APPLICATION SECURITY – Bringing order to chaos
Attacks on applications are among the most costly incidents organisations can face. One coordinated attack reportedly stole US$1 billion from 50 different companies.[1]
As the information explosion continues, applications are proliferating and becoming increasingly diverse – moving from mainframes and servers to clouds, smartphones, wearables and other devices. The ability to create applications, once exclusive to vendors and in-house programmers, is now commonplace.
Modern applications are written in multiple languages and run on myriad devices. Organisations no longer have the luxury of managing a handful of applications. Today’s portfolios contain thousands of diverse applications that complicate lines of responsibility and introduce unknown risk.
Complex application portfolios provide fertile ground for a growing number of vulnerabilities. Attackers know that vulnerable applications open doors into organisations’ protected systems and most valuable information: more than two thirds of attacks are targeted at applications.[2] Organisations that do not secure their applications present themselves as easy targets.
Good practice to reduce the risk of attacks is available, and it works. But application risk needs to be governed effectively, otherwise good practice will be applied inconsistently across the application life cycle, leaving risk unmanaged.
The ISF Application Security Framework has been developed to help organisations improve security at all stages of the application life cycle. The framework is a structured and comprehensive set of 27 good practice guidelines, derived from leading practice, expert input, standards and other guidance. The framework is supported by an iterative approach that ISF Members can use to address immediate risk and incrementally improve information security across their application portfolios.
HOW SHOULD ORGANISATIONS RESPOND TO INCREASING APPLICATION RISK?
By performing successive iterations of the improvement cycle shown below to:
– address immediate application risk
– incrementally improve the security of their application portfolios.
1. DEFINE – For a specific group of applications, assess current practice against the framework to determine gaps. Create and agree an implementation plan.
2. IMPLEMENT – Execute the plan to implement good practice and address the identified gaps.
3. EVALUATE – Determine the extent to which improvements were effective. Remediate if necessary.
4. ENHANCE – Identify and incorporate lessons learned to enable sustainable improvements.
THE ISF APPLICATION SECURITY FRAMEWORK
[Diagram: the 27 good practice guidelines, grouped under Governance and the application life-cycle stages Requirements, Design, Development, Deployment, Operations and Disposal]
GOVERNANCE (A1–A6): A1 Application Security Governance Structures; Application Security Policies and Procedures; Application Ownership; Application Risk Management; Application Register; A6 Application Security Education and Training
REQUIREMENTS (B1): Application Security Requirements
DESIGN (C1–C3): Application Security Architecture; Application Security Design; Application Threat Modelling
DEVELOPMENT (D1–D5): D1 Application Procurement; Contractual Agreements; D3 Application Build; D4 Threat Protection; D5 Application Security Testing
DEPLOYMENT (E1–E2): Application Integration; Application Configuration
OPERATIONS (F1–F9): Application Security Operational Procedures; Application Vulnerability Management; Security Event Logging; Application Monitoring; Incident Management; Application Backup; Application Change Management; Application Security Audit; Application Identity and Access Control
DISPOSAL (G1): Application Decommission
[Infographic]
Information volumes explode. Every minute: Facebook users share 2,460,000 pieces of content; email users send 204,000,000 messages; Amazon generates $83,000 in online sales; 40,500 photo messages are sent using Snapchat (as of Jul 2014).
Applications proliferate. [Chart: mobile applications downloaded (billions) and US$ earned by mobile app providers (billions), by year, 2009–2017; later years estimated.]
Organisations are not keeping up. The equivalent of 106 years of downtime was ... services in 2014 due to 11,944 outages suffered by Microsoft, Yahoo! and Google. Only 37% of applications are tested for vulnerabilities (as of Nov 2014). 1 billion personal data records were compromised in 2014.
Sources: Jack Taylor, ViralNova, Statista, NCC, Veracode, Gemalto
Information Security Forum | Application Security: Bringing order to chaos | 33
A6 Application Security Education and Training
IN A NUTSHELL
Provide the appropriate level of information, education and training about application risk to everyone in the organisation.
WHY IT MATTERS
Investment in education and training improves security knowledge, skills and behaviours.
ACTIONS TO CONSIDER
1 Engage with senior management to inform them of the nature of application risk and the potential business impact.
2 Maintain a programme that provides targeted education and training for stakeholders according to their roles and responsibilities (e.g., risk for application owners and users, security requirements for procurement teams and secure coding practices for developers).
3 Focus education and training on application risk and how to minimise it. Use topics such as:
i frequency and impact of incidents
ii common threat events to applications
iii application security policies and procedures
iv personal responsibility for adhering to policies and procedures (e.g., keeping to secure coding practice, not compromising security requirements in contracts, not letting unauthorised people see application information, not sharing passwords and not using unauthorised applications)
v particular security features in applications.
4 Update education and training as threats emerge, security practices change and development techniques evolve.
5 Monitor and evaluate how effective education and training is, and use the results to improve it.
Hints and Tips
• Integrate education and training with the organisation’s security awareness programmes.
ISF RESOURCES
See the ISF Standard of Good Practice for Information Security, in particular the topics CF2.2 Security Awareness Programme, CF2.3 Security Awareness Messages and CF2.4 Security Education/Training.
See the ISF report From Promoting Awareness to Embedding Behaviours: Secure by choice, not by chance, which provides guidance on how to set up and implement awareness and training courses according to role and responsibility.
ADDITIONAL RESOURCES
• BSIMM Training overall, with the Governance domain including activities such as “educate executives”.
• SAMM Training and Guidance.
• Microsoft SDL, SDL Practice #1.
• ISO 27034-1:2011, section A.9.1 Training.
ABOUT THIS REPORT
This report describes how application risk is increasing and why managing the risk is now critical, given the impacts organisations are experiencing and their reliance on applications. It highlights a number of areas that ISF research found to be particularly important in overcoming the barriers to effective application governance and risk management. Leading CISOs ensure clear governance structures are in place. They communicate across multiple organisational levels, allowing stakeholders to visualise responsibilities clearly and understand the true extent of the risk. They facilitate skills development for those who need it, in particular application teams and risk managers.
The ISF Application Security Framework, shown on the left, is the centre of the ISF approach to addressing application risk. This structured and comprehensive set of 27 good practice guidelines, shown below, is aligned with the ISF Standard of Good Practice for Information Security and will help organisations improve governance and risk management across the application life cycle.
WHERE NEXT?
Application Security: Bringing order to chaos equips ISF Members to improve governance and risk management across the application life cycle. It does this by:
– articulating the magnitude of application risk
– providing practical guidance on how organisations can overcome operational barriers with clear governance, better communications, the right skills and actions to address immediate risk
– setting out an approach that incrementally improves application risk management and embeds good practice across application portfolios.
Central to the ISF approach for protecting applications and the information they handle is the ISF Application Security Framework. The 27 good practice guidelines that make up the framework are aligned with the ISF Standard of Good Practice for Information Security and a wide set of good practice including BSIMM, ISO/IEC 27034-1:2011, Microsoft SDL and SAMM.
ISF Members will also find that this report complements the ISF Information Risk Assessment Methodology 2 (IRAM2).
The ISF encourages collaboration on its research and tools. Members are invited to join the active Application Security group on ISF Live (https://www.isflive.org/community/process/application-security), to share their experience and debate findings in this report. Please let other ISF Members know how you have translated the guidelines into effective controls to improve information security across your organisation’s application portfolio.
Consultancy services from the ISF provide Members and Non-Members with the opportunity to purchase short-term, professional support activities to supplement the implementation of ISF products.
The report is available free of charge to ISF Members, and can be downloaded from the ISF Member website www.isflive.org. Non-Members interested in purchasing the report should contact Steve Durbin at [email protected].
1 Kaspersky Lab (2015) Carbanak APT: The great bank robbery version 2, Securelist. http://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt
2 Gartner Security and Risk Summit, 23-26 June 2014, National Harbor, Maryland, USA.
CONTACT
For further information contact:
Steve Durbin, Managing Director
US: +1 (347) 767 6772
UK: +44 (0)20 3289 5884
UK Mobile: +44 (0)7785
[email protected]
ABOUT THE ISF
Founded in 1989, the Information Security Forum (ISF) is an independent, not-for-profit association of leading organisations from around the world. It is dedicated to investigating, clarifying and resolving key issues in cyber, information security and risk management by developing best practice methodologies, processes and solutions that meet the business needs of its Members.
ISF Members benefit from harnessing and sharing in-depth knowledge and practical experience drawn from within their organisations and developed through an extensive research and work programme. The ISF provides a confidential forum and framework, which ensures that Members adopt leading-edge information security strategies and solutions. And by working together, Members avoid the major expenditure required to reach the same goals on their own.
DISCLAIMER
This document has been published to provide general information only. It is not intended to provide advice of any kind. Neither the Information Security Forum nor the Information Security Forum Limited accept any responsibility for the consequences of any use you make of the information contained in this document.
©2015 Information Security Forum Limited
REFERENCE: ISF 15 09 02 | CLASSIFICATION: Public, no restrictions