SlideShare a Scribd company logo

[EMC] Source Code Protection

Perforce
Perforce
Technology
1 of 35
Download to read offline
1   Source Code Protection: Evaluating Source Code Security Stephanie Woiciechowski, GSEC Principal Software Engineer Product Security Office EMC Corporation
2   Goals •  Understand application of basic security concepts •  Collaborative security •  Iterative security improvements around source code If  you  have  built  castles  in  the   air,  your  work  need  not  be  lost;   that  is  where  they  should  be.   Now  put  the  founda;ons  under   them.        -­‐-­‐  Thoreau  
3   Why should we care? Threats to source code
4   Source Code Threats “Consider that no organization is impenetrable. Assume that your organization might already be compromised and go from there.” Security for Business Innovation Council (2011) Security  takes  a  new  role  in  working  with  source  code.  
5   Claims  by  Anonymous   about  Symantec   -­‐-­‐Symantec   •  Theft of product-related intellectual property to undermine the security of our customers. •  Or to seek competitive advantage •  Exposure of vulnerabilities •  Exposure of trade/government secrets Source Code Threats Security  takes  a  new  role  in  working  with  source  code.   AMSC  Taking  Sinovel   Infringement  Suit  to   China’s  Supreme  Court      -­‐-­‐  Bloomberg   Ex-­‐NASA  contractor   arrested  on  plane  to   China   -­‐-­‐Associated  Press  
6   Claims  by  Anonymous  about  Symantec  -­‐-­‐Symantec   •  Theft of product-related intellectual property to undermine the security of our customers. •  Or to seek competitive advantage •  Exposure of vulnerabilities •  Exposure of trade/government secrets Source Code Threats Security  takes  a  new  role  in  working  with  source  code.   AMSC  Taking   Sinovel   Infringement   Suit  to  China’s   Supreme  Court      -­‐-­‐  Bloomberg   Ex-­‐NASA   contractor   arrested  on   plane  to  China   -­‐-­‐Associated   Press  
7   Source Code Threats •  Insertion of malicious code into products during development cycle that can undermine product integrity and operations in customer environments. Security  takes  a  new  role  in  working  with  source  code.   phpMyAdmin
8   What can we do? Define objective
9   What can we do? •  Prerequisites & Assumptions •  IT is doing their part for corporate security •  Security is not #1 for SCM, Build, Release, QE, and Dev •  Security goals often support SCM goals of traceability, reproducibility, and auditability •  Approach: Collaboration •  Define security criteria •  Understand current environment •  Review tools in use against criteria •  Include input from SCM and security experts •  Manage change •  Provide recommendations for preferred solutions •  Provide a framework to assess implementations & evaluate new solutions Improve  security  in  the  source  code  environment  to  defend   against  threats.  
10   •  Policy: What needs to be done to protect source code. •  Strong passwords to access source code •  Transactions will be logged and protected •  Standards: How to implement policy. •  Source code systems are integrated with organization’s identity management system and use network password. •  Transactions are logged to syslog and exported every 20 minutes to a log aggregation system. •  Achievable & Maintainable: Consistent approach to implementation •  Measureable: Evaluation if a control is in place and how it is functioning •  Threat model: How might your environment be attacked? •  Business case •  What could happen if your source code is modified? •  What could happen if your source code is stolen? •  How would you recover and at what cost? •  Actionable intelligence Establish Goals & Team •  Initial Goals: Call to action •  Who should be involved? •  Policies & Standards •  Procedures & Assessments RISK  REDUCTION   Task  Force   IT   Security   Source  Code  Admin   Legal   Development   RISK  REDUCTION  
11   •  Threat model: How might your environment be attacked? •  Business case •  What could happen if your source code is modified? •  What could happen if your source code is stolen? •  How would you recover and at what cost? •  Actionable intelligence Establish Goals & Team •  Initial Goals: Call to action RISK  REDUCTION  
12   Establish Goals & Team •  Initial Goals: Call to action •  Who should be involved? Task  Force   IT   Security   Source  Code  Admin   Legal   Development  
13   •  Policy: What needs to be done to protect source code. •  Strong passwords to access source code •  Transactions will be logged and protected •  Standards: How to implement policy. •  Source code systems are integrated with organization’s identity management system and use network password. •  Transactions are logged to syslog and exported every 20 minutes to a log aggregation system. Establish Goals & Team •  Initial Goals: Call to action •  Who should be involved? •  Policies & Standards
14   •  Achievable & Maintainable: Consistent approach to implementation •  Measureable: Evaluation if a control is in place and how it is functioning Establish Goals & Team •  Initial Goals: Call to action •  Who should be involved? •  Policies & Standards •  Procedures & Assessments RISK  REDUCTION  
15   Source   Code   Backups   Hardware   Storage  EncrypMon   DLP   Network   IsolaMon   Physical   IsolaMon   Virtual   IsolaMon   Virtual   Containment   Preven;ve   Detec;ve   Correc;ve   •  Authentication is a way to prove your identity such that no one can later say it wasn’t you Identity + Secret = Authentication •  Centralized authentication mechanisms •  Why local accounts cause problems Value of and risk to the data informs appropriate security solutions Defining Security Criteria •  Defense-in-depth •  Data Classification •  Identity/Authentication •  Access Controls •  Isolation •  Data Protection •  Hardening •  Avoiding Malicious Code •  Logging Layers of Protection Services   Ports   Security  Patches   ConfiguraMon   Code  Changes   •  Chain  of   Custody   •  Code  reviews   •  Reputable   sourcing   •  Integrity   checks   Environment   •  Servers   •  WorkstaMons   •  Malware   •  Rootkits   Principle of Least Privilege •  The Apache Way … Reduce vulnerable surface area of a server eGRC Compliance monitoring Forensics   Log  protecMon   Regular  reviews   AcMve  monitoring   • Restricted  access   • Storage  monitors   • Log  aggregaMon   • One  of  the  most  common   ways  insiders  detect   breaches  
16   Define Security Criteria •  We have a team •  We have basic Defense-in-Depth security solutions •  Now … draft Source Code Security Policies and Standards to document expectations
17   What can we do? Understand the current environment
18   Establish a baseline Where are we? •  Scope your environment •  Environment diagrams
19   Establish a baseline Where are we? •  Scope your environment •  Environment diagrams •  Engineering practices
20   Establish a baseline Where are we? •  Scope your environment •  Environment diagrams •  Engineering practices •  Data classification: where is the important “stuff”? •  Threat Modeling
21   Establish a baseline Where are we? •  Scope your environment •  Environment diagrams •  Engineering practices •  Data classification: where is the important “stuff”? •  Threat Modeling •  Tools •  Are they working securely? •  Simple solutions? •  Turn on functionality •  Add-ons •  Cost/benefit •  Change tools •  Reinforce environment Don’t throw the baby out with the bathwater!
22   Where are we? •  Scope your environment •  Environment diagrams •  Engineering practices •  Data classification: where is the important “stuff”? •  Threat Modeling •  Tools •  Usability!!!
23   What did EMC find?
24   2011 EMC Summary of 5 Common Brands Analysis of product features, not existing implementations Repository 1 Repository 2 Repository 3 Repository 4 Repository 5 Out of Box Add On Out of Box Add On Out of Box Add On Out of Box Add On Out of Box Add On Corporate  authenMcaMon   ü ü ü ü ü Logs  of  transacMons  against  access  controls   can  be  exported  to  a  monitoring  tool.   ü PARTIAL ü PARTIAL ü ü PARTIAL ü Granular  access  controls   PARTIAL x PARTIAL x PARTIAL ü x ü Support  for  code  review  workflow   PARTIAL ü x ü x ü ü x ü 11 High level policy criteria and 31 controls (not weighted)
25   2011 EMC Summary of 5 Common Brands 11 High level policy criteria and 31 controls (not weighted) 0%   10%   20%   30%   40%   50%   60%   70%   80%   90%   100%   Overall  Risk  Assessment  Percentages   Add-­‐On   Out  of  Box     Repository  1   Repository  2   Repository  3   Repository  4   Repository  5   Out-­‐of-­‐ Box   Add-­‐On     Out-­‐of-­‐ Box   Add-­‐On     Out-­‐of-­‐ Box   Add-­‐On     Out-­‐of-­‐ Box   Add-­‐On     Out-­‐of-­‐ Box   Add-­‐On     TOTAL 200 210 160 210 160 210 220 220 170 220(out  of  220) Percentage 91% 95% 73% 95% 73% 95% 100% 100% 77% 100% Difference:   5%   23%   23%   0%   23% Analysis of product features, not existing implementations
26   EMC’s Observations •  Most major Source Code Repository systems can be made acceptable •  All existing solutions can be made better •  Newer SCMs have more security built–in or added as features •  Source code is highly visible to many people regardless of whether the SCM is distributed (like Git) or not •  A poorly configured underlying platform or poor practices can undermine strength of any application controls that may exist
27   Managing change … … to steady state
28   Action Like most organizational projects … •  Team •  Policies & Standards •  Evaluate •  Plan •  Implement … except this must be a continuous process.
29   Continuous Monitoring and Improvement Observe   &  Orient   •  Minimize new options •  Until you get a handle on your environment •  Don’t chase a moving target •  Assessments •  Security awareness training needs to emphasize secure source code
30   Continuous Monitoring and Improvement Observe   &  Orient   Decide   •  Minimize new options •  Until you get a handle on your environment •  Don’t chase a moving target •  Assessments •  Security awareness training needs to emphasize secure source code •  How will you evaluate new solutions? •  Expand scope: other build- related tools and infrastructure
31   Triage   eGRC   Threat   Model   Assessment   Continuous Monitoring and Improvement Observe   &  Orient   Decide  
32   Continuous Monitoring and Improvement Observe   &  Orient   Decide   AcMon   •  Test •  Deploy •  Implementation guidance
33   Summary
34   Summary •  Evolving threats change how we need to think about source code security •  Collaboration: Expanding security awareness involves more stakeholders •  Policies & Standards: define security goals based on common security strategies •  Measure: Baseline environment •  Implement & manage change •  Expand frameworks Improve  security  in  the  source  code  environment  to   defend  against  threats  
35   Thank you Stephanie Woiciechowski, GSEC EMC Product Security Office stephanie.woiciechowski@emc.com

Recommended

The RIPE Experience
The RIPE ExperienceThe RIPE Experience
The RIPE Experience
Digital Bond
 
BSIMM-V: The Building Security In Maturity Model
BSIMM-V: The Building Security In Maturity ModelBSIMM-V: The Building Security In Maturity Model
BSIMM-V: The Building Security In Maturity Model
Cigital
 
BSIMM: Bringing Science to Software Security
BSIMM: Bringing Science to Software SecurityBSIMM: Bringing Science to Software Security
BSIMM: Bringing Science to Software Security
Cigital
 
Chapter 1 Security Framework
Chapter 1 Security FrameworkChapter 1 Security Framework
Chapter 1 Security Framework
Karthikeyan Dhayalan
 
Flight East 2018 Presentation–You've got your open source audit report, now w...
Flight East 2018 Presentation–You've got your open source audit report, now w...Flight East 2018 Presentation–You've got your open source audit report, now w...
Flight East 2018 Presentation–You've got your open source audit report, now w...
Synopsys Software Integrity Group
 
Solving the CIO’s Cybersecurity Dilemma
Solving the CIO’s Cybersecurity DilemmaSolving the CIO’s Cybersecurity Dilemma
Solving the CIO’s Cybersecurity Dilemma
John Gilligan
 
Threat Dissection - Alberto Soliño Testa Research Director, Core Security
Threat Dissection - Alberto Soliño Testa Research Director, Core SecurityThreat Dissection - Alberto Soliño Testa Research Director, Core Security
Threat Dissection - Alberto Soliño Testa Research Director, Core Security
Core Security
 
Securing and automating your application infrastructure meetup 23112021 b
Securing and automating your application infrastructure meetup 23112021 bSecuring and automating your application infrastructure meetup 23112021 b
Securing and automating your application infrastructure meetup 23112021 b
lior mazor
 

Recommended

The RIPE Experience
The RIPE ExperienceThe RIPE Experience
The RIPE Experience
Digital Bond
 
BSIMM-V: The Building Security In Maturity Model
BSIMM-V: The Building Security In Maturity ModelBSIMM-V: The Building Security In Maturity Model
BSIMM-V: The Building Security In Maturity Model
Cigital
 
BSIMM: Bringing Science to Software Security
BSIMM: Bringing Science to Software SecurityBSIMM: Bringing Science to Software Security
BSIMM: Bringing Science to Software Security
Cigital
 
Chapter 1 Security Framework
Chapter 1 Security FrameworkChapter 1 Security Framework
Chapter 1 Security Framework
Karthikeyan Dhayalan
 
Flight East 2018 Presentation–You've got your open source audit report, now w...
Flight East 2018 Presentation–You've got your open source audit report, now w...Flight East 2018 Presentation–You've got your open source audit report, now w...
Flight East 2018 Presentation–You've got your open source audit report, now w...
Synopsys Software Integrity Group
 
Solving the CIO’s Cybersecurity Dilemma
Solving the CIO’s Cybersecurity DilemmaSolving the CIO’s Cybersecurity Dilemma
Solving the CIO’s Cybersecurity Dilemma
John Gilligan
 
Threat Dissection - Alberto Soliño Testa Research Director, Core Security
Threat Dissection - Alberto Soliño Testa Research Director, Core SecurityThreat Dissection - Alberto Soliño Testa Research Director, Core Security
Threat Dissection - Alberto Soliño Testa Research Director, Core Security
Core Security
 
Securing and automating your application infrastructure meetup 23112021 b
Securing and automating your application infrastructure meetup 23112021 bSecuring and automating your application infrastructure meetup 23112021 b
Securing and automating your application infrastructure meetup 23112021 b
lior mazor
 
Overview of the 20 critical controls
Overview of the 20 critical controlsOverview of the 20 critical controls
Overview of the 20 critical controls
EnclaveSecurity
 
PRESENTATION▶ Cyber Security Services (CSS): Security Simulation
PRESENTATION▶ Cyber Security Services (CSS): Security SimulationPRESENTATION▶ Cyber Security Services (CSS): Security Simulation
PRESENTATION▶ Cyber Security Services (CSS): Security Simulation
Symantec
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #3
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #3SynerComm's Tech TV series CIS Top 20 Critical Security Controls #3
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #3
Lisa Niles
 
2008: Web Application Security Tutorial
2008: Web Application Security Tutorial2008: Web Application Security Tutorial
2008: Web Application Security Tutorial
Neil Matatall
 
Ooredoo%20Security%20Managed%20Services
Ooredoo%20Security%20Managed%20ServicesOoredoo%20Security%20Managed%20Services
Ooredoo%20Security%20Managed%20Services
Muhammad Mudassar
 
NextGen Endpoint Security for Dummies
NextGen Endpoint Security for DummiesNextGen Endpoint Security for Dummies
NextGen Endpoint Security for Dummies
Atif Ghauri
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #2
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #2SynerComm's Tech TV series CIS Top 20 Critical Security Controls #2
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #2
Lisa Niles
 
Information Security and the SDLC
Information Security and the SDLCInformation Security and the SDLC
Information Security and the SDLC
BDPA Charlotte - Information Technology Thought Leaders
 
An introduction to the CISSP certification for self study groups
An introduction to the CISSP certification for self study groupsAn introduction to the CISSP certification for self study groups
An introduction to the CISSP certification for self study groups
Tomas Ericsson
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4
Lisa Niles
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1
Lisa Niles
 
Accelerating OT - A Case Study
Accelerating OT - A Case StudyAccelerating OT - A Case Study
Accelerating OT - A Case Study
Digital Bond
 
Protecting endpoints from targeted attacks
Protecting endpoints from targeted attacksProtecting endpoints from targeted attacks
Protecting endpoints from targeted attacks
AppSense
 
Risk Management Methodology
Risk Management MethodologyRisk Management Methodology
Risk Management Methodology
laurahees
 
Utilizing the Critical Security Controls to Secure Healthcare Technology
Utilizing the Critical Security Controls to Secure Healthcare TechnologyUtilizing the Critical Security Controls to Secure Healthcare Technology
Utilizing the Critical Security Controls to Secure Healthcare Technology
EnclaveSecurity
 
Winning the Cage-Match: How to Successfully Navigate Open Source Software iss...
Winning the Cage-Match: How to Successfully Navigate Open Source Software iss...Winning the Cage-Match: How to Successfully Navigate Open Source Software iss...
Winning the Cage-Match: How to Successfully Navigate Open Source Software iss...
Black Duck by Synopsys
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5
Lisa Niles
 
Owasp Proactive Controls for Web developer
Owasp Proactive Controls for Web developerOwasp Proactive Controls for Web developer
Owasp Proactive Controls for Web developer
Sameer Paradia
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshop
SLVA Information Security
 
L27
L27L27
L27
NathannyabvureMapisa
 
Decompiling Android
Decompiling AndroidDecompiling Android
Decompiling Android
Godfrey Nolan
 
Android reverse engineering - Analyzing skype
Android reverse engineering - Analyzing skypeAndroid reverse engineering - Analyzing skype
Android reverse engineering - Analyzing skype
Mário Almeida
 

More Related Content

What's hot

Overview of the 20 critical controls
Overview of the 20 critical controlsOverview of the 20 critical controls
Overview of the 20 critical controls
EnclaveSecurity
 
PRESENTATION▶ Cyber Security Services (CSS): Security Simulation
PRESENTATION▶ Cyber Security Services (CSS): Security SimulationPRESENTATION▶ Cyber Security Services (CSS): Security Simulation
PRESENTATION▶ Cyber Security Services (CSS): Security Simulation
Symantec
 
Ooredoo%20Security%20Managed%20Services
Ooredoo%20Security%20Managed%20ServicesOoredoo%20Security%20Managed%20Services
Ooredoo%20Security%20Managed%20Services
Muhammad Mudassar
 
NextGen Endpoint Security for Dummies
NextGen Endpoint Security for DummiesNextGen Endpoint Security for Dummies
NextGen Endpoint Security for Dummies
Atif Ghauri
 
An introduction to the CISSP certification for self study groups
An introduction to the CISSP certification for self study groupsAn introduction to the CISSP certification for self study groups
An introduction to the CISSP certification for self study groups
Tomas Ericsson
 
Protecting endpoints from targeted attacks
Protecting endpoints from targeted attacksProtecting endpoints from targeted attacks
Protecting endpoints from targeted attacks
AppSense
 
Utilizing the Critical Security Controls to Secure Healthcare Technology
Utilizing the Critical Security Controls to Secure Healthcare TechnologyUtilizing the Critical Security Controls to Secure Healthcare Technology
Utilizing the Critical Security Controls to Secure Healthcare Technology
EnclaveSecurity
 

What's hot (20)

Overview of the 20 critical controls
Overview of the 20 critical controlsOverview of the 20 critical controls
Overview of the 20 critical controls
 
PRESENTATION▶ Cyber Security Services (CSS): Security Simulation
PRESENTATION▶ Cyber Security Services (CSS): Security SimulationPRESENTATION▶ Cyber Security Services (CSS): Security Simulation
PRESENTATION▶ Cyber Security Services (CSS): Security Simulation
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #3
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #3SynerComm's Tech TV series CIS Top 20 Critical Security Controls #3
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #3
 
2008: Web Application Security Tutorial
2008: Web Application Security Tutorial2008: Web Application Security Tutorial
2008: Web Application Security Tutorial
 
Ooredoo%20Security%20Managed%20Services
Ooredoo%20Security%20Managed%20ServicesOoredoo%20Security%20Managed%20Services
Ooredoo%20Security%20Managed%20Services
 
NextGen Endpoint Security for Dummies
NextGen Endpoint Security for DummiesNextGen Endpoint Security for Dummies
NextGen Endpoint Security for Dummies
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #2
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #2SynerComm's Tech TV series CIS Top 20 Critical Security Controls #2
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #2
 
Information Security and the SDLC
Information Security and the SDLCInformation Security and the SDLC
Information Security and the SDLC
 
An introduction to the CISSP certification for self study groups
An introduction to the CISSP certification for self study groupsAn introduction to the CISSP certification for self study groups
An introduction to the CISSP certification for self study groups
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1
 
Accelerating OT - A Case Study
Accelerating OT - A Case StudyAccelerating OT - A Case Study
Accelerating OT - A Case Study
 
Protecting endpoints from targeted attacks
Protecting endpoints from targeted attacksProtecting endpoints from targeted attacks
Protecting endpoints from targeted attacks
 
Risk Management Methodology
Risk Management MethodologyRisk Management Methodology
Risk Management Methodology
 
Utilizing the Critical Security Controls to Secure Healthcare Technology
Utilizing the Critical Security Controls to Secure Healthcare TechnologyUtilizing the Critical Security Controls to Secure Healthcare Technology
Utilizing the Critical Security Controls to Secure Healthcare Technology
 
Winning the Cage-Match: How to Successfully Navigate Open Source Software iss...
Winning the Cage-Match: How to Successfully Navigate Open Source Software iss...Winning the Cage-Match: How to Successfully Navigate Open Source Software iss...
Winning the Cage-Match: How to Successfully Navigate Open Source Software iss...
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5
 
Owasp Proactive Controls for Web developer
Owasp Proactive Controls for Web developerOwasp Proactive Controls for Web developer
Owasp Proactive Controls for Web developer
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshop
 
L27
L27L27
L27
 

Viewers also liked

Android reverse engineering - Analyzing skype
Android reverse engineering - Analyzing skypeAndroid reverse engineering - Analyzing skype
Android reverse engineering - Analyzing skype
Mário Almeida
 

Viewers also liked (9)

Decompiling Android
Decompiling AndroidDecompiling Android
Decompiling Android
 
Android reverse engineering - Analyzing skype
Android reverse engineering - Analyzing skypeAndroid reverse engineering - Analyzing skype
Android reverse engineering - Analyzing skype
 
How to reverse engineer Android applications—using a popular word game as an ...
How to reverse engineer Android applications—using a popular word game as an ...How to reverse engineer Android applications—using a popular word game as an ...
How to reverse engineer Android applications—using a popular word game as an ...
 
Mobile application security and threat modeling
Mobile application security and threat modelingMobile application security and threat modeling
Mobile application security and threat modeling
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
 
Understanding the Dalvik bytecode with the Dedexer tool
Understanding the Dalvik bytecode with the Dedexer toolUnderstanding the Dalvik bytecode with the Dedexer tool
Understanding the Dalvik bytecode with the Dedexer tool
 
Hacking Mobile Apps
Hacking Mobile AppsHacking Mobile Apps
Hacking Mobile Apps
 
Practice of Android Reverse Engineering
Practice of Android Reverse EngineeringPractice of Android Reverse Engineering
Practice of Android Reverse Engineering
 
Learning by hacking - android application hacking tutorial
Learning by hacking - android application hacking tutorialLearning by hacking - android application hacking tutorial
Learning by hacking - android application hacking tutorial
 

Similar to [EMC] Source Code Protection

BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...
BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...
BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...
Mike Spaulding
 
EAS-SEC Project
EAS-SEC ProjectEAS-SEC Project
EAS-SEC Project
ERPScan
 
Open Source Security: How to Lay the Groundwork for a Secure Culture
Open Source Security: How to Lay the Groundwork for a Secure CultureOpen Source Security: How to Lay the Groundwork for a Secure Culture
Open Source Security: How to Lay the Groundwork for a Secure Culture
WhiteSource
 
Open Source Security: How to Lay the Groundwork for a Secure Culture
Open Source Security: How to Lay the Groundwork for a Secure CultureOpen Source Security: How to Lay the Groundwork for a Secure Culture
Open Source Security: How to Lay the Groundwork for a Secure Culture
DevOps.com
 
Owasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing masterOwasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing master
Dinis Cruz
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software Security
Anne Oikarinen
 
Enterprise Vulnerability Management: Back to Basics
Enterprise Vulnerability Management: Back to BasicsEnterprise Vulnerability Management: Back to Basics
Enterprise Vulnerability Management: Back to Basics
Damon Small
 
Lecture Course Outline and Secure SDLC.ppt
Lecture Course Outline and Secure SDLC.pptLecture Course Outline and Secure SDLC.ppt
Lecture Course Outline and Secure SDLC.ppt
DrBasemMohamedElomda
 
The What, Why, and How of DevSecOps
The What, Why, and How of DevSecOpsThe What, Why, and How of DevSecOps
The What, Why, and How of DevSecOps
Cprime
 
PIRATEs of the Software Supply Chain.pdf
PIRATEs of the Software Supply Chain.pdfPIRATEs of the Software Supply Chain.pdf
PIRATEs of the Software Supply Chain.pdf
TAURUSEER
 

Similar to [EMC] Source Code Protection (20)

BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...
BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...
BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...
 
Agile and Continuous Delivery for Audits and Exams - DC Continuous Delivery M...
Agile and Continuous Delivery for Audits and Exams - DC Continuous Delivery M...Agile and Continuous Delivery for Audits and Exams - DC Continuous Delivery M...
Agile and Continuous Delivery for Audits and Exams - DC Continuous Delivery M...
 
Started In Security Now I'm Here
Started In Security Now I'm HereStarted In Security Now I'm Here
Started In Security Now I'm Here
 
EAS-SEC Project
EAS-SEC ProjectEAS-SEC Project
EAS-SEC Project
 
Open Source Security: How to Lay the Groundwork for a Secure Culture
Open Source Security: How to Lay the Groundwork for a Secure CultureOpen Source Security: How to Lay the Groundwork for a Secure Culture
Open Source Security: How to Lay the Groundwork for a Secure Culture
 
Open Source Security: How to Lay the Groundwork for a Secure Culture
Open Source Security: How to Lay the Groundwork for a Secure CultureOpen Source Security: How to Lay the Groundwork for a Secure Culture
Open Source Security: How to Lay the Groundwork for a Secure Culture
 
Open Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best PracticesOpen Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best Practices
 
Owasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing masterOwasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing master
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software Security
 
Enterprise Vulnerability Management: Back to Basics
Enterprise Vulnerability Management: Back to BasicsEnterprise Vulnerability Management: Back to Basics
Enterprise Vulnerability Management: Back to Basics
 
Addressing Cloud Security with OPA
Addressing Cloud Security with OPAAddressing Cloud Security with OPA
Addressing Cloud Security with OPA
 
Lecture Course Outline and Secure SDLC.ppt
Lecture Course Outline and Secure SDLC.pptLecture Course Outline and Secure SDLC.ppt
Lecture Course Outline and Secure SDLC.ppt
 
PCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s MissingPCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s Missing
 
The What, Why, and How of DevSecOps
The What, Why, and How of DevSecOpsThe What, Why, and How of DevSecOps
The What, Why, and How of DevSecOps
 
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...
 
Starting your Career in Information Security
Starting your Career in Information SecurityStarting your Career in Information Security
Starting your Career in Information Security
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
 
Are your DevOps and Security teams friends or foes?
Are your DevOps and Security teams friends or foes?Are your DevOps and Security teams friends or foes?
Are your DevOps and Security teams friends or foes?
 
Embracing the Rise of SecDevOps
Embracing the Rise of SecDevOpsEmbracing the Rise of SecDevOps
Embracing the Rise of SecDevOps
 
PIRATEs of the Software Supply Chain.pdf
PIRATEs of the Software Supply Chain.pdfPIRATEs of the Software Supply Chain.pdf
PIRATEs of the Software Supply Chain.pdf
 

More from Perforce

How to Organize Game Developers With Different Planning Needs
How to Organize Game Developers With Different Planning NeedsHow to Organize Game Developers With Different Planning Needs
How to Organize Game Developers With Different Planning Needs
Perforce
 
Regulatory Traceability: How to Maintain Compliance, Quality, and Cost Effic...
Regulatory Traceability: How to Maintain Compliance, Quality, and Cost Effic...Regulatory Traceability: How to Maintain Compliance, Quality, and Cost Effic...
Regulatory Traceability: How to Maintain Compliance, Quality, and Cost Effic...
Perforce
 
Understanding Compliant Workflow Enforcement SOPs
Understanding Compliant Workflow Enforcement SOPsUnderstanding Compliant Workflow Enforcement SOPs
Understanding Compliant Workflow Enforcement SOPs
Perforce
 
Branching Out: How To Automate Your Development Process
Branching Out: How To Automate Your Development ProcessBranching Out: How To Automate Your Development Process
Branching Out: How To Automate Your Development Process
Perforce
 
How to Do Code Reviews at Massive Scale For DevOps
How to Do Code Reviews at Massive Scale For DevOpsHow to Do Code Reviews at Massive Scale For DevOps
How to Do Code Reviews at Massive Scale For DevOps
Perforce
 
Shift to Remote: How to Manage Your New Workflow
Shift to Remote: How to Manage Your New WorkflowShift to Remote: How to Manage Your New Workflow
Shift to Remote: How to Manage Your New Workflow
Perforce
 
Hybrid Development Methodology in a Regulated World
Hybrid Development Methodology in a Regulated WorldHybrid Development Methodology in a Regulated World
Hybrid Development Methodology in a Regulated World
Perforce
 
Better, Faster, Easier: How to Make Git Really Work in the Enterprise
Better, Faster, Easier: How to Make Git Really Work in the EnterpriseBetter, Faster, Easier: How to Make Git Really Work in the Enterprise
Better, Faster, Easier: How to Make Git Really Work in the Enterprise
Perforce
 
Easier Requirements Management Using Diagrams In Helix ALM
Easier Requirements Management Using Diagrams In Helix ALMEasier Requirements Management Using Diagrams In Helix ALM
Easier Requirements Management Using Diagrams In Helix ALM
Perforce
 
Should You Break Up With Your Monolith?
Should You Break Up With Your Monolith?Should You Break Up With Your Monolith?
Should You Break Up With Your Monolith?
Perforce
 
Free Yourself From the MS Office Prison
Free Yourself From the MS Office Prison Free Yourself From the MS Office Prison
Free Yourself From the MS Office Prison
Perforce
 

More from Perforce (20)

How to Organize Game Developers With Different Planning Needs
How to Organize Game Developers With Different Planning NeedsHow to Organize Game Developers With Different Planning Needs
How to Organize Game Developers With Different Planning Needs
 
Regulatory Traceability: How to Maintain Compliance, Quality, and Cost Effic...
Regulatory Traceability: How to Maintain Compliance, Quality, and Cost Effic...Regulatory Traceability: How to Maintain Compliance, Quality, and Cost Effic...
Regulatory Traceability: How to Maintain Compliance, Quality, and Cost Effic...
 
Efficient Security Development and Testing Using Dynamic and Static Code Anal...
Efficient Security Development and Testing Using Dynamic and Static Code Anal...Efficient Security Development and Testing Using Dynamic and Static Code Anal...
Efficient Security Development and Testing Using Dynamic and Static Code Anal...
 
Understanding Compliant Workflow Enforcement SOPs
Understanding Compliant Workflow Enforcement SOPsUnderstanding Compliant Workflow Enforcement SOPs
Understanding Compliant Workflow Enforcement SOPs
 
Branching Out: How To Automate Your Development Process
Branching Out: How To Automate Your Development ProcessBranching Out: How To Automate Your Development Process
Branching Out: How To Automate Your Development Process
 
How to Do Code Reviews at Massive Scale For DevOps
How to Do Code Reviews at Massive Scale For DevOpsHow to Do Code Reviews at Massive Scale For DevOps
How to Do Code Reviews at Massive Scale For DevOps
 
How to Spark Joy In Your Product Backlog
How to Spark Joy In Your Product Backlog How to Spark Joy In Your Product Backlog
How to Spark Joy In Your Product Backlog
 
Going Remote: Build Up Your Game Dev Team
Going Remote: Build Up Your Game Dev Team Going Remote: Build Up Your Game Dev Team
Going Remote: Build Up Your Game Dev Team
 
Shift to Remote: How to Manage Your New Workflow
Shift to Remote: How to Manage Your New WorkflowShift to Remote: How to Manage Your New Workflow
Shift to Remote: How to Manage Your New Workflow
 
Hybrid Development Methodology in a Regulated World
Hybrid Development Methodology in a Regulated WorldHybrid Development Methodology in a Regulated World
Hybrid Development Methodology in a Regulated World
 
Better, Faster, Easier: How to Make Git Really Work in the Enterprise
Better, Faster, Easier: How to Make Git Really Work in the EnterpriseBetter, Faster, Easier: How to Make Git Really Work in the Enterprise
Better, Faster, Easier: How to Make Git Really Work in the Enterprise
 
Easier Requirements Management Using Diagrams In Helix ALM
Easier Requirements Management Using Diagrams In Helix ALMEasier Requirements Management Using Diagrams In Helix ALM
Easier Requirements Management Using Diagrams In Helix ALM
 
How To Master Your Mega Backlog
How To Master Your Mega Backlog How To Master Your Mega Backlog
How To Master Your Mega Backlog
 
Achieving Software Safety, Security, and Reliability Part 3: What Does the Fu...
Achieving Software Safety, Security, and Reliability Part 3: What Does the Fu...Achieving Software Safety, Security, and Reliability Part 3: What Does the Fu...
Achieving Software Safety, Security, and Reliability Part 3: What Does the Fu...
 
How to Scale With Helix Core and Microsoft Azure
How to Scale With Helix Core and Microsoft Azure How to Scale With Helix Core and Microsoft Azure
How to Scale With Helix Core and Microsoft Azure
 
Achieving Software Safety, Security, and Reliability Part 2
Achieving Software Safety, Security, and Reliability Part 2Achieving Software Safety, Security, and Reliability Part 2
Achieving Software Safety, Security, and Reliability Part 2
 
Should You Break Up With Your Monolith?
Should You Break Up With Your Monolith?Should You Break Up With Your Monolith?
Should You Break Up With Your Monolith?
 
Achieving Software Safety, Security, and Reliability Part 1: Common Industry ...
Achieving Software Safety, Security, and Reliability Part 1: Common Industry ...Achieving Software Safety, Security, and Reliability Part 1: Common Industry ...
Achieving Software Safety, Security, and Reliability Part 1: Common Industry ...
 
What's New in Helix ALM 2019.4
What's New in Helix ALM 2019.4What's New in Helix ALM 2019.4
What's New in Helix ALM 2019.4
 
Free Yourself From the MS Office Prison
Free Yourself From the MS Office Prison Free Yourself From the MS Office Prison
Free Yourself From the MS Office Prison
 

Recently uploaded

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 

Recently uploaded (20)

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 

[EMC] Source Code Protection

  • 1. 1   Source Code Protection: Evaluating Source Code Security Stephanie Woiciechowski, GSEC Principal Software Engineer Product Security Office EMC Corporation
  • 2. 2   Goals •  Understand application of basic security concepts •  Collaborative security •  Iterative security improvements around source code If  you  have  built  castles  in  the   air,  your  work  need  not  be  lost;   that  is  where  they  should  be.   Now  put  the  founda;ons  under   them.        -­‐-­‐  Thoreau  
  • 3. 3   Why should we care? Threats to source code
  • 4. 4   Source Code Threats “Consider that no organization is impenetrable. Assume that your organization might already be compromised and go from there.” Security for Business Innovation Council (2011) Security  takes  a  new  role  in  working  with  source  code.  
  • 5. 5   Claims  by  Anonymous   about  Symantec   -­‐-­‐Symantec   •  Theft of product-related intellectual property to undermine the security of our customers. •  Or to seek competitive advantage •  Exposure of vulnerabilities •  Exposure of trade/government secrets Source Code Threats Security  takes  a  new  role  in  working  with  source  code.   AMSC  Taking  Sinovel   Infringement  Suit  to   China’s  Supreme  Court      -­‐-­‐  Bloomberg   Ex-­‐NASA  contractor   arrested  on  plane  to   China   -­‐-­‐Associated  Press  
  • 6. 6   Claims  by  Anonymous  about  Symantec  -­‐-­‐Symantec   •  Theft of product-related intellectual property to undermine the security of our customers. •  Or to seek competitive advantage •  Exposure of vulnerabilities •  Exposure of trade/government secrets Source Code Threats Security  takes  a  new  role  in  working  with  source  code.   AMSC  Taking   Sinovel   Infringement   Suit  to  China’s   Supreme  Court      -­‐-­‐  Bloomberg   Ex-­‐NASA   contractor   arrested  on   plane  to  China   -­‐-­‐Associated   Press  
  • 7. 7   Source Code Threats •  Insertion of malicious code into products during development cycle that can undermine product integrity and operations in customer environments. Security  takes  a  new  role  in  working  with  source  code.   phpMyAdmin
  • 8. 8   What can we do? Define objective
  • 9. 9   What can we do? •  Prerequisites & Assumptions •  IT is doing their part for corporate security •  Security is not #1 for SCM, Build, Release, QE, and Dev •  Security goals often support SCM goals of traceability, reproducibility, and auditability •  Approach: Collaboration •  Define security criteria •  Understand current environment •  Review tools in use against criteria •  Include input from SCM and security experts •  Manage change •  Provide recommendations for preferred solutions •  Provide a framework to assess implementations & evaluate new solutions Improve  security  in  the  source  code  environment  to  defend   against  threats.  
  • 10. 10   •  Policy: What needs to be done to protect source code. •  Strong passwords to access source code •  Transactions will be logged and protected •  Standards: How to implement policy. •  Source code systems are integrated with organization’s identity management system and use network password. •  Transactions are logged to syslog and exported every 20 minutes to a log aggregation system. •  Achievable & Maintainable: Consistent approach to implementation •  Measureable: Evaluation if a control is in place and how it is functioning •  Threat model: How might your environment be attacked? •  Business case •  What could happen if your source code is modified? •  What could happen if your source code is stolen? •  How would you recover and at what cost? •  Actionable intelligence Establish Goals & Team •  Initial Goals: Call to action •  Who should be involved? •  Policies & Standards •  Procedures & Assessments RISK  REDUCTION   Task  Force   IT   Security   Source  Code  Admin   Legal   Development   RISK  REDUCTION  
  • 11. 11   •  Threat model: How might your environment be attacked? •  Business case •  What could happen if your source code is modified? •  What could happen if your source code is stolen? •  How would you recover and at what cost? •  Actionable intelligence Establish Goals & Team •  Initial Goals: Call to action RISK  REDUCTION  
  • 12. 12   Establish Goals & Team •  Initial Goals: Call to action •  Who should be involved? Task  Force   IT   Security   Source  Code  Admin   Legal   Development  
  • 13. 13   •  Policy: What needs to be done to protect source code. •  Strong passwords to access source code •  Transactions will be logged and protected •  Standards: How to implement policy. •  Source code systems are integrated with organization’s identity management system and use network password. •  Transactions are logged to syslog and exported every 20 minutes to a log aggregation system. Establish Goals & Team •  Initial Goals: Call to action •  Who should be involved? •  Policies & Standards
  • 14. 14   •  Achievable & Maintainable: Consistent approach to implementation •  Measureable: Evaluation if a control is in place and how it is functioning Establish Goals & Team •  Initial Goals: Call to action •  Who should be involved? •  Policies & Standards •  Procedures & Assessments RISK  REDUCTION  
  • 15. 15   Source   Code   Backups   Hardware   Storage  EncrypMon   DLP   Network   IsolaMon   Physical   IsolaMon   Virtual   IsolaMon   Virtual   Containment   Preven;ve   Detec;ve   Correc;ve   •  Authentication is a way to prove your identity such that no one can later say it wasn’t you Identity + Secret = Authentication •  Centralized authentication mechanisms •  Why local accounts cause problems Value of and risk to the data informs appropriate security solutions Defining Security Criteria •  Defense-in-depth •  Data Classification •  Identity/Authentication •  Access Controls •  Isolation •  Data Protection •  Hardening •  Avoiding Malicious Code •  Logging Layers of Protection Services   Ports   Security  Patches   ConfiguraMon   Code  Changes   •  Chain  of   Custody   •  Code  reviews   •  Reputable   sourcing   •  Integrity   checks   Environment   •  Servers   •  WorkstaMons   •  Malware   •  Rootkits   Principle of Least Privilege •  The Apache Way … Reduce vulnerable surface area of a server eGRC Compliance monitoring Forensics   Log  protecMon   Regular  reviews   AcMve  monitoring   • Restricted  access   • Storage  monitors   • Log  aggregaMon   • One  of  the  most  common   ways  insiders  detect   breaches  
  • 16. 16   Define Security Criteria •  We have a team •  We have basic Defense-in-Depth security solutions •  Now … draft Source Code Security Policies and Standards to document expectations
  • 17. 17   What can we do? Understand the current environment
  • 18. 18   Establish a baseline Where are we? •  Scope your environment •  Environment diagrams
  • 19. 19   Establish a baseline Where are we? •  Scope your environment •  Environment diagrams •  Engineering practices
  • 20. 20   Establish a baseline Where are we? •  Scope your environment •  Environment diagrams •  Engineering practices •  Data classification: where is the important “stuff”? •  Threat Modeling
  • 21. 21   Establish a baseline Where are we? •  Scope your environment •  Environment diagrams •  Engineering practices •  Data classification: where is the important “stuff”? •  Threat Modeling •  Tools •  Are they working securely? •  Simple solutions? •  Turn on functionality •  Add-ons •  Cost/benefit •  Change tools •  Reinforce environment Don’t throw the baby out with the bathwater!
  • 22. 22   Where are we? •  Scope your environment •  Environment diagrams •  Engineering practices •  Data classification: where is the important “stuff”? •  Threat Modeling •  Tools •  Usability!!!
  • 23. 23   What did EMC find?
  • 24. 24   2011 EMC Summary of 5 Common Brands Analysis of product features, not existing implementations Repository 1 Repository 2 Repository 3 Repository 4 Repository 5 Out of Box Add On Out of Box Add On Out of Box Add On Out of Box Add On Out of Box Add On Corporate  authenMcaMon   ü ü ü ü ü Logs  of  transacMons  against  access  controls   can  be  exported  to  a  monitoring  tool.   ü PARTIAL ü PARTIAL ü ü PARTIAL ü Granular  access  controls   PARTIAL x PARTIAL x PARTIAL ü x ü Support  for  code  review  workflow   PARTIAL ü x ü x ü ü x ü 11 High level policy criteria and 31 controls (not weighted)
  • 25. 25   2011 EMC Summary of 5 Common Brands 11 High level policy criteria and 31 controls (not weighted) 0%   10%   20%   30%   40%   50%   60%   70%   80%   90%   100%   Overall  Risk  Assessment  Percentages   Add-­‐On   Out  of  Box     Repository  1   Repository  2   Repository  3   Repository  4   Repository  5   Out-­‐of-­‐ Box   Add-­‐On     Out-­‐of-­‐ Box   Add-­‐On     Out-­‐of-­‐ Box   Add-­‐On     Out-­‐of-­‐ Box   Add-­‐On     Out-­‐of-­‐ Box   Add-­‐On     TOTAL 200 210 160 210 160 210 220 220 170 220(out  of  220) Percentage 91% 95% 73% 95% 73% 95% 100% 100% 77% 100% Difference:   5%   23%   23%   0%   23% Analysis of product features, not existing implementations
  • 26. 26   EMC’s Observations •  Most major Source Code Repository systems can be made acceptable •  All existing solutions can be made better •  Newer SCMs have more security built–in or added as features •  Source code is highly visible to many people regardless of whether the SCM is distributed (like Git) or not •  A poorly configured underlying platform or poor practices can undermine strength of any application controls that may exist
  • 27. 27   Managing change … … to steady state
  • 28. 28   Action Like most organizational projects … •  Team •  Policies & Standards •  Evaluate •  Plan •  Implement … except this must be a continuous process.
  • 29. 29   Continuous Monitoring and Improvement Observe   &  Orient   •  Minimize new options •  Until you get a handle on your environment •  Don’t chase a moving target •  Assessments •  Security awareness training needs to emphasize secure source code
  • 30. 30   Continuous Monitoring and Improvement Observe   &  Orient   Decide   •  Minimize new options •  Until you get a handle on your environment •  Don’t chase a moving target •  Assessments •  Security awareness training needs to emphasize secure source code •  How will you evaluate new solutions? •  Expand scope: other build- related tools and infrastructure
  • 31. 31   Triage   eGRC   Threat   Model   Assessment   Continuous Monitoring and Improvement Observe   &  Orient   Decide  
  • 32. 32   Continuous Monitoring and Improvement Observe   &  Orient   Decide   AcMon   •  Test •  Deploy •  Implementation guidance
  • 34. 34   Summary •  Evolving threats change how we need to think about source code security •  Collaboration: Expanding security awareness involves more stakeholders •  Policies & Standards: define security goals based on common security strategies •  Measure: Baseline environment •  Implement & manage change •  Expand frameworks Improve  security  in  the  source  code  environment  to   defend  against  threats  
  • 35. 35   Thank you Stephanie Woiciechowski, GSEC EMC Product Security Office stephanie.woiciechowski@emc.com