Looking at What Makes Good Application Security Knowledge
by Drazen Drazic
It’s always interesting reading about larger scale fraud like this one recently with the Bank of Queensland. You wonder in cases like this, had the accused pulled the pin earlier, would he ever have gotten caught? You wonder how many do get away with it - stopping before obvious alarm bells start to ring?

What is "security" trying to protect you against?
There’s no generic fraud-detection solution or strategy to critique, as each organisation addresses its own internal security and risk management practices differently, but there is a scary pattern of misguided thought in regards to securing systems and actually defending against, and detecting, fraud. It’s "security" by definition, but are many blinkered as to what the full definition of "security" encompasses? I think so.
Many in the security industry are focussed to the point of obsession on vulnerabilities and technical attack vectors alone (new attack type X, new attack type Y - generally old stuff re-invented in different ways but promoted as the next big thing by many in the industry). It’s a narrowly focused view that stops at the technical exploit. That’s not where the role of a security professional should stop. Read on:

If it stopped there, we’d never be able to stop a lot of breaches, frauds and "non-policy" behaviour. (Gees…..we’re not now, are we, in a lot of cases?) But many in our industry behave as if, and promote, the "technical" side as the be-all and end-all, and then just want to sell you things that may (but generally don’t) stop the "technical" side of things.
Have a think about that…..seriously……What a load of BS!
I keep re-linking to this one about Application Security Reviews. I do it for a reason. If you have read through this post and the link(s) in it, you’ll know what I am talking about. I won’t repeat what I have discussed in the links. Have a read again. We’re not going to stop fraud and malicious activity with that narrowly focused view of what "Application Security" and "Security" in general are. It just makes no sense.
"Systems" view vs "Application" view - a holistic view and strategy is key.
Let’s look at "Application Security". You can vulnerability test, penetration test, security test, run app scanners…whatever you want to call it…but does that give you a decent level of confidence that you know where your issues may lie, so that you can prevent fraud and protect your business? Will fixing the problems identified by these types of testing make your organisation more secure? Yeah? Well, to a small degree. BUT, what is "security" trying to protect you against? You’ve done this type of testing, but what about:
- Security Architecture; System Development, System Management
- User Administration and Review; Logical Access, Access Controls, Access Review, Segregation of Duties
- Application Administration and Usage; System Maintenance
- System Security; Network Security, Integrity, Confidentiality, Availability, Non-Repudiation, Physical Security, Third Party and External Connections
- Security Logging and Monitoring; Audit Logs, Monitoring
- System Maintenance and Support; System Access, Change Control
- Handling and Storage of Information and BCP; Backup and Storage, Business Continuity Planning, Destruction of Data
- Legal and Regulatory
- Exception to Policies and Standards; Non-compliance Scenarios
If you’re not doing these things as a minimum as part of your application/systems security reviews, you’ll fail and always be wide open to fraud and business risks.
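As an added example (not code from the original post), here is what two of the areas listed above, user/access review with segregation of duties and audit-log monitoring, actually consist of in practice, run over constructed role assignments and audit-log lines for a hypothetical payments application. Nothing here is a coding flaw, so a penetration test of the same application would report nothing; the access review and the log review are what flag the fraud-enabling condition.

```python
"""
Added example, not from the original post: a minimal segregation-of-duties
(SoD) check and audit-log review. All users, rights, policy and log lines
are constructed for illustration.
"""

# Constructed role assignments: which rights each user holds in the
# hypothetical payments application.
USER_ROLES = {
    "alice": {"payment.create"},
    "bob": {"payment.approve"},
    "carol": {"payment.create", "payment.approve"},  # conflicting rights
    "dave": {"report.view"},
}

# Assumed SoD policy: pairs of rights one person must never hold together.
SOD_CONFLICTS = [("payment.create", "payment.approve")]

# Constructed audit log: "<timestamp> <user> <action> <payment id>".
AUDIT_LOG = [
    "2010-01-29T09:01:00 alice payment.create P-1001",
    "2010-01-29T09:05:00 bob payment.approve P-1001",
    "2010-01-29T17:40:00 carol payment.create P-1002",
    "2010-01-29T17:41:00 carol payment.approve P-1002",
]


def sod_violations(user_roles, conflicts):
    """Static access review: users holding both halves of a conflicting pair."""
    return sorted(user for user, rights in user_roles.items()
                  for a, b in conflicts if a in rights and b in rights)


def self_approved_payments(log_lines):
    """Log review: payments created and then approved by the same user."""
    creator = {}   # payment id -> user who created it
    flagged = []
    for line in log_lines:
        _ts, user, action, pid = line.split()
        if action == "payment.create":
            creator[pid] = user
        elif action == "payment.approve" and creator.get(pid) == user:
            flagged.append(pid)
    return flagged


if __name__ == "__main__":
    print("SoD violations:", sod_violations(USER_ROLES, SOD_CONFLICTS))
    print("Self-approved payments:", self_approved_payments(AUDIT_LOG))
```

The static check catches the conflicting entitlement before it is used; the log check catches it after the fact even if the access review was skipped, which is why the post lists both areas.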
I question some people’s credentials as "Application Security Experts" when all they can talk about is technical vulnerabilities and attack vectors. That just makes you a coding problem expert who has good hacking skills to break code…not an Application Security Expert. If you want to be an expert in application security, you need to understand a little more and maybe fraud like that mentioned at the start of this post could be averted in more cases. Not sorry if that upsets some "Experts".
Applications/Systems that cannot be hacked into because they have been penetration tested and problems fixed, and are protected by FWs, IDS/IPS and WAFs are easy game if you haven’t really looked at the "security" of the applications/systems.
Tags: IT security, PCI Compliance, Penetration Testing, Product Assurance, QualysGuard, Security Assessments, Security Strategy, Vulnerability Assessment, Web Application Security
This entry was posted on Saturday, January 30th, 2010 at 9:30 AM and is filed under Community Manager, Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
Comments
Can we republish this again and again for all the haxors who think a pen test will sort the security issues for applications. This and the links just demo how little a penetration test actually can highlight security issues. I’ve sent this post through to my whole division for education.
A penetration test is only worth its salt after all of the above has been carried out!
@Drazen, I would be interested to hear about your experience on what you recommend versus what companies just do at a minimum.
Hello Jonas,
Thanks for the kind words.
Your question is an easy one to answer but difficult in application. It’s the old building awareness and understanding issue.
Even in our own industry, many believe technical level testing, given the expertise required and the awesome results that can be attained ("hey we just hacked you!") are the be-all and end-all.
You see it in “our” (security people’s) forums, IRC, Twitter etc all the time. What’s the next big attack vector? That’s good and really cool at times but that mindset that our technical experts and researchers are our saviours alone is just BS.
In the scope of things, the majority of security risks really lie in the other areas I mentioned. In theory and in practice! We’ve lost focus.
But, saying that, importance on all levels is key. My point in the post being, don’t forget the key areas and I think we have been for a long time while we try to be all fancy with it!
If I had to prioritise and I only had to choose between one review - web app pen test vs audit of areas I mentioned, the latter would win out each time! No brainer!
Ideally organisations think about this and do both but budgets and lack of knowledge/awareness as I mentioned restrict that.
We as an industry have an obligation to promote a full/holistic view and not a narrow technical focus which pigeonholes us further into an area that business has trouble dealing with.
DD