Securosis

Research

Building an Enterprise Application Security Program: Use Cases

This post will discuss security and compliance use cases for an enterprise application security program. The following are the main issues enterprises need to address with enterprise application management, in no particular order. None of these drivers are likely to surprise you. But skimming the top-line does not do the requirements justice – you also need to understand why enterprise applications offer different challenges for data collection and analysis, to fully appreciate why off-the-shelf security tools leave coverage gaps. Compliance Compliance with Sarbanes-Oxley and the Payment Card Industry Data Security Standard (PCI-DSS) remain the primary drivers for security controls for enterprise applications. Most compliance requirements focus on baselining ‘in-scope’ applications – essentially configuration assessments – to ensure known problem areas are periodically verified as compliant. Compliance controls typically focus on issues of privileged user entitlements (what they can access), segregation of duties, prompt application of security patches, configuring the application to promote security, and consistency across application instances. These assessment scans demonstrate that each potential issue has a documented policy, that the policy is regularly tested, and that the company can produce a report history to show compliance over time. The audience for this data is typically the internal audit team, and possibly third-party auditors. Change management & policy enforcement Beyond external compliance requirements enterprises adopt their own policies to reduce risk, improve application reliability, and reduce potential for fraud. These policies ensure that system and IT administrators perform their jobs – both to catch mistakes and to help detect administrative abuse of assigned privileges. Examples include removal of unneeded modules which contain known vulnerabilities, tracking all administrative changes, alerting on – and possibly blocking – use of inappropriate management tools, disabling IT administrators’ access to application data, and detecting users or permissions which could provide ‘backdoor’ access to the system. All of which means these policies are specific to an individual organization, are more complex, and require a great deal more than application assessment to verify. Effective enforcement requires a combination of assessment, continuous monitoring, and log file analysis. And let’s not beat around the bush – these policies are established to keep administrators – of IT, databases, and applications – honest. The audience for these reports is typically internal audit, senior IT management, automated change management systems, and the security group. Security A debate has raged for 15 years about whether the greatest threat to IT is external attackers or malicious insiders. For enterprise applications the distinction is less than helpful – both groups pose serious threats. Further muddying the waters, external parties seek privileged access, so they may be functioning as privileged insiders even when that is an impersonation. Beyond attack detection, common security use cases include quarterly ‘reconciliation’ review, watching for ad hoc operations, requests for sensitive data at inappropriate times or from suspicious locations, and even general “what the heck is going on?” visibility into operations. These operations are commonly performed by users or application administrators. Of all the use cases we have listed, identifying suspicious acts in a sea of millions of normal transactions is the most difficult. More to the point, while compliance and policy enforcement are preventive operations, security is the domain of monitoring usage in near-real time. These features are not offered within the application or supporting database platform, but provided through external tools – often from the platform vendor. Transaction verification As more enterprise applications serve external users through web interfaces, the problem of fraud growing. Every web-facing service faces spoofing, tampering, and non-repudiation attacks, and often (and worst) SQL injection. When successful these attacks can create bogus transactions, take partial control of the supporting database, and cause errors. But unlike general security issues, these attacks are designed to create fraudulent transactions and constructed to look like legitimate traffic. How companies detect these situation varies – some firms have custom macros or procedures that look for errors after the fact, while others use third-party monitoring and threat intelligence services to detect attacks as they occur. These tools are designed to detect users who attempt to make the application behave in an unusual manner – relying on metadata, heuristics, and user/device attributes to uncover misuse by application users. Use of sensitive information Most enterprises monitor the use of sensitive information. This may be for compliance, as with payment data access or sensitive personal information, or it may be part of a general security policy. Typical policies cover IT administrators accessing data files, users issuing ad hoc queries, retrieval of “too much” information, or any examination of restricted data elements such as credit card numbers. All the other listed use cases are typically targeted at specific user or administrative roles, but policies for information usage apply to all user groups. They are constructed to define uses cases which are not acceptable, and alert or block them. These controls may exist as part of the application logic, but are typically embedded into the database logic (such as through stored procedures), or provided by a third-party monitoring/masking tool deployed as a reverse proxy for the database. The next post will detail how enterprise applications differ from other platforms, and how those differences create security gaps for off-the-shelf tools. Share:

Share:
Read Post

Apple Security and Privacy Updates

I realize I have been slacking off posting here at Securosis, but thanks to a string of big event thingies, I thought I should link to a bunch of recent Apple security and privacy articles I posted over at TidBITS (mostly) and Macworld. I do probably need to write up the bit where local apps that are iCloud enabled seem to save document drafts on iCloud once you start writing, as opposed to when you save the documents in iCloud. This means any open drafts, in many text editors, load data into the cloud even if you only want to save them locally. Apple states they remove this data once you save the file to your local drive, but it is a bizarre design decision from a company that has made so many security and privacy improvements recently. So, um, don’t open up a TextEdit window and paste your temporary (or permanent!) passwords in it, unless you save the file someplace local first. Now on to the articles: First is an older Macworld article, Why Apple Really Cares About Your Privacy. This one predated Apple’s big public privacy push, and is the key piece that ties the rest of these together. Basically, Apple is using privacy against Google (and to a lesser degree certain other competitors) because the differences in business models makes it difficult for anyone else to differentiate on privacy to the same degree. This is an excellent alignment of economics to improve security and privacy, and I expect it to define a lot of what we see in the coming years. The next three articles show how Apple is following through on its privacy messaging within products: To start Apple dramatically improved the data security of iOS, much to the chagrin of folks in law enforcement. You likely read this all over the place, but this piece ties together a lot of context I didn’t see in other articles. Also, as an emergency responder, my arguments cannot be dismissed with the “if you only saw what we see” argument. I have seen more than my fair share of horrible things, including horrible things happening to children, so I get it. But that is no excuse to sacrifice fundamental civil liberties. Part of the problem is that some people in law enforcement are so used to getting access to whatever they need for an investigation that they see it as a legal right, and don’t understand that today’s technologies cannot include lawful access capabilities without deeply compromising security. Next up I wrote a piece detailing how Spotlight Suggestions handles privacy. While less of a big picture issue, this highlights the steps Apple is taking to harden their pro-privacy stance down to low-level feature design. Not that they always get it right – as illustrated by that iCloud issue. This next piece also relates to privacy, but is more about the business landscape Apple is working within. I discussed the real reason some merchants are blocking Apple Pay. Many of you understand the reasons merchants hate credit card companies (Hello, PCI!), and Apple is merely caught in the middle. For the record, I wish we would get half as many comments on Securosis articles as on this one! One last article ties the series up (even though it wasn’t the last one published) and serves as a good bookend to the privacy piece: The last piece is the most important for the long term. You Are Apple’s Greatest Security Challenge. Yes, Apple made mistakes with the celebrity photo thefts. Mistakes that those of us in cloud security are very familiar with. But, to their credit, they also deal with a scale and scope very few organizations need to consider. Including some key differences from Google, who has been doing a better job on this front. It is a very nuanced issue, and the decisions Apple makes here will have profound repercussions for the ecosystem. That’s it for now. It seems there is Apple-related security news every week. A lot of the headlines are total BS, like the article a few years back claiming a major security flaw in iPhones, when it was really a problem in every GSM phone on the planet. But that doesn’t get page views, and Apple security has become the “if it bleeds, it leads” of the tech world. Share:

Share:
Read Post

Friday Summary; October 31, 2014

I was at Intel’s Focus conference earlier this week. Intel basically held a McAfee coming-out party, and announced that the security practices of both firms will henceforth be run under the single umbrella of Intel Security. Not much to report on that, but I spoke to more customers at this event than at any other vendor event. And they were chatty, which is nice. But something is troubling me. Do you know what they did not mention as a problem? Mobile. Nope. The biggest surprise of the week was hearing security practitioners and CISOs talk about the threat of the IoT (Internet of Things), without even mentioning mobile. I am still surprised, because a) mobile is really here, b) security of mobile data is a problem on most devices, c) mobile app controls and spotty authentication are still an issue, and d) the market has yet to embrace a good model for control. IoT does not even feel real yet, but the security practitioners I heard speak are currently dealing with threats to Point of Sale terminals, medical devices, cars, and a whole bunch of devices we have used for a long time, but where the current generation includes sophisticated processors and Internet connectivity. Still, IoT is your biggest concern? Really? This will be the one of the shorter Friday Summaries I have written because … it’s here. The puppy I predicted would be landing in my home has arrived. Early, in fact. I am sure it’s because the breeder was exhausted by him. He is slightly ornery, possessed of limitless energy, and fearless. Which means he is into everything all the time. Say hello to ‘Satchmo’: I don’t usually talk about my pets much on this blog, but it has been years since we had a new puppy in the house, and you forget all the lifestyle changes that come with a new puppy. Plus he’s very cute, and seems to get along with everyone great. He has only been here a short time but he’s worn me out. And my wife. And my adult Boston. And everything else that lives here … except the Boxer. Boxers never get tired, so I think the rest of us are going to take a nap while those two play. Happy Halloween all! Halloween on a Friday is the best, so have fun! On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Adrian and Chris Eng will talk integrating security into Agile next week. Favorite Securosis Posts Adrian Lane: Incite 10/29/2014: Short Memory. I am actually FAV-ing my “Card of the Sith” Incite in this week’s post. Rich: [Building an Enterprise Application Security Program New Series. Ho boy, is this a big topic. Adrian jumps into one of the most painful issues for enterprises to deal with: internal apps. Mike Rothman: Firestarter: It’s All in the Cloud. I had fun recording this week’s Firestarter. Though we did miss Adrian. There was no one to keep Rich and me on track! Other Securosis Posts Building an Enterprise Application Security Program: Use Cases. Apple Security and Privacy Updates. New Research Paper: Trends in Data Centric Security. Old School (Computer). Favorite Outside Posts Adrian Lane: Challenges With Randomness In Multi-tenant Linux Container Platforms. Containers seem to have caught fire, and I expect them to be the ‘struts’ of this generation. But stressing any hot new approach turns up systemic flaws. A good discussion by James Bayer. Rich: Facebook Open Sources Host Monitoring Tool, Increases Internet Defense Prize. This is interesting. I did an interview on the tool, based on a high-level description (trust me – I warned the reporter I would need to see it working for a real assessment). It sounds like a Chef/Puppet competitor. But this gathers different information, which is more security relevant, and then enables you to query it like a database. That is very interesting. Might have to play with it! Mike Rothman: SHE’S A WRECK. What a courageous post by aloria, baring her issues with brutal honesty and candor. Thankfully she made it through, but understand that her bipolar disorder is a daily battle. Rarely do we get to see the people behind the avatars, the unvarnished challenge of being imperfect and human. as we all are. Pepper: AT&T, Verizon Using ‘Perma-Cookies’ to Track Customer Web Activity. I didn’t think I needed a VPN but I am now considering paying for Cloak. Research Reports and Presentations Trends in Data Centric Security White Paper. Leveraging Threat Intelligence in Incident Response/Management. Pragmatic WAF Management: Giving Web Apps a Fighting Chance. The Security Pro’s Guide to Cloud File Storage and Collaboration. The 2015 Endpoint and Mobile Security Buyer’s Guide. Analysis of the 2014 Open Source Development and Application Security Survey. Defending Against Network-based Distributed Denial of Service Attacks. Reducing Attack Surface with Application Control. Leveraging Threat Intelligence in Security Monitoring. The Future of Security: The Trends and Technologies Transforming Security. Top News and Posts UPnP Devices Used in DDoS Attacks Chip & PIN vs. Chip & Signature Adobe’s e-book reader sends your reading logs back to Adobe–in plain text. *sigh* Automated NoSQL exploitation with NoSQLMap CurrentC for mobile payments and exclusivity CurrentC site hacked Alleged Dropbox hack underlines danger of reusing passwords Blog Comment of the Week This week’s best comment goes to Pat Bitton, in response to Old School. I always hark back to the operating code for dBase II and WordStar both fitting on a single 360K floppy. Share:

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.