize remediation efforts.
My colleague Katherine Holden contributed to this article.