In this article I want to cover what you and your team can do for your application security. Chances are you don’t write your own software packages, and if you do I’m not sure I can help you much! There are still plenty of measures you can take to ensure that you’re buying a good product, that the products you currently have are secure, and that applications you already possess can be locked down. There are several sets of application security guidelines: some pertain to web applications, others to writing secure code, and more are still being worked on. I’ll go over some of them here, as well as some software hardening guides for applications.
OWASP, otherwise known as the Open Web Application Security Project (http://owasp.org), is one of the largest collaborations on application security practices and guidelines. “Our mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.” They publish a great guide called the OWASP Top 10, which lists the ten most common web vulnerabilities and how to go about combatting them. If you are looking at getting a web application or hosting one in the cloud, it’s always a good sign if the engineers on the project know about OWASP or have hardened their application to those standards. They cover a wide range of topics as well: from secure coding practices, to CISO communications and planning initiatives, to local chapter meetings, and some great literature and classes.
Another organization that is near and dear to my heart is called I Am The Cavalry (http://iamthecavalry.org). I currently volunteer for them as well. They are a somewhat newer organization, and they are working on building information security frameworks into public infrastructure from the ground up. They are currently focusing mostly on the automotive industry, but are also making headway into healthcare devices, critical infrastructure, and other embedded systems. One of the practices they would like to implement is a guide on secure software purchases. I had originally joined because, working in healthcare, I would see a lot of different software packages, and you realize how poorly written and configured the majority of them are. I love the passion that the organizers had, and I wanted to help with their initiative.
In a less security-conscious environment it is much easier to look at the bells and whistles of what software can do than at what a malicious person could do with it. This isn’t just an anomaly in healthcare software and devices; it affects every industry. When you look at a software package, things like price per user, licensing fees, hardware costs, administrative overhead, and the like all usually come into play. There is so much more that should be assessed before spending a good part of your budget on software that you might be building your company on. Here is a good basic list to start with as a checklist for when you are working with your software vendors:
1. The use of Java:
   1.1. Java on workstations is extremely exploitable. The less you have it in your environment the better. Vendors will sometimes not only require it, but require outdated, unsupported versions of it. This is usually a deal breaker for me.
2. Firewall rules:
   2.1. While the local workstation/server software firewall isn’t the end-all-be-all of PC security, it definitely does help. Don’t let the software vendor tell you that you need it turned off.
   2.2. Small exceptions are fine. Find out exactly which port or .exe needs to be allowed through.
3. Anti-virus:
   3.1. Lots of people in the infosec industry say that anti-virus is dead: there is so much malware and so many rootkits out in the wild that it doesn’t matter. But I believe it does.
   3.2. Security is a process, and processes have lots of moving parts. A/V should not only be installed on all of your endpoints, but it should be running scheduled and live scans as well.
4. Windows Updates:
   4.1. Make sure you know whose responsibility it is to keep the workstations/servers/appliances up to date. It’s very painful if the software company has a difficult approval process for updates.
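To turn the four checklist items above into something you can actually run against a workstation before (or after) a vendor installs their product, here is an added audit script of my own, not from the post or from any vendor. It assumes a Windows 8 / Server 2012 or newer host with the built-in NetSecurity module and Microsoft Defender (for Get-MpComputerStatus); the day thresholds are assumptions you should adjust to your own patch and scan cycles.

```powershell
# Added example: audit one Windows endpoint against the vendor checklist (Java, firewall, A/V, updates).
# Assumes Windows 8 / Server 2012+ and Microsoft Defender; thresholds (3/7/45 days) are assumptions.
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Java: enumerate installed products from both the 64-bit and 32-bit (WOW6432Node) uninstall hives.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$java = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Java*' } |
        Select-Object DisplayName, DisplayVersion
foreach ($j in $java) { $findings.Add("Java present: $($j.DisplayName) $($j.DisplayVersion)") }

# 2. Firewall: every profile should stay enabled; list the inbound .exe and port exceptions
#    so you can compare them with what the vendor says the product really needs.
Get-NetFirewallProfile | Where-Object { -not $_.Enabled } |
    ForEach-Object { $findings.Add("Firewall profile disabled: $($_.Name)") }
$allowRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow
$programs = $allowRules | Get-NetFirewallApplicationFilter |
            Where-Object { $_.Program -ne 'Any' } | Select-Object -ExpandProperty Program -Unique
$ports = $allowRules | Get-NetFirewallPortFilter |
         Where-Object { $_.LocalPort -ne 'Any' } | Select-Object -ExpandProperty LocalPort -Unique
Write-Host "Inbound .exe exceptions:`n  $($programs -join "`n  ")"
Write-Host "Inbound port exceptions: $($ports -join ', ')"

# 3. Anti-virus: installed is not enough; live (real-time) protection on, signatures and scans recent.
$av = Get-MpComputerStatus
if (-not $av.AntivirusEnabled)          { $findings.Add('A/V engine disabled') }
if (-not $av.RealTimeProtectionEnabled) { $findings.Add('A/V real-time (live) scanning is off') }
if ($av.AntivirusSignatureAge -gt 3)    { $findings.Add("A/V signatures are $($av.AntivirusSignatureAge) days old") }
if ($av.QuickScanAge -gt 7)             { $findings.Add("No scheduled quick scan in $($av.QuickScanAge) days") }

# 4. Windows Updates: flag a host whose newest installed hotfix is older than the patch cycle.
$lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastFix -or $lastFix.InstalledOn -lt (Get-Date).AddDays(-45)) {
    $findings.Add("Last hotfix installed $($lastFix.InstalledOn) ($($lastFix.HotFixID))")
}

if ($findings.Count -eq 0) { Write-Host 'No findings' }
else { $findings | ForEach-Object { Write-Host "[!] $_" } }
```

Run it from an elevated PowerShell session; Get-NetFirewallRule and Get-MpComputerStatus need administrator rights to return complete results.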
Whatever software you have implemented in your organization, chances are there is a good hardening guide out there for it. Particularly vulnerable applications include WordPress, IIS, Apache, and Exchange (as well as every other mail server platform). If you have any specific questions, feel free to reach out to me on Twitter: @infosystir.