Published on 14-Mar-2013
A huge challenge that many companies face in closing application vulnerabilities is one of time and resources. Security teams are often responsible for the security of thousands of applications but don’t have enough security experts on staff to handle the workload. It was a problem that Cisco faced several years ago.
With a small security team and an application portfolio of nearly 2,500 applications, security staff worried they were becoming a “bottleneck” in application security testing.
Using IBM® Security AppScan® Enterprise, Cisco empowered its developers and QA personnel to test applications and address security issues before deployment.
The program drove a 33 percent decrease in the number of security issues found, significantly reduced post-deployment remediation costs, and freed security experts to focus on deep application vulnerability assessments.
Ask Sujata Ramamoorthy, director of Information Security for Cisco, about the importance of application security and she points to the research. “The majority of attacks today—more than 70 percent—occur at the application layer,” she says. “It’s a real threat for companies.”
However, a huge challenge that many companies face in closing application vulnerabilities is one of time and resources. Security teams are often responsible for the security of thousands of applications. However, they typically don’t have enough security experts on staff to handle the workload.
It was a problem that Cisco, a worldwide leader in networking, faced several years ago. With a small security team and an application portfolio of nearly 2,500 applications, security staff worried that they were becoming a “bottleneck” in application security testing.
“We only had four subject-matter experts on our team to test applications along with two pentesters [penetration testers] from our professional services organization,” explains Ramamoorthy. “We couldn’t scale to support all the applications with so few resources.”
Shifting the focus from security to software quality
Instead of hiring additional resources, the Cisco Information Security (InfoSec) team transformed security testing from a security issue into a software quality initiative.
“A lot of companies keep security close to the InfoSec organization and they can't scale,” says Ramamoorthy. “For us, the question was: How can we put this skill into the DNA of the application development teams so that it wasn’t just a challenge for the security team, it was an opportunity to improve software quality overall?”
Targeting input validation vulnerabilities
The answer for the Cisco InfoSec team lay in empowering developers to identify “high-volume, low-complexity” vulnerabilities during the application development process.
“We found that input validation vulnerabilities—such as cross-site scripting and SQL injection—showed up time and time again in the top 10 vulnerabilities,” says Ramamoorthy. “We felt that with the right tools developers could easily find and fix these vulnerabilities early in the application development process.”
The InfoSec team had used IBM Rational® AppScan (now IBM Security AppScan Standard) for several years and found that IBM Security AppScan Enterprise provided a web-based platform that would enable developers and QA staff to easily perform baseline application vulnerability assessments.
“Any tool we chose had to be easy-to-use and fit into the development process,” says Ramamoorthy. “AppScan helped us create a self-service model. We could take the product and put it in the hands of the developers and QA testers so that they could identify and fix security vulnerabilities before production.”
Gaining buy-in from developers
How did the InfoSec team gain buy-in from developers and QA personnel to conduct baseline application vulnerability assessments?
“There was pushback,” says Ramamoorthy. “Part of our work was to show the developers that a majority of attacks were occurring at the application layer. We also shared the idea with our CIO and she recognized that the effort was really about software quality.”
A Proof of Concept demonstration provides a turning point
A common concern among developers was the time required to conduct baseline application vulnerability assessments. How much, they wanted to know, would it lengthen the development lifecycle?
To answer this question, the InfoSec team launched a Proof of Concept (POC) demonstration with three IT teams and 20 applications. Cisco Partner Security architects—Cisco IT administrators and developers who had been trained to help foster security governance within their areas—participated in the pilot to help demonstrate how IBM Security AppScan software could help improve software quality.
“In the POC, we showed that it wouldn’t take developers more than a day to assess a small application for input validation vulnerabilities and no more than three days for a large application,” says Ramamoorthy. “Once they saw this, they felt that it was an acceptable timeframe.”
Reflecting new requirements in IT policies
Along with education, the InfoSec team found it was crucial to include its new security testing requirements in IT policies.
“As we launched this work, we were in the process of deploying a new data center that would enhance resiliency,” says Ramamoorthy. “We included in our policy that all applications had to undergo baseline vulnerability testing before they could move to this new environment. This was a significant motivator for the development teams to participate in the program.”
Driving a 33 percent reduction in security issues found
Approximately 1,250 developers, QA personnel and application verifiers use IBM Security AppScan Enterprise to test their applications before deployment. Nearly 2,000 applications have been tested to date.
By integrating security testing throughout the software development life cycle, Cisco has been able to reduce its risk and decrease remediation costs following deployments.
“We’ve seen a 33 percent decrease in the number of issues found and a huge reduction in remediation costs post deployment,” says Ramamoorthy. “And it’s significant to note that our developers can still meet their deadlines and deliver high-quality applications without adding a great deal of time or cost to the process.”
Additionally, by finding and fixing input validation vulnerabilities themselves, developers can begin to gain insight into how to build more secure applications.
“My hope is that through this process we’ll be able to see patterns regarding application development or coding issues so that developers can avoid these types of issues to begin with,” says Ramamoorthy.
This approach has been so successful that other organizations within Cisco have adopted it as well.
“Our Product Development teams that build web-based software solutions for customers are using our program as a model for their security assessments,” says Ramamoorthy.
Enabling security experts to focus on complex vulnerabilities
By moving to this new testing model, the InfoSec team is able to support the Baseline Vulnerability Management initiative with 20 percent of a person’s time and use their expertise on design issues and Deep Application Vulnerability Assessments (DAVA).
“We’re better able to prioritize the applications that may be at greater risk,” says Ramamoorthy. “Under our DAVA program, we use IBM AppScan Standard and other security tools to target complex vulnerabilities that are typically difficult to find.”
Products and services used
● IBM® Security AppScan® Standard
● IBM Security AppScan Enterprise
For more information
To increase the business value of your IBM security solutions, participate in an online community. Join the IBM security community at: http://instituteforadvancedsecurity.com
For more information about Cisco, visit: www.cisco.com
© Copyright IBM Corporation 2013. IBM Corporation Software Group, Route 100, Somers, NY 10589. Produced in the United States of America, February 2013. WGC12349-USEN-00