System Development in an Age of Security by Leticia Smith
March 2016 – One topic of discussion at this year's RSA Conference in San Francisco was the System Development Life Cycle (SDLC) and the issues that arise when security is integrated into it. Attackers leverage weaknesses in every platform to pivot across the enterprise. System administrators and managers need solutions that let them monitor applications and network traffic across all ports, spot anomalies and stop attackers before they can advance.
Security needs to be considered from the start of application design and development. At a minimum, developers must consider every element on the subnet the application lives in. Current malware often exploits vulnerabilities not only in the core software but in the services and plug-ins each system uses. These extend to the network services the system depends on, such as BGP and DNS, and even to vulnerabilities hidden in seemingly simple devices such as power supplies and UPS units. The picture is further aggravated by BYOD access from poorly managed employee-owned devices, unmanaged vendor access and rogue wireless access points, all of which add complexity and extend the attack surface in unpredictable ways; each is a variable the defence must be designed around.
A focused and continuous vulnerability assessment process should use automated scans that cover both the network devices and the vulnerabilities and weaknesses across the rest of the environment. That environment includes cloud services, virtual infrastructure, application servers, web servers and the various data stores: DAS, NAS, SAN and cloud storage.
The scanning program must minimize false positives, validate findings by manual inspection and be backed by online reference material. The goal is a management program that provides detailed requirements for procedures and recommends specific security controls for each finding. Such a program keeps the groups involved communicating, fosters teamwork and supports a secure and compliant configuration management process for all technical assets. Its elements include:
- Road Map (as a team, develop 5-, 10- and 20-year technical plans and budgets)
- Asset Management (asset lists, owners, data flow, network diagrams)
- Change Management (ATO [authority to operate], exceptions and approvals)
- Data Classification (for efficient risk-based protections)
- Secure Build Environment and Security Testing Processes
- In-house teams should consider security requirements across the product lifecycle. To validate their efforts they may choose static or dynamic analysis tools for code review and reporting; good results can also be obtained with an intercepting proxy, scanning with a range of open-source or commercial toolsets, fuzzing and protocol analysis.
- Security training for developers and repository administrators: secure SSL/VPN settings, no shared accounts, patched development tools, and no cleartext credentials such as connection strings in code or configuration. Where cleartext credentials cannot be avoided, document them as an exception so they can be corrected later.
- Dev – Test – QA – PROD
- Steady State - Patching/Backup/Restore
- End of Life Procedures
- Technical Standard Compliance - Requirements/Testing
- Procedures, As-Built Diagrams, Firmware/Patch level, Job Aid Documentation
- Protection from message replay and man-in-the-middle (MitM) attack paths targeting the endpoint protection platform (EPP)
- End-Point Protection administration automation (wizard-based install, remote agent distribution, asset discovery, rogue detection, whitelist maintenance, reporting etc.)
- Redundancy (native load balancing, standby/failover, no single point of failure)
- Firewall Rule Audits: maintain separate firewall policies per connection type (i.e., per network interface card [NIC] or per network) and apply policy dynamically based on network location, for example a Wi-Fi policy, a corporate LAN policy and a public Internet policy.
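As an added illustration of the replay and MitM protection item above (example code written for this page, not part of the original article or of any EPP product), the following Python sketch shows an endpoint agent signing each report with an HMAC over its agent ID, a timestamp, a random nonce and the body, and the management server rejecting forged, stale and replayed messages. The per-agent shared secret, the 300-second freshness window and the message field names are assumptions made for the example.

```python
import hashlib
import hmac
import json
import os
import time

# Fields covered by the MAC (the "mac" field itself is excluded). Assumed layout.
REQUIRED = ("agent_id", "ts", "nonce", "body")


def _canonical(msg):
    """Deterministic byte encoding of the authenticated fields."""
    fields = {k: msg[k] for k in REQUIRED}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def _mac(key, msg):
    return hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()


class Agent:
    """Endpoint side: every report carries a timestamp, a fresh nonce and an HMAC."""

    def __init__(self, agent_id, key):
        self.agent_id = agent_id
        self.key = key  # per-agent shared secret (assumed provisioning model)

    def build_message(self, body, now=None):
        msg = {
            "agent_id": self.agent_id,
            "ts": int(time.time() if now is None else now),
            "nonce": os.urandom(16).hex(),  # 128-bit random nonce, never reused
            "body": body,
        }
        msg["mac"] = _mac(self.key, msg)
        return msg


class Server:
    """EPP management side: verifies MAC, freshness window and nonce uniqueness."""

    def __init__(self, keys, window=300):
        self.keys = keys        # agent_id -> shared secret
        self.window = window    # seconds of clock skew / transit delay tolerated
        self.seen = {}          # nonce -> ts, only for nonces still inside the window

    def verify(self, msg, now=None):
        now = int(time.time() if now is None else now)
        if not isinstance(msg, dict) or any(k not in msg for k in REQUIRED):
            return False, "malformed"
        key = self.keys.get(msg["agent_id"])
        if key is None:
            return False, "unknown agent"
        # Authenticate first, in constant time, before any other check.
        expected = _mac(key, msg).encode()
        if not hmac.compare_digest(expected, str(msg.get("mac", "")).encode()):
            return False, "bad mac"
        if abs(now - int(msg["ts"])) > self.window:
            return False, "stale timestamp"
        self._expire(now)
        if msg["nonce"] in self.seen:
            return False, "replay"
        self.seen[msg["nonce"]] = int(msg["ts"])
        return True, "ok"

    def _expire(self, now):
        # Nonces older than the window can be dropped: a replay of them fails the
        # timestamp check anyway, so the cache stays bounded.
        for nonce, ts in list(self.seen.items()):
            if now - ts > self.window:
                del self.seen[nonce]


if __name__ == "__main__":
    key = os.urandom(32)
    agent, server = Agent("host-1", key), Server({"host-1": key})
    report = agent.build_message({"event": "scan-complete", "findings": 3})
    print(server.verify(report))   # (True, 'ok')
    print(server.verify(report))   # (False, 'replay')
```

The HMAC gives integrity and origin authentication, so an on-path attacker cannot alter a report or inject one, and the nonce cache together with the timestamp window stops replay while keeping the cache bounded. It provides no confidentiality and cannot stop an attacker from delaying or dropping messages; in practice the channel would also run over TLS with the server certificate pinned on the agent, and the window has to be sized to the clock skew actually observed across the fleet.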
Strategy to avoid Security Control Evasion
- HTTP Evasion & Compression
- HTML Obfuscation
- Payload Encoding
- Executable Packers (Download)
- Executable Packers (Execute)
- Layered Evasions
- Risk Management Programs
- Procurement / Vendor Management – Supply Chain
- Cross-Border Issues
- Endpoint DLP that is integrated into the EPP suite offers the promise of more content-aware port/firewall and encryption policies
- Optimizing security protection in virtualized environments is a priority
- Multi-Tenant Issues (cloud compliance)
- Application control should extend to the execution of browser helper objects/controls within the context of browsers
- Technical Policy, Standards, Training, Gap Assessments and Audit
- Exception Approval Process (regular review)
- Insurance / Bonds / Legal Review
- ATO Process Reporting to Board and Acceptance (or not) of Risk
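The evasion list above (HTTP compression, HTML obfuscation, payload encoding, layered evasions) describes what an inspection control must see through. As an added example (written for this page; not from the original article or from any product), the following Python normaliser peels layered encodings off an HTTP body (gzip, base64, percent-encoding, HTML entities and JavaScript \x escapes) before matching plain-text signatures, with a depth limit and a decompression-size guard so that a crafted input cannot exhaust the inspector. The signature list, the constructed three-layer sample and the decoders' heuristics are assumptions made for the example; a real engine carries far more decoders and signatures.

```python
import base64
import binascii
import gzip
import html
import re
import zlib
from urllib.parse import quote, unquote_to_bytes

MAX_LAYERS = 8      # stop unwrapping after this many layers and flag it
MAX_OUT = 1 << 20   # refuse to inflate past 1 MiB (decompression-bomb guard)

# Plain-text signatures the control matches after normalisation (constructed).
SIGNATURES = [b"eval(", b"cmd.exe /c", b"document.write(unescape("]

_B64 = re.compile(rb"^[A-Za-z0-9+/=\r\n]{16,}$")
_PCT = re.compile(rb"%[0-9A-Fa-f]{2}")
_ENTITY = re.compile(rb"&#x?[0-9A-Fa-f]+;")
_HEXESC = re.compile(rb"\\x([0-9A-Fa-f]{2})")


class Refused(Exception):
    """A layer could not be unwrapped safely (too large or incomplete)."""


def _try_gzip(data):
    if data[:2] != b"\x1f\x8b":
        return None
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)
    try:
        out = d.decompress(data, MAX_OUT)   # never emit more than MAX_OUT bytes
    except zlib.error:
        return None
    if not d.eof:   # stream not finished: output exceeds MAX_OUT or data truncated
        raise Refused("gzip stream exceeds MAX_OUT or is incomplete")
    return out


def _try_base64(data):
    s = data.strip()
    if not _B64.match(s):
        return None
    try:
        out = base64.b64decode(s)
    except binascii.Error:
        return None
    # Heuristic: accept only text-like output or another gzip layer, so ordinary
    # words that happen to be valid base64 are not "decoded" into garbage.
    if out[:2] == b"\x1f\x8b" or all(32 <= b < 127 or b in b"\r\n\t" for b in out):
        return out
    return None


def _try_url(data):
    return unquote_to_bytes(data) if _PCT.search(data) else None


def _try_entities(data):
    if not _ENTITY.search(data):
        return None
    return html.unescape(data.decode("latin-1")).encode("utf-8")


def _try_hexesc(data):
    if not _HEXESC.search(data):
        return None
    return _HEXESC.sub(lambda m: bytes([int(m.group(1), 16)]), data)


DECODERS = [("gzip", _try_gzip), ("base64", _try_base64), ("url", _try_url),
            ("html-entity", _try_entities), ("js-hex", _try_hexesc)]


def normalize(data):
    """Peel encoding layers until none applies; returns (plain, layers, refused)."""
    layers = []
    while len(layers) < MAX_LAYERS:
        for name, fn in DECODERS:
            try:
                out = fn(data)
            except Refused as e:
                return data, layers, f"{name}: {e}"
            if out is not None and out != data:
                layers.append(name)
                data = out
                break
        else:
            break   # no decoder changed the data: fully unwrapped
    return data, layers, None


def inspect(data):
    plain, layers, refused = normalize(data)
    return {"layers": layers,
            "hits": [s.decode() for s in SIGNATURES if s in plain],
            "refused": refused,
            "depth_exceeded": len(layers) >= MAX_LAYERS}


def build_sample():
    """Constructed evasion: percent-encoding, then base64, then gzip transfer."""
    inner = b"<script>eval(atob('Y2FsYygp'))</script>"
    return gzip.compress(base64.b64encode(quote(inner, safe="").encode()))
```

A body that refuses to unwrap (oversized or truncated compressed stream, or more layers than MAX_LAYERS) should be treated as suspicious rather than passed through: the attacker's cheapest evasion is to make the inspector give up. The base64 heuristic is deliberately conservative; loosening it trades missed encodings for false positives, which is exactly the tuning the vulnerability assessment section above asks for.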