Lean and (Prepared for) Mean: Application Security Program Essentials

:: History ::
TASSCC Annual Conference 2011 - August 8, 2011 (Philip J Beyer and John B Dickson)

:: Summary ::
We will present the process TEA took to assess its application security program, identify essential components, realign the development lifecycle, and build a roadmap to software assurance maturity.

:: Abstract ::
In times of economic hardship and shrinking budgets, security risks are unchanged. When we in state government have to be the most resourceful, the bad guys are no less active and determined. So, how do you stay secure in these lean times? What are the most important and effective security measures to take? In its mission to serve students and educators across the state, the Texas Education Agency has developed a program to manage risk in its web applications. In response to budget constraints, TEA shifted the focus of its application security program. We will present the process TEA took to assess the program, identify essential components, realign the development lifecycle, and build a roadmap to software assurance maturity.

Published in: Technology, Education
  • Slide 1: You can contact us by email. These slides will be provided. Resources, including links, are provided at the end.
  • Slide 2: Background (About us; About TEA; About application security). Trends (At TEA; In the industry). Essentials (Where did TEA start; What you don’t need; What you do need). Roadmap (Work to maturity; Phased approach).
  • Slide 3: TEA works with school districts and regional service centers and is responsible for school funding and educator certification.
  • Slide 4: Key Point: Application security should be on your radar screen.
    Statistics:
    - Trustwave Global Security Report 2011 identifies the cause of 6% of breaches as an SQL Injection flaw (on par with Email Trojan and Social Engineering). Trustwave cites it as the most popular attack vector for web applications.
    - Verizon Data Breach Incident Report 2011 identifies the cause of 14% of breaches involving hacking as an SQL Injection flaw. Almost ¼ of hacking breaches (22%) used web applications as their attack vector. The Verizon DBIR 2011 states, “Just because web applications dropped as an overall percentage of attacks, don’t believe for an instant that they are any less critical a vector than they were a year ago. If you remove hospitality and retail victims from this dataset, web applications are right back on top and are more numerous than ever.”
  • Slide 5: Key Point: Application security is as important as ever, but funding is limited.
  • Slide 6: Key Point: TEA needed to revamp its Application Security Program.
    - Veracode: managed security service provider; proprietary automated scanning; initial review performed by vendor.
    - Denim Group: secondary review performed by vendor; remediation analysis and work performed by vendor.
  • Slide 7: Key Point: This is not about the perfect Application Security Program… It’s about a basic one. Mostly, you need to start with structure, not software.
  • Slide 8: Key Point: Expensive software is best purchased after you have policy and procedure already in place.
  • Slide 9: Key Point: Expensive software is best purchased after you have policy and procedure already in place.
  • Slide 10: Key Point: Begin with what you already have.
  • Slide 11: Key Point: Begin with what you already have.
  • Slide 12: Key Point: The effort will need a leader. Other: introduce OWASP at this point.
  • Slide 13: Key Point: Application security should involve everyone, not just the technical folks. Other: the security team is primarily oversight.
  • Slide 14: Key Point: Developers and testers need to know what they are up against.
  • Slide 15: Key Point: Your team will need to consult with experts, inside or outside of your organization.
  • Slide 16: Key Point: Have a plan and execute it… slowly.
  • Slide 17: Key Point: TEA’s roadmap is based on OpenSAMM. Other: OpenSAMM is managed by OWASP; TEA target maturity levels are listed in parentheses; TEA will take a multi-phase approach to implement target maturity.
  • Slide 18: Key Point: Governance activities work to align the program with the business.
  • Slide 19: Key Point: Construction activities work to build security procedures into software development.
  • Slide 20: Key Point: Verification activities work to address security in software testing.
  • Slide 21: Key Point: Deployment activities work to provide security for software in production.
  • Transcript of "Lean and (Prepared for) Mean: Application Security Program Essentials"

    1. Lean and (Prepared for) Mean: Application Security Program Essentials
       Philip J. Beyer - Texas Education Agency
       philip.beyer@tea.state.tx.us
       John B. Dickson - Denim Group
       john@denimgroup.com
       TASSCC 2011 Annual Conference
       Copyright 2011 by Texas Education Agency. All rights reserved.
    2. Overview
       • Background
       • Trends
       • Essentials
       • Roadmap
    3. About
       • Phil Beyer: Information Security Officer; consulting background
       • John Dickson: Application security industry leader
       • TEA: ~700 employees, ~1200 school districts, ~5 million students
    4. Application Security – What? Why?
       In Brief
       • Web applications can be attacked
       • Attacks are different from those at the network or OS level
       • Becoming a significant attack vector
       Impact
       • Attackers bypass traditional infrastructure security controls
       • Users are a target as well as data
    5. Trends
       At TEA
       • Applications created regularly and retired slowly
       • Ability to outsource remediation decreased due to funding limitations
       In the Industry
       • Attacks are increasingly sophisticated and automated
       • Remediation costs increase in later phases of the development cycle
    6. Essentials: Where Did TEA Start
       • Application Security Program established
       • Some policy and procedure
       • Initial training and exposure to concepts
       • Historically siloed approach
       • Outsourcing for subject matter expertise: Veracode, Denim Group
    7. Essentials: The Premise
       • Some things you Don’t Need
       • Some things you Do Need
       • Some things you Just Don’t Need Yet
    8. Essentials: What You Don’t Need – An Expensive Scanner
       • A Security Process for scanning is more important
       • Simple (free) scanners will get you started
       • Buy the software later
    9. Essentials: What You Don’t Need – A Complicated Scoring/Tracking Tool
       • A Security Process for profiling is more important
       • Risk ranking doesn’t have to be hard
       • Keeping track of your applications can be simple
       • Buy the software later
    10. Essentials: What You Don’t Need – A Dedicated Application Security Team
       • A Security Process for testing is more important
       • Leverage your existing QA and Testing team
       • Simple security testing will get you started
       • Build and train your testing capability gradually
    11. Essentials: What You Don’t Need – A Perfect SDLC
       • Get started with what you have now
       • Update your policies and procedures as you go
       • Don’t try to drop in “The Secure SDLC” all at once
    12. Essentials: What You Do Need – A Champion
       • That’s You!
       • Understand the problem
       • Communicate the risk
       • Work with the business
    13. Essentials: What You Do Need – A Team that Gets It
       • Managers
       • Developers
       • Testers
       • Security
    14. Essentials: What You Do Need – Good Training
       • Resources exist, some are free
       • The trainer is important
       • Attacks evolve, so should your training
    15. Essentials: What You Do Need – Expert Help
       • Technical questions will arise
       • Some vendors will dispute vulnerabilities
       • Be sure your team can consult with experts
    16. Essentials: What You Do Need – A Roadmap to Maturity
       • Use an established maturity model: OpenSAMM, BSIMM
       • Design a roadmap to get to maturity
       • Don’t try to do it all at once
    17. Roadmap: Use a Maturity Model
       OpenSAMM - Software Assurance Maturity Model
       Maturity levels 1 through 4 (TEA target maturity level in parentheses)
       • Governance: Strategy & Metrics (2), Policy & Compliance (3), Education & Guidance (3)
       • Construction: Threat Assessment (3), Security Requirements (3), Secure Architecture (3)
       • Verification: Design Review (2), Code Review (2), Security Testing (3)
       • Deployment: Vulnerability Management (3), Environment Hardening (3), Operational Enablement (3)
    18. Roadmap – Phase 1: Governance
       • Estimate overall business risk profile
       • Build and maintain an application security program roadmap
       • Build and maintain compliance guidelines
       • Conduct technical security awareness training
       • Build and maintain technical guidelines
    19. Roadmap – Phase 1: Construction
       • Derive security requirements based on business functionality
       • Evaluate security and compliance guidance for requirements
    20. Roadmap – Phase 1: Verification
       • Derive test cases from known security requirements
       • Conduct penetration testing on software releases
    21. Roadmap – Phase 1: Deployment
       • Identify point of contact for security issues
       • Create informal security response team(s)
    22. Resources
       • OWASP – Open Web Application Security Project: http://www.owasp.org/
       • OpenSAMM - Software Assurance Maturity Model: http://www.opensamm.org/
       • Denim Group – Remediation Resource Center: http://www.denimgroup.com/remediation/
    23. Questions?
