Web Admin Blog

The first presentation of the day that I went to  was by GE’s Darren Challey and was about GE’s application security program and how he took a holistic approach to securing the enterprise.  My notes on this presentation are below:

Why is AppSec so hard?

• AppSec changes rapidly (look at difference between 2004, 2007, and 2010 Top 10)
• Changing landscape
  • Increase skill and talen t pool of technically proficient individuals willing to break the law
  • Growing volume of financially valuable data online
  • Development of criminal markets (black markets) to facilitate conversion to money
• “Attackers now have effective skills, something to steal, and a place to sell it”

• Application Security is a complete one-sided game
• Need to become an enabler (not a barrier)
• Must inject application security earlier through Guidance, Education, and Tools
• Must understand the development and deployment process and integrate rather than mandate
• NIST study on cost to repair defects when found at different stages of software development (http://www.nist.gov/director/prog-ofc/report02-3.pdf)
• Solving the problem of the enterprise (Culture Change)
• Success factors
• Form a mission and strategy
• Develop policy (but not corporate “mandate”)
• Gain executive buy-in (cost / benefit / risk)
• Understand the magnitude of problem (metrics)
• Asset inventory and vulnerability management
• Develop standards (what should I do and when?)
• Establish a formal program (strong leadership)
• Focus on education and training materials
• Develop in-house expertise, services and “COE”
• Continuous improvement, measurement, KPI
• Communicate!
• Drive a culture change (shared need, WIIFM)
• Communicate expectations with vendors
• Implement incentives (and penalties)
• Digitize after the process is solid (tools)
• AppSec program mission & structure
• AppSec program strategy
• Policy (guidance) -> Standards (Guidance) -> Training (Education) -> Metrics (tools) -> Security tools (tools) -> Inventory & tracking (tools) -> Monitor & Improve

Guidance

• “GE Application Security Working Group” (Talking to the businesses is critical!  Meet every 2 weeks.)
• Secure Coding Guidelines
• Vulnerability Remediation Guide
• Secure Deployment
• Quick Reference Card
• Contractual Language
• Desk Calendars
• Metrics: AppSec calendars helped increase visitors to key Guidance materials  (track hits to website docs when certain activities take place)

Education

• CBT1: Intro to AppSec at GE (60 min for any IT person) – why AppSec is important and what happens when you don’t do it
• CBT2: GE Best Practices for Secure Coding (90 min)
• CBT3: Attack Profiles & Countermeasures (120 min for security people)
• Developer Awareness Assessment:
  • 100’s of internally-developed questions
  • Randomized questions, timed completion
  • Vendors track their own resutls
  • Allows tailoring of training/awareness programs

Tools

• – COE AppSec assessment services
• Vendor framework & Metrics
• Compliance handbook
• Common objects repository
• GE Enterprise Application Security
• Scanning and Monitoring tools
• Automation is the way to go (but the tools are not quite there yet)

Metrics

• Measure Vendor AppSec Performance (Avg % Critical/High Vulnerabilities per Assessment vs % Assessments with Zero Critical/High Vulnerabilities)
• Is it making a difference (map avg of critical/high vulnerabilities per assessment)

Forming a Center of Excellence

• Combines the best available people, processes and tools
• Formal training & defined roles (Comprehensive training program for all auditors to ensure skills are kept current and that auditors can provide more than one type of service)
• COE Team structure (tools, research, operations, stakeholder management, queue management, application security auditors
• Application Assessment Types (black/grey box vs white box)
• Application assessment process (map of the workflow with “swim lanes” of who does each step)
• Measure number of vulnerabilities and severities
• Measure customer satisfaction (overall, ease of engagement, responsiveness)