Hello Andy,
> Once an application is released or put into production, what are
> organizations doing to keep the applications secure? As new
Some organizations purchase web application security scanners and perform periodic scanning (this could be done by the SOC) or use a service such as whitehatsec to perform continuous application-level scanning. It usually boils down to company resources, finding qualified people to configure/run a tool, and/or budget.
If you're using a service, ideally they should be identifying the false positives and removing them from your reporting. If you're using a tool, you'll need someone qualified to be able to identify whether an issue is real or not and remove it.
For the sake of saying it: no tool can find all issues, and a human/tool combination is really required. Tools do very poorly at logic flaws, which are often the most damaging.
For more critical applications (dealing with Personally Identifiable Information) or those dubbed risky, one-off deep-dive pen tests may be needed in addition to continuous scanning/monitoring. This will depend on frequency of application changes, budget, and resources.
> vulnerabilities and classes of exploits are released, how is that
> information being fed back to developers so they can update/patch in
> the software. At the network most organizations have a Network
After the scanning is performed, typically you'll have an assigned security resource (this could even be a QA/dev person, depending on available resources) that files tickets with development (if this process isn't automated) to address each issue and owns the responsibility to follow up on each discovery. Remediation timelines will vary depending on the flaw, and unless there is a policy/management buy-in of some sort, forcing development to fix things in a given timeframe may be difficult. It is important to iron out the process regarding false positive identification; otherwise development will take you less seriously when an issue is filed.
> Is there a formal method other than reacting to incidents? Is there a
Yes, by proactively monitoring and testing your applications for 'security defects' (pen testing/security assessments).
> sort of Operations or Intelligence cell that proactively finds and
> processes new information and feeds that info back to the design and
> development teams so they can update the software?
>
It is important to note that development people aren't security people and they never will be (no matter how much the security people want them to be). Sure, they will get better and stop making certain mistakes over time, but most developers aren't monitoring the usual security outlets for the latest threats to see if their code may be affected. It is typically the job of a security team (local, service, or SOC) or auditing team (regarding compliance, e.g. PCI/SOX) to ensure that a given application is reviewed against the latest threats at the time of the evaluation. Depending on your setup, a SOC may handle monitoring/incident response and scanning.
Hope this helps.
Regards,
- Robert
http://www.cgisecurity.com/ Application Security news and more
http://www.webappsec.org/ The Web Application Security Consortium
http://www.qasec.com/ Software Security Testing
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___