Rapid-Start Code Scanning For PCI Compliance
Presented at Secure 360, 2011 by Darren Meyer <darren.meyer@gmail.com>

The problem you think you have
PCI DSS version 2.0, §6.6: Verify that public-facing web applications are reviewed (using either manual or automated vulnerability security assessment tools or methods), as follows:
- At least annually
- After any changes
- By an organization that specializes in application security
- That all vulnerabilities are corrected
- That the application is re-evaluated after the corrections

The problem you actually have
PCI DSS version 2.0, §6.5: Prevent common coding vulnerabilities in software development processes

Actually, it’s this
PCI DSS 2.0 Requirement 6: Develop and maintain secure systems and applications

Yeah... Let’s not worry about that today

What you are about to see is real
Some details have been changed to protect me from PR policy violations

My challenge
“We’re building a huge, public, eCommerce site”
“We hired an integrator to do the work”
“They have no application security program”
“You have 8 weeks to build one”
GO!

Challenge Accepted

Prevent common coding vulnerabilities.... Oh, OK! We’ll hire someone... (Verizon, TCS, WiPro, NetSPI, IBM, Trustwave SpiderLabs)

For about $1.20 a line... (fully loaded cost)

And... You have to do it regularly: “...the application is re-evaluated after the corrections”
I would have needed weekly reviews to meet goals on this 100-week project

Estimated total cost: $168,000,000

Ok, I’ll build it myself!

Consider this...
Staffing needs, Exception management, Skills training, Coding standards, Setting up a process, False positive mgmt., Developer training, Roll-out planning, Awareness, Support, Developer turnover, Vulnerability triage

Right. I don’t have 3 years
Rapid Start
- Select a tool
- Integrate Build
- Buy a CoE

Estimated total Rapid Start cost: $16,200,000 (9.6% of original)

What tool?

Key selection criteria
Think long-term:
- Language coverage
- Licensing terms
- Support for my build systems
- Portfolio management capabilities

Build integration
Security is part of quality: use the QA build (But don’t get in the critical path)

Buy a CoE
Hire a firm that knows your tool and has a good AppSec capability

Keep the process simple
QA build → Eliminate noise → Triage to defect tracker → Consult on rejected defects

Prepare for rejected defects
Developers will reject defects, because:
- They don’t understand the problem
- They don’t understand how to fix it
- They aren’t security experts
This is OK
Check your work!
You still need an expert code review at least a couple of times (we did four)
Pen tests help you verify severity and get needed attention

Dev is not the enemy
NO punishment
NO retaliation
NO special treatment

Now what?

Let’s talk about technical debt
Because this approach created quite a bit

Remember these?
Staffing needs, Exception management, Skills training, Coding standards, Setting up a process, False positive mgmt., Developer training, Roll-out planning, Awareness, Support, Developer turnover, Vulnerability triage

You have to address them
You can’t scale the Rapid Start model
Compliance is not security

Get closer to development
Instrument IDE to test for security
Keep your QA build hooks in place

Build clear requirements
- Use tools to test against requirements
- Govern only against requirements
- If it’s not in the requirements, it’s your fault
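The "keep the process simple" flow (QA build, eliminate noise, triage to defect tracker, consult on rejected defects) and the rule of governing only against written requirements are shown here as one added Python example. This is not code from the talk, from Fortify, or from any scanner vendor: the scanner output, the requirement identifiers SEC-001 to SEC-003, the suppression list and the tracker fingerprints are all constructed assumptions. A real integration would parse the chosen tool's own report format and post the resulting defects to the tracker's API; the hook below only prints them, and it always returns exit code 0 so that it never sits in the QA build's critical path.

```python
"""QA-build triage hook: report findings, file only what maps to a requirement,
never fail the build. Added example with constructed data; not the deck's code."""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Constructed scanner output in a generic shape. Real tools emit their own
# formats; adapting parse_findings() is the "Integrate Build" work.
SCAN_OUTPUT = json.dumps([
    {"rule": "sql-injection", "file": "src/main/Checkout.java", "line": 88, "severity": "high"},
    {"rule": "hardcoded-password", "file": "src/test/DbFixture.java", "line": 12, "severity": "medium"},
    {"rule": "xss-reflected", "file": "src/main/Search.java", "line": 41, "severity": "high"},
    {"rule": "weak-random", "file": "src/main/Token.java", "line": 7, "severity": "low"},
    {"rule": "xss-stored", "file": "src/main/Review.java", "line": 120, "severity": "high"},
])

# Security requirements the program governs against (constructed identifiers).
# Only scanner rules mapped here become tracked defects; anything else is
# reported but not governed ("if it's not in the requirements, it's your fault").
REQUIREMENTS: Dict[str, tuple] = {
    "SEC-001": ("Database queries parameterize untrusted input", {"sql-injection"}),
    "SEC-002": ("Untrusted data is encoded before HTML output", {"xss-reflected", "xss-stored"}),
    "SEC-003": ("No credentials in source", {"hardcoded-password"}),
}

# Noise suppressions the CoE maintains: (rule, path prefix). Test fixtures with
# fake passwords are the classic example of a finding developers will reject.
SUPPRESSIONS = [("hardcoded-password", "src/test/")]


@dataclass(frozen=True)
class Finding:
    rule: str
    file: str
    line: int
    severity: str

    def fingerprint(self) -> str:
        # Stable id so the weekly re-scan after fixes does not file a defect
        # twice. Line numbers shift as code changes; production tools hash the
        # surrounding code instead, which this constructed example does not.
        digest = hashlib.sha256(f"{self.rule}|{self.file}|{self.line}".encode()).hexdigest()
        return digest[:16]


def parse_findings(raw: str) -> List[Finding]:
    return [Finding(f["rule"], f["file"], int(f["line"]), f["severity"]) for f in json.loads(raw)]


def requirement_for(rule: str) -> Optional[str]:
    for req_id, (_, rules) in REQUIREMENTS.items():
        if rule in rules:
            return req_id
    return None


def is_suppressed(f: Finding) -> bool:
    return any(f.rule == rule and f.file.startswith(prefix) for rule, prefix in SUPPRESSIONS)


def triage(findings: List[Finding], already_filed: FrozenSet[str] = frozenset()) -> dict:
    """Split findings into new defects, suppressed noise, findings outside the
    requirements, and defects the tracker already holds."""
    result = {"defects": [], "noise": [], "unmapped": [], "duplicates": []}
    for f in findings:
        if is_suppressed(f):
            result["noise"].append(f)
            continue
        req = requirement_for(f.rule)
        if req is None:
            result["unmapped"].append(f)
            continue
        if f.fingerprint() in already_filed:
            result["duplicates"].append(f)
            continue
        result["defects"].append({
            "id": f.fingerprint(),
            "title": f"[{req}] {f.rule} in {f.file}:{f.line}",
            "requirement": REQUIREMENTS[req][0],
            "severity": f.severity,
        })
    return result


def qa_build_hook(raw: str, already_filed: FrozenSet[str] = frozenset()) -> int:
    """Entry point for the QA build. Prints a summary; a real hook would POST
    result["defects"] to the defect tracker. Always returns 0: the tracker,
    not the build, drives remediation."""
    result = triage(parse_findings(raw), already_filed)
    print(f"{len(result['defects'])} new defects, {len(result['noise'])} suppressed, "
          f"{len(result['unmapped'])} outside requirements, "
          f"{len(result['duplicates'])} already filed")
    for d in result["defects"]:
        print(f"  {d['severity']:<6} {d['title']}  ({d['requirement']})")
    return 0


if __name__ == "__main__":
    raise SystemExit(qa_build_hook(SCAN_OUTPUT))
```

On the constructed input the hook files three defects (one SQL injection, two XSS) against SEC-001 and SEC-002, suppresses the test-fixture password as noise, and reports the weak-random finding without filing it because no requirement covers that rule. Feeding the first run's fingerprints back in as `already_filed` models the next weekly scan: nothing is filed twice. The deliberate gap is the same one the deck names as technical debt: a rule that is reported but unmapped is not governed until someone writes the requirement.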
Internalize your CoE
Use your own people
Stop looking for noise (your devs will find it)
Support development
Maintain the program

Train your developers
Train on tools
Train on requirements
Teach basic security skills
DON’T try to make them security experts

Remember who your customer is (It’s NOT the security team)

Argue with / Interrogate me

Colophon
Creator: Darren Meyer <darren.meyer@gmail.com>
Typeface: Helvetica Neue
Software: Apple Keynote, Pixelmator
Thanks to: Fortify Software, Secure 360 Conference, Jay Jacobs =^o-o^=
Description: Presented at Secure360 2011; a case study and related advice on building a security-focused static code analysis program for appsec in a rapid start model.