The key to improving a web security program is having a comprehensive metrics program in place – a system capable of performing ongoing measurement of the security posture of production systems, exactly where the proverbial rubber meets the road. Doing so provides direct visibility into which areas of the SDLC program are doing well and which ones need improvement. Failure to measure and understand where an SDLC program is deficient before taking action is a guaranteed way to waste time and money – both of which are always extremely limited.
Below is a step-by-step strategy for building a website security program that yields results:
1) Assign an individual or group that is accountable for website security: These individuals or groups may include the board of directors, executive management, security teams, and software developers. They should be commissioned and authorized to establish a culturally consistent incentives program that will help move the organization in a positive direction with respect to security.
2) Find your websites – all of them – and prioritize: Prioritization can be based on business criticality, data sensitivity, revenue generation, traffic volume, number of users, or other criteria the organization deems important. Knowing what systems need to be defended and what value they have to the organization provides a barometer for an appropriate level of security investment.
3) Measure your current security posture from an attacker’s perspective: This step is not just about identifying vulnerabilities; while that is a by product of the exercise, it’s about understanding what classes of adversaries you need to defend against and what your current exposure to them is. Just finding vulnerabilities is not enough. Measure your security posture the same way a bad guy would before they exploit the system – fixing those vulnerabilities first is what’s important.
4) Trend and track the lifecycle of vulnerabilities: At a minimum, measure how many vulnerabilities are introduced per production code release, what vulnerability classes are most prevalent, the average number of days it takes to remediate them, and the overall remediation rate. The result provides a way to track the organization’s progress over time, and serves as a guide for which of the SDLC-related activities are likely to make the most impact. Anything measured tends to improve.
5) Fast detection and response: Historically it has been prudent to operate under the assumption that [all] networks are compromised, or are at least hostile. This is the case especially since everyone is only one zero-day away from a break-in. Borrowing from that frame of reference, application security professionals are well advised to take a similar approach and focus on the impact of that assumption. Start by asking the question: “If my application is already vulnerable what action(s) should I begin taking?” If an organization is breached, the real damage happens when the adversary is in the system for days, weeks, or months. If an intruder can be successfully identified and kicked off the system within hours, the business impact of a breach can be substantially minimized.
Each Application Security program must be tailored to their environments, taking into account everything from corporate culture to regulatory requirements. One of the lessons learned from the research resulting in the WhiteHat 2013 Website Statics Report is that there are no “Best Practices” that can be widely applied without these considerations and result in a measurable impact. Elements of an Application Security program that work for those in the Retail industry will not work for the Banking sector.
By Gabriel Gumbs, Director of Solutions Architecture at WhiteHat Security
