The Future of Software Security Assurance


This talk is from ISSA International 2011 and looks out over the horizon of Software Security Assurance for the next 20 years. Fundamentally, we must start with one question: "Can you trust your software?" If you can't say "Yes!" for certain, it's time to start somewhere.


  1. The Future of Software Security Assurance: Cloudy, with Storms Likely
     Rafal Los, Enterprise & Cloud Security Strategist, HP Software
     ©2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
  2. SSA – Software Security Assurance
  3. Software Security Assurance: Can you trust your software?
  4. THE FUTURE … of software security.
  5. 5 Inevitables
  6. 1 – Application Modernization
     Catalysts:
     • Your corporate applications are aging
     • Aging application technologies are hindering your business productivity
     • Applications deployed ‘before security’ are critically exposed
     Opportunity:
     • Address software security as a core business requirement
     • Modernize security controls, including the “bolt-ons”
  7. 2 – Cloud Adoption
     Catalysts:
     • Organizations are adopting cloud whether they acknowledge it or not
     • Extreme confusion: what is “cloud security”?
     • “The Cloud” brings fundamentally different security challenges
     Opportunity:
     • A forceful re-evaluation of security paradigms
     • Shift security from the perimeter to the application
     • Engage providers; fully understand the risks of the cloud model
  8. 3 – Consumerization of the Enterprise
     Catalysts:
     • Enterprise functions are being performed across consumer devices
     • Corporate data is spread across devices the enterprise doesn’t control
     • Applications must run on diverse platforms and pose unique risks
     Opportunity:
     • Understand application risk profiles across consumer use-cases
     • Focus on minimizing data sprawl and centralizing logic processing
     • Create strategic mobile application defenses
  9. 4 – Technology Overrun
     Catalysts:
     • Bleeding-edge client-side technology adoption
     • Mobile development is hot; security is lacking
     • Development technology is over-running security capability
     Opportunity:
     • Adopt technology-independent security controls
     • Control application release processes (ITIL change control)
  10. 5 – Incidents
      Catalysts:
      • Incidents will increase as enterprises become more aware
      • Cloud adoption, mobile computing and consumerization increase the likelihood
      • Regulations and laws continue to drive disclosure
      Opportunity:
      • Optimized technology responds to incidents faster and smarter
      • Identify data acquisition and forensic strategies as part of design plans
  11. 8 Evolutions
  12. 1 – Start and End with Requirements
      Strategic risk reduction impacts the idea, not the result.
      • Understand organizational goals; seek to reduce risk
      • Influence “what the business wants”
      • Abstract security to risk, in business terms
      • A defect is a deviation from a requirement
  13. 2 – Engage the Full SDLC
      Organizations must address the full application lifecycle.
      [Figure: application lifecycle stages, including IT handoff and release]
  14. 3 – Shift SSA Ownership
      Software security is not the Security organization’s problem.
      SSA Today:
      • SSA is equated with security
      • Security runs the SSA program
      • Security manages all aspects
      • Security performs security testing
      • Security manages defect tracking
      • Fail.
      SSA Tomorrow:
      • Security governs the SSA program
      • Security manages key aspects
      • Security governs testing and validates findings
      • Security develops policy and practices
      • Succeed.
  15. 4 – Risk-Based Defense
      Application use-cases have unique risk profiles. It’s time to recognize this fact and build sane strategies.
      • Segregate, segment, and build security zones by business criticality
      • Short-term tactical defenses for the weakest legacy applications
      • Fix, defer, or accept risk.
      • Develop risk profiles for application use-cases such as mobile…
        – Encrypt data, virtualize usage
      • Fortify more than just the front-end, including services and APIs
  16. 5 – Static or Dynamic Testing? Yes.
      Static vs. dynamic security testing is no longer a question.
      • Static and dynamic analysis each have advantages; both are needed
      • Provide the right technology, at the right time, to the right people
      • Audit the source code; validate the running application
      • Remember, you can’t test yourself secure
  17. 6 – Test, but Cheat
      When you’re up against attackers, cheat as often as possible.
      • Gray-box technology provides deeper insight into application logic
      • Link exploits with vulnerable code
      • Get to the fix faster.
      Web App (pseudocode from the slide):
          function exec_query () {
              take user data (x);
              construct query (x + y);
              execute query;
              return results (z);
          }
      4 exploitable fields → 1 fix
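The slide's point is that a black-box scan reports one finding per input field, while a gray-box view traces all of them to one line of code and therefore one fix. The following is an added example, not code from the talk or from HP: it implements the slide's exec_query() in Python against an in-memory SQLite table, routes four hypothetical fields (the field names, table and rows are constructed for the example) into that one function, and counts how many fields a tautology payload can exploit before and after the single parameterization fix.

```python
import sqlite3
from typing import Callable, List

# Constructed sample data for the example; not from the talk.
SAMPLE_USERS = [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")]

# Four hypothetical web-app entry points (assumed names) that all pass a
# user-controlled value into the shared query function. A black-box scanner
# reports four findings; gray-box tracing shows they share one sink.
FIELDS = ("search_name", "profile_name", "login_name", "export_name")


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def exec_query_vulnerable(conn: sqlite3.Connection, x: str) -> List[str]:
    """The slide's exec_query() as written: take user data (x), construct the
    query by concatenation (x + y), execute it, return results (z).
    The concatenation is the single injectable line."""
    y = "SELECT name FROM users WHERE name = '"
    query = y + x + "'"
    return [row[0] for row in conn.execute(query)]


def exec_query_fixed(conn: sqlite3.Connection, x: str) -> List[str]:
    """The one fix: the same function with x bound as a query parameter, so
    user data is treated as a value and can never alter the SQL structure."""
    query = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (x,))]


def handle_request(exec_query: Callable, conn: sqlite3.Connection,
                   field: str, value: str) -> List[str]:
    """Dispatch any of the four fields to the shared query function."""
    if field not in FIELDS:
        raise ValueError(f"unknown field {field!r}")
    return exec_query(conn, value)


def count_exploitable_fields(exec_query: Callable) -> int:
    """Send a classic tautology payload through every field and count how
    many return more rows than a single exact-name match ever could."""
    conn = make_db()
    payload = "' OR '1'='1"
    exploitable = 0
    for field in FIELDS:
        try:
            rows = handle_request(exec_query, conn, field, payload)
        except sqlite3.Error:
            rows = []  # a SQL syntax error is not a successful bypass
        if len(rows) > 1:
            exploitable += 1
    return exploitable


if __name__ == "__main__":
    print("before fix:", count_exploitable_fields(exec_query_vulnerable),
          "exploitable fields")
    print("after fix: ", count_exploitable_fields(exec_query_fixed),
          "exploitable fields")
```

Run stand-alone it reports four exploitable fields before the fix and zero after, while a legitimate lookup such as `exec_query_fixed(make_db(), "alice")` still returns `["alice"]`. Linking the four exploit results back to the one concatenation line is what lets the defect be fixed once instead of patched four times at the field level.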
  18. 7 – Dynamic Security Intelligence
      Real security isn’t about keeping the ‘bad guys’ out; it’s about reacting in real time.
      [Figure: a compromised remote corporate user reaching critical data, with Detect and Respond as the control points]
  19. 8 – Measure Against Business Goals (KPIs)
      Only 2 questions are relevant:
      1. What are your organizational, business objectives?
      2. How does Software Security Assurance contribute to those objectives?
      5 Suggested KPIs:
      1. WRT – Weighted Risk Trend
      2. DRW – Defect Remediation Window
      3. RDR – Rate of Defect Recurrence
      4. SCM – Specific Coverage Metric
      5. SQR – Security to Quality Defect Ratio
  20. 1 Cold Hard Fact
  21. You will be breached. You will lose data, trust, and money. The incident will matter. The response will be the deciding factor.
  22. Surviving a Major Breach
      In the court of public opinion
      [Figure: Incident, Organizational Due Diligence, Response, “Damage”]
      Enterprise Security – HP Confidential
  23. SOFTWARE SECURITY ASSURANCE MUST EVOLVE
  24. Twitter: @Wh1t3Rabbit
      Blog:
      THANK YOU, LET’S TALK!