Pay more attention to security issues in applications

In all aspects of information system security, there are too many things that require special attention from CIOs and CSO personnel. Many people have been numb to reminders from various aspects. However, the security experts should remind these owners again. There is no doubt that there are sufficient reasons to prove that the following will
The issues discussed should be listed as their focus, which is software security (also known as application security ).

CIOs need to be involved in software development processes

Some may ask, have CIOs and CSO who have been the principal person in charge of information security been testing the security of application systems over the years? Why are they not considering application software security? Here, I will explain it first.

Over the years, CIOs have gradually approached this level for information security. For example, they have entered the network layer through the operating system and recently began to consider the application layer. However, what we want to talk about here is that this "closeness" is too superficial. Yes, we have purchased a variety of security products. We have installed firewalls, intrusion detection systems, and intrusion protection systems, there are also personal firewalls, anti-spam and anti-spyware systems, anti-virus, etc. We are constantly buying and installing the system. We hope that a product or a software combination can ensure the normal operation of our business.

However, the fact below is undeniable that today our business activities are carried out largely on the basis of application software. Although these systems are fully considered in terms of security, I do not advocate completely abandoning these security measures, but we cannot expect them to provide the application software security we need.

The only way to solve this problem is to get started as soon as possible and participate in the software development process, that is, to enter the software security field, including software design, development, and software security testing.

Based on the author's experience, because of the adoption of software outsourcing, software development work in large enterprises is decreasing in scope and development workload. For enterprises, as long as the software meets the needs of these enterprises. Therefore, in most cases, CIOs of an enterprise are not closely related to the real development of software. It can be said that few CIOs are actually involved in the actual development of software, in addition to the upcoming delivery of software that has been developed, the so-called security testing of the software is required. In this case, the Test is usually a Penetration Test, which is exactly what we have done badly in software security.

To ensure software security, you must be involved in the entire process from the early stage of software product development to the end of the software. At this stage, it is difficult to see people doing this. In fact, such tools (or services) are indeed needed ).

It sounds simple, but it is not easy to do. This is easy to understand, because there are too many obstacles to be crossed before reaching this goal. CIOs, even the most qualified information security engineers, are rarely able to say that they are very proficient in software development. They do not know which technologies can help them. On the other hand, for developers, they lack an understanding of the attack tools and technologies of modern software, and do not have the ability to independently develop software that can respond to these attacks.

Bridge the gap

There is a great gap between developers and information security personnel. This is a real gap that must be crossed, the solution is not as simple as sending IT staff to participate in software training or sending software developers to participate in "hacker homes". In fact, IT is much more difficult and complex than this solution, this involves collaboration between multiple teams or organizations.

First of all, we can see that there are many software development processes. There are very primitive methods of development that advocate personal heroism, and there is also an ancient concept of software development lifecycle theory. Although the software process varies, these methods all have one thing in common, that is, there will be a set of products at last. These products include design documents (depending on the software process and specific content), software source code and test plans/results.

If we carefully review these products, we can find that there are still opportunities for improvement in security, and there are even many opportunities for us to improve the security of software. Next we will give a brief introduction to these opportunities.

Many (but not all) software developers will take collecting and organizing functional requirements as the first step in software development. They will form requirement documents or use cases, it is used to describe how users end up using the software.

This step is the first opportunity to ensure the security of software products. One approach is to conduct the commonly referred Abuse Case Analysis ). This is a simple method. The idea is to check whether some functions in the software may be abused by attackers. For example, assume that a Web application wants to add a newsgroup subscription function to it. This feature may be abused by attackers. For example, hackers can use tools to automatically subscribe to the service for tens of thousands of times, so that the next time a newsgroup email is sent, this Web application will send to these subscribers and become a spam producer. If these issues are not taken into account in the page design and subscription processes, they may eventually have a very bad impact on the enterprises running these applications.

Almost all software developers are designing their designs into documents. Here we also have the opportunity to evaluate the design from a security perspective. As people know, there are several ways to do this (I will not repeat it here). These methods have one thing in common, that is, they will be analyzed in depth, including components, interfaces, and other objects that may be attacked.

To a minimum, design reviews should include at least understanding the business activities supported by the software, carefully studying specific designs, and communicating with the designers. In addition to business risk analysis, technical evaluation is also required. Once discovered, they should be recorded immediately and prioritized. If necessary, modify and improve the design, or, at least, formulate corresponding countermeasures for these risks, especially those critical ones.

It sounds like a conventional saying. However, in addition to extremely complex situations, only software developers and information security engineers can work together to accomplish the above objectives.

Collaboration

Coding for a long time, for various reasons, information security personnel have not been involved in the software development process. In fact, it is one of the most difficult tasks for information security personnel to review the process with developers, this requires a deep understanding of the technologies and programming languages used during development.

The good news is that there are already several practical commercial software that can help developers analyze the security of their source code. Together, developers and information security personnel can analyze the analysis results of these tools and evaluate the problems and possible consequences discovered by the analysis tools to improve software security.

As described earlier, many security tests today are just attack tests. Even the so-called "application attack test" is just a "black box" test, which uses some attack tools and technologies that we already know very well to remotely attack the software.

But this is not enough. In the field of software testing, Coverage is a common method for evaluating the test results. Overwrite involves many aspects, such as the percentage of code that has been run during testing to all code.

According to the coverage theory, unless for special reasons, attack testing is only an integral part of security testing, it must work with code check, error condition check, and boundary check to ensure software security. This is a complete process.

Here, CIOs need to play their roles. Because software testing is usually part of the work of the Software Quality Assurance Team, QA testers are more concerned about whether the software meets functional requirements and compliance with relevant specifications. In other words, they test how the software works, it does not care how the software is cracked or abused by someone with ulterior motives.

In order to fully test the security of application software, in addition to functional aspects, the test plan and scenarios must consider how attackers conduct attacks. This is also where people responsible for information security are involved.

There is no doubt that the security of application software is very complicated. It is just a bit tricky here. However, the most fundamental problem is that most CIOs are not aware of the need to intervene in the software development process and discover opportunities to work with software developers to ensure software security. On the other hand, CIOs also need to have a full understanding of technology development to effectively take advantage of this opportunity. At present, we need to establish a cooperative environment and atmosphere in the enterprise. In practice, we hear that CIOs and developers use too many "we" and "they" to name each other. Obviously, to ensure the security of application software, developers alone, or various testing tools and products alone cannot achieve this, and everyone needs to make joint efforts.