Brian Levine
Senior Director, Product & Cloud Security
A WARRIOR'S JOURNEY: BUILDING A GLOBAL APPSEC PROGRAM
A Warrior's Journey: Building a Global AppSec Program
"Adapt what is useful, reject what is useless, and add what is specifically your own." – Bruce Lee
This talk covers critical foundations for building a scalable Application Security Program. Drawing on warrior-tested strategies and assurance frameworks such as OWASP SAMM and BSIMM, this session gives actionable guidance on building and advancing a global application security program.
Whether you are starting a fledgling security journey or managing a mature SSDLC, these foundational elements are core for achieving continuous security at scale.
Brian Levine is Senior Director of Product Security for Axway, an enterprise software company delivering product solutions and cloud services to global Fortune 500 enterprises and government customers.
About Brian Levine
Senior Director Product & Cloud Security
Axway Software
Former Stuff:
• Industrial Engineer, Purdue University
• Systems Engineer, EMC & other places
• Product Manager Security, Syncplicity
Where would you begin?
"Adapt what is useful, reject what is useless, and add what is specifically your own." – Bruce Lee
Outline & Agenda
• Foundations for building a scalable global application security program
• Culture
• Process
• Governance
LET'S UNPACK THAT...
CULTURE
Centralized Application Security Group: a rose by any other name...
• OWASP SAMM – "Secure Software Center of Excellence (SSCE)"
• BSIMM – "Software Security Group (SSG)"
• Axway – "Product Security Group (PSG)"
• Others – "Product Security Office (PSO)" ...
OWASP SAMM v2.0 – Organization & Culture
BSIMM – Software Security Group (SSG)
"According to our observations, the first step of a Software Security Initiative (SSI) is to form an SSG."
"without an SSG, success ... is very unlikely."
Source: BSIMM11
SOFTWARE SECURITY CENTER OF EXCELLENCE (SSCE)
GETTING STARTED
• Secure Executive Sponsorship
• Establish and Publicize the Charter and Scope
• Define SSDLC goals & product objectives
• Align with PM, Development, and Operations
• Internal Evangelism
• Selecting security tools, procedures, and driving adoption
LEVELING UP
• Stay Focused on the Customer (R&D)
• Publish SSDLC Standards, Procedures, and Best Practices
• Identify promising security champions to join the SSCE
• External evangelism
• DevSecOps automation, enabling self-service & continuous security
• Data-driven program management
SECURITY CHAMPIONS
• 42% (55/130) of the firms in the BSIMM11 study have a security champions program.
• 65% of the firms that have been assessed more than once have a security champions program.
OWASP SAMM
BSIMM
SECURITY CHAMPIONS PROGRAM
BUILDING
• Identify individuals with interest/passion for security
• 1 champion per development project
• Provide formal training, workshops, and sponsorship for conferences, certifications, etc.
• Executes SSDLC procedures (and scans)
• Triages findings into product backlog
• Work with SSG on threat modeling and secure architecture
• Reward and Recognize Publicly
SCALING
• Multiple full-time champions per project
• SPOCs push the curve, identifying improvements, new security tools and procedures
• Performs secure architecture design and threat models
• Interested SPOCs rotate into the SSG
"SPOC" = Security Point of Contact
SECURITY CHAMPIONS PROGRAM - GOTCHAS
ANTI-PATTERNS
• SPOC is the only member of the team responsible for security. All security tasks and questions assigned to SPOC
• SPOC is responsible to prioritize security in the product development cycle (bottom-up)
• Adversarial or subordinate relationship to the SSG
COURSE CORRECTIONS
• All devs are responsible for fixing security defects. SPOC works with devops, build managers, etc. to automate security testing
• Execs, Product Managers, Engineering Managers are responsible to prioritize security (top-down).
• SSG exists to support R&D success. SSG and SPOC learn from each other to improve in a blameless culture.
EDUCATION & AWARENESS
Structured Training Programs
• Mandatory Developer Security Training
• Advanced, role-specific and platform-specific training, more hands-on
• Behavioral achievements & certifications
Security Events
• Security Days
• Tournaments & Challenges
• Capture the flag (CTF): OWASP Security Shepherd
Recognition & Rewards
• Security Stars Program
• Public Praise
• SWAG
• Brand your AppSec program (T-Shirts)
• Hit-up your Vendors (Hoodies, Stickers, etc.)
PROCESS
Define Security Gates and Passing Criteria
Source: Microsoft Security Development Lifecycle © 2010 Microsoft Corporation.
SECURITY GATES (PRO-TIP)
BSIMM SM1.4: "defining checks in the process first and enforcing them later is extremely helpful in moving development toward security without major pain. Socializing the conditions and then verifying them once most projects already know how to succeed is a gradual approach that can motivate good behavior without requiring it."
Merge security into the existing development cycles. First, identify the gates & collect the results. But don't enforce them (yet).
"Be shapeless, formless, like water. Water can flow or water can crash. Be water." – Bruce Lee
EXAMPLE Security Gate / Security Bar
Third-party software component analysis
• For Initial Security Review (ISR) and Final Security Review (FSR) the project is scanned using approved SCA tool(s).
• All results are reviewed by the development team.
• All critical, high, and medium issues are resolved prior to release. (*with enforcement at FSR)
Other Security Bars (gates) to define:
• Threat modeling / Secure design review
• Static Application Security Test (SAST)
• Container Vulnerability Analysis
• Attack surface analysis
• Dynamic Application Security Test (DAST)
"I fear not who has practiced 10,000 kicks once, but I fear who has practiced one kick 10,000 times." – Bruce Lee
CONTINUOUS SECURITY & DevSecOps
• Initial Security Review (ISR)
• Security Requirements
• Threat Model
• Training
• Dynamic Analysis (DAST)
• Attack Surface Analysis
• Red Team Pentest
• Container Scanning
• Secure Code Review
• Static Analysis (SAST)
• 3rd-party Component Analysis
• Incident/Intrusion Detection
• Incident Response
• Vulnerability Scanning
• Hardening/Config Management
• Infra Vulnerability Scanning
• Verification
• 3rd party pentesting
• Access Control
• Audits
• Change Control
• Vulnerability Management
• Application Security Bar
• Cloud Security Bar
• Final Security Review (FSR)
• Continuous Security Review (CSR)
CONTINUOUS SECURITY PIPELINE (example) – DEV / OPS
Pipeline diagram; stages shown:
• Defect Management Tracking
• Attack Surface Analysis
• Dynamic Analysis (DAST)
• Threat Modeling
• Static Application Testing (SAST)
• Software Composition / 3rd-party (SCA)
• Container Security
• Code commit
• Deploy to staging
• Deploy to Production
• Threat & Risk Correlation
• Runtime Analysis & Monitoring
• Vulnerability Scanning
• Security Event Management (SIEM)
• CIS Compliance
• Cloud Configuration Monitoring
• Host Intrusion Detection (HIDS)
• IAM & Privilege Management
• Continuous Security Review
Security in CICD
Devs want fast build times and immediate feedback.
• Problem: Some security tests cannot be done on every build.
• Solution: The CI pipeline runs security tests inline in the build (where applicable); for longer-running tests or manual security tasks (e.g., threat model), it fetches the latest results via API.
Governance
KPI Metrics & Dashboards
• Aggregate security metrics to communicate overall risk level.
• Share at the executive level to show trends and current security posture.
• Share across all of R&D so every team can see how they're doing relative to the business.
SECURITY EXCEPTIONS & RISK APPROVAL
Released Software (with security) is our goal.
Conditional Pass Requires:
1. Mitigation Plan
2. Executive Risk Approval
Captured in Ticketing System and enforced by automation and orchestration.
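The gate logic the slides describe (collect results first and enforce at FSR; critical, high and medium findings resolved before release; a conditional pass only with both a mitigation plan and executive risk approval on record; inline build results merged with the latest fetched results for longer-running tasks such as the threat model) as an added Python example. This is not code from the talk or from Axway's program; the finding ids, severities and the `fetch_latest_results` stub standing in for the results API are constructed.

```python
"""Security-bar evaluator for one pipeline gate (ISR, FSR or CSR).

Merges findings produced inline in the build (e.g. SCA) with the latest
stored results of tasks that do not run on every build (e.g. threat model),
then applies the passing criteria: every critical, high and medium finding
must be resolved, unless a conditional pass (mitigation plan AND executive
risk approval) is on record in the ticketing system. A gate can run in
collect-only mode so results are socialized before they block anything.
"""
from dataclasses import dataclass, field

BLOCKING_SEVERITIES = {"critical", "high", "medium"}


@dataclass
class Finding:
    id: str          # ticket/finding id (constructed sample ids in this file)
    source: str      # check that produced it: sca, sast, threat-model, dast ...
    severity: str    # critical / high / medium / low / info
    resolved: bool


@dataclass
class RiskException:
    """Conditional-pass record as it would be stored in the ticketing system."""
    finding_id: str
    mitigation_plan: bool        # a mitigation plan is attached to the ticket
    exec_risk_approval: bool     # an executive has signed off on the risk

    def is_complete(self) -> bool:
        return self.mitigation_plan and self.exec_risk_approval


@dataclass
class GateResult:
    gate: str
    enforced: bool
    passed: bool = True
    blocking: list = field(default_factory=list)   # unresolved, not waived
    waived: list = field(default_factory=list)     # conditional pass on record
    notes: list = field(default_factory=list)


def fetch_latest_results(source: str) -> list:
    """Hypothetical stand-in for the API call that returns the most recent
    stored results of a long-running or manual task. Constructed sample data:
    the last threat model left one unmitigated high, the last DAST run one low."""
    store = {
        "threat-model": [Finding("TM-7", "threat-model", "high", resolved=False)],
        "dast": [Finding("DAST-3", "dast", "low", resolved=False)],
    }
    return list(store.get(source, []))


def evaluate_gate(gate, inline_findings, async_sources, exceptions, enforce):
    """Apply the security bar. With enforce=False the gate never fails; it only
    records what would block, which is the 'collect first, enforce later' step."""
    findings = list(inline_findings)
    for src in async_sources:                      # fetched, not re-run
        findings.extend(fetch_latest_results(src))
    waivers = {e.finding_id: e for e in exceptions}
    result = GateResult(gate=gate, enforced=enforce)
    for f in findings:
        if f.resolved or f.severity.lower() not in BLOCKING_SEVERITIES:
            continue                               # fixed, or below the bar
        waiver = waivers.get(f.id)
        if waiver is not None and waiver.is_complete():
            result.waived.append(f.id)
        else:
            result.blocking.append(f.id)
            if waiver is not None:                 # half-filled exception
                result.notes.append(f"{f.id}: exception incomplete "
                                    "(needs mitigation plan AND exec approval)")
    if result.blocking:
        if enforce:
            result.passed = False
        else:
            result.notes.append(f"{gate}: {len(result.blocking)} finding(s) "
                                "would block once this gate is enforced")
    return result


def sample_inline_findings():
    """Constructed SCA output for one build."""
    return [
        Finding("SCA-1", "sca", "critical", resolved=False),  # waived below
        Finding("SCA-2", "sca", "medium", resolved=False),    # blocks at FSR
        Finding("SCA-3", "sca", "high", resolved=True),       # already fixed
        Finding("SCA-4", "sca", "low", resolved=False),       # below the bar
    ]


def sample_exceptions():
    """Constructed ticketing-system records: one complete, one half-filled."""
    return [RiskException("SCA-1", mitigation_plan=True, exec_risk_approval=True),
            RiskException("TM-7", mitigation_plan=True, exec_risk_approval=False)]


if __name__ == "__main__":
    for gate, enforce in (("ISR", False), ("FSR", True)):
        r = evaluate_gate(gate, sample_inline_findings(), ["threat-model", "dast"],
                          sample_exceptions(), enforce)
        print(gate, "PASS" if r.passed else "FAIL", f"blocking: {r.blocking}",
              f"waived: {r.waived}", *r.notes, sep="\n  ")
```

Run as a script it shows the ISR passing while reporting what would block, and the same findings failing the FSR once enforcement is on.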
Summary
• Culture
• Process
• Governance
Begin where you are...
The warrior’s journey starts with the first step.
I would greatly appreciate your thoughts, comments, feedback, disagreements,
complaints, arguments, etc...
Where to find me....
Brian Levine
ATTRIBUTIONS
• Microsoft Security Development Lifecycle © 2010 Microsoft Corporation.
• The Software Assurance Maturity Model (SAMM) was created by Pravir Chandra and is now an Open Web Application Security Project (OWASP) project. SAMM is licensed under the Creative Commons Attribution-Share Alike 4.0 License. https://owaspsamm.org/
• BSIMM LICENSE: This work is licensed under the Creative Commons Attribution-Share Alike 3.0 License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/legalcode or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA.
Image by Gordon Johnson from Pixabay

 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 

A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020

  • 1. Brian Levine Senior Director, Product & Cloud Security A WARRIOR'S JOURNEY: BUILDING A GLOBAL APPSEC PROGRAM
  • 2. A Warrior's Journey: Building a Global AppSec Program "Adapt what is useful, reject what is useless, and add what is specifically your own." -Bruce Lee This talk covers critical foundations for building a scalable Application Security Program. Drawing on warrior-tested strategies and assurance frameworks such as OWASP SAMM and BSIMM, this session gives actionable guidance on building and advancing a global application security program. Whether you are starting a fledgling security journey or managing a mature SSDLC, these foundational elements are core for achieving continuous security at scale. Brian Levine is Senior Director of Product Security for Axway, an enterprise software company, delivering product solutions and cloud services to global Fortune 500 enterprises and government customers.
  • 3. About Brian Levine – Senior Director Product & Cloud Security, Axway Software. Former Stuff:
    • Industrial Engineer, Purdue University
    • Systems Engineer, EMC & other places
    • Product Manager Security, Syncplicity
  • 5. “Adapt what is useful, reject what is useless, and add what is specifically your own.” – Bruce Lee
  • 6. Outline & Agenda – Foundations for building a scalable global application security program:
    • Culture
    • Process
    • Governance
  • 8. Centralized Application Security Group – a Rose by any other name...
    • OWASP SAMM – “Secure Software Center of Excellence (SSCE)”
    • BSIMM – “Software Security Group (SSG)”
    • Axway – “Product Security Group (PSG)”
    • Others – “Product Security Office (PSO)” ...
  • 10. BSIMM – Software Security Group (SSG). “According to our observations, the first step of a Software Security Initiative (SSI) is to form an SSG.” “without an SSG, success ... is very unlikely.” Source: BSIMM11
  • 11. SOFTWARE SECURITY CENTER OF EXCELLENCE (SSCE)
    GETTING STARTED
    • Secure Executive Sponsorship
    • Establish and Publicize the Charter and Scope
    • Define SSDLC goals & product objectives
    • Align with PM, Development, and Operations
    • Internal Evangelism
    • Selecting security tools, procedures, and driving adoption
    LEVELING UP
    • Stay Focused on the Customer (R&D)
    • Publish SSDLC Standards, Procedures, and Best Practices
    • Identify promising security champions to join the SSCE
    • External evangelism
    • DevSecOps automation, enabling self-service & continuous security
    • Data-driven program management
  • 12. SECURITY CHAMPIONS (OWASP SAMM / BSIMM)
    • 42% (55/130) of the firms in the BSIMM11 study have a security champions program.
    • 65% of the firms that have been assessed more than once have a security champions program.
  • 13. SECURITY CHAMPIONS PROGRAM – “SPOC”: Security Point of Contact
    BUILDING
    • Identify individuals with interest/passion for security
    • 1 champion per development project
    • Provide formal training, workshops, and sponsorship for conferences, certifications, etc.
    • Executes SSDLC procedures (and scans)
    • Triages findings into product backlog
    • Work with SSG on Threat modeling and secure architecture
    • Reward and Recognize Publicly
    SCALING
    • Multiple full-time champions per project
    • SPOCs push the curve identifying improvements, new security tools and procedures
    • Performs secure architecture design and threat models
    • Interested SPOCs rotate into the SSG
  • 14. SECURITY CHAMPIONS PROGRAM - GOTCHAS
    ANTI-PATTERNS
    • SPOC is the only member of the team responsible for security. All security tasks and questions assigned to SPOC
    • SPOC is responsible to prioritize security in the product development cycle (bottom-up)
    • Adversarial or subordinate relationship to the SSG
    COURSE CORRECTIONS
    • All devs are responsible for fixing security defects. SPOC works with devops, build managers, etc. to automate security testing
    • Execs, Product Managers, Engineering Managers are responsible to prioritize security (top-down).
    • SSG exists to support R&D success. SSG and SPOC learn from each other to improve in a blameless culture.
  • 16. EDUCATION & AWARENESS
    Mandatory Developer Security Training
    Structured Training Programs
    • Advanced, role-specific and platform-specific training, more hands-on
    • Behavioral achievements & certifications
    Security Events
    • Security Days
    • Tournaments & Challenges
    • Capture the flag (CTF) – OWASP Security Shepherd
    Recognition & Rewards
    • Security Stars Program
    • Public Praise
    • SWAG
    • Brand your AppSec program (T-Shirts)
    • Hit-up your Vendors (Hoodies, Stickers, etc.)
  • 18. Define Security Gates and Passing Criteria Source: Microsoft Security Development Lifecycle © 2010 Microsoft Corporation.
  • 19. SECURITY GATES (PRO-TIP) – Merge security into the existing development cycles. First, identify the gates & collect the results. But don’t enforce them (yet). BSIMM SM1.4: “defining checks in the process first and enforcing them later is extremely helpful in moving development toward security without major pain. Socializing the conditions and then verifying them once most projects already know how to succeed is a gradual approach that can motivate good behavior without requiring it.” “Be shapeless, formless, like water. Water can flow or water can crash. Be water.” –Bruce Lee
  • 20. EXAMPLE Security Gate / Security Bar – Third-party software component analysis
    • For Initial Security Review (ISR) and Final Security Review (FSR) the project is scanned using approved SCA tool(s).
    • All results are reviewed by the development team
    • All critical, high, and medium issues are resolved prior to release. (*with enforcement at FSR)
    Other Security Bars (gates) to define:
    • Threat modeling / Secure design review
    • Static Application Security Test (SAST)
    • Container Vulnerability Analysis
    • Attack surface analysis
    • Dynamic Application Security Test (DAST)
  • 21. “I fear not who has practiced 10,000 kicks once, but I fear who has practiced one kick 10,000 times.” – Bruce Lee
  • 22. CONTINUOUS SECURITY & DevSecOps
    DEV
    • Initial Security Review (ISR)
    • Security Requirements
    • Threat Model
    • Training
    • Dynamic Analysis (DAST)
    • Attack Surface Analysis
    • Red Team Pentest
    • Container Scanning
    • Secure Code Review
    • Static Analysis (SAST)
    • 3rd-party Component Analysis
    OPS
    • Incident/Intrusion Detection
    • Incident Response
    • Vulnerability Scanning
    • Hardening/Config Management
    • Infra Vulnerability Scanning
    • Verification
    • 3rd party pentesting
    • Access Control
    • Audits
    • Change Control
    • Vulnerability Management
    Security bars & reviews
    • Application Security Bar
    • Cloud Security Bar
    • Final Security Review (FSR)
    • Continuous Security Review (CSR)
  • 23. CONTINUOUS SECURITY PIPELINE (example) – pipeline stages: Code commit, Deploy to staging, Deploy to Production. Controls in the pipeline:
    • Defect Management Tracking
    • Attack Surface Analysis
    • Dynamic Analysis (DAST)
    • Threat Modeling
    • Static Application Testing (SAST)
    • Software Composition / 3rd-party (SCA)
    • Container Security
    • Threat & Risk Correlation
    • Runtime Analysis & Monitoring
    • Vulnerability Scanning
    • Security Event Management (SIEM)
    • CIS Compliance
    • Cloud Configuration Monitoring
    • Host Intrusion Detection (HIDS)
    • IAM & Privilege Management
    • Continuous Security Review
  • 24. Security in CICD – Devs want fast build times and immediate feedback.
    • Problem: Some security tests cannot be done on every build
    • Solution: CI pipeline runs security tests inline in the build (where applicable); for longer-running tests or manual security tasks (e.g., threat model), it fetches the latest results via API.
  • 26. KPI Metrics & Dashboards
    • Aggregate security metrics to communicate overall risk level.
    • Share at the executive level to show trends and current security posture.
    • Share across all of R&D so every team can see how they’re doing relative to the business
  • 27. SECURITY EXCEPTIONS & RISK APPROVAL – Released Software (with security) is our goal. Conditional Pass Requires: 1. Mitigation Plan 2. Executive Risk Approval. Captured in Ticketing System and enforced by automation and orchestration.
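A small evaluator of the gate rule from slides 20, 24 and 27 (ISR collects results, FSR enforces the bar, a Conditional Pass needs a mitigation plan plus executive risk approval on the ticket), written here as an added example; it is not Axway's or the deck's own code, and the `Finding`/`RiskException` record shapes, the gate names and the sample findings are assumptions.

```python
from dataclasses import dataclass

# Severities that the example gate requires to be resolved before release
BLOCKING = {"critical", "high", "medium"}
# Gates where the bar is enforced; at ISR results are collected and published only
ENFORCED_AT = {"FSR"}

@dataclass
class Finding:
    """One SCA finding; inline scan output or results fetched via API look the same here."""
    id: str
    severity: str
    resolved: bool = False

@dataclass
class RiskException:
    """Hypothetical ticket record for a security exception on one finding."""
    finding_id: str
    mitigation_plan: str
    exec_approver: str

def evaluate_gate(phase, findings, exceptions=()):
    """Return (verdict, finding_ids): PASS, REPORT_ONLY, CONDITIONAL_PASS or FAIL."""
    open_ids = sorted(f.id for f in findings
                      if f.severity.lower() in BLOCKING and not f.resolved)
    if not open_ids:
        return "PASS", []
    if phase not in ENFORCED_AT:
        # Gate defined but not yet enforced: surface the results, do not block the build
        return "REPORT_ONLY", open_ids
    # Conditional Pass needs both a mitigation plan and an executive approver on the ticket
    approved = {e.finding_id for e in exceptions
                if e.mitigation_plan.strip() and e.exec_approver.strip()}
    unapproved = [fid for fid in open_ids if fid not in approved]
    if not unapproved:
        return "CONDITIONAL_PASS", open_ids
    return "FAIL", unapproved

# Constructed sample input: one open critical, one fixed high, one low (below the bar)
SAMPLE_FINDINGS = [Finding("SCA-101", "critical"),
                   Finding("SCA-102", "high", resolved=True),
                   Finding("SCA-103", "low")]
SAMPLE_EXCEPTIONS = [RiskException("SCA-101", "upgrade library next sprint", "VP Eng")]

if __name__ == "__main__":
    print("ISR:", evaluate_gate("ISR", SAMPLE_FINDINGS))
    print("FSR:", evaluate_gate("FSR", SAMPLE_FINDINGS))
    print("FSR with exception:", evaluate_gate("FSR", SAMPLE_FINDINGS, SAMPLE_EXCEPTIONS))
```

In a real pipeline the verdict would be produced by the orchestration step that reads the ticketing system, so the same finding fails the build until the exception record is complete.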
  • 28. Summary
    • Culture
    • Process
    • Governance
    Begin where you are... The warrior’s journey starts with the first step.
  • 29. I would greatly appreciate your thoughts, comments, feedback, disagreements, complaints, arguments, etc... Where to find me.... Brian Levine
  • 30. ATTRIBUTIONS
    • Microsoft Security Development Lifecycle © 2010 Microsoft Corporation.
    • The Software Assurance Maturity Model (SAMM) was created by Pravir Chandra and is now an Open Web Application Security Project (OWASP) project. SAMM is licensed under the Creative Commons Attribution-Share Alike 4.0 License https://owaspsamm.org/
    • BSIMM LICENSE: This work is licensed under the Creative Commons Attribution-Share Alike 3.0 License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/legalcode or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA.
    • Image by Gordon Johnson from Pixabay