February 29, 2008

Operationalizing Application Vulnerability Management


by Chenxi Wang, Ph.D.


EXECUTIVE SUMMARY

Criminals want access to your assets, and one of their preferred methods is to exploit vulnerabilities lurking in your applications. To protect your organization’s applications and the information assets contained in them, security and risk professionals must mitigate application vulnerabilities before attackers find and exploit them. The current crop of application security products and services helps, but does not provide a complete solution. Moreover, technology alone won’t completely solve your problem. Organizations need to consider application vulnerability management (AVM) as an ongoing process, and focus on process improvement. Strategically build your AVM on the foundation of risk management, supplement vulnerability management with an incident response plan, and look to asset and configuration management for complementary capabilities. Tactical considerations include utilizing application firewalls for “right-now” protection, seeking security technologies for next generation applications, and, whenever possible, leveraging services to lower your total cost of ownership (TCO).

TABLE OF CONTENTS

The Changing Market Forces Around Application Vulnerability Management

Operationalizing AVM

The Role Of Technologies And Services

Developing A Comprehensive AVM Program

RECOMMENDATIONS: Strategic And Tactical Steps Towards AVM

NOTES & RESOURCES

Forrester interviewed many vendor and user companies including: Cenzic, Core Security Technologies, Fortify Software, Microsoft, Ounce Labs, SPI Dynamics, and Watchfire, and many of their customers.

Related Research Documents

“HP and IBM Try To Pull Security Testing Into The Mainstream”

September 21, 2007

“Managing Application Security From Beginning To End”

August 14, 2007

“The Forrester Wave™: Web Application Firewalls, Q2 2006”

June 23, 2006

Operationalizing Application Vulnerability Management

by Chenxi Wang, Ph.D., with Jonathan Penn and Allison Herald

THE CHANGING MARKET FORCES AROUND APPLICATION VULNERABILITY MANAGEMENT

Cyber attackers have for years assailed network and system level vulnerabilities, fueling demand for products like firewalls and network vulnerability scanners. As these products mature and IT security teams learn to better handle network security, we are seeing a visible increase in attacks moving up the stack to target application-level vulnerabilities.1

Businesses have a great deal to be concerned about regarding application vulnerabilities. Symantec reports that 61% of all vulnerabilities discovered today can be attributed to application-level flaws.2 Forrester’s recent security survey showed that 77% of enterprises and SMBs consider application security an important IT initiative, and 35% have already adopted or plan to adopt application security measures in the next 12 months (see Figure 1).

So how can you protect your organization’s application assets? If you manage the development process, you need to actively build security into application development.3 Then, establish a vulnerability management process for applications in operation including legacy, outsourced, and packaged as well as in-house developed applications.

Figure 1 Application Security Is A High Priority For IT Shops

1-1 “How important is application security to your IT security organization in the next 12 months?” Response categories: Very important, Important, Somewhat important, Not important, Don’t know (chart values as extracted: 5%, 18%, 42%, 35%, 1%). Base: 2,112 security decision-makers.

1-2 “What is your organization’s interest in adopting application security technologies and services?” Response categories: Already adopted, Will pilot or adopt in the next 12 months, Interested but no plans to adopt, Not interested, Don’t know (chart values as extracted: 35%, 24%, 14%, 21%, 6%). Base: 429 security decision-makers.

Source: Enterprise And SMB Security Survey, North America And Europe, Q3 2007; Forrester Research, Inc.


Business Drivers

In addition to increased threats targeting applications, business drivers that support operational application security initiatives include:

· Regulatory requirements. The payment card industry (PCI) standards, which include an application security mandate, are a major factor in awareness of and interest in AVM.4 Merchants covered by PCI compliance must incorporate code-level audits or Web application firewalls to mitigate security vulnerabilities. Other regulations like Sarbanes-Oxley, Gramm-Leach-Bliley, the Federal Information Security Management Act (FISMA), and the Health Insurance Portability and Accountability Act (HIPAA) demand similar measures, as vulnerable applications erode business integrity and data privacy.

· Reputational damage from data breaches. Businesses that collect customers’ personal and financial information are expected to keep such information from prying eyes. A security breach such as the TJX incident, in addition to incurring regulatory penalties, can result in the loss of customer confidence and business reputation.5 These consequences are difficult to measure in actual dollar terms, but often have a direct impact on business.6

· Financial consequences of security breaches. The cost of application security breaches, especially those that result in data being compromised, can be substantial. Forrester estimates that the cost per record for a security breach is approximately $305 for companies in a highly regulated industry.7 This cost can be prohibitively high for companies that handle hundreds of thousands or millions of data records.

Given these business drivers, and the fact that software outsourcing (and offshore outsourcing) is becoming increasingly common, the risk of exposure simply cannot be ignored.8

OPERATIONALIZING AVM

Managing security vulnerabilities for operational applications is a multi-faceted process that includes, at a high level, information gathering, analysis, remediation, and audit. These different facets are part of an ongoing operational process (see Figure 2).

· Information gathering or discovery. This is the phase in which application vulnerabilities are uncovered. The various sources of vulnerability discovery include, but are not limited to, application vulnerability scanners, the software manufacturer, and third-party penetration tests.

· Analysis. Vulnerabilities that are discovered should be analyzed to understand their relevance, root causes, risk criticality, and corresponding mitigation methods. The purpose of this analysis is to identify critical vulnerabilities, guide mitigation, and determine resource allocations. This step is critical, as vulnerability discovery without risk analysis will offer little operational

Figure 2 High Level AVM Process Diagram (a continuous cycle of Discovery, Analysis, Remediation, and Auditing. Source: Forrester Research, Inc.)

· Remediation. The remediation phase includes implementation, testing, and installation of changes to application code, system architecture, or configurations to mitigate or eliminate identified vulnerabilities. Remediation might also take the form of workarounds or disabling of services.

· Audit. Your discovery-analysis-remediation process should be subject to regular auditing and review. The purpose of auditing is to review the effectiveness of your AVM program and update AVM processes if necessary. The auditing process should include evaluating mean-time-to-fix history and performing targeted penetration tests against the system.

As systems and applications change often, you should conduct these tasks — information gathering, analysis, remediation, and auditing — in a continuous fashion to ensure that you stay on top of new vulnerabilities and risk factors.

THE ROLE OF TECHNOLOGIES AND SERVICES

You can enlist a variety of technologies and services to help manage application vulnerabilities in your operational environment. Because today’s commercially available technologies and services comprise a sparse capability map that is far from a complete solution, you will likely have to fill in the missing pieces to create an approach that works for your environment. As a start, however, you should consider these technologies and services.

Information Gathering Tools And Services

· Automatic application scanning and penetration testing. Automatic scanning technologies use “black box testing” that sends malformed inputs to the application and scrutinizes the responses for vulnerabilities and unexpected behavior.9 Penetration testing will go further to actually exploit the vulnerability and observe consequent behaviors. Service offerings in this area are well suited to providing periodic, on-demand scanning. In-house tools might require additional testing apparatus to achieve full automation. Available Web application scanners include AppScan from IBM/Watchfire, Hailstorm from Cenzic, WebInspect from HP/SPI Dynamics, WVS from Acunetix, and a new pen testing tool from Core Security Technologies. Service vendors include Cenzic, Watchfire, and WhiteHat Security. Tools that focus on protocol penetration testing include Codenomicon and Mu Security.

· Manual penetration testing services. Many consulting and systems integrator organizations like Deloitte, IBM, and PricewaterhouseCoopers (PwC) offer manual penetration testing services. Manual tests that use human intelligence to guide the penetration steps can uncover hard-to-locate errors, and often more accurately reflect the actions of an actual attacker. These services augment automatic tools to offer a more in-depth vulnerability investigation. Service outfits that specialize in security penetration testing include Cigital, Independent Security Evaluators (ISE), McAfee/Foundstone, and Security Innovation.

· Public vulnerability databases and vulnerability sharing clubs. Public databases and vulnerability sharing clubs are valuable sources of vulnerability information. Bugtraq, the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), the United States Computer Emergency Readiness Team (US-CERT), and the Open Source Vulnerability Database (OSVDB) are notable public vulnerability databases.10 Many of these databases conform to MITRE’s Common Vulnerabilities and Exposures (CVE) language, which standardizes descriptions of vulnerabilities. For-profit vulnerability sharing clubs like Symantec’s DeepSight, VeriSign’s iDefense, and 3Com’s Zero Day Initiative are gaining popularity. These clubs sometimes provide faster-to-market information because they offer financial incentives for the discovery and submission of zero-day flaws. Your software manufacturer’s vulnerability announcements, e.g., from Microsoft and Oracle, are also an important source of vulnerability information.

Analysis Capabilities

Technologies that aid application level vulnerability analysis are the least developed capabilities in the entire application vulnerability management landscape. Many scanning tools include a rudimentary level of analysis and remediation guidance. But the advanced capabilities largely missing from the market today are:

· Contextual analysis. In order to efficiently isolate root causes and identify fixes, vulnerability reports need to include contextual information like architectural composition, exploitation methods, and probabilities of exposure. This information can significantly reduce time-consuming guesswork for developers and expedite time to remediation.

· Cause correlation. Correlation analysis can eliminate multiple vulnerabilities due to the same root cause and help development teams more accurately focus on causes rather than symptoms.

· Alignment with enterprise risk management. AVM analysis should be part of the IT risk analysis in the large. This alignment ensures that attention is focused on vulnerabilities that truly matter and resources are properly allocated.

Although few tools today offer these capabilities, some products like AppScan and WebInspect are beginning to include simple but promising forms of correlation and contextual analysis.11 Organizations should leverage this available functionality and develop solution components that do not yet exist within commercial offerings.

Remediation Tools

Remediation, for the most part, should involve human effort because each fix requires implementation and testing and sometimes necessitates complex changes to existing operational environments. For certain cases, however, automatic means exist. Mature auto-remediation capabilities available today include patch management and Web application firewalls.

· Patch management. Patch management systems provide capabilities like acquiring, testing, and installing patches. Available products that automate patch management tasks include RingMaster Software’s Automated Patch Management, Lumension Security/PatchLink Update, and Gibraltar Software’s Everguard.

· Web application firewalls. A Web application firewall (WAF) sits in front of a Web application and filters Web traffic. Unlike network firewalls, a WAF has application semantic knowledge like input range and format and lexicon information to detect anomalies and policy violations. A WAF can be used to implement dynamic filtering policies (to mitigate certain vulnerabilities), install workarounds, and disable access to a particular interface without changes to the application code. In many cases, using a WAF is a quicker and cheaper way to mitigate the impact of Web application vulnerabilities. Leading WAF vendors include Breach Security, Citrix Systems, F5 Networks, and Imperva.

· Other tools. Related technologies like network access control (NAC) can be used for remediation actions like quarantining machines and devices from the enterprise environment until they have been scanned for vulnerabilities.

Taken together, the commercial offerings available today do not yet provide a complete solution, nor do they offer easy integration with enterprise risk management efforts. Without this integration, vulnerability management will not graduate from a niche security offering to an enterprise initiative.

DEVELOPING A COMPREHENSIVE AVM PROGRAM

The first step in developing an AVM program is defining a set of policies that will govern the processes of AVM. You should define the policies within the context of your overall IT risk objectives. Instead of adopting a policy that reads, “Thou shall not have any vulnerability in your applications,” consider taking your top IT risks and defining a set of policies that addresses each risk objective. For example, if unauthorized disclosure of customer data is a critical risk, your policy should include: “My applications that handle customer data, in any way, shape, or form, should be secure against actions designed to breach private consumer data.”

Once you’ve established the policies, you can further expand the high level framework — discovery, analysis, and remediation — with concrete process steps that are governed by the policies (see Figure 3).

Figure 3 The Application Vulnerability Management Process (process diagram with these labeled stages: Risk assessment and policy definition; Discovery: external vulnerability sources, application scanning; Vulnerability analysis: prioritize, identify root cause and fix; Remediation: design, actuate, test, vendor resources, report and request change, acquire update; Auditing. Source: Forrester Research, Inc.)


Vulnerability Discovery

Identifying vulnerabilities is an essential step towards risk mitigation. The key is to establish a systematic process for discovering new and relevant vulnerabilities. Your process should include these elements:

· Leverage external sources. Subscribe to your vendors’ vulnerability announcement lists, public vulnerability databases, and, if applicable, vulnerability sharing clubs. The key here is to filter the lists for vulnerabilities that are relevant to you.

· Implement a regular application scanning and penetration testing process. Analogous to regular health checkups for humans, you need to periodically test the security health of your operational application assets. The best way to achieve this is through application scanning tools that support auto-scheduling or on-demand services. Critical applications should be scanned, at a minimum, once a month if not more frequently. Other applications should be scanned quarterly.

· Attain application asset management. As an added benefit, many application scanning tools can discover, classify, and help inventory application assets. Today’s enterprise environment can contain tens of thousands of applications. The ability to classify and catalog application assets is an increasingly critical business function. Asset management should provide information like versioning, vulnerability tracking, configuration, patching, and asset values. You can use a standalone asset management system to achieve this function, but it will likely require custom integration with your vulnerability management solution.

Your policies pertaining to vulnerability discovery should state how often scanning is to be performed, for what assets, and how extensively.
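The "filter the lists for vulnerabilities that are relevant to you" step above depends on the versioned application inventory the asset-management bullet calls for. The following is an added example, not code from the report or from any vendor named in it: it matches constructed advisory feed entries (placeholder identifiers, not real CVE ids) against a constructed inventory and tags each hit with the remediation path the report describes (acquire the vendor patch, or report to the vendor and design a workaround).

```python
"""Added example, not from the Forrester report: filtering an external
vulnerability feed down to the advisories that apply to your own application
inventory, and tagging each hit with the remediation path it implies.
Advisory identifiers, product names and versions are all constructed."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    ident: str             # the feed's identifier (constructed placeholder here)
    product: str
    first_affected: str    # lowest affected version
    fixed_in: str | None   # None: the vendor has not shipped a fix yet
    summary: str


@dataclass(frozen=True)
class DeployedApp:
    name: str
    product: str
    version: str
    owner: str  # the team that receives the trouble ticket


def parse_version(v: str) -> tuple[int, ...]:
    """'2.4.10' -> (2, 4, 10). Non-numeric suffixes are dropped so '1.2b' sorts with 1.2."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(adv: Advisory, app: DeployedApp) -> bool:
    """True when the deployed version lies in [first_affected, fixed_in)."""
    if adv.product.lower() != app.product.lower():
        return False
    v = parse_version(app.version)
    if v < parse_version(adv.first_affected):
        return False
    return adv.fixed_in is None or v < parse_version(adv.fixed_in)


def relevant_advisories(feed, inventory):
    """Return (app name, owner, advisory id, next action) for every applicable advisory.

    The action mirrors the remediation decision in the report: acquire the
    vendor patch when one exists; otherwise report to the vendor and design
    a workaround (for example a WAF rule) while the fix is pending.
    """
    hits = []
    for app in inventory:
        for adv in feed:
            if is_affected(adv, app):
                action = "acquire patch" if adv.fixed_in else "report to vendor; design workaround"
                hits.append((app.name, app.owner, adv.ident, action))
    return hits


# Constructed feed entries (identifiers are placeholders, not real CVE ids).
FEED = [
    Advisory("ADV-0001", "ExampleWebServer", "2.0.0", "2.4.11", "input validation flaw in request parser"),
    Advisory("ADV-0002", "ExampleWebServer", "3.0.0", None, "authentication check bypass"),
    Advisory("ADV-0003", "ExampleDB", "10.0", "10.2.3", "memory corruption in report import"),
    Advisory("ADV-0004", "OtherProduct", "1.0", "1.1", "product not in our inventory"),
]

# Constructed application inventory carrying version and owner, the data the
# report's asset-management bullet says the inventory should provide.
INVENTORY = [
    DeployedApp("customer-portal", "ExampleWebServer", "2.4.10", "web-team"),  # inside ADV-0001 range
    DeployedApp("partner-api", "ExampleWebServer", "3.1.2", "api-team"),       # ADV-0002, no fix yet
    DeployedApp("reporting-db", "ExampleDB", "10.2.3", "dba-team"),            # already at fixed version
    DeployedApp("intranet-wiki", "ExampleWebServer", "2.4.11", "it-ops"),      # already at fixed version
]


if __name__ == "__main__":
    for name, owner, ident, action in relevant_advisories(FEED, INVENTORY):
        print(f"{name}: {ident} -> ticket to {owner}: {action}")
```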

Vulnerability Analysis

IT risk assessment is a crucial step in vulnerability analysis. Risk assessment helps answer questions like which vulnerabilities have critical business impact and how you should prioritize your remediation tasks. More specifically, the analysis stage should include:

· Root cause identification. This step often needs the help of your developers. But before you go back to developers or your vendor, you should perform as much context and aggregation analysis as possible to help isolate root causes. Viewing vulnerabilities in aggregation and in the operational context enables you to more accurately isolate root causes and eliminate false positives. For example, a buffer overflow error in your database application could result in the disclosure of confidential data, but a contextual analysis might reveal that the database does not take user inputs directly and the intermediary program performs boundary checks, in which case the risk is significantly reduced.

· Risk prioritization. Often, an application scan produces a list of vulnerabilities with associated CVSS scores to indicate their criticality.12 However, a single CVSS score carries limited information, which might or might not apply to your particular environment. You must augment that score with your own IT risk assessment to prioritize vulnerabilities within applications that have a critical impact on your business, and decide on the appropriate mitigation measures.
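The two analysis bullets above (aggregate findings by root cause; augment the scanner's CVSS score with business context) can be made concrete. The following is an added example, not code from the report or from any scanner it names: asset names, finding IDs, CVSS values and the weighting factors are constructed, and the weights stand in for whatever an organization's own IT risk assessment would supply.

```python
"""Added example, not from the Forrester report: contextual risk prioritization
and root-cause correlation of scanner findings. Asset names, finding IDs,
CVSS values and weighting factors are all constructed sample data."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    business_criticality: int  # 1 (low) .. 5 (handles customer data)
    internet_facing: bool
    accepts_user_input: bool   # False when an intermediary validates input first


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    weakness: str     # e.g. "SQL injection"
    location: str     # where the scanner observed the symptom
    cvss_base: float  # the scanner's CVSS base score, 0.0 .. 10.0
    root_cause: str   # shared cause, e.g. the function that builds the query


# Constructed inventory: the database never parses user input directly, the
# situation the report's root-cause bullet describes as reducing the risk.
ASSETS = {
    "customer-portal": Asset("customer-portal", 5, True, True),
    "reporting-db": Asset("reporting-db", 5, False, False),
    "intranet-wiki": Asset("intranet-wiki", 2, False, True),
}

# Constructed scanner output: three symptoms of one flawed query builder,
# a high-CVSS overflow in the shielded database, and a low-value XSS.
FINDINGS = [
    Finding("F-001", "customer-portal", "SQL injection", "/login user", 9.0, "buildQuery()"),
    Finding("F-002", "customer-portal", "SQL injection", "/search q", 9.0, "buildQuery()"),
    Finding("F-003", "customer-portal", "SQL injection", "/account id", 8.5, "buildQuery()"),
    Finding("F-004", "reporting-db", "buffer overflow", "report parser", 9.8, "parse_report()"),
    Finding("F-005", "intranet-wiki", "cross-site scripting", "/page title", 6.1, "render_title()"),
]


def contextual_score(f: Finding, assets: dict[str, Asset]) -> float:
    """Augment the CVSS base score with the asset's business and exposure context.

    The weights are illustrative, not a standard; a real program takes them
    from its own IT risk assessment.
    """
    a = assets[f.asset]
    score = f.cvss_base * (a.business_criticality / 5.0)  # scale by business impact
    if not a.accepts_user_input:
        score *= 0.5  # input is boundary-checked upstream before reaching this component
    if not a.internet_facing:
        score *= 0.7  # internal exposure only: reduced, never dismissed
    return round(score, 2)


def correlate_by_root_cause(findings: list[Finding]) -> dict[tuple[str, str], list[Finding]]:
    """Group findings that share (asset, root cause): one fix removes them all."""
    groups: dict[tuple[str, str], list[Finding]] = defaultdict(list)
    for f in findings:
        groups[(f.asset, f.root_cause)].append(f)
    return dict(groups)


def prioritize(findings: list[Finding], assets: dict[str, Asset]) -> list[tuple[str, str, float, list[str]]]:
    """Return (asset, root cause, highest contextual score, finding ids), most urgent first."""
    ranked = []
    for (asset, cause), group in correlate_by_root_cause(findings).items():
        top = max(contextual_score(f, assets) for f in group)
        ranked.append((asset, cause, top, sorted(f.finding_id for f in group)))
    ranked.sort(key=lambda r: r[2], reverse=True)
    return ranked


if __name__ == "__main__":
    # Raw CVSS would put the 9.8 database overflow first; context puts the
    # customer-facing query builder (three findings, one fix) at the top.
    for asset, cause, score, ids in prioritize(FINDINGS, ASSETS):
        print(f"{score:5.2f}  {asset:16s} {cause:16s} {', '.join(ids)}")
```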

Remediation

Determining the root causes of vulnerabilities should immediately kick off a remediation process. The actual remediation steps will vary depending on the nature of the root cause and your application life cycle and operational environment. But you must establish a standard process that governs the remediation practice (see Figure 4).

· Initiate a trouble resolution process. Once you determine the root cause of a vulnerability, you should issue a trouble ticket to track and monitor the progress of remediation. You might have to manually integrate the scanner’s trouble tickets with your ticket resolution system.

· Go to the vendor for available cures. If a vendor-supplied patch is available, patching is the easiest way to mitigate your risks. If no patch is available, you might elect to report back to your vendor and request a patch.

· Instigate an in-house fix. This includes implementing workarounds or code-level fixes. Potential workarounds include installing specific application firewall rules, adding additional access controls, or application migration. You need to work with the application owner or the enterprise architect to design and thoroughly test changes before they go live.

Figure 4 AVM Remediation Process Flow Overview (flow chart: Issue trouble ticket, kick off a monitored trouble resolution process → Is a vendor-supplied patch available? → if yes, Acquire patch; if no, Report to vendor and Design a workaround or implement fixes → Test and install changes → Ticket resolved. Source: Forrester Research, Inc.)

· Manage the remediation process. Use an enterprise workflow system to automate the delegation of (prioritized) tasks that control mitigation of vulnerabilities.

Note that changes (due to remediation) in your operational environment can lead to new vulnerabilities or make old vulnerabilities regress. It is therefore imperative that you continuously perform and monitor vulnerability discovery.

Audit

The audit function should be carried out by a team independent of the personnel responsible for vulnerability management. Policy-setting management should determine the frequency of audits based on the risk of your business functions. The auditing process should include:

· Log analysis. Test the general effectiveness of your AVM program by analyzing vulnerability management records, application scanning logs, and relevant security event information.

· Controls assessment. Run compliance tests of AVM controls, such as remediation processes for particular categories of vulnerabilities.

· Incident post-mortem. Review existing policies and procedures whenever a critical security breach occurs. Analyze how the breach happened and whether it was due to an untreated vulnerability. Assess whether there is a need to update existing policies and procedures to mitigate similar circumstances.

The audit reports should assess whether the vulnerability management processes and procedures are effective and, if they are not, describe deficiencies as well as suggested corrective actions.

Auxiliary Procedures

In addition to the core processes described above, a number of additional procedures that have significant impact on operational security should be treated as part of your application security program.

· Develop an application security awareness and training program. This includes training for developers and operations personnel as well as general employee education. Awareness efforts should include regular communication to executives and external evangelization. Developer and employee training should be an ongoing effort, not a one-off engagement at the time of hire.

· Document your vulnerability management history. Document the steps you followed from vulnerability discovery to elimination, communication between the members of your team, actions taken to mitigate the vulnerabilities, and the effects of those actions. Some day you might need this history. When did you discover the vulnerability? What did you decide to do about it and why? What was the priority of dealing with it compared to other vulnerabilities? Such information can be especially important for audits and post-incident investigations as well as for improving the vulnerability management process.

RECOMMENDATIONS

STRATEGIC AND TACTICAL STEPS TOWARDS EFFECTIVE AVM

AVM is a complex subject. Effective approaches require the collaboration of security personnel, application owners, and the risk management team. Security professionals need to approach this both strategically and tactically. On the strategic front:

· Build your AVM on the foundation of IT risk management. Understanding the risk priority of business and related IT functions is the only way to develop a pertinent vulnerability management program. You should allocate resources for each AVM process according to the risk impact on your business functions, and design specific steps to meet acceptable risk tolerance levels.

· Back up application vulnerability management with a solid incident response plan. Vulnerabilities are a fact of life. You do your best to eliminate them. But if an undiscovered vulnerability is exploited, you need a contingency plan to mitigate your risk exposure.

· Augment your program with components outside of the information security space. Vulnerability management spans security, application life-cycle management, and enterprise architecture. Thus, you’ll need to look beyond pure security for augmenting capabilities like IT asset and configuration management. As with integration to patch management, you need to develop a process for integrating your AVM discovery and analysis results with these other management systems in order to effect changes to IT assets and/or configurations.

Tactical considerations include:

· Web application firewalls that offer right-now protection. If you operate a Web application, chances are you are under attack. A Web application firewall (WAF) can shield your application from known malicious threats and provide much-needed protection. In some cases, you can use the WAF to implement dynamic workarounds while buying time to properly track, verify, and remediate vulnerabilities within your system.

· Managed services for lower TCO. Application security tools are maturing, but they still require significant effort to master and integrate into your enterprise environment. Organizations should consider managed application security offerings like scanning services and managed Web application firewalls to lower cost of ownership. Small organizations, in particular, will find economic benefits in outsourcing vulnerability management tasks.

· Don’t forget protection for next generation applications. The popularity of Web 2.0 led to a plethora of applications that use non-traditional programming techniques (e.g., Microsoft AJAX, Flash, client-side input). These applications pose difficulties for traditional black-box scanners. Scanning technologies that support Microsoft AJAX and Web 2.0 testing are a big plus.

ENDNOTES

1 Forrester evaluated leading Web application firewall vendors across 101 criteria. Improvements in network security mean that attackers are commonly probing Web servers and Web applications for an easy way in, and Web application firewalls have grown along with this kind of attack. See the June 23, 2006, “The Forrester Wave™: Web Application Firewalls, Q2 2006” report.

2 Source: “Symantec Internet Security Threat Report,” March 2007 (http://eval.symantec.com/mktginfo/enterprise/white_papers/ent-whitepaper_internet_security_threat_report_xi_03_2007.en-us.pdf); “Symantec Internet Security Threat Report,” September 2007 (http://eval.symantec.com/mktginfo/enterprise/white_papers/ent-whitepaper_internet_security_threat_report_xii_09_2007.en-us.pdf).

3 Organizations that develop applications in-house have a decision to make: wait until someone exploits a vulnerability in the system and fix it, or proactively build in security early on in the development process to mitigate vulnerabilities before attackers find them. A proactive application security program should extend to every relevant phase of the application life cycle, from conception to operation. Program success hinges on the commitment and support of executive management. Security personnel need to work with application owners and business stakeholders to prioritize resources and ensure that proper measures are implemented throughout the life cycle. See the August 14, 2007, “Managing Application Security From Beginning To End” report.

4 In September 2006, PCI incorporated new application security requirements in section 6.6 that demand the inclusion of new application security measures. Many organizations are enlisting the help of application scanning technologies and services to meet this particular requirement (https://www.pcisecuritystandards.org/).

5 TJX International is a $13 billion, US-based retail empire that owns TJ Maxx, Marshalls, and a number of other well-known consumer brands. It was revealed in March 2007 that attackers using antennas outside of various retail locations were able to tap into the in-store wireless network and steal more than 45 million credit card and account numbers. The incident is believed to be the worst data breach ever in US history.

6 Customer advocacy drives real loyalty, a willingness to buy and borrow more from, and save and invest more with, a firm a consumer already uses. When consumers rate their financial institutions on customer advocacy, insurers rank highest, led by USAA. Many brokerages, especially full-service firms like A.G. Edwards, were rated higher this year than last. The largest US banks continue to bring up the rear, their credit card operations scoring just as poorly as their banking operations. Top-rated firms like credit unions, on the other hand, manifest customer advocacy by emphasizing product independence and delivering solutions that take the whole customer relationship into account. See the June 25, 2007, “Customer Advocacy 2007: How Customers Rate Banks, Brokerages, Insurers, and Credit Card Issuers” report.

7 Trying to determine the cost of a data breach is no easy task. Calculating the expenses of legal fees, call centers, lost employee productivity, regulatory fines, stock plummets, and customer losses can be dizzying if not impossible. Many factors should be part of the data breach cost calculation, and more than just those associated with losing money. Although studies might not be able to determine the exact cost of a security breach, the loss of sensitive data can have a crippling impact on an ill-prepared organization’s bottom line in particular, so it’s important to be able to make an educated estimate of the cost. See the April 10, 2007, “Calculating The Cost Of A Security Breach” report.

8 In software development contracts, require that your business partner have developed and/or engineered its software without any undocumented application code that bypasses any security controls. Furthermore, require that best practices in secure coding be followed. See the September 4, 2007, “Managing Information Risk In Business Partner Relationships” report.

9 Web application security scanners operate differently from other vulnerability scanners. Web applications consist of custom code containing common classes of vulnerable defects, not known vulnerabilities. The Web application vulnerability scanning products probe these custom applications looking for instances of those common vulnerability classes.

10 The National Vulnerability Database (NVD) of the National Institute of Standards and Technology is the US government repository of standards-based vulnerability management data. This data, in part, enables automation of vulnerability management, security measurement, and compliance.

11 IBM/Watchfire produces the AppScan product. HP/SPI Dynamics produces the WebInspect product line. Both products have built-in analysis capabilities that aim to reduce false positives and more accurately identify root causes.

12 MITRE and a number of other organizations jointly created the Common Vulnerability Scoring System (CVSS) that provides a universal language for conveying the severity of vulnerabilities. The US National Institute of Standards and Technology (NIST) participated in the Special Interest Group of CVSS, and adopted the scoring system for its National Vulnerability Database. The CVSS has been adopted as an industry standard by many organizations including PCI DSS.

Forrester Research, Inc. (Nasdaq: FORR) is an independent technology and market research company that provides pragmatic and forward-thinking advice to global leaders in business and technology. For more than 24 years, Forrester has been making leaders successful every day through its proprietary research, consulting, events, and peer-to-peer executive programs. For more information, visit www.forrester.com.