The New Frontier of Cybersecurity: Accelerating Software Security Assurance


INDUSTRY PERSPECTIVE



INTRODUCTION

Today, the overwhelming majority of security vulnerabilities are software issues. So when network perimeters eroded and it became clear that traditional network security was insufficient by itself, Software Security Assurance (SSA) became a primary focus of government information assurance and compliance models. Traditional approaches to SSA have mostly been gated approaches relying on expert testers. However, increased automation in static and dynamic analysis testing tools allowed agencies to evolve and scale practices to the broader organization to meet growing needs. Now, as the government pushes forward with cloud adoption and DevOps, there is a greater need than ever for cloud-based SSA. With the proliferation of highly automated development operations environments and the accelerated development times they offer, developers more than ever want increased ownership of their own SSA testing to meet the strict security and compliance requirements established in the DISA Security Technical Implementation Guide (STIG) and Risk Management Framework (RMF). The Fortify on Demand solution from HPE provides agencies the power to clear their backlogs of insecure and untested apps, tap into a huge resource pool of application security experts and keep their applications secure from constantly evolving threats now and in the future. In this industry perspective, GovLoop, HPE and TSPi partnered to discuss the current state of application security in government, the importance of FedRAMP and how it has allowed U.S. agencies to leverage the Fortify on Demand service to increase their agility and reduce cyber risk and costs.



SECURITY FOR GOVERNMENT AGENCIES

The security of data has always been a top concern for government agencies. In recent years, however, the government has been acting under a mandate to use more cloud services, a move that can save a lot of money versus having to support a locally installed solution. But those two goals were not always in agreement, which is one of the reasons why the Federal Risk and Authorization Management Program, or FedRAMP, was created. FedRAMP is a government-wide program that helps to define standardized approaches to security assessment, authorization and continuous monitoring for cloud products and services. The goal of FedRAMP is to certify secure ways of conducting business, and to identify safe companies and products that the government can use. This “do once, use many times” approach is estimated to save the government 30 to 40 percent of the costs required to conduct agency security assessments for new products and services. It is the result of close collaboration with cybersecurity and cloud experts from the General Services Administration (GSA), National Institute of Standards and Technology (NIST), Department of Homeland Security (DHS), Department of Defense (DoD), National Security Agency (NSA), Office of Management and Budget (OMB), the Federal Chief Information Officer (CIO) Council, as well as private industry. FedRAMP provides a uniform approach to risk-based management while improving the trustworthiness, reliability, consistency and quality of the federal security authorization process.

Fortify has been producing software security products since 2003 and in 2010 launched its Fortify on Demand service. When FedRAMP started operating, Fortify recognized the benefits it would afford to government agencies and invested early, receiving its Authority to Operate in 2015. To date, Fortify on Demand is the first and only SaaS product authorized for government use to identify vulnerabilities in web, mobile and thick-client applications in a single mature offering. “Fortify on Demand is highly secure, and is housed at a U.S. data center run only by U.S. nationals,” said Dylan Thomas, Senior Product Manager at HPE Security. “Under the GSA’s FedRAMP program, we underwent a stringent security review and were granted an Authorization to Operate at the FISMA Moderate level from the Joint Authorization Board, so most agencies can begin using it right away. We even have DoD agencies using it for their Impact Level II and lower needs.” “The government needs application security, and it wants to use more cloud services without adding additional security concerns,” said Fortify Solution Architect Matt Fisher. “With Fortify on Demand, we can do all of that for agencies while making things easier at the same time.”

THE GOALS & BENEFITS OF FEDRAMP

GOALS
• Accelerate the adoption of secure cloud solutions through reuse of assessments and authorizations
• Increase confidence in security of cloud solutions
• Achieve consistent security authorizations using a baseline set of agreed upon standards to be used for cloud product approval in or outside of FedRAMP
• Ensure consistent application of existing security practice
• Increase confidence in security assessments
• Increase automation and near real-time data for continuous monitoring

BENEFITS
• Increase reuse of existing security assessments across agencies
• Save significant cost, time and resources – “do once, use many times”
• Improve real-time security visibility
• Provide a uniform approach to risk-based management
• Enhance transparency between government and cloud service providers (CSPs)
• Improve the trustworthiness, reliability, consistency and quality of the federal security authorization process



THE EVOLUTION OF APPLICATION SECURITY

“For a few decades, folks have focused on infrastructure security while at the same time all of the data has been moving to the application layer, so now, the software layer itself is ripe with vulnerabilities,” said Fisher. “We focus on helping developers, information assurance managers and CISOs assess and reduce the risk in their own software.” Application security was almost always an afterthought for most organizations. If it was practiced at all, typically a small team with expertise in application security would run a scan of an app that was developed in-house and interpret the results, but only after it was completed. Later, the developers would get the report and be forced to go back and change large portions of their work. “If application testing was performed, it was done very ineffectively,” Fisher said. “After a developer finished their work, they would often be told that they met all the requirements and to take the app live, so that’s good for them, right? But then the security team comes along and identifies vulnerabilities, and forces everything to be redone and recoded, obviously creating big delays in production schedules. In addition, due to the release pressure many organizations had to accept more risk than they probably would have liked. When you factor in how the pace of development has accelerated – where entire build and test cycles are being highly automated – the idea of keeping application security as a single gate isn’t feasible anymore. Developers now want to perform their own application security testing because it lets them produce secure products faster.” Fortify software, operated on-premises, provided the application security tools directly to the developers so that they could incorporate them into their development processes.
They still had to have some expertise regarding application security, and setting everything up for testing was still a manual process, but it was orders of magnitude better than the way it was handled before. Fortify on Demand – which was just named the leader in the 2017 Gartner Magic Quadrant for Application Security Testing – is the next step in that evolution, removing almost all the manual processes and the need for large teams of in-house application security experts. Fortify on Demand can be set to automatically scan software in development through out-of-the-box integration with the most popular continuous integration systems. Developers quickly receive a detailed report explaining every vulnerability uncovered during the most recent build, right down to highlighting the specific lines of code that need to be fixed. Mistakes can be eliminated almost instantaneously while software is still in development, and then re-checked to ensure the fix is complete. Most importantly, all Fortify on Demand assessments include optional review by in-house security experts, saving development and security teams significant time traditionally spent auditing the direct output of vulnerability assessment tools. By the time the application is finished and ready for validation, any potential vulnerabilities or hidden threats will have long since been eliminated through a scalable approach to both static and dynamic testing. This puts security teams in a much better position, able to simply double-check and verify that apps are clear of vulnerabilities, rather than sending a program back for extensive recoding. “Fortify on Demand can eliminate code vulnerabilities throughout the early stages of design and modeling, up through the code and implementation phases, and then continuing on through testing, validation, staging and production,” Thomas said.

“The pace of development is increasing, not just in the commercial sector, but in the federal sector as well. Organizations require an application security solution that seamlessly integrates across the software lifecycle.” - Matt Fisher, Fortify Solution Architect at HPE Security

And Fortify on Demand is not just useful when developing software. Commercial off-the-shelf (or COTS) apps and programs that an agency wants to use can be assessed in a secure fashion without requiring the vendor to provide access to the application source code. “Agencies that have COTS software and want to know how safe it is, even though they probably don’t have access to the source code, don’t need to worry,” said Thomas. “Fortify on Demand can help with that through our vendor management program.”



Fortify on Demand also works well for native mobile applications written for iOS, Android, and Windows Mobile. During the development process, the Fortify solution can analyze mobile code to identify static vulnerabilities as the app is being created. However, unlike web applications, most popular mobile apps feature a multitier architecture where there is a piece of software installed on the device itself, a public network, and a back-end infrastructure of web services that provides the rich functionality users expect. For these mobile applications, black-box or dynamic testing of the running application requires a modified testing approach. Fortify on Demand first looks at the client application, examining the general behavior, including requested permission levels and, very importantly for government, what data is being stored on the device and how securely that is done. For example, a mobile app collecting sensitive information and storing it locally in an unencrypted format would be unsuitable for many government agencies. Fortify on Demand will then determine what off-site servers are being accessed, pointing out if those might be of questionable reputation, and performing an in-depth assessment of the back-end services for critical vulnerabilities like SQL injection. “By looking at the network traffic between the device and the back-end web services, and then also assessing those back-end web services as well, Fortify on Demand provides the most cohesive picture of the security of any mobile app,” Thomas said. “When scanning for vulnerabilities with mobile apps, it’s about more than just the binary sitting on the device. You also need to look at the network and then the back-end web services that the app is calling. Fortify does that.”

CLEARING THE APPLICATION SECURITY BACKLOG

Starting from scratch and helping to eliminate vulnerabilities in programs being developed is a great thing, and highly necessary when trying to maintain a secure network. But with the popularity of web and mobile apps exploding, many agencies have a backlog of programs that need to be scanned for vulnerabilities. Even if an agency has the on-premises version of Fortify, it still would need to have people in place to schedule those scans and interpret the results. A core reason why Fortify on Demand was created was to allow organizations to leverage outside expertise as a surge capability and to better distribute tasks between scarce internal and readily available external resources. Every Fortify on Demand customer has access to a large technical account management team with application security expertise. Each Fortify on Demand user can reach out to those teams in a variety of ways, from starting a ticket to get more detailed information about the results of a scan to scheduling a conference call with their Technical Account Manager (TAM) for a deeper explanation. Manpower is often the missing link leading to backlogs of untested apps, which is sometimes true even if an agency had access to the original Fortify solution. Adding access to a technical account team with Fortify on Demand can quickly cut that backlog down to nothing, with the technical teams providing most of the heavy lifting. “The TAM team provides a world-class baseline of expertise and help, but for customers that really need to go to the next step, Fortify on Demand also offers higher levels of service where the account management team goes to the next level, serving as a dedicated, full-time security program manager,” Thomas said. “That way, the Fortify on Demand service can even act as your entire Software Security Assurance program.”

“When we say that Fortify on Demand provides application security as a service, we mean it. That starts with the actual testing process, running the tools and then interpreting and reviewing the results. But then it goes beyond that, to also making sure that our customers can successfully remediate those findings.” - Dylan Thomas, Senior Product Manager at HPE Security



GETTING STARTED WITH FEDRAMP-APPROVED FORTIFY ON DEMAND

As with most organizations today, applications are beginning to drive many of the interactions between people and government, and even between government and its employees. But they are also one of the key weak points working against maintaining good network security. Even as apps become the new security perimeter, the number of trained application security personnel remains critically low. “Application security has been brought to the forefront, which comes with the challenge of finding the right people to do it,” Thomas said. “Fortify on Demand delivers application security as a service to enable federal customers to tackle this critical need.”

Fortify on Demand is the first and only SaaS solution that has been authorized by the government through the FedRAMP program for finding and fixing vulnerabilities in web, mobile and thick-client applications. “The FedRAMP accreditation is valuable because now agencies can take advantage of the tools and services offered by Fortify on Demand to eliminate vulnerabilities in their apps,” Fisher said. “And the service is instantly available and easily procured in just a few days compared to months of procuring traditional software.” Fortify on Demand is thus ready to help secure the new application security perimeter for any government customer.

About HPE

Hewlett Packard Enterprise (HPE) Security helps organizations detect and respond to cyber threats while safeguarding continuity and compliance to effectively mitigate risk and incident impact. Delivering an integrated suite of market-leading products, services, threat intelligence and security research, HPE Security helps customers proactively protect the interactions among users, applications and data, regardless of location or device.

About TSPi

Technology Solutions Providers, Inc. (TSPi) is a certified Small Disadvantaged Business providing performance-driven end-to-end IT solutions to federal government customers. For over 15 years our business model, as well as our key to success, has been based upon maintaining long-lasting relationships by delivering performance-driven results. Our federal government customers can readily attest to our in-house expertise, commitment to quality, reliability, and exceptional performance. TSPi is Capability Maturity Model Integration (CMMI) Level 3 appraised and International Organization for Standardization (ISO) 9000, 20000 and 27000 certified.

About GovLoop

GovLoop’s mission is to “connect government to improve government.” We aim to inspire public-sector professionals by serving as the knowledge network for government. GovLoop connects more than 250,000 members, fostering cross-government collaboration, solving common problems and advancing government careers. GovLoop is headquartered in Washington, D.C., with a team of dedicated professionals who share a commitment to connect and improve government.

Learn more at hpe.com/software/fod


For more information about this report, please reach out to info@govloop.com.




1152 15th St. NW, Suite 800 Washington, DC 20005 (202) 407-7421 F: (202) 407-7501 www.govloop.com @govloop
