
CSE June 2016: Best Practices for a Mature Appsec Program

Join CEO of Security Innovation, Ed Adams, as he discusses Best Practices for a Mature Application Security Program in a webinar sponsored by the Connected Security Expo.


  1. Best Practices for a Mature Application Security Program
  2. About the Presenter
     Ed Adams, CEO of Security Innovation
     • Ponemon Institute Distinguished Research Fellow
     • Privacy by Design Ambassador
     • CEO by trade; engineer by heart
     • In younger days, built non-lethal weapons systems for the Federal Government
  3. About Security Innovation
     Specialization
     • 15 years of research on software vulnerabilities
     • Security testing methodology adopted by SAP, Symantec, Microsoft, and McAfee
     • Authors of 19 books; 10 co-authored with Microsoft Products & Services
     • STANDARDS: best practices adoption
     • TRAINING: eLearning & instructor-led
     • ASSESSMENT: software and SDLC
     Reducing Application Security Risk
     • Uncover critical vulnerabilities
     • Roll out a secure, repeatable SDLC
     • Build internal competency
  4. Agenda
     • Industry Research & Insight: Where do Companies Struggle?
     • Understanding Threats and Attacks to Software Applications as well as Various Platforms and Languages
     • Optimizing your Software Development Lifecycle (SDLC)
  5. Understanding the Root Cause of Vulnerabilities
     • Failure to set requirements and standards
     • Not enough training and education
     • Lack of process
     • Vulnerabilities are unintended functionality
  6. Disconnect Between Security and Software Teams
     Ponemon Application Security Research Study
     [Chart: percentage of Developers vs. Security respondents agreeing with each statement below]
     • There are ample resources to ensure all IT security requirements are accomplished
     • IT security can hire and retain knowledgeable and experienced security practitioners
     • The IT security leader is a member of the executive team
     • IT security responds quickly to new challenges and issues
     • The IT security function is able to prevent serious cyber attacks such as advanced persistent threats
     • Appropriate steps are taken to comply with the leading IT security standards
     • IT security strategy is fully aligned with the business strategy
     • Security & data protection policies are well-defined and fully understood by employees
     • Security technologies are adequate in protecting our information assets and IT infrastructure
     • Application security is a top priority in my organization
     Cisco report indicates that Applications (32.6%) and Infrastructure (41.9%) were the top categories exploited.*
     *Cisco 2015 Annual Security Report
  7. The Organizational Disconnect
     IT/GRC/InfoSec historically focused on network/endpoint security
     • Developers and the SDLC are now “in scope”
     Tools are a typical first step
     • Both sides have a different perspective on what policies and procedures are in place
     How did we handle performance and reliability?
     • Security needs to be a standard part of the process
  8. Implications: Aligning Management & Staff
     Developers don’t always understand policies
     o “Ensure applications are coded so as not to be susceptible to the OWASP Top 10”: what does this mean to an Objective-C iOS developer?
     Lack of policy enforcement renders the mandate invisible
     Management, security and engineers all speak different languages
     o “Confidential data must be protected”
       - Protected from what?
       - How do I protect it?
         • Architecture guidance?
         • Coding standards?
         • Remediation specifics once vulnerabilities are found?
         • e.g., user input sanitization… how do I do that in ASP.NET 3.5?
  9. Organizations Don’t Have a Defined SDLC
     SDLC Still Lacking
     o Tools aren’t integrated into the SDLC
     o Security automation is often used after deployment (too late?)
     o Policies and standards are still rare
     Forrester: “Organizations implementing an SDLC showed better ROI than the overall population”
     Aberdeen: Adopting a formal SDLC process increases security and reduces the severity and cost of vulnerability incidents, while generating 4x the ROI of other application security approaches
     There are well-known and widely adopted secure SDLC practices – it’s a matter of pulling it all together
  10. Building Security In
     Department of Homeland Security: “Regardless of which statistic is used, there is a substantial cost savings for fixing security flaws during requirements gathering than deployment*”
     Gartner: “Finding bugs at operations time costs you up to 100 percent effort”
     Relative cost of fixing security flaws during the different development phases (Source: National Institute of Standards & Technology (NIST)):
       Design          1
       Implementation  6.5
       Testing         15
       Post Release    60
     *DHS: Estimating Benefits from Investing in Secure Development
  11. Comprehensive & Specialized Skills
     Mature organizations have application security training programs in place for their developers that focus on:
     o Specific role-based responsibilities
     o Offensive and defensive tactics
     o Application security policies
     o Areas of vulnerability
     o Best practices for the standards to be followed
     o Various platforms and languages
     19% of developers believe their organization’s training program is up-to-date - Ponemon Institute
     An effective training program can reduce vulnerabilities by 25% - Forrester
  12. Does Application Security Pay?
     Companies reported substantial efficiency gains and risk reduction even BEFORE implementing a formal SDLC program:
     o Cut vulnerability fix times from 1 to 2 weeks to about 1 to 2 days
     o Observed that repeat vulnerabilities dropped from 80% to 0%
     o Operational improvements led to expense benefits valued at more than $2 million per team over the course of 2 years
     Source: Mainstay Partners/HP – Does Application Security Pay?
  13. Agenda
     • Industry Research & Insight: Where do Companies Struggle?
     • Understanding Threats and Attacks to Software Applications as well as Various Platforms and Languages
     • Optimizing your Software Development Lifecycle (SDLC)
  14. The Connected World
     Connected homes, medical equipment and transportation are ALL vulnerable to software attacks
  15. Language, Platform & Framework Nuances
     Each language has unique idiosyncrasies and syntax issues
     • C++ developers need to worry about memory-usage vulnerabilities
     • Java and .NET have different security architectures and libraries
     • Scripting languages such as Python can be difficult to secure
     Each platform is unique
     • Mobile – rogue client/server issues; data caching on the device
     • Cloud/Web – authorization issues; web services are particularly vulnerable
     • Embedded – breach the hardware root of trust and it’s game over
     Security policies are not enough
     • Follow through with architecture and development standards
     • Must explain “how” and “why,” not just “what”
     • Must tie to specific roles and technologies
     All software-borne exploits
  16. Security is Ultimately a Software Problem
     70-92% of vulnerabilities exist in the application, not the network layer*
     The network boundary plays a key role in “defense-in-depth”, but…
     o Misses the majority of security vulnerabilities
     o Ineffective when applications are internet facing
     o Attackers can/will break through
     With the Internet, applications become the perimeter
     We still invest exponentially more in network defenses
     * source: Gartner and NIST
  17. … and a Human Problem
     Vulnerabilities are frequently the result of a failure in the engineering process
     Developers have an implicit trust in the user
     o Often think of functionality rather than security
     o Not common to consider abuse cases
     Education tailored to each environment is required
     o Particularly in the requirements and design phases, where few tools are available
     o The wide range of technologies and platforms is overwhelming
  18. Agenda
     • Industry Research & Insight: Where do Companies Struggle?
     • Understanding Threats and Attacks to Software Applications as well as Various Platforms and Languages
     • Optimizing your Software Development Lifecycle (SDLC)
  19. Typical Maturity Progression
     Tools are an important part of an AppSec program
     Tools SUPPORT a solid FOUNDATION of people and process
     Investment in people and process yields the most leverage
  20. The Pitfalls of Automation
     First instinct is “what tool can we buy?”
     Tools can do a lot of heavy lifting faster than humans, but they…
     o Only find KNOWN vulnerabilities/patterns and can miss important issues
     o Don’t teach you how to fix vulnerabilities or prevent them in the future
     o Are useful as part of an assessment program, but shouldn’t be your sole solution
     Analyzing results is time consuming and requires skill
     Results:
     o Tools often become shelf-ware
     o Dev team pushes back against vulnerability management in the SDLC
  21. Secure at the Source / Find & Fix / Protect in Play
     Secure at the Source (Skills Development)
     • InfoSec Standards
     • Secure Coding Standards
     • Key activities
     • Know-how
     Find & Fix (Skills and Tools)
     • Vulnerability Scanning
     • Penetration Testing
     • Manual or Automated
     • Code or in Production
     Protect in Play (Tools for Defense in Depth)
     • Web Application Firewalls
     • Application Whitelisting
     • RASP
     • DLP
     Securing at the Source Cannot be Driven by Technology
  22. Reducing Application Security Risk at the Source
     Standards & Policies: set goals and be explicit
     o Create security requirements for your teams (insourced or outsourced)
     o Align development activities with policies, compliance mandates, and requirements
     Education: equip teams to make good decisions
     o Technical and awareness training
     o By role, technology, and platform
     o Training drives effective assessments and helps meet standards
     Assessment: understand the gaps
     o Audit your team against standards and policies
     o Results drive improvements in policy, standards, education and tool usage
  23. Rolling Out a Secure SDLC
     A mature SDLC has formal requirements, designs, implementations and testing procedures in place
     View security as yet another aspect of software quality
  24. You Don’t Have to Change Your Process
     Simply augment it with a set of high-impact security activities and the knowledge to execute them
  25. Activities Work Together
     Design review: sets the team up for success and finds problems before they propagate into difficult and expensive problems
     Threat modeling: ensures key threats are considered during design, coding and testing
     Code review: one of the highest-impact activities, but doesn’t consider the as-deployed state
     Manual penetration testing: requires deep knowledge of the application and the technologies in the environment
     Scanning tools: provide broad coverage quickly to augment these activities
  26. Secure, Repeatable Development Works
     Major Challenges
     • Needed to roll out the Microsoft Security Development Lifecycle (SDL) to hundreds of dev teams
     • Internal instructor-led training was effective, but not scalable and couldn’t be repurposed for new employees
     • Needed a way to train vendors to ensure software was built with security in mind
     Security Innovation Solution
     • Customized 14 eLearning courses specific to the Microsoft SDL
     Within 2 years, Microsoft was able to go from having 30% of its product teams trained on the SDL to 70% (over 3,000 users)
  27. Investing in Your SDLC Works!
     Consistent application of sound security practices during all phases of development will facilitate compliance and result in fewer vulnerabilities
  28. Secure Software Development Principles
     Executives & Managers
     • The importance of building secure applications from the start
     • Equip dev teams with the necessary tools, training and resources
     Architects
     • Threat modeling, architecture risk analysis and attack surface reduction
     Developers
     • How to code securely, avoid vulnerabilities and find and fix security defects in code
     Testers
     • Vulnerability classes, attack techniques and secure coding principles
  29. In Summary
     Application security know-how is the foundation of a mature AppSec program
     o You can’t operate tools or conduct key activities effectively otherwise
     Vulnerabilities are a human-created problem
     o Fill the skills gap and you fill the vulnerabilities gap
     Remember the 3 Pillars of Success for secure development
     o Standards & Process
     o Education
     o Assessments
     Let tools, technology & humans do what they do best
  30. Questions?
  31. Thank You!
     Ed Adams, eadams@securityinnovation.com
     Additional educational webinars: https://www.securityinnovation.com/knowledge-center/webinars
     Free reports and guides: https://www.securityinnovation.com/knowledge-center/reports-guides
