This document details an enterprise-level strategy for approaching security assessment so that assurance can be obtained about the achievement of specific security objectives. The security assessment framework applies across all assessment methods, namely examination, interviewing and testing.
Testing is the process of exercising one or more assessment objects under specific conditions to compare actual and expected behaviors. Examination includes checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objects to facilitate understanding, achieve clarity, or obtain evidence.
Interviewing involves conducting discussions with individuals or groups within an organization to facilitate understanding, bring clarity, or identify the location of evidence. The underlying significance of security assessments depends on the level of maturity an organization practices. Assessment results are used to determine security control effectiveness over time.
In the absence of an overarching strategy for approaching security assessment, organizations adopt ready-to-use methodologies and techniques to cater to ongoing security assessment tasks. This can create gaps, as the approach is not aligned to the business requirements and decision-making processes of the organization.
Objectives and principles
A Security Testing Framework, developed for Wipro’s internal consumption, achieves the following objectives:
Security objectives provide an effective basis for evaluating the capabilities and performance of the security testing framework, along with the solutions and the supporting processes used to deliver security testing. Each objective defines a business or technical requirement that is derived from an organization's policy, directives or a formal position, and that can be measured either quantitatively or qualitatively. A security objective that is supported by a risk-based baseline provides a deterministic guideline for selecting a testing reference model.
Nuts and bolts of the AppSec framework
The Application Security Testing Framework derives its guiding principles from the NIST Risk Management Framework (RMF) and the NIST Cybersecurity Framework. The framework's strata consist of a classification layer, a baseline layer, and a control layer, which together enable effective use of the existing testing methodology and approach adopted by Wipro.
Figure 1: The Application Security Testing Framework
The Control layer provides the core engine for the application security testing framework. It offers an industry-specific (HIPAA, PCI, ICFR) basis, with a clear structure of cyber security management processes, powered by 18 control areas. The Control layer brings in the taxonomy for each function, defining multiple categories and subcategories which an organization can pick and mix to put together a set of items that correspond to its individual risks, requirements, and expected outcomes. For example, Asset Management within the Identify function is ID.AM, and Response Planning within the Respond function is RS.RP. Each category has further subcategories that correspond to appropriate activities. For example, the subcategory "Detection processes are tested", under the Detection Processes category of the Detect function, is identified as DE.DP-3.
Listed below are the 18 different controls that fall under NIST SP 800-53. These controls are divided according to their impact scale: low, moderate, and high.
Let's apply the controls to web application security by analyzing five different functions, namely Identify, Protect, Detect, Respond, and Recover, in the context of an organization's existing and planned security activities and risk management processes. Organizations must select the categories and subcategories that are relevant to their specific needs and apply them to their security policies in order to ensure sufficient coverage with respect to the required cyber security activities.
The Baseline layer provides the foundation for deterministic security requirements that cater to an organization's vision, mission, and near- and long-term goals. This layer incorporates the organization's policies, standards, and procedures, which are developed in line with its risk appetite, and runs as the central theme for security requirements. Each security testing objective derives its definition from a discrete business or technical requirement that comes from a policy, directive, or formally stated position of the organization. For example: "A cryptography policy states that application traffic needs to be encrypted in transit and at rest." The framework then determines its testing and remediation guidelines from the standards and procedures associated with that cryptography policy. For instance, for an asset with a data classification of strictly confidential that is hosted external-facing, it is mandatory to implement encryption both in transit and at rest. However, for an asset with a data classification of for official use only that is hosted external-facing, it is mandatory to implement encryption in transit, but encryption at rest is good to have. Thus the baseline layer is leveraged as the basis, or justification factor, for supporting the security requirement to perform the required test procedures as part of the security testing engagement.
The Classification layer receives inputs to understand the scope, purpose, and approach supported by the guiding principles. This layer determines the security solution portfolio, categorizing projects into enterprise-adhered collections for test procedure selection and suggested risk treatment in the course of security testing.
Classification Module Description
Strategic and Enterprise level (Tier 1)
Provides a high-level architectural definition that describes the logical areas of security testing services and capabilities involving development/maintenance activities, mergers and acquisitions, or compliance with regulatory requirements and domestic and/or international legislation. This involves enterprise-wide testing efforts to measure the security posture of applications and infrastructure at a point in time, and to provide support to strategic initiatives/roll-outs and security direction. For example, an IDAM program to enable BYOD (e.g. MDM products) in multiple business functions reflects a potential organization-wide change. Results from penetration testing would identify the security posture change of the modified component, which would be compared to the existing security posture in order to determine the effects of such changes.
Business and Process level (Tier 2)
Provides the architectural basis to define business-specific security testing services and capabilities that involve ongoing development activities for operational systems (MyWipro, HR, Finance, etc.) and vendor solutions supporting daily operations, business and support functions. This involves business-wide testing efforts to measure, on a periodic and ongoing basis, the security posture of the applications and infrastructure supporting business functions and of the suppliers supporting the respective business processes. For example, security testing will be conducted on a regular basis on various infrastructure and applications supporting Wipro business functions such as the MyWipro portal. The testing will be unannounced and will be used to determine the security health of the fleet. The supplier/support function is then required to remediate any identified issues within the set timeframes. IRMC will track remediation activities after testing has occurred.
Tactical, Solution and Project level (Tier 3)
Provides the architectural definition for project- and technology-level security testing services and capabilities that involve new development/maintenance activities for Wipro external/internal customer projects, or compliance with regulatory requirements as per the business rule book definition for the end customer. This involves supporting security testing for Wipro's internal/external customers operating from Wipro's ODC setups, to identify security vulnerabilities in new or existing applications and infrastructure before changes are released into the production environment. For example, a Wipro external customer project team wants to deploy an internet-facing system enhancement or application. Before the project goes "live", security testing will be undertaken to identify any potential security exposures, which are remediated before deployment into production.
In accordance with the Application Development and Maintenance Policy (ADM 12.04), all Wipro operational systems, systems under development, and systems undergoing major changes are in scope for Certification and Accreditation (C&A), whether they are hosted in Wipro's internal infrastructure or by external service providers. For the purpose of this document, we have grouped the systems into the following categories:
The classification layer embeds a risk-based testing approach as part of the overall C&A process performed by CRS. This approach has two key elements: i) selection of the information security test procedures and supporting documents required to certify the system, and ii) assessment of residual risks from an information security perspective, to make an informed decision on whether to authorize a system for operation. The framework requires focus on the information security risks that impact the confidentiality, integrity, and availability of the information system in the scope of the engagement. While tailoring the procedures to certify the system, various criteria are considered. These include the following risk factors:
Based on these factors and the category of the system, the approach is tailored to risk and is focused on assessing vulnerabilities at several layers, including the operating system, database, and application, wherever applicable. In addition to performing tests at each of the applicable layers based on the risk factors and the category of the system, the C&A team also validates the following:
The Application Security Framework provides a holistic approach to information security and risk management by giving organizations the breadth and depth of verification/validation of the security controls necessary to strengthen information systems and their associated environments. In the digital era, where organizations are still embarking on a complete move to an agile or DevOps journey, a framework of this shape and form caters to the workload whether delivered through waterfall, agile, or DevSecOps. The Application Security Framework is the first step towards a "Building It Right" strategy, coupled with "Continuous Monitoring", that empowers leaders to make ongoing risk-based decisions affecting mission-critical assets. Our aim is to combine standards-based policies tailored to business and compliance requirements with enterprise best practices derived from industry-specific frameworks, superimposed with a risk management framework, in order to deliver effective security testing guidelines that produce repeatable results.
For more information on the application security framework and what it can deliver to your organization, connect with us.
DevSecOps Architect, Cybersecurity & Risk Services, Wipro
Arun champions DevSecOps charter for Security Assurance Service within Wipro's Cybersecurity and Risk Services division. He has over 15 years of experience with specialization in the security domain. He has worked and managed projects related to Security Architecture, Secure SDLC, Threat Modelling, Secure Coding, Penetration Testing and Security Consulting.
Arun is an ISC2 Certified Information Systems Security Professional (CISSP) and holds ISACA's Certified in Risk and Information Systems Control (CRISC). He holds a Master's degree in Information Technology from Sikkim Manipal University of Science & Technology and is a TOGAF certified Enterprise Architect from The Open Group.
Allam Vinodh Kumar
Practice Partner, Cybersecurity & Risk Services, Wipro
A globally recognized Cybersecurity Assurance Evangelist, Vinodh has more than 20 years of experience building, developing, and securing web-based software systems. As a Practice Partner for Cybersecurity & Risk Services at Wipro, his technology teams launch and expand critical application security initiatives and build secure applications and infrastructures, integrating security throughout the development process.