SPICE - Security open Pages Integrated Grace Environment

Introduction
OpenPages
OpenPages, an IBM company, is a leading provider of integrated governance, risk and compliance (GRC) solutions for global corporations. OpenPages provides software that helps companies more easily identify and manage risk and compliance activities across the enterprise, enabling them to increase insight and focus on business performance while avoiding unexpected outcomes.

Rational AppScan
Rational AppScan Standard Edition automates vulnerability testing to help protect against the threat of cyber-attack with a solution that combines dynamic analysis, static JavaScript analysis and ease of use.
Enables comprehensive automated testing of Web applications for vulnerabilities with hybrid analysis, the combination of dynamic and static testing in a single solution
Automates dynamic (black box) security testing for emerging Web vulnerabilities including Web Services, Web 2.0 and Rich Internet Applications (JavaScript, Ajax and Adobe Flash) 
Includes JavaScript Security Analyzer for advanced static (white box) analysis of client-side security issues, such as DOM-based cross site scripting and code injection 
Scans Web sites for embedded malware and links to malicious or undesirable sites
Provides customization and extensibility with the AppScan eXtension Framework, which allows the user community to build and share open source add-ons
Includes regulatory compliance reporting templates with 40 out-of-the-box compliance reports, including PCI Data Security Standard, Payment Application Data Security Standard (PA-DSS) (new), ISO 27001 and ISO 27002 (new) and Basel II

Architecture
The following picture tries to show the target architecture we are aiming for. It envisages OpenPages as the top tier of the security framework. OpenPages takes care of security in all operational domains, such as application security, data security, network security, endpoint security, and identity & endpoint security. IBM also has various security products in each of these domains. The aim is to integrate all these products with OpenPages so that there is an integrated view of the security of the organization and its compliance with regulations like SOX, PCI, etc.

This integration should be done in two steps. First, we should be able to map the rules defined in OpenPages into policies in the respective products. The second step is to get feedback from the products into OpenPages about the effectiveness of the policies defined.
This will help us continuously monitor the organization, provide real-time visibility into its security, and identify gaps in security faster.

Use cases
Three use cases are defined to represent the three major functions of the OpenPages software. They are
KPI Evaluator
Automated Control Testing
KRI Calculator
The data is loaded into OpenPages using ObjectManager, which takes properly formatted XML files to create the appropriate objects and values.

KPI Evaluator
The aim of this use case is to show how we can track the performance of the assets defined in OpenPages. An asset could be anything: a server, a piece of software, an item of infrastructure, etc. Here we have taken a piece of software, Tivoli Identity Manager (TIM), as the asset. We have to track the progress of the adoption of TIM into the existing software environment.
For this we have chosen to compute a percentage: the number of services being run on TIM over the total number of services the organization provides.
A KPI contains the following features in OpenPages:
Name
Target value
Threshold value
Frequency
The TIM API should be accessed to find out the number of services being run by TIM, and the total number of services will be a property read from a .properties file.
The code which fetches the number of services from TIM and calculates the percentage will be executed according to the frequency defined in the KPI above.
If the value of the percentage is less than the threshold value, an issue will be created in OpenPages, which will be sent to the appropriate authorities.
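The evaluation step described above, written out as an added example (this is not the project's own code). It assumes the TIM-side service count is handed in by the caller (the real TIM API call is not shown on this page), that the total number of services is read from a Java-style .properties file under a hypothetical key total.services, and that the KPI record is a plain dict with the name, target, threshold and frequency fields listed above. The properties file and KPI values are constructed sample data.

```python
"""Added example (not the project's code): evaluate the TIM-adoption KPI.

Hypothetical assumptions: the caller supplies the TIM service count, the
total comes from a .properties file under the key 'total.services', and the
KPI is a dict with name/target/threshold/frequency.
"""
import io


def parse_properties(text):
    """Parse a Java-style .properties file: 'key=value' or 'key: value' lines,
    '#' or '!' comment lines and blank lines are ignored, whitespace stripped."""
    props = {}
    for raw in io.StringIO(text):
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # The first '=' or ':' separates the key from the value.
        sep = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if sep < 0:
            props[line] = ""
        else:
            props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def coverage_percent(services_on_tim, total_services):
    """Percentage of the organization's services that run on TIM."""
    if total_services <= 0:
        raise ValueError("total.services must be a positive number")
    return 100.0 * services_on_tim / total_services


def evaluate_kpi(kpi, services_on_tim, properties_text):
    """Return (kpi_value, issue). The issue is None unless the value is below
    the KPI threshold, in which case it carries the data an OpenPages issue
    would need (fields are an assumption of this example)."""
    props = parse_properties(properties_text)
    total = int(props["total.services"])
    value = coverage_percent(services_on_tim, total)
    issue = None
    if value < kpi["threshold"]:
        issue = {
            "kpi": kpi["name"],
            "value": round(value, 2),
            "threshold": kpi["threshold"],
            "target": kpi["target"],
            "description": f"{kpi['name']} is {value:.1f}%, below the threshold of {kpi['threshold']}%",
        }
    return value, issue


# Constructed sample data (not taken from the page).
SAMPLE_PROPERTIES = """# services.properties (constructed sample)
total.services = 40
"""
SAMPLE_KPI = {"name": "TIM adoption", "target": 90, "threshold": 60, "frequency": "Monthly"}

if __name__ == "__main__":
    value, issue = evaluate_kpi(SAMPLE_KPI, 18, SAMPLE_PROPERTIES)
    print(f"KPI value: {value:.1f}%", "-> issue raised" if issue else "-> within threshold")
```

The scheduler that runs this on the KPI's frequency is left to the caller; evaluate_kpi is deliberately a pure function of its inputs so it can be called from a timer or a cron job and unit-tested with canned counts.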

Automated Control Testing
The aim of this use case is to show that some of the tests defined in OpenPages can be automated, increasing the effectiveness of the tests and the frequency at which they are conducted.
A test is defined within OpenPages with the following attributes.
Test Frequency
Test Performed By
Acceptable Level

Here we have taken an example test of background verification. In this test we check how many database administrators have background verification.

We have to get this test from OpenPages, which gives us an XML string with all the above information. We have to parse this information from that string and use it to find out the frequency with which we should conduct the test. Once we find that out, we schedule the test to be run according to its frequency.

When the test is executed, the code first fetches the list of database administrators from TIM, which holds the list of all employees and their responsibilities, using the TIM web API. Then we search the background verification database for each administrator and find out whether any of them do not have a background check. These are added to an exception list. We compute the score as
Score = number of verified administrators / total number of administrators.

After executing the test we check whether the score is above or below the acceptable level. Then we create the TestResult object in OpenPages and associate it with the test above. The TestResult object contains the following information.
Test Performed By
Test Result (Pass/Fail)
Date Performed
Exceptions (if any)
Test associated with

If the result is below the acceptable level we have to raise an issue, which is sent to the appropriate authority to take measures regarding the failure of the test. This issue is associated with the test result created above. The issue contains the following information.
Test Result object for which this was created
Authority it is addressed to
Steps taken to correct the situation
Date these actions are finished
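The whole control test, from parsing the test definition through scheduling, scoring and building the TestResult and issue records, as an added example that is not the project's code. All names in it are assumptions: the test definition is modelled as a small XML string with TestFrequency, TestPerformedBy and AcceptableLevel elements (the real OpenPages element names are not on this page), the TIM employee list and the background-verification records are passed in as Python data instead of being fetched over the TIM web API and from the verification database, and the frequency-to-days table and the authority the issue is addressed to are illustrative.

```python
"""Added example (not the project's code): run the background-verification
control test end to end.

Hypothetical assumptions: test definition XML with <TestFrequency>,
<TestPerformedBy> and <AcceptableLevel>; employees as dicts with 'id' and
'roles'; verified administrators as a set of ids.
"""
from datetime import date, timedelta
import xml.etree.ElementTree as ET

# Illustrative mapping of frequency names to a re-run interval in days.
FREQUENCY_DAYS = {"daily": 1, "weekly": 7, "monthly": 30, "quarterly": 91, "annually": 365}
DBA_ROLE = "database administrator"  # assumed role label in the TIM data


def parse_test_definition(xml_text):
    """Extract the three attributes the write-up lists from the test XML."""
    root = ET.fromstring(xml_text)
    return {
        "name": root.get("name", ""),
        "frequency": root.findtext("TestFrequency", "").strip().lower(),
        "performed_by": root.findtext("TestPerformedBy", "").strip(),
        "acceptable_level": float(root.findtext("AcceptableLevel", "").strip()),
    }


def next_run(frequency, last_run):
    """Date on which the test is due again, given its frequency."""
    if frequency not in FREQUENCY_DAYS:
        raise ValueError(f"unknown test frequency: {frequency!r}")
    return last_run + timedelta(days=FREQUENCY_DAYS[frequency])


def run_background_check_test(test, employees, verified_ids, performed_on, authority):
    """Compute Score = verified administrators / total administrators, build the
    TestResult record and, on failure, the issue record. Returns (result, issue)."""
    admins = [e for e in employees if DBA_ROLE in e["roles"]]
    if not admins:
        # An empty administrator list almost certainly means the TIM fetch
        # failed; refusing to score it avoids a silently passing test.
        raise ValueError("no database administrators returned by TIM")
    exceptions = sorted(e["id"] for e in admins if e["id"] not in verified_ids)
    score = (len(admins) - len(exceptions)) / len(admins)
    passed = score >= test["acceptable_level"]
    result = {
        "test": test["name"],
        "performed_by": test["performed_by"],
        "result": "Pass" if passed else "Fail",
        "date_performed": performed_on.isoformat(),
        "score": round(score, 4),
        "exceptions": exceptions,
    }
    issue = None
    if not passed:
        issue = {
            "test_result": result,       # TestResult this issue was created for
            "addressed_to": authority,   # authority that must act on it
            "corrective_steps": [],      # filled in as actions are taken
            "completed_on": None,        # date the actions are finished
        }
    return result, issue


# Constructed sample data (not taken from the page).
SAMPLE_TEST_XML = """<Test name="DBA background verification">
  <TestFrequency>Quarterly</TestFrequency>
  <TestPerformedBy>HR compliance team</TestPerformedBy>
  <AcceptableLevel>0.9</AcceptableLevel>
</Test>"""
SAMPLE_EMPLOYEES = [
    {"id": "u101", "roles": [DBA_ROLE]},
    {"id": "u102", "roles": [DBA_ROLE, "developer"]},
    {"id": "u103", "roles": ["developer"]},
    {"id": "u104", "roles": [DBA_ROLE]},
    {"id": "u105", "roles": [DBA_ROLE]},
]
SAMPLE_VERIFIED = {"u101", "u102", "u103", "u105"}

if __name__ == "__main__":
    test = parse_test_definition(SAMPLE_TEST_XML)
    result, issue = run_background_check_test(
        test, SAMPLE_EMPLOYEES, SAMPLE_VERIFIED, date(2011, 1, 1), "Head of IT Security")
    print(result["result"], "score", result["score"], "exceptions", result["exceptions"])
    print("next run due", next_run(test["frequency"], date(2011, 1, 1)))
```

In the sample, four database administrators are found and one lacks a verification record, so the score is 0.75, below the 0.9 acceptable level, and an issue addressed to the named authority is produced alongside the failing TestResult.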

Key Risk Indicator (KRI)
The aim of this use case is to show how we can track the risk of the assets defined in OpenPages. An asset could be anything: a server, a piece of software, an item of infrastructure, etc. Here we have taken a web application as the asset. We use Rational AppScan to evaluate the risk status of the web application.
For this we have used a weighted sum of the risks, using the criticality ratings provided by AppScan. We have selected the threshold value such that even a single critical finding gives a weighted sum greater than the threshold.
A KRI contains the following features in OpenPages:
Name
Threshold value
Frequency
Rational AppScan produces an XML document with all the threats and their criticality. We have to parse the XML file and find the weighted sum of all threats according to their criticality. Then we have to create the XML file to update this value in OpenPages.
The code which parses the XML file created by Rational AppScan and calculates the weighted sum will be executed according to the frequency defined in the KRI above.
If the value of the weighted sum is more than the threshold value, an issue will be created in OpenPages, which will be sent to the appropriate authorities.
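The weighted-sum calculation and the threshold rule from this use case, as an added example that is not the project's code. The report format is an assumption: a simplified XML with one Issue element per finding carrying a Severity child, which stands in for the richer AppScan export and is constructed here rather than taken from a real scan. The severity weights are illustrative; the threshold is derived from them so that, as the write-up requires, a single critical finding on its own is enough to exceed it.

```python
"""Added example (not the project's code): compute the web-application KRI
from an AppScan-style findings report.

Hypothetical assumptions: a simplified <Issue>/<Severity> XML layout (not
the real AppScan export schema) and illustrative severity weights.
"""
import xml.etree.ElementTree as ET

SEVERITY_WEIGHTS = {"critical": 10, "high": 5, "medium": 2, "low": 1, "informational": 0}

# Rule from the write-up: one critical finding must already exceed the
# threshold, so the threshold sits just below the critical weight.
THRESHOLD = SEVERITY_WEIGHTS["critical"] - 1


def parse_findings(xml_text):
    """Return the lower-cased severity of every <Issue> in the report.
    An unknown severity is an error rather than a silently ignored finding."""
    root = ET.fromstring(xml_text)
    severities = []
    for finding in root.iter("Issue"):
        sev = (finding.findtext("Severity") or "").strip().lower()
        if sev not in SEVERITY_WEIGHTS:
            raise ValueError(f"unknown severity {sev!r} in finding {finding.get('id')}")
        severities.append(sev)
    return severities


def weighted_risk(severities):
    """Weighted sum of findings by criticality."""
    return sum(SEVERITY_WEIGHTS[s] for s in severities)


def evaluate_kri(kri, xml_text):
    """Return (weighted_sum, per-severity counts, issue). The issue is None
    unless the weighted sum exceeds the KRI threshold."""
    severities = parse_findings(xml_text)
    value = weighted_risk(severities)
    counts = {s: severities.count(s) for s in SEVERITY_WEIGHTS if s in severities}
    issue = None
    if value > kri["threshold"]:
        issue = {
            "kri": kri["name"],
            "value": value,
            "threshold": kri["threshold"],
            "findings": counts,
            "description": f"{kri['name']} weighted risk {value} exceeds threshold {kri['threshold']}",
        }
    return value, counts, issue


# Constructed sample reports (not real AppScan output).
REPORT_NO_CRITICAL = """<ScanResults application="constructed-sample-app">
  <Issue id="1"><Severity>High</Severity></Issue>
  <Issue id="2"><Severity>Medium</Severity></Issue>
  <Issue id="3"><Severity>Medium</Severity></Issue>
</ScanResults>"""
REPORT_ONE_CRITICAL = """<ScanResults application="constructed-sample-app">
  <Issue id="1"><Severity>Critical</Severity></Issue>
  <Issue id="2"><Severity>Low</Severity></Issue>
</ScanResults>"""
SAMPLE_KRI = {"name": "Web application risk", "threshold": THRESHOLD, "frequency": "Weekly"}

if __name__ == "__main__":
    for report in (REPORT_NO_CRITICAL, REPORT_ONE_CRITICAL):
        value, counts, issue = evaluate_kri(SAMPLE_KRI, report)
        print(value, counts, "-> issue raised" if issue else "-> within threshold")
```

The two sample reports show the rule at work: one high plus two medium findings sum to exactly the threshold and raise nothing, while a single critical finding with a low one exceeds it and produces the issue record that would be written into OpenPages.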

Work Done
My work in this project is to study the OpenPages product and find ways to push data into it from external code. There are two ways to do this. The first is by using the web API provided. The other is to use the ObjectManager command interface.
We decided on using ObjectManager, as it is simpler to use than the web API. We chose this because the code we are writing runs on the same system as the OpenPages software, so there is no need for remote communication with OpenPages.
My part in the project is to write code which first calculates the required values, such as the performance score and the risk score, and then creates an XML structure according to the requirements of OpenPages:
<?xml version="1.0" encoding="UTF-8" ?> 
<openpagesConfiguration xmlFormatVersion="1.30">
<nonFormBasedResources>
………
</nonFormBasedResources>
<resourceSets>
……..
</resourceSets>
</openpagesConfiguration>

I also had to write code to connect to remote APIs developed by teammates for the other products used, TIM and Rational AppScan, until their web APIs were understood well enough to be used.

Future Work
Our work only focuses on the feedback part of the integration. It was also done for only a few products over a few scenarios, to show feasibility. An extensive study of the possible ways and the extent of this integration needs to be done.
Also needed is the development of a model to map the regulations defined in OpenPages to policies in the respective products.
