2.3.1 Software Engineering Teams
Responsible for the development of the applications that will be subject to testing when a bug bounty program is established.
2.3.2 Security Departments (Security Operations, Fraud Prevention, Governance/Risk/Compliance, Edge Controls, Vulnerability Management, Endpoint Detection, and Response)
The various subteams that make up the core of the security function; their composition varies widely depending on the structure of the organization.
2.3.3 Infrastructure Teams
Responsible for the organization's backbone: the systems that host the applications and other assets that stakeholders, users, and customers rely on.
Application security managers may have to communicate with the legal department if malicious activity is noted. Therefore, managers should have close relationships with legal representatives.
2.3.5 Communications Team
Depending on the structure of the organization, social media marketing may be handled by the communications or marketing teams. Researchers may reach out via social media to disclose vulnerabilities, and application security managers should be aware of this and adequately prepare the responsible team.
It’s crucial to keep in mind that the answers to some of the questions covered in this section may be trivial. If they are already known, that’s absolutely fantastic! When the answers are not known, future program managers may be able to find them out without disrupting the team or its work. Managers should make an effort to be cordial and responsive to concerns or pushback. It’s always better to know than to assume: operating in a presumptuous way can open the door to security issues or ineffective vulnerability management processes. In reality, the questions that follow are to be used as a baseline and not as a full representation of an enterprise risk management guide.
During the process of identifying risk, application security managers will find that many other questions arise – that’s great! Ask them! Operating in a way that creates a dialogue between the various teams and application security is a great first step toward building rapport and trust. Maintaining trust is an essential part of securing the organization, as it is impossible to remediate vulnerabilities if other teams do not trust the remediation techniques that the application security team will put in place. While it may not initially be possible to understand how every single team works together, application security is most effective when an application security manager can envision the macro view of enterprise security. In addition, application security managers should avoid siloing themselves off and becoming “unreachable.” The resolution of vulnerabilities can occur twice as fast if managers know the other major players and innovators within the organization. Here are some questions that can be asked, with explanations of why these questions should be answered.
2.5 Software Engineering
2.5.1 Which Processes Are in Place for Secure Coding? Do the Software Engineers Understand the Importance of Mitigating the Risks Associated with Vulnerable Code?
Once again, application security managers should never assume that engineers have a working knowledge of secure coding. The best way to achieve enterprise security is to understand the way software engineers build, and to assist in establishing best practices. No organization is perfect. Therefore, it will take time to work with all of the teams that exist in the enterprise. Secure coding platforms such as Checkmarx Codebashing (https://www.checkmarx.com/products/codebashing-enterprise-application-security-training) and security awareness incentives such as hacking demos, security riddles, and other fun educational events can help break down any barriers that may exist between application security and software engineering.
2.5.2 How Effective Are Current Communication Processes? Will Vulnerabilities Be Quickly Resolved If Brought to Their Attention?
An evaluation of communication processes and vulnerability remediation expectations will develop over time. The question of effective communication and resolution isn’t one to ask software engineering teams directly, but it is a matter that should be carefully documented and reevaluated when more data is available.
2.5.3 Is the Breadth of Our Enterprise’s Web and Mobile Applications Immense? Which Processes Are Engineers Using for Development in the Software Development Lifecycle?
In summary, managers should identify how many applications exist and what the software development lifecycle (SDLC) looks like. Preventing vulnerabilities starts with implementing adequate application security processes beforehand.
2.6 Security Departments
2.6.1 How Does Security Operations Manage Incidents? Will Employee Assistance Be Provided from the Security Operations Team If a Threat Actor Manages to Exploit an Application Vulnerability? Which Tools Do They Have in Place?
Incidents are inevitable for any growing organization, and an incident that affects only a security operations team, or only an application security team, is unrealistic. Application security managers will have to bridge the communication gap between engineers and management on both teams to collaborate on investigations. Establishing thorough processes for an application incident that ends up affecting both teams (such as a client-side web application exploit that turns into a server-side exploit) isn’t negotiable. Transparency in incident resolution should be maintained between both teams. Application security managers should know what forensic tools, logging solutions, and endpoint detection and response (EDR) tools exist within the enterprise. Many of the tools owned by other security teams can greatly benefit the application security team during investigative or prevention processes. Team collaboration fosters a shared-ownership mindset toward security instead of a reluctance to provide assistance.
2.6.2 What Does the Fraud Prevention Team Do to Prevent Malicious Activities? How Many Occurrences Do They See of Issues such as Account Takeover, and Could They Potentially Create Application Vulnerabilities?
If a fraud team exists within the enterprise, application security will have a great deal of collaboration work to do. For example, the aspects of security that the fraud team focuses on are important areas of review for application security as well. If the fraud team sees instances of account takeover, application security engineers will have to brainstorm prevention methodologies for the login page logic. Alternatively, if the fraud team starts to see a giant spike in gift card purchases, application security may have to review the security of the gift card purchase and redemption pages to ensure that vulnerabilities do not exist. The possibilities are endless.
2.6.3 Are There Any Compliance Practices in Place and, If So, How Do They Affect the Vulnerability Management Process? What Does the Application Security Team Have to Do to Assist in Enterprise Compliance?
Compliance teams within the organization will have to review third-party security relationships as well as internal security compliance. Application security managers should understand the processes to best help in evaluating and remediating risks that may affect adequate compliance.
2.6.4 What Edge Tooling Is in Place to Prevent Attacks? Are Any of the Enterprise Applications at Risk of Being Exploited due to an IoT (Internet of Things) Device?