Application Security Maturity Model

Chenxi Wang, Ph.D.
Principal Analyst
Forrester Research
December 9, 2008
Software Vulnerability is Everywhere
Web 2.0 is exacerbating the problem
What are organizations doing with respect to application security?
 • Many have black box scanning and penetration testing
    – Some by in-house testing team
    – Some by third-party
    – But many don’t do anything with the results
 • Fewer have rigorous SDL, code review, or source code
   analysis (white box) capabilities or practices
          So the result is …
• You are often left with applications that have many security holes
  – COTS, open-source, and proprietary alike
• Organizations understand the importance of application security
  – But many don't know where to start or what they need
There is a need for universal metrics and standards of operation for application security
An application security maturity model
• To understand where your deficiencies are
• To ascertain concrete steps for improvement
• To evaluate success and trend progress
• To help gauge return on investment
Essential elements of this maturity model
 • Must govern technology, people, and process
 • Must incorporate context from operational environments
   as well as development practices
    – e.g., In house development vs. outsourcing
 • Must be systematic and effective, including
    – Pragmatic steps leading to higher levels of maturity
    – Actionable guidance
The most basic level – Reactive
• Predominantly reactive treatment of application security
   – Deal with vulnerabilities when they are found
   – Install patches or fixes when they are released
• No proactive or systematic methods for application security
• You are always putting out fires …
• Many organizations today are Reactive
 The second level – Proactive
• Technology: Employ proactive and repeatable security
  measures for selected projects
• People: Establish responsibilities and roles for core
• Process: Proactive processes and practices
• You are better prepared than at the Reactive level
  The second level – Proactive
• Technology examples
  – Black-box scanning
  – White-box code review capabilities
  – Third-party penetration testing
• People & process examples
  – Code review practices
  – Established process to deal with outsourced code
  – Designated security liaison for selected projects
  – Assessment, remediation and trending processes
  – Coding guidelines and ad hoc training programs
The third level – Proficient
• Proactive security practiced universally
• More mature policies, procedures, and
• Better use and integration of relevant
   Proficient – distinguishing features

• Full lifecycle treatment of application security
• Integrated SDL practices with operational
  procedures (configuration & patch management)
• Automated incident response procedures
• Systematic developer training and awareness
• Extensive secure coding checklists and
Proficient treatment of application security
  • Business understanding
     – How critical is this application?
     – What compliance requirements must it meet?
  • Operational understanding
     – What type of environment will the application operate in?
     – What kinds of threats will this application face?
  • Technical understanding
     – What technologies/services should I employ?
  • Personnel understanding
     – How should I train my developers in secure programming?
     – What is the best way to work with development
The fourth level – Center of Excellence
• Elevating Proficient to a higher level program
   – With consistent executive support and commitment
   – Budget allocation for multi-year efforts
   – Centralized management of the program
   – Continuous self evaluation and improvement
   – Closely tracked success metrics and ROI calculators
Build your application security maturity

Reactive
• Predominantly reactive measures: fix vulnerabilities if exploited
• Little SDLC capability
• Ad hoc and manual security

Proactive
• Systematic security testing for selected projects
• Established secure coding guidelines
• Ad hoc developer/tester training

Proficient
• Standardized security process throughout
• Established SDLC practice
• Integrated remediation processes
• Internal compliance policies

Center of Excellence
• Mature, end-to-end SDLC program
• Centralized management of the program
• Systematic training
• Clearly defined success metrics
• Established self-evaluation process
From Proactive to Proficient (an application lifecycle view)

  • Step 1: Establish an accountability/reward structure
  • Step 2: Establish full lifecycle treatment of application security
  • Step 3: Conduct risk analysis and understand the criticality of different projects
  • Step 4: Allocate budgets accordingly
  • Step 5: Establish an ongoing developer training program
From Proactive to Proficient (an example)

[Figure: source code analysis tool and web application firewall]

 • Proactive
    – Source code analysis finds a new vulnerability in existing code
    – The fix waits for the next patching cycle
 • Proficient
    – Source code analysis is integrated with the WAF
    – Discovery of a new vulnerability immediately triggers a change in the firewall filtering rules, so the flaw is shielded while the code fix is scheduled
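The Proficient pairing above, as an added illustration that is not code from the deck or from any scanner or WAF vendor: a constructed static-analysis finding (the field names, the `/account` route, the `id` parameter and the `account.py:42` location are all assumed) is turned into a chained ModSecurity v2 SecRule that blocks injection-looking values of that one parameter on that one route, and a small local check exercises the rule's decision logic against sample requests before it is deployed. The rule is a stopgap that buys time until the code fix ships; it does not replace the fix, and the detection patterns are coarse starting points that a team would tune against its own traffic.

```python
# Added example: SAST finding -> WAF virtual patch. Not from the deck or any
# vendor; the finding layout, route and parameter names are constructed.
import re
from dataclasses import dataclass
from typing import Dict
from urllib.parse import unquote

# Constructed finding, as a scanner might report an unsanitized request
# parameter reaching a SQL sink (assumed field names).
FINDING = {
    "rule_id": "sql-injection",
    "file": "account.py",
    "line": 42,
    "route": "/account",
    "parameter": "id",
    "sink": "cursor.execute",
}

# Detection patterns per vulnerability class (assumption: coarse starting
# points that a team would tune to limit false positives).
PATTERNS = {
    "sql-injection": r"(?i)(['\"]|--|/\*|\bunion\b|\bor\b\s+\d+\s*=\s*\d+)",
    "path-traversal": r"(\.\./|\.\.\\|%2e%2e)",
}


@dataclass
class VirtualPatch:
    rule_id: int
    route: str
    parameter: str
    pattern: str
    message: str

    def to_modsecurity(self) -> str:
        """Render as a chained ModSecurity v2 rule: the first SecRule matches
        the route and carries the actions; the chained SecRule matches the
        parameter value after URL decoding."""
        return (
            f'SecRule REQUEST_URI "@beginsWith {self.route}" '
            f'"id:{self.rule_id},phase:2,deny,status:403,log,'
            f"msg:'{self.message}',chain\"\n"
            f'    SecRule ARGS:{self.parameter} "@rx {self.pattern}" '
            f'"t:urlDecodeUni"'
        )


def patch_from_finding(finding: dict, rule_id: int = 900100) -> VirtualPatch:
    """Map one finding to a rule scoped to the affected route and parameter,
    so the patch does not block the same parameter name on other routes."""
    pattern = PATTERNS[finding["rule_id"]]
    message = (f"Virtual patch: {finding['rule_id']} in "
               f"{finding['file']}:{finding['line']} "
               f"({finding['route']} param {finding['parameter']})")
    return VirtualPatch(rule_id, finding["route"], finding["parameter"],
                        pattern, message)


def blocks(patch: VirtualPatch, uri: str, args: Dict[str, str]) -> bool:
    """Local emulation of the chained rule's decision, used to test the patch
    against sample requests before deployment. Assumption: this mirrors the
    route-prefix plus decoded-argument regex logic only, not a full WAF engine."""
    if not uri.startswith(patch.route):
        return False
    value = args.get(patch.parameter)
    if value is None:
        return False
    return re.search(patch.pattern, unquote(value)) is not None


if __name__ == "__main__":
    patch = patch_from_finding(FINDING)
    print(patch.to_modsecurity())
    # Constructed sample requests: benign, attack on the patched route,
    # URL-encoded attack, and the same attack on a route the finding
    # does not cover.
    samples = [
        ("/account", {"id": "42"}),
        ("/account", {"id": "1' OR 1=1 --"}),
        ("/account", {"id": "1%27%20or%201%3D1"}),
        ("/profile", {"id": "1' OR 1=1 --"}),
    ]
    for uri, args in samples:
        verdict = "blocked" if blocks(patch, uri, args) else "allowed"
        print(f"{uri} {args} -> {verdict}")
```

Scoping the rule to the route and parameter named in the finding is the design point: a site-wide SQL injection signature on every argument would be the Proactive-level response, while a patch tied to the specific finding keeps false positives low enough to deploy the same day and can be retired when the scanner confirms the code fix.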
From Proficient to Center of Excellence
• Step 1: Establish central management of your SDLC and
  operational security program
• Step 2: Establish clear success metrics and evaluation
  criteria throughout
• Step 3: Conduct risk analysis and understand criticality
  of different projects
• Step 4: Allocate budgets accordingly
• Step 5: Establish a regular review process
• Step 6: Establish an ongoing developer training program
The state of software security today
• < 10 organizations have implemented large-scale software security programs across the organization
   – Systematic training
   – Comprehensive security process for all critical applications, from development through operation
   – Clear success metrics
• Others are at different levels of maturity
Keep this picture in mind:
 85% of code flaws are introduced during coding

• Organizations need a software security maturity model
• Build up your application security maturity
• Plan for long-term developer training and capacity building
         Thank you.