Tuesday, March 2, 2010

Parallels Between Software Assurance and Irregular Warfare

By Mike Boberski

Whether it's the OWASP Top 10 or the CWE/SANS Top 25, the problems that the domain of Software Assurance (SwA) explores are perhaps “the” central security challenge confronting cyberspace for the foreseeable future. These problems are not “traditional”, in the same sense that “traditional” warfare is distinct from Irregular Warfare (IW).

IW tactics such as guerrilla warfare, subversion, and sabotage in cyberspace take the form of attacks on the design and construction of application and service interfaces, and on the design, construction and even the unexpected passing of messages (nefariously crafted or otherwise) input to and output from application and service interfaces. Simply put, traditional cyberspace security controls (firewalls, operating system controls, and so on) do not protect against attackers who call applications and services in unintended ways.

Senior leaders across both public and private sectors are asking relevant questions such as “What are the top vulnerabilities to my application?” but not crucial questions such as “What application-level security requirements does my application meet, and will meeting those requirements make my application secure enough for my purposes?”

While there’s a growing need for tools that provide repeatable solutions to these types of complex, enduring, and increasingly threatening cyberspace problems, there is a remarkable dearth of such tools. A notable exception is OWASP. OWASP is considered by many to be providing thought leadership and creative solutions to SwA problems. OWASP solutions include:

· OWASP Secure Software Development Contract Annex (Contract Annex) – provides a way to build security in before the building begins, whether it’s in a contract or a policy.

· OWASP Application Security Verification Standard (ASVS) – provides a way to figure out if your application is “this” secure or “T—H—I—S” secure, whether it’s by vulnerability scanning, code review, penetration testing, or architecture review.

· OWASP Enterprise Security API (ESAPI) – provides technical security controls that you can add into your solution stack to guard against attackers calling your applications and services in unintended ways (for example, by providing user data input validation controls), whether it’s Java, .NET, PHP, or a laundry list of other languages.

Are you asking the right questions? :-)
