Sunday, April 19, 2009

5-phase approach in successful vulnerability management

Know the problem

Many people have wrong perceptions of the issue. Examples of these perceptions include:

  • Vulnerability Management = Apply Software Patch
  • Vulnerability only occurs in Microsoft operating system products
  • Vulnerability Management is only needed by large enterprise

The fundamental fact of the software life cycle is that software always contains programming errors, referred to as bugs. Traditionally, a bug simply meant that the program did not behave according to the initial software specification. Nowadays, however, bugs can be more complicated. The problems may involve insecure coding methods that lead to memory leakage or privilege escalation.

No software is free of issues. Software vendors put effort into fixing the problems that are discovered.

Understand the current situation – Scanning, Assessment and Trending

Does it mean I just apply all the software patches and the problem is solved? Not exactly. The author suggests a vulnerability assessment with an experienced security consultant. This assessment process involves initial vulnerability scans and trend analysis. The security consultant should provide a trend report and suggestions on how to develop a vulnerability management strategy. The vulnerability situation in one part of the enterprise can be better than that in others. For example, the server farm may contain fewer vulnerabilities. This is quite typical, as the server farm may be administered by a different group of people, and the hardening procedures for production servers may be different from those for other machines in the enterprise.

Develop vulnerability management strategy

A vulnerability management strategy is important for enterprises of all sizes. If a specific part of the infrastructure does not contain any customized software (for example, an email server running Microsoft Exchange 2007 on Microsoft Windows Server 2003), its vulnerability strategy will be quite different from that of infrastructure components running an in-house developed CRM application. It is essential to have security professionals review and assess the vulnerability management strategy. This makes sure the strategy is practical and meets the industry baseline requirements.

Implement the vulnerability management strategy

Once the vulnerability management strategy is defined and confirmed, it is time for implementation. The tools that help implement the strategy are as important as the strategy itself. Tools may include a vulnerability scanner, patch management software, patch testing software, etc. These tools can automate the vulnerability management strategy and hence improve the overall security situation of the enterprise.

Continued reassessment

Regular reassessment of the strategy is crucial. The review should cover how the strategy was executed, the enterprise-wide vulnerability trend analysis and the strategy itself. The author recommends that the strategy be reviewed every year by an information security professional.

Saturday, April 18, 2009

Security Ingredients in Software Development

Security is a basic requirement in every software development project. However, most system analysts miss this fundamental requirement. This is because, when system analysts start the requirements engineering process, they focus on the business requirements, and the end users are not able to provide insight on information security.

The term “Security” used here essentially refers to the CIA Triad: Confidentiality, Integrity and Availability. That means that, apart from meeting the business requirements that solve real-world business problems, the target application must also meet the information security requirements at the same time.

Confidentiality means ensuring that information is accessible only to those authorized to have access. This typically refers to authentication and authorization, that is, confirming one’s identity and then allowing or denying that individual’s access based on an access control technique. In the past, this meant a username and password combination for authentication and an access control list for authorization. There are other techniques nowadays. The system should check the individual’s access rights to allow or deny access to specific resources. Security features should also protect against unauthorized access. For example, even if the application already includes authentication and authorization, confidentiality still fails if the related data travels over the network and is stored in the database without appropriate protection. Protection of data in transit and data at rest should also be considered, typically using encryption if local laws allow.

Integrity refers to the consistency and accuracy of the data. This extends to who has accessed and modified the data. Access to and modification of the data through the application under development should be logged to provide an audit trail. Moreover, additional controls should be applied to make sure data in transit and data at rest are protected. This means that if the data is modified unexpectedly, the application should be able to detect it. A typical technique to ensure integrity is a combination of hashing, digital signing and encryption.
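The audit trail and tamper detection described above can be combined in one structure. The following is an added example, not code from the original post: each log entry carries an HMAC-SHA256 tag (a keyed hash, used here in place of a digital signature) computed over the entry and the previous entry's tag, so editing or deleting an entry breaks verification from that point on. The field names, function names and sample events are assumptions made for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # "previous tag" value used for the first entry


def _tag(key: bytes, prev_tag: str, body: dict) -> str:
    # Canonical JSON so the same body always serialises to the same bytes.
    data = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev_tag + data).encode(), hashlib.sha256).hexdigest()


def append_entry(log: list, key: bytes, ts: str, actor: str,
                 action: str, record: str) -> dict:
    """Append an access/modification event chained to the previous entry."""
    prev_tag = log[-1]["tag"] if log else GENESIS
    body = {"ts": ts, "actor": actor, "action": action, "record": record}
    entry = {**body, "tag": _tag(key, prev_tag, body)}
    log.append(entry)
    return entry


def first_tampered(log: list, key: bytes):
    """Return the index of the first entry failing verification, or None."""
    prev_tag = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "tag"}
        expected = _tag(key, prev_tag, body)
        # Constant-time comparison of the stored and recomputed tags.
        if not hmac.compare_digest(expected, str(entry.get("tag", ""))):
            return i
        prev_tag = entry["tag"]
    return None


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; keep real keys off the log host
    log = []
    append_entry(log, key, "2009-04-18T09:00:00Z", "alice", "read", "customer/17")
    append_entry(log, key, "2009-04-18T09:05:00Z", "bob", "update", "customer/17")
    print("clean log:", first_tampered(log, key))
    log[1]["actor"] = "alice"  # simulate an unexpected modification
    print("after edit:", first_tampered(log, key))
```

The chain does not reveal removal of the most recent entries; detecting that requires storing the latest tag or an entry count somewhere the log writer cannot change.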

Availability guarantees that the features of the system under development are available when needed. This includes not only the security features, but also other system features. In terms of security, the system should be able to withstand denial-of-service attacks. High availability configuration, a tarpit applied on failed authentication and other redundant arrangements are mainstream practices for availability.
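One way to build the tarpit on failed authentication mentioned above, as an added example that is not part of the original post: the wait doubles with each consecutive failure up to a cap, old failures expire, and the tracking table is bounded so the tarpit cannot itself be used to exhaust memory. The class name, parameters and default values are assumptions; the code returns the remaining wait instead of sleeping, so worker threads are not tied up.

```python
import time


class LoginTarpit:
    """Wait time grows with consecutive failures per (username, source) key."""

    def __init__(self, base=1.0, cap=60.0, window=900.0, max_keys=10000,
                 clock=time.monotonic):
        self.base, self.cap, self.window = base, cap, window
        self.max_keys, self.clock = max_keys, clock
        self._state = {}  # key -> (failure_count, time_of_last_failure)

    def _current(self, key):
        count, last = self._state.get(key, (0, 0.0))
        if count and self.clock() - last > self.window:
            self._state.pop(key, None)  # stale failures are forgotten
            return 0, 0.0
        return count, last

    def retry_after(self, key) -> float:
        """Seconds to wait before the next attempt for this key is processed."""
        count, last = self._current(key)
        if count == 0:
            return 0.0
        # Exponent is clamped so a very long failure streak cannot overflow.
        delay = min(self.cap, self.base * 2 ** min(count - 1, 32))
        return max(0.0, last + delay - self.clock())

    def record_failure(self, key):
        count, _ = self._current(key)
        if key not in self._state and len(self._state) >= self.max_keys:
            # Bound memory use: evict the key with the oldest failure.
            oldest = min(self._state, key=lambda k: self._state[k][1])
            del self._state[oldest]
        self._state[key] = (count + 1, self.clock())

    def record_success(self, key):
        self._state.pop(key, None)


if __name__ == "__main__":
    tarpit = LoginTarpit()
    key = ("alice", "198.51.100.7")  # constructed sample username and source
    for attempt in range(1, 5):
        tarpit.record_failure(key)
        print(attempt, "failures -> wait", round(tarpit.retry_after(key), 1), "s")
```

The login handler checks `retry_after` before verifying the password and rejects the attempt while the value is above zero.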

To sum up, the following are typical security ingredients:

  • Authentication
  • Authorization
  • Critical data item storage encryption
  • Digital signature
  • Hashing
  • High availability and other redundant arrangements
  • Tarpit
  • Transport layer encryption

The author hopes this article reminds system analysts to include these considerations in their requirements engineering process, making the resulting applications more secure and hence making the world more secure.