Monday, November 10, 2014

Security Measures on a Budget - Part 3

In this article I want to cover what you and your team can do for your application security. Chances are you don’t write your own software packages, and if you do I’m not sure I can help you much! There are still plenty of measures you can take to ensure that you’re buying a good product, that the products you currently have are secure, and to secure the applications you already possess. There are several sets of application security rules: some pertain to web applications, others to writing secure code, and more are still being worked on and directed. I’ll go over some of them here, as well as some software hardening guides for applications.
OWASP, otherwise known as the Open Web Application Security Project (http://owasp.org), is one of the largest collaborations on application security practices and guidelines. “Our mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.” They publish a great guide called the OWASP Top 10, which lists the ten most common web vulnerabilities and how to go about combatting them. If you are looking at getting a web application or hosting one in the cloud, it’s always a good sign if the engineers on the project know about OWASP or have hardened their application to those standards. They cover a wide range of views on this topic as well: from secure coding practices, to CISO communications and planning initiatives, to local chapter meetings, and some great literature and classes.
Another organization that is near and dear to my heart is called I Am The Cavalry (http://iamthecavalry.org). I currently volunteer for them as well. They are a somewhat newer organization, and they are working on building information security frameworks into public infrastructure from the ground up. They are currently focusing mostly on the automotive industry, but are also making headway into healthcare devices, critical infrastructure, and other embedded systems. One of the practices they would like to implement is a guide on secure software purchases. I originally joined because, working in healthcare, I would see a lot of different software packages and realize how poorly written and configured the majority of them are. I love the passion that the organizers had and I wanted to help with their initiative.
In a less security-conscious environment it is much easier to look at the bells and whistles of what a piece of software can do, and less at what a malicious person could do with it. This isn’t just an anomaly in healthcare software and devices; it affects every industry. When you look at a software package, things like price per user, licensing fees, hardware costs, administrative overhead, and the like all usually come into play. There is so much more that should be assessed before spending a good part of your budget on software that you might be building your company on. Here is a good basic list to start with as a checklist for when you are working with your software vendors:
1. The use of Java:
   1.1. Java on workstations is extremely exploitable. The less you have it in your environment the better. Vendors will sometimes not only require it, but require outdated, unsupported versions of it. This is usually a deal breaker for me.
2. Firewall rules:
   2.1. While the local workstation/server software firewall isn’t the end-all-be-all of PC security, it definitely does help. Don’t let the software vendor tell you that you need it turned off.
   2.2. Small exceptions are fine. Find out what port or .exe needs to be allowed through.
3. Anti-virus:
   3.1. Lots of people in the infosec industry say that anti-virus is dead: there are so many malware samples and rootkits out in the wild that it doesn’t matter. But I believe it does.
   3.2. Security is a process, and processes have lots of moving parts. A/V should not only be installed on all of your endpoints, but it should be running scheduled and live scans as well.
4. Windows Updates:
   4.1. Make sure you know whose responsibility it is to keep the workstations/servers/appliances up to date. It’s very painful if the software company has a difficult approval process for updates.
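To turn the four checklist items above into something you can actually run on a vendor-supplied workstation, here is an added PowerShell audit script (my own example, not from the original post or from any vendor). It assumes an elevated PowerShell session on Windows 8.1/Server 2012 R2 or newer with the NetSecurity and Defender modules present; the vendor executable path, port and rule name are placeholders for whatever the vendor actually documents.

```powershell
# Added example: audit a Windows workstation against the vendor checklist.
# Assumes an elevated session on Windows 8.1 / Server 2012 R2 or newer.

# 1. Java: list installed Java runtimes from the Uninstall registry keys (32- and 64-bit).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$java = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Java' } |
    Select-Object DisplayName, DisplayVersion, Publisher
if ($java) { Write-Warning 'Java runtime(s) found:'; $java | Format-Table -AutoSize }
else       { 'No Java runtime installed.' }

# 2. Firewall: every profile should be enabled with inbound blocked by default.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction | Format-Table -AutoSize

# Weak setting a vendor may ask for (do not do this):
#   Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled False
# Scoped exception instead: one program, one TCP port, inbound, domain profile only.
$vendorExe  = 'C:\Program Files\VendorApp\VendorApp.exe'   # placeholder path
$vendorPort = 8443                                          # placeholder port
$ruleName   = 'VendorApp inbound'                           # placeholder rule name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
        -Program $vendorExe -Protocol TCP -LocalPort $vendorPort -Profile Domain | Out-Null
}

# 3. Anti-virus: real-time protection on, signatures current, scheduled scans actually running
#    (Windows Defender shown; third-party A/V exposes similar state through its own tooling).
Get-MpComputerStatus | Select-Object AntivirusEnabled, RealTimeProtectionEnabled,
    AntivirusSignatureLastUpdated, QuickScanEndTime, FullScanEndTime | Format-List

# 4. Windows Updates: the newest installed hotfix shows whether patching is actually flowing.
$latest = Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latest -and $latest.InstalledOn -lt (Get-Date).AddDays(-45)) {
    Write-Warning "Last update $($latest.HotFixID) installed $($latest.InstalledOn); patching may be stalled."
} elseif ($latest) {
    $latest | Select-Object HotFixID, InstalledOn
} else {
    Write-Warning 'No hotfix install dates recorded; check Windows Update history manually.'
}
```

The 45-day threshold is an arbitrary choice for this example; pick whatever your patch window actually is.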


Whatever software you have implemented in your organization, chances are there is a good hardening guide out there for it. Particularly vulnerable applications include WordPress, IIS, Apache, and Exchange (as well as every other mail server platform). If you have any specific questions feel free to reach out to me on twitter @infosystir.
