Fair warning — this blog takes place from the top of my soap-box, so continue at your own risk!

We all know that application security, especially web application security is real complex, and can only be addressed by equally complex technical solutions like web application firewalls, virtual system patching, … NOT ….

Having been involved in one too many breach incident responses the last few weeks, I’m increasingly convinced that my belief that complex challenges demand simple responses is the right path. My challenge is convincing others .. so it’s up onto the soap-box. As a pure assessment firm we often end up leveraging root cause analysis post incident. Invariably, the perceived root cause “we were vulnerable to SQL injection” is actually the symptom of much more fundamental causes: “we failed to conduct proper tests before deploying”, “our developers were not sufficiently knowledgeable of web application attacks”, “we failed to understand the risks to the application”, etc.

Raise your hand if you have an SDLC. Not too bad, now; keep it up only if your SDLC:

• Is current (has been updated within the last year,
• Includes security touch-points throughout the life-cycle,
• Includes OWASP Top 10 touch points for management, developers, & testers,
• Is enforced by an IT Steering Committee (or equivalent) and includes milestones for key phases.

I could add another ten bullets … but being everyone’s hand is down by now … I think you get my point.

The good news is that there is some new and very well done guidance on integrating security into the SDLC. OWASP’s Software Assurance Maturity Model (SAMM) is a terrific new resource. Rather than define SAMM … I’ll steal the high level description from OWASP’s site:

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. The resources provided by SAMM will aid in:
• Evaluating an organization’s existing software security practices
• Building a balanced software security assurance program in well-defined iterations
• Demonstrating concrete improvements to a security assurance program
• Defining and measuring security-related activities throughout an organization

One of the things I like best about SAMM is that it was targeted at non-security personnel and non-application developers which means that it can be governed by normal business folk. SAMM helps make an S-SDLC a simple solution to a complex problem.

Remember simple ≠ simplistic … (time to climb off the soap-box and get a new cup of coffee!)

We have an on-demand webinar that talks to this specific issue, SAMM, and OWASP as a whole that I recommend you look at if this blog piqued your interest.

Free Download: ISO 27001 Implementation Roadmap

Have no fear – our “roadmap” will guide you, step by step, through the entire ISO 27001 process.

Getting to ISO 27001 certification is a process made up of things you already know – and things you may already be doing!

Free Whitepaper: Five Best Practices for SIEM

The promise of SIEM is the consolidation of all relevant Security Event Logs from disparate sources into a single unified and normalized data store.

• Simplify compliance monitoring/reporting
• Vastly improve Incident Detection & Incident Response
• Contextualize event information with other business relevant information

Is ISO 27001 Right for (Y)our Organization?

Thinking about ISO 27001 Certification? View our free On-Demand ISO 27001 Webinar

• How to deal with increasing threats
• How to manage multiple regulatory requirements
• How to handle client requests for attestation
• To validate that significant changes did not have unanticipated results

Free Download: A Best Practices Guide to Database Security

Because data is only as secure as the systems & processes it relies on – a holistic approach to data security is essential. This roadmap is not meant to be exhaustive but rather to stimulate the necessary thought process to put you on the path to good data security.

Free Whitepaper: Stop Wasting Money on Penetration Testing

Penetration Testing is most frequently performed to:

• Substantiate the net effectiveness of a mature control environment
• Prove to a third party that an environment is secure/trustworthy
• Quickly assess the security of a less mature control environment (in a sense a technical risk assessment)
• To validate that significant changes did not have unanticipated results

Download: Information Security Attestation Guide

A Best-Practices Guide to Information Security Attestation

Download our proven Information Security Guide to simplify the process of protecting your data, proving you’re secure and growing your business.