Secure Development
Steven C. Markey, MSIS, PMP, CISSP, CIPP, CISM, CISA, STS-EV, CCSK, CompTIA Cloud+
Principal, nControl, LLC
Adjunct Professor
• Presentation Overview
  – Application Security (AppSec) Driver(s)
  – Textbook
    – Processes (SDLC, SDL, STRIDE, DREAD)
    – People (InfoSec Staff, Developer Training)
    – Tools (Scanners, Policies & Standards)
    – Procuring Secure Applications
  – Real World
    – 10 Commandments for AppSec
    – AppSec Use Cases
• AppSec Drivers
  – Risk Management
  – Compliance
  – Revenue/Costs

• Risk Management
  – One of Many Risks
    – Operational Risk
    – Financial Risk
    – Reputational Risk
  – Transfer from Network Security to AppSec
[Figure slide. Source: OWASP]
[Figure slide. Source: ISC2]
• Compliance
  – Specific
    – PCI DSS 6.6
  – Vague
    – SOX
    – HIPAA
    – FISMA/FIPS
    – NERC/FERC
    – FDA 21 CFR Part 11 / ERES
• Revenue/Costs
  – Value-Add
  – Key Differentiator
  – Precursor to 3rd Party Accreditation
    – ICSA Labs
[Figure slide. Source: KLP Consulting]

• AppSec Programs
  – Architecture + Threat & Vulnerability Management (TVM)
  – Enterprise Architecture (EA)
    – Enterprise Security Architecture (ESA)
    – Sherwood Applied Biz Security Arch (SABSA)
    – The Open Group Arch Framework (TOGAF)
    – Jericho Model
  – AppSec Maturity Models
    – Building Security In Maturity Model (BSIMM)
    – OWASP’s Software Assurance Maturity Model (SAMM)
[Figure slides. Sources: NYSE Euronext (6 slides), Mountain Goat Software (1 slide), Microsoft (5 slides)]
• Training
  – Know Stakeholders
    – Project Managers
    – Development Managers
  – Tailor to Development Team
  – Use an Iterative Model
  – Incorporate Train the Trainer
  – Reinforce Training with Formal / Informal Incentives

• Scanners
  – Static Application Security Testing (SAST)
  – Dynamic Application Security Testing (DAST)
  – AppSec Pen Testing
  – Supplemental Tools
    – Fuzzing, Tracing, Scanning, Sniffing
    – IDEs
    – Proxies / Gateways
    – Firewalls (WAFs, DbFs / DAM, XML)
• Coding Conventions & Architectural Standards
  – Development Team Specific
  – Coding Enumeration
    – Error / Exception Handling
    – Input / Output Validation
    – Comments / Documentation
    – Session Management
    – Memory / Thread Management
    – PKI
    – IAM / IdM

• Coding Conventions & Architectural Standards
  – Architectural Enumeration
    – Thick / Thin
    – Internal / External
    – Transactional
    – Message / Information Delivery
    – Monitoring
    – SOA / Mobile / Cloud
    – App / Middleware
    – Database

• Coding Conventions & Architectural Standards
  – Architectural Enumeration Scenario
    – LAMP with Drupal
    – IAM via AD-based LDAP
    – Zend (PHP-based) Framework
    – Imperva DAM
    – Syslogd with ArcSight SIEM
    – DMZ w/ Load Balancing
• Procuring Secure Applications
  – Beware of Your Business Ecosystem
  – Weakest Link Mentality
  – Legal / SLA Verbiage
  – 3rd Party Reviews
    – ASP / Cloud / ISV
    – Mobile
    – COTS
    – Subsidiaries / Customers
• 10 AppSec Commandments
  1. Thou Shalt Execute AppSec at the Speed of Business
  2. Thou Shalt Not Architect Security
  3. Thou Shalt Evolve Your Testing Methodologies
  4. Thou Shalt Not Surprise Dev Teams
  5. Thou Shalt Test Apps in Production
  6. Thou Shalt Not Let Frameworks Replace Intelligence
  7. Thou Shalt Put Vulnerabilities in Proper Context
  8. Thou Shalt Not Give Dev Teams Access to Prod Data
  9. Thou Shalt Use a WAF/DAM with a Plan
  10. Thou Shalt Not Blame the Dev Team
Source: Dark Reading
• AppSec Use Cases
  – Strong SDLC & SDL Alignment
  – Socialize & Incentivize SDL Implementation
  – Embed AppSec SMEs in Dev Teams
  – Start on New Projects
  – Retrofit Legacy Apps / Systems as Time Permits
  – Iterative Improvement & Wins
  – No (Process / Tool) Silver Bullets

• Questions?
• Contact
  – Email: steve@ncontrol-llc.com
  – Twitter: @markes1
  – LI: http://www.linkedin.com/in/smarkey
Secure_Development_ISSA_v4