The OCC and Application Security: Vindication at Last
On May 8, 2008, the OCC (Office of the Comptroller of the Currency, part of the U.S. Department of the Treasury) issued Bulletin 2008-16 on application security.
As the OCC itself notes, application security has been mentioned before by the FFIEC (of which the OCC is a member), NIST and others. However, this is the first guidance I am aware of from a U.S. government regulator that is specific to application security and prescriptive to a relatively fine level of detail. Yes, the PCI DSS (Payment Card Industry Data Security Standard), issued by the PCI Security Standards Council and enforced by the card brands (Visa, MasterCard, American Express and others), emphasizes measures for achieving higher levels of application security, but those organizations are not government agencies and, although highly influential, do not carry the weight of a regulator.
Now back to the OCC Bulletin. It is gratifying to see that the OCC has acquired such a high level of knowledge and expertise in this space, as the content of the Bulletin demonstrates. For example, the OCC includes an appendix reproducing the OWASP Top Ten, the list of the most critical web application vulnerabilities published by OWASP (Open Web Application Security Project).
As an aside, I have very high regard for OWASP and have had some involvement with the organization. I have participated in meetings of the New York/New Jersey Chapter and am scheduled to be on a panel at their World Conference in New York on September 22-25, 2008. OWASP is essentially an all-volunteer international organization that issues really great material for the practicing application security professional.
The OCC focuses on software that supports a bank’s products and services and that is either developed internally or outsourced to a third-party developer under a defined contractual arrangement, as well as on COTS (commercial off-the-shelf) banking applications, with particular emphasis on Web-based applications. It explicitly excludes “operating systems, generic office products, and other nonbanking software …”
The OCC guidance recognizes the importance of reducing risks to the security triad: confidentiality, integrity and availability. It says that the risk assessment should include the following key factors:
The guidance goes on to suggest the following be part of a risk assessment:
This is all good stuff. It is what many of us have been touting for years, often against a whole lot of pushback. Now that a regulator is promoting these principles for achieving greater application security, they will be an easier sell to management, particularly in financial services. But even if you are in a different industry, many of the same factors and measures apply. Why not circulate the OCC Bulletin to your management as an example of practices that everyone should be following?