Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry
Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…
by Neil MacDonald | January 17, 2012
DevOps seeks to bridge the development and operations divide through the establishment of a culture of trust and shared interest among individuals in these previously siloed organizations. However, this vision is incomplete without the incorporation of information security, which represents yet another silo in IT. Breakdowns in communications and processes across development, operations and security are the root cause of the vast majority of critical system downtime, including downtime caused by breaches in security. For example, Gartner research shows that 75% of successful attacks occur against previously known vulnerabilities for which a patch or secure configuration standard was already available (actually, this used to be about 90%, but advanced and targeted attacks have changed the equation).
Conventional wisdom holds that the agile nature of the DevOps vision is fundamentally at odds with the historically static and cumbersome nature of information security. I disagree. Security can support a unified vision of DevOpsSec, but to do so information security must change in several ways: security infrastructure must become more adaptive and programmable, and information security must be represented on DevOpsSec teams from the genesis of new applications and services.
I’ve just published a research note for clients, “DevOpsSec: Creating the Agile Triangle”, that makes the argument for DevOpsSec and outlines the major areas of change for information security to support a unified DevOpsSec vision. My colleague Cameron Haight, from the IT Operations side of Gartner research, joined me on the research note. He has pioneered much of the research on DevOps for Gartner, and increasingly he is being asked how DevOps can be adopted without sacrificing security; increasingly, I am being asked how to reconcile the agile nature of DevOps with the need for security testing. Together, we teamed up to deliver the first in a series of research notes on how to deliver DevOpsSec.
Development, operations and security are fundamentally intertwined. A well-designed, developed and managed system is the foundation of a secure system. DevOps must evolve to a new vision of DevOpsSec that balances the need for speed and agility of enterprise IT capabilities with the enterprise need to protect critical assets, applications and services.
Category: Application Security Next-generation Security Infrastructure Tags: Adaptive Security Infrastucture, application security testing tools, Defense-in-Depth, DevOpsSec, Next-generation Data Center, Next-generation Security Infrastructure, Security-Summit-NA
by Neil MacDonald | January 9, 2012
I called this a “security no brainer” years ago and the advice is absolutely still relevant today.
In Gartner’s latest Magic Quadrant for Dynamic Application Security Testing (DAST) solutions for clients, one of the evaluation criteria we looked at was whether the vulnerability knowledge of the DAST solution could be exported and used by a web application firewall (WAF; for example Imperva, F5, Citrix, Barracuda, DenyAll, ModSecurity, Bee Ware and others) to protect the vulnerable application from attacks. Note that this is conceptually identical to using network or host-based IPSs to shield endpoints from attacks until patches can be applied.
Before I start a firestorm of comments, let me be clear: we believe the vulnerable application should be fixed if possible (just like vulnerable endpoints should ultimately be patched). WAFs should be viewed as a way to shield vulnerable web applications until they can be fixed/patched. However, this isn’t always possible in a timely manner. Sometimes the backlog of applications in development prevents a timely fix. Sometimes the organization doesn’t have the expertise to fix the application because the person that wrote it has left (or the development was outsourced/contracted). In other cases, there may be limited access to the source code. Regardless, what if we’ve got a vulnerable web application that we can’t fix in a timely manner?
That’s where DAST/WAF integration comes in. Most DAST solution providers will link directly to WAF providers to provide specific protection from a vulnerability. The DAST tool discovers the vulnerability and the WAF helps to shield it from attacks. Makes sense, doesn’t it?
Here are a few things to keep in mind:
- Look for explicit WAF support. Some DAST solution providers will talk about exporting vulnerability knowledge in XML and how this could be consumed by a WAF… leaving out the part where you have to perform the translation from a generic XML-based representation of the vulnerability into the native WAF rule syntax. Make sure both your WAF provider and DAST solution provider state explicit, out-of-the-box support for this integration.
- Even with explicit integration, don’t expect DAST vulnerability information to flow to a WAF without human intervention and testing. A generated rule is only as good as the finding behind it: a rule scoped to the URL and parameter the scanner exercised shields that entry point only, so someone has to check its scope before it goes live.
- Favor DAST solutions that allow you to quickly and easily retest/replay a specific vulnerability with the WAF in place to confirm that the protection is working as expected.
- To check for false positives, use testing scripts or recorded sessions to exercise the web application with the WAF rule in place. Favor WAF solutions that can place new rules in a “monitor only” mode for a period of time before being placed into blocking mode.
If you haven’t evaluated DAST solutions recently, it is time to take another look. The market continues to evolve rapidly. If a vulnerable web application can’t be fixed in a timely manner, don’t leave yourself exposed. Look for explicit, out of the box support for WAF rule generation in your next DAST or WAF solution evaluation.
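To make the integration concrete, here is an added example (mine, not code from any DAST or WAF vendor) that takes a DAST finding and emits a ModSecurity “virtual patch” for it, first in monitor-only form and then in blocking form, and dry-runs the rule’s logic over a recorded session to look for false positives. The XML finding format, the expected-format mapping and the recorded session are all constructed for the example; the match check is a Python emulation of the generated rule’s logic, not ModSecurity itself.

```python
"""Generate a ModSecurity 'virtual patch' from a DAST finding and dry-run it.

Added example for this post, not code from any DAST or WAF vendor. The XML
finding format below is a constructed, hypothetical schema; real DAST exports
differ, which is exactly why explicit out-of-the-box integration matters.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample export: one SQL injection finding on one parameter.
SAMPLE_FINDING_XML = """<?xml version="1.0"?>
<findings>
  <finding id="f-1" type="sql-injection" severity="high">
    <url>https://shop.example/account/view.php?id=42</url>
    <parameter location="query">id</parameter>
    <expected-format>integer</expected-format>
  </finding>
</findings>"""

# Positive-security patterns for common parameter formats (hypothetical
# mapping): a value that does not fit is rejected for this parameter only.
EXPECTED_FORMATS = {
    "integer": r"^[0-9]{1,10}$",
    "alnum": r"^[A-Za-z0-9_-]{1,64}$",
    "email": r"^[^@\s]{1,64}@[^@\s]{1,255}$",
}


@dataclass(frozen=True)
class Finding:
    ident: str
    vuln_type: str
    path: str
    parameter: str
    pattern: str  # regex the parameter value must match to be accepted


def parse_findings(xml_text: str) -> list[Finding]:
    """Parse the constructed DAST export into Finding objects."""
    root = ET.fromstring(xml_text)
    out = []
    for f in root.iter("finding"):
        fmt = f.findtext("expected-format", default="alnum")
        out.append(Finding(
            ident=f.get("id"),
            vuln_type=f.get("type"),
            path=urlsplit(f.findtext("url")).path,
            parameter=f.findtext("parameter"),
            pattern=EXPECTED_FORMATS[fmt],
        ))
    return out


def modsecurity_rule(finding: Finding, rule_id: int, blocking: bool) -> str:
    """Emit a ModSecurity v2 chained rule scoped to one URL and one parameter.

    blocking=False uses 'pass' as the disruptive action, so the rule only logs
    (the 'monitor only' period). blocking=True denies the request with a 403.
    """
    action = "deny,status:403" if blocking else "pass"
    msg = f"Virtual patch {finding.ident}: {finding.vuln_type} in {finding.parameter}"
    return (
        f'SecRule REQUEST_FILENAME "@streq {finding.path}" '
        f'"id:{rule_id},phase:2,t:none,log,{action},msg:\'{msg}\',chain"\n'
        f'    SecRule ARGS:{finding.parameter} "!@rx {finding.pattern}" "t:none"'
    )


def rule_matches(finding: Finding, request: dict) -> bool:
    """Emulate the generated rule's match logic in Python (not ModSecurity)."""
    if request["path"] != finding.path:
        return False
    value = request["args"].get(finding.parameter)
    if value is None:
        return False  # parameter absent: nothing to inspect
    return re.search(finding.pattern, value) is None


def dry_run(finding: Finding, recorded_session: list[dict]) -> list[dict]:
    """Return the recorded requests the rule would block: the false-positive check."""
    return [r for r in recorded_session if rule_matches(finding, r)]


# Constructed recorded session of legitimate use, plus the scanner's replay.
RECORDED_SESSION = [
    {"path": "/account/view.php", "args": {"id": "42"}},
    {"path": "/account/view.php", "args": {"id": "1007"}},
    {"path": "/search.php", "args": {"q": "1 OR 1=1"}},  # different URL: out of scope
]
SCANNER_REPLAY = {"path": "/account/view.php", "args": {"id": "42 OR 1=1--"}}

if __name__ == "__main__":
    finding = parse_findings(SAMPLE_FINDING_XML)[0]
    print(modsecurity_rule(finding, 100001, blocking=False))
    print("would-be false positives:", dry_run(finding, RECORDED_SESSION))
    print("scanner replay blocked:", rule_matches(finding, SCANNER_REPLAY))
```

The rule is deliberately narrow: one path, one parameter, and a rejection of any value that does not fit the format the application expects, which is what a DAST-driven virtual patch looks like in practice. Flipping `blocking` from False to True is the move from “monitor only” to blocking, taken only once the dry run over recorded traffic comes back empty and the scanner replay is confirmed blocked.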
Category: Application Security Security Intelligence Tags: Application Security, application security testing tools, Best Practices, Security No-Brainer
by Neil MacDonald | January 4, 2012
We’ve just published a new Magic Quadrant for Dynamic Application Security Testing (DAST) for Gartner clients. In Gartner research, we use the term DAST to refer to testing solutions and techniques that are designed to test an application from the “outside in” to detect conditions indicative of a security vulnerability in an application in its running state.
DAST solutions have been around for years, so you might think the market is fairly static. Not at all. DAST solutions have had to evolve well beyond the security testing of back-end web applications. In order to dynamically test the next generation of applications, new DAST capabilities are required, and not all vendors support them equally.
Here are several areas where DAST solutions are evolving:
(1) Dynamic application security testing as a service. The market for dynamic testing as a service is growing, and some of the DAST solutions we evaluated (Qualys, Veracode and WhiteHat) only offer their solution as a service. However, many organizations tell us they prefer to use both a product and a service from the DAST vendor: for example, testing their more-sensitive applications on-premises using a DAST product and their less-sensitive applications via DAST as a service, or testing deployed applications as a service while testing applications in the QA phase of the development process with on-premises DAST products.
(2) The ability to crawl and test Rich Internet Applications (RIA). A hallmark of Web 2.0 applications is the use of RIA, mostly in the form of JavaScript (The “J” in Ajax) and Ajax frameworks. In addition, many applications include large amounts of client-side logic in the form of Adobe Flash, Flex, and Microsoft’s Silverlight. The use of client-side RIA logic complicates how applications are crawled and how traditional DAST testing is performed, since the JavaScript and other types of code are rendered at the client, not at the server.
(3) HTML5. More recently, interest has shifted to the use of HTML5 for RIA. HTML5 isn’t a single standard; the multiple specifications that collectively represent HTML5 are at different levels of maturity and adoption. Testing HTML5 applications and keeping up with the fluid standards is an emerging requirement for all DAST solutions.
(4) The ability to crawl and test applications that use other types of interfaces carried over web protocols. For example, many DAST solutions test Web services using protocols and formats, such as Simple Object Access Protocol (SOAP), representational state transfer (REST), Extensible Markup Language (XML) and JavaScript Object Notation (JSON).
(5) Static application security testing (SAST) capabilities. For comprehensive application security testing, applications should be tested from the “inside out” using static analysis and from the “outside in” using dynamic analysis. Several vendors now offer both DAST and SAST solutions.
(6) Interactive Security Testing. Building on #5, some of the testing providers enable interaction between their static and dynamic security testing techniques. One of the most common ways is to instrument the application while it is being tested dynamically. This provides more detailed information (such as identifying the line of code where a vulnerability occurs and assessing the code coverage of testing). While this may not be suitable for production applications, this approach is quite useful in QA testing in order to provide more meaningful results to developers.
(7) Comprehensive fuzz testing. Some DAST solutions are designed specifically to expand well beyond Web protocols to include non-Web protocols (for example, remote procedure calls, Server Message Block, Session Initiation Protocol [SIP] and so on) as well as data input malformation. This is especially critical for the dynamic security testing of applications used within embedded devices, such as storage appliances, telecommunications and networking equipment, directories, automated teller machines, medical devices and so on.
(8) Testing mobile and cloud-based applications. Ideally, mobile applications would be tested with both SAST and DAST; however, DAST alone still adds value. Beyond the use of RIA and HTML5 discussed previously, most Android and iOS applications (even when written as native applications) are Web-like in nature and communicate over Web or RESTful HTTP-based protocols. At a minimum, the exposed interfaces of the applications should be testable using DAST. Many mobile applications communicate with cloud-based applications on the back end, which must also be tested. In addition, many applications have specific code paths for supporting mobile devices; to test these properly, DAST solutions must emulate a number of mobile browsers.
These are just a few examples of how the market for DAST solutions is anything but static. The market is evolving rapidly and requires that successful solutions here continue to adapt as well. If you haven’t evaluated DAST solutions in a while, it’s time to take another look.
Category: Application Security Applications Cloud Cloud Security Tags: Application Security, application security testing tools, Cloud Security
by Neil MacDonald | December 9, 2011
I’m just back from Gartner’s US 2011 Data Center Summit held this week in Las Vegas. In my previous post, I talked about information security vendors’ concerns about the potential impact of the Eurozone crisis on information security spending.
Here, I want to outline the top security-related issues and concerns that I discussed with attendees at the conference:
- Interest in securing the next-generation virtualized data center remains high with most of the questions focused on the separation of workloads of different trust levels (e.g. PCI, DMZ, dev/test) in virtualized environments. In most cases, this will involve the use of software-based virtualized security controls. Specific to PCI, one attendee indicated their QSA had accepted PCI and non-PCI related workloads on the same physical host without all workloads being considered in scope (in this case, they used externalized physical firewall-based separation).
- Several attendees asked if I was aware of any publicized incidents of hypervisor breaches. I’m not, but that doesn’t mean that they won’t (or haven’t) happened. The vulnerabilities are there. It will happen; it’s just a matter of time. Attackers are quite aware that a successful attack at this layer represents an opportunity to compromise every workload on the physical machine, regardless of the security controls inside each guest.
- I had several questions on optimizing antimalware scanning in a virtualized environment. Trend Micro has been an early innovator here with its integration with VMware’s vShield Endpoint APIs, but there are other options and approaches, each with pros and cons.
- In terms of cloud security, most questions revolved around extending enterprise virtualized data centers to public cloud IaaS providers in hybrid scenarios and how to protect this.
- The second most common cloud security issue discussed was the use of encryption and other approaches to securing data in the cloud. Since cloud isn’t one thing, our approaches to securing data in the cloud will be different at different layers.
It was a great conference with record-setting attendance. It’s clear to me that virtualization, mobilization and cloud computing are transforming the enterprise data center and that information security needs to evolve to support this. Based on the interest in information security from attendees of the conference, I’d say they feel exactly the same way.
Category: Cloud Cloud Security Next-generation Data Center Next-generation Security Infrastructure Virtualization Virtualization Security Tags: Cloud Security, GartnerDC, Hypervisor Security, Information Security, Next-generation Data Center, Next-generation Security Infrastructure, Virtualization Security, vShield
by Neil MacDonald | December 9, 2011
I’ve just gotten back from Gartner’s Data Center Conference in Las Vegas. Like Gartner’s recent US Symposium and European Symposium, the conference had record attendance and interest in information security was high.
I’ll place the top security-related issues from non-vendor attendees in a separate post.
On the vendor side, I had several information security providers ask me about the potential impact of the Euro crisis on information security spending. Many of the vendors are right in the middle of their 2012 revenue forecasting and budget planning process so the question is top of mind. My recommendation to them was to bound their forecast and budgets with a worst case and best case envelope around their most likely forecast.
Gartner is following the developments closely, and we have several resources available to clients and vendors to navigate this turbulent period. First, there is a webcast planned to discuss the impact of the Eurozone crisis that is open to all. Second, there is a special report being developed for Gartner clients that addresses the issue from multiple angles across all of Gartner research. The first research note in this set has already been published for clients: “CIOs Should Address the Impacts of the Euro Crisis on Their Enterprises Now”. Third, my European colleague has just posted a survey to gather data for use in his research and his blog posts on the topic.
Category: Information Security Next-generation Data Center Tags: GartnerDC, Information Security, Next-generation Data Center, symposium
by Neil MacDonald | November 14, 2011
I spent the last week in Barcelona with 4,000+ attendees at the 2011 Gartner European Symposium. It was a new venue for Gartner (we were displaced from Cannes by the G20), and I’m happy to say it was fantastic, with record attendance.
Security was front and center of attendee interests. We had a total of 23 security sessions throughout the 4 days. Like the US Fall Symposium, I was fully booked with 1-1 sessions where attendees are able to meet and discuss their issues and questions with analysts.
The top issues of our European attendees differed from those at Gartner’s US Fall Symposium. Here’s what was top of mind in Europe:
1) Protecting information. I had a large number of discussions on how to move information security beyond just a “bottom-up” approach. These organizations felt they had a good handle on traditional firewalling, IPS and endpoint protection but hadn’t done much for information protection beyond encrypting laptops. In addition to encouraging them to think about information protection as a process, we also discussed specific technical controls such as database activity monitoring, file activity monitoring and web application firewall/monitoring solutions.
2) Cloud security. Cloud isn’t one thing, and security isn’t either, so these discussions varied. Most were focused on how to better secure access to cloud-based services at the Software-as-a-Service level. There were some questions on IaaS, but only one on securing PaaS. In that case it was a leading-edge client moving their entire business as a service provider to Microsoft’s Azure platform, and we discussed encryption options within Azure.
3) Hosted Virtual Desktop (or, if you prefer, Virtual Desktop Infrastructure). In these conversations, the interest was driven primarily by the need to provide access to legacy Windows applications while maintaining control of the information. Several conversations were on the pros/cons of VDI as compared to traditional terminal services. There are strengths and weaknesses to each approach. In a separate roundtable on virtualization and security that I moderated, the preference of the attendees was to use full VMs (VDI/HVD) rather than terminal services.
4) Application security. This is really a form of #1 above, but focusing on securing the applications that handle the sensitive information. Most had adopted some amount of security testing, but were interested in pushing testing further back into software development. There was significant interest in testing-as-a-service offerings, many of which are quite inexpensive compared to testing in house. In most of these cases, testing as a service wasn’t replacing what they were doing, just augmenting it.
Overall, the biggest difference I saw between the interests of European and US attendees was the intense interest in specific ways and mechanisms to augment traditional “bottom-up” security mechanisms with a “top-down” approach to protecting information. Both are needed.
That’s a good sign that information security organizations understand that in a world where IT increasingly doesn’t own or control much of the IT stack (end user device, network, server, OS, etc.), our focus absolutely must shift up to the various ways to protect the information.
Category: Application Security Cloud Security Virtualization Security Tags: application security testing tools, Cloud Security, GartnerDC, Information Security, symposium
by Neil MacDonald | October 24, 2011
Last week I attended Gartner’s US Symposium conference in Orlando. With 8,000+ attendees (25% of which were CIOs) and at least 1,000 more analysts, vendors and support staff, you can imagine it was quite a scene.
In addition to three presentations, I had more than 30 fantastic one on ones with attendees over the four days.
What was hot? Many of the same issues I blog about. In order of priority, most attendee discussions were on:
1) Endpoint security, application control and whitelisting. Microsoft is causing significant disruption in this market with its new version of Forefront Endpoint Protection and its change in licensing policies.
2) Strategies for protection against Advanced threats (note that this overlaps with #1 a bit)
3) Security trends – what are the major trends we are seeing in information security and are they missing anything? What investments should we be thinking about for 2012?
4) Virtualization and security – trust/assurance of the hypervisor for separation of workloads of different trust levels as well as protecting VMs as they move offsite into Cloud-based providers.
Surprisingly, I only had one or two conversations on application security – specifically looking for best practices to push security testing further back in the SDLC.
In terms of “Cloud”, I think most organizations are moving beyond the ill-defined hype of “cloud security” and looking for specific advice and best practices for addressing specific cloud-related computing concerns. That’s a welcome step forward. Cloud is a computing style, not a location. It’s great to see people embrace this computing style and look to proactively build security in. Thursday afternoon’s presentation on securing private clouds had a good crowd for the final day. The biggest reaction was on the evolution of security to a set of software-based services delivered by programmable infrastructure. I think most IT security professionals have become so accustomed to their firewalls as a physical box, they have a difficult time imagining firewall services decoupled from the physical hardware underneath and shifting to security policies based on logical, not physical, attributes. Indeed, I believe the biggest challenges to the security of private clouds will be related to cultural and mindset change issues, not technical.
If you follow my thoughts from the conference on Twitter (@nmacdona), you’ll see some of the feedback on my context-aware security presentation. Despite losing AC during the presentation (not good in Florida, even in October!), the crowd stuck it out, with some hanging out in the doorways to watch the presentation and catch a breeze at the same time.
As I have discussed previously many times, all of information security is becoming context-aware and adaptive and this attribute will be a key characteristic of all next generation security offerings (IPS, FW, endpoint protection, IAM, DLP, and so on).
Overall, it was another great Symposium conference (my 15th with Gartner!). They just keep getting better. For those of you that didn’t make it, I’m attending Gartner’s upcoming US Data Center summit in December in Las Vegas and we can catch up there.
Category: Application Security Beyond Anti-Virus Cloud Cloud Security Information Security Microsoft Security Next-generation Security Infrastructure Virtualization Virtualization Security Tags: Adaptive Security Infrastucture, Beyond Anti-Virus, Cloud Security, Context-aware Security, DC-Summit-NA, Endpoint Protection Platform, Information Security, Microsoft Security, symposium, Virtualization Security
by Neil MacDonald | October 13, 2011
Context-aware security is the use of supplemental information to improve security decisions at the time the decision is made. The goal? More-accurate security decisions capable of supporting more-dynamic business and IT environments as well as providing better protection against advanced threats.
In a 2010 research note that provided a definition and framework for understanding context-aware security, “The Future of Information Security is Context Aware and Adaptive”, I used the term “next-generation IPS” to describe how advanced intrusion prevention systems were becoming context aware in order to make improved security decisions (faster, more accurate and better suited to detecting advanced threats).
Network security solutions are evolving to incorporate “application awareness” and “identity awareness” into their offerings. Information protection solutions are evolving to deliver “content awareness.” Application, identity and content awareness are all part of the same underlying shift to incorporate more context at the point when a security policy enforcement decision is made.
In the research note, I provided several examples of how information security infrastructure was evolving to become context-aware, including next-generation IPSs:
Intrusion prevention systems (IPSs) — Rather than apply all IPS rules to all traffic flows, next-generation IPS systems are able to use real-time contextual knowledge of what version of an OS or application a workload is running and what vulnerabilities are present in the systems they are protecting (for example, Real-time Network Awareness (RNA)/Real-time User Awareness (RUA) integration with Sourcefire). This context improves the speed and accuracy of IPS decisions, allowing more-efficient use of processing resources, as well as reducing the chance of false positives.
We’ve just published this research note for clients that outlines the key attributes of a next-generation IPS. Context-awareness in the form of application, identity, content and environmental awareness is the foundation for a next-generation IPS.
As I have observed several times, all information security infrastructure must become context-aware – endpoint protection platforms, access control systems, network firewalls, IPS systems, security information and event management systems, secure web gateways, secure email gateways, data loss prevention systems … all of it.
The shift to incorporate “application awareness”, “identity awareness”, “virtualization awareness”, “location awareness”, “content awareness” and so on are all facets of the same underlying shift in information security infrastructure to become context-aware.
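As an added example of the rule-selection step the IPS excerpt above describes (my own illustration, not Sourcefire’s RNA/RUA or any vendor’s implementation), the following takes a constructed asset inventory and constructed rule metadata, keeps only the rules whose preconditions hold on a given host, and triages an alert that fires anyway. Rule IDs, products and version ranges are hypothetical.

```python
"""Context-aware IPS: apply only the rules that fit the protected workload.

Added example for this post; it is not Sourcefire/RNA/RUA or any vendor's
code. The asset inventory, rule metadata and impact labels are constructed
and hypothetical (no real rule IDs or vulnerability identifiers).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Asset:
    ip: str
    os_family: str                    # learned passively or from inventory
    services: dict                    # port -> (product, version) actually listening


@dataclass(frozen=True)
class Rule:
    rule_id: str
    description: str
    port: int
    os_family: Optional[str] = None   # None: any OS
    product: Optional[str] = None     # None: any product on that port
    affected: tuple = ()              # (min_version, max_version) inclusive, or ()


def version_tuple(v: str) -> tuple:
    """'2.2.14' -> (2, 2, 14) so ranges compare numerically, not lexically."""
    return tuple(int(x) for x in v.split("."))


def applicable(rule: Rule, asset: Asset) -> bool:
    """True when the rule's preconditions hold on this asset: the 'context'."""
    if rule.os_family and rule.os_family != asset.os_family:
        return False
    service = asset.services.get(rule.port)
    if service is None:
        return False                  # nothing listening on that port here
    product, version = service
    if rule.product and rule.product != product:
        return False
    if rule.affected:
        lo, hi = rule.affected
        return version_tuple(lo) <= version_tuple(version) <= version_tuple(hi)
    return True


def select_rules(rules: list, asset: Asset) -> list:
    """Per-asset rule set: the subset a context-aware IPS evaluates for this host."""
    return [r for r in rules if applicable(r, asset)]


def impact(rule: Rule, asset: Asset) -> str:
    """Triage an alert that already fired, using the same context."""
    if rule.port not in asset.services:
        return "informational"        # attack against a closed port
    return "vulnerable" if applicable(rule, asset) else "not-applicable"


# Constructed inventory: one Linux web server, one Windows file server.
ASSETS = {
    "10.0.0.5": Asset("10.0.0.5", "linux",
                      {80: ("apache-httpd", "2.2.14"), 22: ("openssh", "5.3")}),
    "10.0.0.9": Asset("10.0.0.9", "windows", {445: ("smb", "2.0")}),
}
# Constructed rule metadata (hypothetical IDs and version ranges).
RULES = [
    Rule("R-1", "hypothetical httpd flaw, 2.2.0 through 2.2.16", 80,
         "linux", "apache-httpd", ("2.2.0", "2.2.16")),
    Rule("R-2", "hypothetical httpd flaw fixed before 2.2.14", 80,
         "linux", "apache-httpd", ("2.0.0", "2.2.9")),
    Rule("R-3", "hypothetical IIS flaw", 80, "windows", "iis"),
    Rule("R-4", "hypothetical SMB flaw, any version", 445, "windows", "smb"),
]

if __name__ == "__main__":
    for ip, asset in ASSETS.items():
        print(ip, [r.rule_id for r in select_rules(RULES, asset)])
```

The same predicate serves both purposes: before the fact it shrinks the rule set evaluated per flow, and after the fact it separates an alert against a host that is actually vulnerable from noise against a host that is not even running the product.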
Category: Next-generation Security Infrastructure Security Intelligence Tags: Adaptive Security Infrastucture, Context-aware Security, Endpoint Protection Platform, Next-generation Security Infrastructure, symposium
by Neil MacDonald | October 11, 2011
Traditional data loss prevention has been focused on looking for signatures and patterns of sensitive data at rest within the organization and as it moves throughout the organization, including to destinations outside of the enterprise (the latter is where most organizations have started).
<digress> You noticed I didn’t use the term “DLP”. That’s because I believe data loss prevention is just one of many controls that need to be mapped to a broader data lifecycle protection process that I believe is the real “DLP”. I digress – that’s another discussion… </digress>
I had an interesting request from a client a while ago. They wanted to look through all of their file shares for inappropriate data. In their case, an employee had been discovered with dozens of gigabytes of pirated music stored on enterprise servers, which represented a potential legal liability for the organization. The client wanted to search all of their repositories for potentially inappropriate data, such as music files, video files, sexually explicit images and so on. We already have data loss prevention tools that rummage through our systems looking for sensitive data; why not expand this capability to inappropriate data? Taking this further, how about inspecting source code files and scanning these for potentially unlicensed or insecure open source libraries (Palamida, Black Duck and others provide this today as a point solution)?
At the time, none of the data loss prevention tool vendors provided this capability, and I directed the client to the single enterprise third-party tool I was aware of that specialized in detecting inappropriate content.
I don’t see how these use cases are so different that they require different tools. Learn a data pattern or signature and look for it by crawling through data repositories. Could be sensitive, could be unlicensed, could be inappropriate: same problem. (One practical point: a scan for inappropriate files should key on file content, such as format signatures, rather than on file extensions, which are trivially renamed.) It seems like a security no-brainer for data loss prevention tools to evolve to support the use case of identifying potentially inappropriate data usage in addition to sensitive data usage.
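As an added example (not a capability of any data loss prevention product), the following crawler applies both kinds of signature in one pass: file-format magic numbers for media files, and a regex plus Luhn check for payment card numbers. The file share it scans is constructed in a temporary directory, including a music file renamed to look like a document.

```python
"""One crawler, many signatures: sensitive data and inappropriate content alike.

Added example for this post, not a feature of any data loss prevention product.
The file share it scans is constructed in a temporary directory. Magic numbers
are the standard format signatures; the card-number check is a regex plus a
Luhn checksum to cut false positives on arbitrary digit runs.
"""
import re
import tempfile
from pathlib import Path

# Content signatures: name -> (offset, bytes). Checking bytes rather than the
# extension means a renamed music file is still found.
MAGIC = {
    "mp3": (0, b"ID3"),
    "jpeg": (0, b"\xff\xd8\xff"),
    "mp4": (4, b"ftyp"),
}
# 13 to 16 digits with optional space/dash separators: candidate card numbers.
CARD_RE = re.compile(rb"\b(?:\d[ -]?){12,15}\d\b")
MAX_TEXT_SCAN = 1_000_000   # bound the pattern scan per file


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(path: Path) -> list:
    """Labels for one file: 'media:<type>' and/or 'sensitive:card-number'."""
    labels = []
    with open(path, "rb") as fh:
        head = fh.read(16)
        fh.seek(0)
        data = fh.read(MAX_TEXT_SCAN)
    for name, (offset, sig) in MAGIC.items():
        if head[offset:offset + len(sig)] == sig:
            labels.append(f"media:{name}")
    for match in CARD_RE.finditer(data):
        digits = re.sub(rb"[ -]", b"", match.group()).decode("ascii")
        if luhn_ok(digits):
            labels.append("sensitive:card-number")
            break
    return labels


def crawl(root: Path) -> dict:
    """Walk a repository and return {relative path: labels} for every file."""
    return {p.relative_to(root).as_posix(): classify(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_sample_share(root: Path) -> None:
    """Constructed sample data: one Luhn-valid card number, one Luhn-invalid
    digit run, an MP3, the same MP3 renamed to look like a document, and a JPEG."""
    (root / "hr").mkdir()
    (root / "hr" / "payroll.txt").write_text("card on file: 4111 1111 1111 1111\n")
    (root / "hr" / "notes.txt").write_text("ticket 1234 5678 9012 3456 is not a card\n")
    mp3 = b"ID3\x03\x00" + b"\x00" * 64
    (root / "music.mp3").write_bytes(mp3)
    (root / "report.docx").write_bytes(mp3)
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)


def scan_sample_share() -> dict:
    """Build the constructed share, crawl it, and return the labels found."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_share(root)
        return crawl(root)


if __name__ == "__main__":
    for rel, labels in scan_sample_share().items():
        print(f"{rel:20} {labels}")
```

The crawl loop does not care which signature table it is matching against; swapping or extending the tables is the whole difference between “find cardholder data” and “find pirated music”, which is the point of the post.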
Category: Information Security Next-generation Security Infrastructure Security Intelligence Tags: Defense-in-Depth, Information Security, Next-generation Security Infrastructure, Security No-Brainer
by Neil MacDonald | September 29, 2011
I’ve made it a point over the past 6 months to ask clients if they are combining their endpoint protection platform contracts across desktops, laptops and servers. In most cases (about 75%), the answer is yes – contracts are being combined in order to reduce complexity and costs.
Is protecting a desktop different than a laptop? Yes.
Is protecting a server different than a desktop or laptop? Yes
However, does this mean that we need a different vendor, product and console for each of these? Or, is it better to use a consistent set (palette) of controls to pick and choose from and just choose a different mix to protect different types of endpoints based on their needs? For example:
- All desktops and laptops need AV. Some servers need AV (general purpose file servers) and most organizations require AV on all Windows servers by policy.
- Application Control is more easily applied to servers which tend to be more static. However, some fixed desktop scenarios are well-suited to application control (e.g. call centers) and leading application control vendors are innovating in how they manage trusted change in desktop scenarios.
- Host firewalling is important to both, but tends to be more valued on laptops that move out from behind perimeter protection. Servers in the data center behind fixed firewalls may not need this at all.
- Deep packet inspection based host-based intrusion prevention (HIPS) is of value to both desktops and servers, but the ‘virtual patching’ capabilities of this style of protection tends to be more valued on servers that can’t be patched as frequently.
- Rules-based HIPS tends to be used more on servers, where rules about normal application behavior are more easily defined.
- Behavioral HIPS tends to be used more on laptops and desktops to augment traditional signature-based AV and protect from zero-day attacks because these devices routinely deal with arbitrary code. This isn’t as important on servers as they don’t routinely deal with arbitrary code and organizations don’t want to risk an occasional false positive.
- Servers are great candidates for file integrity monitoring. Few desktops will use file integrity monitoring, but I’ve had clients with desktops that fell in scope of PCI where they used file integrity monitoring on their desktops.
- Laptops are great candidates for full drive encryption, but some fixed desktop and server scenarios make sense for full drive encryption as well.
The set (palette) of controls is the same: AV, firewall, HIPS, FIM, application control, encryption and so on, working together as a system. You pick and choose which controls are used and which policies are enforced based on the endpoint (desktop, laptop, server and, increasingly, mobile devices) and its usage scenarios. Think of the information security professional as an artist with a palette of colors/controls.
Do we need a different product/vendor/console for server security versus desktop security? Or a single product/vendor/console with the ability to pick and choose the appropriate controls and policies?
How does your organization handle this?
Category: Beyond Anti-Virus Endpoint Protection Platform Next-generation Security Infrastructure Tags: Adaptive Security Infrastucture, Beyond Anti-Virus, Defense-in-Depth, Endpoint Protection Platform, Lockdown, Next-generation Security Infrastructure, Reducing Complexity, Reducing Cost, Windows