The Need For Open Software Security Standards In A Mobile And Cloudy World

Bio: Dan Cornell • Founder and CTO, Denim Group • Software developer by background (Java, .NET) • OWASP – San Antonio Chapter Leader – Open Review Project Leader – Chair of the Global Membership Committee • Speaking – RSA, SOURCE Boston – OWASP AppSec, Portugal Summit, AppSecEU Dublin – ROOTS in Norway© Copyright 2011 Denim Group - All Rights Reserved 1

Denim Group Background • Secure software services and products company – Builds secure software – Helps organizations assess and mitigate risk of in-house developed and third party software – Provides classroom training and e-Learning so clients can build software securely • Software-centric view of application security – Application security experts are practicing developers – Development pedigree translates to rapport with development managers – Business impact: shorter time-to-fix application vulnerabilities • Culture of application security innovation and contribution – Develops open source tools to help clients mature their software security programs • Remediation Resource Center, ThreadFix, Sprajax – OWASP national leaders & regular speakers at RSA, SANS, OWASP, ISSA, CSI – World class alliance partners accelerate innovation to solve client problems© Copyright 2011 Denim Group - All Rights Reserved 2

What Are Executives Actually Scared Of? • Fuel Price Changes • Physical Security • Global economy • Cross-Site Scripting(?) • Security needs to be aware of this when they weigh in© Copyright 2011 Denim Group - All Rights Reserved 4

Mobile: Risk and Value • Mobile applications can create tremendous value for organizations – New classes of applications utilizing mobile capabilities: GPS, camera, etc – Innovating applications for employees and customers • Mobile devices and mobile applications can create tremendous risks – Sensitive data inevitably stored on the device (email, contacts) – Connect to a lot of untrusted networks (carrier, WiFi) • Most developers are not trained to develop secure applications – Fact of life, but slowing getting better • Most developers are new to creating mobile applications – Different platforms have different security characteristics and capabilities© Copyright 2011 Denim Group - All Rights Reserved 5

What Mobile Users Are You Concerned About? Mobile Application Users Enterprise Customer Users Users Paid Convenience Employees Partners Application Users Users© Copyright 2011 Denim Group - All Rights Reserved 7

Security Team’s First Concern… • Stay in the Conversation • Identify these initiatives • Make sure you get to participate • This means you have to add value© Copyright 2011 Denim Group - All Rights Reserved 11

Innovation Pressure Leads to Rogue Mobile Efforts • “We‟re thinking about doing some mobile applications” • “Actually your iPhone app went live 6 months ago and your Android app went live last week…” • Initiatives being driven from “Office of the CTO”, R&D, and Marketing© Copyright 2011 Denim Group - All Rights Reserved 12

Cost and Ease of Use Pressures Lead to Rogue Cloud Deployments • “What do you mean the CEO‟s IT trouble tickets are handled by a SaaS provider?” • “When did we start using BaseCamp and Google Docs to manage customer projects?” • Any employee with a $500/month corporate credit card can now be their own purchasing officer© Copyright 2011 Denim Group - All Rights Reserved 13

Challenges for Both Suppliers and Consumers • Did you want an automated scan or a full design assessment with manual source code review? • „Cause that has an impact on scope and price… • Consumers of software and services must be able to articulate the level of security assurance they require – Otherwise it is a financial race to the bottom – RFPs: Garbage in, garbage out© Copyright 2011 Denim Group - All Rights Reserved 16

Service Provider Dilemma • Certain customers want some sort of assurance, but are not necessarily sophisticated and do not know what to ask for • Other customers require deeper assurance© Copyright 2011 Denim Group - All Rights Reserved 17

Recent Developments • Process: – OpenSAMM – BSIMM • Results: – Penetration Testing Execution Standard (PTES) – OWASP Application Security Verification Standard (ASVS)© Copyright 2011 Denim Group - All Rights Reserved 22

Geekonomics by David Rice • Great insight into economic and legal issues for software security and reliability • Calls for better software construction and testing standards© Copyright 2011 Denim Group - All Rights Reserved 23

OpenSAMM and BSIMM • Externally look very similar – Both are three-level maturity models – Both have 12 different major areas of concern • Methodology is very different – BSIMM based on data from industry leaders – OpenSAMM based on general industry consensus© Copyright 2011 Denim Group - All Rights Reserved 25

Application Security Verification Standard • Defines multiple levels to correspond with the degree of inspection • Currently available for web applications, but other derivatives in the works© Copyright 2011 Denim Group - All Rights Reserved 27

A Case Study (continued) • Used a combination of OpenSAMM and OWASP ASVS • Extended to meet certain special requirements • Detailed report provided to client • Summary report provided to interested parties© Copyright 2011 Denim Group - All Rights Reserved 29

So What Does This Get Us? • Application consumers can know what they are getting • Applications providers can clearly communicate the security state of their offerings • World peace?© Copyright 2011 Denim Group - All Rights Reserved 30

And What Are We Still Lacking? • Is a “standard” being appropriately applied? • Is the evaluation being done at an appropriate technical granularity? • How do you report and communicate business risk? • How do you avoid a “checkbox” mentality?© Copyright 2011 Denim Group - All Rights Reserved 31

What Can You Do To Be a Winner? • Involve yourself in these key conversations • Discuss your verification requirements • Secure your right to test • Reward the good and punish the bad© Copyright 2011 Denim Group - All Rights Reserved 32

References • Geekonomics – http://www.geekonomicsbook.com/ • Common Criteria – https://secure.wikimedia.org/wikipedia/en/wiki/Common_criteria • Building Security In Maturity Model (BSI-MM) – http://bsimm.com/ • Open Software Assurance Maturity Model (OpenSAMM) – http://www.opensamm.org/ • Penetration Test Execution Standard (PTES) – http://www.pentest-standard.org/ • OWASP Application Security Verification Standard (ASVS) – https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project© Copyright 2011 Denim Group - All Rights Reserved 33

http://blog.denimgroup.com	609
http://denimgroup.posterous.com	38
http://denimgroup.typepad.com	17
http://posterous.com	3

The Need For Open Software Security Standards In A Mobile And Cloudy World

by Denim Group

Accessibility

Categories

Upload Details

Usage Rights

4 Embeds 667

Statistics

The Need For Open Software Security Standards In A Mobile And Cloudy World Presentation Transcript