2012 Government Strategy Guide to Defending Against Cyber-AttacksRobert Haas of HP on Investing in Smarter Solutions
"With the recent publicity around some high-profile security breaches and cyber attacks, the enterprises are becoming more aware of cybersecurity surrounding their environment," says Haas, who heads application strategy and portfolio for HP's public sector division. "We're seeing an increased focus on some of the traditional approaches, as well as some new techniques that are being used to approach newer technologies as they are being introduced into the environment."
Among the top trends: application firewalls, risk-based analysis of vulnerabilities, and increased code scanning.
"User training is also a key aspect of good security programs, and we're seeing an emphasis there as well," Haas says.
In an exclusive interview about application security, Haas discusses:
- Today's top trends and threats;
- What organizations can do to increase the effectiveness of their spending and projects;
- What enterprises can do from a process perspective to enhance security;
TOM FIELD: Just to start out at the top here, why don't you tell us what you see as the current trends in application security?
ROBERT HAAS: With the recent publicity around some high-profile security breaches and cyber attacks, the enterprises are becoming more aware of cybersecurity surrounding their environment. We're seeing an increased focus on some of the traditional approaches as well as some new techniques that are being used to approach newer technologies as they're being introduced into the environment. Some of the traditional approaches that we've seen are things like defense-in-depth, where multiple layers of security defenses are used to defend against oncoming attacks. For example, if an attack goes through the network defenses, its encrypted data or tightly controlled access would prevent a breach in a particular situation.
The enterprises are also shifting from a reactive approach to more of a proactive approach. They're looking for real-time status updates and software patches, configurations and breaches. In a time of constrained budgets that we operate in right now, we're seeing an increase in risk assessments that are used to stretch the enterprise security dollar, more of a financial approach to security in that respect. Enterprises are also using code-scanning techniques and automating those processes so that it can be done as developers are building code or after the code has already been developed. In some cases, this automated code scanning is supplemented with manual reviews in particular areas. User training is also a key aspect of all good security programs and we're seeing an increase and focus on that as well. With the human element playing an increasing role in good security, the enterprises are enhancing their security awareness with training, continual messaging and even testing the individuals.
From a newer technique, a newer area perspective, we're seeing an increased focus around areas such as mobile security, where traditional enterprise boundaries have essentially faded away. Beyond standard device and network security, such as remote device whitening, enterprises are adding personas on a device that run in protected containers and allow non-business use of the same device at one point as well as connection into the enterprise data systems in another instance, all relatively securely. They're also increasing the focus on encrypting data on the device in case that device is lost.
From a cloud perspective, as we see an increasing adoption and interest in cloud to cut cost, there is a fair amount of interest in securing the data and the applications in that environment. In addition to just securing the data at rest and in transport, the companies are looking for systems that guarantee separation of user data, also known as multi-tendency. You might hear that term. Increasingly, they look for solutions that don't have data persistence after the session's closed so that data is not available to other users or even other customers if it's a public cloud. We're also seeing an increase in the usage of applications firewalls. It's that technique that has been gaining acceptance over the last couple of years as a way to separate complex application transactions from a sophisticated cyber attack.
Finally, there are also niche areas and techniques such as applications ... that are used to protect source code from prying eyes, and those are being deployed maybe a little more selectively in pilot projects. But all-in-all, a wide range of techniques are being used across the enterprise community today to address security.
FIELD: That's a great overview and of course with these trends come threats as well. What would you say are the greatest application security threats that organizations are dealing with now?
HAAS: That's a great question and the list is remarkably constant over the last couple of years. The SANS Institute for example has a list of the top 25 most common application security flaws and the list largely reflects our experience. A few of the highlights include sequel injection, and that was one that made headlines with a couple of major consumer data breaches this past year. It occurs when the user input isn't correctly filtered and it results in an unexpected code execution. The sequel injection can be addressed by an input validation or design requirements, or even an applications firewall. There are some techniques to mitigate that.
Another one is excessive elevation of privilege. This occurs when a program has more privileges than are needed to execute the task, and it can turn just an ordinary defect into a real security vulnerability, allowing the hacker to take control of an application or ex-filtrate data.
Stack overflow and arbitrary code execution is another class of problems that's related to sequel injection but it can also cause different code to execute in an unexpected manner, or in the case of an attacker, in the way they want to execute the code to take control of the application.
Zero-day vulnerability is one that's been out there and it's caused a number of issues for a wide variety of folks. It's complex because it renders essentially the typical patching model obsolete. You don't have time to develop a patch and it relies a lot on defense-in-depth as a way of eliminating it as well as some other techniques.
In addition to those, there are a few other categories that present security threats and that's neglecting to understand your security requirements in your environment, whether that's not implementing that code correctly or just flat-out not understanding the requirement that you need to encrypt passwords or other sorts of issues in your data systems.
There are also well-intentioned users. They might mistakably open a link, a picture or an e-mail that could load malicious code into a system that could be used to launch an attack. If there were a common theme for these flaws, it might be the lack of designing security into an application and checking the architecture for security robustness. When we look at all of these there is that theme. You can eliminate a large number of these flaws by architecting the security in.
FIELD: Let's talk about government specifically. With government budgets under pressure as they are, what could agencies be doing now to increase the effectiveness of their spending and their projects so that they can take advantage of the trends we've discussed, but not be taken advantage of by the threats you've outlined?
HAAS: With governments in the current time under these constrained budgets, a solid risk-based approach can help the enterprises stretch their dollar by aligning the security upgrades based on areas of highest risk. The enterprises can address the most pressing issues first. Another technique is to utilize existing assets. Enterprises often have partial implementation of systems or capabilities that if fully implemented could enhance their security. An example might be a centralized identity management system that could be extended, modernized or enhanced for applications. They could also monitor logs with an automated toolset to get better performance and better analysis of what's happening on their enterprise networks and systems today.
Another example would be to use standardized contract language to include specific security language to avoid costly retrofits later in the lifecycle. Examples might include requiring the use of a centralized identity management system or providing the standard status information to an application's program interface that could be read by a security information event monitor system.
Finally, maybe one of the other low-cost techniques would be to approach the system development lifecycle holistically. They could remove defects early in the life cycle so they don't cause re-work in the security, for security issues later after the code is already in operation. Your mileage may vary, but these approaches typically provide good starting points for the efficient use of the security dollar.
FIELD: As you know, many agencies now have transformation projects planned or in process already. Given that, how can they improve their security posture on these projects?
HAAS: Transformation activities really offer agencies a unique opportunity to review the security posture of their systems in a way that they may not have been able to do otherwise for operational reasons, time or other budget concerns. In the broader context of an enterprise, all systems are going to be replaced, managed, or retired at one point in their life cycle. To reduce costs for example, consider letting some of the applications that support a particular process or ecosystem be put on the retirement block, and by rationalizing these systems they can simultaneously reduce cost and eliminate security issues. If the functionality of these older systems is needed you might be able to migrate the capabilities to another component or application that is designed for today's cyber environment. This technique is particularly helpful if you have a self-funding transformation effort. In other words, you're not getting additional money to transform your environment.
For systems that need to be modernized there are many choices, and I'll highlight a few. I would conduct a security risk assessment to determine where your investments will generate the best return. Having a roadmap at the beginning of a project is a great place to start. I would also integrate the modernized system into an automated management and security monitoring system. A lot of them today, particularly the customized apps, don't have this capability, and it streamlines operations, lowering your cost over the longer term, as well as enabling the agency to provide more real-time operational status and security information. Another technique, I mentioned this one briefly before, is to leverage your identity management systems that have been deployed in most agencies already. With the integration of centralized identity management, it's easier to track multiple logins from different physical locations as an example. Also this approach enables passwords to be removed from source-code logic. And yes that's still a problem as we're finding out periodically.
Finally, you can separate the data from the program logic. This approach can reduce the attack area for the hackers and it simplifies data-at-rest encryption, and you can also determine whether or not an application firewall is right for your system in your situation. If you think about the newer systems or those that you're replacing, maybe there are a couple of techniques that could be applied in that situation as well, and those would be to integrate security from the beginning. Involving the business users in the security discussions is a great way for everyone to have a common understanding of what's required as well as to eliminate security problems from the very beginning.
You can also apply security reviews from the beginning, and looking at the software code, if you have to develop code for this particular new system, that can help eliminate flaws before the development starts. Designing the security into the system and architecting flaws out saves a tremendous amount of money in code re-work, as an example. You can also automate the code scanning in some cases, and this also frees up valuable manpower as well as dollars to focus on other areas.
The bottom line is that security should be a major point in a transformation. With the right choices, older, less secure systems can be retired without losing functionality, and security is increased as these older systems are retired and newer systems that are designed for today's environment are brought online.
FIELD: Many enterprises have already implemented security techniques, but they're finding themselves deluged with log data and other information. What can they do to address this problem?
HAAS: This question really gets to the heart of IT operations management and IT security operations. As agencies shift their focus from periodic inspections to continuous monitoring, there are several options available. Events can be collected and monitored with solutions known as SIEMs, which stands for Security Information Event Managers. Applications designed to utilize these systems as well as the network devices that support them generate gigabytes of log information that if processed properly, can provide a significant increase in security and situational awareness. I mentioned how individual log-in patterns can be much easier managed and analyzed over time and sometimes that's a giveaway to some security threats where an individual has logged in simultaneously from two different physical locations. Now SIEM solutions were designed to aggregate data and display real-time status and support the interactive queries. Utilizing this SIEM type of an approach requires an application to send its events to the system. Many commercial packages have that functionality today, but custom applications are a little trickier, requiring the developers to write code that specifically provides these events in an explicit manner.
Another opportunity for enterprises today is to look at IT systems that can help you respond to a security situation. Many enterprises have implemented configuration management databases. Accurate configurations not only play an important role in audits but they can also increase confidence when responding to a security situation, particularly if you need to rapidly implement patches, change ports or adjust other configurations across the enterprise. When you think about this holistically there are a number of different pieces that can play into really providing great situational awareness while simultaneously improving your enterprise security.
FIELD: Let's talk about process for a minute. What might enterprises do today from a process perspective to enhance their security?
HAAS: Security goes well beyond just tools and techniques. There are a number of things that the different enterprises can do, particularly governance, and that's an area that has increased in importance as enterprises continue to expand and new technologies such as cloud and mobility are used to automate traditional manual processes. If security governance isn't part of your process today, make sure to add it. Make sure to include your business admission partners in the security governance activities as you define the processes, priorities and mission requirements. You don't want to inhibit mission with the security, however they should work hand-in-hand together.
Another area is the regular risk assessments. This is an ongoing process that might be part of the governance activities, and even as agencies shift from these periodic security reports to continuous monitoring, the systems are changing and evolving as agencies implement major transformations and shifts to newer technologies. The result is that the leading organizations continually ask themselves whether a particular change exposes the data or risks the company's reputation in any new way. It's an important thing to do on a periodic basis.
Another approach might be to standardize the development process, and that includes security from the beginning. By evaluating the security throughout the development cycle, these agencies can consistently improve the security quality of their code, starting with the requirements in the architectural design and continuing through code testing and development. Most of the defects can be identified and removed before deployment, and this is more of a process that's deployed during the software development life cycle. There's also another technique called penetration testing, and if this is done periodically most organizations have found it to locate or help to locate threats that aren't easily found during the development process, and some cross-system threats can really only be tested in this manner. It's healthy to have this in your capabilities as well.
Finally, from another process activity, I would advocate regular security training and updates. People are the key to a good security program and regular training and reminders keep them abreast of the latest issues. The bottom line is maybe the best use of your security dollar might involve some money spent on processes rather than in other boxes or another piece of software.
FIELD: We've got time for one more question. If you could sum it up, maybe you could tell us a little bit about what some of your customers are doing specifically to address application security?
HAAS: Our customers are using a variety of techniques including all of the ones I described earlier. They're increasing their applications as part of a standard defense-in-depth approach, and that's becoming more and more common across our customer base. They recognize that not a single approach can solve all problems. We're seeing this across the entire system's lifecycle. Clients are implementing a lot of the techniques in this sort of a manner across all of the system's lifecycle and designing it in and maintaining it all the way through to the operational level.
At the enterprise level we're seeing clients focused on their governance activity as they shift from a reactive to a proactive stance. The new policies that mandate security design reviews, code scanning, real-time security operations management, they all set the stage for project and operations managers to integrate new projects. At the project level, we're seeing clients reduce their risks by reviewing requirements and architectures against security standards to eliminate security defects in the design phase before they cause possibly re-work, or worst yet, get put into operation. Clients often follow this design technique with the automated code scanning to catch the defects as they're coded in during a development. It's very difficult for even some of the best developers to catch the design defects as they're writing the code, and the automation helps them do that along the way.
In some cases, clients are using this technique for even code that's been deployed. If they're unsure about it or they can't replace it easily they use this technique to get a sense of where the issues are. The applications are being designed to include centralized identity management to take advantage of the biometric and the HSPD-12 cards that have been issued by some of our federal and state governments. For better operation security, clients are integrating their applications and alerts into their security information and event managers.
From a client perspective, sometimes it's helpful to use a couple of examples. One client of ours recently did a requirements and architectural analysis on a system as it was being modernized, and identified a critical design error that would have prevented the system from being securely patched once it was in operation. A second client took a look at their environment and realized they needed to increase the focus on their operations security, and what they had done was they started integrating all of their event logs from all of their network devices, all of their systems and also from the applications into an event manager platform. They bolstered that with rules and customized it to their environment, and as a result they had a real-time operations visibility of their network.