This picture by Dustin Sacks shows the extreme measures one can take to feel secure. It’s amusing that only one of the hundred or so locks actually anchors the bike to the bike rack. Government web pages need to be secure, but currently there are many, many, different security practices—so many that it can be over-whelming. Some are more important, while others are just cosmetic and provide only a false sense of security. Some are not needed and may actually open the door to more attacks. Over-zealousness may result in a situation like the bike pictured above.
Low Hanging Fruit
Why climb up the tree for an apple if you can reach the apple from the ground? Removing the low hanging fruit for hackers needs to be first priority. The OWASP Top 10 Risks represents the current low-hanging fruit. If these risks are ignored, your site will be the first to get hacked. For a development team the CWE/SANS Top 25 Most Dangerous Software Errors are more valuable and instructive.
Regular training has helped Partnet uncover and resolve vulnerabilities in DOD EMALL that was thought to be secure. It has helped DOD EMALL stay ahead. Because of training with the OWASP top ten, Partnet added protection against CSRF attacks nearly a year before these protections were required by the Application Development and Security STIG in May.
A government website cannot be content with simply removing the low-hanging fruit. But with so many security activities, it’s hard to know what to focus on next. For adding depth, the OpenSAMM (Software Assurance Maturity Model) project from OWASP provides that guidance. It organizes many of the best security practices into a maturity model. It organizes 12 general security practices into four business functions: Governance, Construction, Verification, and Deployment:
The general security practices help ensure you have all the bases covered. Each practice has four levels of maturity. These levels can be thought of as bang for the buck levels. Implement level one activities before level two, as these will give you more bang for the buck. These levels of maturity help an organization answer the question, “how secure do we want to be?”
Open SAMM offers road-maps to help you answer that question. It includes road-maps for four different types businesses: Web-applications, traditional shrink-wrap software, financial services, and government services.
Partnet uses OpenSAMM as a measuring stick when considering new security activities, helping us put first-things first, and giving DOD EMALL the most security bang for the buck. We highly encourage using OWASP resources when building a Government eCommerce web application.