SlideShare a Scribd company logo

Estimating Development Security Maturity in About an Hour

Priyanka Aash
Priyanka Aash

The session describes a simple method of estimating a development team’s security maturity, i.e. how well they make a secure software product, by looking at five key factors. The factors and a simple rating system will be shown coupled with real-world samples. Applicable usage scenarios as well as comparison to other security maturity models will be given. (Source: RSA USA 2016-San Francisco)

Technology
1 of 48
Download to read offline
SESSION ID: #RSAC Matt Clapham Estimating Development Security Maturity in About an Hour STR-W05 Principal, Product Security GE Healthcare @ProdSec
#RSAC How We Got to Now 2 Needed something given volume 4 things recommended Added one more Assessment leverages experience Field-tested with suppliers and devs
#RSAC Not for n00bs 3 Security operations Development experience Testing (penetration, vulnerabilities, security, or in general) Cryptography background Incident response Certifications Etc.
#RSAC Three Example Stories 4 The 11th-hour Security Review The Acquisition The Internal Development Team
#RSAC The 11th Hour Security Review “This security review won’t take long, will it?” 5
#RSAC The Acquisition “So we’re going to buying company X for its ___ product.” 6
#RSAC The Internal Development Team “Those folks making that software over there…” 7
#RSAC Agenda 8 Overview Five key behaviors Scoring and report Pros, cons, and other models Extending the method Summary Application
#RSAC Method Overview 9 Pre-meeting research - 5 to 15 minutes Meet with development team - 30 to 60 minutes Score and report back - 15 minutes Goal: 90+% confidence on assessment Total time: 50 to 90 minutes or “About an hour on average.”
#RSAC Pre-meeting Research 10 Process time required: 5 to 15 minutes Looking for… Public details about vulnerabilities Company responses and published guidance History of supporting and fixing the software Search on software name or company name and… NVD vulnerabilities patches
#RSAC Meet with the Development Team 11 Process time required: 30 to 60 minutes Resources needed: developers, testers, and program managers Goals Establish rapport Status on each of the 5 behaviors Additional information on how software is made securely
#RSAC Development Meeting Sample Agenda 12 Introductions and establish rapport – 5 minutes Identify necessary resources – 1 minute Technology overview – 3 minutes Probing questions on each focus area – 20+ minutes Wrap-up – 2 minutes
#RSAC Development Meeting Warning Signs 13 “I’m just the IT guy.” or “I’m the CISO.” “We can’t tell you because that would be a security risk.” “Our software has no flaws.” “We wrote our own encryption method…” “Bob does that for us and he’s on vacation.”
#RSAC Five Key Behaviors 14 Developer training in secure development Design threat modeling for security refinement Static code analysis Dynamic analysis and testing Vulnerability and incident response process
#RSAC What to Look For in Each 15 90% confident on a yes/no answer Anecdotes regarding technology, design pattern, etc. Artifacts (extra points if publicly available) Positives, i.e. increased quality or above and beyond Negatives, i.e. poor execution or follow-through Nearest exit, i.e. a statement that indicates yes/no quickly
#RSAC Behavior 1: Secure Development Training Do you train developers in writing secure code? 16
#RSAC Training: Openers 17 How do you teach a new developer to make a secure product? How would your developer know which security tech to use? Describe the security training developers receive. How do you keep developers up to date on security risks?
#RSAC Training: Positives and Negatives 18 Positives Regular security conference attendance Internal or External professional training Negatives Focus on general secure computer usage awareness Single annual conference attendance
#RSAC Training: Warning Signs and Exits 19 “Every developer has a chat with our Sr. architect.” “Our compliance team requires…” “We don’t need to worry about that because…” “Our cloud provider takes care of defending us.” “We sent Bob to a conference last year and he gave us slides.”
#RSAC Behavior 2: Threat Modeling How do you refine the design to remove threats? 20
#RSAC Threat Modeling: Openers 21 Describe your group’s threat modeling process. What tools do you use to model threats to the application? How do you refine the security of the design? How do you know when you’re done threat modeling?
#RSAC Threat Modeling: Positives and Negatives 22 Positives Formal process Uses tool(s) Always up to date Negatives Ad hoc Dependent on one person
#RSAC Threat Modeling: Warning Signs and Exits 23 “A couple of us get together and review the design.” “Bob does that for us and he’s on vacation.” “We had a penetration test last year and…” “We use SSL.”
#RSAC Behavior 3: Static Code Analysis How do you review your code for security flaws? 24
#RSAC Static Analysis: Openers 25 What code analysis tools do you use? How do you check your code for security flaws? How would you know if there’s a buffer overflow in your code? Describe your code review process. How do you know your code is secure?
#RSAC Static: Positives & Negatives 26 Positives Build integrated Developer client Clean check-in requirement Negatives Manual or ad hoc execution No fixing of identified problems No security tests in testing suite
#RSAC Static: Warning Signs and Exits 27 “We review every line of code manually.” “Bob reviews all our code himself.” “We use lint.” “We compile with all warnings on.”
#RSAC Behavior 4: Dynamic Analysis How do you test your software for security flaws? 28
#RSAC Dynamic Analysis: Openers 29 How do you know if your web application has a cross-site scripting vulnerability or not? How do you find vulnerabilities that have slipped through the cracks? Tell me about how you test the security of your service. Do you use any tools to automatically test the security of your application?
#RSAC Dynamic: Positives and Negatives 30 Positives Regularly scans production Coordinated with Static analysis Quality gating function Negatives Only uses a configuration scanner Only focuses on OWASP top 10
#RSAC Dynamic: Warning Signs and Exits 31 “Once a year we hire a security firm to penetration test.” “Bob scans our systems for missing patches.” “We use a patch scanner to test for vulnerabilities.” “We tried using a tool but it broke our software.”
#RSAC Behavior 5: Vulnerability and Incident Response (V&IR) Who gets the call at 3AM if there’s a vulnerability to fix? 32
#RSAC V&IR: Openers 33 How would a researcher inform you of a problem and confirm that you’ve fixed a vulnerability? How can the operations team tell if a vulnerability is in the code you wrote or not? Describe your incident response process.
#RSAC V&IR: Positives and Negatives 34 Positives Public “trust center” for customer communications and bulletins Security community engagement like bug bounties Planned (and practiced) process for handling vulnerabilities Negatives Informal or ad-hoc Thinking its only about middleware or OS patches
#RSAC V&IR: Warning Signs and Exits 35 “Our operations are experienced in dealing with patches.” “We don’t scan in our production environment.” “No one has reported any vulnerabilities to Bob.” “We’re too small to be attacked.” “We haven’t been hacked yet.”
#RSAC Scoring Method 36 Review notes and evidence Starts at 0 1 point for every confirmed behavior Average out modifiers for Positives and Negatives Aggregate score is number with + / - Range of 0- to 5+
#RSAC Simple Scoring Examples 37 Example 1 Aspect Notes Search results Nothing Training Yes Threat modeling No, - Static analysis No, + Dynamic analysis Yes, + + Vulnerabilities & incident response No, - Example 2 Aspect Notes Search results Security portal Training Yes, + - Threat modeling No, - Static analysis Yes, + + Dynamic analysis Yes, + - - Vulnerabilities & Incident Response Yes, -
#RSAC Scoring Example 1: 11th Hour Review 38 Aspect Score Notes Search results Minimal public presence, no detail of security at all Training No Alice gave security presentation and relayed news items Threat modeling No Ad hoc design review not focused on security Static analysis Yes Built-in to IDE, compiler warnings as errors Dynamic analysis No Alice did some ad hoc security testing using free tools Vulnerabilities & incident response No Customer reported problems goto account manager first
#RSAC Scoring Example 2: The Acquisition 39 Aspect Score Notes Search results Security info center Training Yes N00bs goto professional class; industry hires optionally Threat modeling Yes No tool; security architecture review team Static analysis No Custom rules for style only, lacking a tool for Ruby Dynamic analysis Yes Promotion requirement, bug bounty program Vulnerabilities & incident response Yes Incident response for patches not home-grown code, escalation process to development team in place
#RSAC Scoring Example 3: Internal Developers 40 Aspect Score Notes Search results Team has design docs for security features available Training No Optional for testers Threat modeling Yes Formal process, not all problems addressed Static analysis Yes Rules don’t specifically target security Dynamic analysis No Tried once and it broke things Vulnerabilities & incident response Yes Single point of contact is Bob, just Bob
#RSAC Report Back 41 Brief recap of 5 behaviors Refer to evidence Score with Positives or Negatives Explain the score and answer questions Optional feedback to the development teams
#RSAC Tips & Tricks 42 Be respectful and flexible in questioning Leverage experience to spot misdirection Avoid black holes in discussion Repeat back key responses Keep good notes, especially scoring justifications Seed memes of good behaviors
#RSAC Is and Isn’t 43 What it is… Speedy Rough Smoke detector Creator of more action items Anecdote for a recommendation …and isn’t Full maturity model Secure development process Standards based Compliance audit Complex
#RSAC Building Security In Maturity Model 44 a.k.a. BSIMM Based on actual usage (6 doz. Companies) Biases to assessed population Many behaviors considered across four domains Maturity levels for each item Takes about 2 to 4 weeks for a full evaluation
#RSAC Open Software Assurance Maturity Model 45 a.k.a. OpenSAMM Creative-Commons Licensed Simpler than BSIMM Handy score cards and templates Self-achievable Takes 2 days to 1 week
#RSAC For Just a few Hours More 46 Suggest trainings and resources Provide formal list of recommendations Review vulnerability history for trends Review the vulnerability history of the software’s dependencies Kickoff a maturity improvement program Referral to formal maturity assessment
#RSAC Summary 47 How the method came about Overview Five key behaviors Scoring and reporting Pros, cons, and other models Adding a few extras
#RSAC Apply What You Have Learned Today 48 3 days: Use it on a last-minute security review 3 weeks: Start using it to triage application security reviews 3 months: Formalize estimation as a process to gate further security analysis

Recommended

AWS VPC.pdf
AWS VPC.pdfAWS VPC.pdf
AWS VPC.pdf
Shagun Rathore
 
Acunetix - Web Vulnerability Scanner
Acunetix - Web Vulnerability ScannerAcunetix - Web Vulnerability Scanner
Acunetix - Web Vulnerability Scanner
Comguard India
 
Introduction to AWS WAF and AWS Firewall Manager
Introduction to AWS WAF and AWS Firewall ManagerIntroduction to AWS WAF and AWS Firewall Manager
Introduction to AWS WAF and AWS Firewall Manager
Akesh Patil
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
n|u - The Open Security Community
 
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Amazon Web Services
 
Amazon Cognito
Amazon CognitoAmazon Cognito
Amazon Cognito
Amazon Web Services
 
OWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksOWASP Top 10 API Security Risks
OWASP Top 10 API Security Risks
IndusfacePvtLtd
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
Amazon Web Services
 

Recommended

AWS VPC.pdf
AWS VPC.pdfAWS VPC.pdf
AWS VPC.pdf
Shagun Rathore
 
Acunetix - Web Vulnerability Scanner
Acunetix - Web Vulnerability ScannerAcunetix - Web Vulnerability Scanner
Acunetix - Web Vulnerability Scanner
Comguard India
 
Introduction to AWS WAF and AWS Firewall Manager
Introduction to AWS WAF and AWS Firewall ManagerIntroduction to AWS WAF and AWS Firewall Manager
Introduction to AWS WAF and AWS Firewall Manager
Akesh Patil
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
n|u - The Open Security Community
 
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Amazon Web Services
 
Amazon Cognito
Amazon CognitoAmazon Cognito
Amazon Cognito
Amazon Web Services
 
OWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksOWASP Top 10 API Security Risks
OWASP Top 10 API Security Risks
IndusfacePvtLtd
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
Amazon Web Services
 
20 common security vulnerabilities and misconfiguration in Azure
20 common security vulnerabilities and misconfiguration in Azure20 common security vulnerabilities and misconfiguration in Azure
20 common security vulnerabilities and misconfiguration in Azure
Cheah Eng Soon
 
AWS Advanced Networking: Transit Gateway
AWS Advanced Networking: Transit GatewayAWS Advanced Networking: Transit Gateway
AWS Advanced Networking: Transit Gateway
RJ Jafarkhani ☁
 
CI/CD on AWS Deploy Everything All the Time
CI/CD on AWS Deploy Everything All the TimeCI/CD on AWS Deploy Everything All the Time
CI/CD on AWS Deploy Everything All the Time
Amazon Web Services
 
IdP, SAML, OAuth
IdP, SAML, OAuthIdP, SAML, OAuth
IdP, SAML, OAuth
Dan Brinkmann
 
Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже...
Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже...Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже...
Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже...
Дмитрий Бумов
 
Mis Capstone Presentation
Mis Capstone PresentationMis Capstone Presentation
Mis Capstone Presentation
BenHnat
 
Broken access controls
Broken access controlsBroken access controls
Broken access controls
Akansha Kesharwani
 
Broken access control
Broken access controlBroken access control
Broken access control
Priyanshu Gandhi
 
Deep Dive into AWS SAM
Deep Dive into AWS SAMDeep Dive into AWS SAM
Deep Dive into AWS SAM
Amazon Web Services
 
AWS Security Hub Deep Dive
AWS Security Hub Deep DiveAWS Security Hub Deep Dive
AWS Security Hub Deep Dive
Nagesh Ramamoorthy
 
Single Sign On Considerations
Single Sign On ConsiderationsSingle Sign On Considerations
Single Sign On Considerations
Venkat Gattamaneni
 
IAM Introduction
IAM IntroductionIAM Introduction
IAM Introduction
Amazon Web Services
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
Software Guru
 
Microservices Security
Microservices SecurityMicroservices Security
Microservices Security
Aditi Anand
 
AWS Security Best Practices
AWS Security Best PracticesAWS Security Best Practices
AWS Security Best Practices
Amazon Web Services
 
SSO introduction
SSO introductionSSO introduction
SSO introduction
Aidy Tificate
 
Journey Through The Cloud - Disaster Recovery
Journey Through The Cloud - Disaster RecoveryJourney Through The Cloud - Disaster Recovery
Journey Through The Cloud - Disaster Recovery
Amazon Web Services
 
SQL Injection
SQL Injection SQL Injection
SQL Injection
Adhoura Academy
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
Amazon Web Services
 
Following Well Architected Frameworks - Lunch and Learn.pdf
Following Well Architected Frameworks - Lunch and Learn.pdfFollowing Well Architected Frameworks - Lunch and Learn.pdf
Following Well Architected Frameworks - Lunch and Learn.pdf
Amazon Web Services
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby Steps
Priyanka Aash
 
Agile Security—Field of Dreams
Agile Security—Field of DreamsAgile Security—Field of Dreams
Agile Security—Field of Dreams
Priyanka Aash
 

More Related Content

What's hot

OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
Software Guru
 

What's hot (20)

20 common security vulnerabilities and misconfiguration in Azure
20 common security vulnerabilities and misconfiguration in Azure20 common security vulnerabilities and misconfiguration in Azure
20 common security vulnerabilities and misconfiguration in Azure
 
AWS Advanced Networking: Transit Gateway
AWS Advanced Networking: Transit GatewayAWS Advanced Networking: Transit Gateway
AWS Advanced Networking: Transit Gateway
 
CI/CD on AWS Deploy Everything All the Time
CI/CD on AWS Deploy Everything All the TimeCI/CD on AWS Deploy Everything All the Time
CI/CD on AWS Deploy Everything All the Time
 
IdP, SAML, OAuth
IdP, SAML, OAuthIdP, SAML, OAuth
IdP, SAML, OAuth
 
Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже...
Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже...Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже...
Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже...
 
Mis Capstone Presentation
Mis Capstone PresentationMis Capstone Presentation
Mis Capstone Presentation
 
Broken access controls
Broken access controlsBroken access controls
Broken access controls
 
Broken access control
Broken access controlBroken access control
Broken access control
 
Deep Dive into AWS SAM
Deep Dive into AWS SAMDeep Dive into AWS SAM
Deep Dive into AWS SAM
 
AWS Security Hub Deep Dive
AWS Security Hub Deep DiveAWS Security Hub Deep Dive
AWS Security Hub Deep Dive
 
Single Sign On Considerations
Single Sign On ConsiderationsSingle Sign On Considerations
Single Sign On Considerations
 
IAM Introduction
IAM IntroductionIAM Introduction
IAM Introduction
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
 
Microservices Security
Microservices SecurityMicroservices Security
Microservices Security
 
AWS Security Best Practices
AWS Security Best PracticesAWS Security Best Practices
AWS Security Best Practices
 
SSO introduction
SSO introductionSSO introduction
SSO introduction
 
Journey Through The Cloud - Disaster Recovery
Journey Through The Cloud - Disaster RecoveryJourney Through The Cloud - Disaster Recovery
Journey Through The Cloud - Disaster Recovery
 
SQL Injection
SQL Injection SQL Injection
SQL Injection
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
 
Following Well Architected Frameworks - Lunch and Learn.pdf
Following Well Architected Frameworks - Lunch and Learn.pdfFollowing Well Architected Frameworks - Lunch and Learn.pdf
Following Well Architected Frameworks - Lunch and Learn.pdf
 

Viewers also liked

Getting started on fed ramp sec auth for csp
Getting started on fed ramp sec auth for cspGetting started on fed ramp sec auth for csp
Getting started on fed ramp sec auth for csp
Tuan Phan
 
Fedramp developing-system-security-plan-slides
Fedramp developing-system-security-plan-slidesFedramp developing-system-security-plan-slides
Fedramp developing-system-security-plan-slides
Tuan Phan
 
FedRAMP CSP SSP Training
FedRAMP CSP SSP TrainingFedRAMP CSP SSP Training
FedRAMP CSP SSP Training
1ECG
 

Viewers also liked (7)

DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby Steps
 
Agile Security—Field of Dreams
Agile Security—Field of DreamsAgile Security—Field of Dreams
Agile Security—Field of Dreams
 
Getting started on fed ramp sec auth for csp
Getting started on fed ramp sec auth for cspGetting started on fed ramp sec auth for csp
Getting started on fed ramp sec auth for csp
 
Fedramp developing-system-security-plan-slides
Fedramp developing-system-security-plan-slidesFedramp developing-system-security-plan-slides
Fedramp developing-system-security-plan-slides
 
FedRAMP CSP SSP Training
FedRAMP CSP SSP TrainingFedRAMP CSP SSP Training
FedRAMP CSP SSP Training
 
(SEC405) Enterprise Cloud Security via DevSecOps | AWS re:Invent 2014
(SEC405) Enterprise Cloud Security via DevSecOps | AWS re:Invent 2014(SEC405) Enterprise Cloud Security via DevSecOps | AWS re:Invent 2014
(SEC405) Enterprise Cloud Security via DevSecOps | AWS re:Invent 2014
 
DevOps
DevOpsDevOps
DevOps
 

Similar to Estimating Development Security Maturity in About an Hour

str-f02-vendor_security_practices-turn_the_rocks_over_early_and_often
str-f02-vendor_security_practices-turn_the_rocks_over_early_and_oftenstr-f02-vendor_security_practices-turn_the_rocks_over_early_and_often
str-f02-vendor_security_practices-turn_the_rocks_over_early_and_often
Michael Hammer
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software Security
Anne Oikarinen
 
Realizing Software Security Maturity: The Growing Pains and Gains
Realizing Software Security Maturity: The Growing Pains and GainsRealizing Software Security Maturity: The Growing Pains and Gains
Realizing Software Security Maturity: The Growing Pains and Gains
Priyanka Aash
 

Similar to Estimating Development Security Maturity in About an Hour (20)

Introducing a Security Program to Large Scale Legacy Products
Introducing a Security Program to Large Scale Legacy ProductsIntroducing a Security Program to Large Scale Legacy Products
Introducing a Security Program to Large Scale Legacy Products
 
The Rise of the Purple Team
The Rise of the Purple TeamThe Rise of the Purple Team
The Rise of the Purple Team
 
Vendor Security Practices: Turn the Rocks Over Early and Often
Vendor Security Practices: Turn the Rocks Over Early and OftenVendor Security Practices: Turn the Rocks Over Early and Often
Vendor Security Practices: Turn the Rocks Over Early and Often
 
str-f02-vendor_security_practices-turn_the_rocks_over_early_and_often
str-f02-vendor_security_practices-turn_the_rocks_over_early_and_oftenstr-f02-vendor_security_practices-turn_the_rocks_over_early_and_often
str-f02-vendor_security_practices-turn_the_rocks_over_early_and_often
 
Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"
 
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
 
Securing 100 products - How hard can it be?
Securing 100 products - How hard can it be?Securing 100 products - How hard can it be?
Securing 100 products - How hard can it be?
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software Security
 
Zero-bug Software, Mathematically Guaranteed
Zero-bug Software, Mathematically GuaranteedZero-bug Software, Mathematically Guaranteed
Zero-bug Software, Mathematically Guaranteed
 
Security Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSecurity Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar Tymoshyk
 
Realizing Software Security Maturity: The Growing Pains and Gains
Realizing Software Security Maturity: The Growing Pains and GainsRealizing Software Security Maturity: The Growing Pains and Gains
Realizing Software Security Maturity: The Growing Pains and Gains
 
2019 FRSecure CISSP Mentor Program: Class Ten
2019 FRSecure CISSP Mentor Program: Class Ten2019 FRSecure CISSP Mentor Program: Class Ten
2019 FRSecure CISSP Mentor Program: Class Ten
 
Dev{sec}ops
Dev{sec}opsDev{sec}ops
Dev{sec}ops
 
No more security empires - The ciso as an individual contributor
No more security empires - The ciso as an individual contributorNo more security empires - The ciso as an individual contributor
No more security empires - The ciso as an individual contributor
 
Agile and Secure Development
Agile and Secure DevelopmentAgile and Secure Development
Agile and Secure Development
 
Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016
 
DevSecOps : an Introduction
DevSecOps : an IntroductionDevSecOps : an Introduction
DevSecOps : an Introduction
 
ChaoSlingr: Introducing Security-Based Chaos Testing
ChaoSlingr: Introducing Security-Based Chaos TestingChaoSlingr: Introducing Security-Based Chaos Testing
ChaoSlingr: Introducing Security-Based Chaos Testing
 
Corpsec: “What Happened to Corpses A and B?”
Corpsec: “What Happened to Corpses A and B?”Corpsec: “What Happened to Corpses A and B?”
Corpsec: “What Happened to Corpses A and B?”
 
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...
 

More from Priyanka Aash

Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
Priyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
FIDO Alliance
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overview
DianaGray10
 
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
Muhammad Subhan
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxTales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
FIDO Alliance
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
FIDO Alliance
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
Safe Software
 

Recently uploaded (20)

Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 Warsaw
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overview
 
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate Guide
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxTales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
Overview of Hyperledger Foundation
Overview of Hyperledger FoundationOverview of Hyperledger Foundation
Overview of Hyperledger Foundation
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data Science
 
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024
 
Using IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandUsing IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & Ireland
 

Estimating Development Security Maturity in About an Hour

  • 1. SESSION ID: #RSAC Matt Clapham Estimating Development Security Maturity in About an Hour STR-W05 Principal, Product Security GE Healthcare @ProdSec
  • 2. #RSAC How We Got to Now 2 Needed something given volume 4 things recommended Added one more Assessment leverages experience Field-tested with suppliers and devs
  • 3. #RSAC Not for n00bs 3 Security operations Development experience Testing (penetration, vulnerabilities, security, or in general) Cryptography background Incident response Certifications Etc.
  • 4. #RSAC Three Example Stories 4 The 11th-hour Security Review The Acquisition The Internal Development Team
  • 5. #RSAC The 11th Hour Security Review “This security review won’t take long, will it?” 5
  • 6. #RSAC The Acquisition “So we’re going to buying company X for its ___ product.” 6
  • 7. #RSAC The Internal Development Team “Those folks making that software over there…” 7
  • 8. #RSAC Agenda 8 Overview Five key behaviors Scoring and report Pros, cons, and other models Extending the method Summary Application
  • 9. #RSAC Method Overview 9 Pre-meeting research - 5 to 15 minutes Meet with development team - 30 to 60 minutes Score and report back - 15 minutes Goal: 90+% confidence on assessment Total time: 50 to 90 minutes or “About an hour on average.”
  • 10. #RSAC Pre-meeting Research 10 Process time required: 5 to 15 minutes Looking for… Public details about vulnerabilities Company responses and published guidance History of supporting and fixing the software Search on software name or company name and… NVD vulnerabilities patches
  • 11. #RSAC Meet with the Development Team 11 Process time required: 30 to 60 minutes Resources needed: developers, testers, and program managers Goals Establish rapport Status on each of the 5 behaviors Additional information on how software is made securely
  • 12. #RSAC Development Meeting Sample Agenda 12 Introductions and establish rapport – 5 minutes Identify necessary resources – 1 minute Technology overview – 3 minutes Probing questions on each focus area – 20+ minutes Wrap-up – 2 minutes
  • 13. #RSAC Development Meeting Warning Signs 13 “I’m just the IT guy.” or “I’m the CISO.” “We can’t tell you because that would be a security risk.” “Our software has no flaws.” “We wrote our own encryption method…” “Bob does that for us and he’s on vacation.”
  • 14. #RSAC Five Key Behaviors 14 Developer training in secure development Design threat modeling for security refinement Static code analysis Dynamic analysis and testing Vulnerability and incident response process
  • 15. #RSAC What to Look For in Each 15 90% confident on a yes/no answer Anecdotes regarding technology, design pattern, etc. Artifacts (extra points if publicly available) Positives, i.e. increased quality or above and beyond Negatives, i.e. poor execution or follow-through Nearest exit, i.e. a statement that indicates yes/no quickly
  • 16. #RSAC Behavior 1: Secure Development Training Do you train developers in writing secure code? 16
  • 17. #RSAC Training: Openers 17 How do you teach a new developer to make a secure product? How would your developer know which security tech to use? Describe the security training developers receive. How do you keep developers up to date on security risks?
  • 18. #RSAC Training: Positives and Negatives 18 Positives Regular security conference attendance Internal or External professional training Negatives Focus on general secure computer usage awareness Single annual conference attendance
  • 19. #RSAC Training: Warning Signs and Exits 19 “Every developer has a chat with our Sr. architect.” “Our compliance team requires…” “We don’t need to worry about that because…” “Our cloud provider takes care of defending us.” “We sent Bob to a conference last year and he gave us slides.”
  • 20. #RSAC Behavior 2: Threat Modeling How do you refine the design to remove threats? 20
  • 21. #RSAC Threat Modeling: Openers 21 Describe your group’s threat modeling process. What tools do you use to model threats to the application? How do you refine the security of the design? How do you know when you’re done threat modeling?
  • 22. #RSAC Threat Modeling: Positives and Negatives 22 Positives Formal process Uses tool(s) Always up to date Negatives Ad hoc Dependent on one person
  • 23. #RSAC Threat Modeling: Warning Signs and Exits 23 “A couple of us get together and review the design.” “Bob does that for us and he’s on vacation.” “We had a penetration test last year and…” “We use SSL.”
  • 24. #RSAC Behavior 3: Static Code Analysis How do you review your code for security flaws? 24
  • 25. #RSAC Static Analysis: Openers 25 What code analysis tools do you use? How do you check your code for security flaws? How would you know if there’s a buffer overflow in your code? Describe your code review process. How do you know your code is secure?
  • 26. #RSAC Static: Positives & Negatives 26 Positives Build integrated Developer client Clean check-in requirement Negatives Manual or ad hoc execution No fixing of identified problems No security tests in testing suite
  • 27. #RSAC Static: Warning Signs and Exits 27 “We review every line of code manually.” “Bob reviews all our code himself.” “We use lint.” “We compile with all warnings on.”
  • 28. #RSAC Behavior 4: Dynamic Analysis How do you test your software for security flaws? 28
  • 29. #RSAC Dynamic Analysis: Openers 29 How do you know if your web application has a cross-site scripting vulnerability or not? How do you find vulnerabilities that have slipped through the cracks? Tell me about how you test the security of your service. Do you use any tools to automatically test the security of your application?
  • 30. #RSAC Dynamic: Positives and Negatives 30 Positives Regularly scans production Coordinated with Static analysis Quality gating function Negatives Only uses a configuration scanner Only focuses on OWASP top 10
  • 31. #RSAC Dynamic: Warning Signs and Exits 31 “Once a year we hire a security firm to penetration test.” “Bob scans our systems for missing patches.” “We use a patch scanner to test for vulnerabilities.” “We tried using a tool but it broke our software.”
  • 32. #RSAC Behavior 5: Vulnerability and Incident Response (V&IR) Who gets the call at 3AM if there’s a vulnerability to fix? 32
  • 33. #RSAC V&IR: Openers 33 How would a researcher inform you of a problem and confirm that you’ve fixed a vulnerability? How can the operations team tell if a vulnerability is in the code you wrote or not? Describe your incident response process.
  • 34. #RSAC V&IR: Positives and Negatives 34 Positives Public “trust center” for customer communications and bulletins Security community engagement like bug bounties Planned (and practiced) process for handling vulnerabilities Negatives Informal or ad-hoc Thinking its only about middleware or OS patches
  • 35. #RSAC V&IR: Warning Signs and Exits 35 “Our operations are experienced in dealing with patches.” “We don’t scan in our production environment.” “No one has reported any vulnerabilities to Bob.” “We’re too small to be attacked.” “We haven’t been hacked yet.”
  • 36. #RSAC Scoring Method 36 Review notes and evidence Starts at 0 1 point for every confirmed behavior Average out modifiers for Positives and Negatives Aggregate score is number with + / - Range of 0- to 5+
  • 37. #RSAC Simple Scoring Examples 37 Example 1 Aspect Notes Search results Nothing Training Yes Threat modeling No, - Static analysis No, + Dynamic analysis Yes, + + Vulnerabilities & incident response No, - Example 2 Aspect Notes Search results Security portal Training Yes, + - Threat modeling No, - Static analysis Yes, + + Dynamic analysis Yes, + - - Vulnerabilities & Incident Response Yes, -
  • 38. #RSAC Scoring Example 1: 11th Hour Review 38 Aspect Score Notes Search results Minimal public presence, no detail of security at all Training No Alice gave security presentation and relayed news items Threat modeling No Ad hoc design review not focused on security Static analysis Yes Built-in to IDE, compiler warnings as errors Dynamic analysis No Alice did some ad hoc security testing using free tools Vulnerabilities & incident response No Customer reported problems goto account manager first
  • 39. #RSAC Scoring Example 2: The Acquisition 39 Aspect Score Notes Search results Security info center Training Yes N00bs goto professional class; industry hires optionally Threat modeling Yes No tool; security architecture review team Static analysis No Custom rules for style only, lacking a tool for Ruby Dynamic analysis Yes Promotion requirement, bug bounty program Vulnerabilities & incident response Yes Incident response for patches not home-grown code, escalation process to development team in place
  • 40. #RSAC Scoring Example 3: Internal Developers 40 Aspect Score Notes Search results Team has design docs for security features available Training No Optional for testers Threat modeling Yes Formal process, not all problems addressed Static analysis Yes Rules don’t specifically target security Dynamic analysis No Tried once and it broke things Vulnerabilities & incident response Yes Single point of contact is Bob, just Bob
  • 41. #RSAC Report Back 41 Brief recap of 5 behaviors Refer to evidence Score with Positives or Negatives Explain the score and answer questions Optional feedback to the development teams
  • 42. #RSAC Tips & Tricks 42 Be respectful and flexible in questioning Leverage experience to spot misdirection Avoid black holes in discussion Repeat back key responses Keep good notes, especially scoring justifications Seed memes of good behaviors
  • 43. #RSAC Is and Isn’t 43 What it is… Speedy Rough Smoke detector Creator of more action items Anecdote for a recommendation …and isn’t Full maturity model Secure development process Standards based Compliance audit Complex
  • 44. #RSAC Building Security In Maturity Model 44 a.k.a. BSIMM Based on actual usage (6 doz. Companies) Biases to assessed population Many behaviors considered across four domains Maturity levels for each item Takes about 2 to 4 weeks for a full evaluation
  • 45. #RSAC Open Software Assurance Maturity Model 45 a.k.a. OpenSAMM Creative-Commons Licensed Simpler than BSIMM Handy score cards and templates Self-achievable Takes 2 days to 1 week
  • 46. #RSAC For Just a few Hours More 46 Suggest trainings and resources Provide formal list of recommendations Review vulnerability history for trends Review the vulnerability history of the software’s dependencies Kickoff a maturity improvement program Referral to formal maturity assessment
  • 47. #RSAC Summary 47 How the method came about Overview Five key behaviors Scoring and reporting Pros, cons, and other models Adding a few extras
  • 48. #RSAC Apply What You Have Learned Today 48 3 days: Use it on a last-minute security review 3 weeks: Start using it to triage application security reviews 3 months: Formalize estimation as a process to gate further security analysis