Welcome to the CISO Executive Network!
Application Security Executive Breakfast on Thursday February 25th starting at 8am
Keynote Speaker
Don Gray, Solutionary
Featured Speakers
Ryan Berg, IBM
Steve Wolford, Oracle
Roger Thornton, Fortify
Featured Member
CSO Breakfast Club Member Jason Taule Discusses Application Security
When it comes to application security, CSO Breakfast Club member Jason Taule suggests that today’s CISO faces multiple threats. All good CISOs ask themselves “What’s on my network?”, Jason says, but he goes on to point out that the answer needs to go beyond the typical hardware-centric response to include software as well.
Regardless of where the software comes from, it may contain weaknesses, and the CISO needs to be vigilant about several different scenarios. First, there is the concern over vulnerabilities in third-party applications that one acquires from the outside and deploys in the CISO’s internal environment. These issues are obviously related to weaknesses on the part of the third-party developer, but they are not confined to common business applications such as Microsoft Office; they also occur in open source applications that come either as stand-alone utilities or, worse, are bundled inside of “solutions” and are thus less obvious.
Second, organizations need to be concerned about the software they develop for their own purposes. In these instances there is the threat posed by insiders intentionally inserting malcode or vulnerabilities into an application that will run in one’s own environment.
Finally, depending on what the company does, the CISO may also need to be concerned with applications the organization is building to run in other environments, particularly when the business is software development. The last thing the CISO of any software company wants is to have a customer breach traced back to a vulnerability in their product.
Regardless of which scenario one is dealing with, Jason notes, “There is no such thing as perfect security.” So, how to address these threats? For Jason, creating an Application Security Initiative is a good place to start. His approach is to engage the engineers from the beginning with specific training in application security. This becomes part of creating a comprehensive program that defines all parameters and results in checklists that cover every aspect of security in application development. Finally, introducing and implementing tools into the mature process ensures a standardized, disciplined approach. Jason has implemented Fortify in his environment for static application security testing and HP WebInspect for dynamic code testing. Jason notes that either type of testing provides risk reduction, but the ideal program will incorporate testing of both types.
Manual code reviews can also be added when circumstances call for them. A critical part of a successful application security initiative is securing sign-off from both the business owner and the company CTO. Having all stakeholders on board will ensure a greater chance of success.
In addition, as with other information security programs, it is important that a scorecard or dashboard be used to monitor progress on an ongoing basis.
Other considerations for the CISO focused on application security include periodic network scanning down to the hash level and assuring a trusted supply chain (meaning patches must arrive with a defined hash that can be verified before deployment). Finally, it makes sense in today’s environment to move from blacklisting to whitelisting, although one needs to be careful to avoid the attendant challenges, such as how to deal with what is currently in place and the problems presented when legitimate applications get blocked by the whitelisting approach.
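The two practices above, hash-verified patches and hash-based whitelisting, are shown below as an added example written for this page; it is not code from the CISO Executive Network, from Jason Taule, or from any vendor program he describes. The manifest, file names (including the placeholder `kb-0000-hotfix.msp`) and file contents are all constructed for the example, and the hash algorithm (SHA-256) is an assumption, since the interview does not name one.

```python
"""Hash-pinned patch verification and an allowlist (whitelist) check.

Added example, not code from the page or from Jason Taule's program. It shows
(1) refusing to deploy a patch drop unless every file matches a publisher-supplied
SHA-256 manifest, with tampered, missing and unlisted files reported separately, and
(2) flagging anything present on a host whose hash is not on an approved list,
regardless of what the file is called.
"""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read in 64 KiB pieces so large patches need not fit in memory


def sha256_of_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the lowercase hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_patches(patch_dir: Path, manifest: dict[str, str]) -> dict[str, str]:
    """Compare every file in patch_dir against the manifest (name -> expected SHA-256).

    Status per file name:
      'ok'       - present and hash matches the manifest
      'mismatch' - present but hash differs (tampered, corrupted, or wrong build)
      'missing'  - listed in the manifest but not delivered
      'unlisted' - delivered but absent from the manifest (must not be installed)
    """
    results: dict[str, str] = {}
    seen: set[str] = set()
    for path in sorted(patch_dir.iterdir()):
        if not path.is_file():
            continue
        seen.add(path.name)
        expected = manifest.get(path.name)
        if expected is None:
            results[path.name] = "unlisted"
        elif sha256_of_file(path) == expected.lower():
            results[path.name] = "ok"
        else:
            results[path.name] = "mismatch"
    for name in manifest:
        if name not in seen:
            results[name] = "missing"
    return results


def deployable(results: dict[str, str]) -> bool:
    """Deploy only when every manifest entry is present and matches and nothing extra arrived."""
    return bool(results) and all(status == "ok" for status in results.values())


def unapproved_software(inventory: dict[str, str], allowlist: set[str]) -> list[str]:
    """Whitelisting by hash: inventory maps host path -> SHA-256; anything not approved is flagged."""
    return sorted(p for p, digest in inventory.items() if digest.lower() not in allowlist)


def run_demo() -> tuple[dict[str, str], list[str], bool]:
    """Build a constructed patch drop in a temp directory and run both checks on it."""
    with tempfile.TemporaryDirectory() as tmp:
        drop = Path(tmp) / "patches"
        drop.mkdir()
        good = drop / "app-1.2.3-patch.bin"          # constructed, matches manifest
        good.write_bytes(b"constructed patch payload v1.2.3")
        tampered = drop / "driver-4.5.6-patch.bin"   # constructed, contents altered
        tampered.write_bytes(b"constructed payload with an extra byte appended!")
        extra = drop / "bonus-tool.exe"               # constructed, not in manifest
        extra.write_bytes(b"not in the manifest")

        # Constructed manifest: hashes of the *intended* contents, as a publisher
        # would ship them; the driver's intended contents differ from what arrived.
        manifest = {
            good.name: hashlib.sha256(b"constructed patch payload v1.2.3").hexdigest(),
            tampered.name: hashlib.sha256(b"constructed payload with no extra byte").hexdigest(),
            "kb-0000-hotfix.msp": hashlib.sha256(b"never delivered").hexdigest(),  # placeholder name
        }
        results = verify_patches(drop, manifest)

        # Allowlist holds only the hash of the approved application build.
        allowlist = {manifest[good.name]}
        inventory = {str(p): sha256_of_file(p) for p in drop.iterdir() if p.is_file()}
        flagged = [Path(p).name for p in unapproved_software(inventory, allowlist)]
        return results, flagged, deployable(results)


if __name__ == "__main__":
    res, flagged, ok = run_demo()
    for name, status in sorted(res.items()):
        print(f"{status:9} {name}")
    print("deployable:", ok)        # False: one mismatch, one missing, one unlisted
    print("unapproved:", flagged)   # the unlisted tool and the tampered driver
```

Run as a script to see the per-file verdicts. The design choice worth noting is that a single mismatch, missing or unlisted file blocks the whole drop rather than installing the files that did verify, and that the allowlist keys on content hashes rather than file names, which is the point of moving from blacklisting to whitelisting.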
Finally, Jason recommends that the CISO “Always know what’s on the network and from whom it was obtained.”
Jason Taule is the CISO at General Dynamics Information Technology Health IT Solutions in Towson, MD. He maintains a series of certifications including CMC, CPCM, CISM, CGEIT, CHSIII, CDPS and NSA-IAM. Jason is also a member of the CSO Breakfast Club Advisory Council.
| Attachment | Size |
|---|---|
| Jason Taule Application Security 0210.pdf | 48.86 KB |
| BAL FEB 25 APP SEC MAIN (small).pdf | 1.91 MB |
| FEB MAR APP SEC SOLUTIONARY.pdf | 429.48 KB |
| FEB MAR APP SEC IBM.pdf | 3.2 MB |
| BAL FEB 25 APP SEC ORACLE.pdf | 1.78 MB |
| BAL FEB 25 APP SEC FORTIFY.pdf | 3.31 MB |