Aspect’s engineers have assessed thousands of applications and complex systems – and year after year we find the same design flaws and implementation vulnerabilities. Organizations continue to be breached via the same vulnerabilities that have exposed so many others.
There’s plenty of blame to go around for the problem. But with thousands of vulnerabilities, threats and attack vectors, application developers and security teams face an astoundingly complex problem.
Training helps developers recognize and avoid the most common vulnerabilities; it can help prevent some breaches. But what organizations really need is a framework that facilitates laser-like focus on what matters most in application security – something that cuts through the clutter and gives developers and security teams a clear roadmap to secure the most vulnerable elements of their applications.
A Roadmap to Application Security Clarity
Aspect created Application Security Knowledge Domains (or ASKDs) to meet this need. ASKDs function as application security building blocks – they illustrate the fundamental security controls that every system needs and help stakeholders visualize those controls.
While the controls they describe are universally applicable to software and complex systems, they can also be extended to describe an organization’s particular technology stack and processes – regardless of whether the application is built or acquired.
As of today, we have developed eight ASKD controls:
- Authentication & Identity
- Session Management
- Authorization & Access Control
- Validation & Encoding
- Sensitive Data Protection
- Logging & Audit
- Configuration Security
- eXtensible Design
The Benefits of a Controls Based Approach to Application Security
Using a controls-based approach to security, business stakeholders identify the critical business use cases and data flows. In concert, technical stakeholders identify and implement the corresponding controls needed to protect those elements. As vulnerabilities stem from missing, incorrect, improperly used, incomplete or misconfigured security controls, a controls-based approach also facilitates repeatable, robust security testing of the system.
Aspect has created core definitions that model the use cases, elements and minimum required behaviors of a security control for each control area, along with the associated terminology. This abstract model is completely independent of technology and can even express security controls implemented as manual processes or through ad hoc means.
Organizations can use the model to create a reference architecture that promotes internal understanding of the control and its elements. The newfound clarity allows for further analysis. For example, while technical attacks constantly evolve and change, the attack patterns on a security control are fixed based on the required behavior for that security control. As a result, once a desired security control has been modeled it is easy to identify the attack patterns. This knowledge can be used to inform the design process, threat modeling and any security verification processes (e.g., pen tests).
Likewise, when a desired security control is modeled, it becomes possible to identify what mechanism or process is responsible for supplying each needed function of the security control. These needs naturally translate into implementation points (with associated functional requirements) and inform any implementation review efforts (e.g., code reviews). Additionally, the model can delineate organizational responsibility for each element of the control.
ASKD is a Common Translation Layer
By focusing our ASKDs on security control areas, stakeholders across the organization (business analysts, developers, testers, security teams and more) can discuss security using the same terminology. This allows organizations to tie business context to security risks in a concrete manner.
The ASKDs also serve as a common translation layer or mapping between an organization’s own standards and the myriad application security or industry-specific controls and regulations with which organizations must comply (CAPEC, CWE, NIST SP 800-53, HIPAA, PCI DSS and more). These standards and regulations have one major challenge – an overwhelming amount of information to parse and manage, with different focus areas and vocabularies to add to the confusion.
The ASKDs organize application security knowledge in a meaningful way using common terminology. By using the ASKDs, we can accurately describe and convey the fundamental security controls necessary to protect an application or system without losing other relevant contextual information – including threats, weaknesses, vulnerabilities, attacks and exploits.
Distribute AppSec Guidance with ASKD
ASKDs also help organizations distribute application security guidance using that common taxonomy. When combined with appropriate training, ASKDs provide a standardized foundation of knowledge so that team members can understand organization-specific threats and vulnerabilities as well as find tailored design, coding and testing guidance.
This knowledge base enables stakeholders to incorporate security earlier in the software development lifecycle, making security more visible, efficient and cost-effective.
We believe the ASKDs offer a new way for organizations to think about and discuss application security, with a common taxonomy and the ability to provide organization-specific guidance. Most importantly, we believe that the ASKDs can serve as a rallying point for security teams to collaborate with business stakeholders. Over time, we anticipate finding novel uses for the ASKDs – and are eager to hear your feedback and ideas. In the meantime, keep an eye out on this blog. Over the next few months we will share how organizations are using the ASKDs and how we envision others may use them.
Want to use ASKDs at your organization now? Contact us today.