The IMF and Aspect Security (now part of EY) created a risk-based assurance process to build the IMF's application security program from the ground up. The presenters share their experience of scaling from the occasional review of a few applications to providing assurance across the IMF's entire application portfolio. The session discusses how to provide targeted training, tailored design guidance and risk-based assessment activities.
Learning Objectives:
1: Understand the value of risk-based assessments.
2: Understand how to vary the rigor of security activities based on risk.
3: Understand the value of tailored security design guidance.
(Source: RSA Conference USA 2018)
Scaling an Application Security Program at the IMF: A Case Study
1. #RSAC
SESSION ID: GRC-F03
SCALING AN APPLICATION SECURITY PROGRAM AT THE IMF: A CASE STUDY
Jason Li, Senior Manager, Aspect Security (now part of EY), @InnocuousInfo
Majid Malaika, Application Security Specialist, International Monetary Fund, @MajidMalaika
2. THE VIEWS EXPRESSED HEREIN ARE THOSE OF THE SPEAKERS AND SHOULD NOT BE ATTRIBUTED TO THE IMF, ITS EXECUTIVE BOARD, OR ITS MANAGEMENT.
9. Approach
Develop current state or "as-is" security capabilities and maturity assessment
Develop strategy or “to-be” security capabilities
Perform gap analysis
Develop transition plan from current state to target state
11. Plan
Application risk profiling
Secure Software Development Lifecycle (SDLC) integration services
Tailored application security training and guidance
Application security automation
Vulnerability management
12. Application Security Risk Level (ASRL)
Inputs to the application questionnaire:
Network environment
Development process
Application architecture
Usage scenarios
Security controls
Data classification
13. Application Security Risk Level (ASRL)
Model calibration:
Representative sampling of applications
Scoring calculation
Sanity check
Application Security Risk Levels:
Very High
High
Medium
Low
Very Low
18. Case study: ASRL process
Challenges we faced
Lack of continuity hurt efficiency
Teams found questions confusing
Same owner for many applications
Legacy apps with new owners
Discrepancy between collected fields and asset inventory fields
Lessons learned
Use a dedicated resource
Update based on experiences
Short meetings across multiple weeks
Provide questions in advance
Work with asset inventory team to update
19. ASRL results
Chart: expected results versus actual results, showing the share of applications (0% to 45%) at each level: Very High, High, Medium, Low, Very Low. The individual bar values are not recoverable from the extracted slide.
20. Case study: targeted training
Challenges we faced
Roles need different training
Outsourced development results in staff that comes and goes
Developers geographically dispersed
Off-the-shelf trainings insufficiently tailored
Lessons learned
Ensure role-based curriculum
Include security training requirements in contract agreements
Favor e-learning/recorded modules
Mix commodity training with custom developed modules
21. Training results
Three main series
Security awareness
Secure processes/activities
Technical application security
Nine roles identified
28 e-learning modules
22. Case study: application security guidance
Challenges we faced
Teams don't have time to read docs
Teams need relevant guidance
Organization moving toward cloud
Lessons learned
Streamline as two-page reference
Tailor to most common architectures
Highlight standard control equivalents
23. Case study: Application Security Knowledge Domains (ASKDs)
Diagram: example ASKD for a SharePoint farm, with each component colored according to the legend below.
Actors: User; Example Admin (Ops Team); Internet
Farm components: Central Administration; IntraLinks (Content Mgmnt); Control Point (Reporting); Nintex (Workflow); Web Front End; Web Crawler (Search); Document Repository; SharePoint Services; Business Intelligence (PerformancePoint, Excel Services, Power Pivot); SharePoint App; Site Admin
Back end: Active Directory; Application Server (SSRS) SQL Server Reporting Services; Application Server (SSAS) SQL Server Analysis Services; External DBs; Config, Services and Content DBs; NTFS Cluster FS for Large Blobs
Connections: HTTPS (IWA/Basic NTLM) from clients to the web front end; HTTPS between farm tiers
Legend:
Present and Requires Limited Action
Present but Not Standard
Not Provided
Provided But Irrelevant to Security
Present but Requires Action
24. Case study: road map status
Part of a multiyear program build-out
Still progress to be made
What does the future look like?
New testing methods
New development paradigms
Emerging trend toward security champions
25. How can you start applying?
Next week you should:
Get buy-in from management
In the first three months following this presentation you should:
Identify your set of profiling questions
Model an initial sample set of applications to calibrate
Align appropriate security activities based on risk level
Within six months you should:
Complete the profiling of your application portfolio
Identify program activities based on portfolio trends
Begin assessing your highest risk applications
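The ASRL model on slides 12 and 13 (questionnaire factors, scoring calculation, calibration against a representative sample, sanity check) and the "align appropriate security activities based on risk level" step above are shown together in the following added example. It is not the IMF's or Aspect Security's model: the slides only name the six factor areas and the five levels, so every question, answer option, weight, cut-off and activity mapping here is assumed, and the sample portfolio with its expert ratings is constructed for the illustration.

```python
"""Application Security Risk Level (ASRL) scoring and calibration (illustration).

Assumed, not from the slides: answer options, 0..1 risk contributions,
per-factor weights, level cut-offs, the activity mapping and the sample data.
"""

# The six factor areas feeding the questionnaire (slide 12). Each factor has an
# assumed weight and a set of assumed answers with a 0..1 risk contribution.
FACTORS = {
    "network_environment": (2.0, {"internet_facing": 1.0, "extranet": 0.7, "internal_only": 0.3}),
    "development_process": (1.0, {"outsourced_no_review": 1.0, "in_house_no_review": 0.6,
                                  "in_house_with_review": 0.2}),
    "application_architecture": (1.0, {"custom_web_app": 0.8, "cots_customized": 0.5,
                                       "cots_unmodified": 0.2}),
    "usage_scenarios": (1.5, {"external_users": 1.0, "all_staff": 0.6, "small_internal_team": 0.2}),
    "security_controls": (1.0, {"ad_hoc": 1.0, "standard_controls": 0.4, "standard_plus_extra": 0.1}),
    "data_classification": (3.0, {"strictly_confidential": 1.0, "confidential": 0.7,
                                  "internal": 0.3, "public": 0.0}),
}
LEVELS = ("Very Low", "Low", "Medium", "High", "Very High")

# Assumed activity mapping: each level inherits everything required below it,
# so rigor grows with risk instead of every application getting the same work.
_ACTIVITY_STEPS = [
    ["self-assessment questionnaire", "two-page design guidance"],
    ["automated SAST/DAST in CI"],
    ["security design review"],
    ["manual code review", "penetration test before go-live"],
    ["threat model", "annual penetration test"],
]


def activities_for(level):
    """Cumulative list of security activities required at a level."""
    idx = LEVELS.index(level)
    return [a for step in _ACTIVITY_STEPS[: idx + 1] for a in step]


def score(answers):
    """Weighted questionnaire score on a 0..100 scale.

    A missing or unrecognised answer raises rather than counting as zero, so an
    incomplete profile cannot silently land in a low level.
    """
    total = 0.0
    for factor, (weight, options) in FACTORS.items():
        if factor not in answers:
            raise ValueError(f"no answer for {factor}")
        if answers[factor] not in options:
            raise ValueError(f"unknown answer {answers[factor]!r} for {factor}")
        total += weight * options[answers[factor]]
    max_total = sum(weight for weight, _ in FACTORS.values())
    return 100.0 * total / max_total


def level_for(s, thresholds):
    """Map a score to a level using four increasing cut-offs."""
    for level, cut in zip(LEVELS, thresholds):
        if s < cut:
            return level
    return LEVELS[-1]


def calibrate(sample):
    """Derive cut-offs from a representative sample with expert-assigned levels,
    then sanity-check the model against that same sample.

    sample: {app_name: (answers, expert_level)}.  Returns (thresholds, mismatches);
    mismatches maps each app the model places differently from the experts to
    (expert_level, model_level), which is the input for re-weighting.
    """
    scores_by_level = {level: [] for level in LEVELS}
    for answers, expert_level in sample.values():
        scores_by_level[expert_level].append(score(answers))
    thresholds = []
    for lower, upper in zip(LEVELS, LEVELS[1:]):
        if not scores_by_level[lower] or not scores_by_level[upper]:
            raise ValueError(f"sample needs an application rated {lower} and one rated {upper}")
        # Cut-off sits midway between the neighbouring levels' score ranges.
        thresholds.append((max(scores_by_level[lower]) + min(scores_by_level[upper])) / 2)
    if thresholds != sorted(thresholds):
        raise ValueError("expert levels overlap too much for one cut-off per level; revisit weights")
    thresholds = tuple(thresholds)
    mismatches = {}
    for app, (answers, expert_level) in sample.items():
        model_level = level_for(score(answers), thresholds)
        if model_level != expert_level:
            mismatches[app] = (expert_level, model_level)
    return thresholds, mismatches


# Constructed sample portfolio with assumed expert ratings (not IMF data).
SAMPLE = {
    "cafeteria-menu": ({"network_environment": "internal_only", "development_process": "in_house_with_review",
                        "application_architecture": "cots_unmodified", "usage_scenarios": "small_internal_team",
                        "security_controls": "standard_controls", "data_classification": "public"}, "Very Low"),
    "hr-training-portal": ({"network_environment": "internal_only", "development_process": "in_house_with_review",
                            "application_architecture": "cots_customized", "usage_scenarios": "all_staff",
                            "security_controls": "standard_controls", "data_classification": "internal"}, "Low"),
    "public-website": ({"network_environment": "internet_facing", "development_process": "in_house_with_review",
                        "application_architecture": "cots_unmodified", "usage_scenarios": "external_users",
                        "security_controls": "ad_hoc", "data_classification": "public"}, "Medium"),
    "board-document-repository": ({"network_environment": "internal_only", "development_process": "in_house_with_review",
                                   "application_architecture": "cots_unmodified", "usage_scenarios": "small_internal_team",
                                   "security_controls": "standard_plus_extra",
                                   "data_classification": "strictly_confidential"}, "High"),
    "member-country-extranet": ({"network_environment": "extranet", "development_process": "in_house_no_review",
                                 "application_architecture": "custom_web_app", "usage_scenarios": "external_users",
                                 "security_controls": "standard_controls", "data_classification": "confidential"}, "High"),
    "lending-operations": ({"network_environment": "internet_facing", "development_process": "outsourced_no_review",
                            "application_architecture": "custom_web_app", "usage_scenarios": "external_users",
                            "security_controls": "ad_hoc", "data_classification": "strictly_confidential"}, "Very High"),
}

if __name__ == "__main__":
    cuts, mismatches = calibrate(SAMPLE)
    print("cut-offs:", [round(c, 1) for c in cuts])
    for app, (answers, expert) in SAMPLE.items():
        lvl = level_for(score(answers), cuts)
        print(f"{app:26s} {score(answers):5.1f} {lvl:9s} -> {', '.join(activities_for(lvl))}")
    print("sanity-check mismatches:", mismatches)
```

With the assumed weights the sanity check flags two of the six sample applications: the public website scores into High because exposure dominates, while the internal board-document repository scores into Medium because its data classification alone does not outweigh its low exposure. That disagreement between model and expert rating is the signal the calibration step exists to surface; the response is to adjust weights or questions and re-run, not to override individual results by hand.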
26. Takeaways
Find your crown jewels
Buy-in from management
Don’t do the same thing for every application
A stitch in time saves nine …