The NIST Cyber Security Framework Completely Misses the Mark

Monday, January 06, 2014

Rohit Sethi

219bfe49c4e7e1a3760f307bfecb9954

The National Institute of Standards and Technology (NIST) released a Preliminary Cyber Security Framework to help organizations build a holistic approach to cyber security. The framework is very broad, which on the surface is a boon for information security programs. In particular, the five core functions are a good way of ensuring a complete view of security: Identify, Protect, Detect, Respond, Recover.  But, the devil is in the details – the Cyber Security Framework completely lacks any mention of application security. We predict that organizations will likewise adopt the framework with scant attention paid to secure software, which will lull them into a false sense of security.  

Make no mistake about it, application security is critically important. The 2013 Verizon Data Breach Investigations Report (DBIR) indicates that 40% used malware  and 52% of breaches used some form of hacking.  In the case of malware, gone are the days where people download a malicious executable file and run in. Instead, infections take advantage of software vulnerabilities in end user systems such as browsers, operating systems, and desktop programs. In the case of hacking, the majority of vulnerabilities are software vulnerabilities, such as back-doors, susceptibility to brute force attacks, and SQL injection. Not integrating application security in custom development, and more importantly into the supply chain for procured software, is a major gap.  

As with implementers of other broad frameworks such as NERC CIP, ISO 27001 and COBIT, we cannot have confidence that implementers will have a comprehensive application security program. An organization with hundreds of applications could reasonably conform to this cyber-security framework with absolutely no application security controls whatsoever – even if those applications are responsible for a large portion of the breaches. The absence or presence of application security controls will rest with the domain knowledge of whomever is assessing that organization for compliance. To put this in perspective, if the developers ofhealthcare.gov want to adopt the Cyber Security Framework, they could  possibly do so without any application security controls. This, despite the fact that healthcare.gov is in itself a massive web application.  

Clearly the framework’s authors were trying to stay focused on high level objectives, as opposed to frameworks like the Payment Card Industry Data Security Standard which are very perspective and specific with technical compliance requirements. You could argue that some parts of the framework such as “ID.RM-1: Risk management processes are managed and agreed to” ought to include application security. That particular section lists  NIST SP 800-53 as an informative reference, which does cover application security explicitly. Yet there’s a big difference between an optional “informative reference” on a single line item and a top-level control that calls for application security controls. It makes sense for the framework to be focused on strategic outcomes, but not at the expense of potentially dangerous false negatives. 

The Cyber Security Framework can make a significant impact on information security. The framework could, for example, make application security for both custom and procured software, a major piece of the “Protect” function. They could include references to holistic application security standards, such as the emerging ISO 27034. Imagine the cumulative impact if every implementor of the framework pushed comprehensive application security controls on to its supply chain. Many of the root cause vulnerabilities that enable security incidents could be significantly reduced at a lower cost, as proven by Microsoft through its SDL program. Not only would the organizations who implement the Cyber Security Framework benefit, but all users of the downstream vendors’ software will also have improved security postures. None of this will happen if application security is optional.  

Cross-posted from the SC Labs blog  

Possibly Related Articles:
12830
General Security Awareness Privacy Vulnerabilities Webappsec->General
NIST Cyber Security Framework
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.

Most Liked