Security Manager's Journal: R&D's new security lab is a promising step
The R&D department will have a sandbox for testing the company's software products. For once, security isn't last.
Computerworld - It's a great thing when a security manager doesn't have to go into battle mode every time a new corporate initiative emerges. When other departments show signs that they aren't putting security last, I can relax a bit. But just a little bit. Even in those cases, I want to have input.
At issue: R&D plans a lab for assessing the security of the company's security products.
For the most part, I was happy when the R&D department came to me last week to discuss their plan to create a software security test lab. The R&D team has been charged with enhancing the security of the software portion of our products, and one of their requirements is to create an environment in which they can run hacking and assessment tools and code-scanning software. That will free them up to conduct such activity whenever they want, without notifying anyone. When my department conducts security assessments or penetration testing against our corporate applications, we schedule the activity at a time that minimizes the impact, and we let everyone know.
Before the architecture team went to work designing the lab, I created a set of security requirements. The first and most important was that the lab must be segmented from our production network. Other requirements included a separate firewall protecting the lab from the corporate network and extremely limited access to the public Internet. I don't want any inquisitive engineers running scans against resources on the Internet -- that could get us into trouble. Also, access to the lab must be controlled and logged.
The lab will be segmented into several virtual LANs, with firewall rules in place to protect one VLAN from another. For example, one VLAN will contain the various security tools for running assessments, penetration testing, code scanning and other activity. The products to be tested will reside on another VLAN, while any source code will reside on yet another. Most of the resources will be installed on virtual machines, so the servers can be quickly taken down and redeployed if necessary. We will set up a bastion host, with access to the lab network restricted to those who have access to the lab itself.
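As an added example (not part of the column), here is a first-match model of the segmentation described above, with a check that the stated requirements hold against the rule table: the lab is cut off from production, only the bastion is reachable from the corporate side, the tools VLAN cannot reach source code or the Internet, and a single documented pinhole is the only outbound path. The zone names, address ranges and the pinhole are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed address plan for the lab VLANs and surrounding networks (assumed).
ZONES = {
    "lab-bastion": ip_network("10.50.1.0/24"),    # only entry point into the lab
    "lab-tools":   ip_network("10.50.10.0/24"),   # Nessus, Metasploit, Burp, scanners
    "lab-targets": ip_network("10.50.20.0/24"),   # products under test (VMs)
    "lab-source":  ip_network("10.50.30.0/24"),   # source code and static analysis
    "corporate":   ip_network("10.0.0.0/8"),      # production network
    "internet":    ip_network("0.0.0.0/0"),
}
LAB = [z for z in ZONES if z.startswith("lab-")]

# First-match rule table: (src zone, dst zone, dst port or "*", action).
# Anything not matched is denied, which is what keeps the lab off production.
RULES = [
    ("corporate",   "lab-bastion", 22,  "allow"),  # engineers SSH to the bastion only
    ("lab-bastion", "lab-tools",   22,  "allow"),  # and from there into the tools VLAN
    ("lab-tools",   "lab-targets", "*", "allow"),  # scans and exploits hit targets only
    ("lab-tools",   "lab-source",  "*", "deny"),   # tool hosts never touch source code
    ("lab-source",  "internet",    443, "allow"),  # assumed pinhole: analyzer rule updates
]

def zone_of(ip):
    """Longest-prefix match, so a lab /24 wins over corporate /8 and internet /0."""
    addr = ip_address(ip)
    return max((z for z in ZONES if addr in ZONES[z]), key=lambda z: ZONES[z].prefixlen)

def evaluate(src_ip, dst_ip, dport, rules=RULES):
    """Return 'allow' or 'deny' for one flow under first-match semantics."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rsrc, rdst, rport, action in rules:
        if (rsrc, rdst) == (src, dst) and rport in ("*", dport):
            return action
    return "deny"

def violations(rules=RULES):
    """Flows the lab requirements forbid but the rule table allows (empty if compliant)."""
    host = {z: str(ZONES[z][10]) for z in ZONES}   # one representative host per zone
    checks = []
    for z in LAB:                                   # lab stays segmented from production
        checks += [(z, "corporate", p) for p in (22, 80, 443, 445)]
        if z != "lab-source":                       # only the documented pinhole may egress
            checks += [(z, "internet", p) for p in (80, 443)]
    checks += [("corporate", z, 22) for z in LAB if z != "lab-bastion"]  # bastion is the door
    return [c for c in checks if evaluate(host[c[0]], host[c[1]], c[2], rules) == "allow"]
```

Running `violations()` on a proposed rule table before it is pushed to the lab firewall turns the requirements in the column into a regression check rather than a one-time design review.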
At least at first, we'll stock the lab with some fairly common tools, and then upgrade as the engineers get properly trained on how to conduct assessments. One will be Nessus, a fairly easy-to-use tool that scans for server misconfigurations and also has an extensive menu of plug-ins, including a variety of application vulnerability checks. Another tool will be Metasploit, which is one of my favorites. It can be very helpful in running attacks against potentially vulnerable systems. For example, if you discover a SQL injection vulnerability, Metasploit can attempt several SQL attacks that will validate the vulnerability -- you don't have to be an expert in SQL. That's definitely handy, since SQL injection has been used in many recent attacks compromising user passwords.
Another of my favorites is BurpSuite, a set of application assessment utilities that let you do things like intercept traffic between the client browser and Web application. For example, if an application's password-reset logic isn't written properly, you could use BurpSuite to intercept and alter the parameters in an attempt to change another user's password.
We'll have other utilities, of course, as well as a tool to run static code analysis. That tool will eventually be incorporated into our software development life cycle and will be employed to assess the sanity of our source code.
We need our engineers to use all these tools properly, and I want them to learn to think like a hacker. To help, I'll find a trusted third party to provide training and guidance in application assessments and penetration testing. Slowly but surely, all of this will get all of our engineers thinking about security early and often in the development process.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.