
Accelerating Application Security Conversations

  • Writer: Edmund Johnson
  • Jan 15, 2021
  • 5 min read

Updated: Jan 27, 2021

Information security is a priority for everyone. The news is filled with stories of companies having data stolen, systems being defaced, and physical theft of equipment. Corporate Information Security Officers (CISOs) have a prominent and growing role in most corporations. CISOs are dedicated to making sure that all policies are being enforced and best practices are being followed. They are focused on availability, auditability, and security. It is a tough job.


When it comes to the security of applications, the job of the information security team gets even tougher. There always seems to be tension between application development teams and information security teams. Application teams are struggling with business requirements and application constraints. Security teams have a mountain of standards that must be adhered to, and every application handles security differently. As a result, application teams often fear all the questions and additional work that the security team will put on them. Conversations between them often get sidetracked on minor issues because of misunderstandings. And the complexity of the conversation gets worse when you add a SaaS solution (like Workday or Salesforce) or an IaaS platform (like AWS or Azure).


My favorite tool for facilitating these discussions is a framework that structures the issues. Frameworks give focus, structure, and consistency to the discussion. A framework creates a systematic way to move from one area of an application to another. And if you start at the inner circle and work outward, you can add controls that complement the existing ones.


Every application or system has some commonality. Data is physically stored somewhere at some point. The application must share data within and outside of the system. Applications have users and a visual interface for using the application. The data presented can be captured (on purpose or accidentally) and shared outside of the organization. Each control in the framework protects against specific threats but leaves certain vulnerabilities.

I recommend an application security framework that looks at each of those areas and ensures that controls exist to protect each one. What makes security tough for applications is that you need multiple controls to protect your system. In fact, you will need multiple controls in each area or layer to fully protect the application.


Before we go any further, I need to confess that this framework is focused on application security. It is meant to help application teams and security teams work through issues. Enterprise infrastructure provides a ton of protection to applications through firewalls, web application firewalls, and other devices, and applications often get these services automatically. Plus, there are tons of frameworks for securing enterprise infrastructure, and manufacturers have detailed guides and white papers to ensure security. Applications and systems often do not have the same level of practice, and their integration patterns are often light on security.


The diagram below shows how the controls in the four areas above can be layered to provide more complete security. In our discussion, we will look from the inside out at some of the controls that might be implemented in each layer.

[Diagram: the four control areas layered from the inside out]

Data Theft is the first area of focus. Theft can come in multiple forms. It can be physical theft of a device like a hard drive, or an individual gaining access to a server and directly reading data files. There are different controls, like turning on drive encryption so the drive can only be read by the original computer. Drive encryption prevents access to data if a drive is stolen or retired without being properly erased. However, drive encryption still allows badly behaved applications and administrators to read data on the disk. Another control is to turn on database encryption. Database encryption prevents a user on the server from skipping the database server's security and reading the file directly. But again, the data can still be accessed by anyone with credentials (stolen, misused, or obtained through a vulnerability). Another technique is to use external encryption on highly sensitive data like account numbers or social security numbers. Data is encrypted before being stored in the database and decrypted after being retrieved by a service. This adds an extra layer of protection against theft.


Data Transport is another focus area. Data must be protected from electronic eavesdropping and from being misdirected. In-flight data needs to be secured as it moves across the network. This includes both encrypting traffic between machines and protecting the exchange of data files between systems. Transport-level protocols like TLS (HTTPS) are critical to securing credentials and the data being transmitted. Data files being shipped should use asymmetric encryption tools like PGP to ensure confidentiality between machines and organizations. With SaaS solutions, Cloud Access Security Brokers can add encryption protections between a SaaS solution and the destination device. Security controls for data transport are great for preventing people from listening in.


The third category is Access & Privilege. While data transport and data theft controls prevent unauthorized access, access & privilege controls limit the user to only what they need to do their job. The first control required in this category is authenticating users to confirm their identity. Once the application has confirmed the identity of the user, the application must assert control and only allow the user to perform actions that they are authorized to perform. The application must also limit the visibility of data to only the data that is required to do the job.


The final area is to stop data leakage. All the controls above do a great job of preventing unauthorized access to a system. There is another security risk: authorized users accidentally or fraudulently releasing sensitive data. The user could be well intentioned and sending a report home to do work at night. The user might want to take customer data to a new job. The first control is to implement Data Loss Prevention (DLP), which can block transmission of data outside of the company. The technology uses lists of sensitive data to scan email and data transfers for potential leaks and blocks transmissions that match its criteria. The design of an application needs to consider how sensitive data is shared with the DLP solution for scanning. DLP coupled with disabling USB ports is an effective way to reduce leakage. Logging combined with user behavioral analytics is an effective way to identify users who are stealing data slowly over time. It identifies changes in usage patterns by a user or by comparison with peers.
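Added example, not from the original post: a small Go scanner of the kind a DLP policy runs over outbound mail or file transfers, exercised on constructed sample lines. It pairs a pattern match with a Luhn checksum so that order numbers that merely look like card numbers do not trigger a block; the patterns and the decision rule are my assumptions, not a description of any particular DLP product.

```go
package main

import (
	"regexp"
	"strings"
)

type Finding struct {
	Line  int
	Kind  string
	Match string
}

var ssnRe = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
var cardRe = regexp.MustCompile(`\b(?:\d[ -]?){13,16}\b`)

// luhnValid filters out order numbers and timestamps that merely look like cards.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// ScanOutbound checks each line of an outbound body (mail, file, API payload) the way a DLP policy would.
func ScanOutbound(body string) []Finding {
	var out []Finding
	for i, line := range strings.Split(body, "\n") {
		for _, m := range ssnRe.FindAllString(line, -1) {
			out = append(out, Finding{i + 1, "ssn", m})
		}
		for _, m := range cardRe.FindAllString(line, -1) {
			if luhnValid(strings.NewReplacer(" ", "", "-", "").Replace(m)) {
				out = append(out, Finding{i + 1, "card", m})
			}
		}
	}
	return out
}

// ShouldBlock is the transmission decision: any finding blocks the send.
func ShouldBlock(body string) bool { return len(ScanOutbound(body)) > 0 }
```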


One common application security control that was not listed above is Data Masking. The concept of data masking is that sensitive data is substituted with fake data in a way that allows the application to continue to work. Lower environments often have fewer security controls, to allow development of the solution, and a wide mix of people (employees, consultants, and offshore outsourcing) using the system. By using fake data, there is no risk of sensitive data being leaked either by accident or on purpose. This is by far the most difficult control to implement within an enterprise.
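Added example (my own Go code, not the post's): a masking routine for the lower-environment scenario above. Each digit is replaced using a keyed hash of the real value, so the fake value keeps its length and separators, can keep a visible trailing segment such as the last four digits, and is consistent across tables so joins still work. The masking key is constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"strings"
)

// maskKey is generated fresh for each refresh of the lower environment and stays
// in production; this value is constructed for the example only.
var maskKey = []byte("example-mask-key-rotate-per-refresh")

// Masker substitutes fake identifiers that keep the original format (length and
// separators) so validation, display and joins still work, and that are
// consistent: the same real value always maps to the same fake value.
type Masker struct{ key []byte }

func NewMasker(key []byte) *Masker { return &Masker{key: key} }

// MaskDigits rewrites every digit of value except the last keepLast ones
// (e.g. the last four of an account number), leaving separators in place.
func (m *Masker) MaskDigits(value string, keepLast int) string {
	mac := hmac.New(sha256.New, m.key)
	mac.Write([]byte(value))
	stream := mac.Sum(nil) // 32 keyed pseudo-random bytes derived from the value
	total := 0
	for _, c := range value {
		if c >= '0' && c <= '9' {
			total++
		}
	}
	var b strings.Builder
	seen, k := 0, 0
	for _, c := range value {
		if c < '0' || c > '9' {
			b.WriteRune(c) // separators such as '-' or ' ' are kept
			continue
		}
		seen++
		if seen > total-keepLast {
			b.WriteRune(c) // preserved trailing digits
			continue
		}
		b.WriteByte('0' + stream[k%len(stream)]%10)
		k++
	}
	return b.String()
}
```

With the key and a small value space such as social security numbers the mapping can be brute-forced, so the key must stay in production and be discarded after the refresh.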


When building the framework, I would make sure that everyone has the same understanding of each control you are evaluating. At the very least, each control should have a description, what it protects, and what it doesn't protect. Having these definitions up front in the discussion is critical to keeping the conversation focused and reducing confusion.


Application security is a tough subject. There is no perfect set of controls. Everyone has to look at the system and find the right mix of controls that balances business needs, technological constraints, and security. It takes the entire team to do a full assessment. Having a framework and definitions for each control can really improve conversations amongst the team and drive toward a more secure solution.

©2021 by Edmund Johnson. Proudly created with Wix.com