How Cybersecurity Frameworks Apply to Web Application Security
A cybersecurity framework provides a formal and comprehensive set of guidelines to help organizations define their security policies, assess cybersecurity posture, and improve resilience. Cybersecurity frameworks specify security controls, risk assessment methods, and appropriate safeguards to protect information systems and data from cyber threats. Although originally developed for government agencies and other large organizations, cybersecurity frameworks can also be a useful source of security best practices for small and medium-sized businesses. Without getting too formal, let’s take a look at what cybersecurity frameworks exist, why you might want to use one, and how to manually select the cybersecurity processes and actions that apply to your specific web application security program.
Why Cybersecurity Frameworks Exist
According to the organization, a successful cyberattack can have serious social, economic or even political consequences. Whether they result in a denial of service, a data breach, or a stealthy and persistent presence in targeted systems, cyberattacks are now an ongoing concern not only for businesses and governments, but also for military operations. Well-defined cybersecurity programs are vital for organizations of all sizes, but simply saying “secure everything” is not enough given the complexity of today’s interconnected information systems and supply chains. And with data security and privacy at the top of the list, a systematic and formalized approach is needed to identify the specific security controls that keep sensitive information inaccessible to malicious actors.
With public and private organizations of all sizes facing similar cybersecurity events and challenges, it became clear that a common cybersecurity framework would benefit everyone. By working on a common set of policies and best practice recommendations, everyone would be able to define their own cybersecurity practices and protective technologies while maintaining a common baseline for auditing and certification. And for organizations that may lack the resources or technical resources to design their own policies from scratch, having such a starter policy kit might be the only way to come up with a reasonably comprehensive and effective cybersecurity policy.
Commonly used cybersecurity frameworks
You can think of a cybersecurity framework as a common box of parts for developing cybersecurity policies. More formally, a cybersecurity framework can be any document that defines procedures and objectives to guide more detailed policies. Existing documents that contain such cybersecurity guidelines include:
- The NIST Cybersecurity Framework: The most widely used document for cybersecurity policy and planning, developed by the National Institute of Standards and Technology.
- ISO 27001 Information Security Management: Guidelines for Information Security Management Systems (ISMS) prepared by the International Organization for Standardization.
- CIS Critical Security Controls for Effective Cyber Defense: A Framework of Actions to Protect Organizations Against Known Cyber Threats, prepared by the Center for Internet Security.
- Risk management frameworks: Documents such as the NIST Risk Management Framework (NIST SP 800-37 Rev. 2) and the ISO 27005:2018 standard for information security risk management focus on risk management strategies, including cybersecurity risk management.
- Industry-specific frameworks: Many industries have their own security standards for these industries, such as PCI DSS for electronic payment processing, HIPAA rules for healthcare, or COBIT for IT management and governance.
A Closer Look at NIST’s Cybersecurity Framework
In 2013, a US Presidential Executive Order was issued calling for a standardized cybersecurity framework to describe and structure cybersecurity-related activities and methodologies. In response to this, NIST developed its Framework for Improving Critical Infrastructure Cybersecurity, commonly referred to as the NIST Cybersecurity Framework (NIST CSF). It is a detailed policy document created not only to help organizations manage and reduce their cybersecurity risk, but also to create a common language for communicating cybersecurity activities. While the framework was initially intended only for companies managing critical infrastructure services in the US private sector, it is now widely used by public and private organizations of all sizes.
The NIST CSF is divided into three main components:
- Core of the framework: the main informative part of the document, defining common activities and outcomes related to cybersecurity. All basic information is organized into functions, categories and subcategories.
- Framework Profile: The basic subset of categories and subcategories that a specific organization has chosen to apply based on its needs and risk assessments.
- Implementation Levels: A set of policy implementation levels, intended to help organizations define and communicate their approach and identified level of risk for their specific business environment.
The core of the framework provides a unified structure of cybersecurity management processes, with the five main functions being Identify, Protect, Detect, Answerand Retrieve. For each function, several categories and sub-categories are then defined. This is where organizations can choose and mix to assemble a set of elements for each function that matches their individual risks, requirements, and expected results. For clarity and conciseness, each function and category has a unique letter identifier, so for example Asset Management within the Identify the function is noted ID.AMwhile Response planning within the Answer the function is RS.RP.
Each category has subcategories that correspond to specific activities, and these subcategories are assigned numerical identifiers. To give another example, the subcategory Detection processes are tested under the Detection process category and Detect the function is identified as DE.DP-3. The definitions of the sub-categories are accompanied by references to the relevant sections of the normative documents for quick access to the normative guidelines for each action.
Applying the NIST Framework to Application Security
By design, the NIST CSF is extremely broad in scope and covers far more activities than any one specific organization is likely to need. To apply the framework to web application security, you begin by analyzing each of the five functions in relation to your existing and planned application security activities and risk management processes. Then you select the categories and subcategories that match your specific needs and use them as the backbone of your own security policy to ensure you cover all the risks and activities you need. For general web application security, a skeleton cybersecurity policy should include at least the following subcategories for each function:
- ID.AM-2: Software platforms and applications within the organization are inventoried
- ID.RA-1: Asset vulnerabilities are identified and documented
- PR.AC-4: Access permissions and authorizations are managed by integrating the principles of least privilege and separation of duties
- PR.DS-2: data in transit is protected
- PR.IP-10: Incident response and recovery plans are tested
- DE.AE-2: Detected events are analyzed to understand targets and attack methods
- DE.CM-8: Vulnerability analyzes are carried out
- RS.RP-1: The response plan is executed during or after an incident
- RS.AN-1: Notifications from detection systems are reviewed
- RC.RP-1: The recovery plan is executed during or after a cybersecurity incident
- RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as management and leadership teams
Cybersecurity frameworks provide a common structure for planning, implementing, responding, and mitigating. By selecting the relevant actions (subcategories) for each core function, you can create custom cybersecurity policies tailored to your organization’s business and compliance requirements. By combining standards-based policies with enterprise web security best practices and trusted web application security solutions, you can minimize risk and maintain a strong cybersecurity posture.
The post How Cybersecurity Frameworks Apply to Web Application Security appeared first on Invicti.
*** This is a syndicated blog from Invicti’s Security Bloggers Network written by Zbigniew Banach. Read the original post at: https://www.invicti.com/blog/web-security/cybersecurity-framework-web-application-security/