Ten years into Web applications and organizations are still wrestling with security issues, said Jeff Williams, CEO and cofounder of Aspect Security Inc., and chair of the OWASP Foundation. "Every application we look at has dozens of flaws, and certainly some critical ones, and those are the folks who've self-selected for a security review," he said.
Now throw in new technology like Ajax and Web services, and organizations are barely scratching the surface of understanding the accompanying security issues, he said. "That's a recipe for introducing serious security flaws," according to Williams.
At the heart of the matter has been the lack of a programmatic, repeatable approach to building security into the software development life cycle, according to Stephen A. Barlock, North America Security Practice Lead for Accenture. Now organizations such as Accenture, in a recently announced partnership with Symantec, and Aspect Security are launching services to help address this need.
Last month, Accenture and Symantec Corp., in Cupertino, Calif., announced Accenture and Symantec Security Transformation Services, a joint organization that will build and implement data security solutions. The organization will help mitigate security risk in three key areas: compliance, security monitoring and management, and application security. And in September, Columbia, Md.-based Aspect Security announced a new set of services designed to accelerate an organization's application security initiatives.
"Application-level security has been the lagging element in security thinking," Barlock said. "First, this skillset in a typical IT shop around developer-level expertise focused on security issues and building secure applications is completely lagging. Also, the organizational structure itself is not properly constructed to deal with this skillset. The other problem is, it's been easy enough historically to solve security problems at the infrastructure level, so we've taken our eye off the ball about how to write secure applications. With firewalls we've taken an infrastructure approach to security."
But now with security threats and vulnerabilities moving up the stack, that infrastructure approach is breaking down, Barlock said. "There is a real need with clients to build at the broad IT level a repeatable process, to build security into the development life cycle," he said. The joint offering, he said, will address repeatable processes in application security for both development and testing/remediation. "Symantec has acquired a large pool of specialized application-level developers deeply skilled in security. [This partnership is] about leveraging their deep expertise on the people side and marrying that with Accenture's global scale and repeatability processes."
"Our customers are demanding more from Symantec—they're looking to transform the SDLC in their organizations," said Symantec's Mark Perry, vice president of global security transformation services.
Perry said while Symantec has done a lot of work related to training development personnel, as well as penetration testing and code reviews, the company "never had the opportunity to come up with a complete programmatic approach to address the problem." Accenture brings to the table a global scale, IT outsourcing capability, application development and methodology, Perry said.
As part of the joint offering in the application security area, Accenture and Symantec will be developing an application security framework that will include risk analysis, threat modeling, secure coding practices, security reviews and training, Perry said.
The companies are putting together a team of consultants from both organizations to do asset development and IP creation, and the joint organization will have a 50-50 investment model, Perry said.
"Bringing two of the big players together, we've got immense scale, deep technical knowledge, and the best of both worlds coming together for customers," Perry said.
Application security is a specialized area, and skills are limited in today's marketplace, said Allan Carey, program manager of security services and identity management at International Data Corp., in Framingham, Mass. "If an enterprise isn't able to retain skills in-house or have the internal capability, it makes sense for them to look outside to partner to provide services," he said.
"Symantec and Accenture work together from a security perspective already," Carey continued. "This is providing additional capability for Accenture to deliver application security services to their target market, and an opportunity for Symantec to get visibility into those customers. I think [the relationship] implies the large enterprises are interested in this area."
According to Carey, "it's becoming an emerging area of interest for enterprises to address application portfolios and review their applications [for security]. The other angle is, when developing code, making sure that security is taken into consideration throughout the SDLC, instead of just testing during QA prior to GA or prior to releasing to production."
Aspect Security's Williams is "happy to see the big companies jumping into this space. I do think it's a huge market opportunity. Folks are starting to get past the initial pen test-panic-fix cycle and get to some fundamental improvements to produce secure software. We just announced our acceleration services but we've been doing this kind of work since 2002."
While many organizations are doing some kind of penetration testing, it's difficult to make the process reproducible, Williams said. "There's generally some high-level policy in place, but it hasn't been translated down to the level that affects developers. We need to make sure the policy in place really makes a difference to developers. Developers aren't going to think about security all the time; you have to translate it for them. But if you give them guidelines they'll adapt to it easier, and it makes it easier to do reviews of applications."
Williams advises organizations to start with security requirements and security testing processes. "Think of it as bookending the process -- get the right process in front and do testing at the end. Then use this to build on existing processes."
Next he recommends establishing a threat modeling process, then the integration of secure coding practices. Most organizations today are still at the stage of getting their requirements right, he said.
"You can't change culture overnight to produce secure code," Williams said. "It will take training, processes, technology—and it's best when those are all aligned. When you put best practices guidelines in place the training should reflect that, so all the pieces work together."