Improving Application Security After An Incident

Cory Scott Matasano Security

Where Do Application Security Programs Come From?

Would be nice.

Maybe.

Definitely.

Where we are and where were going.

An incident, you say?

Could be a near miss Or an unfortunate impact Thats fine, well pull out our trusty
dusty (network) response plan...

FAIL

Traditional Network Incident Response

Root cause is one or more of the Theres an app for that. And a process template. And an audit guideline. Whew... All Done! Usually one neck to choke.

following: credentials, access control, patch, or configuration.

Application Anarchy!
Could be one of many root causes. Could be the fault of the developer, the

framework author, third-party plug-ins, application operations, poor requirement definition, client-side security, etc etc. youre going to need some process for it too... practice?

Theres probably an app for some of that. But Quick - how do you audit a secure coding How many necks can you choke?

Queue Foreshadowing Music Here

Oh, the people youll meet!

Internal Auditors (grr!) External Auditors (eep!) Executives (*cringe*) Development Managers (hey, you!) Network Security People (...) Application Security Salesmen in your
C[X]Os office (WTF!)

The Opportunity & The Problem

Taking the root cause to the bank

You can prove that the Quick Fix is not

The Fix.

Youve just got some funding for an

appsec program. Congratulations! OR show that youre going to do something meaningful with it. OR trenches until the next one.

You may be getting funding... IF you can You may have to go back into the

But then...

AppSec Stallout!

Management priority shift. Fatigue, fear, and loathing. Bought the $PRODUCT, the problem is solved. Right? Right? Got the Pentest, all clean! Right? X days without a workplace incident, all good! Analysis Paralysis Auditor Pile-On The LCD of Compliance

READY... FIRE... AIM!

Assessment Strategies to Prevent Stallout

Identify High-Risk Applications

Emphasis on high-risk Enforce the two-sentence rule to

identify loss potential insufficient

Existing inventories are usually Dont fight against intuition Get it over with

Scoping is Critical

Get this wrong and youve just wasted thousands of dollars.

Scoping is Collaborative
Get everyone to the table, including: Application Owner Development Guy Information Security Guy The Tester Ambiguity at the beginning is okay, but not
at the end. Respect the fact that this make some people uncomfortable.

Best of both worlds

Embrace Design Reviews in addition to

implementation-oriented assessments HOWEVER: Questionnaires are to Design Reviews what Web Vulnerability Scanners are to Penetration Testing

Flexible & Standardized at the same time?!

Define a targeted short-list of

Design review Tools Code review Manual Penetration Testing

vulnerabilities and weaknesses.

Assessment choices are good!

Standardize approach and deliverable for

each choice.

Pick your battles and weapon of choice

The first few engagements are the most
important.

Insert a QA checkpoint and a postassessment feedback process.

Pick friendly application teams to start. Bring in external teams at the beginning to
crib off of their approach and delivery.

Management Strategies to Prevent Stallout

Get funding for remediation upfront

Strike while the iron is hot (and the wallet is
open).

Rule of thumb: remediation cost equals

assessment cost.

Consider a two-level approach for each Youll make friends!

app: a pre-approved not-to-exceed amount and a separate budget request for larger initiatives.

Assign Specialists

Understand the business unit Maintain a watchlist of applications Scope and schedule assessments Assist in Incident Response

Process Change

SDL improvements Small steps with pilot groups Leverage specialists Vendor management Give them a risk assessment that
they can self-operate to start

Encourage reusable assessments

Detection & Response

You worked so hard to get situational

awareness, dont lose it!

First on your wish-list: logging and Specialists can help in preparation

and response.

audit trails that you didnt have preincident that would have helped you respond faster and with less legwork.

Metrics
KRIs KPIs

# high-risk applications # of assessments performed Code/component coverage for each assessment Assessment coverage per business unit # of vulnerabilities opened for each application # of vulnerabilities addressed with a plan # of vulnerabilities closed or remediated

Vulnerabilities still open for each application Applications within open vulnerabilities that have suffered a successful attack within the last year Applications with open vulnerabilities with no clear path towards remediation or where the risk has been accepted by the business unit