How to measure your application security program’s efficiency
Updated: May 6, 2021
One of an organization’s biggest assets is knowledge. A 2018 Cyber Breach & Trends Report cited over 2 million cyber incidents that year, causing at least $45 billion in losses. Application security (AppSec) programs exist to keep an organization’s information assets and security groundwork safe from breaches and hacks. Achieving this goal takes a collective effort from knowledgeable personnel and the right tools. Suppose you have the right people and a plan laid out. Now you want to measure your AppSec program’s efficiency to confirm that it really works. But how?
Secure Software Design Lifecycle
System design is an essential part of AppSec programs that cannot be neglected. In an increasingly digital world, the threat and business risk of security breaches have made security a quintessential part of software design. A Secure Software Design Lifecycle (SSDLC), a security process model integrated with development, provides a proper framework for building secure applications and safeguarding your organization’s assets. This framework treats security in software development at a fundamental level, building processes that deliver the highest quality at low cost during all stages of a software development project (needs analysis, planning, software design, software development or code writing, testing and deployment).
The building blocks of a successful SSDLC are:
Threat Modeling
Threat modeling identifies potential issues that can arise from new applications so that contingency plans can be put in place. Whether old or recently developed, all applications used in an organization need to go through a threat modeling process.
Creating a threat model requires a thorough analysis of software infrastructure, business environment, software quality and technical aspects such as functions and user experience, in order to home in on the risks or potential downsides of the software.
This strategic approach not only provides a view of an application’s capabilities and risks; it is also a scalable and cost-effective model that avoids the cost of resolving issues later in the application life cycle. There are 4 steps to threat modeling:
● Step 1: Diagram - What are we building?
● Step 2: Identify - What could possibly go wrong?
● Step 3: Mitigation - What are we doing to prevent these from happening?
● Step 4: Validation - Did our previous steps work? If not, what does?
Secure Coding
During application development, one of the most important things is to ensure that the team follows secure coding practices. New software usually goes through an extensive code review in which the system is run to check its usability. Here, the code is exercised to identify any glitches or faults in function. At the same time, developers have an opportunity to examine how vulnerable the code is and make further refinements.
Generally, here are some secure coding practices to keep in mind:
● Secure coding is most effective when incorporated into the development process from the beginning
● Take on a different perspective to gain insight on motives and methods of attack
● Never be complacent about your risk
Integrating these secure coding practices can ensure maximum safety in a world of ever-present cyber crime.
Application Security Testing
Implementing an SSDLC includes having accurate performance metrics to track the success of an AppSec program. The required metrics may vary for each organization and each individual piece of software. Executives have to define their desired metrics through analysis of the company’s objectives and goals, and the application’s desired outcome.
It is important to note that not everything has to be measured. Metric design requires thoughtful planning and curation to gain a fundamental understanding of risk and to drive organizational goals. Some good practices are:
● Align activities with the firm’s goal
● Keep reports and measurements clear and easy to understand
● Have internal or industry benchmarks to conduct comparisons
● Do away with unimportant metrics to avoid data overload
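As an added example (not part of the article), the script below puts a few of these principles into code: mean time to remediate per severity, SLA compliance against an assumed internal benchmark, and open findings that are already past their deadline. The finding records, SLA thresholds and dates are constructed for illustration.

```python
"""Added example (not from the article): a few AppSec program metrics
computed from finding records. Records, field names and SLA thresholds are
constructed for illustration and belong to no real tracker."""
from datetime import date
from statistics import mean

# Constructed sample findings: (id, severity, source, opened, closed or None)
FINDINGS = [
    ("F-1", "critical", "SAST", date(2021, 3, 1), date(2021, 3, 5)),
    ("F-2", "high", "DAST", date(2021, 3, 2), date(2021, 4, 20)),
    ("F-3", "high", "pentest", date(2021, 3, 10), date(2021, 3, 30)),
    ("F-4", "medium", "SCA", date(2021, 3, 12), None),
    ("F-5", "critical", "DAST", date(2021, 4, 1), None),
]
# Assumed internal benchmark: maximum days allowed to remediate, per severity
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
TODAY = date(2021, 5, 6)  # report date, used to age still-open findings

def mean_time_to_remediate(findings, severity):
    """Mean days from open to close across closed findings of one severity."""
    durations = [(closed - opened).days
                 for _, sev, _, opened, closed in findings
                 if sev == severity and closed is not None]
    return mean(durations) if durations else None

def sla_compliance(findings, sla_days, today):
    """Fraction of findings closed within SLA, or still open but not yet past
    their deadline; open findings past the deadline count as breaches."""
    met = sum(1 for _, sev, _, opened, closed in findings
              if ((closed or today) - opened).days <= sla_days[sev])
    return met / len(findings)

def open_by_severity(findings, sla_days, today):
    """Open finding counts per severity, with how many are already past SLA."""
    summary = {}
    for _, sev, _, opened, closed in findings:
        if closed is None:
            entry = summary.setdefault(sev, {"open": 0, "overdue": 0})
            entry["open"] += 1
            entry["overdue"] += int((today - opened).days > sla_days[sev])
    return summary

if __name__ == "__main__":
    print("MTTR critical (days):", mean_time_to_remediate(FINDINGS, "critical"))
    print("SLA compliance:", sla_compliance(FINDINGS, SLA_DAYS, TODAY))
    print("Open by severity:", open_by_severity(FINDINGS, SLA_DAYS, TODAY))
```

Tracking these three numbers over time, split by source tool, shows which parts of the program are actually shortening the window between discovery and fix.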
With that in mind, these are some of the best tests when it comes to application security testing:
Static Application Security Testing (SAST)
SAST, or white-box testing, gives the tester high visibility into the inner workings of the system, from implementation to design. This methodology is more developer-focused and inspects the software at the level of its source code. SAST can be conducted as soon as the code is deemed feature-complete. In other words, white-box testing examines the application from the inside out. Because SAST only analyses code, it cannot identify potential threats that appear only while the program is actually running.
Dynamic Application Security Testing (DAST)
DAST, the black-box methodology, is essentially the opposite of SAST. With this outside-in approach, the tester is given no access to or information about the application’s internals and examines it from a consumer’s perspective. DAST focuses on execution and is therefore only conducted after the development process is over. Unlike SAST, this method is able to pinpoint run-time or exploitable vulnerabilities in the software as it is actually used.
Identifying weaknesses in an application is a complex task. One way to do it is to cross-reference the data from SAST and DAST. Combining the strengths of the two methods in this way is also known as Hybrid Analysis Mapping (HAM).
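The cross-referencing idea above, as an added example that is not the article’s or any vendor’s implementation: SAST findings are keyed by handler source file and weakness class, DAST findings are mapped back to the handler through an assumed route table, and each finding is then sorted into confirmed (both tools agree), static-only or dynamic-only. The routes, findings and CWE ids are constructed sample data.

```python
"""Added example (not the article's or any vendor's code) of cross-referencing
SAST and DAST results, the idea behind Hybrid Analysis Mapping. Routes,
findings and CWE ids below are constructed sample data."""
from collections import defaultdict

# Constructed route table: URL path -> source file of the handler serving it
ROUTES = {"/login": "app/auth.py", "/search": "app/search.py",
          "/profile": "app/profile.py"}
# Constructed SAST findings: (source file, line, weakness class)
SAST = [("app/search.py", 42, "CWE-89"),    # SQL injection sink
        ("app/profile.py", 17, "CWE-79"),   # reflected XSS
        ("app/auth.py", 88, "CWE-798")]     # hard-coded credential
# Constructed DAST findings: (URL path, weakness class)
DAST = [("/search", "CWE-89"), ("/login", "CWE-352")]


def correlate(sast, dast, routes):
    """Group findings as confirmed (same handler and weakness class seen by
    both tools), static_only (code-level only) or dynamic_only (runtime only)."""
    # Map each runtime finding back to the handler file via the route table
    dynamic_hits = defaultdict(set)
    for path, cwe in dast:
        dynamic_hits[routes.get(path, path)].add(cwe)
    static_keys = {(f, cwe) for f, _, cwe in sast}

    result = {"confirmed": [], "static_only": [], "dynamic_only": []}
    for f, line, cwe in sast:
        bucket = "confirmed" if cwe in dynamic_hits[f] else "static_only"
        result[bucket].append((f, line, cwe))
    for path, cwe in dast:
        if (routes.get(path, path), cwe) not in static_keys:
            result["dynamic_only"].append((path, cwe))
    return result


if __name__ == "__main__":
    for bucket, items in correlate(SAST, DAST, ROUTES).items():
        print(f"{bucket}: {items}")
```

Confirmed findings are the ones to fix first; the static-only and dynamic-only buckets are where each tool's blind spot (no runtime context, no code context) needs a human look.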
Penetration Testing
Penetration testing, or pen testing for short, is the process of simulating attacks on the application to discover potentially exploitable vulnerabilities. The organization engages an ‘ethical hacker’, who takes on the role of an attacker to see how feasible the threat is. Essentially, there are five types of pen tests:
● Open-box - testers will have access to certain security information of the organization prior to the test;
● Closed-box - testers are given no information except for the name of the company;
● Covert - teams are unaware of said pen test taking place, including security and IT personnel in charge of attack management and response;
● External - looks at the organization’s external technology (e.g. websites) that is prone to outsider attacks;
● Internal - assesses internal network and software to mimic attacks from the company’s employees.
Bug Bounty Programs
Bug bounty programs are offered by organizations or cyber security vendors to give an incentive, or bounty, to those who report bugs. These programs use a competitive model to engage highly skilled bug bounty hunters, mostly researchers or ethical hackers, to discover vulnerabilities in the organization’s network in exchange for rewards in the form of money, recognition or services.
Companies can rely on either in-house security teams or external vendors to set up a bug bounty environment as a way of detecting potential threats. Bounty hunters are able to monetize their skills, and firms gain coverage of problem areas at scale. In fact, bug bounties are rising in popularity among tech giants, and rewards spiked 26% in 2020.
Software Composition Analysis (SCA)
Software Composition Analysis in AppSec focuses mainly on managing open source code. Open source programming has proliferated in the past few years, driven by rapid digital transformation and market competition. The caveat is that companies are now more exposed to cyber security risks. SCA is thus an essential tool for the many companies that rely on open source software to build their applications.
So how exactly does SCA help mitigate the risks of open source programming? SCA tools are used to perform scans of the organization’s code and give visibility on open source components, including software licenses, direct and indirect dependencies and exploitable vulnerabilities.
Traditionally, SCA was done through manual scans, tracking and approval, resulting in false positives and slower detection. Following the explosive growth in open source code, SCA has evolved to require developer-friendly tools, automation and smart detection for better accuracy.
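To make the visibility an SCA tool provides concrete, here is an added example (not the article’s or any SCA vendor’s code) of the core of such a scan: parse a manifest of direct dependencies, walk an assumed dependency graph to pick up indirect ones, and report each component with its origin path, licence and any advisory that its pinned version does not yet fix. All package names, versions, advisory ids and licences are constructed placeholders.

```python
"""Added example (not the article's or any SCA vendor's code): the core of a
software composition analysis pass. Package names, versions, advisory ids and
licences below are constructed placeholders."""
MANIFEST = """\
webframework==2.1.0
imageutil==0.9.3
"""
# Constructed: GRAPH pkg -> [(dep, pinned version)]; ADVISORIES pkg -> (fixed-in, id)
GRAPH = {"webframework": [("templating", "1.4.0"), ("httpcore", "3.0.1")],
         "templating": [("escapeutil", "0.2.0")]}
ADVISORIES = {"escapeutil": ("0.3.0", "ADV-0001"), "imageutil": ("0.9.3", "ADV-0002")}
LICENSES = {"webframework": "MIT", "templating": "BSD-3-Clause", "httpcore": "Apache-2.0",
            "escapeutil": "GPL-3.0", "imageutil": "MIT"}

def parse_manifest(text):
    """Return [(name, version)] from 'name==version' lines, skipping comments."""
    deps = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, version = line.split("==")
            deps.append((name.strip(), version.strip()))
    return deps

def version_key(version):
    return tuple(int(part) for part in version.split("."))

def resolve(direct, graph):
    """Return {package: (version, path)} for direct and transitive dependencies."""
    resolved, stack = {}, [(n, v, [n]) for n, v in direct]
    while stack:
        name, version, path = stack.pop()
        if name not in resolved:  # first pin encountered wins
            resolved[name] = (version, path)
            stack.extend((d, dv, path + [d]) for d, dv in graph.get(name, []))
    return resolved

def report(resolved, advisories, licenses):
    """One row per component: origin path, licence and any unfixed advisory."""
    rows = []
    for name, (version, path) in sorted(resolved.items()):
        fixed, advisory = advisories.get(name, (None, None))
        unfixed = fixed is not None and version_key(version) < version_key(fixed)
        rows.append({"package": name, "version": version, "via": " > ".join(path),
                     "direct": len(path) == 1, "license": licenses.get(name, "unknown"),
                     "advisory": advisory if unfixed else None})
    return rows

if __name__ == "__main__":
    print(*report(resolve(parse_manifest(MANIFEST), GRAPH), ADVISORIES, LICENSES), sep="\n")
```

The interesting row is the vulnerable component three levels down that never appears in the manifest; that is the indirect dependency the article says SCA exists to surface.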
Web Application Firewalls
Web Application Firewalls (WAF) are used to monitor and filter HTTP traffic between web applications and the Internet. In a nutshell, a WAF is a shield that protects web applications from attacks such as cross-site request forgery, cross-site scripting, SQL injection and other threats reachable through the Internet. Since a WAF only inspects HTTP traffic, it cannot address other risks and attacks, and it is usually one integrated tool within a robust cyber security system that employs a suite of other tools.
Security Controls
Besides running tests to detect potential risks to an organization’s system, security controls are measures that safeguard against security risks. Controls form the groundwork of a reliable cyber security system by avoiding, detecting and minimizing malicious attacks on a company’s digital assets.
Security controls can be categorized into physical controls, administrative controls and technical controls. It is also helpful to understand the issues that create the need for these controls; security departments can then assign the appropriate application components to carry out each control’s function.
Physical Controls
Physical controls are any means of restricting physical attacks and access. You can use a mix of technological tools and physical hardware to design a more secure system that protects valuable facilities. Such measures may include security systems, surveillance cameras and passcode-protected software.
Physical security measures can grant selective access not only to outsiders but also to an organization’s own people. Even in smaller office spaces or buildings, there may still be loopholes that management overlooks when placing controls, and the implemented system can be refined through penetration testing.
Administrative Controls
Also referred to as procedural controls, this strategy encompasses all human aspects of security management. Administrative controls are the part of AppSec that defines the personnel practices that protect, monitor and secure resources. The scope of administrative controls includes, but is not limited to, NDA contracts, background checks on all new employees, policies and standard operating procedures (SOPs).
Technical or Logical Controls
These are mechanisms that rely on technology to mitigate risks and reduce vulnerabilities within an organization’s network through machine learning and automation. Risk management is administered through antivirus software, encryption or firewalls.
Because these solutions are themselves software, there will be some level of threat associated with using security applications. You can therefore employ the same tactics, through the tests mentioned above, to identify and discover vulnerabilities in your security controls. Doing so, for instance through Dynamic Application Security Testing, can further confirm the effectiveness of the application in line with the organization’s cyber security objectives.
How to tell which of these controls are working better than the others
The different security controls are just a component of a larger AppSec strategy, often to protect, mitigate and minimize loss of precious data. Security controls should not be implemented on a whim. Higher management and security teams need to collaborate to approach application security strategically by first defining control objectives, before deciding on the type and purpose of controls.
Security controls are integrated into the SSDLC process by securing data and assets, as opposed to application security testing which uncovers underlying or overlooked issues. Hand in hand, these components work together to ensure that organizations are safe from malicious attacks and cyber crime.
Information is crucial in today’s competitive market, and knowing whether your AppSec program is running efficiently is vital to the success of your organization. Some organizations tend to leave application security until after the development stage, which can lead to slipped launch dates, a higher cost to fix vulnerabilities, too little time to mitigate risks, or larger management issues.
Enso helps alleviate consumers’ application security woes by providing the tools needed to supercharge your SSDLC program. With Enso’s Security Posture Management Platform, organizations can automate their security processes and coordinate operations with zero disturbance. Every organization has different requirements and objectives, which is why Enso aims to tailor SSDLC programs to the varying AppSec needs of its partners. Such programs and activities can be time consuming and confusing, especially for companies that are not well-versed in security or have limited capacity. By tapping into existing technologies and using collaboration tools, this dynamic application security solution can discover, calibrate and protect your assets with greater speed and accuracy, contributing to organizational success.