Master pci quick start code scan secure 360 2011

Presented at Secure360 2011; a case study and related advice on building a security-focused static code analysis program for appsec in a rapid start model.

Transcript

  • 1. Rapid-Start Code Scanning for PCI Compliance. Presented at Secure 360, 2011 by Darren Meyer <darren.meyer@gmail.com>
  • 2. The problem you think you have: PCI DSS version 2.0, §6.6: Verify that public-facing web applications are reviewed (using either manual or automated vulnerability security assessment tools or methods), as follows: - At least annually - After any changes - By an organization that specializes in application security - That all vulnerabilities are corrected - That the application is re-evaluated after the corrections
  • 3. The problem you actually have: PCI DSS version 2.0, §6.5: Prevent common coding vulnerabilities in software development processes
  • 4. Actually, it’s this: PCI DSS 2.0 Requirement 6: Develop and maintain secure systems and applications
  • 5. Yeah... Let’s not worry about that today
  • 6. What you are about to see is real. Some details have been changed to protect me from PR policy violations
  • 7. My challenge
  • 8. My challenge: “We’re building a huge, public, eCommerce site”
  • 9. My challenge: “We’re building a huge, public, eCommerce site” “We hired an integrator to do the work”
  • 10. My challenge: “We’re building a huge, public, eCommerce site” “We hired an integrator to do the work” “They have no application security program”
  • 11. My challenge: “We’re building a huge, public, eCommerce site” “We hired an integrator to do the work” “They have no application security program” “You have 8 weeks to build one”
  • 12. My challenge: “We’re building a huge, public, eCommerce site” “We hired an integrator to do the work” “They have no application security program” “You have 8 weeks to build one” GO!
  • 13. Challenge Accepted
  • 14. Prevent common coding vulnerabilities.... Oh, OK! We’ll hire someone... (Verizon, TCS, WiPro, NetSPI, IBM, Trustwave Spider Labs)
  • 15. For about $1.20 a line... (Fully loaded cost)
  • 16. And... You have to do it regularly: “...the application is re-evaluated after the corrections”. I would have needed weekly reviews to meet goals on this 100-week project
  • 17. Estimated total cost: $168,000,000
  • 18. Ok, I’ll build it myself!
  • 19. Consider this... - Staffing needs - Exception management - Skills training - Coding standards - Setting up a process - False positive mgmt. - Developer training - Roll-out planning - Awareness - Support - Developer turnover - Vulnerability triage
  • 20. Right. I don’t have 3 years
  • 21. Rapid Start
  • 22. Rapid Start
  • 23. Rapid Start Select a tool
  • 24. Rapid Start Select a tool Integrate Build
  • 25. Rapid Start Select a tool Integrate Build Buy a CoE
  • 26. Estimated total Rapid Start cost: $16,200,000 (9.6% of original)
  • 27. What tool?
  • 28. What tool?
  • 29. What tool?
  • 30. Key selection criteria Think long-term: - Language coverage - Licensing terms - Support for my build systems - Portfolio management capabilities
  • 31. Build integration Security is part of quality: use the QA build (But don’t get in the critical path)
  • 32. Buy a CoE Hire a firm that knows your tool and has a good AppSec capability
  • 33. Keep the process simple: QA build → Triage → Defect Tracker; consult on rejected defects; eliminate noise
  • 34. Prepare for rejected defects. Developers will reject defects, because: - They don’t understand the problem - They don’t understand how to fix it - They aren’t security experts
  • 35. Prepare for rejected defects. Developers will reject defects, because: - They don’t understand the problem - They don’t understand how to fix it - They aren’t security experts. This is OK
  • 36. Check your work! You still need an expert code review at least a couple of times (we did four). Pen tests help you verify severity and get needed attention
  • 37. Dev is not the enemy: NO punishment, NO retaliation, NO special treatment
  • 38. Now what?
  • 39. Let’s talk about technical debt, because this approach created quite a bit
  • 40. Remember these? - Staffing needs - Exception management - Skills training - Coding standards - Setting up a process - False positive mgmt. - Developer training - Roll-out planning - Awareness - Support - Developer turnover - Vulnerability triage
  • 41. You have to address them. You can’t scale the Rapid Start model. Compliance is not security
  • 42. Get closer to development: Instrument IDE to test for security. Keep your QA build hooks in place
  • 43. Build clear requirements - Use tools to test against requirements - Govern only against requirements - If it’s not in the requirements, it’s your fault
  • 44. Internalize your CoE: Use your own people. Stop looking for noise (your devs will find it). Support development. Maintain the program
  • 45. Train your developers: Train on tools. Train on requirements. Teach basic security skills. DON’T try to make them security experts
  • 46. Remember who your customer is (It’s NOT the security team)
  • 47. Argue with / Interrogate me
  • 48. Colophon: Creator Darren Meyer <darren.meyer@gmail.com>; Typeface Helvetica Neue; Software Apple Keynote, Pixelmator; Thanks to Fortify Software, Secure 360 Conference, Jay Jacobs =^o-o^=
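The pipeline sketched on slides 31 and 33 (scan from the QA build, stay out of the critical path, triage into the defect tracker, eliminate noise) as a worked example. This script is added here and is not code from the talk, from Fortify, or from any other scanner vendor: the JSON report shape, the rule names, the file paths, the suppression reasons and the `DEF-1042` ticket id are all constructed for the example, and real tools emit their own report formats that the `triage` function would read instead.

```python
"""Triage step for a static scan run from the QA build (added example).

Reads a scanner report in a constructed, tool-neutral JSON shape, drops
findings that triage has already ruled noise, skips findings already in
the defect tracker, and returns the remaining findings as new defects to
file, highest severity first. The scan never fails the build: it is
advisory, so it stays out of the QA build's critical path.
"""
import hashlib
import json
import sys

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def fingerprint(finding):
    """Stable identity for a finding: rule + file + whitespace-normalized snippet.

    Line numbers are deliberately excluded so that ordinary edits elsewhere
    in the file do not reopen a defect that triage has already handled."""
    snippet = "".join(finding["snippet"].split())
    key = f"{finding['rule']}|{finding['file']}|{snippet}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def triage(report_text, suppressions, filed):
    """Split a scan report into new, already-filed and suppressed findings.

    suppressions: {fingerprint: reason} ruled noise by the CoE during triage.
    filed:        {fingerprint: ticket id} already in the defect tracker."""
    report = json.loads(report_text)
    result = {"new": [], "known": [], "suppressed": []}
    seen = set()
    for finding in report["findings"]:
        fp = fingerprint(finding)
        if fp in seen:  # same issue reported twice in one run (e.g. a shifted line)
            continue
        seen.add(fp)
        if fp in suppressions:
            result["suppressed"].append((fp, suppressions[fp]))
        elif fp in filed:
            result["known"].append((fp, filed[fp]))
        else:
            result["new"].append(dict(finding, fingerprint=fp))
    result["new"].sort(key=lambda f: SEVERITY_ORDER.get(f["severity"], 9))
    return result


def defect_record(finding):
    """Shape a new finding as a defect-tracker ticket; the fingerprint is
    stored on the ticket so later scans can recognise it as already filed."""
    return {
        "title": f"[SAST][{finding['severity']}] {finding['rule']} in {finding['file']}",
        "fingerprint": finding["fingerprint"],
        "description": (
            f"{finding['file']}:{finding['line']}\n    {finding['snippet']}\n"
            "Reported by the QA-build static scan. Rejected defects are routed "
            "to the security CoE for consultation rather than closed outright."
        ),
        "labels": ["security", "sast"],
    }


# Constructed sample report (hypothetical rule names and paths, not real scanner output).
SAMPLE_FINDINGS = [
    {"rule": "XSS_REFLECTED", "severity": "medium", "file": "src/web/Search.jsp",
     "line": 18, "snippet": 'out.print(request.getParameter("q"));'},
    {"rule": "HARDCODED_PASSWORD", "severity": "low", "file": "src/test/DbFixture.java",
     "line": 9, "snippet": 'conn = connect("test", "test");'},
    {"rule": "PATH_TRAVERSAL", "severity": "medium", "file": "src/web/Download.java",
     "line": 44, "snippet": 'new File(baseDir, request.getParameter("name"))'},
    {"rule": "SQL_INJECTION", "severity": "high", "file": "src/cart/Order.java",
     "line": 212, "snippet": 'stmt.execute("SELECT * FROM orders WHERE cust=" + custId);'},
    # Same defect as above, reported again after an unrelated edit shifted the line.
    {"rule": "SQL_INJECTION", "severity": "high", "file": "src/cart/Order.java",
     "line": 230, "snippet": 'stmt.execute("SELECT * FROM orders WHERE cust=" + custId);'},
]
SAMPLE_REPORT = json.dumps({"findings": SAMPLE_FINDINGS})

# Constructed triage state: the test-fixture credential was ruled noise; the XSS is filed.
SUPPRESSIONS = {fingerprint(SAMPLE_FINDINGS[1]): "test fixture, not shipped; ruled a false positive"}
FILED = {fingerprint(SAMPLE_FINDINGS[0]): "DEF-1042"}  # placeholder ticket id

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT, SUPPRESSIONS, FILED)
    for finding in result["new"]:
        print(json.dumps(defect_record(finding)))  # hand these to the tracker's API
    print(f"new={len(result['new'])} known={len(result['known'])} "
          f"suppressed={len(result['suppressed'])}", file=sys.stderr)
    sys.exit(0)  # advisory only: the QA build is never failed by the scan
```

Run from the QA build after the scanner has written its report; the summary line goes to the build log while the new defect records go to the tracker. Keeping the fingerprint on the ticket is what makes the "eliminate noise" step cumulative: once triage has ruled a finding a false positive or a developer's rejection has been reviewed by the CoE, that decision is recorded once and honoured on every later scan instead of being re-argued.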