Chief Security Officer White Paper Series for SPI Dynamics

CSO White Paper Series
Managing Risk and Reducing the Cost of Web Application Security
Featuring SPI Dynamics WebInspect™

Version 1.0
By Jim Reavis
January, 2004
Copyright 2003, Reavis Consulting Group

Table of Contents

Introduction
Understanding Risk
How Web Applications and Web Servers Create Risk
Using SPI Dynamics' WebInspect to Manage and Mitigate Web Risks
Calculating Return on Security Investment
Summary
References

Introduction

Corporations are increasingly being asked to use quantitative methods to protect intellectual property and secure digital assets. This has led Chief Security Officers to apply risk management principles and develop Return on Security Investment (ROSI) calculations in order to manage risk effectively. This paper shows how SPI Dynamics' WebInspect is an essential component of web application and web server risk management.
The reader will learn:

· The definition of risk management as it applies to information security
· The primary web application and web server vulnerabilities that create risk
· How SPI Dynamics' WebInspect reduces risk
· How to calculate ROSI for web security assessment
· How others are using WebInspect to reduce risk

Understanding Risk

Risk is defined by the dictionary as "the possibility of suffering harm or loss". Risk is all around us every day, and our actions often reflect both conscious and subconscious decisions we have made to reduce risk in our lives. In cyberspace, we often fail to understand risk as clearly as we do in the physical world, and fail to act appropriately to reduce it. Understanding risk means that you can quantify the probability of loss and the impact upon the organization. Quantifying risk can be simplified if it is thought of as a mathematical equation:

    Risk = Value of the Asset x Severity of the Vulnerability x Likelihood of an Attack

In this equation, you assign a weighting of 1-10 (10 being the most severe or highest) to each risk factor, and by multiplying the factors you arrive at an aggregate risk value for any asset. Let's take the example of an e-commerce server that performs 40% of all customer transactions for the organization and assume it has a very severe and easy to exploit vulnerability:

    E-commerce Server Risk = 10 (Value of the Asset) x 10 (Severity of the Vulnerability) x 10 (Likelihood of an Attack)
    E-commerce Server Risk = 1000, the highest risk ranking possible.

Now take a comparative example of a moderate vulnerability in the e-commerce server versus a severe vulnerability in an Intranet server used to publish internal announcements:

    E-commerce Server Risk = 10 (Value of the Asset) x 4 (Severity of the Vulnerability) x 4 (Likelihood of an Attack)
    E-commerce Server Risk = 160, a moderate risk ranking.
    Intranet Server Risk = 2 (Value of the Asset) x 8 (Severity of the Vulnerability) x 6 (Likelihood of an Attack)
    Intranet Server Risk = 96, a lower risk ranking.

Even though the Intranet server has the more severe vulnerability, the lower value of the asset produces a lower relative risk value than the e-commerce server. Understanding risk allows management to make wise decisions about the deployment of scarce resources to optimize the protection of their assets.

Risk management is the process of managing an organization's exposure to threats to its assets and operating capabilities. The goal of the process is to provide the optimal level of protection to the organization within the constraints of budget, law, ethics and safety. Risk management is an iterative process, which should lead to continuous improvement in an organization's security infrastructure. Risk management is often characterized as a lifecycle of processes, and while there are many different opinions on the various methodologies, there is general consensus on the four main strategies for coping with risk:

1. Avoidance. In some cases, the risk of a particular activity, application or new host system may far outweigh the probable benefits. In these cases, the prudent decision is to avoid the activity altogether. A theoretical example of this may be an email archival system. It may be useful for organizational users to have access to all of their old emails for many legitimate business purposes. However, the potential use of archived emails in litigation to the organization's detriment could make this system too risky to be practical. The organization may decide not to go forward with the email archival system in order to avoid the risk.

2. Acceptance. In other cases, the prudent course of action may be to simply accept the risk.
Often the guiding principle when accepting risk is that the cost of achieving a reduction in the overall risk is significant relative to the reduction gained. One example could be paying for an operating system upgrade for 1,000 host machines when one feels the existing systems are only slightly more vulnerable than hosts running the new operating system. In this case, one may choose to do nothing and accept the risk of the older operating system.

3. Transference. Another approach to dealing with risk is to transfer it to another entity. The most common way to do this is via insurance. You may not be able to guarantee that hackers will not penetrate a critical host despite your best efforts to protect it. Insurance is a common sense approach to reducing risk that you cannot otherwise control. However, cyber insurance for issues like e-commerce loss is still immature and often provides incomplete coverage.

4. Mitigation. Most often, corporate security departments will choose risk mitigation: taking some actions and making some investments to measurably reduce risk in a given scenario. Mitigation is at the heart of the Chief Security Officer's job and sets the stage for the activities that determine budget, priorities and investment justification.

In many instances, we cannot simply avoid, accept or transfer risk. Instead, the risk is inherent in the business initiatives, and the CSO must take the leading role in determining the actions to take to reduce that risk.

How Web Applications and Web Servers Create Risk

The Impact of Breaches on Market Value
A study conducted by the University of Texas' School of Management concluded that publicly traded companies suffer severe and immediate financial consequences as a result of Internet security breaches. According to the study, companies lose 2.1% of their market value within two days of the breach becoming public knowledge. This translated to an average of $1.65 billion in lost market capitalization.

Compromised web servers can damage organizations in many ways, from surrendering customer privacy data, to accepting fraudulent transactions, to indirectly damaging corporate prestige via a defaced homepage. While it may seem that a myriad of bad things can happen as the result of a million different vulnerabilities, we can actually categorize the core "points of pain" of web security into a few main areas:

Default configuration.
Web servers are often installed with default configurations, which may not be secure. These can include unnecessary samples and templates, administrative tools and predictable locations for server utilities. This can lead to several types of attacks that allow hackers to gain complete control over the web server.

User input validation.
Web sites and applications need to be interactive in order to be useful. However, web applications that do not perform sufficient validation of user input screens allow hackers to directly attack the web server and its sensitive databases. Invalid input leads to many of the most popular attacks.

Encryption.
It is a sad fact that although modern encryption algorithms are virtually unbreakable, they are underutilized. In years past, performance considerations were cited as a factor in the limited use of encryption. However, today's high performing CPUs and specialized cryptographic accelerators have broken down the price/performance barriers related to encryption. The issue with limited encryption has more to do with poor application design and a lack of awareness among developers. Nearly all web traffic passes in the clear, and can be snooped by an alert hacker.

Secure data storage.
While it is critical to secure data in transit, it is just as important to ensure that data is stored securely. This includes encrypting data at rest, but it does not stop there. Many web applications store sensitive files on publicly accessible servers rather than on protected servers. Other applications do a poor job of cleaning up temporary files, leaving valuable data accessible to the hacker who knows how to find it.

Session management.
Many web applications do a poor job of managing unique user sessions. The weaknesses range from weak authentication methods and poor cookie management to a failure to create session timeouts. This often leads to session hijacking and other compromises of legitimate user identities.

Maintenance.
Not keeping web servers updated with the latest vendor patches, as well as neglecting to perform continued testing of proprietary web applications, creates more risk.

These major problems are usually the result of a lack of due care in the web application development and maintenance processes. In organizations where security is not "baked in" to both the business planning and application development processes, there can be an appalling lack of awareness of the need to incorporate security best practices from day one. This is often done for expediency's sake and under the mistaken impression that money is being saved. However, as we will see, building security into web application development actually achieves cost savings, while adding security later is a more expensive proposition.

Using SPI Dynamics' WebInspect to Manage and Mitigate Web Risks

SPI Dynamics' WebInspect products are powerful tools for assessing the comprehensive security posture of web serving systems and applications. WebInspect products identify both the known vulnerabilities common to the chosen technology components and the critical vulnerabilities unique to that integrated system, and provide detailed remediation reports.
WebInspect is software designed to mitigate risk for all of the previously mentioned web security "points of pain". Identifying and solving major web server risks requires involvement from many people within the organization. SPI Dynamics has defined an Application Lifecycle, which is useful in demonstrating the process for developing web applications and how different groups are involved. WebInspect can be used by these different players all through the lifecycle.

Lifecycle Phase     Organizational Resources                        How WebInspect is Used
Audit               Software architects, security consultants       Vulnerability and risk assessment, penetration testing
Development         Software architects, application developers     Software design, prototype checking, modular code testing
Quality Assurance   QA testers                                      Testing, identifying and tracking software bugs
Production          Webmasters, security operations professionals   Perform a vulnerability assessment of web sites already in production

Table 1 - WebInspect in the Application Lifecycle

Web applications existed long before sophisticated technologies like WebInspect were available to test and assess them. For this reason, it has been typical for many WebInspect users to perform vulnerability assessments of web sites that are already in production. In many cases, security consultants will not be a part of the entire Application Lifecycle and will only have access to the production web site. However, we believe that emerging best practices dictate that web application vulnerability assessment solutions like WebInspect should be used throughout the lifecycle, and that web applications should be hardened well before they reach the production stage.

Case Study: Manulife
Manulife Financial, a leading financial services group operating in 15 countries and territories worldwide, keeps up with web application security vulnerabilities by using SPI Dynamics' WebInspect Enterprise Edition. As more sophisticated hacker methods are developed to take advantage of network and application vulnerabilities, companies are being forced to constantly improve security measures to protect confidential data. "In order to stay ahead of the game, it is our company's policy to take a proactive approach versus a reactive approach to information security," said Edward Liebig, Director, IT Security, Manulife USA Annuities. Manulife USA chose WebInspect as a key element of its overall IT security strategy and implemented the solution across the application lifecycle and throughout the organization, including the web development, quality assurance, security operations and auditing phases.

WebInspect products assist developers in identifying security risks within their code and help reinforce secure programming practices. As such, they continually reinforce and support educational and awareness initiatives for secure programming. For software quality assurance groups, WebInspect automates much of the quality testing, allowing QA greater accuracy and faster turnaround in quality testing of web applications. Outside consultants and IT security engineers can perform vulnerability assessments and penetration testing, providing external validation to the developer groups that security risks are being mitigated.

Calculating Return on Security Investment

Justifying an information security budget is the toughest job the CSO must face. Developing a Return on Security Investment (ROSI) model is a difficult task, but extremely powerful in pushing through expenditure requests.
Nothing is more challenging than proving the existence of something you cannot see: in this case, the security threat that did not become an attack and cause harm. However, both commercial and academic research has made progress in calculating ROSI.

It is common sense that the most cost effective way to solve any problem is to catch the issue as early as possible. This is the thrust of research that compares the cost of remediating software vulnerabilities at different stages of the application development lifecycle. MIT, Stanford and @Stake have collaborated on an extensive project known as Hoover, containing hundreds of case studies from companies who have had extensive security assessments performed on e-business applications. In a paper titled "Tangible ROI through Secure Software Engineering", @Stake cites both the Hoover research and software quality assurance research by IBM in describing the Remediation Cost Multiplier by Phase model. This metric shows that with each successive stage in the application development lifecycle an exponentially higher cost is required to remediate vulnerabilities (@Stake uses a slightly different nomenclature for the lifecycle than SPI Dynamics, but the processes are essentially the same). Figure 1 shows that for each dollar spent remediating a vulnerability during the initial design phase, much larger amounts must be spent to remediate the same vulnerability during later stages.

Remediation $ Cost Multiplier by Phase
Design            1.00
Implementation    6.50
Testing          15.00
Maintenance      60.00

Figure 1 - Remediation Cost Multiplier (source @Stake)

Case Study: Moody's KMV
Moody's KMV, the world's leading provider of quantitative credit analysis tools and an SPI Dynamics WebInspect user, developed its own ROSI model by comparing the time investment required to assess web applications manually versus with an automated solution. Moody's KMV has over ten significant web applications, each having 3-4 significant updates annually, according to Mario Duarte, MKMV's security manager. "Web-based product audits must be conducted. The question is: how?" said Duarte. In order to answer this question, Duarte selected an actual MKMV web application and performed both a manual and an automated audit. The findings were compelling: a manual audit took 52 hours, while the automated audit took 10 minutes plus an hour for documentation. The findings from each method of assessment were of comparable quality. According to Duarte, manually auditing all web applications would require two additional full time employees. Lacking staff resources or automated assessment software would limit MKMV to auditing a maximum of 25% of its applications per year, slowing business productivity and increasing risk for the organization. In the final analysis, automating web application assessment provides MKMV a net savings of nearly $200,000 per year, while offering complete coverage of MKMV's web assessment needs.

The nature of each vulnerability is unique, so some software bugs will inevitably be found in every phase of development. It is neither feasible nor wise to concentrate all secure software development initiatives within any single phase. However, the most important lesson of the multiplier metric is clear: vulnerabilities need to be detected and repaired before the application is put into production. Using the multiplier metric, Table 2 shows the production cost savings achieved by investing $90,000 in secure application development during the pre-production phases.

Development Phase   Expenditures   Production Cost Savings
Design                 $15,000          $900,000
Implementation         $30,000          $276,923
Testing                $45,000          $180,000
Total                  $90,000        $1,356,923

Table 2 - Remediation Cost Sample Calculation

This metric can create a model which seems too good to be true.
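The arithmetic behind the paper's two quantitative models, the risk equation from the Understanding Risk section and the remediation cost multiplier used in Table 2, as an added Python example that is not part of the original white paper or of any SPI Dynamics tool. It reproduces the paper's figures (risk values 1000, 160 and 96; production cost savings of $900,000, $276,923, $180,000 and $1,356,923) and generalizes both to any risk register or spend allocation. The function names, the 1-10 range check and the rounding to whole dollars are this example's own assumptions.

```python
"""Worked calculations for the two quantitative models in this paper.

Added example, not part of the original white paper or of any SPI Dynamics
tool. Function names and the 1-10 range check are this example's own choices.
"""
from typing import Dict, List, Tuple

# Understanding Risk:
#   Risk = Value of the Asset x Severity of the Vulnerability x Likelihood of an Attack
# with each factor weighted 1-10 (10 = most severe or highest).
def risk_score(asset_value: int, severity: int, likelihood: int) -> int:
    """Aggregate risk value for one asset; rejects factors outside the 1-10 scale."""
    for name, factor in (("asset_value", asset_value),
                         ("severity", severity),
                         ("likelihood", likelihood)):
        if not 1 <= factor <= 10:
            raise ValueError(f"{name} must be weighted 1-10, got {factor}")
    return asset_value * severity * likelihood


def rank_assets(register: Dict[str, Tuple[int, int, int]]) -> List[Tuple[str, int]]:
    """Score every entry of a risk register and order it highest risk first,
    which is the ordering a CSO uses to allocate scarce remediation effort."""
    scored = [(name, risk_score(*factors)) for name, factors in register.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Remediation Cost Multiplier by Phase (Figure 1, source @Stake).
MULTIPLIER: Dict[str, float] = {
    "Design": 1.00,
    "Implementation": 6.50,
    "Testing": 15.00,
    "Maintenance": 60.00,
}


def production_cost_savings(spend: Dict[str, float],
                            production_phase: str = "Maintenance") -> Dict[str, int]:
    """Table 2 arithmetic.

    A dollar spent fixing a vulnerability in phase P avoids
    MULTIPLIER[production_phase] / MULTIPLIER[P] dollars of remediation after
    release, so each phase's avoided cost is spend * that ratio. Values are
    rounded to whole dollars, as the table presents them, and a "Total" row is
    appended. Like Table 2, this is the gross avoided cost, not net of the spend.
    """
    ratio = MULTIPLIER[production_phase]
    savings = {phase: round(amount * ratio / MULTIPLIER[phase])
               for phase, amount in spend.items()}
    savings["Total"] = sum(savings.values())
    return savings


if __name__ == "__main__":
    # The three scenarios from the Understanding Risk section (paper's own numbers).
    register = {
        "E-commerce server, severe vulnerability": (10, 10, 10),
        "E-commerce server, moderate vulnerability": (10, 4, 4),
        "Intranet server, severe vulnerability": (2, 8, 6),
    }
    for name, score in rank_assets(register):
        print(f"{score:5d}  {name}")

    # The $90,000 pre-production allocation from Table 2.
    table2 = production_cost_savings({"Design": 15_000,
                                      "Implementation": 30_000,
                                      "Testing": 45_000})
    for phase, dollars in table2.items():
        print(f"{phase:15s} ${dollars:>10,}")
```

The savings column follows the paper's convention of reporting the avoided production-phase cost rather than a net figure; subtracting the $90,000 spent gives the net return if a budget discussion calls for one. The `production_phase` parameter exists so the same function can be rerun against a different baseline (for example, measuring against the Testing multiplier for a team whose release gate is QA).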
However, consider the cost of even one hour of downtime on public web servers used for interacting with customers, and it becomes apparent that proactive hardening of web applications is the most cost effective route to protecting web servers and the sensitive information they house. Not only is it much more expensive in hard development costs to repair bugs in production systems, but at that point we have also increased the risk of loss or damage to valuable company information, as well as the indirect costs (loss of reputation, customer attrition, legal liability, etc.).

As seen earlier, WebInspect is a key solution that can be used at every point in the web application development phases and is an important component of the investment in "baked in" security.

Summary

Risks are an inevitable fact of web servers and web applications. Chief Security Officers must devise risk mitigation strategies in order to best respond to these threats. This paper shows that the best practice for web server risk mitigation is to invest in pre-production solutions. In fact, the ROSI model shows that this will provide significant financial savings compared to risk mitigation performed while the web server is in production use. Chief among the pre-production phases are Design, Implementation and QA Testing. SPI Dynamics' WebInspect is the appropriate product to assist software architects, programmers, security engineers and QA testers in achieving these cost savings. We recommend that Chief Security Officers refocus their web security investments on these early stages of web application development, and we consider WebInspect from SPI Dynamics a key investment.
References

@Stake, "The Security of Applications: Not All Are Created Equal", February 2002. http://www.atstake.com/research/reports/acrobat/atstake_app_unequal.pdf
@Stake, "Tangible ROI Through Secure Software Engineering", Q4 2001. http://www.sbq.com/sbq/rosi/sbq_rosi_software_engineering.pdf
CIO Magazine, "Finally, A Real Return on Security Spending", Feb 15, 2002. http://www.cio.com/archive/021502/security.html
NIST, "Return on Security Investment (ROSI) and IT Security Capital Investment Planning", June 2003. http://csrc.nist.gov/roi/
NIST, "Risk Management Guide for Information Technology Systems", October 2001. http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
Srinivasan Raghunathan, Huseyin Cavusoglu and Birendra Mishra, University of Texas at Dallas, "The Economics of IT Security", 2002. http://www.utdallas.edu/~huseyin/security.html

About

The CSOinformer™ White Paper Series is a service of Reavis Consulting Group. All content, unless otherwise noted, is the sole property of Reavis Consulting Group. Please send all inquiries to:

Reavis Consulting Group
2553 Crescent St
Ferndale, WA 98248
(360) 739-9629
(360) 380-1119 Fax
www.reavis.org
www.csoinformer.com
research@csoinformer.com