Hello Andy,

> Once an application is released or put into production, what are
> organizations doing to keep the applications secure?  As new

Some organizations purchase web application security scanners and perform 
scanning (this could be done by the soc) or use a service  such as whitehatsec
to perform continuous application level scanning. It usually boils down to 
company resources, 
finding qualified people to configure/run a tool, and/or budget.

If you're using a service ideally they should be identifying the false 
positives and removing
them from your reporting. If you're using a tool you'll need someone qualified 
to be able
to identify if an issue is real or not and remove it.

For the sake of saying it no tool can find all issues and having a human/tool 
is really required. Tools do very poorly at logic flaws which are often the 
most damaging.

For more critical applications (dealing with Personal Identifiable Information) 
or those dubbed risky
one off deep dive pen tests may be needed in addition to continuous 
scanning/monitoring. This 
will depend on frequency of application changes, budget, and resources. 

> vulnerabilities and classes of exploits are released, how is that
> information being fed back to developers so they can update/patch in
> the software.  At the network most organizations have a Network

After the scanning is performed typically you'll have an assigned security 
resource (this could 
even be a QA/dev person depending on available resources) that files tickets 
with development 
(if this process isn't automated) to address each issue and owns the 
responsibility to follow-up 
on each discovery. Remediation timelines will vary depending on the flaw and 
unless their is a 
policy/management buy-in of some sort, forcing development to fix things in a 
given timeframe 
may be difficult. It is important to iron out the process regarding false 
positive identification 
otherwise development will take you less seriously when an issue is filed.

> Is there a formal method other than reacting to incidents?  Is there a

Yes by proactively monitoring and testing your applications for 'security 
(pen testing/security assessments). 

> sort of Operations or Intelligence cell that proactively finds and
> processes new information and feeds that info back to the design and
> development teams so they can update the software?

It is important to note that development people aren't security people
and they never will be (no matter how much the security people want them to be).
Sure they will get better and stop making certain mistakes over time but most
developers aren't monitoring the usual security outlets for the latest threats
to see if their code may be affected. It is typically the job of a security team
(local, service, or SOC) or auditing team (regarding compliance e.g PCI/SOX) to 
ensure that a given application is reviewed against the latest threats at the 
of the evaluation. Depending on your setup a SOC may handle monitoring/incident 
response and scanning. 

Hope this helps.

- Robert
http://www.cgisecurity.com/ Application Security news and more
http://www.webappsec.org/ The Web Application Security Consortium
http://www.qasec.com/ Software Security Testing

Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.

Reply via email to