Why is AppSec so hard?

• AppSec changes rapidly (look at difference between 2004, 2007, and 2010 Top 10)
• Changing landscape
  • Increase skill and talen t pool of technically proficient individuals willing to break the law
  • Growing volume of financially valuable data online
  • Development of criminal markets (black markets) to facilitate conversion to money
• "Attackers now have effective skills, something to steal, and a place to sell it"

• Application Security is a complete one-sided game
• Need to become an enabler (not a barrier)
• Must inject application security earlier through Guidance, Education, and Tools
• Must understand the development and deployment process and integrate rather than mandate
• NIST study on cost to repair defects when found at different stages of software development (http://www.nist.gov/director/prog-ofc/report02-3.pdf)
• Solving the problem of the enterprise (Culture Change)
• Success factors
• Form a mission and strategy
• Develop policy (but not corporate "mandate")
• Gain executive buy-in (cost / benefit / risk)
• Understand the magnitude of problem (metrics)
• Asset inventory and vulnerability management
• Develop standards (what should I do and when?)
• Establish a formal program (strong leadership)
• Focus on education and training materials
• Develop in-house expertise, services and "COE"
• Continuous improvement, measurement, KPI
• Communicate!
• Drive a culture change (shared need, WIIFM)
• Communicate expectations with vendors
• Implement incentives (and penalties)
• Digitize after the process is solid (tools)
• AppSec program mission & structure
• AppSec program strategy
• Policy (guidance) -> Standards (Guidance) -> Training (Education) -> Metrics (tools) -> Security tools (tools) -> Inventory & tracking (tools) -> Monitor & Improve

Guidance

• "GE Application Security Working Group" (Talking to the businesses is critical!  Meet every 2 weeks.)
• Secure Coding Guidelines
• Vulnerability Remediation Guide
• Secure Deployment
• Quick Reference Card
• Contractual Language
• Desk Calendars
• Metrics: AppSec calendars helped increase visitors to key Guidance materials  (track hits to website docs when certain activities take place)

Education

• CBT1: Intro to AppSec at GE (60 min for any IT person) - why AppSec is important and what happens when you don't do it
• CBT2: GE Best Practices for Secure Coding (90 min)
• CBT3: Attack Profiles & Countermeasures (120 min for security people)
• Developer Awareness Assessment:
  • 100's of internally-developed questions
  • Randomized questions, timed completion
  • Vendors track their own resutls
  • Allows tailoring of training/awareness programs

Tools

• - COE AppSec assessment services
• Vendor framework & Metrics
• Compliance handbook
• Common objects repository
• GE Enterprise Application Security
• Scanning and Monitoring tools
• Automation is the way to go (but the tools are not quite there yet)

Metrics

• Measure Vendor AppSec Performance (Avg % Critical/High Vulnerabilities per Assessment vs % Assessments with Zero Critical/High Vulnerabilities)
• Is it making a difference (map avg of critical/high vulnerabilities per assessment)

Forming a Center of Excellence

• Combines the best available people, processes and tools
• Formal training & defined roles (Comprehensive training program for all auditors to ensure skills are kept current and that auditors can provide more than one type of service)
• COE Team structure (tools, research, operations, stakeholder management, queue management, application security auditors
• Application Assessment Types (black/grey box vs white box)
• Application assessment process (map of the workflow with "swim lanes" of who does each step)
• Measure number of vulnerabilities and severities
• Measure customer satisfaction (overall, ease of engagement, responsiveness)

• Barbarian Horde
  • Our castle walls must keep us safe
    • Script kiddies and DDoS

• Ninjas
  • Knowledgeable “Haxx0rs” with deliberate intent
    • Social engineering to exploits
• Vampires
  • Generally have to be “invited” in
    • Convert others to their side
    • Malware, worms, and botnets
  • Vampires are social creatures

Problems with Traditional Mechanisms

• The Barbarian Horde
  • How do we know its working?
• Ninjas
  • Ninjas are stealthy and think outside the box
  • Social Engineering can grant all manner of access
• Vampires
  • What happens if you’re the first one bit?
  • Where do you have your safeguards?

How can Flow Data help? (Packet level logging for network devices – Ex: NetFlow)

• Global Accounting
  • Who, what, where, when, how
• Barbarians
  • Who made it through the castle wall?
• Ninjas
  • Forensic data
  • “Soft-Firewall” like rules
• Vampires
  • Containment is key – one hop away
  • Policy verification

Why Flow?

• Leverage your existing network infrastructure to quickly, accurately detect, contain and remediate incidents.
• Anywhere from a 3-10% impact on processor.  Memory impact is even smaller.

Freeware flow data

• FLOW-TOOLS
• NMon

Behavioral Analysis?

• Flow data is awesome.  Why the expert system?
  • Flow data is plentiful – drinking from the firehose can hurt
• The problem of context
  • Signatures and rules may not always be appropriate
• Bobby Sue doesn’t normally upload this many files to the Net
• Who has staff available to constantly scrub files and graphs?