Archive for the ‘SDLC’ category

Shrinking Budgets: Application Security Tools vs Process Tradeoff

May 10, 2010

An all too familiar scene repeated itself two weeks ago. My good friend & CISO of a mid-sized technology company, let's call him Alok, went into a budget planning meeting and came out as a shadow of his former self. To be more precise, an 85% version of the Alok that I know. He had just been handed a 15% reduction in budget.

Like most managers, Alok started taking stock of his mini-empire and prioritizing things that he could do without. Luckily he had already expected a cut and so had planned ahead. Unluckily, he had planned for a 6% reduction, not a 15% reduction. After some brainstorming and taking some tough decisions he had cut costs by 10%. Now began his quest for the elusive final 5%. His organization had started the transition from being a network security centric organization to a more application security centric organization around 15 months ago. So, a solution posed by one of his managers was to drop the security engineering process integration program and replace it with a set of static analysis tools they had just evaluated. This strategy had paid off handsomely for them in the network security field. Ron, one of the leading application architects in the organization, was opposed to the idea. Thus started a turf war, which left some angry, most frustrated and everyone confused.

Unlike most managers, Alok reached out for advice. He asked me to share my experience with customers in similar budgetary situations & maturity. This is how our conversation went:

Alok: So I think the automated security tools can help us reduce risk and save us money. Unfortunately, I have to reduce budget and I’m thinking of buying <snip> tool to drive efficiency. What do you think?

Akshay: I’m sorry that you have had a budget cut. A lot of my clients have been facing a similar situation. Before I answer your question can you tell me what value you expect to derive from the tool?

Alok: We are looking to get standardized security bugs and find all the vulnerabilities that exist in our code base.

Akshay: Do you know how the tool compares to a manual security code review? I mean, what kind of coverage does it give you? And is that coverage good enough for your organization?

Alok: No, we haven’t examined that. Assume that it is. Should we go ahead? You know I can get more done with less by buying the tool and getting rid of my contingent vendor staff.

Akshay: Well, the tool that you mentioned will need to be used by both your development team and your security team. Have you considered the cost of training people to use it?

Alok: No. What other impacts and costs may there be?

Akshay: I imagine the development staff is also being reduced. I imagine that they will resist taking on additional work while having to let go of people. In my experience, when clients buy static analysis or other tools, a large portion of them end up as shelfware. Not enough thought is given to how to integrate these into existing development lifecycles. Application security is fundamentally a process problem and you can’t solve it just by using tools.

In my opinion, this is a great time for forward looking organizations to re-engineer their development process to integrate security into it. People are the biggest resisters of change. Culture change is the toughest challenge when moving to an SDL-like process. The prevailing lean development team, a more malleable workforce and forward looking leadership can and should be leveraged in these tough economic times to make the organization healthier for the future.

- Akshay

Application Security Development Lifecycle 5A: Is Threat Modeling Right For You?

June 14, 2008

Several enterprises are increasingly investing time and money in building application security tasks into their existing SDLCs. Some of them have also reached the conclusion that proactive approaches, like threat modeling, have more ROI than reactive approaches. As a result, some enterprises with nascent appsec programs have turned to threat modeling as a panacea for their security problems. However, threat modeling may not be the solution to their immediate problems. I recognize that this may be a controversial statement.

Recently, I have been involved in several situations where organizations with their heart in the right place have made threat modeling mandatory as part of the development process, with limited success. My point is that threat modeling as part of a mature SDLC is a desired end state though not necessarily the initial step. Let’s examine this argument.

Firstly, threat modeling depends on several elements of an SDLC being fairly mature. Most importantly, it depends on the requirements and specification gathering process being rigorous. Also, an enterprise must have well defined standards and policies in place to act as input into the threat modeling process. Without these elements of the SDLC in place, the threat modeling process will be isolated and have a reduced impact.

Secondly, a threat model is only a security plan and is useless without committed follow-up action as part of development and testing. Most enterprises do not allocate sufficient time and resources to implement the findings of the threat model. A large portion of organizations don’t even have a security assessment team in place. These teams are the consumers of the threat modeling process that actually carry out the most crucial task of reducing risk by implementing countermeasures.

Thirdly, it is practically feasible to create threat models only for new projects or those undergoing incremental changes. As a result, legacy applications do not benefit from threat modeling. This leaves a huge gap in the enterprises’ risk profile.

Finally, most nascent application security programs need quick and demonstrable ROI. The ROI of the threat modeling process can take several months or even years to be quantifiable because it is an incremental process that is dependent on several other SDLC processes to be effective. There are other areas where investment can bring more immediate ROI. These areas include a security assessment team, security training for developers and definition of countermeasures for common vulnerabilities.

For organizations with nascent application security processes, I recommend that they use the following framework to evaluate whether they are ready to adopt threat modeling:

  • Does a security baseline exist?
  • Is the SDLC process fairly well defined and followed during development?
  • Has the organization agreed upon countermeasures for common vulnerabilities?
  • Are developers trained to avoid common vulnerabilities?
  • Do developers do a self review of code for security vulnerabilities?
  • Does a security assessment team exist?

If the answer to more than two of the questions above is no, then the organization is probably not ready to adopt threat modeling.


Application Security Development Lifecycle 4: Finding the right security talent

June 1, 2008

After about an hour of nodding his head vigorously in agreement with some of our lessons learnt, my customer jumped up and exclaimed, “Great!! Now where do I find another 20 people like these?” (pointing to my team)…

I thought about it a while, and so Mr. B, here is your answer: Information security education has been pursued by several tertiary education institutions (i.e. universities) for several decades now. In 1999, the NSA got into the act and issued a list of National Centers of Academic Excellence in Information Assurance Education (CAEIAE) to 7 universities:

    James Madison University
    George Mason University
    Idaho State University
    Iowa State University
    Purdue University (No longer a CAE)
    University of California at Davis ( I went to grad school here)
    University of Idaho

These CAEs are accredited for 5 years and have to reapply for designation after that period. The CAEs were set up in an effort to promote higher education in information assurance, and in turn, increase the number of professionals with this critical expertise. NSA’s establishment of this program was based on the growing demand for professionals with information assurance expertise in various disciplines.

The current list of designated universities includes the original universities (except Purdue) and the following:

California State University, San Bernardino
Georgetown University
Southern Polytechnic State University
The University of Tennessee at Chattanooga
University of Arkansas at Little Rock
University of Denver
University of Missouri – Columbia
University of Nevada, Las Vegas
West Chester University of Pennsylvania
West Virginia University
Air Force Institute of Technology
California State Polytechnic University, Pomona
DePaul University
East Carolina University
New Mexico Tech
Northeastern University
Nova Southeastern University
Oklahoma State University
Polytechnic University
The University of Texas at San Antonio
Towson University
United States Air Force Academy
University at Buffalo, the State University of New York
University of Maryland University College
University of Nebraska at Omaha

Watch this space for more on information security education and where to find the right people.


How Microsoft IT does Secure Application Development: Webcast

May 26, 2008

I will be discussing Microsoft IT’s approach to secure application development, with a special focus on how we integrate security into the IT line-of-business SDLC, in a webcast this Thursday, May 29th. This webcast will be part of Microsoft’s IT Manager Webcast series. This series aims to share deep knowledge focused on enterprise IT orgs and ISVs.

Title: IT Manager Webcast: How Microsoft IT does Secure Application Development (Level 200)

Register Online

Audience: Technology Decision Maker
Duration: 60 Minutes
Start Date: Thursday, May 29, 2008 11:00 AM Pacific Time (US & Canada)

Event Overview

Join this webcast to learn how Microsoft IT’s Application Consulting and Engineering (ACE) team secures Microsoft’s internal business applications. The ACE team will share the state of the industry, application security challenges, and how application security fits into the development lifecycle for IT. Learn about the ACE team’s methodology and processes developed in the areas of application security and performance optimization.

You can find more details here.
