This problem (vendors shipping code with security holes and leaving customers to find them) has been around since the first program was written. The difference today is that people are actively searching for these bugs to gain access to an organization's network and data. I believe it is the fundamental vector for APT (I hate that term) attacks. Mudge told President Clinton about this problem in the late 1990's.
I still hope vendors will actually check their code for common vulnerabilities. However, here are some recent instances that tell me otherwise.
1. A vendor's web application failed a standard vulnerability scan from both a commercial and a freeware scanning tool. XSS flaws across multiple pages in its hierarchy were the most common finding.
2. A vendor-supplied default password of "changeme" resulted in a compromise while the vendor was onsite installing the software. They were surprised to find out our network was "open" to the net.
3. A vendor's password requirements undercut our own password strength requirements.
We're in the process of modifying a Security Questionnaire for Software Vendors document that we have had in place for a number of years. It's outdated now, but it did ask web application vendors whether their software was vulnerable to any of the flaws in the OWASP Top 10 Security Risks ( https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project ). There have been a number of efforts to create a general Application Security Questionnaire, but they haven't gained acceptance. Some of these include:
- http://www.sans.org/appseccontract/
- https://www.owasp.org/index.php/Category:OWASP_Application_Security_Requirements_Project
- http://searchsoftwarequality.techtarget.com/answer/Security-requirements-for-any-Web-application
Why? These questionnaires are site-specific by nature. It's hard, nay impossible, to create a consensus document that addresses all sectors (.com, .mil, .edu, .org, etc.) of business or government. There is also vendor resistance to any "requirements" clause; the recent flap caused by such a requirement in one of the Federal cybersecurity bills in Congress is an example of this resistance. To them, I say "if you had done it in the first place, there wouldn't be this attempt to 'regulate' you."
Here is my wishlist for software vendors:
- Train your programmers in secure coding techniques. If they still leave security holes in your code, find another place for them in your organization.
- Run a vulnerability scanner against your products. Your customers will start doing that soon, and it's much worse for your reputation if the customer runs a scanner and finds the errors first.
- Pay attention to the scanner results and fix the problems before releasing the product.
- Do NOT assume the network will "protect" your application.
- Follow some sort of best practices for password strength guidelines. Don't ever convert everything to upper or lower case only.
- Never store user passwords in the clear. That's just plain idiotic.
- Store sensitive data in an encrypted format. It can be done properly with the common database systems; this is part of what the secure coding training in the first item should cover.
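As an added illustration of the last three items (it is not code from the original post, and the vendor-default password list in it is a constructed sample): the block below contrasts the "case-fold, then hash without a salt" anti-pattern, which is what "converting everything to upper case" amounts to, with a salted, iterated PBKDF2-HMAC-SHA256 record and a constant-time comparison, and adds a minimal strength check that rejects well-known defaults such as "changeme". The iteration count is an assumption taken from current OWASP password storage guidance; tune it to your hardware.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. Assumed value, following the OWASP
# Password Storage Cheat Sheet recommendation; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000

# Constructed sample of vendor defaults that a strength check should refuse.
DEFAULT_VENDOR_PASSWORDS = {"changeme", "password", "admin", "default"}


def legacy_store(password: str) -> str:
    """The anti-pattern: upper-case the password, then hash it with no salt.
    Case-folding throws away entropy, and the missing salt means identical
    passwords produce identical records across users."""
    return hashlib.md5(password.upper().encode("utf-8")).hexdigest()


def legacy_verify(password: str, stored: str) -> bool:
    # "Changeme1" and "CHANGEME1" are indistinguishable under this scheme.
    return legacy_store(password) == stored


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex).
    A fresh 16-byte salt per user means two users with the same password
    still get different records, and the iteration count is stored so it
    can be raised later without invalidating old records."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time so timing does not leak how many bytes matched."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported password record format: {algo}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(salt_hex),
        int(iterations),
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def check_password_policy(password: str, minimum_length: int = 12) -> list:
    """Return a list of policy violations; an empty list means the password
    is acceptable. Length and a block-list of defaults are the two checks
    that would have prevented the 'changeme' incident described above."""
    problems = []
    if len(password) < minimum_length:
        problems.append(f"shorter than {minimum_length} characters")
    if password.lower() in DEFAULT_VENDOR_PASSWORDS:
        problems.append("matches a well-known default password")
    return problems


if __name__ == "__main__":
    record = hash_password("Correct Horse Battery Staple")
    print(record)
    print(verify_password("Correct Horse Battery Staple", record))   # True
    print(verify_password("correct horse battery staple", record))   # False
    print(legacy_verify("Changeme1", legacy_store("CHANGEME1")))     # True (the bug)
    print(check_password_policy("changeme"))
```

The record format stores the work factor alongside the salt, so a vendor can raise PBKDF2_ITERATIONS in a later release and re-hash each user on their next successful login, rather than forcing a password reset.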
The questionnaire is another component in a risk-based security management strategy. If the software is needed for business purposes and the user accepts the risk, then purchase can continue.
The practice of software vendors letting the customer debug their code has to come to an end immediately. OS vendors have stepped up on this, and the number of OS issues has been reduced as a result. It's time for application vendors to step up and deliver as well.
1/2/2013 RCM