That’s an easy question to ask, but a very difficult one to answer. I’m going to write two articles on this topic. This, the second one, is about assuring the security of an application. The first one was about what security we want in an application.
Security assurance for an application is evidence, of some kind, that it is secure: grounds for believing it, rather than a guarantee.
An application builder may want assurance of its security for their own benefit (to improve the application). Other parties (buyers or users of the application) may want assurance before trusting the application with their data.
Assurance can come from several sources:
- From the way the application was developed. If the application was developed in a rigorous way by highly qualified people, perhaps it is more secure. Unfortunately it is difficult to find any definite link between the way an application is developed and how secure it is. There are several maturity models for application security, among them ISO/IEC 21827 (the SSE-CMM, which defines five maturity levels) and the OpenSAMM model produced by OWASP (which defines three). I am not aware of any organisation having adopted ISO 21827, but several have adopted OpenSAMM (including Capgemini).
- From an analysis of the design or code of the application. You can do this manually, but there are now software tools such as HP Fortify that examine your code automatically. Manual analysis is very effective if done by an expert, but also very expensive. Automated analysis finds a lot of generic vulnerabilities, but it also produces a lot of false positives, so you need expertise to interpret what the tools say; and it is largely blind to flaws in the application's own business logic, for which no generic rule exists.
- From testing the application. Testing can also be expensive. Normal testing is intended to show that the application does what was expected when the user acts as expected; it is not very good at finding vulnerabilities, which usually come from inputs nobody expected. Penetration testing is specialised testing that does just that: it attempts to exercise known classes of vulnerability in order to detect their presence. Much of penetration testing (vulnerability scanning in particular) can be automated, so it can be reasonably cost effective, although the automated part finds only known, generic weaknesses; logic flaws still need a skilled tester.
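As an added illustration of the point about automated code analysis above (this is example code written for this article, not a tool or code from the original page, and it is not how HP Fortify works internally; the sample source it scans is constructed, and the rule it applies is deliberately simple), here is a tiny static check built on Python's standard `ast` module. It flags calls to a SQL sink whose query string is built dynamically. A naive version of the rule also flags a harmless concatenation of two string literals, which is exactly the kind of false positive a slightly smarter rule, or a human reviewer, has to weed out:

```python
import ast
from typing import List, Tuple

# Constructed sample code "under review" for this example; it is not from any real project.
SAMPLE_SOURCE = '''
def lookup_user(cursor, username):
    # True positive: untrusted input is concatenated into the SQL string
    cursor.execute("SELECT * FROM users WHERE name = '" + username + "'")

def count_admins(cursor):
    # False positive for a naive rule: both operands are string literals
    cursor.execute("SELECT COUNT(*) FROM users " + "WHERE role = 'admin'")

def lookup_user_safe(cursor, username):
    # Safe: parameterised query, the database driver does the quoting
    cursor.execute("SELECT * FROM users WHERE name = %s", (username,))
'''

# Method names treated as SQL sinks (assumption: DB-API style cursor objects).
SINK_NAMES = {"execute", "executemany"}


def _is_sql_sink(call: ast.Call) -> bool:
    """True for calls of the form <something>.execute(...) / .executemany(...)."""
    return isinstance(call.func, ast.Attribute) and call.func.attr in SINK_NAMES


def _builds_string_dynamically(node: ast.AST) -> bool:
    """True if the query expression is a concatenation, an f-string or a .format() call."""
    if isinstance(node, (ast.BinOp, ast.JoinedStr)):
        return True
    return (
        isinstance(node, ast.Call)
        and isinstance(node.func, ast.Attribute)
        and node.func.attr == "format"
    )


def _only_literals(node: ast.AST) -> bool:
    """True when every leaf of the expression is a constant string (no variables involved)."""
    if isinstance(node, ast.Constant):
        return isinstance(node.value, str)
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return _only_literals(node.left) and _only_literals(node.right)
    if isinstance(node, ast.JoinedStr):
        return all(isinstance(v, ast.Constant) for v in node.values)
    return False


def scan(source: str, suppress_literal_only: bool) -> List[Tuple[str, int]]:
    """Return (enclosing function, line) for every SQL sink fed a dynamically built query.

    With suppress_literal_only=False this is the naive rule: any concatenation is reported.
    With suppress_literal_only=True concatenations made purely of literals are dropped,
    which removes one class of false positive without touching the real finding.
    """
    tree = ast.parse(source)
    findings: List[Tuple[str, int]] = []
    for func in ast.walk(tree):
        if not isinstance(func, ast.FunctionDef):
            continue
        for node in ast.walk(func):
            if not (isinstance(node, ast.Call) and _is_sql_sink(node) and node.args):
                continue
            query = node.args[0]
            if not _builds_string_dynamically(query):
                continue  # plain literal or a variable: nothing this rule can say
            if suppress_literal_only and _only_literals(query):
                continue  # concatenation of constants only: not injectable
            findings.append((func.name, node.lineno))
    return findings


if __name__ == "__main__":
    for label, strict in (("naive rule", False), ("refined rule", True)):
        print(label)
        for func_name, line in scan(SAMPLE_SOURCE, strict):
            print(f"  line {line}: dynamic SQL in {func_name}()")
```

The naive rule reports two findings; only one is a real vulnerability. Real tools apply far more sophisticated data-flow rules than this, but the shape of the problem is the same: every rule is a generic approximation of "untrusted data reaches a dangerous place", and someone with expertise still has to decide which of the reports matter for this application.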
Do any of these guarantee security? No. They tell you something about your application's security, and may increase your confidence in it, but the devil is in the detail. If someone did a code review, what was their expertise? How long did they have for the review? What did they find, and what was done about it?
There is a standard called the Common Criteria (ISO/IEC 15408) which attempts to take all these types of assurance into account. It defines seven Evaluation Assurance Levels (EAL1 to EAL7, where 1 is the lowest and 7 the highest). Products can be evaluated against the Common Criteria by licensed test laboratories. Be warned: such evaluations are very expensive and, I have to say, are oriented more to documentation than to real security weaknesses. Note also that the EAL measures how rigorously the product's claimed security functions (those in its Security Target) were evaluated, not how strong or how broad those functions are; a product can reach a given EAL with a narrow set of claims. Many firewalls are certified to EAL4; very few products are evaluated to a higher level.