Part 3: The best practices guide for application security
The comprehensive business guide to application security (a three-part series)
Table of contents
Introduction . . . . 3
Implementing best practices through the HP Application Security Maturity Model . . . . 3
The Application Security Maturity Model . . . . 4
Level 0–Ad Hoc . . . . 4
Level 1–Risk Aware . . . . 5
Level 2–Basic Lifecycle Program . . . . 6
Level 3–Enterprise View . . . . 7
Level 4–Center of Excellence . . . . 8
Summary . . . . 10
Introduction
Software is the circulatory system of the global economy. It manages our financial transactions, it tracks the products in our ports’ shipping containers, it monitors a sick person’s vital signs, and a lot more. Innovations in software development are changing our perceptions of the Internet, reshaping enterprises, and giving birth to significant new businesses. From Web 2.0 to cloud computing, not only is software driving global change, it is dictating the ever-increasing pace of that change.
No matter your industry, your enterprise is no doubt impacted by these trends, whether through your own software development initiatives, outsourced development, or the strategic procurement of commercial software. Your goals of creating new markets, gaining a competitive advantage, achieving organizational efficiencies, and communicating efficiently may be intertwined with your efforts to introduce software innovations. A key success factor in leveraging the business benefits of software is assuring that it is implemented securely. Standing still is not an option, but failure to take appropriate measures to focus on software quality and security introduces unnecessary risk within your enterprise and often results in a situation where the organization takes one step forward and two steps back.
As we near the end of the first decade of the 21st century, the software industry has the benefit of a growing body of knowledge that can be applied to software quality and security. What we have learned is that the organizations which are most successful at securing software take a full lifecycle approach to the issue and make a program-level commitment.
This white paper is part three of HP’s three-part Application Security for Business Educational Series, intended to help executives understand the importance of application security to their business. We encourage you to read the full series:
• Part 1: The mandate for application security
• Part 2: The comprehensive business commitment to application security
• Part 3: Implementing best practices through the HP Application Security Maturity Model
Implementing best practices through the HP Application Security Maturity Model
A program-level commitment to application security should be comprehensive, providing end-to-end development lifecycle coverage while spanning the domains of People, Process, and Technology. However, a roadmap for arriving at a comprehensive program must be flexible, recognizing that all organizations will have unique starting points, resources, and other constraints governing their program. A time-honored methodology for attaining a high level of program competency is to seek continuous improvement through a maturity model. HP has developed the Application Security Maturity Model, which defines key characteristics of an application security program within progressive levels of competency.
By understanding this maturity model, it becomes possible to develop a customized roadmap of tangible steps to improve your application security within a time frame and budget that aligns with your organization.
Figure 1. HP Application Security Maturity Model. The model runs from reactive and tactical (unmanaged risk) to proactive and strategic (business-optimized ROI): Level 0, Ad hoc (no business mandate, firewall/IDS approach, sporadic assessments); Level 1, Risk aware (Web inventory, regular assessments, reactive security); Level 2, Basic lifecycle program (process and policies, security lifecycle, compliance audits, developers, QA and security); Level 3, Enterprise view (policy enforcement, best practices, third-party accountability, enterprise management of application health); Level 4, Center of Excellence (risk/ROI metrics, business alignment, executive dashboard, cost/schedule predictability).
The Application Security Maturity Model
The Application Security Maturity Model contains five levels, which define an increasingly sophisticated application security program. Most levels contain both descriptions of typical environments, some of which may be negative, and positive actions which are needed to progress through the model. The higher levels should be considered cumulative of all the positive actions recommended within previous levels. This maturity model is intended to be vendor-agnostic; however, we will place the HP Application Security Center software within appropriate levels to promote a greater understanding of the specific actions an organization should take when executing its own roadmap. More information about the HP Application Security Center software is included in Appendix A.
Level 0—Ad Hoc
Level 0, Ad Hoc, defines an organization which has virtually no program at all to promote security within its application development.
The organization is not aware of security mandates arising from regulations or other origins, or management has simply decided that these mandates are not applicable to their business. Perhaps even worse, the organization does not understand the risks inherent in possible security flaws within their software, and the associated costs to the business. These organizations are surely producing insecure software, and either knowingly or unknowingly taking the chance that these vulnerabilities will not be discovered and exploited. In some cases these are poorly managed organizations; however, in many cases they are excellent companies who care greatly about quality within other realms and may otherwise have robust IT security programs, and simply haven’t “connected the dots” to understand the consequences of vulnerable applications.
The developer teams, while conscientious for several years about the generic security issues (authentication, authorization, etc.), are not implementing any specific programs related to security and often see it as antithetical to time-to-market drivers.
Typically, the positive actions observed within Level 0 organizations come only from conscientious individuals, primarily within the information security department, acting on their own without a specific corporate mandate. If you are one of these individuals, here are some suggested actions:
1. Send relevant news items and papers such as this to key stakeholders within the organization.
2. Encourage various stakeholders to attend seminars or webcasts demonstrating application hacking.
3. Download a free trial of a tool, such as HP WebInspect, to demonstrate vulnerabilities within the organization’s own software. Make sure you have permission from organizational stakeholders, and ideally test applications that are not in production use.
For virtually any organization within Level 0, the goal should be to progress to the next level quickly.
Level 1—Risk Aware
In Level 1, Risk Aware, the organization has a basic awareness of the application security compliance mandates and business risks that apply internally. Often this is driven by a fairly pervasive requirement, such as the Payment Card Industry Data Security Standard (PCI DSS) and similar regulations. IT audit and external examiners may be catalyzing influences in driving organizational awareness. This will result in initial corporate policies regarding secure application development, which will prescribe standards for education, testing, and compliance. The security and developer teams may collaborate on security awareness programs for developers. The typical developer awareness course that makes a strong initial impact is along the lines of “Web Application Hacking,” where developers see their own applications or similar software hacked by an educator with penetration testing and assessment skills. This demonstration is augmented by a discussion of top development mistakes leading to security vulnerabilities, such as a failure to perform input validation. Driving awareness of the Open Web Application Security Project (OWASP) Top Ten, a listing of the ten most common Web application errors related to security vulnerabilities, within both the developer and security teams is also a key educational initiative.
Level 1 organizations will typically acquire a tool, such as HP WebInspect, for application security testing. The intended objective of HP WebInspect will be to test applications that are currently in production, as well as new applications prior to production usage, for an acceptable level of security. Often this is called “Bolted On Security,” because a version of the application has already been coded without specific security specifications stated within the requirements gathering and software design phases. However, we have observed an interesting organizational effect when a tool like HP WebInspect comes into use. It is often used to test other applications which may be in production already, finding important flaws. Developers will become interested and seek to have their own applications scanned prior to any required tests. HP WebInspect may also provide a baseline of the organization’s current application security status—we may find developers to be better or worse than we expected.
Level 1 organizations are relatively unsophisticated when it comes to processes specifically geared towards secure software development. Generally, these organizations are utilizing project management methodologies to drive the program, with loosely documented software development lifecycles.
To get to Level 1, an organization should take these positive actions:
1. Basic policies should be documented and communicated concerning secure application development standards and pre-production application security testing requirements. The policies should reference applicable regulations and other mandates, such as PCI DSS.
2. A tool such as HP WebInspect should be used to test applications before they are put into production usage. It may also be used as a catalyst to help enforce application security awareness.
3. Application developers should have some required security education, such as “Web Application Hacking” and a related course in proper coding to avoid common mistakes.
4. Drive awareness of the OWASP Top Ten within both application developers and IT security.
Level 2—Basic Lifecycle Program
The transition from Level 1 to Level 2, Basic Lifecycle Program, represents a strategic transformation in an organization’s approach to application security. At the heart of this level is the recognition that security must be “Baked In” to the entire application development lifecycle as opposed to being “Bolted On” at the very end. Vulnerabilities in software cease to be exclusively the responsibility of an individual, but instead are an organizational responsibility. The recognition of the lifecycle approach to application security drives several important positive actions within the enterprise.
In Level 2, an organization’s application development lifecycle process is clearly documented and multiple security checkpoint milestones are integrated into the process. Security requirements are determined during the process of defining the business and functional requirements. Software architects articulate security specifications within design documents used by developers. Developers will have secure coding practices and their application components will be security tested during the coding phase, creating an accelerated feedback loop. Quality Assurance (QA) teams will have a suite of negative functional tests to assure that applications do not allow insecure actions, in addition to performing the positive functional testing. IT Security, which in many cases was the organization’s early adopter of application security evangelism, will drive a more formalized documentation of compliance mandates and drive their inclusion within lifecycle testing.
As a further recognition of the lifecycle approach to security, technology tools will proliferate throughout the lifecycle. For example, developers and architects will utilize HP DevInspect within their Integrated Development Environments (IDEs) to facilitate vulnerability testing. QA will use HP QAInspect, integrated within their testing solutions, such as HP Quality Center, to create and execute a full battery of security tests during quality testing. The security team will continue to perform both pre- and post-production testing of applications with HP WebInspect. Some Level 2 organizations will begin using a management console such as HP Assessment Management Platform to provide an integrated view of their lifecycle security.
Level 2 organizations increase their use of enterprise risk management to enhance decision making during milestone checkpoints. Organizations may have some quantitative risk metrics, such as the value of assets and the cost of downtime. Most metrics used by Level 2 organizations will be qualitative, such as a High/Medium/Low ranking of security vulnerabilities that are identified.
Another consequence of the adoption of a lifecycle philosophy towards application security is an expansion of earlier educational initiatives into all constituencies of the application development lifecycle. Developers will still have the majority of the educational curriculum, which may drill down into courses for specific development environments. However, all key stakeholders require awareness education at the very least, including business units creating the demand for new and updated applications.
Positive actions organizations should take to reach Level 2 program maturity:
1. Document the Application Security Lifecycle, with clearly articulated security checkpoints throughout the lifecycle.
2. Use technology enablers throughout the lifecycle, for example HP DevInspect for application developers, HP QAInspect for quality assurance professionals, and HP WebInspect for pre- and post-production testing.
3. Consider a management tool, such as HP Assessment Management Platform, for an integrated view of the lifecycle.
4. Expand the educational curriculum to include all stakeholders.
5. Use risk management and risk metrics to improve decision making as it relates to security vulnerability ranking.
Level 3—Enterprise View
If you consider Level 2 as establishing a comprehensive framework for the lifecycle approach to application security, Level 3 is focused on filling out the framework and integrating the practices to provide, for the first time, a true enterprise-wide view of application security.
A key organizational dynamic that drives an organization towards Level 3 maturity is executive sponsorship. This does not mean that the executive team is fully involved with application security, but that one of its members may take a formal sponsorship role in the application security program, or will at least be an informal champion and influencer within the rest of executive management. The champion’s role in differing organizations can vary widely: it may be the chief information officer (CIO), chief financial officer (CFO), legal counsel, or even a marketing executive who sees application security as a business differentiator.
Level 3 organizations seek to build upon their application security lifecycle framework by instituting a best practices approach to the components that comprise the lifecycle. For example, rather than merely providing the education and tools to enable a developer to build a robust encryption module, the organization may encourage or require very specific encryption technology, specifying vetted crypto algorithms, key management solutions and central encryption libraries. The organization may also audit and modify the lifecycle process itself, possibly using recognized quality improvement processes to streamline application development and lower defect counts.
The organization may develop an application security resource center, with information about the best educational courses, an updated reading list, and comprehensive policy documentation among the resources included. All personnel with responsibilities that touch application development are aware of the application security resource center, and know to refer to the center for guidance. Centralized management of the overall program is needed at this point, and many organizations leverage a tool such as HP Assessment Management Platform to provide a real-time and comprehensive view of the application security program and to accelerate process automation.
A variety of metrics are commonly established by Level 3 organizations to provide a means to gain continuous improvement over time. People can be measured in several ways, such as the number of courses completed and certifications obtained, as well as being tested for mastery of specific knowledge. Testing tools can provide quantitative vulnerability metrics as well as qualitative severity rankings. One critical family of metrics developed by Level 3 organizations is business case models, such as Total Cost of Ownership, Balanced Scorecard, and other common IT measurement models. Defensible business cases are critical for executive oversight and to maintain the health of the overall application security program.
An observation made of Level 3 organizations is that their increasing sophistication and understanding of the dependencies and complexities of software lead them to turn outside to business partners and include them in their application security program. Driving security accountability in outsourced application development and commercial off-the-shelf (COTS) software is a key hallmark of a Level 3 organization.
Positive actions organizations should take to reach Level 3 program maturity:
1. Develop a strong commitment to established best practices related to all phases of the application development lifecycle.
2. Identify an executive sponsor.
3. Establish application security resource centers with comprehensive program information and detailed corporate policies.
4. Leverage a management tool such as HP Assessment Management Platform for comprehensive application lifecycle information.
5. Mandate accountability in third parties, such as outsourced developers and COTS software vendors. Guidance for doing this is provided in the earlier section “Creating Accountability in Outsourced and Procured Software Applications.”
6. Develop business case models measuring financial metrics of your application security program, such as those offered by the DHS “Build Security In” Web site.
Level 4—Center of Excellence
Level 4, Center of Excellence, characterizes high-performing organizations with a commitment to quality and alignment of software to business strategy. Level 4 organizations result from a multi-year commitment to an application security program and across-the-board improvements to the baselines established in a Level 3 program.
The Security Center of Excellence is comprised of people representing multiple groups within the organization who define enterprise security policy and procedure, measure overall security posture, and manage the progression of the application security program across the enterprise. While this initiative typically is driven by information security, the diversity of participation and enterprise support are critical success factors; participation will extend into the lines of business (LOBs) and often the office of the CFO. The Security Center of Excellence members are the security mentors for the entire organization and often conduct training and resolve complex security challenges.
A key indicator of Level 4 organizations is alignment with the business strategy and its risk appetite. A mature application security program understands the costs and timeframes required to develop software to an arbitrary security quality level and can respond to shifting business requirements with maximum agility. An application that addresses an emerging market may fit a high reward/low risk profile and can be shepherded more quickly through the complete application lifecycle. An organization’s risk appetite may vary widely depending on a specific business initiative, and the application security program needs to reflect this flexibility. Organizations at this level typically understand business cases for application security, and know the costs avoided and incurred by making various risk-based decisions (e.g., what is the cost of developing an unscheduled patch for XYZ vulnerability?).
Level 4 organizations have executive dashboards which report key metrics to C-level executives and enable timely and accurate decision making. These dashboards tend to be an aggregation of data from lifecycle management software solutions such as HP Assessment Management Platform, combined with enterprise risk management data and financial reporting. Organizations instituting Governance, Risk and Compliance (GRC) management measurements tend to be focused on applying these dashboards to a variety of business functions.
The educational curriculum in a Level 4 organization not only has a comprehensive set of application security courses, but is also organized in an efficient way to maximize learning effectiveness. For example, security curriculum roadmaps provide an employee with a specific route to attain security mastery for their role in the enterprise, such as a .NET or database developer. These roadmaps are also aligned with personal professional development and career goals.
At the end of the day, an organization with Level 4 maturity can develop software in a predictable timeframe at a predictable cost with a predictable security quality. Exceptions and outliers should be accounted for by the program itself. Obtaining Level 4 maturity is more an outcome of diligent improvement in all of the positive actions stated previously than a new set of steps; however, the following items should be considered if you seek to achieve Level 4 maturity:
1. Are you able to adjust your application security lifecycle’s controls based upon the risk profile of a given application?
2. Do you have an executive dashboard reporting system that puts application security within the context of key enterprise risk and financial metrics?
3. Have you integrated application security management tools like HP Assessment Management Platform into other management platforms?
4. Do you have a mature educational curriculum that provides professional development and career growth for key roles within your application security program?
5. Do you have metrics that indicate your application security quality has improved over multiple years?
6. Are your executives active participants within your application security program and do they provide the
[Figure: HP Application Security Center portfolio. Foundation: HP Assessment Management Platform for enterprise Web application security and risk management (policy and compliance administration, centralized vulnerability and risk management, alerts and reporting, distributed scanning). Products: HP DevInspect (source code testing for .NET and Java™ applications under development), HP QAInspect (security testing integrated with HP Quality Center), HP WebInspect (pre- and post-production application assessment). Shared components: intelligent engines, hybrid analysis, reporting, SecureBase, SmartUpdate, security toolkit, open APIs.]
Summary
The costs and consequences of insecure software create a compelling mandate towards securing software, particularly Web applications. Achieving a full application security program spanning people, process, and technology requires a roadmap with a series of actionable steps that can be flexibly applied to a wide variety of organizations. The HP Application Security Maturity Model incorporates a best practices approach to securing applications that has been proven in numerous enterprises. We recommend benchmarking your organization against this five-level maturity model and taking the steps outlined to progress towards developing a highly mature and effective application security program:
• Level 0: Ad Hoc. This level defines an organization that has no application security program. Individual champions within this organization should take steps to drive awareness of the issues within key stakeholders. Awareness can often be aided by the use of a tool such as HP WebInspect to identify security vulnerabilities within selected internal applications.
• Level 1: Risk Aware. An organization is beginning to tie application security to regulatory requirements and basic business risks. The organization should be promoting developer education and performing regular testing of applications. Level 1 companies have taken some sound application development practices and transformed them into corporate policy.
• Level 2: Basic Lifecycle Program. At this level, an organization understands the need to build security into the lifecycle process that develops applications, and takes steps to enable all phases of the lifecycle with tools such as DevInspect for developers, QAInspect for quality assurance professionals and WebInspect for security professionals. These organizations have a documented application security development lifecycle, and risk management is being used to assist in related decision making.
• Level 3: Enterprise View. These organizations have a level of sophistication which drives towards the implementation of best practices within their application lifecycle, have a mature resource center, require accountability from third-party application developers and have an executive sponsor. Level 3 companies will often use a tool such as HP Assessment Management Platform to provide comprehensive visibility into the application security program in real time.
• Level 4: Center of Excellence. Top-level organizations have truly integrated application security with the business, and can use a variety of risk metrics to adjust the application development process towards optimal business results. These organizations have experienced a tangible increase in application development quality internally and within the supply chain.
There is no doubt that you have important business reasons to care about application security. This white paper attempts to provide you with a working roadmap to answer the question of how you can secure software applications. The question facing you is, when will you take action? Will it be before a negative event occurs that undermines the business, or will it be afterwards? As part of your initiative to identify application security solutions, we recommend reading the other two parts to this series:
• Part 1: The mandate for application security
• Part 2: The comprehensive business commitment to application security
HP and the HP Application Security Center have a permanent commitment to providing comprehensive research, best practices, education, technology, and products to enable your enterprise’s own Security Center of Excellence and mature enterprise security program.
Appendix A. HP Application Security: solutions spanning the application lifecycle
HP Application Security Center software products are tailored to integrate with all phases of a business’s complete application lifecycle and are continuously updated to deliver an accurate and comprehensive assessment of Web sites and Web applications, including the latest Web 2.0 technologies.
In the section below we provide a brief introduction to the products, and position them in the context of the guiding principles in the previous section.
HP DevInspect. HP DevInspect can be seamlessly implemented within a variety of integrated development environments used by enterprise programmers, including Microsoft® Visual Studio®, Eclipse, and IBM Rational Application Developer, and provides your team with a solution that is easy to deploy, easy to use, and easy to realize value from. HP Hybrid Analysis, the patent-pending core of HP DevInspect, combines static analysis (“white box”) and dynamic testing (“black box”) to provide the most precise results, taking the guesswork out of what to fix. In addition, HP SecureObjects, provided as part of HP DevInspect, can be applied to automatically remediate the security vulnerabilities it identifies. By installing HP DevInspect on the developer’s desktop, we are able to begin fixing vulnerabilities during the initial coding phase of the lifecycle. Our research has shown that not only does HP DevInspect reduce vulnerabilities during the critical coding phase, but the tool creates a feedback loop with the developers, increasing their awareness of security issues introduced during the development process. While organizations will not hesitate to deploy HP DevInspect to internal developers, you should consider encouraging or mandating this tool with outsourced developers. HP DevInspect could be used to provide interim milestone reporting on the delivery of quality code and drive more accountability of outsourcing.
HP QAInspect. HP QAInspect applies sophisticated security testing to the quality assurance testing stage of the application development lifecycle. HP QAInspect integrates directly into the market-leading QA solution, HP Quality Center, allowing security tests to be run in conjunction with functional tests or as a standalone security validation, all from within a familiar interface. HP QAInspect has been designed from the ground up to fit effortlessly into existing quality organizations and methodologies. From requirements gathering to test planning to test execution, HP QAInspect establishes security as a pillar of application quality management.
HP WebInspect. HP WebInspect provides leading-edge Web application testing capabilities for security professionals, with the ability to identify the most current, highest-risk vulnerabilities within your Web applications. The tool provides expert guidance for less experienced security professionals while increasing the efficiency of experienced penetration testers and application security experts. Depending upon the scope of the application, several security testers may be needed from different organizations. While these testers may have a variety of techniques to identify vulnerabilities, there are distinct business process advantages to using an integrated tool to manage their assessment. HP WebInspect validates the configuration of your applications to help confirm that your application is secure from threats.
Vulnerabilities detected in an HP WebInspect report can more easily be remediated by a developer using HP DevInspect. The same issues can also be flagged by the QA department as the application is re-tested. Using a common test suite facilitates productivity during the iterative processes characteristic of the application development lifecycle.
An additional point to be made about a tool like HP WebInspect is that it can also be used as an acceptance testing measurement for commercial, off-the-shelf software. Enterprise software can be highly dynamic, and the customization process can create unintended vulnerabilities. The ability to perform black-box testing can drive accountability during the procurement process and negotiations pertaining to pricing and support.
New vulnerabilities are being discovered every day. The HP Web Application Security Research Group is an industry leader in Web application security research and provides daily updates to HP WebInspect via SmartUpdate to verify that you are always testing for the latest vulnerabilities.
HP WebInspect also provides you with the ability to continue to analyze both your existing and new Web applications throughout their life in production, reducing the risk to your business.
HP Assessment Management Platform. The HP Assessment Management Platform is used to assess and manage application security risk throughout the enterprise and the entire lifecycle. Security professionals use HP Assessment Management Platform to define their entire application security program, including security policies, testing permissions, testing schedules, running distributed scans, and more. It is the backbone of the HP Application Security Center, giving your organization visibility, scalability, and control over your application security initiatives.
HP SaaS for HP Application Security. Is time, skills or cost a challenge for you? With HP, application security does not need to be a challenge for you or your organization. With over eight years of experience in offering Software-as-a-Service (SaaS), HP Software as a Service for HP Application Security enables you to establish or augment your security program and start decreasing vulnerabilities more quickly.
HP Professional Services. HP also provides a full set of professional services programs to meet your needs, including product implementation and training, penetration testing, vulnerability scanning, and security program consulting services.
The HP Application Security Center provides the most robust and complete solution for protecting your business from application security breaches. Our suite of products provides a complete lifecycle approach to application security across development, QA and production. It is a true enterprise solution that provides accelerated ROI benefits compared with traditional security assessment methods by using proven technologies.
Technology for better business outcomes
To learn more, visit www.hp.com/go/securitysoftware
© Copyright 2009 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. Java is a U.S. trademark of Sun Microsystems, Inc.
4AA1-9816ENW, February 2009