
Adoption of Open SAMM for the Development of Software Security Governance


Introduction to Open SAMM by Ivano Aviandi (CEO of Cybertech Solusindo, lecturer, information security practitioner)

Presented at the Public Discussion on Software Security Governance
Hotel Sahid Jaya Jakarta, 7 November 2013

Published in: Technology


  1. SOFTWARE SECURITY GOVERNANCE, Kementerian Komunikasi dan Informatika (Ministry of Communication and Informatics)
  2. Information Security CONFIDENTIAL
  3. Introduction
  4. Introduction
  5. Introduction
  6. Introduction: Security Guideline
  7. Open SAMM: Secure Software Development
     • Governance: Strategy & Metrics; Policy and Compliance; Education and Guidance
     • Construction: Threat Assessment; Security Requirements; Secure Architecture
     • Verification: Design Review; Code Review; Security Testing
     • Deployment: Vulnerability Management; Environment Hardening; Operational Enablement
  8. Information Security Institute
     • Requirement: Security Requirement; Setting up Phase Gates; Risk Assessment
     • Design: Identify Design Security Requirements; Architecture and Design Review; Threat Modeling
     • Coding: Coding Best Practice; Perform Static Analysis
     • Testing: Vulnerability Assessment; Fuzzing
     • Deployment: Server Configuration Review; Network Configuration Review
  9. FoundStone - McAfee: Requirement, Design, Implementation, Verification, Release
     SANS Institute: Analysis and Design, Develop, Testing and Implementation, Deployment, Support and Services
  10. How About? Secure Software Development
     • Governance: Strategy & Metrics; Policy and Compliance; Education and Guidance
     • Construction: Threat Assessment; Security Requirements; Secure Architecture
     • Implementation: Coding with Best Practice Guidance
     • Verification: Design Review; Code Review; Security Testing
     • Deployment: Vulnerability Management; Environment Hardening; Operational Enablement
  11. Implementation
     • Account Security Mechanism: Username & Password Quality; Account and Password Age Policy; Lock Account Policy; Lockout Duration; Transmission Process
     • Session Management: Session Termination; Cookies Management; Dynamic Token; Multiple Session
     • Input & Output Based Handling: Input Validation; Display Error; File Validation; Meta Character Filtering
  12. Sample Case
  13. Man in the Middle Attack
  14. Man in the Middle Attack, mapped to the model: Threat Assessment (Construction); Security Requirement; Security Architecture; Implementation (Account Security Mechanism; Session Management)
  15. Thank You, Q and A
