While operating systems and networks may have gotten most of the attention lately as the favorite targets of hackers, the vast majority–at least 70 percent–of successful cyber attacks happen because of vulnerabilities in applications that are being compromised, according to Gartner Analyst John Pescatore.
To help stop vulnerabilities before they reach the code stage, HP Enterprise Services announced last week a new security service, HP Comprehensive Applications Threat Analysis Service (CATA), which provides architectural as well as design and security requirements guidance alongside recommendations for security controls and best practices.
John Diamant, who created and leads HP’s enterprise-wide security quality program, spoke to TNNI at the recent DGI Cyber Security Conference & Expo in Washington, D.C., about how the number of latent and undiscovered vulnerabilities multiplied across all applications can easily be in the millions.
“Consider a typical government or commercial website or application, those most likely have one or more latent vulnerabilities, which means there is a risk the application could be compromised and allow an attacker to steal information, to modify information–all kinds of things,” he said.
The typical approach in the industry to address software assurance or reducing vulnerabilities has been to test the systems to find flaws and fix them after they have been introduced into the code, resulting in a sort of “test and fix” model, Diamant said.
“What we are doing with our service and capability is moving much earlier in the development cycle to say, ‘we should do all of that, but it’s really important to design security in and make sure you understand what your security requirements are: what does it need to defend against, what regulations are required to be applicable to meet the regulatory requirements from a security standpoint, what types of defenses does it have to have, what types of information are going to be stored’ … and then make sure it’s designed to be very resilient with respect to attacks,” he said.
As it is virtually impossible to write bug-free code, no security posture should depend on never making a mistake, Diamant noted.
“Instead of never making a mistake, what we say is, ‘we can assess and guide architecture and design to be resilient so that an arbitrary defect has a much lower probability of becoming a security defect,'” he said. “By doing this, we can end up having a much greater level of assurance in the design of the application up front, significantly reduce any rework involved when you later do security testing [or] find security problems, and then go back and fix them, and also significantly reduce the risks.”
This kind of approach would also slice the cost involved in rework done after implementation and before a release. Designing something right the first time around diminishes the need to go back and fix whatever defect has been discovered, Diamant said.
“There [also] is a cost associated with security patching; it’s not just the cost to the people developing the software, but also the people who are deploying that software,” he said. “There’s this constant patch cycle: ‘oh, a new security vulnerability, we’ve got to patch your computer to get up to date with that. [CATA] will reduce significantly the number of security patches that are necessary.”