Secure SDLC in the Real World: Pitfalls Discovered and Treasure Collected Along the Way

Secure SDLC in the Real World:  Pitfalls Discovered and Treasure Collected Along the Way Philip J. Beyer - Texas Education Agency" philip.beyer@tea.state.tx.us" @pjbeyerCopyright 2011 by Texas EducationAgency. All rights reserved. BSides DFW 2011 http://lanyrd.com/skymf" 1

About• Phil Beyer" – Information Security Officer" – Consulting background"• TEA" – ~700 employees" – ~1200 school districts" – ~5 million studentsCopyright 2011 by Texas EducationAgency. All rights reserved. BSides DFW 2011 http://lanyrd.com/skymf" 3

Where Did TEA Start?• Application Security Program already established" – Some policies & procedures" – Initial training & exposure to concepts" – Historically siloed approach"• Outsourcing for subject matter expertiseCopyright 2011 by Texas EducationAgency. All rights reserved. BSides DFW 2011 http://lanyrd.com/skymf" 4

Where Do You Start?• Establish your Application Security Program"• Be the Champion (or find one)"• Make sure your Team Gets It"• Have a Roadmap to MaturityCopyright 2011 by Texas EducationAgency. All rights reserved. BSides DFW 2011 http://lanyrd.com/skymf" 5

The Premise• It has already started"• Shortcuts don’t exist" – No cheat codes" – No invincibility" – No God mode"• There are Pitfalls"• There are TreasuresCopyright 2011 by Texas EducationAgency. All rights reserved. BSides DFW 2011 http://lanyrd.com/skymf" 9

The Early Levels (Phase 1)  Treasures• A Map" – Not necessarily THE Map, but something to get started" – An organizational roadmap is a powerful thing"• Some Running Room" – Awareness in the organization is increasing"Copyright 2011 by Texas EducationAgency. All rights reserved. BSides DFW 2011 http://lanyrd.com/skymf 10

The Early Levels (Phase 1)  Pitfalls• The Log" – You can’t stand still" – Move through Phase 1 so you don’t get rolled over"• Inertia" – Getting started is just plain hard" – Determining who should play is also hardCopyright 2011 by Texas EducationAgency. All rights reserved. BSides DFW 2011 http://lanyrd.com/skymf 11

Racking Up Some Points (Phase 2)  Treasures• Silver Bars" – Development teams begin to appreciate the security problem""• The Ladder" – More of the team is involved in practicing security" – You’ve found a new way around the alligator-infested pondCopyright 2011 by Texas EducationAgency. All rights reserved. BSides DFW 2011 http://lanyrd.com/skymf 12

Racking Up Some Points (Phase 2)  Pitfalls• The Alligator" – There’s a dangerous thing there on the screen" – Threats are real, and now they see some of them too"• More Players" – Other people are going to play your game" – They may not play as { nice | carefully | safely } as youCopyright 2011 by Texas EducationAgency. All rights reserved. BSides DFW 2011 http://lanyrd.com/skymf 13

Hitting Your Stride (Phase 3)  Treasures• Gold Bars" – Better visibility instills confidence in Management"• The Compass" – The Program has direction" – From requirements to maintenance, a formal process starts to emerge"Copyright 2011 by Texas EducationAgency. All rights reserved. BSides DFW 2011 http://lanyrd.com/skymf 14

Hitting Your Stride (Phase 3)  Pitfalls• The Scorpion" – Better informed Management may sting"• The Wall" – A different kind of obstacle will block your path" – Developers and Operators may not enjoy working together more closely"Copyright 2011 by Texas EducationAgency. All rights reserved. BSides DFW 2011 http://lanyrd.com/skymf 15

Bigger Treasures, Deeper Pits (Phase 4)  Treasures• The Bridge" – Get rid of that Rope and jeer at the Alligators as you walk across" – The whole Program is working together to build securely and verify aggressivelyCopyright 2011 by Texas EducationAgency. All rights reserved. BSides DFW 2011 http://lanyrd.com/skymf 16

Bigger Treasures, Deeper Pits (Phase 4)  Pitfalls• The Hole" – Compliance is not Security" – Don’t let Management fall into the trap at this stage of the game… It can be a pretty deep pitCopyright 2011 by Texas EducationAgency. All rights reserved. BSides DFW 2011 http://lanyrd.com/skymf 17

The End Game (Phases 5 & 6)  Treasures• Shangri-La" – You’ve reached the mystical, harmonious valley; a permanently happy land isolated from the outside world" – I’d tell you how it feels, but we haven’t gotten there yetCopyright 2011 by Texas EducationAgency. All rights reserved. BSides DFW 2011 http://lanyrd.com/skymf 18

It’s Time to Play• Build a Mature Software Assurance Program"• Measure and Report Your Progress"• Have Fun!Copyright 2011 by Texas EducationAgency. All rights reserved. BSides DFW 2011 http://lanyrd.com/skymf 19

Resources• OWASP – Open Web Application Security Project" – http://www.owasp.org/"• OpenSAMM - Software Assurance Maturity Model" – http://www.opensamm.org/""• Attribution" – All OpenSAMM images are licensed under the Creative Commons Attribution-Share Alike 3.0 License.Copyright 2011 by Texas EducationAgency. All rights reserved. BSides DFW 2011 http://lanyrd.com/skymf 20

Secure SDLC in the Real World: Pitfalls Discovered and Treasure Collected Along the Way

by Philip Beyer

Accessibility

Categories

Upload Details

Usage Rights

1 Embed 32

Statistics

Secure SDLC in the Real World: Pitfalls Discovered and Treasure Collected Along the Way Presentation Transcript