• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Implementation Patterns For Software Security Programs
 

Implementation Patterns For Software Security Programs

on

  • 1,867 views

Every organization’s software security program implementation is different, but patterns exist providing guidance to those looking to plan for their program rollouts. This presentation covers ...

Every organization’s software security program implementation is different, but patterns exist providing guidance to those looking to plan for their program rollouts. This presentation covers several aspects of this process including the “ownership” of the software security program as well as implementation of static code analysis, dynamic application testing and developer security education.

Statistics

Views

Total Views
1,867
Views on SlideShare
847
Embed Views
1,020

Actions

Likes
1
Downloads
6
Comments
0

7 Embeds 1,020

http://blog.denimgroup.com 928
http://denimgroup.typepad.com 80
http://www.denimgroup.com 6
http://miclark 3
http://www.newsblur.com 1
http://ranksit.com 1
http://denimgroup.com 1
More...

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Implementation Patterns For Software Security Programs Implementation Patterns For Software Security Programs Presentation Transcript

    • Implementation Patterns for! Software Security Programs! ! ! Dan Cornell! @danielcornell© Copyright 2013 Denim Group - All Rights Reserved
    • Denim Group Background •  Professional services firm that builds & secures enterprise applications –  External application assessments •  Web, mobile, and cloud –  Software development lifecycle development (SDLC) consulting •  Classroom and e-Learning for PCI compliance •  Secure development services: –  Secure .NET and Java application development –  Post-assessment remediation •  Deep penetration in Energy, Financial Services, Banking, Insurance, Healthcare and Defense market sectors •  Customer base spans Fortune 500 •  Contributes to industry best practices through the Open Web Application Security Project (OWASP)© Copyright 2013 Denim Group - All Rights Reserved 2
    • Dan Cornell •  Dan Cornell, founder and CTO of Denim Group •  Software developer by background (Java, .NET, etc) •  OWASP San Antonio •  15 years experience in software architecture, development and security •  Heads Denim Group’s application security team© Copyright 2013 Denim Group - All Rights Reserved 3
    • Agenda •  What Makes a Successful Software Security Program? –  Key commonalities •  Software Security Program Implementations –  Approaches –  Customization –  Considerations •  Three Example Program Activities –  Security Testing –  Code Review –  Education and Guidance •  Selecting What Works for your Organization© Copyright 2013 Denim Group - All Rights Reserved 4
    • Successful Software Security Programs •  Common Goal –  Reduce Risk by… •  Reliably Creating Acceptably Secure Software •  Obligatory “People, Process, Technology” Reference –  Anybody got a good Sun Tzu quote? –  I’d settle for a von Clausewitz… •  Common Activities –  Implementation must be tied to the specific organization© Copyright 2013 Denim Group - All Rights Reserved 5
    • Software Assurance Maturity Model (OpenSAMM) •  Open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks racing the organization •  Useful for: –  Evaluating an organization’s existing software security practices –  Building a balanced software security program in well-defined iterations –  Demonstrating concrete improvements to a security assurance program –  Defining and measuring security-related activities within an organization •  Main website: –  http://www.opensamm.org/© Copyright 2013 Denim Group - All Rights Reserved 6
    • SAMM Business Functions •  Start with the core activities tied to any organization performing software development •  Named generically, but should resonate with any developer or manager This slide content © Pravir Chandra © Copyright 2013 Denim Group - All Rights Reserved
    • SAMM Security Practices •  From each of the Business Functions, three Security Practices are defined •  The Security Practices cover all areas relevant to software security assurance •  Each one is a silo for improvement This slide content © Pravir Chandra © Copyright 2013 Denim Group - All Rights Reserved
    • Check Out This One... This slide content © Pravir Chandra © Copyright 2013 Denim Group - All Rights Reserved
    • Program Implementation •  Approaches •  Customization •  Considerations© Copyright 2013 Denim Group - All Rights Reserved 10
    • Approaches •  Automated vs. Manual •  Depth-First vs. Breadth-First •  Centralized vs. Distributed •  Top-Down vs. Bottom-Up •  SaaS vs. On-Premise •  In-House vs. Outsourced •  All of the Above (and More)© Copyright 2013 Denim Group - All Rights Reserved 11
    • Organizational Fit •  Not “One Size Fits All” –  What Are the Threats to Your Organization? –  How Much of an Executive Mandate Do You Have? –  How Much Risk Are You Willing (Or Going) to Bear? •  Differences Across Industries –  Financial Services Firms Do This Differently Than Energy Sector –  Different Threats, Different Regulatory Environment •  Differences Within Industries –  Oilfield Services versus Mid-majors –  Banks versus Credit Unions© Copyright 2013 Denim Group - All Rights Reserved 12
    • Holdings $0 $500,000,000 $1,000,000,000 $1,500,000,000 $2,000,000,000 $2,500,000,000 1 JPMorgan & Chase 2 Bank of American 3 Citigroup 4 Wells Fargo© Copyright 2013 Denim Group - All Rights Reserved 5 Goldman Sachs Group 6 MetLife 7 Morgan Stanley 8 U.S. Bancorp 9 Bank of New York Mellon 10 HSBC 11 PNC Financial Services Group 12 Capitol One 13 TD Bank 14 State Street Corporation Total Assets for Top Holding Companies 15 Ally Financial 16 BB&T Corporation 17 Suntrust Banks 18 Principal Financial Group 19 American Express 20 Ameriprise Financial13
    • Considerations •  Raw Budget Constraints •  Organizational Structure •  Regulatory and Compliance Mandates •  Culture and Risk Appetite •  Leadership Buy in© Copyright 2013 Denim Group - All Rights Reserved 14
    • Patterns and Anti-Patterns •  Every Organization is Different –  But there are commonalities •  Similar approaches –  Some good –  Some … less good •  Do you know the “right” thing to do? •  Are you doing it? –  If not – why not?© Copyright 2013 Denim Group - All Rights Reserved 15
    • Example Program Activities •  Take Three Common Activities from OpenSAMM •  Security Testing •  Code Review •  Education and Guidance© Copyright 2013 Denim Group - All Rights Reserved 16
    • Examples of Activities •  Security Testing –  Recurring dynamic scanning –  Manual penetration tests •  Code Review –  Automated static analysis –  Manual security code review •  Education and Guidance –  Instructor-led training for developers –  e-Learning –  Develop and publish “Top 10” list for developers© Copyright 2013 Denim Group - All Rights Reserved 17
    • Security Testing •  Also known as “black box testing” and “penetration testing” •  Testing the security of a running system –  Automated scanners help –  But don’t forget the manual component •  As with any testing activity –  How frequently? –  How thorough?© Copyright 2013 Denim Group - All Rights Reserved 18
    • Security Testing: Anti-Patterns •  “Dude with a scanner” approach –  Can also be implemented as the “lady with a scanner” approach •  “SaaS and forget” approach© Copyright 2013 Denim Group - All Rights Reserved 19
    • Security Testing: Better Patterns •  Deep Assessment of Critical Applications –  Automated scanning, manual scan review and assessment •  Breadth-First Scanning –  You want a scanning program, not a scanner •  Understand that security testing is a means to an end –  Not an end in and of itself –  Start of vulnerability management© Copyright 2013 Denim Group - All Rights Reserved 20
    • Code Review •  Also known as “static analysis” •  Again – scanners are great, but manual review and assessment are required for depth •  Code review can be (is) complicated –  Often more so than dynamic security testing –  Clean scans, false positives, prioritization…© Copyright 2013 Denim Group - All Rights Reserved 21
    • Code Review: Anti-Patterns •  “Dude with a scanner” approach (redux) –  Can still be implemented as the “lady with a scanner” approach –  Even worse for code review because source code (or binary) access is required •  “I’m sure the developers are taking care of this” –  “They’re using [FindBugs|PMD|XYZ tool]”© Copyright 2013 Denim Group - All Rights Reserved 22
    • Code Review: Better Patterns •  Key Questions: –  Who runs the scan? –  What do you do with the results? •  Centralized Code Review Group –  Helps if you have a mandate and/or the ability to block applications from production •  Deploy to Developer Desktops –  Can be great for certain organizations, but… –  Many potential pitfalls and hidden costs here© Copyright 2013 Denim Group - All Rights Reserved 23
    • Education and Guidance •  It is really hard to hold developers to a standard if you have not communicated that standard to them and provided guidance on how they can meet that standard –  Only fair… •  Can take a variety of forms –  Instructor-led training (ILT) –  e-Learning –  Lunch and learns –  Mentoring –  Knowledge bases© Copyright 2013 Denim Group - All Rights Reserved 24
    • Education and Guidance: Anti-Patterns •  “Email a link to OWASP” approach –  Site is www.owasp.org by the way –  OWASP is great, but… •  “I made you all a Powerpoint” •  “Cattle car” instructor-led training •  Fire and forget e-Learning© Copyright 2013 Denim Group - All Rights Reserved 25
    • Education and Guidance: Better Patterns •  Informal approaches can have value –  But that is not a training program –  Best used to identify staff with a special interest in security •  e-Learning for everyone –  Make it part of their bonus or annual evaluation •  Instructor-led training for “mavens” –  Provide context, link to their roles and responsibilities •  Technology- and role-specific guidance –  Do not force developers to think© Copyright 2013 Denim Group - All Rights Reserved 26
    • Where Do We Go From Here? •  Evaluate where you are •  Determine the next plateau you want to reach •  Make a plan to get there (that works for your organization)© Copyright 2013 Denim Group - All Rights Reserved 27
    • Questions / Contact Information Dan Cornell Principal and CTO dan@denimgroup.com Twitter @danielcornell (210) 572-4400 www.denimgroup.com blog.denimgroup.com© Copyright 2013 Denim Group - All Rights Reserved 28