SlideShare a Scribd company logo

The 7 Myths of Software Security Best Practices

Download as PPTX, PDF
Cigital
Cigital

The 7 software security myths are common misconceptions about software security best practices. They explore how software security initiatives (SSIs) should work, and aren’t simply about how to secure a particular application. 

Software
1 of 43
Copyright © 2016, Cigital The 7 Myths of Software Security Best Practices
Copyright © 2016, Cigital The 7 software security myths are common misconceptions about software security best practices. They explore how software security initiatives (SSIs) should work, and aren’t simply about how to secure a particular application.
Copyright © 2016, Cigital Myth #1 Perimeter security can secure your applications.
Copyright © 2016, Cigital The Truth Perimeter security was originally implemented to deter and block disturbances from the outside. Although this is still a good basic security precaution, attack strategies have become far more advanced.
Copyright © 2016, Cigital Let’s Put It Into Perspective Today’s computer and network security mechanisms are like the city walls, moats, and drawbridges of feudal times.
Copyright © 2016, Cigital Feudal Systems Are a Thing of the Past… For a Reason. • Attack strategies have become more advanced in the past 500+ years. • A moat, city wall, and drawbridge are no competition for those who want to break in. • Today’s attackers have access to things like predator drones and laser-guided missiles! • The modern castle requires more protection against attacks.
Copyright © 2016, Cigital The Solution: Move Beyond the Perimeter Due to more advanced threats, we must make sure our modern day castles are protected by more than just perimeter security measures. Learn more about myth #1
Copyright © 2016, Cigital In the beginning, perimeter security was invented to protect this broken stuff from bad people. But, more importantly, why is the stuff broken in the first place?
Copyright © 2016, Cigital Myth #2 A tool is all you need for software security.
Copyright © 2016, Cigital The Truth Tools aren’t a catch-all solution. Although more advanced tools allow new rules to be added over time, if a rule hasn’t yet been written, the tool will never find that problem.
Copyright © 2016, Cigital Let’s Put It Into Perspective. • Black box testing tools were the earliest approach for simple protocols (such as HTTP). • Next came the idea of looking at the code itself with static analysis tools. • Static analysis tools focus on finding implementation bugs. However…
Copyright © 2016, Cigital The best a code review can uncover is about 50% of security vulnerabilities.
Copyright © 2016, Cigital 3 Reasons Tools Aren’t a Catch-All Solution 1. Tools suffer from false negatives and false positives. False negatives are more dangerous because they lead to a false sense of security. 2. Manual auditing is very time consuming. There’s no way to avoid sorting through the output, prioritizing which issues. 3. Tools still need people. There’s no way for a tool to know which problems are more or less important to the organization.
Copyright © 2016, Cigital The Solution: The Happy Hybrid Approach • Use the tools. They expedite processes and eliminate the low-hanging fruit vulnerabilities. • Don’t underestimate the effectiveness of humans. Learn more about myth #2
Copyright © 2016, Cigital Myth #3 Penetration testing solves everything.
Copyright © 2016, Cigital The Truth Penetration testing is the most frequently and commonly applied of all software security practices. But, this isn’t necessarily a good thing…
Copyright © 2016, Cigital Let’s Put It Into Perspective. • If we characterize functional testing as “testing for positives,” then penetration is “testing for negatives.” • Testing for a negative poses a far greater challenge than verifying a positive. • If negative tests don’t uncover any faults, this is only proof that no faults occur under particular test conditions, and by no means proves that no faults exist.
Copyright © 2016, Cigital The Solution: Outside-In Penetration Testing • Conduct penetration testing at the end of the SDLC to ensure security measures introduced earlier in the lifecycle are effective. • Architecture risk analysis and code review should take place before penetration testing. Learn more about myth #3
Copyright © 2016, Cigital Myth #4 Software security is a cryptography problem.
Copyright © 2016, Cigital The Truth You can use a crypto library to add a security feature to an application, but that’s not the same thing as making an application secure.
Copyright © 2016, Cigital Let’s Put It Into Perspective. Security is a system property, not a thing. Simply adding crypto measures to your code is unlikely to make it secure. Crypto: • Is astonishingly complex to get right. • Can’t find or eradicate bugs and flaws. • Can’t train your developers. • Falls prey to penetration testing from time to time.
Copyright © 2016, Cigital 2 Reasons Crypto Alone Is Not the Answer 1. Most attacks against applications do not target security features specifically (and crypto is just another security feature). 2. Applied crypto is designed to protect data, not the application that processes data.
Copyright © 2016, Cigital The Solution: Focus on Practices, Not Features Software security is about integrating security practices into the way you build software, not simply integrating security features into your code. Learn more about myth #4
Copyright © 2016, Cigital Myth #5 Software security is only about finding bugs in your code.
Copyright © 2016, Cigital The Truth Implementation bugs in code account for 50% of the overall software security problem.
Copyright © 2016, Cigital Let’s Put It Into Perspective. • The division of design flaws and bugs is about 50/50. Both need to be secured. • You can institute the best code review program on the planet, with the strongest tools known to humanity, but it’s unlikely that you will be able to find and fix flaws this way. • Flaws must be found and resolved by experienced people.
Copyright © 2016, Cigital The Solution: Find, Fix, and Block Bugs • While finding bugs in your code is great, however to improve your security, it’s critical to fix what you find. • It’s also important to make sure you train your developers not to make new bugs every day. Learn more about myth #5
Copyright © 2016, Cigital Myth #6 Software security should be solved by developers.
Copyright © 2016, Cigital The Truth The notion that developers—and only developers—should collectively and magically be responsible for software security never actually works in practice.
Copyright © 2016, Cigital Let’s Put It Into Perspective. Who should ‘do’ software security?  Security people  Compliance people  Developers  None of the above  All of the above
Copyright © 2016, Cigital The Solution: Creating an SSG • Software security does (eventually) take all of the above, but ultimately must be coordinated by a central software security group (SSG). • Implementing software security requires forming a SSG.
Copyright © 2016, Cigital We asked 23 real firms how they went about organizing their SSG.
Copyright © 2016, Cigital 5 Essential SSG Groups 1. Services • Structured in terms of specific services provided to organization. 2. Policy • Sets policy that is to be enforced by technologists outside the SSG. 3. Business Unit • Tailor solution to each business unit within the organization. 4. Hybrid • Sets mandatory policy, but doesn’t have bandwidth to execute work for all teams who want it. 5. Management • Very mature initiatives managing a distributed security network.
Copyright © 2016, Cigital Tips to Make Your SSG Successful • Make sure your SSG includes software people, security people, and people who can interact with the business. • Train your developers and arm them with software security know-how. • Check code for bugs, check design for flaws, and check systems for security holes.
Copyright © 2016, Cigital Myth #7 Software security should be solved by developers.
Copyright © 2016, Cigital The Truth Getting started back in the day meant identifying apps with the most risk and focusing all of the attention on them. However, those days are over.
Copyright © 2016, Cigital Today it’s about securing the entire portfolio—the overall attack surface.
Copyright © 2016, Cigital Let’s Put It Into Perspective. • Risk management is a careful balance between security and business functionality. • Unfortunately, risk management can fail, and when it does, it really fails!
Copyright © 2016, Cigital Failure 0: An Exposed Portfolio • Security controls are kind of like clothing for software and you have a large portfolio of “naked” software assets to protect. • Determine how many, and which type, of clothes to pair with your software assets. • The types of risk management decisions made for this prioritization makes all the difference between success and failure.
Copyright © 2016, Cigital Failure 1: How Many Medium Risks Make High Risk Software? • There is a bug severity problem in software. • How many little bugs does it take to make a big bug? • The problem of compounding influences security risk and risk management decisions.
Copyright © 2016, Cigital The Solution: Cover Your Entire Software Portfolio Ultimately, both risk management failure conditions can be addressed by the same guiding principles: • Leave no code naked. • Tighten security controls between low and high risk assets to the extent possible without moving the high risks down the prioritization list. • Create a specific testing schedule.
Copyright © 2016, Cigital The Bottom Line • Clearly, software security is about more than point solutions. • No point solution by itself can solve software security. • A successful SSI is about culture change in an organization from top to bottom and back again.
Copyright © 2016, Cigital For more info about real-world SSI activities and how to go about measuring an SSI, go to https//www.BSIMM.com info@cigital.com @cigital

Recommended

How to Avoid the Top Ten Software Security Flaws
How to Avoid the Top Ten Software Security FlawsHow to Avoid the Top Ten Software Security Flaws
How to Avoid the Top Ten Software Security FlawsCigital
 
Secure Design: Threat Modeling
Secure Design: Threat ModelingSecure Design: Threat Modeling
Secure Design: Threat ModelingCigital
 
The Path to Proactive Application Security
The Path to Proactive Application SecurityThe Path to Proactive Application Security
The Path to Proactive Application SecurityCigital
 
5 Models for Enterprise Software Security Management Teams
5 Models for Enterprise Software Security Management Teams 5 Models for Enterprise Software Security Management Teams
5 Models for Enterprise Software Security Management Teams Cigital
 
Enterprise Spice Scope
Enterprise Spice ScopeEnterprise Spice Scope
Enterprise Spice Scopeespice
 
Touchpoints and security
Touchpoints and securityTouchpoints and security
Touchpoints and securityMohan Datar
 
Security Vulnerabilities in Third Party Code - Fix All the Things!
Security Vulnerabilities in Third Party Code - Fix All the Things! Security Vulnerabilities in Third Party Code - Fix All the Things!
Security Vulnerabilities in Third Party Code - Fix All the Things! Kymberlee Price
 
Security in the Development Lifecycle - lessons learned
Security in the Development Lifecycle - lessons learnedSecurity in the Development Lifecycle - lessons learned
Security in the Development Lifecycle - lessons learnedBoaz Shunami
 

Recommended

How to Avoid the Top Ten Software Security Flaws
How to Avoid the Top Ten Software Security FlawsHow to Avoid the Top Ten Software Security Flaws
How to Avoid the Top Ten Software Security FlawsCigital
 
Secure Design: Threat Modeling
Secure Design: Threat ModelingSecure Design: Threat Modeling
Secure Design: Threat ModelingCigital
 
The Path to Proactive Application Security
The Path to Proactive Application SecurityThe Path to Proactive Application Security
The Path to Proactive Application SecurityCigital
 
5 Models for Enterprise Software Security Management Teams
5 Models for Enterprise Software Security Management Teams 5 Models for Enterprise Software Security Management Teams
5 Models for Enterprise Software Security Management Teams Cigital
 
Enterprise Spice Scope
Enterprise Spice ScopeEnterprise Spice Scope
Enterprise Spice Scopeespice
 
Touchpoints and security
Touchpoints and securityTouchpoints and security
Touchpoints and securityMohan Datar
 
Security Vulnerabilities in Third Party Code - Fix All the Things!
Security Vulnerabilities in Third Party Code - Fix All the Things! Security Vulnerabilities in Third Party Code - Fix All the Things!
Security Vulnerabilities in Third Party Code - Fix All the Things! Kymberlee Price
 
Security in the Development Lifecycle - lessons learned
Security in the Development Lifecycle - lessons learnedSecurity in the Development Lifecycle - lessons learned
Security in the Development Lifecycle - lessons learnedBoaz Shunami
 
SSE
SSESSE
SSESagehenCapitalManagement
 
Security Maturity Models.
Security Maturity Models.Security Maturity Models.
Security Maturity Models.Priyanka Aash
 
YHON JAIRO DURAN M
YHON JAIRO DURAN MYHON JAIRO DURAN M
YHON JAIRO DURAN MYhon Duran Martinez
 
Kristalia Interiors pre qualification 22 05 15
Kristalia Interiors pre qualification 22 05 15Kristalia Interiors pre qualification 22 05 15
Kristalia Interiors pre qualification 22 05 15Kristalia Interiors L.L.C
 
Epistemología, Bolivia, Belleza, Carnaval, White Skin
Epistemología, Bolivia, Belleza, Carnaval, White SkinEpistemología, Bolivia, Belleza, Carnaval, White Skin
Epistemología, Bolivia, Belleza, Carnaval, White SkinÁlvaro Miguel Carranza Montalvo
 
OGE unit 2 assignment 1
OGE unit 2 assignment 1 OGE unit 2 assignment 1
OGE unit 2 assignment 1 Sofi Mercado
 
Sue resume
Sue resume Sue resume
Sue resume Sue Thompson
 
Sociología de la Educación
Sociología de la EducaciónSociología de la Educación
Sociología de la EducaciónÁlvaro Miguel Carranza Montalvo
 
Ortodoncia
OrtodonciaOrtodoncia
OrtodonciaDaniela Garcia
 
الفصل المقلوب
الفصل المقلوب الفصل المقلوب
الفصل المقلوبpnuhaya1
 
Experiential Learning around Court Skills in Child Protection Cases: A key Pa...
Experiential Learning around Court Skills in Child Protection Cases: A key Pa...Experiential Learning around Court Skills in Child Protection Cases: A key Pa...
Experiential Learning around Court Skills in Child Protection Cases: A key Pa...BASPCAN
 
Letting the Future: - a guided therapeutic intervention for children and youn...
Letting the Future: - a guided therapeutic intervention for children and youn...Letting the Future: - a guided therapeutic intervention for children and youn...
Letting the Future: - a guided therapeutic intervention for children and youn...BASPCAN
 
7 Lessons Learned From BSIMM
7 Lessons Learned From BSIMM7 Lessons Learned From BSIMM
7 Lessons Learned From BSIMMCigital
 
Getting Executive Support for a Software Security Program
Getting Executive Support for a Software Security ProgramGetting Executive Support for a Software Security Program
Getting Executive Support for a Software Security ProgramCigital
 
Handle With Care: You Have My VA Report!
Handle With Care: You Have My VA Report!Handle With Care: You Have My VA Report!
Handle With Care: You Have My VA Report!Cigital
 
Can You Really Automate Yourself Secure
Can You Really Automate Yourself SecureCan You Really Automate Yourself Secure
Can You Really Automate Yourself SecureCigital
 
How to Choose the Right Security Training for You
How to Choose the Right Security Training for YouHow to Choose the Right Security Training for You
How to Choose the Right Security Training for YouCigital
 
6 Most Common Threat Modeling Misconceptions
6 Most Common Threat Modeling Misconceptions6 Most Common Threat Modeling Misconceptions
6 Most Common Threat Modeling MisconceptionsCigital
 
Video Game Security
Video Game SecurityVideo Game Security
Video Game SecurityCigital
 
Get Your Board to Say "Yes" to a BSIMM Assessment
Get Your Board to Say "Yes" to a BSIMM AssessmentGet Your Board to Say "Yes" to a BSIMM Assessment
Get Your Board to Say "Yes" to a BSIMM AssessmentCigital
 
Software Security Metrics
Software Security MetricsSoftware Security Metrics
Software Security MetricsCigital
 
Software Security Initiative Capabilities: Where Do I Begin?
Software Security Initiative Capabilities: Where Do I Begin? Software Security Initiative Capabilities: Where Do I Begin?
Software Security Initiative Capabilities: Where Do I Begin? Cigital
 

More Related Content

Viewers also liked

Security Maturity Models.
Security Maturity Models.Security Maturity Models.
Security Maturity Models.Priyanka Aash
 
Kristalia Interiors pre qualification 22 05 15
Kristalia Interiors pre qualification 22 05 15Kristalia Interiors pre qualification 22 05 15
Kristalia Interiors pre qualification 22 05 15Kristalia Interiors L.L.C
 
OGE unit 2 assignment 1
OGE unit 2 assignment 1 OGE unit 2 assignment 1
OGE unit 2 assignment 1 Sofi Mercado
 
الفصل المقلوب
الفصل المقلوب الفصل المقلوب
الفصل المقلوبpnuhaya1
 
Experiential Learning around Court Skills in Child Protection Cases: A key Pa...
Experiential Learning around Court Skills in Child Protection Cases: A key Pa...Experiential Learning around Court Skills in Child Protection Cases: A key Pa...
Experiential Learning around Court Skills in Child Protection Cases: A key Pa...BASPCAN
 
Letting the Future: - a guided therapeutic intervention for children and youn...
Letting the Future: - a guided therapeutic intervention for children and youn...Letting the Future: - a guided therapeutic intervention for children and youn...
Letting the Future: - a guided therapeutic intervention for children and youn...BASPCAN
 

Viewers also liked (12)

SSE
SSESSE
SSE
 
Security Maturity Models.
Security Maturity Models.Security Maturity Models.
Security Maturity Models.
 
YHON JAIRO DURAN M
YHON JAIRO DURAN MYHON JAIRO DURAN M
YHON JAIRO DURAN M
 
Kristalia Interiors pre qualification 22 05 15
Kristalia Interiors pre qualification 22 05 15Kristalia Interiors pre qualification 22 05 15
Kristalia Interiors pre qualification 22 05 15
 
Epistemología, Bolivia, Belleza, Carnaval, White Skin
Epistemología, Bolivia, Belleza, Carnaval, White SkinEpistemología, Bolivia, Belleza, Carnaval, White Skin
Epistemología, Bolivia, Belleza, Carnaval, White Skin
 
OGE unit 2 assignment 1
OGE unit 2 assignment 1 OGE unit 2 assignment 1
OGE unit 2 assignment 1
 
Sue resume
Sue resume Sue resume
Sue resume
 
Sociología de la Educación
Sociología de la EducaciónSociología de la Educación
Sociología de la Educación
 
Ortodoncia
OrtodonciaOrtodoncia
Ortodoncia
 
الفصل المقلوب
الفصل المقلوب الفصل المقلوب
الفصل المقلوب
 
Experiential Learning around Court Skills in Child Protection Cases: A key Pa...
Experiential Learning around Court Skills in Child Protection Cases: A key Pa...Experiential Learning around Court Skills in Child Protection Cases: A key Pa...
Experiential Learning around Court Skills in Child Protection Cases: A key Pa...
 
Letting the Future: - a guided therapeutic intervention for children and youn...
Letting the Future: - a guided therapeutic intervention for children and youn...Letting the Future: - a guided therapeutic intervention for children and youn...
Letting the Future: - a guided therapeutic intervention for children and youn...
 

More from Cigital

7 Lessons Learned From BSIMM
7 Lessons Learned From BSIMM7 Lessons Learned From BSIMM
7 Lessons Learned From BSIMMCigital
 
Getting Executive Support for a Software Security Program
Getting Executive Support for a Software Security ProgramGetting Executive Support for a Software Security Program
Getting Executive Support for a Software Security ProgramCigital
 
Handle With Care: You Have My VA Report!
Handle With Care: You Have My VA Report!Handle With Care: You Have My VA Report!
Handle With Care: You Have My VA Report!Cigital
 
Can You Really Automate Yourself Secure
Can You Really Automate Yourself SecureCan You Really Automate Yourself Secure
Can You Really Automate Yourself SecureCigital
 
How to Choose the Right Security Training for You
How to Choose the Right Security Training for YouHow to Choose the Right Security Training for You
How to Choose the Right Security Training for YouCigital
 
6 Most Common Threat Modeling Misconceptions
6 Most Common Threat Modeling Misconceptions6 Most Common Threat Modeling Misconceptions
6 Most Common Threat Modeling MisconceptionsCigital
 
Video Game Security
Video Game SecurityVideo Game Security
Video Game SecurityCigital
 
Get Your Board to Say "Yes" to a BSIMM Assessment
Get Your Board to Say "Yes" to a BSIMM AssessmentGet Your Board to Say "Yes" to a BSIMM Assessment
Get Your Board to Say "Yes" to a BSIMM AssessmentCigital
 
Software Security Metrics
Software Security MetricsSoftware Security Metrics
Software Security MetricsCigital
 
Software Security Initiative Capabilities: Where Do I Begin?
Software Security Initiative Capabilities: Where Do I Begin? Software Security Initiative Capabilities: Where Do I Begin?
Software Security Initiative Capabilities: Where Do I Begin? Cigital
 
Static Analysis Tools and Frameworks: Overcoming a Dangerous Blind Spot
Static Analysis Tools and Frameworks: Overcoming a Dangerous Blind SpotStatic Analysis Tools and Frameworks: Overcoming a Dangerous Blind Spot
Static Analysis Tools and Frameworks: Overcoming a Dangerous Blind SpotCigital
 
Cyber War, Cyber Peace, Stones, and Glass Houses
Cyber War, Cyber Peace, Stones, and Glass HousesCyber War, Cyber Peace, Stones, and Glass Houses
Cyber War, Cyber Peace, Stones, and Glass HousesCigital
 
The Complete Web Application Security Testing Checklist
The Complete Web Application Security Testing ChecklistThe Complete Web Application Security Testing Checklist
The Complete Web Application Security Testing ChecklistCigital
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?Cigital
 
BSIMM By The Numbers
BSIMM By The NumbersBSIMM By The Numbers
BSIMM By The NumbersCigital
 
BSIMM: Bringing Science to Software Security
BSIMM: Bringing Science to Software SecurityBSIMM: Bringing Science to Software Security
BSIMM: Bringing Science to Software SecurityCigital
 
BSIMM-V: The Building Security In Maturity Model
BSIMM-V: The Building Security In Maturity ModelBSIMM-V: The Building Security In Maturity Model
BSIMM-V: The Building Security In Maturity ModelCigital
 

More from Cigital (17)

7 Lessons Learned From BSIMM
7 Lessons Learned From BSIMM7 Lessons Learned From BSIMM
7 Lessons Learned From BSIMM
 
Getting Executive Support for a Software Security Program
Getting Executive Support for a Software Security ProgramGetting Executive Support for a Software Security Program
Getting Executive Support for a Software Security Program
 
Handle With Care: You Have My VA Report!
Handle With Care: You Have My VA Report!Handle With Care: You Have My VA Report!
Handle With Care: You Have My VA Report!
 
Can You Really Automate Yourself Secure
Can You Really Automate Yourself SecureCan You Really Automate Yourself Secure
Can You Really Automate Yourself Secure
 
How to Choose the Right Security Training for You
How to Choose the Right Security Training for YouHow to Choose the Right Security Training for You
How to Choose the Right Security Training for You
 
6 Most Common Threat Modeling Misconceptions
6 Most Common Threat Modeling Misconceptions6 Most Common Threat Modeling Misconceptions
6 Most Common Threat Modeling Misconceptions
 
Video Game Security
Video Game SecurityVideo Game Security
Video Game Security
 
Get Your Board to Say "Yes" to a BSIMM Assessment
Get Your Board to Say "Yes" to a BSIMM AssessmentGet Your Board to Say "Yes" to a BSIMM Assessment
Get Your Board to Say "Yes" to a BSIMM Assessment
 
Software Security Metrics
Software Security MetricsSoftware Security Metrics
Software Security Metrics
 
Software Security Initiative Capabilities: Where Do I Begin?
Software Security Initiative Capabilities: Where Do I Begin? Software Security Initiative Capabilities: Where Do I Begin?
Software Security Initiative Capabilities: Where Do I Begin?
 
Static Analysis Tools and Frameworks: Overcoming a Dangerous Blind Spot
Static Analysis Tools and Frameworks: Overcoming a Dangerous Blind SpotStatic Analysis Tools and Frameworks: Overcoming a Dangerous Blind Spot
Static Analysis Tools and Frameworks: Overcoming a Dangerous Blind Spot
 
Cyber War, Cyber Peace, Stones, and Glass Houses
Cyber War, Cyber Peace, Stones, and Glass HousesCyber War, Cyber Peace, Stones, and Glass Houses
Cyber War, Cyber Peace, Stones, and Glass Houses
 
The Complete Web Application Security Testing Checklist
The Complete Web Application Security Testing ChecklistThe Complete Web Application Security Testing Checklist
The Complete Web Application Security Testing Checklist
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?
 
BSIMM By The Numbers
BSIMM By The NumbersBSIMM By The Numbers
BSIMM By The Numbers
 
BSIMM: Bringing Science to Software Security
BSIMM: Bringing Science to Software SecurityBSIMM: Bringing Science to Software Security
BSIMM: Bringing Science to Software Security
 
BSIMM-V: The Building Security In Maturity Model
BSIMM-V: The Building Security In Maturity ModelBSIMM-V: The Building Security In Maturity Model
BSIMM-V: The Building Security In Maturity Model
 

Recently uploaded

+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceanilsa9823
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 

Recently uploaded (20)

+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 

The 7 Myths of Software Security Best Practices

  • 1. Copyright © 2016, Cigital The 7 Myths of Software Security Best Practices
  • 2. Copyright © 2016, Cigital The 7 software security myths are common misconceptions about software security best practices. They explore how software security initiatives (SSIs) should work, and aren’t simply about how to secure a particular application.
  • 3. Copyright © 2016, Cigital Myth #1 Perimeter security can secure your applications.
  • 4. Copyright © 2016, Cigital The Truth Perimeter security was originally implemented to deter and block disturbances from the outside. Although this is still a good basic security precaution, attack strategies have become far more advanced.
  • 5. Copyright © 2016, Cigital Let’s Put It Into Perspective Today’s computer and network security mechanisms are like the city walls, moats, and drawbridges of feudal times.
  • 6. Copyright © 2016, Cigital Feudal Systems Are a Thing of the Past… For a Reason. • Attack strategies have become more advanced in the past 500+ years. • A moat, city wall, and drawbridge are no competition for those who want to break in. • Today’s attackers have access to things like predator drones and laser-guided missiles! • The modern castle requires more protection against attacks.
  • 7. Copyright © 2016, Cigital The Solution: Move Beyond the Perimeter Due to more advanced threats, we must make sure our modern day castles are protected by more than just perimeter security measures. Learn more about myth #1
  • 8. Copyright © 2016, Cigital In the beginning, perimeter security was invented to protect this broken stuff from bad people. But, more importantly, why is the stuff broken in the first place?
  • 9. Copyright © 2016, Cigital Myth #2 A tool is all you need for software security.
  • 10. Copyright © 2016, Cigital The Truth Tools aren’t a catch-all solution. Although more advanced tools allow new rules to be added over time, if a rule hasn’t yet been written, the tool will never find that problem.
  • 11. Copyright © 2016, Cigital Let’s Put It Into Perspective. • Black box testing tools were the earliest approach for simple protocols (such as HTTP). • Next came the idea of looking at the code itself with static analysis tools. • Static analysis tools focus on finding implementation bugs. However…
  • 12. Copyright © 2016, Cigital The best a code review can uncover is about 50% of security vulnerabilities.
  • 13. Copyright © 2016, Cigital 3 Reasons Tools Aren’t a Catch-All Solution 1. Tools suffer from false negatives and false positives. False negatives are more dangerous because they lead to a false sense of security. 2. Manual auditing is very time consuming. There’s no way to avoid sorting through the output, prioritizing which issues. 3. Tools still need people. There’s no way for a tool to know which problems are more or less important to the organization.
  • 14. Copyright © 2016, Cigital The Solution: The Happy Hybrid Approach • Use the tools. They expedite processes and eliminate the low-hanging fruit vulnerabilities. • Don’t underestimate the effectiveness of humans. Learn more about myth #2
  • 15. Copyright © 2016, Cigital Myth #3 Penetration testing solves everything.
  • 16. Copyright © 2016, Cigital The Truth Penetration testing is the most frequently and commonly applied of all software security practices. But, this isn’t necessarily a good thing…
  • 17. Copyright © 2016, Cigital Let’s Put It Into Perspective. • If we characterize functional testing as “testing for positives,” then penetration is “testing for negatives.” • Testing for a negative poses a far greater challenge than verifying a positive. • If negative tests don’t uncover any faults, this is only proof that no faults occur under particular test conditions, and by no means proves that no faults exist.
  • 18. Copyright © 2016, Cigital The Solution: Outside-In Penetration Testing • Conduct penetration testing at the end of the SDLC to ensure security measures introduced earlier in the lifecycle are effective. • Architecture risk analysis and code review should take place before penetration testing. Learn more about myth #3
  • 19. Copyright © 2016, Cigital Myth #4 Software security is a cryptography problem.
  • 20. Copyright © 2016, Cigital The Truth You can use a crypto library to add a security feature to an application, but that’s not the same thing as making an application secure.
  • 21. Copyright © 2016, Cigital Let’s Put It Into Perspective. Security is a system property, not a thing. Simply adding crypto measures to your code is unlikely to make it secure. Crypto: • Is astonishingly complex to get right. • Can’t find or eradicate bugs and flaws. • Can’t train your developers. • Falls prey to penetration testing from time to time.
  • 22. Copyright © 2016, Cigital 2 Reasons Crypto Alone Is Not the Answer 1. Most attacks against applications do not target security features specifically (and crypto is just another security feature). 2. Applied crypto is designed to protect data, not the application that processes data.
  • 23. Copyright © 2016, Cigital The Solution: Focus on Practices, Not Features Software security is about integrating security practices into the way you build software, not simply integrating security features into your code. Learn more about myth #4
  • 24. Copyright © 2016, Cigital Myth #5 Software security is only about finding bugs in your code.
  • 25. Copyright © 2016, Cigital The Truth Implementation bugs in code account for 50% of the overall software security problem.
  • 26. Copyright © 2016, Cigital Let’s Put It Into Perspective. • The division of design flaws and bugs is about 50/50. Both need to be secured. • You can institute the best code review program on the planet, with the strongest tools known to humanity, but it’s unlikely that you will be able to find and fix flaws this way. • Flaws must be found and resolved by experienced people.
  • 27. Copyright © 2016, Cigital The Solution: Find, Fix, and Block Bugs • While finding bugs in your code is great, however to improve your security, it’s critical to fix what you find. • It’s also important to make sure you train your developers not to make new bugs every day. Learn more about myth #5
  • 28. Copyright © 2016, Cigital Myth #6 Software security should be solved by developers.
  • 29. Copyright © 2016, Cigital The Truth The notion that developers—and only developers—should collectively and magically be responsible for software security never actually works in practice.
  • 30. Copyright © 2016, Cigital Let’s Put It Into Perspective. Who should ‘do’ software security?  Security people  Compliance people  Developers  None of the above  All of the above
  • 31. Copyright © 2016, Cigital The Solution: Creating an SSG • Software security does (eventually) take all of the above, but ultimately must be coordinated by a central software security group (SSG). • Implementing software security requires forming a SSG.
  • 32. Copyright © 2016, Cigital We asked 23 real firms how they went about organizing their SSG.
  • 33. Copyright © 2016, Cigital 5 Essential SSG Groups 1. Services • Structured in terms of specific services provided to organization. 2. Policy • Sets policy that is to be enforced by technologists outside the SSG. 3. Business Unit • Tailor solution to each business unit within the organization. 4. Hybrid • Sets mandatory policy, but doesn’t have bandwidth to execute work for all teams who want it. 5. Management • Very mature initiatives managing a distributed security network.
  • 34. Copyright © 2016, Cigital Tips to Make Your SSG Successful • Make sure your SSG includes software people, security people, and people who can interact with the business. • Train your developers and arm them with software security know-how. • Check code for bugs, check design for flaws, and check systems for security holes.
  • 35. Copyright © 2016, Cigital Myth #7 Software security should be solved by developers.
  • 36. Copyright © 2016, Cigital The Truth Getting started back in the day meant identifying apps with the most risk and focusing all of the attention on them. However, those days are over.
  • 37. Copyright © 2016, Cigital Today it’s about securing the entire portfolio—the overall attack surface.
  • 38. Copyright © 2016, Cigital Let’s Put It Into Perspective. • Risk management is a careful balance between security and business functionality. • Unfortunately, risk management can fail, and when it does, it really fails!
  • 39. Copyright © 2016, Cigital Failure 0: An Exposed Portfolio • Security controls are kind of like clothing for software and you have a large portfolio of “naked” software assets to protect. • Determine how many, and which type, of clothes to pair with your software assets. • The types of risk management decisions made for this prioritization makes all the difference between success and failure.
  • 40. Copyright © 2016, Cigital Failure 1: How Many Medium Risks Make High Risk Software? • There is a bug severity problem in software. • How many little bugs does it take to make a big bug? • The problem of compounding influences security risk and risk management decisions.
  • 41. Copyright © 2016, Cigital The Solution: Cover Your Entire Software Portfolio Ultimately, both risk management failure conditions can be addressed by the same guiding principles: • Leave no code naked. • Tighten security controls between low and high risk assets to the extent possible without moving the high risks down the prioritization list. • Create a specific testing schedule.
  • 42. Copyright © 2016, Cigital The Bottom Line • Clearly, software security is about more than point solutions. • No point solution by itself can solve software security. • A successful SSI is about culture change in an organization from top to bottom and back again.
  • 43. Copyright © 2016, Cigital For more info about real-world SSI activities and how to go about measuring an SSI, go to https//www.BSIMM.com info@cigital.com @cigital