@ISACA Volume 6, 25 March 2015

Preventive Measures for Application Security


Many organizations’ IT efforts are focused on using technology to deliver services to customers. Specifically, applications are the vehicles that take services to customers. In order to ensure these services are delivered securely, organizations should ensure that security is built into the infrastructure. This includes network-level controls (firewalls, intrusion detection or prevention systems [IDS/IPS]), antivirus, web site authentication and user authentication with multifactor access controls. Despite these precautions, there has been an increase in incidents of fraud and information leakage. There are 2 weak links in the process: humans (users) and applications. Weakness in humans can be addressed using awareness training. Application security, on the other hand, must be part of the application itself and needs to be addressed during development.

Many organizations focus their application security efforts on automated detective and/or corrective solutions (e.g., application scans, penetration testing, grey box/white box testing, web application firewalls) rather than on preventing the defects from occurring in the first place. Security defects are then fixed as they are reported. This approach requires a lot of rework, and the cost is high.

The following are a few suggestions to build security into applications:

  • Do not expect security from users, e.g., securing mobile devices or browsers. Develop applications that do not depend upon browser configuration.
  • Adopt a secure software development life cycle (SDLC) methodology by incorporating steps for embedding security in each phase of software development.
  • Organizations must adopt standard coding practices that prevent security flaws from being introduced within applications.
  • Ongoing developer education is a preventive technique that seeks to empower developers with the knowledge to write secure code. A single training class is a point-in-time activity and the value of the education diminishes over time, unless the developers are continuously in touch with the material and are updated on new and emerging techniques.

Detective techniques are inefficient when compared to preventive techniques because remediation late in the SDLC is extremely costly. It is more cost-effective to plan and prevent defects upfront than to find and fix them later.

Sunil Bakshi, CISA, CISM, CGEIT, CRISC, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP, is a consultant and trainer in IT governance and information security.


The True Cost of Cost Savings When Outsourcing IT

By Karl Fruecht

Blame the IT skills shortage or new pressures facing chief information officers (CIOs), but information technology outsourcing (ITO) is the new normal. In fact, Gartner predicts the worldwide IT services market will reach US $1.1 trillion by 2018, with outsourcing contributing to more than half of that market growth. Also consider the booming IT offshoring market, with Forrester Research conservatively predicting 542,000 IT jobs will have moved overseas by this year.

ITO is unavoidable and widely seen as inexpensive. However, growing cybersecurity concerns demand a second, more detailed inspection of the cost associated with risk. A 2014 Gartner study found that all 9 countries it studied in the Asia-Pacific region were rated either poor or fair on the data/Internet Protocol (IP) security and privacy criterion.

What are the costs, in terms of additional security, of sending these jobs outside the enterprise? Until an organization assesses its entire application infrastructure and its layers of security, these savings may be part of a false economy—something that saves money at first, but costs more over time. How much are these cost-saving measures really costing?

To find out, assess the organization’s application portfolio, from internal functions to external access, and align it with security metrics. While the 10 applications’ outsourced teams’ access may total US $1 million annually, what about the cost of maintenance, extra security precautions and a potential data breach? That then must be combined with the time and manpower linked to maintaining these extra precautions.

Evaluating these components together shows the true cost associated with doing business with an outsourcer or overseas provider. According to PricewaterhouseCoopers’ 2015 Global Information Security Survey, other than current and former employees, there is no higher cybersecurity threat than service providers, consultants and contractors.

Plus, the cost of an incident is increasing. Globally, the average financial loss associated with cybersecurity incidents in 2014 was US $2.7 million, a 34% increase over 2013. Do the math and find the real price tag of outsourcing.

Karl Fruecht is principal business consultant at KillerIT, a division of Forsythe Technology Inc. KillerIT is a Gartner-recognized IT program and portfolio management (PPM) software suite that provides a data-driven roadmap to optimize IT and accelerate digital business. In 2014, Gartner named KillerIT both a “Cool Vendor in Program and Portfolio Management” and in the Visionaries Quadrant of its “Magic Quadrant for Integrated IT Portfolio Analysis Applications.”


Learn to Collaborate and Become More Involved With a CRISC Certification

Marco Vasquez Chavez, CISA, CRISC, COBIT Foundation, ITIL v2 Foundation, Shares His Experience as a CRISC

“To get certified is the best way to formalize knowledge, keep up to date professionally and gain acknowledgement of your skills,” says Marco Vasquez Chavez. Vasquez decided to obtain the Certified in Risk and Information Systems Control (CRISC) certification to receive recognition for his risk experience. He also knew that ISACA membership would give him access to valuable risk resources.

For Vasquez, the most rewarding part of his job is its collaborative nature. “The best parts of my job are planning, sharing and comparing. It is important to learn about business reality and its associated functions for business needs. It is necessary to have the adequate processes, methods and technologies in place to collaborate in the success of an organization,” he says.

Although Vasquez says that understanding the unique needs of every business area can be a challenge, he says that collaboration is necessary to appropriately address risk. “If you understand the reality, you can propose a technology path to the company that can be used companywide.”

Vasquez is heavily involved with ISACA activities. He is vice president of the Quito (Ecuador) Chapter and he has done translation work for ISACA. Vasquez says that his pursuit of the CRISC certification and his ISACA involvement have enabled him to earn more certifications. “My approach to CRISC specifically, and involvement with ISACA generally, presented me with the opportunity to earn the Certified Information Systems Auditor (CISA) certification and a COBIT Foundation certificate. The CRISC certification has also motivated me to participate more actively as an ISACA member at first, and then as an ISACA local chapter leader.”

To learn more about ISACA certifications, visit the Certification page of the ISACA web site.


Book Review: Hacking Exposed: Unified Communications & VoIP Security Secrets & Solutions

Reviewed by Jeimy J. Cano, Ph.D., COBIT Foundation, CFE, CMAS

Digital communications industry leaders warn of the convergence of hardware and software. But this convergence is the new normal that organizations implement to stay connected to their global partners. This new way of communicating helps companies face the challenge of creating a single new user experience that links service and technology support in a way that users prefer.

The threats to unified communications seek to compromise the availability of communications, steal bandwidth and services, steal information, listen in on private conversations, conduct espionage, impersonate users and manipulate specialized technical protocols to create instability in the service.

Hacking Exposed: Unified Communications & VoIP Security Secrets & Solutions develops an in-depth technical and practical analysis of the most important protocols in unified communications. This book helps information security professionals and IT auditors see the faults and information security risk that compromise the proper functioning of this technology. Hacking Exposed also explains how the transmission of information through Voice-over Internet Protocol (VoIP) works.

The 17 chapters of this book guide readers through the different aspects of VoIP, from reconnaissance of unified communication networks, through attacks on applications, to the handling of specialized protocols (e.g., Session Initiation Protocol [SIP] and Real-time Transport Protocol [RTP]). The book also has case studies that examine aspects of assurance and the controls that limit such attacks.

One of the most valuable parts of the book is the chapter on emerging technologies that sets the trends and realities of unified communications in the context of mobile computing and cloud computing. This approach opens up new possibilities and debates about rethinking the concepts of security and control.

This book is a reference for understanding the threats and risk associated with unified communications. It provides a way to identify specific practices to mitigate potential security breaches that can occur on the multiple VoIP platforms available internationally and implemented in many enterprises globally.

Hacking Exposed: Unified Communications & VoIP Security Secrets & Solutions is available from the ISACA Bookstore. For information, visit the ISACA Bookstore online or email bookstore@isaca.org.

Jeimy J. Cano, Ph.D., COBIT Foundation, CFE, CMAS, is a distinguished professor in the law department of the Universidad de los Andes, Bogota, Colombia. He has been a practitioner and researcher in information and computer security, digital evidence and computer forensics for more than 17 years in different industries. Cano is a member of the ISACA Publications Subcommittee.