By Ann Grove, Logical's President
Although some developers see threat modeling as a low-value, high-effort exercise, the process provides a helpful, holistic view to find, identify, and evaluate risks that wouldn't otherwise be recognized.
That was the contention of John Misczak (@johnmisczak) at an OWASP Philly (@phillyowasp) event Friday. Misczak is a senior consultant at Security Risk Advisors, a security and compliance services and products company. The day's theme was web application security in agile environments. (See the next blog post to learn about better integrating the security team into the development team.)
Misczak said that a good threat model picks up problems that are not identified by other security assessments such as penetration tests (pen tests).
Let's look at the top five of the Misczak Top 10 areas that a threat model should address:
I have helped prepare threat model reports for a security consultancy client and the results were presented much like the results of a pen test with a list of findings (security weaknesses), and, for each finding, the assets impacted, a risk rating, a description of the problem, and recommendations. Therefore, I asked Misczak if organizations track and resolve threat model findings using the same methods applied for pen test findings. Misczak said many organizations do not track pen test findings to closure, and so should use a different approach to ensure that all threat model findings are fully addressed.
For those interested in threat modeling, Misczak recommended checking out a new, open-source OWASP threat modeling tool, Threat Dragon. Available for Windows, Mac, Linux (soon), or via web app, the tool includes system diagramming and a powerful rule engine to auto-generate threats/mitigations.
About the Author
Ann Grove, president of Logical, is a chapter leader for OWASP's Baltimore Chapter.
By Ann Grove, Logical's President
In agile environments where software changes are released at a hectic pace, many organizations believe it no longer makes sense for a security team to focus primarily on looking for security weaknesses late in the development process. That approach is costly and sometimes forces the delay of a release. Instead, agile teams want to better integrate the security function early in development.
But how? That was the question that Zane Lackey (@zanelackey) addressed today at an OWASP Philadelphia (@phillyowasp) event. Lackey is Chief Security Officer at Signal Sciences, the security monitoring and defense company he founded. His past roles include Director of Security Engineering at Etsy.
With agile, release cycles are "orders of magnitude" faster than they were a few years ago, Lackey noted. Pre-agile development models such as waterfall typically yielded a release every 12 to 18 months, whereas agile shops may release code several times a day, he said.
At this pace, “security is successful only if it is baked into the Dev/DevOps process,” Lackey said.
Below, we will walk through Lackey's top recommendations on securing web applications in agile environments:
Employ Security by Design with Static Analysis
A static analysis tool is a debugging tool that examines code for known issues without executing an application. Typically, static analysis is run on a designated frequency such as weekly or monthly.
To implement static analysis, Lackey recommends beginning with classes of vulnerability that are the easiest to address. This also demonstrates to the organization that static analysis can deliver both value and velocity. The analysis tool should be “tuned” for each class to eliminate most false positives before moving onto the next class, Lackey says, rather than attempting to tune all classes at once. For instance, a team can start with command execution and later move on to XSS, SQLi, Directory Traversal, etc.
In addition, rather than instituting automatic blocking to prevent disallowed primitives, Lackey recommends talking to developers. Through conversation, the security team can learn what a developer is attempting to protect and discuss how that can best be accomplished through hashing, encryption, file system operations, or another method.
Finally, Lackey recommends building proactive alerting so that leaders are advised when sensitive or rarely changed portions of the codebase are modified. He suggests alerting development and security engineers to changes to key platform protections, rather than blocking so that approvals are not needed during an emergency. For instance, a team can establish an alert for a hash change on key files, authorization of primitives, session management, encryption wrappers, etc. This provides accountability without impacting velocity.
Provide Continuous Feedback with Penetration Testing and Bug Bounties
Lackey discussed two primary sources of security visibility: penetration tests and bug bounty programs.
Penetration testing (pen testing) was “real-time enough when software was released every 18 months,” Lackey said. The purpose of pen testing in organizations with bounties has shifted; the value of pen tests now is that they are more directed.
Many organizations augment pen tests these days with bug bounty programs which provide truly real-time and continuous feedback. Through bounty programs, organizations compensate or reward external volunteer testers for finding weaknesses or bugs in the product being tested. The emergence of bounty platforms such as HackerOne and Bugcrowd make bounty programs more manageable, for instance for international payments, Lackey said.
Increase Security Visibility
To increase security visibility, Lackey recommends developing capabilities to detect attacks as early as possible in the attack chain. This is especially important when a bounty program is planned, in case a bounty hunter discovers a bug that he or she decides not to report, Lackey said. The hunter could decide to sell the bug to hackers or use the bug for a live exploit later.
In addition, organizations should continuously test and refine their vulnerability and incident response processes and mature their forensic capabilities.
Organizations realize it is no longer feasible for security teams to primarily focus efforts late in development when discovered bugs are costly and may delay scheduled releases. Security teams in agile environments are increasingly participating in the early phases of web application development and are collaborating with, educating, and empowering developers. Even in fast-paced agile environments, secure development is possible with techniques such as integrating security into design, providing continuous security feedback, and making security visible, Lackey said.
We can move faster than attackers for the first time.
Ann Grove is a Certified Information Privacy Professional and security enthusiast with 15+ years of writing experience.
By Ann Grove, Logical's President
So you've hired a consultant or agency to develop a marketing deliverable such as a blog post, white paper, or video. Now is not the time to wash your hands of the project. Instead, increase the effectiveness of the content and improve the outcome by providing your consultant with some key documents you likely already have on hand if you have a marketing team:
Your marketing consultant also need at least one more resource: a Subject Matter Expert (SME) or collaborator. Occasionally we meet a client who wants the Logical writer to develop content with minimal direction and no team interaction, but a technical review is still required.
Our most successful projects are typically those where the client takes the time to discuss things like market trends, industry news, and product differentiation. The client's deep industry knowledge enhances our keyword-optimized and targeted content, resulting in high-performing results.
Ann has passion for producing content that people rely on for buying decisions. She takes all of the stress out of outsourcing security content and compliance analysis with no-obligation consultations. Reach Logical today using our Contact page.