Ten years into Web applications, organizations are still
wrestling with security issues, said Jeff Williams, CEO and
cofounder of Aspect Security Inc., and chair of the OWASP
Foundation. "Every application we look at has dozens of flaws, and
certainly some critical ones, and those are the folks who've
self-selected for a security review," he said.
Now throw in new technology like Ajax and Web services, and
organizations are barely scratching the surface of understanding
the accompanying security issues, he said. "That's a recipe for
introducing serious security flaws," according to Williams.
At the heart of the matter has been the lack of a programmatic,
repeatable approach to building security into the software
development life cycle, according to Stephen A. Barlock, North
America Security Practice Lead for Accenture. Now organizations
such as Accenture, in a recently announced partnership with
Symantec, and Aspect Security are launching services to help
address this need.
Last month, Accenture and Symantec Corp., in Cupertino, Calif.,
announced Accenture and Symantec Security Transformation Services,
a joint organization that will build and implement data security
solutions. The organization will help mitigate security risk in
three key areas: compliance, security monitoring and management,
and application security. And in September, Columbia, Md.-based
Aspect Security announced a new set of services designed to
accelerate an organization's application security initiatives.
"Application-level security has been the lagging element in
security thinking," Barlock said. "First, this skillset in a
typical IT shop around developer-level expertise focused on
security issues and building secure applications is completely
lagging. Also, the organizational structure itself is not properly
constructed to deal with this skillset. The other problem is, it's
been easy enough historically to solve security problems at the
infrastructure level, so we've taken our eye off the ball about how
to write secure applications. With firewalls we've taken an
infrastructure approach to security."
But now with security threats and vulnerabilities moving up the
stack, that infrastructure approach is breaking down, Barlock said.
"There is a real need with clients to build at the broad IT level a
repeatable process, to build security into the development life
cycle," he said. The joint offering, he said, will address
repeatable processes in application security for both development
and testing/remediation. "Symantec has acquired a large pool of
specialized application-level developers deeply skilled in
security. [This partnership is] about leveraging their deep
expertise on the people side and marrying that with Accenture's
global scale and repeatability processes."
"Our customers are demanding more from Symantec—they're looking
to transform the SDLC in their organizations," said Symantec's Mark
Perry, vice president of global security transformation
services.
Perry said while Symantec has done a lot of work related to
training development personnel, as well as
penetration testing and code reviews, the
company "never had the opportunity to come up with a complete
programmatic approach to address the problem." Accenture brings
to the table a global scale, IT outsourcing capability,
application development and methodology, Perry said.
As part of the joint offering in the application security area,
Accenture and Symantec will be developing an application security
framework that will include risk analysis, threat modeling, secure
coding practices, security reviews and training, Perry said.
The companies are putting together a team of consultants from
both organizations to do asset development and IP creation, and the
joint organization will have a 50-50 investment model, Perry
said.
"Bringing two of the big players together, we've got immense
scale, deep technical knowledge, and the best of both worlds coming
together for customers," Perry said.
Application security is a specialized area, and skills are
limited in today's marketplace, said Allan Carey, program manager
of security services and identity management at International Data
Corp., in Framingham, Mass. "If an enterprise isn't able to retain
skills in-house or have the internal capability, it makes sense for
them to look outside to partner to provide services," he said.
"Symantec and Accenture work together from a security
perspective already," Carey continued. "This is providing
additional capability for Accenture to deliver application security
services to their target market, and an opportunity for Symantec to
get visibility into those customers. I think [the relationship]
implies the large enterprises are interested in this area."
According to Carey, "it's becoming an emerging area of interest
for enterprises to address application portfolios and review their
applications [for security]. The other angle is, when developing
code, making sure that security is taken into consideration
throughout the SDLC, instead of just testing during QA prior to GA
or prior to releasing to production."
Aspect Security's Williams said he's "happy to see the big
companies jumping into this space. I do think it's a huge market
opportunity. Folks are starting to get past the initial pen
test-panic-fix cycle and get to some fundamental improvements to
produce secure software. We just announced our acceleration
services but we've been doing this kind of work since 2002."
While many organizations are doing some kind of penetration
testing, it's difficult to make the process reproducible, Williams
said. "There's generally some high-level policy in place, but it
hasn't been translated down to the level that affects developers.
We need to make sure the policy in place really makes a difference
to developers. Developers aren't going to think about security all
the time, you have to translate it for them. But if you give them
guidelines they'll adapt to it easier, and it makes it easier to do
reviews of applications."
Williams advises organizations to start with security
requirements and security testing processes. "Think of it as
bookending the process--get the right process in front and do
testing at the end. Then use this to build on existing
processes."
Next he recommends establishing a threat modeling process, then
the integration of secure coding practices. Most organizations
today are still at the stage of getting their requirements right,
he said.
"You can't change culture overnight to produce secure code,"
Williams said. "It will take training, processes, technology—and
it's best when those are all aligned. When you put best practices
guidelines in place the training should reflect that, so all the
pieces work together."