In it he lists 4 approaches for getting started with application security:
- Top-down framework
- Portfolio Risk
- Training First
- Lead with a tool
I had success with #4, but not using the tools we usually think of for bootstrapping a program, namely static analysis or testing tools.
When I took the position they had already settled on using Netegrity's Siteminder product for a common authentication and authorization scheme across all of the applications. I managed to get them to settle on doing a quasi-RBAC with Siteminder, using it almost as an
identity service as well.
Settling on one common high-quality authentication and authorization tool/framework had three effects:
- It removed these services from the realm of development. They just had to integrate with it, but didn't have to figure out all of the corner cases to password changes, etc. that so often crop up, and people mess up in homegrown approaches.
- It convinced developers to build clean interfaces in their code for things like authorization to call out externally and/or have the data provided to them in a standard fashion. By settling on RBAC it also helped a lot with role and permission modeling that did need to happen in the app.
- In a shop that usually wanted to do everything itself, it broke that cycle and people got used to not having to write everything from scratch.
Just one data point on leading with a tool that focused more on architecture and design than it did on finding defects.
In the end in order to fully implement the program we had to do developer training, build our own frameworks, perform risk assessments against applications, and fully incorporate testing.
The key to getting it started though was adopting a common approach to one area of security via a well-designed tool.