Software Security Assurance - Program Building (You're going to need a bigger shovel)



  1. You're Going to Need a Bigger Shovel: A Critical Look at Software Security Assurance
     Rafal M. Los (“Wh1t3Rabbit”), Enterprise & Cloud Security Strategist
     ©2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

  2. Catch more info from me
     Podcast: http://podcast.wh1t3rabbit.net
     Blog: @Wh1t3Rabbit

  3. What Type of Organization Are You? (Be honest with yourself)
     • “Get SSA”
     • Randomly spending $ on “App Sec”
     • Fooling themselves
     Enterprise Security – HP Public

  4. App Security vs. Software Security Assurance
     • Application Security (AppSec)
       – “Securing software”
       – Tactical approach, marked by erratic spending
       – Measured to CISO level
       – Tools, tools, tools
     • Software Security Assurance (SSA)
       – Program approach driven by risks
       – Acknowledge there is no such thing as secure software
       – Measured to CIO level as impact on IT performance
       – People & process first, then smart application of technology

  5. Step 1: Assessment (Know where you’re starting)
     • Perform a rational assessment of
       – Capabilities
       – Resources
       – Assets
       – Liabilities
       – Organization & structure
       – Organizational goals
     • Be careful of paralysis by analysis
     • Be thorough, but move swiftly

  6. Step 2: Resource Planning (Build a resource strategy from your assessment)
     • What can you do with what you’ve got?
       – Human resources
       – Technology
       – Time & capital
     • Plan for resource allocation
       – Plan 6, 12, 18, 36 months into the future
       – What is current capacity (workload), and how will it grow over time?
       – Will you in-source, outsource, hybridize, or all of the above?
       – Will budgets increase or decrease, and can you leverage your LoB?
       – Do you have the right resources in the right positions to succeed?

  7. Step 3: Intelligent Process Building (Process makes success possible)
     • Don’t reinvent the wheel (you probably don’t have to)
       – Leverage existing processes
       – Less friction within the organization
       – How are things being done today? Can you fit in the right controls?
     • Accommodate, align, associate
       – Accommodate processes that the LoB is already using
       – Align to others’ goals (remember, they’re not yours …yet)
       – Associate your success to theirs, then vice versa
       – DevOps!
     • Think of the full ALM span (Application Lifecycle Management)
     [Slide diagram: Start → ? → Secure]

  8. Step 4: Implementation and Technology (Implement, then automate)
     • Implement strategically
       – Start small, where failure won’t be noticed
       – Tweak processes and approach as you go
       – Do whatever it takes to make the pilot succeed
       – Shout your success, encourage others to sign on
     • Augment and automate with technology
       – People don’t scale well
       – Ensure the right technology, to the right resources, at the right time
       – Your process must produce consistent, repeatable results
       – Remove burden from the user

  9. Step 5: Measurement and Re-Assessment (Make sure you measure business relevance)
     • Measure impact to the business
       – Get beyond “vulnerabilities” and “criticals”
       – Demonstrate risk reduction with less negative business impact
       – Build IT-relevant KPIs
       – “How is your activity contributing to business value?”
     • Re-assess each {quarter | half-year | year} to align goals
       – As business priorities change, so should your program
       – What causes a change in program?
         • Industry security “climate”
         • Budget
         • Technology shifts

  10. Things Everyone Forgets (Things only failure teaches)
     • Planning for things you can’t plan for
       – Cloud computing
       – Consumer device adoption
     • Being a smart victim
       – Plan for incident response
       – “Would you know you’ve become a victim?”
     • Adapt to boardroom requirements
       – Business objectives change; learn how to listen
       – Priorities and budgets change
     • What happens after you’ve been promoted?

  11. If this was easy, everyone wouldn’t be getting pwn3d through a 10-year-old bug.