Introduction

This document details an enterprise level strategy for approaching security assessment to enable assurance regarding the achievement of specific security objectives. The security assessment framework applies across all assessment methods, namely examination, interviewing and testing.

Testing is the process of exercising one or more assessment objects under specific conditions to compare actual and expected behaviors. Examination includes checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objects to facilitate understanding, achieve clarity, or obtain evidence.

Interviewing involves conducting discussions with individuals or groups within an organization to facilitate understanding, bring clarity, or identify the location of an evidence. The underlying significance of security assessments depend on the level of maturity an organization practices. Assessment results are used to determine security control effectiveness over time.

In the absence of an overarching strategy to approach security assessment, organizations adopt ready to use methodologies and techniques to cater to ongoing security assessment tasks. This can create gaps, as the approach is not aligned to the business requirements and decision-making processes of organizations.

Objectives and principles

A Security Testing Framework, developed for Wipro’s internal consumption, achieves the following objectives:

• Model security threats, profile security risk, and enable security control recommendations.
• Identify vulnerability and security exposure/weaknesses in applications and underlying infrastructure.
• Identify potential security risks associated with enterprise IT assets.
• Establish a standardized, consistent testing methodology.
• Determine the security posture of the organization.
• Assist in establishing security governance to meet security obligations and provide inputs to develop strategic directions for security programs.
• Provide security measures and metrics for the management’s consumption.

Security objectives provide an effective basis for evaluating the capabilities and performance of the security testing framework, along with the solutions and the supporting process used to deliver security testing. Each objective defines a business or technical requirement that is derived based on an organization’s policy, directives or a formal position that can be measured either quantitatively or qualitatively. A security objective that is supported by a risk-based baseline provides a deterministic guideline to select a testing reference model.

Principle

• Provide governance, oversight, risk management, strategic/tactical prioritization, and compliance.
• Provide a risk-based approach to security assessments for enterprise/customer information assets.
• Promote managed and measurable security services and capabilities.
• Provide proactive guidance with reactive capabilities.
• Advocate defence-in-depth.
• Respect and align with enterprise architecture guidelines.

Nuts and bolts of the AppSec framework 

The Application Security Testing Framework derives its guiding principles from NIST RMF and the Cyber Security Framework. The framework’s stratum consists of a classification layer, baseline layer, and a control layer, which enable effective utilization of the existing testing methodology and approach adopted by Wipro.

Figure 1: The Application Security Testing Framework

The Control layer provides the core engine for the application security testing framework. It offfers an industry specific (HIPAA, PCI, ICFR) basis, with a clear structure of cyber security management processes, that are powered by 18 control areas. The Control layers bring in the taxonomy for each function, defining multiple categories and subcategories which an organization can pick and mix, to put together a set of items that correspond to its individual risks, requirements, and expected outcomes. For example, Asset Management within the Identify function is ID.AM, and Response Planning within the Response function is RS.RP. Each category has further subcategories that correspond to appropriate activities. For example, the subcategory of Detection processes are tested under the Detection Processes category and Detect function is identified as DE.DP-3

Listed below are the 18 different controls that fall under NIST SP 800-53. These controls are divided according to their impact scale – low, moderate, and high.

• Access Control
• Audit and Accountability
• Awareness and Training
• Configuration Management
• Contingency Planning
• Identification and Authentication
• Incident Response
• Maintenance
• Media Protection
• Personnel Security
• Physical and Environmental Protection
• Planning
• Program Management
• Risk Assessment
• Security Assessment and Authorization
• System and Communications Protection
• System and Information Integrity
• System and Services Acquisition

Let’s apply the controls to web application security, by analyzing five different functions namely Identify, Protect, Detect, Respond, and Recover in the context of an organization’s existing and planned security activities and risk management processes. Organizations must select categories and sub categories that are relevant to specific needs, and apply them to their security policies in order to ensure sufficient coverage w.r.t the required cyber security activities. 

Identify:

• ID.AM-2: Software platforms and applications within the organization are inventoried.
• ID.RA-1: Asset vulnerabilities are identified and documented.

Protect:

• PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties.
• PR.DS-2: Data -in-transit is protected.
• PR.IP-10: Response and recovery plans are tested.

Detect:

• DE.AE-2: Detected events are analysed to understand attack targets and methods.
• DE.CM-8: Vulnerability scans are performed.

Respond:

• RS.RP-1: A response plan is executed during or after an incident.
• RS.AN-1: Notifications from detection systems are investigated.

Recover:

• RC.RP-1: A recovery plan is executed during or after a cyber security incident.
• RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as the executive and management teams.

The Baseline layer provides the foundation for deterministic security requirements that cater to an organization’s vision, mission, and near and long term goals. This layer imbibes the organization’s policies, standards, and procedures that are developed in-line with its risk appetite, as this module runs as a central theme for security requirements. Each security testing objective determines its definition from a discrete business or technical requirement that is derived from a policy, directive, or a formally stated position of the organization. For example, “A cryptography policy states that application traffic needs to be encrypted in transit and at rest.” The framework determines its testing and remediation guidelines basis the associate standards and procedures for cryptography policies. For instance, for an asset which has data classification of strictly confidential and hosted external facing, it’s mandatory to implement encryption both in transit and at rest. However, for an asset with data classification that is for official use only and hosted as external facing, it’s mandatory to implement encryption in transit and but encryption at rest is good to have. Thus the baseline layer is leveraged as the basis or justification factor for supporting the security requirement to perform the required test procedures as part of the security testing engagement.

The Classification layer receives inputs to understand the scope, purpose, and approach supported by the guiding principles. This layer determines the security solution portfolio, categorizing the projects into enterprise adhered collections for test procedure selection and suggested risk treatment in the course of security testing. 

Classification Module Description

In accordance with the Application Development and Maintenance Policy (ADM 12.04), all Wipro operational systems, systems under development, and systems undergoing major changes are in the scope for Certification and Accreditation (C&A), whether they are hosted in Wipro’s internal infrastructure or hosted by external service providers. For the purpose of this document, we have categorized the systems into the following categories:

• Web Applications – Internet facing applications developed and/or configured under the direction or influence of Wipro (e.g. internally developed sites, externally developed sites, social collaboration platforms, partnership applications, etc.).
• Enterprise Applications – Applications supporting the institution’s business processes (e.g., SAP, PeopleSoft, Treasury applications, etc.) or providing interfaces to those systems.
• Mobile Applications – Applications running or accessed on mobile devices.
• Service – Service offered to Wipro by a cloud service provider (e.g. O365, MS Teams, WebEx, Box, and SurveyMonkey) or application service provider (e.g., Aetna, CVS, Travel Applications, Payroll, American Express Travel, etc.)

The classification layer embeds a risk-based testing approach as part of the overall C&A process performed by CRS. This approach has two key elements- i) Selection of the information security test procedures and supporting documents required to certify the system and ii) Assessment of residual risks from an information security perspective to make an informed decision in order to authorize a system for operation.  The framework requires focus on information security risks that impact the confidentiality, integrity, and availability of the information system in the scope of engagement. While tailoring the procedures to certify the system, various criteria are considered. These include the following risk factors:

• Hosting location of the information system
• Exposure to external entities
• Regulatory/compliance requirements (e.g., ICFR application, HIPAA, PCI assets)
• Information classification

Based on these factors and the category of the system, the approach is tailored on risk and is focused on assessing vulnerabilities at several layers including, operating system, database, and application, where ever applicable. In addition to performing tests at each of the applicable layers based on risk factors and category of system, the C&A team also validates the following:

• Implementation of specific control requirements identified by the security architecture team and agreed by the business;
• Implementation of specific controls (as per the privacy control set) for systems housing PII information; and
• Implementation of specific controls (as per the ICFR control set) for ICFR, PCI, HIPAA, ISO systems.

Conclusion

The Application Security Framework, provides a holistic approach to information security and risk management by providing organizations with the breadth and depth of verifying/validating security controls that are necessary to strengthen information systems and the associated environments. In the digital era, where organizations are still embarking on completely moving to an agile vs DevOps journey, a framework of similar shape and form caters to the workload, leveraging both waterfall/agile/DevSecOps. The Application Security framework is the first steps towards a “Building It Right” strategy coupled with “Continuous Monitoring”, to empower leaders, making ongoing risk-based decisions that affect mission critical assets. The pursuit we aim to resolve is to combine standard based policies that are tailored to business and compliance requirements with enterprise best practices derived for industry specific frameworks, and superimposed with a risk management framework, to deliver effective security testing guidelines that produce repeatable results.

For more information on the application security framework and what it can deliver to your organization, connect with us.

Arun Pillai
DevSecOps Architect, Cybersecurity & Risk Services, Wipro

Arun champions DevSecOps charter for Security Assurance Service within Wipro's Cybersecurity and Risk Services division. He has over 15 years of experience with specialization in the security domain. He has worked and managed projects related to Security Architecture, Secure SDLC, Threat Modelling, Secure Coding, Penetration Testing and Security Consulting.

Arun is an ISC2 Certified Information Systems Security Professional (CISSP) and ISACA's Certified in Risk and Information Systems Control (CRISC). He holds a Master's degree in Information Technology from Sikkim Manipal University of Science & Technology and is a TOGAF certified Enterprise Architect from TheOpenGroup.

Allam Vinodh Kumar
Practice Partner, Cybersecurity & Risk Services, Wipro

A globally recognized Cybersecurity Assurance Evangelist, Vinodh has more than 20 years of experience building, developing, and securing web-based software systems. As a Practice Partner for Cybersecurity & Risk Services at Wipro, his technology teams launch and expand critical application security initiatives and build secure applications and infrastructures, integrating security throughout the development process.