Entropy and the art of secure software development


Those who paid attention in science class should not be surprised by the almost daily deterioration in business information security. Entropy, the second law of thermodynamics, is defined by Merriam Webster as "the degradation of the matter and energy in the universe to an ultimate state of inert uniformity." For some reason, many of those in the application development world seem to think they are not governed by the laws of thermodynamics. I would suggest otherwise.

Add to article pages only Sailthru pagination css [if lte IE 8]> <link href="/www.idge/css/webfonts/ss-ie8.css" rel="stylesheet" /> <![endif] fav and touch icons js google_dfp needs jquery defined first All JavaScript at the bottom, except for Modernizr which enables HTML5 elements & feature detects Begin Eloqua Tracking

StartFragmentConsider the following scenario: Acme corporation is developing a new web application. They have a well-defined software development life cycle function and follow development best practices. Their developers receive ongoing security training, and consider OWASP Top 10 in their development effort. They use a commercial tool for checking their code and conduct internal and external vulnerability testing. Any defects discovered are fed immediately back to the developers for resolution. They deploy their application in accordance with a defined change management process, with executive review and approval. Everything done, by the book, a model development operation. Once a version is done and tested, they immediately focus on the new functionality requested by marketing for version two.EndFragment

Add to article pages only Sailthru pagination css [if lte IE 8]> <link href="/www.idge/css/webfonts/ss-ie8.css" rel="stylesheet" /> <![endif] fav and touch icons js google_dfp needs jquery defined first All JavaScript at the bottom, except for Modernizr which enables HTML5 elements & feature detects Begin Eloqua Tracking

StartFragmentIn a static world, their "secure" application would pass additional vulnerability testing next week, next month and next year. Sadly, the information security world is anything but static, with the pace of deterioration increasing monthly. Examples of the changes that impact ongoing application security include:EndFragment Add to article pages only Sailthru pagination css [if lte IE 8]> <link href="/www.idge/css/webfonts/ss-ie8.css" rel="stylesheet" /> <![endif] fav and touch icons js google_dfp needs jquery defined first All JavaScript at the bottom, except for Modernizr which enables HTML5 elements & feature detects Begin Eloqua Tracking StartFragment

  • Operating system patches and configuration changes on server and client

  • Browser changes

  • Discovery of previously unknown vulnerabilities

  • New hacking techniques

StartFragmentSome years ago, maintaining good information security was much like a chess match -- relatively slow moving, and at least somewhat predictable. Now, it is more like running NORAD -- a constant, rapid flow of new information that must be considered and addressed. Thus, if you are resting comfortably in the knowledge that your web application was secure last month, you are resting on an invalid assumption.EndFragment

Add to article pages only Sailthru pagination css [if lte IE 8]> <link href="/www.idge/css/webfonts/ss-ie8.css" rel="stylesheet" /> <![endif] fav and touch icons js google_dfp needs jquery defined first All JavaScript at the bottom, except for Modernizr which enables HTML5 elements & feature detects Begin Eloqua Tracking

StartFragmentSoftware in general, and web applications in particular, must be continually evaluated and monitored. We cannot control the changes that occur, so we must make good security practices a continuous process.EndFragment

Add to article pages only Sailthru pagination css [if lte IE 8]> <link href="/www.idge/css/webfonts/ss-ie8.css" rel="stylesheet" /> <![endif] fav and touch icons js google_dfp needs jquery defined first All JavaScript at the bottom, except for Modernizr which enables HTML5 elements & feature detects Begin Eloqua Tracking

StartFragmentThe recent CareFirst breach serves as a great example of how not to ensure adequate ongoing information security. According to a report in CSO Online, the vulnerability was first discovered in 2014, and was believed by company officials to have been resolved. Ten months later, they learned that they were wrong. The good news is that they apparently discovered the issue proactively, but they offset that success by failing to add the issue to their ongoing monitoring process.EndFragment

Another timely example is the U.S. government breach reported this week. According to a New York Times article, they were warned about the vulnerabilities by the inspector general last year. They might have considered the vulnerabilities a low priority at the time, but once again entropy prevailed.

Add to article pages only Sailthru pagination css [if lte IE 8]> <link href="/www.idge/css/webfonts/ss-ie8.css" rel="stylesheet" /> <![endif] fav and touch icons js google_dfp needs jquery defined first All JavaScript at the bottom, except for Modernizr which enables HTML5 elements & feature detects Begin Eloqua Tracking

StartFragmentUntil we accept as an industry that secure systems and networks are a rapidly moving target, we will continue to hear breach reports like that of CareFirst. We must succeed in integrating appropriate information security practices into our day-to-day operations. I would suggest the following ideas to help accomplish this.EndFragment

StartFragment

  • Security monitoring must be someone's daily focus. Larger organizations are creating security operations centers, which do for security what network operations centers do for network stability. Smaller organizations may not be able to afford such an operation, but this does not relieve them of the responsibility. They must dedicate someone to this, be it an employee or a vendor.

  • The security monitoring process must be dynamic, adapting to day-to-day changes in the threat landscape. The person or persons overseeing this must have time to read, study, and think, applying their findings to the monitoring process. An organization with the same person responsible for daily security monitoring and keeping up with threat intelligence and new discoveries is destined to failure.

  • Tools need to be part of the monitoring strategy. There are a wide variety of automated monitoring and testing tools available, and using some of them is essential to keeping up with changes in a cost-effective manner.

  • Automated tools cannot be installed and ignored. This may seem to contradict the above point, but both are true. Tools are important to the process, but no single tool can be assumed to be right and current all of the time. Some redundancy, either multiple tools or a single tool with human monitoring and testing, is essential to the process.

I confess that I have never read any books by William S. Burroughs, but one of my favorite quotes is attributed to him: “When you stop growing you start dying.” We in the information security world must grow every day to keep up, because I can assure you that the hackers do.

EndFragment

EndFragment

#sdlc #owasp

Featured Posts
Recent Posts
Archive
Follow Us
  • LinkedIn Social Icon
  • Facebook Basic Square
  • Twitter Basic Square

ToGoCIO

 

LET'S TALK: 678-341-3630
  • Facebook Social Icon
  • Twitter App Icon
  • Google+ Social Icon
  • LinkedIn App Icon

© 2016. togoCIO, LLC