Secure SDLC – Core Banking
Eric Anklesaria
Partner – Financial Services – Business Advisory
Secure SDLC – Core Banking (Page 2)
Agenda
► Core Banking and Advantages
► What do statistics reveal…
► Need for Application Security…
► SDLC versus Secure SDLC
► Sustaining Secure SDLC Lifecycle
► Summary
► Questions and Answers
Core Banking and Advantages
► Core Banking, in simple terms, means performing the banking operations and transactions of branches and the Head Office centrally, typically at a Data Centre
► This furnishes the real-time financial position of the bank, which in turn enables quick decisions in today’s dynamic banking environment
► Further, centralization enables better monitoring and analysis, and easier rollout of changes to any module of the application
► Extends customer reach beyond the nearest branch to other branches and the HO (if need be)
What do statistics reveal…
Application Security: Core Banking, Internet Banking, Mobile Banking
* Over half (51%) of developers and over half (51%) of security personnel have no training in application security.
* Close to half (44%) of the developers surveyed stated there is absolutely no collaboration between their development organization and the security organization when it comes to application security.
(* Survey conducted by Security Innovation and Ponemon Institute)
Ernst & Young Advanced Security Center (ASC) findings:
► 93% of applications tested have at least 1 high-risk finding
► Of the high-risk findings:
  ► 70% only require a low level of effort to exploit
  ► 46% require a low level of effort to remediate
  ► 34% could be prevented by properly validating user input
  ► 33% are Cross-Site Scripting (XSS) or SQL Injection
Need for Application Security…
► Core Banking is the heart of banking operations and among the most critical components a bank must safeguard and maintain
► It stores critical information: customer names, address details, account information etc.
► Compromise of any of this information has direct implications for regulatory requirements and compliance frameworks (such as ISO 27001, COBIT, PCI DSS etc.), and a direct impact on the bank’s reputation
► Whether developed in-house, purchased from a third party, or supplied by an outsourcing company, software applications are exposed to application-related risks
SDLC versus Secure SDLC
Typical SDLC: Business Requirements → Design → Development → Functional Testing → Deployment
Secure SDLC: Business and Security Requirements → Secure Design → Secure Development → Security & Functional Testing → Secure Deployment
► A typical SDLC does not explicitly include ‘Security’ in it
► A Secure SDLC has an explicit place for ‘Security’ and its practices within it
Secure SDLC
Business and Security Requirements
Understanding security requirements should be a mandatory exercise of the business requirements phase when developing an application. Security requirements in this phase are:
► Application Risk Profiling: Review the Core Banking application portfolio in terms of risk relative to the other applications within the Bank. Answers to questions such as the following help determine this:
  ► What are the key business risks and possible technical risks?
  ► Will the application be accessible over the Internet?
  ► Will the application store personally identifiable information (PII)?
► Describe and confirm high-level security requirements:
  ► What high-level data or information needs to be accessed?
  ► What is the context of the application within the current infrastructure?
  ► What application features will have an impact on security?
► Determine possible use cases:
  ► How will users interact with the application – VPN, browser etc.?
  ► Will other web services or applications connect with the application?
Secure SDLC
Secure Design
Security MUST begin right from secure design…
► Developing a Threat Model: an excellent method to determine the technical security posture of the proposed application. This is achieved by:
  ► Decomposing the application to determine the potential weak spots an attacker might want to exploit
  ► Categorizing and ranking threats so that mitigation strategies can be prioritized for the ones that matter
  ► Mitigating the identified threats, for example through information security training for developers and programmers, programming-language-specific secure coding training etc.
► Secure Architecture Design (SAD):
  ► A security architecture framework should be established within the Bank that serves as the foundation for secure design and can be reused across multiple in-house application developments
► Develop Security Test Plans:
  ► Based on the frequency of testing (quarterly, monthly), area of tests (Web, APIs etc.) and type of tests (black or white box)
Secure SDLC
Secure Development
Secure development is an inherent part of developing the business logic of core banking applications
► Program for Developer Awareness and Training:
  ► It is commonly observed that programmers have very little experience in coding securely
  ► They must undergo adequate training, at a bare minimum in Web application security, language-specific (.NET, Java) secure coding techniques, and custom courses based on code review or application test findings
► Developing Secure Coding Standards, Guidelines and Frameworks for Key Languages and Platforms:
  ► The objective is to provide SDLC participants with the proper requirements for securing software applications from the design stage through to deployment
► Source Code Review Process:
  ► Control flow analysis must be adopted in addition to automated source code review of the application
  ► It accurately tracks the sequencing of operations, to catch issues such as uninitialized variable use or a failure to enable parser validation
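The control-flow point above, as an added Python example that is not from the slide deck: a small definite-assignment analysis over Python source, using the standard ast module, that reports a local read on a path where it was never assigned. The analyzer, its stated limits and the sample functions (a transfer handler and a guarded branch) are all constructed here.

```python
"""Added example (not from the slide deck): definite-assignment analysis over
Python source using the standard `ast` module.  It reports reads of a local
that is not assigned on every path reaching the read, handling if/elif/else,
for loops (which may run zero times) and branches ending in return/raise.
Nested scopes, while/try and augmented assignment are out of scope here, and
the sample functions are constructed for this illustration."""
import ast


class DefiniteAssignment(ast.NodeVisitor):
    def __init__(self, params, local_names):
        self.locals = local_names      # names Python scopes as local here
        self.assigned = set(params)    # parameters are always bound
        self.findings = []             # (line number, variable name)

    def visit_Name(self, node):
        if (isinstance(node.ctx, ast.Load) and node.id in self.locals
                and node.id not in self.assigned):
            self.findings.append((node.lineno, node.id))

    def _bind(self, target):
        if isinstance(target, ast.Name):
            self.assigned.add(target.id)
        elif isinstance(target, (ast.Tuple, ast.List)):
            for elt in target.elts:
                self._bind(elt)
        else:                          # a.b = v / a[i] = v read `a` first
            self.generic_visit(target)

    def visit_Assign(self, node):
        self.visit(node.value)         # right-hand side is evaluated first
        for target in node.targets:
            self._bind(target)

    def run_block(self, stmts, start):
        """Visit a block starting from `start`; return (assigned, exits)."""
        self.assigned = set(start)
        for stmt in stmts:
            self.visit(stmt)
        exits = any(isinstance(s, (ast.Return, ast.Raise)) for s in stmts)
        return self.assigned, exits

    def visit_If(self, node):
        self.visit(node.test)
        before = set(self.assigned)
        body_out, body_exits = self.run_block(node.body, before)
        else_out, else_exits = self.run_block(node.orelse, before)
        if body_exits and not else_exits:
            self.assigned = else_out   # only the else path falls through
        elif else_exits and not body_exits:
            self.assigned = body_out   # only the if path falls through
        else:                          # both continue, so both must assign
            self.assigned = body_out & else_out

    def visit_For(self, node):
        self.visit(node.iter)
        before = set(self.assigned)
        self._bind(node.target)        # loop variable is bound per iteration
        self.run_block(node.body, self.assigned)
        self.assigned = before         # zero iterations: nothing new is definite


def find_uninitialized_uses(source):
    """Map each top-level function in `source` to its (line, name) findings."""
    report = {}
    for fn in ast.parse(source).body:
        if not isinstance(fn, ast.FunctionDef):
            continue
        params = {a.arg for a in ast.walk(fn.args) if isinstance(a, ast.arg)}
        # Python's rule: a name assigned anywhere in the function is local.
        stores = {n.id for n in ast.walk(fn)
                  if isinstance(n, ast.Name) and isinstance(n.ctx, ast.Store)}
        checker = DefiniteAssignment(params, params | stores)
        checker.run_block(fn.body, params)
        report[fn.name] = checker.findings
    return report


# Constructed sample: a transfer handler whose status is unset for a negative
# amount, and a branch that raises instead of falling through (no finding).
SAMPLE = """\
def post_transfer(request, ledger):
    if request.amount > 0:
        status = "accepted"
    elif request.amount == 0:
        status = "no-op"
    ledger.record(request, status)
    return status

def guarded(flag):
    if flag:
        value = 1
    else:
        raise ValueError("flag required")
    return value
"""

if __name__ == "__main__":
    for name, findings in find_uninitialized_uses(SAMPLE).items():
        for line, var in findings:
            print(f"{name}: line {line}: '{var}' may be read before assignment")
```

A review gate can run this over changed modules and fail the build on any finding; the fix for `post_transfer` is to initialize `status` before the branch.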
Secure SDLC
Security and Functional Testing
Security Testing (Vulnerability Assessment, Penetration Testing etc.) should be built in alongside the functional testing of Core Banking applications.
► Security integration with the existing test bed:
  ► Most enterprise test environments use automated tools to perform functional, usability and QA testing
  ► As security testing processes mature, software testers must embrace automated security tools that link into their existing test beds
► Security-related regression testing:
  ► Helps confirm the security view presented by the architecture and development teams
  ► Further, it presents an added level of comfort to internal and external application audit teams
► Develop Security Standards for the infrastructure supporting the applications
► Develop a pre-implementation risk analysis:
  ► The combined/overall security of the application should be determined before the application goes live. For example, the orchestration of web server farms with multiple operating systems and web server platforms, the design of firewall access control lists and assignment of network ports, and the integration with application servers can spark off a plethora of innocuous-looking but dangerous vulnerabilities.
Sustaining Secure SDLC Lifecycle
Ongoing security has to be ensured in order to maintain a successful Secure SDLC lifecycle
► This is extremely critical since the application undergoes numerous changes after its development and deployment, which may directly or indirectly affect its predetermined security posture.
► The following are a few suggested activities to ensure ongoing security for core banking applications:
  ► External Security Design Reviews
  ► Post-deployment Penetration Tests and Code Reviews
  ► Vendor Risk Management Reviews
  ► Outsourced Software Security Acceptance Testing services
  ► Legacy Application Reviews
Summary – Secure SDLC

Requirements
• Description: By definition, the System Requirements Specification (SRS) document captures functional requirements only. Non-functional requirements (such as security and performance) are often not captured adequately.
• Security Domains: Authentication, Access Control, Session Management, Auditing, Cryptography.
• Secure SDLC Benefits: Documentation and review of supplementary specifications that address non-functional requirements.

Design
• Description: Potential threats and attack scenarios are not envisaged during the design stage. Security flaws detected during the design phase may incur 30-60 times less effort compared to those detected post release.
• Security Domains: Authentication, Access Control, Session Management, Auditing, Cryptography.
• Secure SDLC Benefits: Threat Modeling and Attack Tree Development aimed at uncovering design flaws.

Development
• Description: Unsafe functions and APIs are used without any mitigating controls as formal secure coding guidelines do not exist. Where formal secure coding guidelines exist, they may not be adhered to if the developers do not realize the value of the restrictive coding rules owing to lack of security awareness.
• Security Domains: Input Validation, Exception Handling, Interaction With Deployment Environment.
• Secure SDLC Benefits: Secure Coding Handbook and Secure Application Development Workshops to enhance security awareness.

Testing
• Description: Testing efforts are focused on identifying and fixing functionality bugs. Security-focused testing is not carried out as the security requirements have not been identified and documented. The importance laid on development concentrates the talented workforce in those teams.
• Security Domains: All.
• Secure SDLC Benefits: Security-focused testing as a result of documented security requirements.

Deployment
• Description: Applications are often granted privileged access to the deployment infrastructure (OS, RDBMS) in order to save the effort involved in identifying the minimum privileges required at the infrastructure level to support the application functionality.
• Security Domains: Interaction With Deployment Environment.
• Secure SDLC Benefits: Application functionality guaranteed to work in hardened deployment infrastructure.
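The Deployment row above, as an added Python example that is not from the slide deck: the privilege set an application actually needs is written down as an allow-list and enforced with sqlite3's authorizer hook (standing in for the roles and GRANTs of a production RDBMS), and the application's own write path is then exercised on the restricted connection to show it still works. The schema, the transfer service and its privilege list are constructed for this illustration.

```python
"""Added example (not from the slide deck): sizing an application's database
privileges to the minimum its functionality needs, and proving that the
functionality still works under them.  sqlite3's authorizer hook stands in for
the roles and GRANTs of a production RDBMS; the schema, the transfer service
and its privilege list are constructed for this illustration."""
import sqlite3

# Minimum privileges of the constructed transfer service as (action, table)
# pairs.  Everything else (DELETE, DROP, ALTER, reading the ledger, ...) is denied.
TRANSFER_SERVICE_PRIVILEGES = {
    (sqlite3.SQLITE_TRANSACTION, None),  # BEGIN/COMMIT/ROLLBACK issued by the driver
    (sqlite3.SQLITE_SELECT, None),
    (sqlite3.SQLITE_READ, "accounts"),
    (sqlite3.SQLITE_UPDATE, "accounts"),
    (sqlite3.SQLITE_INSERT, "ledger"),
}
# Granted actions for which SQLite passes the table name as the first argument.
TABLE_SCOPED = (sqlite3.SQLITE_READ, sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_INSERT)


def make_authorizer(privileges, audit):
    """Authorizer allowing only `privileges`; every denial is appended to
    `audit` so an under-sized privilege set shows up in testing, not production."""
    def authorize(action, arg1, arg2, dbname, source):
        table = arg1 if action in TABLE_SCOPED else None
        if (action, table) in privileges:
            return sqlite3.SQLITE_OK
        audit.append((action, arg1))
        return sqlite3.SQLITE_DENY
    return authorize


def open_bank_db():
    """DBA step: create and seed the schema with full rights, then hand the
    connection to the service with only its minimum privileges.
    Returns (connection, audit log of denied actions)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE accounts (id INTEGER PRIMARY KEY, balance INTEGER NOT NULL);
        CREATE TABLE ledger (id INTEGER PRIMARY KEY, src INTEGER, dst INTEGER,
                             amount INTEGER);
        INSERT INTO accounts VALUES (1, 500), (2, 100);
    """)
    audit = []
    conn.set_authorizer(make_authorizer(TRANSFER_SERVICE_PRIVILEGES, audit))
    return conn, audit


def balances(conn):
    return dict(conn.execute("SELECT id, balance FROM accounts ORDER BY id"))


def transfer(conn, src, dst, amount):
    """The service's only write path.  It must run unchanged on the restricted
    connection: that is the check that the privilege set is sized right."""
    with conn:  # commits on success, rolls back on error
        (balance,) = conn.execute(
            "SELECT balance FROM accounts WHERE id = ?", (src,)).fetchone()
        if balance < amount:
            raise ValueError("insufficient funds")
        conn.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?",
                     (amount, src))
        conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?",
                     (amount, dst))
        conn.execute("INSERT INTO ledger (src, dst, amount) VALUES (?, ?, ?)",
                     (src, dst, amount))
    return balances(conn)


def attempt(conn, sql):
    """Run a statement outside the service's scope.  Returns the database
    error text when the authorizer blocks it, or None if it went through."""
    try:
        conn.execute(sql)
        return None
    except sqlite3.DatabaseError as exc:  # SQLITE_AUTH surfaces here
        return str(exc)


if __name__ == "__main__":
    db, log = open_bank_db()
    print("after transfer:", transfer(db, 1, 2, 150))
    for sql in ("DELETE FROM ledger", "DROP TABLE ledger", "SELECT amount FROM ledger"):
        print(f"{sql!r} -> {attempt(db, sql)}")
    print("denied actions:", log)
```

The same pattern applies to a production RDBMS by creating a dedicated role with only the matching GRANTs and running the application's test suite under it.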
Questions and Answers
Thank You!
Email: Eric.Anklesaria@in.ey.com

24may 1200 valday eric anklesaria 'secure sdlc – core banking'

Need for Application Security…
► Core Banking is the heart of banking operations and among the most critical components a bank must safeguard and maintain
► Stores critical information: customer names, address details, account information etc.
► Compromise of any of this information has direct implications for regulatory requirements and compliance frameworks (such as ISO 27001, COBIT, PCI DSS etc.), which in turn has a direct impact on the bank’s reputation
► Whether developed in-house, purchased from a third party, or supplied by an outsourcing company, software applications are exposed to application-level risks
SDLC versus Secure SDLC
SDLC: Business Requirements → Design → Development → Functional Testing → Deployment
Secure SDLC: Business and Security Requirements → Secure Design → Secure Development → Security & Functional Testing → Secure Deployment
► A typical SDLC does not explicitly include ‘Security’ in it
► A Secure SDLC has an explicit place for ‘Security’ and for security practices within each phase
Secure SDLC: Business and Security Requirements
Understanding security requirements should be a mandatory exercise of the business requirements phase when developing an application. Security requirements in this phase are:
► Application Risk Profiling: review the Core Banking application portfolio in terms of risk as compared to other applications within the Bank. Responses to questions such as the following help determine it:
  ► What are the key business risks and possible technical risks?
  ► Will the application be accessible over the Internet?
  ► Will the application store personally identifiable information (PII)?
► Describe and confirm high-level security requirements:
  ► What high-level data or information needs to be accessed?
  ► What is the context of the application within the current infrastructure?
  ► What application features will have an impact on security?
► Determine possible use cases:
  ► How will users interact with the application (VPN, browser etc.)?
  ► Will other web services or applications connect with the application?
Secure SDLC: Secure Design
Security MUST begin right from secure design…
► Developing a Threat Model: an excellent method to determine the technical security posture of the proposed application. This is achieved by:
  ► Decomposing the application to determine the potential weak spots that an attacker might want to exploit
  ► Categorizing and ranking threats so that mitigation strategies can be developed for the ones that matter most
  ► Mitigating the identified threats, supported by information security training for developers and programmers, programming-language-specific secure coding training etc.
► Secure Architecture Design (SAD):
  ► A security architecture framework should be established within the Bank that serves as the foundation for secure design and can be reused across multiple in-house application developments
► Develop Security Test Plans:
  ► Based on the frequency of testing (quarterly, monthly), the area of tests (Web, APIs etc.) and the type of tests (black box or white box)
Secure SDLC: Secure Development
Secure development is an inherent part of developing the business logic of core banking applications
► Program for Developer Awareness and Training:
  ► It is a common observation that programmers often have very little experience in coding securely
  ► They must undergo adequate training, at a bare minimum in web application security, language-specific (.NET, Java) secure coding techniques, and custom courses based on the findings of code reviews or application tests
► Developing Secure Coding Standards, Guidelines and Frameworks for Key Languages and Platforms:
  ► The objective is to provide SDLC participants with the proper requirements for securing software applications from the design stage through to deployment
► Source Code Review Process:
  ► Control flow analysis must be adopted in addition to automated source code review of the application
  ► It accurately tracks the sequencing of operations, to prevent issues such as use of an uninitialized variable or a failure to enable parser validation
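The control-flow analysis the slide asks for can be shown concretely. The following script is an added example, not part of the presentation: it performs a small definite-assignment analysis over a Python function's AST, treating a local as initialized at a read only if every path reaching that read binds it (branches intersect their bound sets, loop bodies may run zero times). The `approve_transfer` routine, its `log` call and the vulnerable/fixed pair are constructed for the illustration; the slides name .NET and Java as the key platforms, and Python is used here only so the checker runs without a build step.

```python
"""Control-flow-aware check for use-before-assignment in Python function bodies (added example)."""
import ast
from typing import List, Set


def _store_targets(node: ast.AST) -> Set[str]:
    """Every name bound (Store context) anywhere under `node`."""
    return {n.id for n in ast.walk(node)
            if isinstance(n, ast.Name) and isinstance(n.ctx, ast.Store)}


def _check_reads(node: ast.AST, assigned: Set[str], local_names: Set[str],
                 findings: List[str]) -> None:
    """Record every read of a local that is not definitely bound on the current path."""
    for n in ast.walk(node):
        if (isinstance(n, ast.Name) and isinstance(n.ctx, ast.Load)
                and n.id in local_names and n.id not in assigned):
            key = f"{n.id}@{n.lineno}"
            if key not in findings:
                findings.append(key)


def _walk_block(stmts: List[ast.stmt], assigned: Set[str], local_names: Set[str],
                findings: List[str]) -> Set[str]:
    """Thread the definitely-bound set through a statement list in order."""
    for stmt in stmts:
        assigned = _walk_stmt(stmt, assigned, local_names, findings)
    return assigned


def _walk_stmt(stmt: ast.stmt, assigned: Set[str], local_names: Set[str],
               findings: List[str]) -> Set[str]:
    if isinstance(stmt, ast.If):
        _check_reads(stmt.test, assigned, local_names, findings)
        then_out = _walk_block(stmt.body, set(assigned), local_names, findings)
        else_out = _walk_block(stmt.orelse, set(assigned), local_names, findings)
        return then_out & else_out  # definite only if bound on BOTH paths
    if isinstance(stmt, (ast.For, ast.While)):
        head = stmt.iter if isinstance(stmt, ast.For) else stmt.test
        _check_reads(head, assigned, local_names, findings)
        body_in = set(assigned)
        if isinstance(stmt, ast.For):
            body_in |= _store_targets(stmt.target)
        _walk_block(stmt.body, body_in, local_names, findings)
        # the body may run zero times, so nothing bound inside it is definite afterwards
        return _walk_block(stmt.orelse, set(assigned), local_names, findings)
    if isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
        return assigned | {stmt.name}  # nested scopes are analysed on their own
    if isinstance(stmt, ast.AnnAssign) and stmt.value is None:
        return assigned  # a bare annotation binds nothing
    if isinstance(stmt, ast.AugAssign) and isinstance(stmt.target, ast.Name):
        # `x += 1` reads x first, although the AST marks the target as a Store
        if stmt.target.id not in assigned:
            findings.append(f"{stmt.target.id}@{stmt.lineno}")
    # Simple statements (Assign, Return, Expr, ...) and remaining compound statements
    # (Try, With) are handled flow-insensitively: check reads, then add every bound name.
    _check_reads(stmt, assigned, local_names, findings)
    return assigned | _store_targets(stmt)


def find_uninitialized_uses(source: str) -> List[str]:
    """Return 'name@line' for each local read that is not bound on every path reaching it."""
    findings: List[str] = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        a = func.args
        params = {p.arg for p in a.posonlyargs + a.args + a.kwonlyargs}
        params |= {p.arg for p in (a.vararg, a.kwarg) if p is not None}
        local_names = params.union(*(_store_targets(s) for s in func.body))
        _walk_block(func.body, set(params), local_names, findings)
    return findings


# Constructed sample: a transfer approval routine with two paths that leave locals unbound.
VULNERABLE = """
def approve_transfer(amount, limit, is_vip):
    if amount > limit:
        reason = "over limit"
        approved = False
    elif is_vip:
        approved = True
    log(reason)          # 'reason' is bound on only one path
    return approved      # 'approved' is unbound when neither branch is taken
"""

# Same routine with a default-deny initialisation before the branches.
FIXED = """
def approve_transfer(amount, limit, is_vip):
    approved, reason = False, "default deny"
    if amount > limit:
        reason = "over limit"
    elif is_vip:
        approved = True
    log(reason)
    return approved
"""

if __name__ == "__main__":
    print(find_uninitialized_uses(VULNERABLE))  # ['reason@8', 'approved@9']
    print(find_uninitialized_uses(FIXED))       # []
```

A purely lexical review tool sees `approved` assigned twice and `reason` once and raises nothing; the path-sensitive walk reports both reads because neither name is bound on the fall-through path where no branch is taken. The fixed version initialises to a deny-by-default value before branching, which is the pattern a secure coding standard for approval logic should require.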
Secure SDLC: Security and Functional Testing
Security testing (vulnerability assessment, penetration testing etc.) should be an inherent part of the functional testing of Core Banking applications.
► Security integration with the existing test bed:
  ► Most enterprise test environments use automated tools to perform functional, usability and QA testing
  ► As the security testing process matures, software testers should adopt automated security tools that link into their existing test beds
► Security-related regression testing:
  ► Helps confirm the security view presented by the architecture and development teams
  ► Also presents an added level of comfort to internal and external application audit teams
► Develop security standards for the infrastructure supporting the applications
► Develop a pre-implementation risk analysis:
  ► The combined/overall security of the application should be determined before it goes live. For example, the orchestration of web server farms with multiple operating systems and web server platforms, the design of firewall access control lists and assignment of network ports, and the integration with application servers can spark off a plethora of seemingly innocuous but dangerous vulnerabilities.
Sustaining the Secure SDLC life-cycle
Ongoing security has to be ensured in order to maintain a successful Secure SDLC lifecycle
► Extremely critical, since the application goes through numerous changes after its development and deployment, which may directly or indirectly affect its pre-determined security posture.
► The following are a few suggested activities to ensure ongoing security for core banking applications:
  ► External security design reviews
  ► Post-deployment penetration tests and code reviews
  ► Vendor risk management reviews
  ► Outsourced software security acceptance testing services
  ► Legacy application reviews
Summary – Secure SDLC
► Requirements
  Description: By definition, the System Requirements Specification (SRS) document captures functional requirements only. Non-functional requirements (such as security and performance) are often not captured adequately.
  Secure SDLC Benefits: Documentation and review of supplementary specifications that address non-functional requirements.
  Security Domains: Authentication, Access Control, Session Management, Auditing, Cryptography.
► Design
  Description: Potential threats and attack scenarios are not envisaged during the design stage. Security flaws detected during the design phase may take 30-60 times less effort to fix than those detected post release.
  Secure SDLC Benefits: Threat modeling and attack tree development aimed at uncovering design flaws.
  Security Domains: Authentication, Access Control, Session Management, Auditing, Cryptography.
► Development
  Description: Unsafe functions and APIs are used without any mitigating controls because formal secure coding guidelines do not exist. Where formal secure coding guidelines do exist, they may not be adhered to if the developers do not see the value of the restrictive coding rules, owing to a lack of security awareness.
  Secure SDLC Benefits: Secure Coding Handbook and Secure Application Development Workshops to enhance security awareness.
  Security Domains: Input Validation, Exception Handling, Interaction With Deployment Environment.
► Testing
  Description: Testing efforts are focused on identifying and fixing functionality bugs. Security-focused testing is not carried out because the security requirements have not been identified and documented. The importance laid on development concentrates the talented workforce in those teams. All
  Secure SDLC Benefits: Security-focused testing as a result of documented security requirements.
► Deployment
  Description: Applications are often granted privileged access to the deployment infrastructure (OS, RDBMS) to save the effort involved in identifying the minimum privileges required at the infrastructure level to support the application’s functionality.
  Secure SDLC Benefits: Application functionality guaranteed to work in hardened deployment infrastructure.
  Security Domains: Interaction With Deployment Environment.
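The statistics slide attributes a third of high-risk findings to XSS or SQL injection and says a third could be prevented by validating user input; the testing slide asks for security regression tests that plug into the existing automated test bed; the summary lists Input Validation and Exception Handling as the development-phase security domains. The following added example (not code from the presentation) ties those three points together on an account-balance lookup: an injectable version beside a version that applies allow-list validation and a bound parameter, plus a test-bed run that executes the functional check and a constructed set of injection payloads against either implementation. The accounts table, the sample rows, the payloads and the 10-to-16-digit account number rule are all assumptions made for the illustration; SQLite stands in for the bank's RDBMS.

```python
"""Account lookup: injectable vs. validated + parameterised, with a security regression run (added example)."""
import re
import sqlite3
from typing import Callable, Dict, List, Tuple

# Assumption for this example: account numbers are 10 to 16 decimal digits.
ACCOUNT_NO = re.compile(r"[0-9]{10,16}")

# Constructed injection payloads that make up the security regression suite.
INJECTION_PAYLOADS = [
    "' OR '1'='1",
    "1000000001' OR '1'='1",
    "x'; DROP TABLE accounts; --",
]

Lookup = Callable[[sqlite3.Connection, str], List[Tuple[str, int]]]


def make_test_bank() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the core banking accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (account_no TEXT PRIMARY KEY, customer TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
        ("1000000001", "A. Customer", 5000),
        ("1000000002", "B. Customer", 12000),
        ("1000000003", "C. Customer", 750),
    ])
    return conn


def balance_vulnerable(conn: sqlite3.Connection, account_no: str) -> List[Tuple[str, int]]:
    """Deliberately vulnerable: user text is spliced into the statement and can rewrite the WHERE clause."""
    query = f"SELECT account_no, balance FROM accounts WHERE account_no = '{account_no}'"
    return conn.execute(query).fetchall()


def balance_hardened(conn: sqlite3.Connection, account_no: str) -> List[Tuple[str, int]]:
    """Allow-list validation first, then a bound parameter: the input can never become SQL syntax."""
    if not ACCOUNT_NO.fullmatch(account_no):
        raise ValueError("account number must be 10 to 16 digits")
    return conn.execute(
        "SELECT account_no, balance FROM accounts WHERE account_no = ?", (account_no,)
    ).fetchall()


def run_test_bed(lookup: Lookup) -> Dict[str, bool]:
    """One run of the functional check plus the security regression suite against `lookup`."""
    conn = make_test_bank()
    results = {"functional": lookup(conn, "1000000001") == [("1000000001", 5000)]}
    for payload in INJECTION_PAYLOADS:
        try:
            rows = lookup(conn, payload)
            results[payload] = rows == []     # a malformed account number must match nothing
        except ValueError:
            results[payload] = True           # rejected by validation before reaching the database
        except (sqlite3.Error, sqlite3.Warning):
            results[payload] = False          # the payload reached the engine and altered the statement
    return results


if __name__ == "__main__":
    for name, fn in (("vulnerable", balance_vulnerable), ("hardened", balance_hardened)):
        print(name, run_test_bed(fn))
```

Run against `balance_vulnerable`, the functional check passes while every payload fails: the tautology payloads return all three accounts, and the stacked-statement payload surfaces as a driver error, which is the exception-handling gap the summary table names. Against `balance_hardened`, the same suite passes because validation rejects each payload before any SQL is built. Because `run_test_bed` is just another function in the test bed, it can be wired into the same automated runs that already cover functional and QA cases.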
Questions and Answers