Reaching Your Goal of Comprehensive Application Security and Risk Management
In my April 29 article, I provided you with a vendor selection checklist that can be used to evaluate application security and risk management providers. In this second article of the two-part series, we’ll take a closer look at features and functionality that you should evaluate in integrated, comprehensive application security and risk management solutions.
A comprehensive approach to security across the development life cycle can be defined as one that weaves together key features and functionality from two complementary areas:
- An integrated approach to security analysis
- An end-to-end governance, risk management and organizational collaboration
Key Security Analysis Requirements
When evaluating application security and risk management solutions, you should evaluate the following integrated security analysis capabilities:
- Comprehensive, advanced testing technologies that enable dynamic (black-box) analysis, static (white-box) analysis, run-time analysis and client-side analysis. Security risks are multidimensional in nature, and optimal testing tools utilize a full range of technologies to reduce testing blind spots and increase the likelihood that vulnerabilities will be located.
- Support for vulnerability testing on a wide range of applications which should range from in-house Web applications to packaged applications (such as SAP), legacy applications (such as COBOL-based offerings) and mobile applications. Security vulnerabilities can emerge anywhere, and organizations that take security seriously should leverage tools that address each software type they deploy, including Web and mobile applications developed in-house, third-party applications and legacy applications.
- Broad coverage of Web-based technologies including development tool kits such as JavaScript, Ajax, Adobe Flash and Flex. Web services and service-oriented architecture (SOA) technologies should be reviewed at the level of the XML parser, application and SOA infrastructure.
Key Governance, Collaboration and Risk Management Requirements
Key security governance, collaboration and risk management capabilities that you should evaluate in application security and risk management solutions include:
- Application inventory meaning the ability to catalog and classify all of your existing application assets. This includes the ability to profile each application, determine its business impact and, after assessment, calculate its overall security risk. Application profile templates and risk calculations should be customizable since metrics can vary based on an organization’s environment and application risk management philosophy.
- Ability to incorporate security protection throughout the development life cycle, including during coding, build, testing and production processes. This includes providing plug-ins to your integrated development environment (IDE) to help remediate issues, the option to perform security scans directly from your IDE, automated scanning for each build and the ability to review your organization’s results in an IDE or security platform.
- Policies, reporting and workflow tools to facilitate security governance and risk management. The ability to test for, discover and remediate security vulnerabilities at every stage of the development cycle — from coding to build and Q/A to production — dramatically reduces the overall cost of remediating security defects that are identified.
In the following section, you’ll find detailed guidance about the specific capabilities you should consider when making an application security and risk management purchasing decision. These general recommendations are applicable to most organizations, but we realize that your organization’s specialized requirements may differ from those outlined below.
Security Analysis Vendor Requirements Checklist
Dynamic Analysis (Black-Box Scanning)Scans applications while they’re running.
|
All relevant OWASP & WASC Threat Classification v2.0 threat classes, including:
- SQL Injection
- Cross-Site Scripting
- HTTP Response Splitting
- O/S Commanding
- LDAP Injection
- XPath Injection
Web 2.0 and Rich Internet Applications
- JavaScript & Ajax
- Adobe Flash & Flex
- HTML5
Web Services/SOA
- SOAP/XML parser issues (for example, external entities and XML
blowup)
- Application-layer issues
- Infrastructure issues
|
| Static Analysis (White-Box Scanning)Scans source code and bytecode for security issues. |
Identifies code-level security defects within your IDE.Performs automated code security analysis as part of the build process for centralized software code scanning.Provides key performance indicators (KPIs) to help developers learn and master best practices.Supports a broad range of languages: Java, JavaScript, Objective-C, C, C++, .NET, PHP, Perl, Visual Basic 6, PL/SQL, COBOL, SAP, etc.
Mobile application support for Android and Apple iOS, including full call and data-flow analysis of Objective-C applications on the Mac OS X platform.
Supports a broad range of IDEs: Visual Studio, Eclipse, IBM Rational Application Developer, etc.
Supports key defect-tracking tools. |
| Other Types of Analysis |
Glass-Box Analysis Combines Dynamic Analysis with a run-time agent to link potential exploits with line-of-code details to assist in your remediation efforts.Client-Side Analysis: Static taint analysis of client-side JavaScript. |
Scroll to view full table
Security Governance, Collaboration and Risk Management – Vendor Requirements Checklist
| Governance |
Facilitates the compilation of an application inventory by profiling assets, tracking assessment statuses and calculating security risks.Provides tools to define test policies, scan permissions and scan templates for development and testing organizations. Includes out-of-the-box compliance reporting for regulations such as the Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), EU Data Protection Directive, Information Security Management Systems (ISO 27001), etc. |
| Collaboration |
Provides tools and work flow options to manage the life cycle of security issues, including:
- Prioritizing vulnerabilities and opening issues based on risk.
- Assigning ownership for each issue, utilizing a portal order defect tracking system.
- Tracking event resolution.
- Re-testing and comparing results to confirm remediation.
- Providing integration with defect tracking systems.
Offers tools to support each stage of the development process, including:
- Code: Scanning code, managing work items and remediating vulnerabilities from your IDE.
- Build: Integrating security testing as a natural element of build extension testing; finding and fixing defects before releasing builds.
- Test: Incorporating security testing into quality planning; executing basic security test scripts from quality management platforms.
- Security: Building security test scripts for use by non-security experts; focusing preproduction audits on the most advanced threats; managing test policies and scan permissions; collaborating with development to prioritize findings and assign stakeholder ownership.
|
| Risk Management |
Enables an enterprise view of application security risk, including:
- Visibility of applications and processes via an application risk dashboard.
- Provides trending analysis and key performance indicators to monitor open issues, remediation cycles and current state of application risk.
- Aggregates dynamic and static testing and correlates results between various types of analysis.
Offers centralized control to cover production applications with regularly scheduled scans.
Integrates conveniently with network intrusion, security information and event management (SIEM) and mobile security solutions. |
Scroll to view full table
Making the Right Choice
Armed with the information above, we’re confident that you’ll make a wise purchasing decision. that will help you identify areas of highest application security risk in your organization and prioritize remediation efforts.
My colleague Katherine Holden contributed to this article.
Major Events Content Strategist for IBM Security