AppSec DC: Neal Ziring on Application Assurance
Neal Ziring, Technical Director in the Information Assurance Directorate (IAD) at NSA, said that the role of developers is changing and that they have become the first line of defense for applications. Neal presented the keynote session at the AppSec DC 2010 conference last week. He also said that recent operating system and platform security implementations have helped push attackers up the stack to web applications.
Applications have become the primary target of attackers because they are numerous and diverse in nature, which gives attackers a broader attack surface. Also, applications are moving much more into network and cloud computing environments, which makes it easier for attackers to get information.
Application assurance should be incorporated into the software development lifecycle (SDLC) process, including the later phases such as product upgrades and retirement, so that secure decommissioning of software products is planned for. He discussed what developers should look for in each phase of the process from an application assurance standpoint.
- Requirements: It's important to understand the key legal, regulatory, and privacy constraints that apply to the application.
- Design: Applications should be designed for visibility and management of security metrics.
- Coding: Don't write your own implementations of security functions such as cryptography. Instead, use the OS, platform, and library services that are available.
- Testing: Developers should include security testing from the unit testing phase onwards. Also, stress test the security functionality to ensure that applications remain secure when running under load.
- Deployment: The application deployment step should include the security implementation.
- Operation: Audit intelligently to support visibility and facilitate continuous monitoring of the applications.
Neal talked about four aspects of application assurance: resilience, visibility, governance and management.
Resilience: This focuses on designing applications so that they behave gracefully when under attack and don't have to be down for too long to fix any security issues.
Visibility: You need to have visibility into all parts of the IT stack, including applications. Visibility is very important when applications are under attack. It should cover the entire security posture, including the security posture of the operating systems. Security Content Automation Protocol (SCAP) is a good tool for managing this aspect. Visibility is also important because only the application-level code knows how many input validation errors or SQL injection instances occurred, which is critical in fixing the security vulnerabilities.
Governance: Governance is critical in any organization and requires a lot more access control and oversight. Developers should not hardcode governance rules in application code. Instead, security governance policies should be stored in rules files or offloaded to a centralized "Policy Service".
Management: Applications have access to and interact directly with critical data so the management of the applications in the assurance area is very important.
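The Governance and Visibility points above, as an added example that is not from the talk or the original article: access rules are read from an external rules document instead of being hardcoded, and the engine counts its allow and deny decisions so they can be monitored. The JSON layout, the role and resource names, and the `PolicyEngine` class are assumptions made for illustration.

```python
import json
from collections import Counter

# Constructed sample rules document. In a deployment this text would come from
# a rules file or a central policy service (layout and names are hypothetical).
RULES_JSON = """
{
  "version": 1,
  "rules": [
    {"role": "auditor", "action": "read",   "resource": "audit-log"},
    {"role": "admin",   "action": "read",   "resource": "audit-log"},
    {"role": "admin",   "action": "delete", "resource": "user-record"}
  ]
}
"""

class PolicyError(ValueError):
    """Raised when the rules document is malformed."""

class PolicyEngine:
    REQUIRED = ("role", "action", "resource")

    def __init__(self, rules_text):
        try:
            rules = json.loads(rules_text)["rules"]
            self.allowed = {tuple(r[k] for k in self.REQUIRED) for r in rules}
        except (json.JSONDecodeError, KeyError, TypeError) as exc:
            # Fail closed: a broken policy must never turn into "allow all".
            raise PolicyError(f"invalid policy document: {exc}") from exc
        self.decisions = Counter()  # allow/deny counts exposed for monitoring

    def is_allowed(self, role, action, resource):
        # Deny by default: only an exact rule match grants access.
        ok = (role, action, resource) in self.allowed
        self.decisions["allow" if ok else "deny"] += 1
        return ok

def demo():
    engine = PolicyEngine(RULES_JSON)
    results = [
        engine.is_allowed("auditor", "read", "audit-log"),
        engine.is_allowed("auditor", "delete", "user-record"),
        engine.is_allowed("guest", "read", "audit-log"),
    ]
    return results, dict(engine.decisions)

if __name__ == "__main__":
    print(demo())
```

Changing who may do what then means editing the rules document, not redeploying application code, and a rising deny count is a signal the operations team can alert on.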
Neal also talked about the emerging application security challenge areas, which include mobile applications (not only on the device but also the back-end infrastructure that serves the applications to the mobile devices), cloud computing, Web 2.0 and composable web services, and Trusted Computing, especially in the government sector.