Secure SDLC in the Real World: Pitfalls Discovered and Treasure Collected Along the Way


:: History ::
Security BSides DFW 2011 - November 5, 2011 (Philip J Beyer) - http://lanyrd.com/skymf

:: Summary ::
I will present the difficulties and successes involved with realigning the development lifecycle at TEA using OpenSAMM.

:: Abstract ::
In "Pitfall!", a player must maneuver Pitfall Harry through a maze-like jungle to stay alive. Along the way, he must negotiate numerous hazards, try to recover treasure, and do it all in a limited time. Implementing OWASP's OpenSAMM in a large organization is kinda like playing that classic game. It's a little dangerous, requires vision, planning, and precision, and promises rewards. Like many of its size and with its mandate, the Texas Education Agency already has an SDLC. Enter Pitfall Phil. In an effort to build a stronger program, Pitfall Phil shifted the focus of TEA's application security program to align with OpenSAMM. I will present the hazards he discovered and the treasure he found while playing the game.


1. Secure SDLC in the Real World: Pitfalls Discovered and Treasure Collected Along the Way
   Philip J. Beyer - Texas Education Agency
   philip.beyer@tea.state.tx.us
   @pjbeyer
   Copyright 2011 by Texas Education Agency. All rights reserved. BSides DFW 2011 http://lanyrd.com/skymf

2. Overview
   • Background
   • The Manual
   • The Premise
   • Treasures and Pitfalls
   • Game Over

3. About
   • Phil Beyer
     – Information Security Officer
     – Consulting background
   • TEA
     – ~700 employees
     – ~1200 school districts
     – ~5 million students

4. Where Did TEA Start?
   • Application Security Program already established
     – Some policies & procedures
     – Initial training & exposure to concepts
     – Historically siloed approach
   • Outsourcing for subject matter expertise

5. Where Do You Start?
   • Establish your Application Security Program
   • Be the Champion (or find one)
   • Make sure your Team Gets It
   • Have a Roadmap to Maturity

6. The Manual: Business Functions
   (OpenSAMM business functions diagram)

7. The Manual: Security Practices
   (OpenSAMM security practices diagram)

8. The Manual: Phases
   1. The Early Levels
   2. Racking Up Some Points
   3. Hitting Your Stride
   4. Bigger Treasures, Deeper Pits
   5 & 6. The End Game

9. The Premise
   • It has already started
   • Shortcuts don’t exist
     – No cheat codes
     – No invincibility
     – No God mode
   • There are Pitfalls
   • There are Treasures

10. The Early Levels (Phase 1): Treasures
   • A Map
     – Not necessarily THE Map, but something to get started
     – An organizational roadmap is a powerful thing
   • Some Running Room
     – Awareness in the organization is increasing

11. The Early Levels (Phase 1): Pitfalls
   • The Log
     – You can’t stand still
     – Move through Phase 1 so you don’t get rolled over
   • Inertia
     – Getting started is just plain hard
     – Determining who should play is also hard

12. Racking Up Some Points (Phase 2): Treasures
   • Silver Bars
     – Development teams begin to appreciate the security problem
   • The Ladder
     – More of the team is involved in practicing security
     – You’ve found a new way around the alligator-infested pond

13. Racking Up Some Points (Phase 2): Pitfalls
   • The Alligator
     – There’s a dangerous thing there on the screen
     – Threats are real, and now they see some of them too
   • More Players
     – Other people are going to play your game
     – They may not play as { nice | carefully | safely } as you

14. Hitting Your Stride (Phase 3): Treasures
   • Gold Bars
     – Better visibility instills confidence in Management
   • The Compass
     – The Program has direction
     – From requirements to maintenance, a formal process starts to emerge

15. Hitting Your Stride (Phase 3): Pitfalls
   • The Scorpion
     – Better informed Management may sting
   • The Wall
     – A different kind of obstacle will block your path
     – Developers and Operators may not enjoy working together more closely

16. Bigger Treasures, Deeper Pits (Phase 4): Treasures
   • The Bridge
     – Get rid of that Rope and jeer at the Alligators as you walk across
     – The whole Program is working together to build securely and verify aggressively

17. Bigger Treasures, Deeper Pits (Phase 4): Pitfalls
   • The Hole
     – Compliance is not Security
     – Don’t let Management fall into the trap at this stage of the game… It can be a pretty deep pit

18. The End Game (Phases 5 & 6): Treasures
   • Shangri-La
     – You’ve reached the mystical, harmonious valley; a permanently happy land isolated from the outside world
     – I’d tell you how it feels, but we haven’t gotten there yet

19. It’s Time to Play
   • Build a Mature Software Assurance Program
   • Measure and Report Your Progress
   • Have Fun!

20. Resources
   • OWASP – Open Web Application Security Project
     – http://www.owasp.org/
   • OpenSAMM - Software Assurance Maturity Model
     – http://www.opensamm.org/
   • Attribution
     – All OpenSAMM images are licensed under the Creative Commons Attribution-Share Alike 3.0 License.
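The talk's "Have a Roadmap to Maturity" and "Measure and Report Your Progress" points rest on OpenSAMM's scoring model: each of the twelve security practices is rated at maturity level 0 to 3, and a phased roadmap sets a target level per practice. The script below is an added example, not code from the talk or from the OpenSAMM project. It uses the four business functions and twelve practices of OpenSAMM v1.0 (the version current in 2011); the assessment answers and the Phase 2 target are constructed, and treating each maturity level as a single yes/no answer is a simplification of the real per-level assessment worksheets. It scores a practice only up to the first unmet level (levels build on each other), averages per business function, and lists the practices still below the phase target.

```python
"""OpenSAMM scorecard: score current maturity per security practice and
report the gap against a phased roadmap target.

Added example, not from the talk or the OpenSAMM project. Business
functions and practices are OpenSAMM v1.0; the assessment answers and the
Phase 2 target are constructed, and "one yes/no per level" is a
simplification of the real assessment worksheets.
"""
from collections import OrderedDict

# OpenSAMM v1.0: four business functions, three security practices each.
SAMM_PRACTICES = OrderedDict([
    ("Governance",   ["Strategy & Metrics", "Policy & Compliance",
                      "Education & Guidance"]),
    ("Construction", ["Threat Assessment", "Security Requirements",
                      "Secure Architecture"]),
    ("Verification", ["Design Review", "Code Review", "Security Testing"]),
    ("Deployment",   ["Vulnerability Management", "Environment Hardening",
                      "Operational Enablement"]),
])
MAX_LEVEL = 3

# Constructed assessment: for each practice, whether the criteria of
# maturity levels 1, 2 and 3 are met.
ASSESSMENT = {
    "Strategy & Metrics":       [True,  False, False],
    "Policy & Compliance":      [True,  True,  False],
    "Education & Guidance":     [True,  False, False],
    "Threat Assessment":        [False, False, False],
    "Security Requirements":    [True,  False, False],
    "Secure Architecture":      [True,  True,  False],
    "Design Review":            [False, True,  False],  # level 2 met, level 1 not
    "Code Review":              [True,  False, False],
    "Security Testing":         [True,  True,  False],
    "Vulnerability Management": [True,  True,  False],
    "Environment Hardening":    [True,  False, False],
    "Operational Enablement":   [False, False, False],
}

# Constructed Phase 2 target: every practice at level 1, two practices at 2.
PHASE_2_TARGET = {p: 1 for ps in SAMM_PRACTICES.values() for p in ps}
PHASE_2_TARGET["Policy & Compliance"] = 2
PHASE_2_TARGET["Security Testing"] = 2


def practice_level(answers):
    """Maturity level 0..3 for one practice.

    Levels build on each other, so a level counts only when every lower
    level is also met: [False, True, False] scores 0, not 2.
    """
    level = 0
    for met in answers[:MAX_LEVEL]:
        if not met:
            break
        level += 1
    return level


def scorecard(assessment):
    """Map every SAMM practice to its level; unassessed practices score 0."""
    return {p: practice_level(assessment.get(p, []))
            for ps in SAMM_PRACTICES.values() for p in ps}


def function_average(card, function):
    """Mean level across the three practices of one business function."""
    practices = SAMM_PRACTICES[function]
    return sum(card[p] for p in practices) / len(practices)


def roadmap_gaps(card, target):
    """Practices below their target level, as {practice: (current, target)}."""
    return {p: (card[p], t) for p, t in target.items() if card[p] < t}


def render(card, target):
    """Plain-text scorecard suitable for a management status report."""
    lines = []
    for function, practices in SAMM_PRACTICES.items():
        lines.append(f"{function} (avg {function_average(card, function):.2f})")
        for p in practices:
            bar = "#" * card[p] + "." * (MAX_LEVEL - card[p])
            flag = "  <- below target" if card[p] < target.get(p, 0) else ""
            lines.append(f"  {p:<26} [{bar}] {card[p]}/{target.get(p, 0)}{flag}")
    gaps = roadmap_gaps(card, target)
    lines.append(f"{len(gaps)} practice(s) below the phase target")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(scorecard(ASSESSMENT), PHASE_2_TARGET))
```

Running it prints one block per business function with a three-slot bar per practice and flags the three constructed gaps (Threat Assessment, Design Review, Operational Enablement). The "no skipping levels" rule in practice_level is the part worth keeping when adapting this to real assessment data: reporting Design Review as level 2 when its level 1 activities are absent is exactly the kind of number that makes better informed Management sting later.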
