Application Security Maturity Model
Chenxi Wang, Ph.D., Principal Analyst, Forrester Research
December 9, 2008

Software vulnerability is everywhere
• Web 2.0 is exacerbating the problem

What are organizations doing with respect to application security?
• Many have black-box scanning and penetration testing
– Some by an in-house testing team
– Some by a third party
– But many don't do anything with the results
• Fewer have rigorous SDL, code review, or source code analysis (white-box) capabilities or practices

So the result is …
• You are often left with applications with many security holes
– COTS, open-source, and proprietary alike
• Organizations understand the importance of application security
– But many don't know where to start or what they need

There is a need for universal metrics and standards of operation for application security

An application security maturity model
• To understand what your deficiency is
• To ascertain concrete steps for improvement
• To evaluate success and trend progress
• To help gauge return on investment

Essential elements of this maturity model
• Must govern technology, people, and process
• Must incorporate context from operational environments as well as development practices
– e.g., in-house development vs. outsourcing
• Must be systematic and effective, including
– Pragmatic steps leading to higher levels of maturity
– Actionable guidance

The most basic level – Reactive
• Predominately reactive treatment of application security
– Deal with vulnerabilities when they are found
– Install patches or fixes when they are released
• No proactive or systematic methods for application security
• You are always putting out fires …
• Many organizations today are Reactive

The second level – Proactive
• Technology: Employ proactive and repeatable security measures for selected projects
• People: Establish responsibilities and roles for core parties
• Process: Proactive processes and practices
• You are more prepared than Reactive

The second level – Proactive (continued)
• Technology examples
– Black-box scanning
– White-box code review capabilities
– Third-party penetration testing
• People & process examples
– Code review practices
– Established process to deal with outsourced code
– Designate a security liaison for selected projects
– Assessment, remediation, and trending processes
– Coding guidelines and ad hoc training programs

The third level – Proficient
• Proactive security practiced universally
• More mature policies, procedures, and practices
• Better use and integration of relevant technologies

Proficient – distinguishing features
• Full lifecycle treatment of application security
• Integrated SDL practices with operational procedures (configuration & patch management)
• Automated incident response procedures
• Systematic developer training and awareness programs
• Extensive secure coding checklists and guidelines

Proficient treatment of application security
• Business understanding
– How critical is this application?
– What kinds of compliance requirements should I meet?
• Operational understanding
– What type of environment will the application operate in?
– What kind of threats will this application face?
• Technical understanding
– What technologies/services should I employ?
• Personnel understanding
– How should I train my developers in secure programming?
– What is the best way to work with development organizations?

The fourth level – Center of Excellence
• Elevating Proficient to a higher-level program
– With consistent executive support and commitment
– Budget allocation for multi-year efforts
– Centralized management of the program
– Continuous self-evaluation and improvement
– Closely tracked success metrics and RoI calculators

Build your application security maturity
Reactive
• Predominately reactive measures: fix vulnerabilities if exploited
• Little SDLC capabilities
• Ad hoc and manual security testing
Proactive
• Security testing for selective projects
• Established SDLC practice
• Established secure coding guidelines
• Ad hoc developer/tester training
• Internal compliance policies established
Proficient
• Mature, end-to-end SDLC program
• Systematic security process throughout
• Integrated remediation processes
• Established self-evaluation process
Center of Excellence
• Standardized application security process
• Centralized management of the program
• Systematic training
• Clearly defined success metrics

From Proactive to Proficient (an application lifecycle view)
• Step 1: Establish accountability/reward structure
• Step 2: Establish full lifecycle treatment of application security
• Step 3: Conduct risk analysis and understand criticality of different projects
• Step 4: Allocate budgets accordingly
• Step 5: Establish an ongoing developer training program

From Proactive to Proficient (an example)
Source code analysis tool + Web application firewall
• Proactive
– Source code analysis finds a new vulnerability in existing code
– Fixes will occur during the next patching cycle
• Proficient
– Source code analysis integrated with the WAF
– Discovery of a new vulnerability would immediately necessitate a change in the firewall filtering rule

From Proficient to Center of Excellence
• Step 1: Establish central management of your SDLC and operational security program
• Step 2: Establish clear success metrics and evaluation criteria throughout
• Step 3: Conduct risk analysis and understand criticality of different projects
• Step 4: Allocate budgets accordingly
• Step 5: Establish a regular review process
• Step 6: Establish an ongoing developer training program

The state of software security today
• < 10 organizations have implemented large-scale software security programs across the organization
– Systematic training
– Comprehensive security process for all critical applications, development – operation
– Clear success metrics
• Others are at different levels of maturity

Keep in mind this picture: 85% of code flaws are introduced during coding

Summary
• Organizations need a software security maturity model
• Build up your application security competency
• Plan for long-term developer training and capacity building

Thank you. Questions?
Chenxi Wang, Principal Analyst, Forrester Research
• Email: firstname.lastname@example.org
• Blog: blogs.forrester.com/srm
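The Proficient-level integration sketched in the "From Proactive to Proficient (an example)" slide, where a source code analysis finding immediately drives a WAF filtering-rule change, as an added example that is not part of the deck: the finding shape, the CWE patterns and the rule-ID range are assumptions, and the emitted rules use ModSecurity SecRule syntax.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    """Minimal SCA finding (constructed shape for this example; real tools differ)."""
    finding_id: str      # tool's own identifier
    cwe: int             # 89 = SQL injection, 79 = cross-site scripting
    route: str           # HTTP path of the affected handler
    parameter: str       # tainted request parameter
    fixed: bool = False  # True once the code fix has shipped

# Detection patterns per CWE (assumed for the example). A virtual patch narrows the
# exposure until the code fix ships; it is not a substitute for fixing the code.
CWE_PATTERNS = {
    89: r"(?i)(['\"]\s*(or|and)\s+|union\s+select|;\s*--)",
    79: r"(?i)(<script|javascript:|on\w+\s*=)",
}
RULE_ID_BASE = 900000  # assumed ID range reserved for generated rules

def virtual_patch(f: Finding, rule_id: int):
    """Return a ModSecurity SecRule chain that denies requests whose tainted parameter
    matches the CWE pattern on the vulnerable route; None if fixed or no pattern."""
    pattern = CWE_PATTERNS.get(f.cwe)
    if pattern is None or f.fixed:
        return None
    return (
        f'SecRule REQUEST_URI "@beginsWith {f.route}" '
        f'"id:{rule_id},phase:2,deny,status:403,log,chain,'
        f"msg:'Virtual patch for SCA finding {f.finding_id} (CWE-{f.cwe})'\"\n"
        f'    SecRule ARGS:{f.parameter} "@rx {pattern}" "t:urlDecodeUni"'
    )

def reconcile(findings):
    """Proficient-level loop: each open finding with a known CWE gets a rule, fixed ones
    drop out. Returns (rules by finding id, open finding ids with no matching pattern)."""
    rules, escalate = {}, []
    for i, f in enumerate(sorted(findings, key=lambda x: x.finding_id)):
        rule = virtual_patch(f, RULE_ID_BASE + i)
        if rule:
            rules[f.finding_id] = rule
        elif not f.fixed:
            escalate.append(f.finding_id)
    return rules, escalate

# Constructed sample findings (not real scan output)
SAMPLE = [
    Finding("SCA-0012", 89, "/account/search", "q"),
    Finding("SCA-0013", 79, "/profile", "nickname"),
    Finding("SCA-0007", 89, "/login", "user", fixed=True),
    Finding("SCA-0020", 22, "/files", "path"),  # path traversal: no pattern here
]
```

Findings the generator cannot pattern-match are returned separately so they still reach a person instead of silently going unprotected.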