Developers and QA Doing Security Testing: I've Got Management Buy-In, Now What?

By Dan Cornell

One of the things I do is answers questions as an "expert" for the web site SearchSoftwareQuality.com and they recently posted an answer I gave to a question about how to get developers and quality assurance folks to do security testing. You can see my blog post about this here as well as the original question and answer here. After I posted this online, Aaron Weaver on Twitter asked a great question: "What else beside management buy-in?"

I had to admit - this was a great question and my original response did kind of boil down to:

• Decide if you really want developers and QA to be performing security testing
• If so, you have to get management support to make it happen

That's all well and good, but doesn't really address the whole issue which could be summed up in the question "Assuming I want developers and QA to be performing security testing AND I have management buy in how do I do this successfully?" So I figured I would provide some more thoughts based on our experience working to get developers and QA folks to help out with security testing.

In short:

1. Understand your goals for dev/QA security testing and let the involved parties know what the goals are
2. Learn about what they are currently doing so you can set proper expectations
3. Provide them context-specific training and support so they can be successful
4. Follow up later to see if you are getting what you wanted

Let's look at each of these in a little more detail:

1 - Know and Communicate Your Goals

What exactly is it that you want to get from having developers or QA folks perform security testing? If you're hoping that providing them some testing tools will magically solve your software security problem you are in for a rude awakening so it is important to be realistic. Are you hoping that developers can catch certain types of security bugs early so you don't have to deal with them later? Is your security group understaffed and you're hoping that QA can help shore you up with some manual application penetration testing? You need to know your goals up-front, be realistic about what you can achieve and make sure that the developers and QA testers know their role in the process. If you can't tell these folks what you want them to do - management buy-in or not - they aren't going to be successful in doing it. Also it is probably a good idea at this point to take some measurements of the current state of affairs - how many security bugs are making it past development and QA? How long - calendar time and level of effort - does it take to fix vulnerabilities once they're identified? This will be important later.

2 - Learn About Current Development and QA Processses

Once you know the outcomes you want to see, it is really important to understand what practices, tools and processes developers are QA already have in place for development and testing. Is the team doing Test-Driven Development (TDD)? Are they using a Contininuous Integration (CI) environment with an existing set of unit and functional tests? Or is the situation, candidly, a mess with no processes, little or not automation and no real framework for making changes. Our sample size isn't really big enough yet to state this quantitatively, but one of the things we found doing some stastistics on software security remediation projects was that teams that had good, "modern" development practices in place were able to fix vulnerabilities with less disruption and effort. The same goes for integrating security testing into the activities of development and QA teams - the maturity of their overall environment is going to be an indicator of what you can expect these folks to be able to do on the security front.

3 - Provide Context-Specific Training and Support

After you know what you want developers and testers to do and have reality-checked these goals against the ground truth of what the teams are capable of, you need to show them what you want them to do and the more specific and context-relevant you can make this education, the more successful you are going to be. I used to think that teaching the principles of secure development was sufficient - if developers know they need to do input validation and contextual encoding they'll go out and find the appropriate resources for their particular environment, right? I also used to think that all developers loved to spend their free time looking at different tools and figuring out how they could be useful in their environment. In short, I was an idiot. (Arguably I'm still an idiot, but that is probably something to explore in other blog posts...) Developers and testers already have jobs to do and, prior to your current initiative, those jobs probably didn't require them to do security testing. Management buy-in is helpful to spur actions, but development and non-security testing still has to get done. Assuming you want to developers and testers to adopt new practices and new tools at any sort of scale you need to show them what they need to do and be as specific and prescriptive as possible so that you minimize the impact on ... all the other stuff the developers and QA testers are supposed to do.

4 - Follow Up

If you've crafted your developer and QA security testing program along these lines so far hopefully you're in a position where you can see some results. So next you need to check and see if you're actually getting the results you want. If you wanted developers to start running a static analysis tool and catching things like SQL injection and cross-site scripting (XSS) before it got to pre-deployment testing you should check to see if that is actually happening (you did remember to check and see how many SQLi and XSS you were finding before you made this change, right?) If it is - fantastic! If not - why not? This post is predicated on the assumption that you have enough management buy-in to get these teams to change their behavior. If you like having management buy-in and want to continue to have it in the future you'd best have answers to questions like "I authorized you to spend $X on application security testing - what did we get from that?"

Watching This In Action

I had the opportunity to run through this process with a group who was rolling out a static analysis tool to their developers recently. They had purchased enough licenses for the majority of their developers and wanted to use the static analysis tool to decrease PCI-relevant findings before applications got in front of PCI auditors. We worked with them to understand their development environment and how code was developed, tested and ultimately deployed to production. Based on this we crafted a very specific rollout and training plan. Part of this program development was a conversation like this:

Me: "... and we can show them the different types of analysis the tool can perform - it has some really cool capabilities"

Security Rep: "Don't care"

Me: "... and we can show them how to write their own custom rules - that can be really helpful tuning the tool to work for applications in your environment"

Security Rep: "Don't care"

Me: "... and ..."

Security Rep: "I just want you to show them how to install the IDE plugin, how to click the button to run a scan, and how to interpret and address the results the scan kicks out. Any other problems - they can come to me for help."

And that's exactly what we did. Did we strike a "grand bargain" to radically change the way this organization develops software? No. Did we turn all of their developers into secure software development gurus? No. But what we did accomplish was:

• Took an investment of money and staff time
• Acquired a new technology and rolled it out by changing the organization's processes and training the relevant staff on what they need to do to be successful
• Put the developers in a position to find and address important vulnerabilities earlier in their development process
• Reduced the vulnerability count in their software and made their PCI audits less painful (with graphs to prove it!)

Was this a "home run" for the cause of software security in this organization? No. Was it a solid single or double? Yeah I think it was. And, possibly more important, it provides a track record of success that can be used to make further advancements. I'll take it.

Contact us to talk about the roles development and QA can play in building secure software.

--Dan

dan _at_ denimgroup.com

@danielcornell

Search Software Quality: Who Is Responsible for Software Security Testing?

By Dan Cornell

Search Software Quality published another of my answers to reader questions:

When devising an application security plan, how do you get developers and testers to assume responsibility for security when many don't see it as part of their jobs?

You can see my full answer online where I talk about different strategies for assigning responsibility for testing (sorry - registration required). For those looking for a quick preview, I talk about:

• Is this actually something you want developers and QA to be responsible for?
• Crafting rewards (and penalties) to be applied to development and testing teams
• Common drivers that help justify the need for application security testing

Developers and QA teams definitely have a role to play in building and deploying secure applications, but you need to understand what role you want them to play in your organization and craft incentives accordingly. Often, getting the required clout to make this happen often requires some external factors to help justify the invesment.

Contact us for help building an effective software security program for your organization.

--Dan

dan _at_ denimgroup.com

@danielcornell

Denim Group at InnoTech San Antonio 2013: Smart Phones Dumb Apps

By Dan Cornell

Folks headed to InnoTech San Antonio on Wednesday April 17th, 2013 should stop by the Denim Group booth and say howdy. Also, I'll be giving an updated version of my Smart Phones Dumb Apps talk at 1:00pm. The abstract for that talk is:

Enterprises are targeting both internal users and customers with smartphone applications for platforms such as Apple iPhone and Google Android.  Many of these applications are constructed without fully considering the associated security implications of their deployment.  Breaches can impact both users as well as the enterprise distributing the application as attackers take advantage of expanded access to sensitive data and network services.  This talk discusses emerging threats associated with deploying  smartphone applications  and provides an overview of the threat modeling process.  The presentation then walks example applications from an attacker’s perspective demonstrating the sort of information they are able to extract allowing for more advanced attacks.

So if your organization is building - or using - mobile applications on platforms like Android and iOS (iPhone/iPad) you probably want to drop by. This is a fun, interactive presentation with a lot of examples that helps demonstrate why mobile security isn't just about MDM and dealing with BYOD. You also need to pay attention to the applications getting deployed on these mobile operating systems if you want to protect both your organization's and your customers' data.

Also if you want a FREE admission to InnoTech San Antonio 2013, head to www.innotechsan.com and use the code SPK13C to register.

 Contact us if you want to meet up at InnoTech San Antonio 2013 and talk about mobile application security.

--Dan

dan _at_ denimgroup.com

@danielcornell

Related articles

Denim Group at BSides Austin 2013: Building Secure Mobile Apps and Software Security Implementation Patterns

Search Software Quality: Understanding Mobile, Web and Cloud Apps and System Architecture

Smart Phones Dumb Apps Scripts Updated

Search Software Quality: Stamping Out Cross-Site Scripting and SQL Injection

By Dan Cornell

Search Software Quality published another of my answers to reader questions:

Why are SQL injections or XSS (cross-site scripting) errors still the biggest problem in application security, particularly web application security? What tests or processes can we use to reduce this problem?

You can see my full answer online where I talk about taking a multi-pronged approach to addressing these issues (sorry - registration required). For those looking for a quick preview, I talk about:

• Knowing you application attack surface (you can't defend what you don't know about)
• Training developers to build applications that aren't susceptible to common attacks
• Verifying that training was effective by implementing a testing program

It is certainly possible to build applications that don't contain these errors, but few organizations have been successful implementing a comprehensive approach for dealing with these issues. However, by understanding the scope of the problem and the steps required to get it under control, organizations can make significant progress.

Contact us for help finding and eliminating common errors like SQL injection and cross-site scripting (XSS) from your applications.

--Dan

dan _at_ denimgroup.com

@danielcornell

Related articles

Search Software Quality: Expanding Cloud-Based Technologies - Application Performance Issues

Search Software Quality: Data Security in a SaaS World

RSA 2013 Video: What's Ailing Enterprise Software Security Management?

By Dan Cornell 

I caught up with Jan Stafford from TechTarget while in San Francisco for RSA 2013 about a week and a half ago. One of the things we talked about were challenges enterprises are facing getting their software security programs firing on all cylinders. You can see the write-up here and the video online here:

Apparently people weren't joking when they told me I needed a haircut before I left for RSA...

The article also has a great point from John Dickson, which is that rolling out software security programs in any large enterprise involves a large internal selling component to get development groups on-board with what security teams need from them. Check it out.

Contact us for help getting your software security program on the right track.

--Dan

dan _at_ denimgroup.com

@danielcornell

Related articles

ThreadFix 1.1 Release Candidate Now Available

Search Software Quality: Data Security in a SaaS World

RSA 2013 Video: What's Ailing Enterprise Software Security Management?

Denim Group at BSides Austin 2013: Building Secure Mobile Apps and Software Security Implementation Patterns

Denim Group at BSides Austin 2013: Building Secure Mobile Apps and Software Security Implementation Patterns

By Dan Cornell

 

I will be up at BSides Austin 2013 in a couple of weeks. Thursday March 21st I will be giving a short training class from 4:00pm through 6:00pm titled "Developing Secure Mobile Applications." The brief abstract is:

This course provides an introduction to security for mobile applications. It walks through a basic threat model for a mobile application. This threat model is then used as a framework for making good decisions about designing and building applications as well as for testing the security of existing applications. Examples are provided for both iOS (iPhone and iPad) and Android platforms and sample code is provided to demonstrate mobile security assessment techniques.

We've only got two hours so I can't teach you everything about building and testing secure mobile apps (assuming I even knew everything about the subject...) but I can help make you smarter. Should be a good time.

Also on Friday March 22nd from 1:00pm to 2:00pm I will be giving a talk titled "Implementation Patterns for Software Security Programs" The abstract for this talk is:

Every organization’s software security program implementation is different, but patterns exist providing guidance to those looking to plan for their program rollouts. This presentation covers several aspects of this process including the “ownership” of the software security program as well as implementation of static code analysis, dynamic application testing and developer security education.

This should be a fun one because we talk through war stories of things we've seen be successful as well as things we've seen go horribly wrong.

Contact us if you want to meet up at BSides Austin 2013. The last time I checked there were still tickets available.

--Dan

dan _at_ denimgroup.com

@danielcornell

Search Software Quality: Data Security in a SaaS World

By Dan Cornell

Search Software Quality published another of my answers to reader questions:

As a security administrator, I am concerned abou the security of my company's data as it moves between two vendors' SaaS applications. Am I wrong to think that there's a weak link there? What steps can I take to test, monitor and strengthen security when data is en route?

You can see my full answer online where I talk about the importance of understanding how your data is going to be handled and negotiating appropriate legal controls before you start to load sensitive data into SaaS applications (sorry - registration required). For those looking for a quick preview, I talk about:

• Understanding the SaaS provider's data handling procedures as well as the procedures of any partners who will also have access to sensitive data
• Shaping your use of the SaaS platform to turn off features that could result in data being communicated to additional parties
• Maintaining the right to test the security of the SaaS applications on a periodic basis.

SaaS applications can provide great benefits, but you have to understand what data they are going to be allowed to manage and what assurances the provider can give that this will be done correctly. And the time to negotiate these points is before contracts are signed and the provider already has access to your data.

Contact us for help making sure the SaaS applications you rely on treat your data right.

--Dan

dan _at_ denimgroup.com

@danielcornell

Security Snafu on ThreadFix: Don't Code Your Own Vulnerability Management System

By Dan Cornell

Recently Securty Snafu took a look at ThreadFix and posted some thoughts. First I wanted to thank them for taking a look - we're always thrilled to have folks work witih ThreadFix and provide feedback. Also I wanted to emphasize a couple of things they mentioned:

• If You're Thinking About Rolling Your Own Application Vulnerability Management System: Don't - This is something we've encountered over and over again as we've talked to different organizations in the course of developing ThreadFix. We have found so many home-grown, in-house vulnerabilty management solutions. What we typically see in these cases is that something got built to solve a specific need and then the project ballooned, resulting in a whole bunch of code that no one wants to maintain. We think ThreadFix is a great alternative in cases like this because it provides all the basics of importing and consolidating vulnerability results, is under active development and is freely available under the Mozilla Public License (MPL). Commercial support is available for organizations who are interested so they don't have to rely on tracking down internal resources that have probably moved on to other initiatives. This provides a much better base for most vulnerability management programs than a bunch of unmaintainable in-house code. And if you need special functionality, you can fork ThreadFix and build your in-house solution on it as a base (or have us do it for you). But before you do that, be sure to understand that...
• ThreadFix's API Makes It Possible To Integrate It With Your Processes - Every organization handles vulnerability management a little different and some handle it very differently. With ThreadFix we've tried to implement the basic workflows that we see over and over again and we've provided a REST-based API that can be used to drive ThreadFix's behavior and to integrate it with the wide variety of tools and processes that interact with organizations' vulnerability management initiatives. Josh Sokol and I talked about this in our presentation "The Magic of Symbiotic Security" (take a look at the bottom of this post if you want to watch a video of this presentation) In addition to the REST API we also provide a command-line tool to simplify these integrations. With the combination of these facilities, it should be possible to integrate ThreadFix into your continuous integration builds, GRC system and so on.

Again - thanks to Security Snafu for taking a look at ThreadFix. We hope that having a resource like ThreadFix available will make organizations think twice before rolling their own vulnerability management solution. It covers the basics, can be extended and modified and it is free. With commercial support available what is not to like?

Contact us for help building your vulnerability management program with ThreadFix.

--Dan

dan _at_ denimgroup.com

@danielcornell

Search Software Quality: Expanding Cloud-Based Technologies - Application Performance Issues

By Dan Cornell

Search Software Quality published another of my answers to reader questions:

The cloud changes the application performance management picture, depending on how much or how little data is managed through cloud services. What are the implications of the broadening use of the cloud on application performance issues?

You can see my full answer online where I talk about the different concerns you should look into for Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) application components (sorry - registration required). For those looking for a quick preview, I lay out situations where you should (hopefully) be able to rely on your vendors to meet performance goals - backed up by your SLA, of course - as well as situations where you have to focus on crafting an infrastructure setup to meet your performance goals yourself. I also briefly look at current performance management tools and situations where you might need to roll some of your own solutions to gather the data you will need..

Contact us for help building mobile, web and cloud application with critical security and performance requirements.

--Dan

dan _at_ denimgroup.com

@danielcornell

Smart Phones Dumb Apps Scripts Updated

By Dan Cornell

Last week I pushed some updates to the mobile application assessment scripts we released with my Smart Phones Dumb Apps presentation a while back. These scripts do some light static analysis on Android and (unencrypted) iOS binaries - mainly setting up a list of things to manually examine during a more thorough analysis. Most of these updates are courtesy of Abraham Aranguren ([name] . [surname] @owasp.org, @7a_ on Twitter) who updated a couple of packaged external tools those scripts relied on such as FindBugs and dex2jar (thanks!). You can also check out a great blog post Abraham put up listing a number of really valuable Android application security resources.

Mobile application security continues to be an area organizations struggle with. Everyone feels huge schedule pressures to get new applications and new functionality released. Developers dive into development projects without understanding how to design and build secure mobile applications. The result is pretty predictable - vulnerable mobile apps and, even scarier in most cases, vulnerable web services supporting those mobile apps.

Keep an eye on this space - at Denim Group we've been doing a lot of work both assessing the security of mobile applications as well as helping firms design and build secure mobile apps. In the next couple of months we're looking at making more of what we've been doing publicly available and hopefully organizations will be able to use that to step up their mobile security skills.

Contact us for help building secure mobile applications and setting up security assessment program for your organization's mobile strategy.

--Dan

dan _at_ denimgroup.com

@danielcornell