Given the proliferation of software, limited resources, and a constant stream of breaches, organizations continue to look for high-impact activities that reduce enterprise risk. Many analysis and testing techniques can contribute, but it is important to focus on those that address your most critical threats and nightmares: the scenarios that can bring an organization to its knees, such as theft of intellectual property or a failing medical device, rather than the defacement of a website or a bounded loss of funds.
Two of my favorite threat-driven activities, conducted at both the software and the enterprise level, are threat modeling and red teaming.
Threat modeling is an effective way to understand high-risk areas and to ensure that assessment and other security activities are commensurate with the risks. Every other security activity can use the resulting model as a compass for risk mitigation. It is not overly complex, yet very few organizations do it at the level of the individual application. Threat modeling can drive design choices, test plans, and the selection of mitigating controls. It can also be done at the enterprise level, where it is used to risk-rate applications and decide where limited resources and budget should be focused.
Light-touch threat modeling is effective when you want to assess a portfolio of dozens or hundreds of applications in a timely manner. At the level of an individual application it gets more technical, because you need to know specific configuration and deployment details, such as where the trust boundaries are, how data flows across them, and how the application is deployed.
For more information on Threat Modeling, please check out our on-demand webinar:
Threat Modeling - Locking the Door on Vulnerabilities.
A red team exercise allows an organization to understand how it stands up against very specific types of attacks. Security executives and practitioners often plug the obvious holes found by a vulnerability scan, but what if those holes don't really lead to much damage? This is where red teaming comes into play: it identifies the holes that DO enable serious damage. For example, when you think of worst-case scenarios for a pharmaceutical company, theft of private data such as customer names is bad, but it is not a deal breaker. Being able to steal the formula of an innovative drug, or to alter the "fine print" of a drug's published information, can be. Red teaming tests an organization's defensive readiness against goal-based attacks like these. The team conducts a sustained campaign with that one objective in mind, which provides an "all hands on deck" inspection of the defenses around your most critical assets.
Red team exercises can be done in-house or outsourced. If conducted internally, it should ideally be a stealth exercise, with the IT and operations teams unaware of the activity, although a small group of senior stakeholders should authorize it and set the rules of engagement so that the exercise can be distinguished from a real intrusion and halted if needed. Often, organizations do vulnerability testing on their own but bring in experts for deeper, more specialized testing where needed. The simulation can range from testing an organization's preparedness to withstand and respond to an attack, to pursuing a very specific objective such as stealing sensitive IP, or pivoting from a low-risk application to a high-risk one. Red teaming is essentially any offensive activity with a specific objective in mind, which is what distinguishes it from a vulnerability scan or a broad penetration test. It can be very effective, and outsourcing to a third party often provides a different but equally thorough perspective.
While it may not be possible to remediate every vulnerability or protect every line of code, organizations should focus on critical assets and the most impactful threats. With proper planning this can be done cost-effectively, by shifting some of the time already spent on lower-risk activities to higher-risk ones, or by augmenting existing activities. Threat modeling and red teaming are the most important steps you can take to reduce your application security risk.