Over the years in information security, I have come across a lot of challenging situations, from negotiating a security fix with a team to bringing about process changes or a change in the way security is perceived altogether. Given the sheer size of the security landscape, there are many security alert ingress points that need to be looked at day in and day out to ensure the security of your enterprise. Security artifacts from threat modeling, architecture/design reviews, code reviews, vulnerabilities in consumed 3rd party libraries, in-house and 3rd party VAPT, customer security concerns, the changing threat landscape, APT, alerts from SIEM etc. can prove overwhelming, and security personnel can easily get lost in this huge set of information unless there is a clear prioritization matrix and a lot of automation to help filter false positives and arrive at actionable insights.
In retrospect you may discover that a lot of time goes into filtering out false positives and into context switching to cover the various ingress points. In the current threat landscape we cannot afford to miss any security vulnerability by citing the scalability problem of the security team.
What we need is automation of most of these repeated activities, correlation across them so that we can learn from, understand and blunt attack vectors, and sharing of that information within the security community to help other enterprises as well.
The challenge that the security community faces is also one of scalability. I have seen wonderful results in terms of securing products by empowering the engineering community with a security mindset and formulating a rewarding ‘Security Champion’ program within the organization. The champions act as an extended team and understand the dynamics of the product better than any external security team would ever be able to. Security is also about communication, relationships, trust, common sense and commitment. I mean ‘Do not try to solve everything with technology’; sometimes there are simpler and more innovative ways to address a security threat.
Another challenge in security is that security issues are neglected in favour of other functional requirements. Almost every organization has a ‘risk acceptance’ process that the business can use to defer a security issue to a future release. How do you overcome such a situation? This is where communication and trust play an important role: you have to establish credibility with the team to influence the fix sooner rather than later. On certain occasions it is feasible to create a PoC to demonstrate the vulnerability, but what about the majority of cases, where a full exploit will eat away your time and impact other deliverables? Trust plays an important role here, the trust you developed by establishing credibility.
Often, the low severity security items are ignored or take a lot of release cycles to fix. Everyone understands the ‘power of compounding’; how about we apply the same idea as the ‘power of chaining’ security issues and then analyze the severity of the chain? The common vulnerabilities you would come across on a site revolve around ‘Mixed content’, ‘XSS’, ‘URL Redirection’, ‘Directory traversal’, ‘Banner Grabbing’, ‘Insecure Cookies’ etc., but when they are chained together they can result in a critical security flaw. Authorization bypass by fuzzing mutable parameters in an API has been predominant and results in a devastating security flaw. It is basically connecting the dots and architecting a complete exploit story. With the rich functionality set of HTML5, deviations from RFCs among different vendors, an abundance of free apps bundling vulnerable osstp, and thanks to the patch management cycle, attackers have all the time in the world to exploit vulnerabilities before they can be officially patched.
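To make the two ideas above concrete, the prioritization matrix with false-positive filtering from the opening paragraphs and the ‘power of chaining’ from this one, here is a small triage pipeline written for this post as an added example; it is not code from the original article or from any product. It takes constructed findings in the shape different tools might emit them, normalises and deduplicates them, drops entries that match a suppression list of previously triaged false positives, and then applies hypothetical chain rules that raise an asset's effective severity when individually low-rated findings co-occur on it. The asset names, finding categories and chain rules are all assumptions made for the illustration.

```python
"""Toy triage pipeline: normalise findings from several ingress points,
drop known false positives, then escalate low-severity findings that
chain together on the same asset. Added example; all data is constructed."""
from collections import defaultdict
from dataclasses import dataclass

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)          # frozen => hashable, so a set dedupes identical findings
class Finding:
    source: str                  # ingress point, e.g. "sast", "dast", "sca", "siem"
    asset: str                   # hostname or service the finding applies to
    category: str                # normalised vulnerability class
    severity: str                # lower-cased severity label
    detail: str = ""


# Constructed sample input: raw records as different tools might emit them.
RAW = [
    {"tool": "dast", "host": "shop.example.test", "type": "insecure-cookie", "sev": "Low", "detail": "session cookie lacks Secure flag"},
    {"tool": "dast", "host": "shop.example.test", "type": "mixed-content", "sev": "Low", "detail": "http:// script on checkout page"},
    {"tool": "dast", "host": "shop.example.test", "type": "reflected-xss", "sev": "Medium", "detail": "q parameter"},
    {"tool": "dast", "host": "shop.example.test", "type": "reflected-xss", "sev": "Medium", "detail": "q parameter"},  # exact duplicate
    {"tool": "sca", "host": "shop.example.test", "type": "vuln-dependency", "sev": "High", "detail": "lib-x 1.2.3 (placeholder)"},
    {"tool": "dast", "host": "blog.example.test", "type": "banner-grabbing", "sev": "Info", "detail": "Server header reveals version"},
    {"tool": "sast", "host": "blog.example.test", "type": "hardcoded-secret", "sev": "High", "detail": "test fixture"},
]

# Hypothetical false positives accepted in an earlier triage cycle:
# (asset, category, substring that must appear in the finding detail).
SUPPRESSIONS = {("blog.example.test", "hardcoded-secret", "test fixture")}

# Hypothetical chain rules: when all categories in the set are present on one
# asset, the asset is rated at the escalated severity with the stated reason.
CHAIN_RULES = [
    ({"mixed-content", "insecure-cookie"}, "high", "cookie can travel over a plaintext subresource request"),
    ({"reflected-xss", "insecure-cookie"}, "critical", "script injection plus weak cookie flags enables session theft"),
]


def normalise(raw):
    """Map tool-specific records onto the common Finding shape."""
    return [Finding(r["tool"], r["host"], r["type"], r["sev"].lower(), r["detail"]) for r in raw]


def is_suppressed(f):
    """True if the finding matches a previously triaged false positive."""
    return any(f.asset == a and f.category == c and d in f.detail for a, c, d in SUPPRESSIONS)


def triage(raw):
    """Return per-asset summary: finding count, worst standalone severity,
    effective severity after chain rules, and the chains that fired."""
    findings = {f for f in normalise(raw) if not is_suppressed(f)}   # set removes duplicates
    by_asset = defaultdict(list)
    for f in findings:
        by_asset[f.asset].append(f)

    report = {}
    for asset, items in by_asset.items():
        present = {f.category for f in items}
        standalone = max(items, key=lambda f: SEVERITY_RANK[f.severity]).severity
        effective, chains = standalone, []
        for needed, sev, why in CHAIN_RULES:
            if needed <= present:                      # every link of the chain is on this asset
                chains.append((sorted(needed), sev, why))
                if SEVERITY_RANK[sev] > SEVERITY_RANK[effective]:
                    effective = sev
        report[asset] = {"findings": len(items), "standalone_worst": standalone,
                         "effective": effective, "chains": chains}
    return report


def prioritised(raw):
    """Assets ordered by effective severity, worst first: the work queue."""
    rep = triage(raw)
    return sorted(rep, key=lambda a: SEVERITY_RANK[rep[a]["effective"]], reverse=True)


if __name__ == "__main__":
    for asset in prioritised(RAW):
        print(asset, triage(RAW)[asset])
```

Run as-is, the shop asset is reported at critical even though no single finding on it exceeds high, which is exactly the point of rating the chain rather than the individual items; the blog asset drops to a single informational finding once the known false positive is suppressed. In a real pipeline the suppression list would carry an owner and an expiry so that accepted risks are re-examined rather than forgotten.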
So how do we ensure product security?