2.4 Important Questions
It’s crucial to keep in mind that the answers to some of the questions covered in this section may be trivial. If the answers are already known, that’s absolutely fantastic! When they are not known, future program managers may be able to find out without disrupting the team or the space. Managers should make an effort to be cordial and responsive to concerns or pushback. It’s always better to know than to assume: operating on assumptions can open the door to security issues or to ineffective vulnerability management processes. The questions that follow are meant as a baseline, not as a full representation of an enterprise risk management guide.
During the process of identifying risk, application security managers will find that many other questions arise – that’s great! Ask them! Operating in a way that creates a dialogue between the various teams and application security is a great first step toward building rapport and trust. Maintaining trust is an essential part of securing the organization, because it is impossible to remediate vulnerabilities if other teams do not trust the remediation techniques the application security team puts in place. While it may not initially be possible to understand how every single team works together, application security is most effective when an application security manager can envision the big picture of enterprise security. In addition, application security managers should avoid siloing themselves off and becoming “unreachable.” The resolution of vulnerabilities can occur twice as fast if managers know the other major players and innovators within the organization. Here are some questions that can be asked, with explanations of why these questions should be answered.
2.5 Software Engineering
2.5.1 Which Processes Are in Place for Secure Coding? Do the Software Engineers Understand the Importance of Mitigating the Risks Associated with Vulnerable Code?
Once again, application security managers should never assume that engineers have a working knowledge of secure coding. The best way to achieve enterprise security is to understand the way software engineers build, and to assist in establishing best practices. No organization is perfect. Therefore, it will take time to work with all of the teams that exist in the enterprise. Secure coding platforms such as Checkmarx Codebashing (https://www.checkmarx.com/products/codebashing-enterprise-application-security-training) and security awareness incentives such as hacking demos, security riddles, and other fun educational events can help break down any barriers that may exist between application security and software engineering.
2.5.2 How Effective Are Current Communication Processes? Will Vulnerabilities Be Quickly Resolved If Brought to Their Attention?
The evaluation of communication processes and vulnerability remediation expectations will develop over time. The question of effective communication and resolution isn’t one to ask software engineering teams directly, but it is a matter that should be carefully documented and reevaluated when more data is available.
2.5.3 Is the Breadth of Our Enterprise’s Web and Mobile Applications Immense? Which Processes Are Engineers Using for Development in the Software Development Lifecycle?
In short, managers should identify how many applications exist and what the software development lifecycle (SDLC) looks like. Preventing vulnerabilities starts with implementing adequate application security processes beforehand.
2.6 Security Departments
2.6.1 How Does Security Operations Manage Incidents? Will Employee Assistance Be Provided from the Security Operations Team If a Threat Actor Manages to Exploit an Application Vulnerability? Which Tools Do They Have in Place?
Incidents are inevitable for any growing organization, and an incident that affects only a security operations team, or only an application security team, is unrealistic. Application security managers will have to bridge the communication gap between engineers and management on both teams to collaborate on investigations. Establishing thorough processes for an application incident that ends up affecting both teams (such as a client-side web application exploit that turns into a server-side exploit) isn’t negotiable. Transparency about incident resolution should be maintained between both teams. Application security managers should know what forensic tools, logging solutions, and endpoint detection and response (EDR) tools exist within the enterprise. Many of the tools owned by other security teams can greatly benefit the application security team during investigative or prevention processes. Team collaboration can foster a shared mindset of security instead of a reluctance to provide assistance.
2.6.2 What Does the Fraud Prevention Team Do to Prevent Malicious Activities? How Many Occurrences Do They See of Issues such as Account Takeover, and Could They Potentially Create Application Vulnerabilities?
If a fraud team exists within the enterprise, application security will have a ton of collaboration work to do. For example, the aspects of security that the fraud team focuses on are important areas of review for application security as well. If the fraud team sees instances of account takeover, application security engineers will have to brainstorm prevention methodologies for the login page logic. Alternatively, if the fraud team starts to see a giant spike in gift card purchases, application security may have to review the security of the gift card purchase and redemption pages to ensure that vulnerabilities do not exist. The possibilities are endless.
2.6.3 Are There Any Compliance Practices in Place and, If So, How Do They Affect the Vulnerability Management Process? What Does the Application Security Team Have to Do to Assist in Enterprise Compliance?
Compliance teams within the organization will have to review third-party security relationships as well as internal security compliance. Application security managers should understand the processes to best help in evaluating and remediating risks that may affect adequate compliance.
2.6.4 What Edge Tooling Is in Place to Prevent Attacks? Are Any of the Enterprise Applications at Risk of Being Exploited due to an IoT (Internet of Things) Device?
IoT is a large attack vector. The security of Internet-connected devices may be up to a dedicated team, such as an edge team, or may fall into the purview of a security operations team. Nonetheless, the exploitation of IoT devices is an important consideration for application security, as these devices might directly connect to or host enterprise applications.
2.6.5 How Often Does Our Vulnerability Management Team Push for Updates? How Does the Vulnerability Management Team Ensure Servers in which Enterprise Applications Reside Are Secure?
Vulnerability management processes are complex, and when teams are dedicated to such efforts, the attack surface is reduced. However, application security managers need to know how the processes for resolution are coordinated. For example, if a security researcher compromises an out-of-date server that was identified through the web application, the vulnerability management team will have to assist, and knowing in advance what type of collaboration will need to occur is quite important.
2.7 Infrastructure Teams
2.7.1 What Are Infrastructure Teams Doing to Ensure Best Security Practices Are Enabled? How Long Will It Take the Infrastructure Team to Resolve a Serious Issue When a Server-side Web Application Is Exploited, or During a Subdomain Takeover Vulnerability?
Even though application security isn’t responsible for the security of servers, pivots can take place and a researcher