Paved Road - Application Security Program

Premise

During my latest assignments at an insurance firm and a government services firm, part of my main job responsibility as a Security Architect was supporting and ramping up an application security program. Applications were primarily hosted in data centers and at local sites, and the main technologies were Java, Node.js and Python on the server side, and React.js, Angular, JavaScript, PHP and .NET on the front end.

What and How

Huge shoutout to @netflix security for introducing the paved road concept: a model based on trust, establishing strategic partnerships between application security and the other teams so that both can share and thrive. Prior to adopting it, we went through a horrid phase both introducing the program to the teams and managing it.

There was no defined process for selecting which applications qualified for security testing, nor any manageable way to test, prioritize, communicate and monitor.

Identification

As described in the paved road concept, we had to spend time defining attributes which, once collected for each application, would help us identify its risk and thereby prioritize which applications had to be planned for and subsequently addressed. The attributes were all stored in the System of Record database for each application / asset. They were selected from three categories: Business Impact, Regulatory Risk and System Significance.

  • Business Impact: Financial, Operational, Clearing/Settlement, Recovery Time Objective (RTO), Legal / Compliance penalties

  • Regulatory Risk: COSO/SOX, SOC1 rating

  • System Significance: Data classification, number of users, number of sensitive records, application type / hosted location, Transaction Risk Level
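Worked example of the identification step, added here and not the author's own scoring tool: it turns the three attribute categories above into a numeric score per application and a Critical / High / Medium / Low tier, then ranks the portfolio so planning can start from the top. The point scales, tier cut-offs, field names and the three sample application records are assumptions made for illustration.

```python
"""Application risk tiering from system-of-record attributes.

Added illustration, not the author's program or tooling. It assumes each
application record carries the attribute categories named in the post
(Business Impact, Regulatory Risk, System Significance). The point values,
tier cut-offs and sample records below are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Assumed ordinal scales; higher means more risk.
IMPACT_SCALE = {"none": 0, "low": 1, "medium": 2, "high": 3}
DATA_CLASSIFICATION = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
HOSTING = {"internal_only": 0, "partner_facing": 1, "internet_facing": 2}
TRANSACTION_RISK = {"low": 0, "medium": 1, "high": 2}


def _scale(table: dict, value: str, attribute: str) -> int:
    """Look up an ordinal attribute, failing loudly on unknown values so a
    typo in the system of record cannot silently score as zero risk."""
    if value not in table:
        raise ValueError(f"unknown {attribute} value: {value!r}")
    return table[value]


def _bucket(value: int, thresholds: List[Tuple[int, int]]) -> int:
    """Return the points of the first (minimum, points) pair the value reaches."""
    for minimum, points in thresholds:
        if value >= minimum:
            return points
    return 0


@dataclass
class AppRecord:
    name: str
    # Business Impact
    financial_impact: str
    operational_impact: str
    clearing_settlement: bool
    rto_hours: int
    legal_penalties: bool
    # Regulatory Risk
    sox_in_scope: bool
    soc1_in_scope: bool
    # System Significance
    data_classification: str
    user_count: int
    sensitive_records: int
    hosting: str
    transaction_risk: str


def business_impact_score(app: AppRecord) -> int:
    """0-13 points. A shorter RTO means the business tolerates less downtime."""
    rto_points = 3 if app.rto_hours <= 4 else 2 if app.rto_hours <= 24 else 1 if app.rto_hours <= 72 else 0
    return (_scale(IMPACT_SCALE, app.financial_impact, "financial_impact")
            + _scale(IMPACT_SCALE, app.operational_impact, "operational_impact")
            + (2 if app.clearing_settlement else 0)
            + rto_points
            + (2 if app.legal_penalties else 0))


def regulatory_risk_score(app: AppRecord) -> int:
    """0-5 points for COSO/SOX and SOC1 scope."""
    return (3 if app.sox_in_scope else 0) + (2 if app.soc1_in_scope else 0)


def system_significance_score(app: AppRecord) -> int:
    """0-13 points for data, population, exposure and transaction risk."""
    return (_scale(DATA_CLASSIFICATION, app.data_classification, "data_classification")
            + _bucket(app.user_count, [(100_000, 3), (10_000, 2), (1_000, 1)])
            + _bucket(app.sensitive_records, [(1_000_000, 3), (100_000, 2), (1_000, 1)])
            + _scale(HOSTING, app.hosting, "hosting")
            + _scale(TRANSACTION_RISK, app.transaction_risk, "transaction_risk"))


def risk_score(app: AppRecord) -> int:
    return business_impact_score(app) + regulatory_risk_score(app) + system_significance_score(app)


def risk_tier(score: int) -> str:
    """Assumed cut-offs over the 0-31 range."""
    if score >= 22:
        return "Critical"
    if score >= 14:
        return "High"
    if score >= 7:
        return "Medium"
    return "Low"


def prioritize(apps: List[AppRecord]) -> List[Tuple[str, int, str]]:
    """Rank applications so the Critical ones are planned for first."""
    ranked = [(app.name, risk_score(app), risk_tier(risk_score(app))) for app in apps]
    return sorted(ranked, key=lambda row: (-row[1], row[0]))


# Constructed sample records (not real systems).
SAMPLE_APPS = [
    AppRecord("claims-portal", "high", "high", True, 4, True, True, True,
              "restricted", 250_000, 2_000_000, "internet_facing", "high"),
    AppRecord("intranet-wiki", "none", "low", False, 72, False, False, False,
              "internal", 500, 0, "internal_only", "low"),
    AppRecord("agent-scheduler", "medium", "medium", False, 24, False, False, True,
              "confidential", 5_000, 20_000, "partner_facing", "medium"),
]

if __name__ == "__main__":
    for name, score, tier in prioritize(SAMPLE_APPS):
        print(f"{name:16} score={score:2d} tier={tier}")
```

Unknown attribute values raise rather than score zero, so a mistyped entry in the system of record surfaces during tiering instead of quietly demoting an application to Low.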

Discovery Meeting

Once the application risk levels were identified, we worked through the applications in priority order, from Critical and High down to Low. We decided that having a central point of contact (Liaison) for each targeted app in the corresponding Line of Business made it easier to communicate and coordinate activities. The initial few meetings were very beneficial: they helped the teams understand our intent, established shared goals and responsibilities, and above all built trust and partnership between the security team and the app Liaison, along with an open communication channel between teams. One of the main takeaways from these meetings was identifying ways the security team could help, such as creating custom modules/libraries or suggesting custom tools to address some of the vulnerabilities identified, based on the concerns the teams had shared.

Security Review, alignment and feedback

The intent here is to consolidate vulnerabilities gathered from other sources (system scanning, centrally managed static/dynamic application testing, pen tests) for the targeted app, prioritize them, provide solutions (custom libraries, internal tools) that can be used to address them, and share the list with the app Liaison to align on their current workload, their priorities, and how the reported vulnerabilities can be addressed together.

Being a smaller organization without an application portfolio as massive as Netflix's, most types of vulnerabilities were effectively resolved with custom libraries, Single Sign-On, service security with TLS certificates, and improvements in deployments for better management of secrets. Legacy apps on older versions of certain frameworks, which were on the path to decommissioning, needed tighter controls around authentication, authorization and least-privilege access to keep them more secure than before.

Specific care was taken in these regularly scheduled meetings to review progress, to always suggest or assist with a solution, and to be sensitive to the team's current state and the other initiatives competing for their priority, so that the items that needed to be addressed could be scheduled with them.
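Added example of the consolidation step (not the author's tooling): it merges findings from the sources the post lists, keeps the highest severity when two tools report the same issue, ranks by severity weighted by the application's risk tier from the identification step, and groups the result into a work queue per Liaison. The application inventory, findings, field names, locations and weights are all constructed for illustration.

```python
"""Consolidate findings from several sources into one prioritized list per
application Liaison.

Added illustration, not the author's tooling. It assumes findings from
system scanning, SAST, DAST and pen tests have already been normalised into
the dict shape below, and that each application's risk tier (from the
identification step) and its Liaison are known. The inventory, findings,
field names and weights are constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, List

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
TIER_WEIGHT = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}

# Constructed inventory: application -> (risk tier, Liaison)
APP_INVENTORY = {
    "claims-portal": ("Critical", "claims-liaison"),
    "agent-scheduler": ("High", "agency-liaison"),
    "intranet-wiki": ("Low", "it-liaison"),
}

# Constructed findings. The same SQL injection in claims-portal is reported
# by both SAST and the pen test and must end up as a single item.
RAW_FINDINGS = [
    {"source": "sast", "app": "claims-portal", "category": "sql-injection",
     "location": "ClaimSearch.java:118", "severity": "high"},
    {"source": "pentest", "app": "claims-portal", "category": "sql-injection",
     "location": "ClaimSearch.java:118", "severity": "critical"},
    {"source": "dast", "app": "claims-portal", "category": "missing-security-headers",
     "location": "/login", "severity": "low"},
    {"source": "system-scan", "app": "agent-scheduler", "category": "outdated-tls",
     "location": "scheduler-01:443", "severity": "medium"},
    {"source": "sast", "app": "intranet-wiki", "category": "xss",
     "location": "page.php:42", "severity": "high"},
]


def consolidate(findings: List[Dict]) -> List[Dict]:
    """Merge duplicates (same app, category and location), keeping the highest
    reported severity and every source that reported the issue."""
    merged: Dict[tuple, Dict] = {}
    for f in findings:
        key = (f["app"], f["category"], f["location"])
        item = merged.get(key)
        if item is None:
            merged[key] = {"app": f["app"], "category": f["category"],
                           "location": f["location"], "severity": f["severity"],
                           "sources": [f["source"]]}
            continue
        item["sources"].append(f["source"])
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[item["severity"]]:
            item["severity"] = f["severity"]
    return list(merged.values())


def priority(finding: Dict) -> int:
    """Severity weighted by the application's risk tier, so a medium on a
    High-tier app outranks a high on a Low-tier app."""
    tier, _ = APP_INVENTORY[finding["app"]]
    return SEVERITY_RANK[finding["severity"]] * TIER_WEIGHT[tier]


def rank_findings(findings: List[Dict]) -> List[Dict]:
    """Consolidated findings, highest priority first (ties broken by name)."""
    return sorted(consolidate(findings),
                  key=lambda f: (-priority(f), f["app"], f["category"]))


def by_liaison(findings: List[Dict]) -> Dict[str, List[Dict]]:
    """Split the ranked list into the work queue to review with each Liaison."""
    queues: Dict[str, List[Dict]] = defaultdict(list)
    for f in rank_findings(findings):
        _, liaison = APP_INVENTORY[f["app"]]
        queues[liaison].append(f)
    return dict(queues)


if __name__ == "__main__":
    for liaison, items in by_liaison(RAW_FINDINGS).items():
        print(liaison)
        for f in items:
            print(f"  p={priority(f):2d} {f['app']:16} {f['severity']:8} "
                  f"{f['category']} ({', '.join(f['sources'])})")
```

Keeping every reporting source on the merged item is what lets the Liaison meeting say "this one was confirmed by the pen test as well as the scanner" without re-running anything, and the tier weighting is why a medium finding on a High-tier app lands above a high finding on a Low-tier one in the sample output.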

Framework Maturity

These initiatives have been very well received in both organizations. I am happy to say the relevant paved road practices have indeed been adopted, and the Severity 1 reported vulnerabilities have been remediated on all Critical and High risk applications. Addressing the lower-risk apps and the lower-priority items for each app is currently in progress.

Takeaways

  • A systematic way to calculate application risk was described.

  • An organized way to approach and implement application security practices, and more importantly a process to promote security awareness across the organization, were described.