Secure Coding mailing list archives

Secure development after release


From: bugtraq at cgisecurity.net (bugtraq at cgisecurity.net)
Date: Tue, 4 Mar 2008 14:03:42 -0500 (EST)

Hello Andy,

> Once an application is released or put into production, what are
> organizations doing to keep the applications secure? As new

Some organizations purchase web application security scanners and perform periodic
scanning (this could be done by the SOC) or use a service such as whitehatsec
to perform continuous application-level scanning. It usually boils down to company resources,
finding qualified people to configure/run a tool, and/or budget.

If you're using a service, ideally they should be identifying the false positives and removing
them from your reporting. If you're using a tool, you'll need someone qualified to be able
to identify whether an issue is real or not and remove it.

For the sake of saying it, no tool can find all issues, and a human/tool combination
is really required. Tools do very poorly at logic flaws, which are often the most damaging.

For more critical applications (dealing with Personally Identifiable Information) or those dubbed risky,
one-off deep-dive pen tests may be needed in addition to continuous scanning/monitoring. This
will depend on frequency of application changes, budget, and resources.


> vulnerabilities and classes of exploits are released, how is that
> information being fed back to developers so they can update/patch in
> the software. At the network most organizations have a Network

After the scanning is performed, typically you'll have an assigned security resource (this could
even be a QA/dev person depending on available resources) that files tickets with development
(if this process isn't automated) to address each issue and owns the responsibility to follow up
on each discovery. Remediation timelines will vary depending on the flaw, and unless there is a
policy/management buy-in of some sort, forcing development to fix things in a given timeframe
may be difficult. It is important to iron out the process regarding false positive identification;
otherwise development will take you less seriously when an issue is filed.


> Is there a formal method other than reacting to incidents? Is there a

Yes, by proactively monitoring and testing your applications for 'security defects'
(pen testing/security assessments).


> sort of Operations or Intelligence cell that proactively finds and
> processes new information and feeds that info back to the design and
> development teams so they can update the software?


It is important to note that development people aren't security people
and they never will be (no matter how much the security people want them to be).
Sure, they will get better and stop making certain mistakes over time, but most
developers aren't monitoring the usual security outlets for the latest threats
to see if their code may be affected. It is typically the job of a security team
(local, service, or SOC) or auditing team (regarding compliance, e.g. PCI/SOX) to
ensure that a given application is reviewed against the latest threats at the time
of the evaluation. Depending on your setup, a SOC may handle monitoring/incident
response and scanning.

Hope this helps.

Regards,
- Robert
http://www.cgisecurity.com/ Application Security news and more
http://www.webappsec.org/ The Web Application Security Consortium
http://www.qasec.com/ Software Security Testing



Current thread: