Security Guidance and its “Specificity Knob”
While speaking at a conference out west an interested attendee challenged me: “You said I should make my security standards as specific as possible, but the other speaker said, ‘Keep them general’, what gives?” This type of exchange happens all too often in the software security space these days. I could do a piece on that alone, but instead, I’ll address the challenge.
The confusion stems from two competing goals driving standards creation: 1) providing useful security know-how that benefits developers and 2) obtaining ‘coverage’ of all the security concepts, technology stacks, and development/deployment platforms your organization uses. To be useful to developers–to truly change the way they behave when “Their butt hits the seat in front of their compiler”—one has to speak their language. Developers speak and write code. Documents like security policy, tend to be written by Corporate Security, or worse: lawyers. These groups speak and write legalese. There’s a big difference and it’s easily detected: one usually comes in 12pt. Courier.
Your objective: answering questions about how to do things right for developers by showing them the right way… while leaving enough flexibility and room in the guidance for them to remain creative and solve the business problems their application was intended to.
Writing technology-specific guidance engages Security Architects in helping directly solve Developer problems. Rather than specifying “Do not allow direct access to Servlets by name” (a decent agnostic standard, when used in concert with others) show them how:
——
Using Struts, map an impossible-to-assign role, such as noaccess to every Servlet but one–a single front controller–that mediates access to your other Action Servlets like this:
<web-resource-collection>
<web-resource-name>Application</web-resource-name>
<url-pattern>/functionality</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>noaccess</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>DIGEST</auth-method>
</login-config>
<security-role>
<role-name>noaccess</role-name>
</security-role>
Place all Action Servlets in a single directory, for ease of maintenance (/functionality in the example above). Demand authentication prior to access to the single front controller and delegate actions from that Servlet.
——
Alternatives may be necessary. For instance, while the standard prescribes lumping functionality in one directory–that may not be possible. For those cases, the standard should describe how extension based url-patterns can aid in casting the broadest net possible.
Standards, at this level, should always state a preference however. The worst offense of failing to do so is nearly every J2EE book’s discussion of both declarative and programmatic means of authorization without indicating which should be used when.
Next week I’ll move on and discuss detailed, technology-specific security guidance in more detail, but first I would like to recognize the value less specific guidance provides. Detailed, technology-specific guidance requires significant time and effort to produce. Such guidance is perishable and becomes useless as you upgrade or update your technology stack. Technology agnostic guidance, or guidance kept at the level of security concepts insulates you a bit more. Organizations should certainly start with this level of guidance, getting coverage over the broad array of security topics needed to educate their developers before diving down a rabbit hole and writing technology-specific guidance.
In other words, one level of guidance does not replace the other. Instead, less specific guidance serves as safety net underneath the more specific, catching inquiring minds when the specific guidance hasn’t been written yet or when it doesn’t apply (as often happens when a team faces constraints like deploying an old version of Tomcat).
I hope, however, that in the meantime I’ve shown an example of how being technology-specific, code-centric, and detailed about standards can engage security folk in development, engage Developers in their own language, and actually push projects forward more quickly by making hard security decisions for them. This is just one of the activities your Security Architects can undertake when they parachute into development teams… a concept I introduced in my blog entry on research in the 50’s.
Technorati Tags: software security
May 23rd, 2007 at 9:58 am
Your point about the “perishability” of such prescriptive checklists does make the adoption of such a program fairly high maintenance. Nothing wrong with that, but expectations should be set early that this would not be a fire and forget type of program, but rather an ongoing investment.
May 23rd, 2007 at 10:47 am
Dave,
You correctly emphasize the Level of Effort (LoE) associated with such standards. This isn’t one of those “Duh, it’s simple, just get off your butt and do it” things. Technology-specific standards require at least a dedicated staff of one and help from others distributed throughout the organization. That means commitment.
Dave speaks from experience, by the way. His organization does an outstanding job of making sure that both security and development folk have knowledge about critical vulnerabilities and emerging best practices from the industry at large.
From my perspective, obtaining critical mass of an initial set of standards requires the most LoE. Neither Developers nor Security Analysts will “come and get it” if when they initially explore they only find sparse and/or superficial guidance. I recommend building (or buying) a critical mass. What to tackle first? Well, what problems do you find most often when you assess your organization’s applications?
Once your organization obtains critical mass, I suggest using a distributed work-force for continued standard development and update. Your Security Analysts (conducting application reviews), Security Architects (helping out with secure design), and even savvy Developers (who might have created a nifty way around session forgery for their own use) all represent exceptional sources of new standards to be folded in. Whether or not the security group “buys back” the time these people spend developing standards depends on specifics of your org.
If you successfully create an environment of contribution, that one dedicated resource I prescribed should be responsible for coordinating, collecting, editing, vetting, and distributing standards. This person acts like an Editor in Chief of standards and may involve an editorial board of internal and/or external reviewers. Certainly, including Development Champions who can vouch for the practicality of given guidance aides in reception of and buy-in for standards.
What do you guys think out there?
-jOHN