Application Security Reviews – Pitfalls, Dangerous Mistakes and Assumptions

Posted on May 24th, 2009 by Drazen Drazic

Reposted (post accidental deletion).

On the phone last week to a CIO friend of mine discussing his organisation’s new “critical” business application that ties together much of their business into one, somewhat central entity (ERP if you like to a degree). He wanted to talk about securty testing the “application” before it went live.

I asked the obvious and was told it was due to go into production in 4 weeks. He knew what my response would be so pre-empted it with; “I know, I know…we should have done more security homework and testing sooner than this, but with the business pushing it, and they ["the business"] not really wanting to listen to concerns about security, but rather focus on deployment deadlines to fit in with business marketing strategy, my hands were tied!”. (Typical I thought and no need for further comment from me here, as you know what my thoughts are).

After learning a bit about this application from him, I directed him to this post: “System” view security vs. “Application” view security and suggested he have a read. (He did recall reading it before but I think it didn’t sink in). Read on…

He called me back about half an hour later and if I had to repeat the first two minutes, I’d probably be beeping out 90% of the of the conversation. While this new application was now the core business system, it still received data/input from a dozen or so other applications – none of which he could confirm had ever been security tested before or to his knowledge knew whether they had “effective” security controls in place on them. (Not to say there wasn’t). Each application had one type or another level of access into the new application. Further, he later confirmed (after I threw more questions at him), that numerous people had various levels of direct access into their databases that bypassed application controls altogether – supposedly justified. Worse…in fact, he wasn’t able to confirm at the time of our discussion that anyone in the organisation with the right knowledge and tools could even be blocked from accessing the databases directly.

He now knew the answer already without me having to go on with a long sermon. Securus Global could test and find the new critical/core business application itself faultless and secure in it’s own right, but, what value is that when assessed as part of an overall system?! What started as a discussion about the security of one application ended up being a worrying assessment of their whole enterprise security.

Is this organisation’s dilemma unique/different to those in other organisations? From our experience, no, and the larger the organisation and the more complex the environment(s), the worse it is. (As I talked about here).

Further, there’s been a lot written in recent times in blogs and other sites about security in SDLC, with some even suggesting and/or questioning whether there is any actual value and investment benefits to having security built in at all phases of the SDLC vs. post code completion security testing and subsequent remediation of identified issues. You have to wonder whether some experts actually understand what it means to develop a complex application (and system) as opposed to just security-testing them. (It’s another world and not always understood by security people). I wonder if some experts have just run out of things to write about when they publish stuff like that. (No doubt some of you probably accuse me of similar based upon some of my posts. )

Yes, my CIO friend knows I am writing this and gave his approval for a generic case study of his circumstance.

A few related posts:
The 7 Reasons why Business are Insecure
Various rants on application security
Assortment of Risk Management failings
Link to “The Anatomy of Security Disasters”