
Introduction to Software Security Initiative


Application development today involves building scalable and reliable software in an agile manner. The challenge is incorporating security controls without throttling the speed of application delivery. Individual activities such as threat modeling, static code analysis and penetration testing may each add value, but they are currently performed in silos.

Product and security engineering teams need to bring these piecemeal activities together under one robust framework: the Software Security Initiative (SSI).

This webinar on the Software Security Initiative aims to create awareness of what constitutes an SSI, the various security gates and their corresponding integration points in the application development lifecycle, and how companies can benefit from adopting an SSI to continuously assess their security posture and maturity over time. It also covers some of the most popular secure SDLC frameworks, such as BSIMM and OpenSAMM, and how companies stand to gain by adopting whichever of these frameworks works best for them.

Published in: Software


  1. INTRODUCTION TO SOFTWARE SECURITY INITIATIVE - Sudarshan Narayanan
  2. AGENDA
     ➤ What is a Software Security Initiative?
     ➤ Objectives & Benefits of a Software Security Initiative
     ➤ The 1-2-3 of Software Security Initiative implementation
     ➤ Types of Software Security Frameworks
     ➤ Questions
  3. PRODUCT ENGINEERING TODAY
     ➤ Agile Product Engineering
     ➤ Accelerated Deployment - Advent of DevOps
     ➤ Micro-services and Serverless Architecture
     ➤ Dependence on Third Party Libraries
     ➤ Automation Testing - Functional and Performance
  4. CURRENT STATE OF APPSEC
     ➤ AppSec Testing = Manual Pen-testing (and/or) Code Review
     ➤ Threat Modelling (???)
     ➤ Regressing security issues across releases
     ➤ Increased time to fix security vulnerabilities
     ➤ Lack of metrics to measure Software Security
  5. IN SHORT…
  6. WHAT IS A SOFTWARE SECURITY INITIATIVE?
  7. AN ADDITIONAL 20 HOURS A WEEK?
  8. EVERY SECURITY ENGINEERING TEAM: Penetration Tests, Threat Modeling, Infra Sweeps, Adhering to Compliance, Training, Security Automation, Design Review, Code Review, Secure Coding Guidelines, Security Toolchain, Bug Bounty Program, SAST, DAST, Architecture Review, DevSecOps, Risk Assessment, Security Governance, Server Hardening, Security Regressions, Vulnerability Assessments, Vulnerability Correlation
  9. SOFTWARE SECURITY INITIATIVE (SSI): “Collection of activities that Measure, Maintain and Improve the state of Software Security”
  10. OBJECTIVES
     ➤ Drive software security through shared ownership across teams
     ➤ Build a culture of software security awareness
     ➤ Equip teams to increase their “secure product throughput”
     ➤ Measure and Communicate success of building secure software
     ➤ Security -> Cost Center to Revenue Center
  11. THE 1-2-3-4 OF AN SSI
  12. STEP 1 - PLAN
  13. PLAN
     ➤ GATHER HISTORICAL / CURRENT STATE DATA
     ➤ ORGANIZE YOUR TOOL CHEST
     ➤ APPLICATION : TEAM MAPPING
     ➤ IDENTIFY TRAINING NEEDS
     ➤ IDENTIFY SECURITY GATES
     ➤ ASCERTAIN COMPLIANCE / LEGAL OBJECTIVES
     ➤ ESTABLISH SSI GOVERNANCE
     (diagram: inputs - Incident Reports, Assessment Reports, GA Reports; teams - Dev / Ops / QA; gates - DAST, SAST, Dependency Checks, placed across the Commit, Build, Deploy and Prod stages)
  14. STEP 2 - DO
  15. DO
     ➤ TOOLCHAIN IMPLEMENTATION
     ➤ ENHANCE EXISTING AUTOMATION
     ➤ BUILD INTERNAL CAPABILITY (TRAINING)
     ➤ SIG COLLABORATIONS
     ➤ TRANSCEND BEYOND PEN TESTS
     ➤ ENFORCE SECURITY GATES
     (diagram: QA Scripts + DAST, Exploit Scripts, Threat Modeling, Infra Audits, Config Checks, Code Reviews)
  16. STEP 3 - CHECK
  17. CHECK: CHOOSE FRAMEWORK (BSIMM / OpenSAMM)
  18. BSIMM VS OPENSAMM (Slight deviation… but it's worth it, guys!)
  19. A QUICK COMPARISON
     ➤ OpenSAMM
        ➤ Business Functions - 4
        ➤ Security Practices - 12
        ➤ Activities - 72
        ➤ Maturity Levels - 3
        ➤ Scoring
           ➤ Each practice area gets a score from 0.00 - 3.00
           ➤ Scores are calculated from the answers for each activity across all maturity levels
        ➤ Metrics
           ➤ Spider chart
           ➤ Roadmap projections
     ➤ BSIMM8
        ➤ Domains - 4
        ➤ Practice Areas - 12
        ➤ Activities - 113
        ➤ Maturity Levels - 3
        ➤ Scoring Method
           ➤ Performed activities are scored with 1
           ➤ No score for activities that are not performed
        ➤ Metrics
           ➤ Spider charts - the performed activity with the highest maturity level is taken as the high-water mark
  20. CHECK: CHOOSE FRAMEWORK (BSIMM / OpenSAMM)
     ➤ PERFORMANCE ANALYSIS
     ➤ SECURITY ASSESSMENT DATA
     ➤ COMPLIANCE AUDIT DATA
     ➤ DEFECT TRIAGE
  21. STEP 4 - ACT
  22. ACT
     ➤ EVOLVE USING FRAMEWORKS
     ➤ MITIGATION ROADMAP
     ➤ RESPOND TO CHANGES
     ➤ PROJECT MANAGEMENT TOOL - SSI
  23. TO SUM IT ALL UP
     ➤ PLAN - Prepare to Kick Start / Improve your SSI
     ➤ DO - Take Control and Implement your SSI
     ➤ CHECK - Measure Success of your SSI
     ➤ ACT - Identify Continuous Improvements of your SSI
  24. BEFORE WE END…
     ➤ Having trouble mapping security, compliance, legal and risk mandates?
     ➤ Have product releases been blocked or delayed owing to open security issues?
     ➤ Realise security is important, but just not able to catch up with deployments?
     ➤ Had trouble optimising / securing additional security budgets?
     ➤ You know you’ve done some great stuff on the security front, but just can’t convince your customers?
  25. SSI FOR THE WIN!
  26. OPEN HOUSE - Questions, clarifications et al.…
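As an added illustration of the two scoring methods compared on slide 19 (this is not code from the deck or from either framework): the BSIMM part follows the slide's rule of 1 per performed activity with the highest performed level as the high-water mark, while the OpenSAMM part uses an assumed simplified formula, the fraction of "yes" answers per maturity level summed over the three levels, which lands in the slide's 0.00 - 3.00 range. The practice names and answers are constructed sample data.

```python
from dataclasses import dataclass
from collections import defaultdict

@dataclass(frozen=True)
class Activity:
    practice: str    # e.g. "Code Review"
    level: int       # maturity level 1, 2 or 3 (both frameworks use three)
    performed: bool  # assessment answer: is the activity performed?

def opensamm_practice_score(acts):
    """Assumed simplified OpenSAMM-style score for one practice: for each
    maturity level, the fraction of that level's activities answered 'yes',
    summed over levels 1..3, giving a value between 0.00 and 3.00."""
    score = 0.0
    for level in (1, 2, 3):
        at_level = [a for a in acts if a.level == level]
        if at_level:
            score += sum(a.performed for a in at_level) / len(at_level)
    return round(score, 2)

def bsimm_practice_score(acts):
    """BSIMM-style score for one practice: 1 per performed activity, nothing
    for the rest, plus the high-water mark (highest level with any performed
    activity) that the spider chart plots."""
    done = [a for a in acts if a.performed]
    high_water_mark = max((a.level for a in done), default=0)
    return len(done), high_water_mark

def scorecard(activities):
    """Group assessment answers by practice and score each under both models."""
    by_practice = defaultdict(list)
    for a in activities:
        by_practice[a.practice].append(a)
    return {p: {"opensamm": opensamm_practice_score(acts),
                "bsimm": bsimm_practice_score(acts)}
            for p, acts in by_practice.items()}

# Constructed sample answers for two practices, two activities per level
# (OpenSAMM's 72 activities = 12 practices x 3 levels x 2); not real data.
SAMPLE = [
    Activity("Code Review", 1, True),  Activity("Code Review", 1, True),
    Activity("Code Review", 2, True),  Activity("Code Review", 2, False),
    Activity("Code Review", 3, False), Activity("Code Review", 3, False),
    Activity("Threat Assessment", 1, True),  Activity("Threat Assessment", 1, False),
    Activity("Threat Assessment", 2, False), Activity("Threat Assessment", 2, False),
    Activity("Threat Assessment", 3, True),  Activity("Threat Assessment", 3, False),
]

if __name__ == "__main__":
    for practice, scores in scorecard(SAMPLE).items():
        print(practice, scores)
```

Note how "Threat Assessment" gets a BSIMM high-water mark of 3 from a single level-3 activity while its level-2 row is empty; the level-weighted OpenSAMM-style score does not reward that gap.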
