Hello Andy,

> Once an application is released or put into production, what are
> organizations doing to keep the applications secure? As new

Some organizations purchase web application security scanners and perform periodic scanning (this could be done by the SOC) or use a service such as whitehatsec to perform continuous application-level scanning. It usually boils down to company resources, finding qualified people to configure/run a tool, and/or budget. If you're using a service, ideally they should be identifying the false positives and removing them from your reporting. If you're using a tool, you'll need someone qualified to be able to identify if an issue is real or not and remove it. For the sake of saying it, no tool can find all issues, and having a human/tool combination is really required. Tools do very poorly at logic flaws, which are often the most damaging. For more critical applications (dealing with Personally Identifiable Information) or those dubbed risky, one-off deep-dive pen tests may be needed in addition to continuous scanning/monitoring. This will depend on frequency of application changes, budget, and resources.

> vulnerabilities and classes of exploits are released, how is that
> information being fed back to developers so they can update/patch in
> the software. At the network most organizations have a Network

After the scanning is performed, typically you'll have an assigned security resource (this could even be a QA/dev person depending on available resources) that files tickets with development (if this process isn't automated) to address each issue and owns the responsibility to follow up on each discovery. Remediation timelines will vary depending on the flaw, and unless there is a policy/management buy-in of some sort, forcing development to fix things in a given timeframe may be difficult. It is important to iron out the process regarding false positive identification; otherwise development will take you less seriously when an issue is filed.

> Is there a formal method other than reacting to incidents? Is there a

Yes, by proactively monitoring and testing your applications for 'security defects' (pen testing/security assessments).

> sort of Operations or Intelligence cell that proactively finds and
> processes new information and feeds that info back to the design and
> development teams so they can update the software?

It is important to note that development people aren't security people and they never will be (no matter how much the security people want them to be). Sure, they will get better and stop making certain mistakes over time, but most developers aren't monitoring the usual security outlets for the latest threats to see if their code may be affected. It is typically the job of a security team (local, service, or SOC) or auditing team (regarding compliance, e.g. PCI/SOX) to ensure that a given application is reviewed against the latest threats at the time of the evaluation. Depending on your setup, a SOC may handle monitoring/incident response and scanning.

Hope this helps.

Regards,
- Robert
http://www.cgisecurity.com/ Application Security news and more
http://www.webappsec.org/ The Web Application Security Consortium
http://www.qasec.com/ Software Security Testing

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________
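The triage step Robert describes (a scanner reports findings, a person strips confirmed false positives, duplicates across tools or runs are collapsed, and each real issue becomes a ticket with a remediation timeline that depends on the flaw) is easy to get wrong when done by hand against a growing report. The script below is an added example, not code from the post or from any of the scanners or services it mentions. The scanner findings, the suppression list with its expiry dates, the set of already-open tickets and the SLA-by-severity table are all constructed for illustration; the fingerprint scheme (check name + normalised path + parameter) is one reasonable choice, not a standard.

```python
"""Triage web-app scanner output into tickets (added example, constructed data).

- collapse the same flaw reported by two tools or two runs into one finding
- drop findings on the confirmed-false-positive list, but only until the
  suppression entry expires, so a stale suppression is re-reviewed rather
  than hiding a real issue forever
- skip findings that already have an open ticket with development
- give every new ticket a due date from a per-severity SLA
"""
from datetime import date, timedelta
import hashlib

# Remediation SLA in days per severity. Constructed policy values; the post
# only says timelines vary with the flaw and need management buy-in.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def fingerprint(finding: dict) -> str:
    """Stable identity for a finding across scan runs and across tools.

    The tool name is deliberately left out so two scanners reporting the
    same flaw map to one ticket; query strings and trailing slashes are
    stripped so URL variants of one endpoint collapse together.
    """
    path = finding["url"].split("?", 1)[0].rstrip("/").lower()
    key = "|".join([finding["check"].lower(), path, finding.get("param", "").lower()])
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def triage(findings, suppressions, open_tickets, today):
    """Return (new_tickets, suppressed_fps, already_open_fps).

    suppressions: {fingerprint: expiry_date} for confirmed false positives.
    open_tickets: set of fingerprints already filed with development.
    """
    new_tickets, suppressed, already_open = [], [], []
    seen = set()
    for f in findings:
        fp = fingerprint(f)
        if fp in seen:  # same flaw reported twice in this run
            continue
        seen.add(fp)
        expiry = suppressions.get(fp)
        if expiry is not None and expiry >= today:
            suppressed.append(fp)
            continue
        if fp in open_tickets:
            already_open.append(fp)
            continue
        sev = f["severity"].lower()
        new_tickets.append({
            "fingerprint": fp,
            "severity": sev,
            "title": f"[{sev.upper()}] {f['check']} at {f['url']}",
            "due": today + timedelta(days=SLA_DAYS[sev]),
            # a human confirms the finding before it reaches development
            "status": "needs-verification",
        })
    return new_tickets, suppressed, already_open


# Constructed sample scan output: two tools, one duplicate, one known false positive.
SAMPLE_FINDINGS = [
    {"tool": "scannerA", "check": "Reflected XSS", "url": "https://app.example/search?q=1",
     "param": "q", "severity": "high"},
    {"tool": "scannerB", "check": "reflected xss", "url": "https://app.example/search/",
     "param": "Q", "severity": "high"},  # same flaw seen by the second tool
    {"tool": "scannerA", "check": "SQL Injection", "url": "https://app.example/login",
     "param": "user", "severity": "critical"},
    {"tool": "scannerA", "check": "Server version disclosure", "url": "https://app.example/",
     "param": "", "severity": "low"},
    {"tool": "scannerA", "check": "Missing X-Frame-Options", "url": "https://app.example/",
     "param": "", "severity": "medium"},
]


def run_sample(today=date(2024, 1, 15)):
    """Run triage over the constructed findings with a constructed FP list."""
    # The version-disclosure hit was reviewed and confirmed false; re-check in a year.
    suppressions = {fingerprint(SAMPLE_FINDINGS[3]): today + timedelta(days=365)}
    # The clickjacking header issue already has a ticket open with development.
    open_tickets = {fingerprint(SAMPLE_FINDINGS[4])}
    return triage(SAMPLE_FINDINGS, suppressions, open_tickets, today)


if __name__ == "__main__":
    tickets, suppressed, already_open = run_sample()
    for t in tickets:
        print(f"{t['due']}  {t['title']}  ({t['status']})")
    print(f"suppressed: {len(suppressed)}, already open: {len(already_open)}")
```

Run as-is it files two tickets (the SQL injection due in 7 days, the XSS due in 30, with the second scanner's duplicate folded in), suppresses the confirmed false positive and skips the issue already with development. The expiry on each suppression is the piece that keeps the false-positive process credible over time: a suppression that never lapses is how a real finding gets hidden after the application changes underneath it.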