Jardine Software

by

Understanding the “Why”

If I told you to adjust your seat before adjusting your mirror in your car, would you just do it? Just because I said so, or do you understand why there is a specific order? Most of us retain concepts better when we can understand them logically.

Developing applications requires a lot of moving pieces. An important piece in that process is implementing security controls to help protect the application, the company, and the users. In many organizations, security is heavily guided by an outside group, i.e.. the security group or 3rd party testers.

Listen to the podcast of this topic

Looking at an external test, or even a test by an internal security team, often the result is a report containing findings. These findings typically include a recommendation to guide the application team in a direction to help reduce or mitigate the finding. In my experience, the recommendations tend to be pretty generic. For example, a username harvesting flaw may come with a recommendation to return the same message for both valid and invalid user names. In most cases, this is a valid recommendation as it is the reason for the flaw.

But Why? Why does it matter?

Working with application teams, it quickly becomes clear the level of understanding regarding security topics. The part that is often missing is the Why. Sure, the team can implement a generic message (using the username harvesting flaw above) and it may solve the finding. But does it solve the real issue? What are the chances that when you come back and test another app for this same development team that the flaw may exist somewhere else? When we take the time to really explain why this finding is a concern, how it can be abused, and start discussing ways to mitigate it, the team gets better. Push aside the “sky is falling” and take the time to understand the application and context.

As security professionals we focus too much on fixing a vulnerability. Don’t get me wrong, the vulnerability should be fixed, but we are too focused. Taking a step back allows us to see a better approach. It is much more than just identifying flaws. It is about getting the application teams to understand why they are flaws (not just because security said so) so they become a consideration in future development. This includes the entire application team, not just developers. Lets look at another example.

An Example

Let’s say that you have a change password form that doesn’t require the current password. As a security professional, your wheels are probably spinning. Thinking about issues like CSRF. From a development side, the typical response “Why do I need to input my password when I just did that to login to change my password?” While the change will most likely get made, because security said it had too, there is still a lack of understanding from the application team. If CSRF was your first reason, what if they have CSRF protections already in place? Do you have another reason? What about if the account is hijacked somehow, or a person sits at the user’s desk and they forgot to lock their PC? By explaining the reasoning behind the requirement, it starts to make sense and is better received. It dominos into a chance that the next project that is developed will take this into consideration.

When the business analysts sits down to write the next change password user story, it will be a part of it. Not because security said so, but because they understand the use case better and how to protect it.

If you are receiving test results, take the time to make sure you understand the findings and the WHY. It will help providing a learning objective as well as reduce the risk of not correcting the problem. Understand how the issue and remediation effects your application and users.

James Jardine is the CEO and Principal Consultant at Jardine Software Inc. He has over 15 years of combined development and security experience. If you are interested in learning more about Jardine Software, you can reach him at james@jardinesoftware.com or @jardinesoftware on twitter.

by

5 Things to Improve Your Application Security Program

Application security is on the top of everyone’s todo list, and it isn’t as easy as it seems. There are lots of moving parts supported by lots of solutions. We know it is not possible to do everything. James Jardine, our CEO, put together a webcast the other day with a few different things you can do to help improve your application security program.

Watch the Full Video

You might be surprised by the list, since it does not deal directly with the traditional recommendations of static or dynamic analyzers or threat modeling. Instead, he takes a higher level approach to look at how the program as a whole can be improved. Here is a quick rundown of the list (watch the free video for much more insight):

Getting the App Teams Involved

Neither the security teams or the applications can do it all alone. Although many may not want to admit it, we need each other. Traditionally, I have seen security teams trying to take on too much of the burden when it comes to tools and security aspects of an application. Unfortunately, they usually do not have the required skillets or the access to fix many of the issues that are identified. It is important to start getting the application teams, that includes the developers, business analysts, testers, and others all involved with the security of the application. Application security is everyone in the company’s responsibility. The app teams are capable of managing tools like static and dynamic analyzers and even doing some level of security testing. The critical first step in this process is having good solid communication and collaboration between the different teams.

Identify Skill-sets and Resources

Building on the process of getting the application teams involved, we need to understand what resources and skillets we currently have in our organization. Take the time to evaluate your resources to understand what is available. In addition, you need to understand what skillets you need for your tasks. There may be specific technical skill sets, like a specific programming language, or they may be management type skill sets you need. This is where the hard work comes in. It requires you to really understand what your goals are to help determine how you will get there. Once the lists are compiled, it is easier to identify which skill-sets or resources are in need. This leads us to the ability to then determine how we gain those skill-sets. It may be through hiring new resources, or it might just be that you need to provide some training to existing resources. Without having a solid understanding of what you want, you may find yourself hiring resources that don’t help move the program forward.

Training

Training is very important, in fact, it is a must have for the different teams. With the traditional separation of security and development, development doesn’t have as much security experience or training. As you move towards getting more application team involvement, training is the foundation to build upon. The team must have the resources to understand security at a high enough level to be efficient at the tasks they are responsible for. Don’t expect better application security if the teams are not getting the support they need.

Application Inventory

Do you have an application inventory where you track all of your applications? For most companies the answer is no, or we track some applications but they are not kept up to date. An application inventory helps quickly identify the applications, their data classifications, 3rd party library usage, and much more. With the reliance on so many 3rd party libraries, this can be useful when a library is found to be vulnerable. How do you know if it effects your applications or which ones? How do you know which apps have had penetration tests, or are even required too. The application inventory plays a key role in helping understand these decisions.

Policies and Procedures

Last, but not least, do you have policies and procedures in place regarding application security. These policies are what guide the teams into performing better security. If there are no guidelines in place, you can be sure that it will be much more difficult to get good compliance. Take the time to create the policies you need to help define how application security should be handled. Extend those policies and guidelines out to different pieces, such as static or dynamic scanning. How should those tools be used, who is responsible, when should they be executed. Defining the program helps guide the roadmap to an improved application security program.

Watch the Full Video

Jardine Software focuses on helping companies retrieve more value out of their programs. Contact us to discuss your concerns and understand how we can help improve your application security program.

James Jardine is the CEO and Principal Consultant at Jardine Software Inc. He has over 15 years of combined development and security experience. If you are interested in learning more about Jardine Software, you can reach him at james@jardinesoftware.com or @jardinesoftware on twitter.

by

Webcast: Introduction to Penetration Testing for Application Teams

In most organizations it is the security team that initiates and manages the penetration tests. The application teams are called upon to ensure that an environment is available, credentials are created, and to remedy any findings in the report. Many application teams don’t even get the full report, rather just a listing of the findings. This listing often doesn’t include the needed details.

In this presentation, James Jardine focuses on educating application teams on what a penetration test is and how to extract the most value from it. Application teams learn how to participate in the engagement and better understand the report.

You can watch the recorded session at any time at: https://youtu.be/I1PukF8Glh0

https://youtu.be/I1PukF8Glh0

James Jardine is the CEO and Principal Consultant at Jardine Software Inc. He has over 15 years of combined development and security experience. If you are interested in learning more about Jardine Software, you can reach him at james@jardinesoftware.com or @jardinesoftware on twitter.

by

Introducing the Security Learning Opportunity (SLO)

We are happy to announce the release of the Security Learning Opportunity (SLO) template. SLO is a free template that helps application teams continue their security education through the use of security related items identified within the business applications.

Benefits

  • Relevant to the business – Identifying issues that relate directly to the business, or a business application helps the team understand the impact of the issue. Typical training uses purposely vulnerable applications or examples from other companies for reference.
  • Continuous education – Training needs to be re-enforced throughout the year. SLO provides an opportunity to participate in small learning sessions over time in addition to what resources may get through a 2-4 day class held annually.
  • Effective use of time – SLO is designed to be a short task, allowing the application team to focus more time on building great applications.

You can get SLO from https://www.developsec.com/wp-content/uploads/2016/02/SLO.docx

SLO helps organizations share the information that typically gets handled by one or two developers. Often times, when a vulnerability is discovered, it is handed to one developer to fix. Unfortunately, the other developers are never made aware, leading to a continuation of creating the same issues going forward. The SLO hopes to help solve that issue. The developer, or other team member, can fill out the template and then easily share the results with the rest of the team. This is great if the remediation should be done consistently within the applications.

For example, you find CSRF and decide on a specific way to mitigate it. You will want all of the developers to understand how this mitigation works and how to implement it going forward. If only one developer looks at the issue, resolves it, and moves on, it leaves all the other developers in the dark. It also helps testers and other team members understand the significance of the issue and ways to identify it.

SLO is designed to require only a short amount of time and is composed of 2 phases.

Phase 1: Identification and Analysis (Est. 30 minutes)

During the first phase, a team member will identify a security issue that makes sense to share with others. Don’t get caught up trying to create a SLO for every security issue identified. The trick is to identify things that can be shared on a mass scale and provide value to the other team members. Once an issue is identified, some analysis is performed to determine the following items:

  • Description of the issue
  • Risk the issue presents
  • How to identify/test for it
  • Remediation

It is estimated that it should take around 30 minutes to complete the identification and analysis phase of the project.

Phase 2: Sharing the Information

The real value of the SLO is realized when the information captured is shared with the team. There are multiple opportunities to share the information.

  • With the group during dev meeting or stand up
  • Share via email or internal collaboration site
  • Include as part of yearly or other security training classes

Sharing the information can be anywhere from 5-30 minutes, depending on the issue identified.

Download It Now

You can get SLO from https://www.developsec.com/wp-content/uploads/2016/02/SLO.docx

James Jardine is the CEO and Principal Consultant at Jardine Software Inc. He has over 15 years of combined development and security experience. If you are interested in learning more about Jardine Software, you can reach him at james@jardinesoftware.com or @jardinesoftware on twitter.

Company Profile

Jardine Software Inc. was founded in 2002. Originally focused on software development, we now focus on helping development teams and … Read More...

Resources

Podcasts
DevelopSec
Down the Security Rabbithole (#DTSR)

Blogs
DevelopSec
Jardine Software

Engage With Us

Contact Us

Jardine Software Inc.
Email: james@jardinesoftware.com



Privacy Policy