Security Innovation, profile picture
Uploaded bySecurity Innovation
PPTX, PDF1,327 views

5 Ways to Reduce 3rd Party Developer Risk

The webinar discusses strategies to mitigate risks associated with third-party developers by emphasizing the importance of security assessments, integrity checks, and establishing clear contractual obligations. It highlights the need for ongoing training, communication, and collaboration between internal teams and third-party suppliers to ensure security is embedded throughout the software development lifecycle. Key recommendations include threat modeling, vulnerability management, and proactive engagement to address potential risks before and after software delivery.

Technologyâ—¦
Related topics:
Application Security•

Embed presentation

Downloaded 29 times
Webinar: 5 Ways to Reduce 3rd Party Developer Risks We will begin momentarily… @SecInnovation #reducedevrisk
5 Ways to Reduce 3rd Party Developer Risks Jason Taylor, CTO
Agenda • Common Challenges to Secure Software Development • Integrity Checks and Security Assessments • Internal and 3rd Party Security Considerations
Understanding Root Cause of Vulnerabilities • Failure to set requirements and standards • Not enough training and education • Lack of process • Vulnerabilities are unintended functionality
Security vs. Software Quality When you think of 3rd party language for functionality requirements, think similarly for security requirements
The Organizational Disconnect • IT/GRC/InfoSec historically focused on network/endpoint security *Developers and SDLC are now “in scope” • Tools are a typical first step *Both have different perspective on what policies and procedures are in place • How did we handle performance, reliability? *Security needs to be a standard part of the process
Language, Platform & Framework Nuances • Security policies are not enough o Follow through with architecture and development standards o Must explain “how” and “why,” not just “what” o Must tie to specific roles and technologies • Each language has unique idiosyncrasies and syntax issues: o C++ o Java and .NET o Scripting languages • Each platform is unique: o Mobile o Cloud & Web o Embedded
The Pitfalls of Automation • First instinct is “what tool can we buy”? • It can do a lot of heavy lifting faster than humans; but they…. o Only find KNOWN vulnerabilities/patterns and can miss important issues o Don't teach you how to fix vulnerabilities or prevent them in the future o Useful as part of an assessment program, but shouldn’t be your sole solution • Analyzing results is time consuming and requires skill • Results: o Tools often become shelf-ware o Dev team pushes back against vulnerability management in the SDLC
• Network boundary plays key role in “defense-in-depth”, but…. o Misses the majority of security vulnerabilities o Ineffective when applications are internet facing o Attackers can/will break through • With Internet, applications become the perimeter • We still invest exponentially more in network defenses Security is Ultimately a Software Problem * source: Gartner and NIST 70-92% of vulnerabilities exist in the application, not network layer*
…. and a Human Problem • Vulnerabilities are frequently the result of a failure in the engineering process • Developers have an implicit trust in the user o Often think of functionality (practical) rather than security o Not common to consider abuse cases • Education tailored to each environment isn’t required o Particularly in requirements and design phase where few tools available o Wide range of technologies and platforms is overwhelming
Agenda • Common Challenges to Secure Software Development • Integrity Checks and Security Assessments • Internal and 3rd Party Security Considerations
Integrity Checks • Perform security assessments o Design reviews, code reviews, penetration tests at key validation points • Address security beyond the traditional “testing” phase • Security assessment = more than penetration testing the binary: o Validating the design and the architecture before coding begins o Developing a threat model that guides design, coding and test efforts o Using tools while developers are coding to find common security defects o Verifying the security and configuration of the deployment environment
Assessment Activities Work Together • Design review o Sets the rest of the team up for success and finds problems that are the costly to fix later in the cycle • Threat Modeling o Ensures key threats are considered during design, coding and testing • Code Review o One of the highest impact activities, but doesn’t consider the as-deployed state
…Continued • Manual penetration testing o Requires deep knowledge of application and technologies in the environment • Scanning tools o Provide broad coverage to augment these activities
State of Application Security Assessment Conventional approaches to application security are not risk-based • Over-reliance on automated vulnerability scanning • Random efforts to find a needle in a haystack • Fails to address each application’s unique code-, system- and workflow-level vulnerabilities • Little practical guidance on prioritizing defect remediation • Find & Fix “hamster wheel” leads to frustration and stagnation • Many flaws are caused by environment interaction and only discoverable after analyzing application in production
…Continued An effective security assessment program • Uses threat modeling to focus efforts on highest risk first • Is committed to finding problems at each phase of development • Aligns breadth and depth of analysis to application complexity and criticality • Let’s humans and tools do what they each do best • Leverages assessment findings to identify root causes and address process and skills gaps
It’s Called “Verification Phase” for a Reason • Security testing should be like the net under a tightrope o Not the only time when security problems are found • Why do we often find so many vulnerabilities in testing? o If architecture and development standards are followed, vulnerabilities will be minimized o If assessment activities occur consistently, vulnerabilities will be found early • Penetration testing becomes the last-best assessment, rather than the last-desperate hope
Agenda • Common Challenges to Secure Software Development • Integrity Checks and Security Assessments • Internal and 3rd Party Security Considerations
Managing 3rd Party Risk • 3rd party includes: o Supplier of software you purchase o Supplier of Software as a Service you consume o Outsourced development team you leverage • Managing risk includes: o Setting expectations, including contractual language o Validating expectations are met o Clear remediation procedures to handle identified risks
Language Normalization Term Definition Vulnerability Security exposure that results from a weakness that the architect, developer, etc did not intend to introduce Threat A negative occurrence in the business processes of a system Attack An implementation-specific action or set of actions taken against a system to realize a threat Exploit Sequence of commands/activities that takes advantage of a vulnerability to cause unintended or unanticipated behavior (i.e. gaining control of a system, privilege escalation, or a denial-of-service attack) Impact What damage can be done with a successful exploit Risk The exposure and probability weighted ranking of a given threat, allowing for comparisons between threats and across systems and factors in mitigating/compensating controls It’s important to speak the same language both internally and with 3rd parties
Understand the Risk you are Purchasing • The ecosystem around software is constantly changing • How “risky” software is has as much to do with vendor support as it does to how secure the source code is • Questions should be asked not just of software vendors that sell applications, but also for vendors that offer software as a service. • Contractual requirements should be put into place for outsourced development
Consideration #1 Has Supplier Thought About Security? • A contract does not replace diligence but given the frequency of security breaches today, it’s important to: o Determine what language you (the “Customer”) should minimally have with your “Supplier” when sourcing a software application (the “Software”) o Ensure that terms are defined to your acceptance and understood by supplier • Ask the supplier to provide evidence of security due diligence o Perhaps they have a 3rd-party or independent penetration testing doc to share o Are they willing to attest to your security requirements and/or acceptance testing…and offer remedies if they do not?
Suggested Contract Language • E.g., the Software shall comply with all Documentation applicable thereto, including, without limitation, the applicable Product Requirements Documents, and Supplier shall develop the Software in a professional, workmanlike manner in accordance with or exceeding all industry standards, including security standards.
Consideration #2 Suppliers Secure Development Process? • Often a vendor’s documentation is absent of security controls other than a reference to industry standard(s) • Vendor should demonstrate capabilities around integrating security into each phase of development • Many compliance mandates and customer requirements overlap o Activities are generally the same, just worded differently o Do the mapping ahead of time to consolidate requirements
Mapping Regulations & Mandates • Most regulations, frameworks, and compliance mandates call out general requirements and have non-obvious implications: o “develop according to industry best practices” o “protected information should not be improperly altered’” • Vendor should demonstrate a repeatable SDLC that integrates key security and compliance activities: o Ensures future requirements will have little impact on existing efforts o Allows you to maintain a “big picture” view to software development and IT teams o Reduces “re-do” expenses and audit costs
OWASP Top Ten
High-Level Requirement Other Standards (Partial List) Selected Coding Practices Confidentiality SOX, HIPAA, ISO 27002,, GLBA, FFIEC, Basel l I, CA SB 1386, FIPS 199, NIST - Appropriate use of strong encryption for data in databases. - Encrypting confidential data in memory. No custom or untrusted encryption routines - Encrypting data in motion, especially for wireless transmissions. - Masking confidential data that needs to be viewed in part Data integrity SOX, ISO 27002, HIPAA, GLBA, FIPS 199, NIST - Robust integrity checks to prevent tampering with data. - Input validation and comprehensive error handling to prevent injection attacks, privilege escalation, and other hacking techniques. - Output encoding. Use of least privileges. - Hashing for confidential data that needs to be validated (e.g. passwords) Authentication and access control SOX, ISO 27002, HIPAA, II, NIST SP - Support for strong passwords & two-factor authentication where appropriate. - Role-based access control and revocation of rights, with clear roles mapped to permissions. - Locked down file access and database roles. No guest accounts. - Passwords and encryption keys encrypted before storage and transmission. Logging and auditing SOX, ISO 27002, HIPAA, SB 1386, NIST SP - Detailed audit trails of users accessing data and resources. - Detailed logging of systems that process sensitive data, including shutdowns, restarts and unusual events. No confidential data exposed in logs. - Event logs and audit trails available only to system admins and protected from unauthorized modifications. One secure coding activity yields leverage across security controls in 6 different standards
Other Questions to Ask: Requirements • Do you gather security objectives? How are they mapped to the rest of the design process? Design • Does your team conduct security architecture and design reviews? • Do you use checklists to drive the process? Do you revise them over time? • Does your team create threat models to understand and prioritize risk? Coding • Does your team use a formalized set of security coding best practices? • What type of code scanning tools do you use? • Do you perform code reviews against security best practices? Testing • Does your team conduct 3rd party or internal penetration tests? • Are your testers QA trained on the latest attack trends and test techniques? • Do you use security testing tools?
Suggested Contract Language • The Software shall comply with all Documentation applicable thereto, including, without limitation, the applicable Product Requirements Document, and Supplier shall develop the Software in a professional, workmanlike manner in accordance with or exceeding all industry standards, including security standards. • The Product Requirements Document mutually acceptable to Customer and Supplier shall include each of the security elements set forth on Exhibit A * Be certain to review with your legal counsel what information that is confidential to your company that the application may access, and any appropriate controls on confidential information, trade secrets or private data
Principle Secure Development Requirements • “The software shall include the following secure application development requirements” o (a) a Data Criticality Definition (“DCD”); o (b) security requirements based upon such DCD; o (c) for each technology stack: o i. Defined Architecture Standards o ii. Defined Coding Standards o iii. Defined checklists for use in architecture reviews, code reviews and penetration testing o iv. Defined application security role-based training program for development team o (d) Architecture and design review and threat model o (e) Regular security code review and code scanning during development o (f) 3rd party penetration test before release o (g) Defined response plan for discovered vulnerabilities including how to deploy updates to Customer
Consideration #3 Commitment to Training? • Is there a security training program in place for all development team members? • Is the training appropriate role and technology based? • Is there validation of security skills and techniques?
Additional Items to Discuss • What regular/recurring training does your development and test team receive specific to application security? • What percentage of your software development and testing team is focused on security? • Do you have a security team that attack your products prior to release or is security embedded in each team?
Consideration #4 Security After the Delivery of Software • Consider security for the whole lifecycle • Production scanning or penetration testing? • Cybersecurity insurance with customer as named beneficiary • Make a penetration test an acceptance criteria • Consider the supplier’s security and privacy policies
Suggested Contract Language • Supplier shall at all times during the term of this Agreement maintain appropriate technical and organizational measures to protect any Data that it collects, accesses or processes in conjunction with this Agreement against unauthorized or unlawful use or disclosure. • Supplier shall implement security procedures to protect Data from improper disclosure or use, such procedures to be in compliance with all industry standards and all applicable federal and state regulatory requirements. • Supplier will immediately notify Customer of any breach, or suspected breach, of data security, (a “Security Breach”) and shall immediately coordinate with the Customer security personnel to investigate and remedy the Security Breach, as directed by Customer security personnel. • Supplier shall maintain records of any known or suspected security breaches in accordance with commercially accepted industry practices, and, if not prohibited by applicable law, shall make such records available to Customer upon request.
…Continued • In the event of a Security Breach, notwithstanding any other provision, Supplier shall be solely responsible for all expenses related to the investigation of such breach as well as the costs of furnishing notices to the other party’s affected customers and the offer to such affected customers of services to mitigate the effect of such breach. • Supplier shall not store any Data outside of the United States, other than an ISO 27014 certified facility, transfer any of the same to any location outside of the United States or access or permit access to any of the same from any location outside of the United States. • At Customer’ discretion and Customer’ expense, no more than once in any given year, Supplier shall cause a third party to perform a penetration test of all systems owned or controlled by Supplier or its subcontractors that contain any Data. • Supplier shall provide a summary of such results to Customer. If penetration testing shows any material deficiencies, then Supplier shall use reasonable best efforts to remediate all such deficiencies and shall provide Customer written documentation of such remediation efforts.
Consideration #5 Vulnerability Service Level Agreement • Cooperation after a suspected or known security breach may not be adequate. • Vulnerability SLA including response and turnaround time • Terms and period of vendor’s security support agreement • Tiers for different severity classes (clearly define) • Dedicated team to assess and respond to security vulnerabilities • How (or if) reported security defects are treated differently than non-security defects.
Suggested Contract Language In the event of a Security Breach or if Supplier has reason to believe a Software vulnerability exists, Supplier shall respond within the specified turnaround time according to the following service levels: • (a) Critical: Attacker gains access to admin or root privileges allowing remote read and write access to the system and remote commands. • Response time: 2 to 3 hours • Resolution time: Risk mitigated immediately (e.g. system offline if necessary), risk resolved within 3 days. • (b) High: Attacker gains user privileges or can execute a denial of service (DOS) for any users on the system. Partial and/or read access to the sensitive data. • Response time: 8 hours • Resolution time: Risk mitigated within 1 day, risk resolved within 1 week
In Summary: 3rd Party Risk is Your Risk • All software in your enterprise represents a security risk: o Internally developed o 3rd party vendor o Outsourced team • 3rd party is hard o It's natural to want to 'trust' a 3rd party and hope they are doing all the right things. o It's hard to control 3rd party behavior • Solution o Clear expectations o Backed by binding contractual language
Questions?
Thank You! marketing@securityinnovation.com https://www.securityinnovation.com/knowledge-center/webinars

More Related Content

PPTX
Reduce Third Party Developer Risks
byKevo Meehan
 
PPTX
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"
byWrikeTechClub
 
PPTX
24may 1200 valday eric anklesaria 'secure sdlc – core banking'
byPositive Hack Days
 
PDF
Are Agile And Secure Development Mutually Exclusive?
bySource Conference
 
PPTX
Intro to Security in SDLC
byTjylen Veselyj
 
PPT
Software Engineering Code Of Ethics And Professional Practice
bySaqib Raza
 
PPTX
Shifting the conversation from active interception to proactive neutralization
byRogue Wave Software
 
PPTX
Secure Software Development Life Cycle
byMaurice Dawson
 
Reduce Third Party Developer Risks
byKevo Meehan
 
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"
byWrikeTechClub
 
24may 1200 valday eric anklesaria 'secure sdlc – core banking'
byPositive Hack Days
 
Are Agile And Secure Development Mutually Exclusive?
bySource Conference
 
Intro to Security in SDLC
byTjylen Veselyj
 
Software Engineering Code Of Ethics And Professional Practice
bySaqib Raza
 
Shifting the conversation from active interception to proactive neutralization
byRogue Wave Software
 
Secure Software Development Life Cycle
byMaurice Dawson
 

What's hot

PPTX
Application and Website Security -- Developer Edition: Introducing Security I...
byDaniel Owens
 
PPT
Defect analysis and prevention methods
bydeep sharma
 
PPT
Introducing: Klocwork Insight Pro | November 2009
byKlocwork
 
PDF
Shift Left Security
bygjdevos
 
PDF
OWASP Chicago Meetup Presentation - Threat Modeling-Process Maturity
bySynopsys Software Integrity Group
 
PDF
Manual Code Review
byn|u - The Open Security Community
 
PPTX
Software Audit Strategies - How often is good enough for a software audit?
byTiberius Forrester
 
PDF
Defect analysis course v1.0
byGunesh Apte
 
PPTX
Why do we test software?
byMd. Shafiuzzaman Hira
 
PDF
Rolling Out An Enterprise Source Code Review Program
byDenim Group
 
PPTX
Technical Due Diligence for M&A: A Perspective from Corporate Development at ...
byBlack Duck by Synopsys
 
PDF
The Next Static Code Analysis Tool - Today and Tomorrow
byM Firdaus Harun
 
PPTX
Improve Security through Continuous Testing
byTechWell
 
PPTX
Presentation (software engineering)
byAbdullah Al Shiam
 
PPTX
IT due diligence and software quality for fintech startups
bySieuwert van Otterloo
 
PPT
Anti Patterns Siddhesh Lecture3 Of3
bySiddhesh Bhobe
 
PPT
Anti Patterns Siddhesh Lecture1 Of3
bySiddhesh Bhobe
 
PDF
Security Development Lifecycle Tools
byn|u - The Open Security Community
 
PDF
AppSec How-To: Achieving Security in DevOps
byCheckmarx
 
PPT
software lecture
byRabia Khalid
 
Application and Website Security -- Developer Edition: Introducing Security I...
byDaniel Owens
 
Defect analysis and prevention methods
bydeep sharma
 
Introducing: Klocwork Insight Pro | November 2009
byKlocwork
 
Shift Left Security
bygjdevos
 
OWASP Chicago Meetup Presentation - Threat Modeling-Process Maturity
bySynopsys Software Integrity Group
 
Manual Code Review
byn|u - The Open Security Community
 
Software Audit Strategies - How often is good enough for a software audit?
byTiberius Forrester
 
Defect analysis course v1.0
byGunesh Apte
 
Why do we test software?
byMd. Shafiuzzaman Hira
 
Rolling Out An Enterprise Source Code Review Program
byDenim Group
 
Technical Due Diligence for M&A: A Perspective from Corporate Development at ...
byBlack Duck by Synopsys
 
The Next Static Code Analysis Tool - Today and Tomorrow
byM Firdaus Harun
 
Improve Security through Continuous Testing
byTechWell
 
Presentation (software engineering)
byAbdullah Al Shiam
 
IT due diligence and software quality for fintech startups
bySieuwert van Otterloo
 
Anti Patterns Siddhesh Lecture3 Of3
bySiddhesh Bhobe
 
Anti Patterns Siddhesh Lecture1 Of3
bySiddhesh Bhobe
 
Security Development Lifecycle Tools
byn|u - The Open Security Community
 
AppSec How-To: Achieving Security in DevOps
byCheckmarx
 
software lecture
byRabia Khalid
 

Viewers also liked

PDF
28 banjamini mage_21235
byBirmingham Shirtmakers
 
PPTX
lt meeting discussion deck 081016
byJohn Grover
 
PDF
Reduce Cost, Time, and Risk – eDiscovery and Records Management in SharePoint
byConcept Searching, Inc
 
PPTX
Question 1 - Evaluation
byheyitsdanni_
 
PDF
Intelligent Compliance to Optimize Energy Sector Enterprise Content Managemen...
byConcept Searching, Inc
 
DOCX
NET APP CERTIFICATE
byIgor Pidgorny
 
DOCX
Portafolio de descripciones y planos cad
byEsperanza Espitia
 
PDF
SMART International Symposium for Next Generation Infrastructure: Cost Benefi...
bySMART Infrastructure Facility
 
DOCX
Curriculum Vita Dance Pro
byKayla (Bolton) Hostetler
 
PDF
2005 RSA Conference: Safe at Any Speed
bySecurity Innovation
 
PDF
Get Smart about Ransomware: Protect Yourself and Organization
bySecurity Innovation
 
PPS
PgMP, program Management Professionals
byISDTIS KENNIS TRAINING INSTITUTE
 
PPTX
Bridge defects
byDr Fereidoun Dejahang
 
PDF
Business proposal presentation
bySalehin Rahman Khan
 
28 banjamini mage_21235
byBirmingham Shirtmakers
 
lt meeting discussion deck 081016
byJohn Grover
 
Reduce Cost, Time, and Risk – eDiscovery and Records Management in SharePoint
byConcept Searching, Inc
 
Question 1 - Evaluation
byheyitsdanni_
 
Intelligent Compliance to Optimize Energy Sector Enterprise Content Managemen...
byConcept Searching, Inc
 
NET APP CERTIFICATE
byIgor Pidgorny
 
Portafolio de descripciones y planos cad
byEsperanza Espitia
 
SMART International Symposium for Next Generation Infrastructure: Cost Benefi...
bySMART Infrastructure Facility
 
Curriculum Vita Dance Pro
byKayla (Bolton) Hostetler
 
2005 RSA Conference: Safe at Any Speed
bySecurity Innovation
 
Get Smart about Ransomware: Protect Yourself and Organization
bySecurity Innovation
 
PgMP, program Management Professionals
byISDTIS KENNIS TRAINING INSTITUTE
 
Bridge defects
byDr Fereidoun Dejahang
 
Business proposal presentation
bySalehin Rahman Khan
 

Similar to 5 Ways to Reduce 3rd Party Developer Risk

PDF
AppSec in an Agile World
byDavid Lindner
 
PPT
Software Security in the Real World
byMark Curphey
 
PPT
Software Security Engineering
byMarco Morana
 
PDF
How to Improve Software Security in 2026.pdf
byflufftailshop
 
PDF
The Future of Software Security Assurance
byRafal Los
 
PDF
Secure Software Development: Best practice and strategies.pdf
byNexflare Dynamics
 
PDF
How to Improve Software Security in 2026
bykalichargn70th171
 
PPT
csce201 - software - sec Basic Security.ppt
bygealehegn
 
PDF
Managing Application Security Risk in Enterprises - Thoughts and recommendations
byThierry Zoller
 
PPTX
Information-security and best pracrices tools for the enhanced security of s...
bySamyaGufoor
 
PPT
Software Security Initiatives
byMarco Morana
 
PPT
Software security engineering
byAHM Pervej Kabir
 
PPT
Software security engineering
byAHM Pervej Kabir
 
PPTX
How to develop an AppSec culture in your project
by99X Technology
 
PPTX
Building an AppSec Culture
byNirosh Jayaratnam
 
PDF
Cyber security series Application Security
byJim Kaplan CIA CFE
 
PDF
Applicaiton Security - Building The Audit Program
byMichael Davis
 
PDF
OWASP Secure Coding Quick Reference Guide
byAryan G
 
PPTX
Digital Product Security
bySoftServe
 
ODP
CISSP Week 12
byjemtallon
 
AppSec in an Agile World
byDavid Lindner
 
Software Security in the Real World
byMark Curphey
 
Software Security Engineering
byMarco Morana
 
How to Improve Software Security in 2026.pdf
byflufftailshop
 
The Future of Software Security Assurance
byRafal Los
 
Secure Software Development: Best practice and strategies.pdf
byNexflare Dynamics
 
How to Improve Software Security in 2026
bykalichargn70th171
 
csce201 - software - sec Basic Security.ppt
bygealehegn
 
Managing Application Security Risk in Enterprises - Thoughts and recommendations
byThierry Zoller
 
Information-security and best pracrices tools for the enhanced security of s...
bySamyaGufoor
 
Software Security Initiatives
byMarco Morana
 
Software security engineering
byAHM Pervej Kabir
 
Software security engineering
byAHM Pervej Kabir
 
How to develop an AppSec culture in your project
by99X Technology
 
Building an AppSec Culture
byNirosh Jayaratnam
 
Cyber security series Application Security
byJim Kaplan CIA CFE
 
Applicaiton Security - Building The Audit Program
byMichael Davis
 
OWASP Secure Coding Quick Reference Guide
byAryan G
 
Digital Product Security
bySoftServe
 
CISSP Week 12
byjemtallon
 

More from Security Innovation

PPTX
Securing Applications in the Cloud
bySecurity Innovation
 
PPTX
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
bySecurity Innovation
 
PPTX
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
bySecurity Innovation
 
PPTX
Protecting Sensitive Data (and be PCI Compliant too!)
bySecurity Innovation
 
PDF
5 Ways To Train Security Champions
bySecurity Innovation
 
PPTX
Aligning Application Security to Compliance
bySecurity Innovation
 
PPTX
How to Hijack a Pizza Delivery Robot with Injection Flaws
bySecurity Innovation
 
PPTX
How an Attacker "Audits" Your Software Systems
bySecurity Innovation
 
PPTX
Opening the Talent Spigot to Securing our Digital Future
bySecurity Innovation
 
PPTX
Assessing System Risk the Smart Way
bySecurity Innovation
 
PDF
Slashing Your Cloud Risk: 3 Must-Do's
bySecurity Innovation
 
PPTX
A Fresh, New Look for CMD+CTRL Cyber Range
bySecurity Innovation
 
PPTX
Security Testing for IoT Systems
bySecurity Innovation
 
PPTX
Cyber Ranges: A New Approach to Security
bySecurity Innovation
 
PPTX
Is Blockchain Right for You? The Million Dollar Question
bySecurity Innovation
 
PPTX
Privacy: The New Software Development Dilemma
bySecurity Innovation
 
PPTX
Privacy Secrets Your Systems May Be Telling
bySecurity Innovation
 
PPTX
Secure DevOps - Evolution or Revolution?
bySecurity Innovation
 
PPTX
IoT Security: Debunking the "We Aren't THAT Connected" Myth
bySecurity Innovation
 
PPTX
Threat Modeling - Locking the Door to Vulnerabilities
bySecurity Innovation
 
Securing Applications in the Cloud
bySecurity Innovation
 
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
bySecurity Innovation
 
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
bySecurity Innovation
 
Protecting Sensitive Data (and be PCI Compliant too!)
bySecurity Innovation
 
5 Ways To Train Security Champions
bySecurity Innovation
 
Aligning Application Security to Compliance
bySecurity Innovation
 
How to Hijack a Pizza Delivery Robot with Injection Flaws
bySecurity Innovation
 
How an Attacker "Audits" Your Software Systems
bySecurity Innovation
 
Opening the Talent Spigot to Securing our Digital Future
bySecurity Innovation
 
Assessing System Risk the Smart Way
bySecurity Innovation
 
Slashing Your Cloud Risk: 3 Must-Do's
bySecurity Innovation
 
A Fresh, New Look for CMD+CTRL Cyber Range
bySecurity Innovation
 
Security Testing for IoT Systems
bySecurity Innovation
 
Cyber Ranges: A New Approach to Security
bySecurity Innovation
 
Is Blockchain Right for You? The Million Dollar Question
bySecurity Innovation
 
Privacy: The New Software Development Dilemma
bySecurity Innovation
 
Privacy Secrets Your Systems May Be Telling
bySecurity Innovation
 
Secure DevOps - Evolution or Revolution?
bySecurity Innovation
 
IoT Security: Debunking the "We Aren't THAT Connected" Myth
bySecurity Innovation
 
Threat Modeling - Locking the Door to Vulnerabilities
bySecurity Innovation
 

Recently uploaded

PDF
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
PPTX
Software Engineering in the Age of AI Agents
byHusseinMalikMammadli
 
PDF
"When every team does things "right", but together it turns into chaos", Yozh...
byFwdays
 
PDF
2026_01_28 - OpenMetadata Community Meeting.pdf
byOpenMetadata
 
PDF
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
 
PDF
Designing a Blog Using Wordpress
bymarkzubi50
 
PPTX
NTG - Data Center Management System Software
byMustafa KuÄźu
 
PPTX
Cyber security chapter 1 for learning and educating to the students who want ...
byGulMohammadi
 
PDF
AI and Zero Trust: What it takes to do it right
byMark Simos
 
PDF
Supercharge Your Copilot-Driven Collaboration with Microsoft 365 Agents SDK
byAntti Koskela
 
PDF
Website Redesign Vs Website Refresh, What’s Right for You in 2026?
byAnuj Kumar Singh
 
PDF
The Enterprise Web3 Landscape - a view from Kaleido based on the past 10 year...
byPeter Broadhurst
 
PDF
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
 
PDF
Agentic-Document-Extraction-2026-Presentation.pdf
byTamanna
 
PDF
Transcript: EU regulations for the North American book supply chain - Tech Fo...
byBookNet Canada
 
PPTX
Jisc Equipment Data Service Update Workshop 3 December 2025
byJisc
 
PPTX
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
PDF
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
PPTX
TechSprint WinterHack — Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
 
PDF
Computer-Based Training (CBT) The Backbone of Modern Technical & Defence Trai...
bycomputerbasedtrainin1
 
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
Software Engineering in the Age of AI Agents
byHusseinMalikMammadli
 
"When every team does things "right", but together it turns into chaos", Yozh...
byFwdays
 
2026_01_28 - OpenMetadata Community Meeting.pdf
byOpenMetadata
 
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
 
Designing a Blog Using Wordpress
bymarkzubi50
 
NTG - Data Center Management System Software
byMustafa KuÄźu
 
Cyber security chapter 1 for learning and educating to the students who want ...
byGulMohammadi
 
AI and Zero Trust: What it takes to do it right
byMark Simos
 
Supercharge Your Copilot-Driven Collaboration with Microsoft 365 Agents SDK
byAntti Koskela
 
Website Redesign Vs Website Refresh, What’s Right for You in 2026?
byAnuj Kumar Singh
 
The Enterprise Web3 Landscape - a view from Kaleido based on the past 10 year...
byPeter Broadhurst
 
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
 
Agentic-Document-Extraction-2026-Presentation.pdf
byTamanna
 
Transcript: EU regulations for the North American book supply chain - Tech Fo...
byBookNet Canada
 
Jisc Equipment Data Service Update Workshop 3 December 2025
byJisc
 
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
TechSprint WinterHack — Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
 
Computer-Based Training (CBT) The Backbone of Modern Technical & Defence Trai...
bycomputerbasedtrainin1
 

5 Ways to Reduce 3rd Party Developer Risk

  • 1.
    Webinar: 5 Ways toReduce 3rd Party Developer Risks We will begin momentarily… @SecInnovation #reducedevrisk
  • 2.
    5 Ways toReduce 3rd Party Developer Risks Jason Taylor, CTO
  • 3.
    Agenda • Common Challengesto Secure Software Development • Integrity Checks and Security Assessments • Internal and 3rd Party Security Considerations
  • 4.
    Understanding Root Causeof Vulnerabilities • Failure to set requirements and standards • Not enough training and education • Lack of process • Vulnerabilities are unintended functionality
  • 5.
    Security vs. SoftwareQuality When you think of 3rd party language for functionality requirements, think similarly for security requirements
  • 6.
    The Organizational Disconnect •IT/GRC/InfoSec historically focused on network/endpoint security *Developers and SDLC are now “in scope” • Tools are a typical first step *Both have different perspective on what policies and procedures are in place • How did we handle performance, reliability? *Security needs to be a standard part of the process
  • 7.
    Language, Platform &Framework Nuances • Security policies are not enough o Follow through with architecture and development standards o Must explain “how” and “why,” not just “what” o Must tie to specific roles and technologies • Each language has unique idiosyncrasies and syntax issues: o C++ o Java and .NET o Scripting languages • Each platform is unique: o Mobile o Cloud & Web o Embedded
  • 8.
    The Pitfalls ofAutomation • First instinct is “what tool can we buy”? • It can do a lot of heavy lifting faster than humans; but they…. o Only find KNOWN vulnerabilities/patterns and can miss important issues o Don't teach you how to fix vulnerabilities or prevent them in the future o Useful as part of an assessment program, but shouldn’t be your sole solution • Analyzing results is time consuming and requires skill • Results: o Tools often become shelf-ware o Dev team pushes back against vulnerability management in the SDLC
  • 9.
    • Network boundaryplays key role in “defense-in-depth”, but…. o Misses the majority of security vulnerabilities o Ineffective when applications are internet facing o Attackers can/will break through • With Internet, applications become the perimeter • We still invest exponentially more in network defenses Security is Ultimately a Software Problem * source: Gartner and NIST 70-92% of vulnerabilities exist in the application, not network layer*
  • 10.
    …. and aHuman Problem • Vulnerabilities are frequently the result of a failure in the engineering process • Developers have an implicit trust in the user o Often think of functionality (practical) rather than security o Not common to consider abuse cases • Education tailored to each environment isn’t required o Particularly in requirements and design phase where few tools available o Wide range of technologies and platforms is overwhelming
  • 11.
    Agenda • Common Challengesto Secure Software Development • Integrity Checks and Security Assessments • Internal and 3rd Party Security Considerations
  • 12.
    Integrity Checks • Performsecurity assessments o Design reviews, code reviews, penetration tests at key validation points • Address security beyond the traditional “testing” phase • Security assessment = more than penetration testing the binary: o Validating the design and the architecture before coding begins o Developing a threat model that guides design, coding and test efforts o Using tools while developers are coding to find common security defects o Verifying the security and configuration of the deployment environment
  • 13.
    Assessment Activities WorkTogether • Design review o Sets the rest of the team up for success and finds problems that are the costly to fix later in the cycle • Threat Modeling o Ensures key threats are considered during design, coding and testing • Code Review o One of the highest impact activities, but doesn’t consider the as-deployed state
  • 14.
    …Continued • Manual penetrationtesting o Requires deep knowledge of application and technologies in the environment • Scanning tools o Provide broad coverage to augment these activities
  • 15.
    State of ApplicationSecurity Assessment Conventional approaches to application security are not risk-based • Over-reliance on automated vulnerability scanning • Random efforts to find a needle in a haystack • Fails to address each application’s unique code-, system- and workflow-level vulnerabilities • Little practical guidance on prioritizing defect remediation • Find & Fix “hamster wheel” leads to frustration and stagnation • Many flaws are caused by environment interaction and only discoverable after analyzing application in production
  • 16.
    …Continued An effective securityassessment program • Uses threat modeling to focus efforts on highest risk first • Is committed to finding problems at each phase of development • Aligns breadth and depth of analysis to application complexity and criticality • Let’s humans and tools do what they each do best • Leverages assessment findings to identify root causes and address process and skills gaps
  • 17.
    It’s Called “VerificationPhase” for a Reason • Security testing should be like the net under a tightrope o Not the only time when security problems are found • Why do we often find so many vulnerabilities in testing? o If architecture and development standards are followed, vulnerabilities will be minimized o If assessment activities occur consistently, vulnerabilities will be found early • Penetration testing becomes the last-best assessment, rather than the last-desperate hope
  • 18.
    Agenda • Common Challengesto Secure Software Development • Integrity Checks and Security Assessments • Internal and 3rd Party Security Considerations
  • 19.
    Managing 3rd PartyRisk • 3rd party includes: o Supplier of software you purchase o Supplier of Software as a Service you consume o Outsourced development team you leverage • Managing risk includes: o Setting expectations, including contractual language o Validating expectations are met o Clear remediation procedures to handle identified risks
  • 20.
    Language Normalization Term Definition VulnerabilitySecurity exposure that results from a weakness that the architect, developer, etc did not intend to introduce Threat A negative occurrence in the business processes of a system Attack An implementation-specific action or set of actions taken against a system to realize a threat Exploit Sequence of commands/activities that takes advantage of a vulnerability to cause unintended or unanticipated behavior (i.e. gaining control of a system, privilege escalation, or a denial-of-service attack) Impact What damage can be done with a successful exploit Risk The exposure and probability weighted ranking of a given threat, allowing for comparisons between threats and across systems and factors in mitigating/compensating controls It’s important to speak the same language both internally and with 3rd parties
  • 21.
    Understand the Riskyou are Purchasing • The ecosystem around software is constantly changing • How “risky” software is has as much to do with vendor support as it does to how secure the source code is • Questions should be asked not just of software vendors that sell applications, but also for vendors that offer software as a service. • Contractual requirements should be put into place for outsourced development
  • 22.
    Consideration #1 Has SupplierThought About Security? • A contract does not replace diligence but given the frequency of security breaches today, it’s important to: o Determine what language you (the “Customer”) should minimally have with your “Supplier” when sourcing a software application (the “Software”) o Ensure that terms are defined to your acceptance and understood by supplier • Ask the supplier to provide evidence of security due diligence o Perhaps they have a 3rd-party or independent penetration testing doc to share o Are they willing to attest to your security requirements and/or acceptance testing…and offer remedies if they do not?
  • 23.
    Suggested Contract Language •E.g., the Software shall comply with all Documentation applicable thereto, including, without limitation, the applicable Product Requirements Documents, and Supplier shall develop the Software in a professional, workmanlike manner in accordance with or exceeding all industry standards, including security standards.
  • 24.
    Consideration #2 Suppliers SecureDevelopment Process? • Often a vendor’s documentation is absent of security controls other than a reference to industry standard(s) • Vendor should demonstrate capabilities around integrating security into each phase of development • Many compliance mandates and customer requirements overlap o Activities are generally the same, just worded differently o Do the mapping ahead of time to consolidate requirements
  • 25.
    Mapping Regulations &Mandates • Most regulations, frameworks, and compliance mandates call out general requirements and have non-obvious implications: o “develop according to industry best practices” o “protected information should not be improperly altered’” • Vendor should demonstrate a repeatable SDLC that integrates key security and compliance activities: o Ensures future requirements will have little impact on existing efforts o Allows you to maintain a “big picture” view to software development and IT teams o Reduces “re-do” expenses and audit costs
  • 26.
  • 27.
    High-Level Requirement Other Standards (Partial List) SelectedCoding Practices Confidentiality SOX, HIPAA, ISO 27002,, GLBA, FFIEC, Basel l I, CA SB 1386, FIPS 199, NIST - Appropriate use of strong encryption for data in databases. - Encrypting confidential data in memory. No custom or untrusted encryption routines - Encrypting data in motion, especially for wireless transmissions. - Masking confidential data that needs to be viewed in part Data integrity SOX, ISO 27002, HIPAA, GLBA, FIPS 199, NIST - Robust integrity checks to prevent tampering with data. - Input validation and comprehensive error handling to prevent injection attacks, privilege escalation, and other hacking techniques. - Output encoding. Use of least privileges. - Hashing for confidential data that needs to be validated (e.g. passwords) Authentication and access control SOX, ISO 27002, HIPAA, II, NIST SP - Support for strong passwords & two-factor authentication where appropriate. - Role-based access control and revocation of rights, with clear roles mapped to permissions. - Locked down file access and database roles. No guest accounts. - Passwords and encryption keys encrypted before storage and transmission. Logging and auditing SOX, ISO 27002, HIPAA, SB 1386, NIST SP - Detailed audit trails of users accessing data and resources. - Detailed logging of systems that process sensitive data, including shutdowns, restarts and unusual events. No confidential data exposed in logs. - Event logs and audit trails available only to system admins and protected from unauthorized modifications. One secure coding activity yields leverage across security controls in 6 different standards
  • 28.
    Other Questions toAsk: Requirements • Do you gather security objectives? How are they mapped to the rest of the design process? Design • Does your team conduct security architecture and design reviews? • Do you use checklists to drive the process? Do you revise them over time? • Does your team create threat models to understand and prioritize risk? Coding • Does your team use a formalized set of security coding best practices? • What type of code scanning tools do you use? • Do you perform code reviews against security best practices? Testing • Does your team conduct 3rd party or internal penetration tests? • Are your testers QA trained on the latest attack trends and test techniques? • Do you use security testing tools?
  • 29.
    Suggested Contract Language •The Software shall comply with all Documentation applicable thereto, including, without limitation, the applicable Product Requirements Document, and Supplier shall develop the Software in a professional, workmanlike manner in accordance with or exceeding all industry standards, including security standards. • The Product Requirements Document mutually acceptable to Customer and Supplier shall include each of the security elements set forth on Exhibit A * Be certain to review with your legal counsel what information that is confidential to your company that the application may access, and any appropriate controls on confidential information, trade secrets or private data
  • 30.
    Principle Secure Development Requirements •“The software shall include the following secure application development requirements” o (a) a Data Criticality Definition (“DCD”); o (b) security requirements based upon such DCD; o (c) for each technology stack: o i. Defined Architecture Standards o ii. Defined Coding Standards o iii. Defined checklists for use in architecture reviews, code reviews and penetration testing o iv. Defined application security role-based training program for development team o (d) Architecture and design review and threat model o (e) Regular security code review and code scanning during development o (f) 3rd party penetration test before release o (g) Defined response plan for discovered vulnerabilities including how to deploy updates to Customer
  • 31.
    Consideration #3 Commitment toTraining? • Is there a security training program in place for all development team members? • Is the training appropriate role and technology based? • Is there validation of security skills and techniques?
  • 32.
    Additional Items toDiscuss • What regular/recurring training does your development and test team receive specific to application security? • What percentage of your software development and testing team is focused on security? • Do you have a security team that attack your products prior to release or is security embedded in each team?
  • 33.
    Consideration #4 Security Afterthe Delivery of Software • Consider security for the whole lifecycle • Production scanning or penetration testing? • Cybersecurity insurance with customer as named beneficiary • Make a penetration test an acceptance criteria • Consider the supplier’s security and privacy policies
  • 34.
    Suggested Contract Language •Supplier shall at all times during the term of this Agreement maintain appropriate technical and organizational measures to protect any Data that it collects, accesses or processes in conjunction with this Agreement against unauthorized or unlawful use or disclosure. • Supplier shall implement security procedures to protect Data from improper disclosure or use, such procedures to be in compliance with all industry standards and all applicable federal and state regulatory requirements. • Supplier will immediately notify Customer of any breach, or suspected breach, of data security, (a “Security Breach”) and shall immediately coordinate with the Customer security personnel to investigate and remedy the Security Breach, as directed by Customer security personnel. • Supplier shall maintain records of any known or suspected security breaches in accordance with commercially accepted industry practices, and, if not prohibited by applicable law, shall make such records available to Customer upon request.
  • 35.
    …Continued • In theevent of a Security Breach, notwithstanding any other provision, Supplier shall be solely responsible for all expenses related to the investigation of such breach as well as the costs of furnishing notices to the other party’s affected customers and the offer to such affected customers of services to mitigate the effect of such breach. • Supplier shall not store any Data outside of the United States, other than an ISO 27014 certified facility, transfer any of the same to any location outside of the United States or access or permit access to any of the same from any location outside of the United States. • At Customer’ discretion and Customer’ expense, no more than once in any given year, Supplier shall cause a third party to perform a penetration test of all systems owned or controlled by Supplier or its subcontractors that contain any Data. • Supplier shall provide a summary of such results to Customer. If penetration testing shows any material deficiencies, then Supplier shall use reasonable best efforts to remediate all such deficiencies and shall provide Customer written documentation of such remediation efforts.
  • 36.
    Consideration #5 Vulnerability ServiceLevel Agreement • Cooperation after a suspected or known security breach may not be adequate. • Vulnerability SLA including response and turnaround time • Terms and period of vendor’s security support agreement • Tiers for different severity classes (clearly define) • Dedicated team to assess and respond to security vulnerabilities • How (or if) reported security defects are treated differently than non-security defects.
  • 37.
    Suggested Contract Language Inthe event of a Security Breach or if Supplier has reason to believe a Software vulnerability exists, Supplier shall respond within the specified turnaround time according to the following service levels: • (a) Critical: Attacker gains access to admin or root privileges allowing remote read and write access to the system and remote commands. • Response time: 2 to 3 hours • Resolution time: Risk mitigated immediately (e.g. system offline if necessary), risk resolved within 3 days. • (b) High: Attacker gains user privileges or can execute a denial of service (DOS) for any users on the system. Partial and/or read access to the sensitive data. • Response time: 8 hours • Resolution time: Risk mitigated within 1 day, risk resolved within 1 week
  • 38.
    In Summary: 3rdParty Risk is Your Risk • All software in your enterprise represents a security risk: o Internally developed o 3rd party vendor o Outsourced team • 3rd party is hard o It's natural to want to 'trust' a 3rd party and hope they are doing all the right things. o It's hard to control 3rd party behavior • Solution o Clear expectations o Backed by binding contractual language
  • 39.
  • 40.