Slides - owasp

advertisement
Improving Application
Security After
An Incident
Cory Scott
Matasano Security
Where Do Application
Security Programs Come
From?
Unlikely.
Maybe.
Most likely.
An incident, you say?
• Could be a near miss
• Or an unfortunate impact
• That’s fine, we’ll pull out our trusty dusty
(network) response plan...
FAIL
Traditional Network
Incident Response
•
•
•
•
•
•
Root cause is one or more of the following:
credentials, access control, patch, or
configuration.
There’s an app for that.
And a process template.
And an audit guideline.
Whew... All Done!
Usually one neck to choke.
Application Anarchy!
•
•
•
•
•
Could be one of many root causes.
Could be the fault of the developer, the framework
author, third-party plug-ins, application operations,
poor requirement definition, client-side security, etc
etc.
There’s probably an app for some of that. But
you’re going to need some process for it too...
Quick - how do you audit a secure coding
practice?
How many necks can you choke?
Queue Foreshadowing
Music Here
Oh, the people you’ll meet!
• Internal Auditors (grr!)
• External Auditors (eep!)
• Executives (*cringe*)
• Development Managers (hey, you!)
• Network Security People (...)
• Application Security Salesmen in your
C[X]Os office (WTF!)
The Opportunity &
The Problem
•
•
•
•
Taking the root cause
to the bank
You can prove that the Quick Fix is not the
fix.
You’ve just got some funding for an appsec
program. Congratulations! OR
You may be getting funding... IF you can
show that you’re going to do something
meaningful with it. OR
You may have to go back into the trenches
until the next one.
AppSec Stallout!
•
•
•
•
•
•
•
•
Management priority shift.
Fatigue, fear, and loathing.
Bought the $PRODUCT, the problem is solved.
Right? Right?
Got the Pentest, all clean! Right?
X days without a workplace incident, all good!
Analysis Paralysis
Auditor Pile-On
The LCD of Compliance
READY... FIRE...
AIM!
Assessment Strategies to Prevent Stallout
Identify High-Risk
Applications
• Emphasis on high-risk
• Enforce the two-sentence rule to
identify loss potential
• Existing inventories are usually
insufficient
• Don’t fight against intuition
• Get it over with
Scoping is Critical
• Get this wrong and you’ve just wasted
thousands of dollars.
Scoping is Collaborative
• Get everyone to the table, including:
• Application Owner
• Development Guy
• Information Security Guy
• The Tester
• Ambiguity at the beginning is okay, but
not at the end. Respect the fact that this
make some people uncomfortable.
Best of both worlds
•Embrace Design Reviews in addition to
implementation-oriented assessments
•HOWEVER:
•Questionnaires are to Design Reviews
what Web Vulnerability Scanners are to
Penetration Testing
Flexible & Standardized at
the same time?!
• Define a short-list of vulnerabilities and
weaknesses.
• Choices are good!
•
•
•
•
Design review
Tools
Code review
Manual Penetration Testing
• Standardize approach and deliverable
for each choice.
Pick your battles and
weapon of choice
• The first few engagements are the most
important.
• Insert a QA checkpoint and a postassessment feedback process.
• Pick “friendly” application teams to start.
• Bring in external teams at the beginning
to crib off of their approach and delivery.
Management Strategies to Prevent Stallout
Get funding for remediation
upfront
• Strike while the iron is hot. (and the
wallet is open)
• Rule of thumb: remediation cost equals
assessment cost.
• Consider a two-level approach for each
app: a pre-approved “not-to-exceed”
amount and a separate budget request
for larger initiatives.
• You’ll make friends!
Assign Specialists
• Understand the business unit
• Maintain a watchlist of applications
• Scope and schedule assessments
• Assist in Incident Response
Process Change
• SDL improvements
• Small steps with pilot groups
• Leverage specialists
• Vendor management
• Give them a risk assessment that
they can self-operate to start
• Encourage reusable assessments
Detection & Response
• You worked so hard to get situational
awareness, don’t lose it!
• First on your wish-list: logging and audit
trails that you didn’t have pre-incident
that would have helped you respond
faster and with less legwork.
• Specialists can help in preparation and
response.
Metrics
•
KRIs
•
Vulnerabilities still open for each application
•
•
•
Applications within open vulnerabilities that have suffered a successful
attack within the last year
Applications with open vulnerabilities with no clear path towards
remediation or where the risk has been accepted by the business unit
KPIs
Download