Securing and Modernizing Applications for Texas State Agencies
John Dickson, CISSP; Dan Cornell; Gregory Genung
August 26, 2009

Uploaded by denim-group on 22-Nov-2014

DESCRIPTION

State of Texas Agencies must provide a high level of service, respond to an evolving security landscape and maintain compliance with changing laws and regulations. The urgency of these needs often outweighs the immediate importance of maintaining modern application environments. As a result, agencies often run a variety of applications on insecure and unsupported legacy platforms. Over time, applications become difficult to support and contain a larger number of security flaws. Knowledge of each system also diminishes, making ongoing maintenance more challenging.

Migrating to more modern, secure and sustainable application platforms

This Denim Group-sponsored session, led by Principal and application security expert Dan Cornell, will focus on the following:
• Decision-making to determine which Agency applications need remediation or should be considered for "end of life"
• A risk-based approach to prioritizing applications for updates, remediation and modernization
• Strategies for deploying and maintaining a secure application portfolio in the State of Texas Datacenters

The session is for IT executives, including IRMs, ISOs, Directors of Application Development, and other State IT executives, who would like to take concrete steps toward a comprehensive application portfolio management process.
• Learn the strategies needed to modernize mission critical applications in a secure fashion.
• Get an overview of existing technologies, best practices and competing approaches that will enable you to modernize your most important applications for transition to State of Texas Datacenters.

TRANSCRIPT

Page 1: Securing And Modernizing Applications For Texas State Agencies

John Dickson, CISSP
Dan Cornell
Gregory Genung

August 26, 2009

Page 2: Agenda

• Background
• Introductions
• Problem: Legacy Application Proliferation
• Solution: Secure and Modernize
• Strategies
• Questions
• More Information

Page 3: Denim Group Background

• Privately-held, professional services organization that develops secure software and mitigates risk with existing software
• Trusted partner of numerous State of Texas Agencies
• Development perspective influences all aspects of software security
– All consultants regularly build software systems
– Approach the problem of software security from a developer's viewpoint
• Thought Leaders in Secure Development Practices
– Developed Sprajax – First Open Source AJAX vulnerability scanner
– National speakers at conferences such as RSA
– OWASP National Leaders and Local Chapter

Page 4: Denim Group DIR Contract: DIR SDD 660

IT Security Services
• Risk and Vulnerability Assessment Services
– Application Penetration Testing
– Secure Code Reviews
– Secure Application Development Services
– Commercial Product Assessment
– Data Security Assessment
• External Controlled Penetration Testing
– Application Assessments
• Security Training Services
– Application Security Principles Training

Page 5: Introductions

• Name
• Organization
• Role
• Current Challenges and Desired Takeaways

Page 6: Challenges with Legacy Applications

Page 7: Challenges with Legacy Applications

• Construction
– Targeted at non-web platforms
– Little or no thought of security
– Compliance and governance regimes have come into existence after the application was originally built
• Management
– State of the industry has advanced
– Older technologies lack modern management and monitoring capabilities
– Multiple platforms, multiple technologies
• Skill sets and knowledge
– Talent pool is shrinking for legacy platforms and languages
– Little or no knowledge of application requirements

Page 8: Opportunity

Page 9: Opportunity

• Piggyback on data center migration to accomplish complementary goals
• Move to supported platforms
• Where appropriate and convenient, combine applications
• Bring applications back to life
• Build security in
• Allow for management and monitoring

Page 10: Process

• Enumerate
• Classify
• Plan
• Remediate

Page 11: Enumerate

Page 12: Enumerate

• What applications are you running?
– How many instances?
• Do you have the source code?
• Do you have documentation?
• Who owns the applications?
• What are the politics of remediating the application?

Page 13: Classify

Page 14: Classify

• What sort of data does the application manage?
– PII
– PHI
– Credit cards
– Information about minors
– Criminal background information
• What technologies and platforms are in use?
• Which applications are considered "mission critical"?
• What is the volume and value of transactions?
• How many and what types of users?

Page 15: Plan

Page 16: Plan - Portfolio

• Prioritize based on risk and value
• Walk before you run – drive risk out of the process
• Craft an organizational framework for remediated applications
• Are there other mandates?
– "Drop dead" dates tied to budgets
• Opportunities for data sharing and business intelligence
• Processes and technologies for modern development
– Continuous integration
– Automated testing
– Agile development

Page 17: Plan - Application

• Different approaches
– Migrate to data center as-is
– Remediate existing application
– Remediate via automated conversion
– Remediate via rewrite
• Determine security and compliance requirements from the outset
– World today is different than when applications were originally created
• Data center performance requirements
• Accessibility requirements
• How will you test the final application?
– Automated testing has made great strides – xUnit, QASL
• Who will own and manage the application after it is remediated?

Page 18: Migration

Page 19: Migrate As-Is

• Low cost / high risk
• May require an exception from datacenter
• Potential for reduced/no support
• Application issues still exist
– Security, quality, maintainability, compliance, accessibility, performance
• "We plan to 'end-of-life' this application"
– Really? For how long?

Page 20: Remediate Existing Application (Upgrade)

• Upgrade platform version
– JDK or .NET version, application server version
– May be required for support in the datacenter
• Address security vulnerabilities and functionality that is non-compliant
• Use automated tools and automated functional tests as a guide
– Sets a standard for personnel doing remediation
• Refactor to increase quality and maintainability
• Incrementally adopt best practices
– Create automated tests
– Start continuous integration
– Secure coding standards for all new code
– Instrument for monitoring

Page 21: Remediate via Automated Conversion

Page 22: Remediate via Automated Conversion

• Automated conversion from one platform to another
– Example: PowerBuilder to Java
• Pro: ostensibly keeps business logic intact
• Makes for a great science project, reality can be disappointing
– Architectural issues, performance issues, security issues
• Depending on amount of business logic, you may be better off rewriting

Page 23: Remediate via Rewrite

Page 24: Remediate via Rewrite

• Use the original application as the specification
– Minimizes the riskiest part of an application development project (requirements)
– Use both source code and a running application – static and dynamic
– Relies heavily on communication with users
• Provides greatest opportunity for a truly "modern" application
• Get the most benefit from security, quality and maintainability tools
– Much easier to use from the outset of a project than to bolt on later
• How much business logic has to be rewritten?
– What do you lose during the rewrite? Depends on type of software
– Line of business applications often less challenging than system software

Page 25: Remediation Strategy

• Execution is key
– Clearly communicate goals, standards and priorities
• Beware bottlenecks
– User acceptance testing
– Actual deployment into data center
• Data generation – where does test data come from?
• Data migration early for legacy data
– Do not want to be surprised later

Page 26: Questions

Page 27: For More Information

Denim Group
DIR Contract: DIR-SDD-660
(210) 572-4400
Web: www.denimgroup.com
Blog: denimgroup.typepad.com

John Dickson, CISSP
[email protected]
@johnbdickson

Dan Cornell
[email protected]
@danielcornell

Gregory Genung
[email protected]
@ggenung