The Need For Open Software Security Standards In A Mobile And Cloudy World

The security landscape is changing and the security industry must adapt to stay relevant. The economic and scale benefits of the cloud are causing organizations to move sensitive business processes and data outside of the safety of the corporate environment. New business models and other opportunities to create value through innovation are moving sensitive data and code onto untrusted mobile devices. Organizations are going to adopt these new cloud and mobile technologies and information security practitioners will be forced to evolve current models for risk management and mitigation. This presentation discusses the need for open software security standards to support this evolution. Being required to trust cloud service providers leads to a need for increased visibility into the software security practices of those providers. In addition, reliance on these providers’ software as well as the requirement to place software in untrusted environments such as mobile devices creates a demand for better standards for evaluating the security state of complicated systems. Many previous efforts have been focused on proprietary models that failed to provide sufficient insight or on models that lacked a level of technical rigor required to provide assurance. The solutions to these issues are open standards that are based on the real risks organizations encounter when adopting cloud and mobile technologies and the presentation outlines potential paths forward that can provide risk managers with the assurances they need while also freeing up businesses to intelligently consume emerging technologies.

Published in: Technology
Transcript

  • 1. The Need for Open Source Security Standards in a Mobile and Cloudy World
    Dan Cornell, CTO, Denim Group, @danielcornell
    © Copyright 2011 Denim Group - All Rights Reserved
  • 2. Bio: Dan Cornell
    • Founder and CTO, Denim Group
    • Software developer by background (Java, .NET)
    • OWASP
      – San Antonio Chapter Leader
      – Open Review Project Leader
      – Chair of the Global Membership Committee
    • Speaking
      – RSA, SOURCE Boston
      – OWASP AppSec, Portugal Summit, AppSecEU Dublin
      – ROOTS in Norway
  • 3. Denim Group Background
    • Secure software services and products company
      – Builds secure software
      – Helps organizations assess and mitigate risk of in-house developed and third party software
      – Provides classroom training and e-Learning so clients can build software securely
    • Software-centric view of application security
      – Application security experts are practicing developers
      – Development pedigree translates to rapport with development managers
      – Business impact: shorter time-to-fix application vulnerabilities
    • Culture of application security innovation and contribution
      – Develops open source tools to help clients mature their software security programs: Remediation Resource Center, ThreadFix, Sprajax
      – OWASP national leaders and regular speakers at RSA, SANS, OWASP, ISSA, CSI
      – World class alliance partners accelerate innovation to solve client problems
  • 4. The World Is Mobile and Cloudy
    • And Will Be Getting More So
    • Deal With It
  • 5. What Are Executives Actually Scared Of?
    • Fuel Price Changes
    • Physical Security
    • Global economy
    • Cross-Site Scripting(?)
    • Security needs to be aware of this when they weigh in
  • 6. Mobile: Risk and Value
    • Mobile applications can create tremendous value for organizations
      – New classes of applications utilizing mobile capabilities: GPS, camera, etc.
      – Innovative applications for employees and customers
    • Mobile devices and mobile applications can create tremendous risks
      – Sensitive data inevitably stored on the device (email, contacts)
      – Connect to a lot of untrusted networks (carrier, WiFi)
    • Most developers are not trained to develop secure applications
      – Fact of life, but slowly getting better
    • Most developers are new to creating mobile applications
      – Different platforms have different security characteristics and capabilities
  • 7. Generic Mobile Application Threat Model (diagram)
  • 8. What Mobile Users Are You Concerned About? (diagram)
    • Mobile Application Users
      – Enterprise Users: Employees, Partners
      – Customer Users: Paid Application Users, Convenience Users
  • 9. Cloud
    • Cost Savings
    • Ease of Deployment
    • Flexibility
    • Security?
  • 10. This is (was) Your Threat Model (diagram)
  • 11. This is Your Threat Model on "Cloud" (diagram)
  • 12. Security Team's First Concern…
    • Stay in the Conversation
    • Identify these initiatives
    • Make sure you get to participate
    • This means you have to add value
  • 13. Innovation Pressure Leads to Rogue Mobile Efforts
    • "We're thinking about doing some mobile applications"
    • "Actually your iPhone app went live 6 months ago and your Android app went live last week…"
    • Initiatives being driven from "Office of the CTO", R&D, and Marketing
  • 14. Cost and Ease of Use Pressures Lead to Rogue Cloud Deployments
    • "What do you mean the CEO's IT trouble tickets are handled by a SaaS provider?"
    • "When did we start using BaseCamp and Google Docs to manage customer projects?"
    • Any employee with a $500/month corporate credit card can now be their own purchasing officer
  • 15. Procurement Challenges
    • How do we better judge risk?
    • How can we make the decision process simpler?
  • 16. What Are App Stores Promising Stakeholders?
    • What does Apple do?
    • What does Google do?
    • What does your enterprise do?
  • 17. Challenges for Both Suppliers and Consumers
    • Did you want an automated scan or a full design assessment with manual source code review?
    • 'Cause that has an impact on scope and price…
    • Consumers of software and services must be able to articulate the level of security assurance they require
      – Otherwise it is a financial race to the bottom
      – RFPs: Garbage in, garbage out
  • 18. Service Provider Dilemma
    • Certain customers want some sort of assurance, but are not necessarily sophisticated and do not know what to ask for
    • Other customers require deeper assurance
  • 19. We Need a Better Way To Communicate
    • Processes
    • Results
  • 20. What Have We Tried in the Past?
    • Common Criteria
    • PCI-DSS
  • 21. Common Criteria (diagram)
  • 22. Payment Card Industry Data Security Standards
    • Initially based on OWASP Top 10
    • Now more open, but still based on vulnerability lists
  • 23. Recent Developments
    • Process:
      – OpenSAMM
      – BSIMM
    • Results:
      – Penetration Testing Execution Standard (PTES)
      – OWASP Application Security Verification Standard (ASVS)
  • 24. Geekonomics by David Rice
    • Great insight into economic and legal issues for software security and reliability
    • Calls for better software construction and testing standards
  • 25. Comparing Software to Food
    • Jeff Williams and nutrition labels for software
    • John Dickson and restaurant cleanliness ratings
  • 26. OpenSAMM and BSIMM
    • Externally look very similar
      – Both are three-level maturity models
      – Both have 12 different major areas of concern
    • Methodology is very different
      – BSIMM based on data from industry leaders
      – OpenSAMM based on general industry consensus
  • 27. Penetration Testing Execution Standard
    • Emerging standard for penetration testers
    • Suitable for operational environments
  • 28. Application Security Verification Standard
    • Defines multiple levels to correspond with the degree of inspection
    • Currently available for web applications, but other derivatives in the works
  • 29. A Case Study
    • Service provider for financial services industry
    • Hounded by small and large clients
  • 30. A Case Study (continued)
    • Used a combination of OpenSAMM and OWASP ASVS
    • Extended to meet certain special requirements
    • Detailed report provided to client
    • Summary report provided to interested parties
  • 31. So What Does This Get Us?
    • Application consumers can know what they are getting
    • Application providers can clearly communicate the security state of their offerings
    • World peace?
  • 32. And What Are We Still Lacking?
    • Is a "standard" being appropriately applied?
    • Is the evaluation being done at an appropriate technical granularity?
    • How do you report and communicate business risk?
    • How do you avoid a "checkbox" mentality?
  • 33. What Can You Do To Be a Winner?
    • Involve yourself in these key conversations
    • Discuss your verification requirements
    • Secure your right to test
    • Reward the good and punish the bad
  • 34. References
    • Geekonomics – http://www.geekonomicsbook.com/
    • Common Criteria – https://secure.wikimedia.org/wikipedia/en/wiki/Common_criteria
    • Building Security In Maturity Model (BSI-MM) – http://bsimm.com/
    • Open Software Assurance Maturity Model (OpenSAMM) – http://www.opensamm.org/
    • Penetration Test Execution Standard (PTES) – http://www.pentest-standard.org/
    • OWASP Application Security Verification Standard (ASVS) – https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
  • 35. Questions?
    Dan Cornell
    dan@denimgroup.com
    Twitter: @danielcornell
    www.denimgroup.com
    blog.denimgroup.com
    (210) 572-4400