DefCamp, profile picture
Uploaded byDefCamp
PPTX, PDF186 views

Building application security with 0 money down

The document outlines a framework for building application security with minimal initial investment, emphasizing the importance of establishing an effective security program through smart tooling and training. It details the Microsoft Security Development Lifecycle (SDL) steps including training, requirements, design, implementation, verification, release, and response; as well as goals for maturity in application security practices. Various free tools are suggested for assessing and fixing security vulnerabilities at different stages of the application lifecycle.

Embed presentation

Download to read offline
@intralinks @intralinks © 2018 Intralinks, Inc. l All Rights Reserved l 1 Building application security with 0 money down Mushegh Hakhinian| VP, Security Architecture| November 9, 2018
Why this talk? Share experience: • “Everything-as-code” means “most-of-the-things” can be fixed in code • A good program can be started without major investment in tooling • A good program cannot be established without smart investment in tooling © 2018 Intralinks, Inc. l All Rights Reserved l 2
Introduction 01 © 2018 Intralinks, Inc. l All Rights Reserved l 3
Microsoft SDL Steps © 2018 Intralinks, Inc. l All Rights Reserved l 4 1. Training 2. Requirements 3. Design 4. Implementation 1. Core Security Training 1. Security and Privacy Requirements 2. Quality Gates 3. Security And Privacy Risk Assessments 1. Design Requirements 2. Attack Surface Reduction 3. Threat Modeling 1. Use Approved Tools 2. Deprecate Unsafe Functions 3. Static Analysis
Microsoft SDL Steps (continued) © 2018 Intralinks, Inc. l All Rights Reserved l 5 5. Verification 6. Release 7. Response 1. Dynamic Analysis 2. Fuzz Testing 3. Attack Surface Review 1. Incident Response Plan 2. Final Security Review 3. Release Certification 1. Execute Incident Response Plan
Application Security Stages - Coming of Age 02 © 2018 Intralinks, Inc. l All Rights Reserved l 6
Beginning State Sincere ignorance © 2018 Intralinks, Inc. l All Rights Reserved l 7
Next State Vicious Cycle First assessment Fix critical issues Second assessment Fix critical issues Third assessment Fix critical issues … … N-th assessment Fix critical issues © 2018 Intralinks, Inc. l All Rights Reserved l 8
Application Security Process Inception 03 © 2018 Intralinks, Inc. l All Rights Reserved l 9
Attainable Goal 1 - Find Glaring Issues Step 1 - Test Production Instances Free Tools: - OWASP Zed Attack Proxy - Openssl.com for quick check of TLS profiles © 2018 Intralinks, Inc. l All Rights Reserved l 10 5. Verification 1. Dynamic Analysis 2. Fuzz Testing 3. Attack Surface Review
Attainable Goal 2 – Fix Issues Under Own Control Step 2 - Check Own Code Free Tools: - Dependency Checker for 3-rd party components (weekly) - SonarQube for code analysis (nightly) - Clair for docker container analysis (weekly) © 2018 Intralinks, Inc. l All Rights Reserved l 11 4. Implementation 1. Use Approved Tools 2. Deprecate Unsafe Functions 3. Static Analysis
Attainable Goal 3 – Catch Issues Before Coding Starts Step 3 – Define Required Security Controls When Designing and Perform Architectural Risk Analysis Free Tools: - Microsoft Threat Modeling Tool © 2018 Intralinks, Inc. l All Rights Reserved l 12 3. Design 1. Design Requirements 2. Attack Surface Reduction 3. Threat Modeling
Process Inception Checklist © 2018 Intralinks, Inc. l All Rights Reserved l 13 Use special tickets to track vulnerabilities – it takes some research to understand at which layer the fix needs to be applied Get stakeholder commitment to fix Critical issues immediately Get commitment to patch 3-rd party components
Steps to Maturity and Scaling 04 © 2018 Intralinks, Inc. l All Rights Reserved l 14
Maturity Goal 1 – Establish Continuous Assessment Budget for Commercial Tooling Evaluate and Implement 24/7 Dynamic Assessment Product Scan Test Environments Before Promoting to Production © 2018 Intralinks, Inc. l All Rights Reserved l 15 5. Verification 1. Dynamic Analysis 2. Fuzz Testing 3. Attack Surface Review
Maturity Goal 2 – Integrate With Commercial Code Analysis Tools Budget for Commercial Tooling Scan for Viral Licenses Scan for non-patched components Perform Static code analysis for each build © 2018 Intralinks, Inc. l All Rights Reserved l 16 4. Implementation 1. Use Approved Tools 2. Deprecate Unsafe Functions 3. Static Analysis
Maturity Goal 3 – Enforce Security Gates Define thresholds and fail builds for critical items © 2018 Intralinks, Inc. l All Rights Reserved l 17 2. Requirements 1. Security and Privacy Requirements 2. Quality Gates 3. Security And Privacy Risk Assessments
Maturity Goal 4 – Invest in Training Establish Formal Security Training for Engineers With Yearly Re-certification Train and Certify Security Champions to Scale The Security Program © 2018 Intralinks, Inc. l All Rights Reserved l 18 1. Training 1. Core Security Training
Process Maturity Checklist © 2018 Intralinks, Inc. l All Rights Reserved l 19 Establish Cross-team committee to review security issues Establish Timelines for fixing all security issues Low to Critical Automate 3-rd party component patching Establish metrics for executive level reporting (Risk Management Committee)
Conclusion 05 © 2018 Intralinks, Inc. l All Rights Reserved l 20
Customized SDL Steps With Little Initial Investment © 2018 Intralinks, Inc. l All Rights Reserved l 21 1. Production Scanning 6. Security Gates Enforcement 3. Threat Modeling 2. Code Analysis 4. Continuous Assessment 5. Automated Code Analysis 7. Secure Coding Training
Ultimately, People Make The Program Work © 2018 Intralinks, Inc. l All Rights Reserved l 22
Useful Links to Free Tools © 2018 Intralinks, Inc. l All Rights Reserved l 23 https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project https://www.owasp.org/index.php/OWASP_Dependency_Check https://www.sonarqube.org/ https://github.com/coreos/clair https://www.microsoft.com/en-us/download/details.aspx?id=49168
@intralinks @intralinks © 2018 Intralinks, Inc. l All Rights Reserved l 24 SonarQube Demo Bogdan Petru-Ungureanu| Security Architect| November 9, 2018
Thank You! @intralinks @intralinks © 2018 Intralinks, Inc. l All Rights Reserved l 25 intralinks.com

More Related Content

PPTX
Kba talk track 2018
byGreg Wartes, MCP
 
PPS
Risk Management using ITSG-33
byCTE Solutions Inc.
 
PDF
TETRA
byIntetics
 
PPTX
Functional Safety and Security process alignment
byAlan Tatourian
 
PPTX
Highly dependable automotive software
byAlan Tatourian
 
PDF
Case Study on supply chain attack-how an rce in jenkins leads to data breache...
byidsecconf
 
PPTX
Ga society of cpa's 2018 coastal chapter
byGreg Wartes, MCP
 
PDF
Managing Traceability in an Agile, Safety-critical Development Environment
byIntland Software GmbH
 
Kba talk track 2018
byGreg Wartes, MCP
 
Risk Management using ITSG-33
byCTE Solutions Inc.
 
TETRA
byIntetics
 
Functional Safety and Security process alignment
byAlan Tatourian
 
Highly dependable automotive software
byAlan Tatourian
 
Case Study on supply chain attack-how an rce in jenkins leads to data breache...
byidsecconf
 
Ga society of cpa's 2018 coastal chapter
byGreg Wartes, MCP
 
Managing Traceability in an Agile, Safety-critical Development Environment
byIntland Software GmbH
 

What's hot

PPTX
Systems architecture with the functional safety/security emphasis
byAlan Tatourian
 
PPTX
Open Source Insight: GitHub Finds 4M Flaws, IAST Magic Quadrant, 2018 Open So...
byBlack Duck by Synopsys
 
PPTX
Security in Android Application
byRishabh Gupta
 
PPTX
WhiteSource Webinar-New Research Reveals Key Strategy to Manage Open Source S...
byWhiteSource
 
PDF
Bug Bounties and The Path to Secure Software by 451 Research
byHackerOne
 
PPTX
Augusta gen v presentation adapture v2
byGreg Wartes, MCP
 
PPTX
Cloud security live hack - final meetup
byAWS User Group North (Manchester)
 
PPTX
Open Source Insight: AppSec for DevOps, Open Source vs Proprietary, Malicious...
byBlack Duck by Synopsys
 
PPTX
Highly dependable automotive software
byAlan Tatourian
 
PDF
How MITRE ATT&CK helps security operations
bySergey Soldatov
 
PPTX
DevSecCon London 2018: How to fit threat modelling into agile development: sl...
byDevSecCon
 
PPTX
Open source code
byIntetics
 
PDF
Threat Intelligence Is Like Three Day Potty Training
byPriyanka Aash
 
PDF
Hacking ble smartwatch
byidsecconf
 
PDF
Attack eu 2021 attack4cvc
byAndrey Bezverkhiy
 
PDF
Advanced red teaming all your badges are belong to us
byPriyanka Aash
 
PDF
BlueHat v18 || Improving security posture through increased agility with meas...
byBlueHat Security Conference
 
PPTX
Securing future connected vehicles and infrastructure
byAlan Tatourian
 
PDF
MITRE ATT&CKcon 2018: ATT&CK: All the Things, Neelsen Cyrus and David Thompso...
byMITRE - ATT&CKcon
 
PDF
Software Security: In the World of Cloud & CI-CD
byOWASP Delhi
 
Systems architecture with the functional safety/security emphasis
byAlan Tatourian
 
Open Source Insight: GitHub Finds 4M Flaws, IAST Magic Quadrant, 2018 Open So...
byBlack Duck by Synopsys
 
Security in Android Application
byRishabh Gupta
 
WhiteSource Webinar-New Research Reveals Key Strategy to Manage Open Source S...
byWhiteSource
 
Bug Bounties and The Path to Secure Software by 451 Research
byHackerOne
 
Augusta gen v presentation adapture v2
byGreg Wartes, MCP
 
Cloud security live hack - final meetup
byAWS User Group North (Manchester)
 
Open Source Insight: AppSec for DevOps, Open Source vs Proprietary, Malicious...
byBlack Duck by Synopsys
 
Highly dependable automotive software
byAlan Tatourian
 
How MITRE ATT&CK helps security operations
bySergey Soldatov
 
DevSecCon London 2018: How to fit threat modelling into agile development: sl...
byDevSecCon
 
Open source code
byIntetics
 
Threat Intelligence Is Like Three Day Potty Training
byPriyanka Aash
 
Hacking ble smartwatch
byidsecconf
 
Attack eu 2021 attack4cvc
byAndrey Bezverkhiy
 
Advanced red teaming all your badges are belong to us
byPriyanka Aash
 
BlueHat v18 || Improving security posture through increased agility with meas...
byBlueHat Security Conference
 
Securing future connected vehicles and infrastructure
byAlan Tatourian
 
MITRE ATT&CKcon 2018: ATT&CK: All the Things, Neelsen Cyrus and David Thompso...
byMITRE - ATT&CKcon
 
Software Security: In the World of Cloud & CI-CD
byOWASP Delhi
 

Similar to Building application security with 0 money down

PPT
Software Security in the Real World
byMark Curphey
 
PPT
Software Security Initiatives
byMarco Morana
 
PPT
Software Security Engineering
byMarco Morana
 
PDF
SDLC & DevSecOps
byIrina Kostina
 
PDF
ProdSec: A Technical Approach
byJeremy Brown
 
PPTX
Agile and Secure SDLC
byNazar Tymoshyk, CEH, Ph.D.
 
PPT
OWASP: Building Secure Web Apps
bymlogvinov
 
PPTX
Digital Product Security
bySoftServe
 
PDF
AppSec in an Agile World
byDavid Lindner
 
PDF
Application Security Testing for Software Engineers: An approach to build sof...
byMichael Hidalgo
 
PPT
3830100.ppt
byazida3
 
PPTX
How not to fall into the DevSecOps trap
byMatteo Emili
 
PDF
Tactical Application Security: Getting Stuff Done - Black Hat Briefings 2015
byCory Scott
 
PDF
Software Security Initiative And Capability Maturity Models
byMarco Morana
 
PDF
Best Practices for Driving Software Quality through a Federated Application S...
byDevOps.com
 
KEY
Application Security Done Right
bypvanwoud
 
PDF
App sec and quality london - may 2016 - v0.5
byDinis Cruz
 
PPTX
Ethical Hacking Conference 2015- Building Secure Products -a perspective
byDr. Anish Cheriyan (PhD)
 
PPTX
IT due diligence and software quality for fintech startups
bySieuwert van Otterloo
 
PPTX
Security Culture from Concept to Maintenance: Secure Software Development Lif...
byDilum Bandara
 
Software Security in the Real World
byMark Curphey
 
Software Security Initiatives
byMarco Morana
 
Software Security Engineering
byMarco Morana
 
SDLC & DevSecOps
byIrina Kostina
 
ProdSec: A Technical Approach
byJeremy Brown
 
Agile and Secure SDLC
byNazar Tymoshyk, CEH, Ph.D.
 
OWASP: Building Secure Web Apps
bymlogvinov
 
Digital Product Security
bySoftServe
 
AppSec in an Agile World
byDavid Lindner
 
Application Security Testing for Software Engineers: An approach to build sof...
byMichael Hidalgo
 
3830100.ppt
byazida3
 
How not to fall into the DevSecOps trap
byMatteo Emili
 
Tactical Application Security: Getting Stuff Done - Black Hat Briefings 2015
byCory Scott
 
Software Security Initiative And Capability Maturity Models
byMarco Morana
 
Best Practices for Driving Software Quality through a Federated Application S...
byDevOps.com
 
Application Security Done Right
bypvanwoud
 
App sec and quality london - may 2016 - v0.5
byDinis Cruz
 
Ethical Hacking Conference 2015- Building Secure Products -a perspective
byDr. Anish Cheriyan (PhD)
 
IT due diligence and software quality for fintech startups
bySieuwert van Otterloo
 
Security Culture from Concept to Maintenance: Secure Software Development Lif...
byDilum Bandara
 

More from DefCamp

PDF
Remote Yacht Hacking
byDefCamp
 
PDF
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
byDefCamp
 
PPTX
The Charter of Trust
byDefCamp
 
PPTX
Internet Balkanization: Why Are We Raising Borders Online?
byDefCamp
 
PPTX
Bridging the gap between CyberSecurity R&D and UX
byDefCamp
 
PPTX
Secure and privacy-preserving data transmission and processing using homomorp...
byDefCamp
 
PPTX
Drupalgeddon 2 – Yet Another Weapon for the Attacker
byDefCamp
 
PPTX
Economical Denial of Sustainability in the Cloud (EDOS)
byDefCamp
 
PPTX
Trust, but verify – Bypassing MFA
byDefCamp
 
PPTX
Threat Hunting: From Platitudes to Practical Application
byDefCamp
 
PPTX
Implementation of information security techniques on modern android based Kio...
byDefCamp
 
PPTX
Lattice based Merkle for post-quantum epoch
byDefCamp
 
PPTX
The challenge of building a secure and safe digital environment in healthcare
byDefCamp
 
PPTX
Timing attacks against web applications: Are they still practical?
byDefCamp
 
PPTX
Tor .onions: The Good, The Rotten and The Misconfigured
byDefCamp
 
PPTX
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
byDefCamp
 
PPTX
We will charge you. How to [b]reach vendor’s network using EV charging station.
byDefCamp
 
PPTX
Connect & Inspire Cyber Security
byDefCamp
 
PPTX
The lions and the watering hole
byDefCamp
 
PPTX
Catch Me If You Can - Finding APTs in your network
byDefCamp
 
Remote Yacht Hacking
byDefCamp
 
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
byDefCamp
 
The Charter of Trust
byDefCamp
 
Internet Balkanization: Why Are We Raising Borders Online?
byDefCamp
 
Bridging the gap between CyberSecurity R&D and UX
byDefCamp
 
Secure and privacy-preserving data transmission and processing using homomorp...
byDefCamp
 
Drupalgeddon 2 – Yet Another Weapon for the Attacker
byDefCamp
 
Economical Denial of Sustainability in the Cloud (EDOS)
byDefCamp
 
Trust, but verify – Bypassing MFA
byDefCamp
 
Threat Hunting: From Platitudes to Practical Application
byDefCamp
 
Implementation of information security techniques on modern android based Kio...
byDefCamp
 
Lattice based Merkle for post-quantum epoch
byDefCamp
 
The challenge of building a secure and safe digital environment in healthcare
byDefCamp
 
Timing attacks against web applications: Are they still practical?
byDefCamp
 
Tor .onions: The Good, The Rotten and The Misconfigured
byDefCamp
 
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
byDefCamp
 
We will charge you. How to [b]reach vendor’s network using EV charging station.
byDefCamp
 
Connect & Inspire Cyber Security
byDefCamp
 
The lions and the watering hole
byDefCamp
 
Catch Me If You Can - Finding APTs in your network
byDefCamp
 

Recently uploaded

PDF
Transcript: What Thema can do: Leveraging metadata to support the discoverabi...
byBookNet Canada
 
PDF
Designing a Blog Using Wordpress
bymarkzubi50
 
PDF
CI CD Observability, Metrics and DORA - Shifting Left and Cleaning Up! - Febr...
byPeter Souter
 
PDF
Real-Time AI Masterclass: Vector Search at Scale
byScyllaDB
 
PPTX
Software Engineering in the Age of AI Agents
byHusseinMalikMammadli
 
PDF
Post-Hackathon-Learnings-Maximizing-Impact-Beyond-the-Event.pdf
byishantyadav1111
 
PDF
January 2026 OpenMetadata Community Spotlight - OpenMetadata @ Wix.pdf
byOpenMetadata
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 1
byDianaGray10
 
PDF
Taxonomy Alignment for SDG Tagging - ASHA Case Study
byEnterprise Knowledge
 
PDF
"When every team does things "right", but together it turns into chaos", Yozh...
byFwdays
 
PDF
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
 
PDF
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
 
PDF
Bettersize | BeSEC Series Product Brochure
byBettersize Instruments
 
PDF
What Thema can do: Leveraging metadata to support the discoverability of Firs...
byBookNet Canada
 
PPTX
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
PDF
Build Next-Gen Spatial & Sensor Workflows: Secure, Scalable Processing in Sno...
bySafe Software
 
PDF
Supercharge Your Copilot-Driven Collaboration with Microsoft 365 Agents SDK
byAntti Koskela
 
PDF
Getting Started with Apache Spark: Big Data Made Simple [Free Meetup]
byHaim Michael
 
PDF
How to build hackthon projects from ZERO!
byishantyadav1111
 
PDF
Adapt.com Seed Fundraising Deck | The AI Computer for Business
byashley459565
 
Transcript: What Thema can do: Leveraging metadata to support the discoverabi...
byBookNet Canada
 
Designing a Blog Using Wordpress
bymarkzubi50
 
CI CD Observability, Metrics and DORA - Shifting Left and Cleaning Up! - Febr...
byPeter Souter
 
Real-Time AI Masterclass: Vector Search at Scale
byScyllaDB
 
Software Engineering in the Age of AI Agents
byHusseinMalikMammadli
 
Post-Hackathon-Learnings-Maximizing-Impact-Beyond-the-Event.pdf
byishantyadav1111
 
January 2026 OpenMetadata Community Spotlight - OpenMetadata @ Wix.pdf
byOpenMetadata
 
UiPath Automation Developer Associate Training Series 2026 - Session 1
byDianaGray10
 
Taxonomy Alignment for SDG Tagging - ASHA Case Study
byEnterprise Knowledge
 
"When every team does things "right", but together it turns into chaos", Yozh...
byFwdays
 
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
 
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
 
Bettersize | BeSEC Series Product Brochure
byBettersize Instruments
 
What Thema can do: Leveraging metadata to support the discoverability of Firs...
byBookNet Canada
 
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
Build Next-Gen Spatial & Sensor Workflows: Secure, Scalable Processing in Sno...
bySafe Software
 
Supercharge Your Copilot-Driven Collaboration with Microsoft 365 Agents SDK
byAntti Koskela
 
Getting Started with Apache Spark: Big Data Made Simple [Free Meetup]
byHaim Michael
 
How to build hackthon projects from ZERO!
byishantyadav1111
 
Adapt.com Seed Fundraising Deck | The AI Computer for Business
byashley459565
 

Building application security with 0 money down

  • 1.
    @intralinks @intralinks © 2018 Intralinks,Inc. l All Rights Reserved l 1 Building application security with 0 money down Mushegh Hakhinian| VP, Security Architecture| November 9, 2018
  • 2.
    Why this talk? Shareexperience: • “Everything-as-code” means “most-of-the-things” can be fixed in code • A good program can be started without major investment in tooling • A good program cannot be established without smart investment in tooling © 2018 Intralinks, Inc. l All Rights Reserved l 2
  • 3.
    Introduction 01 © 2018 Intralinks,Inc. l All Rights Reserved l 3
  • 4.
    Microsoft SDL Steps ©2018 Intralinks, Inc. l All Rights Reserved l 4 1. Training 2. Requirements 3. Design 4. Implementation 1. Core Security Training 1. Security and Privacy Requirements 2. Quality Gates 3. Security And Privacy Risk Assessments 1. Design Requirements 2. Attack Surface Reduction 3. Threat Modeling 1. Use Approved Tools 2. Deprecate Unsafe Functions 3. Static Analysis
  • 5.
    Microsoft SDL Steps(continued) © 2018 Intralinks, Inc. l All Rights Reserved l 5 5. Verification 6. Release 7. Response 1. Dynamic Analysis 2. Fuzz Testing 3. Attack Surface Review 1. Incident Response Plan 2. Final Security Review 3. Release Certification 1. Execute Incident Response Plan
  • 6.
    Application Security Stages- Coming of Age 02 © 2018 Intralinks, Inc. l All Rights Reserved l 6
  • 7.
    Beginning State Sincere ignorance ©2018 Intralinks, Inc. l All Rights Reserved l 7
  • 8.
    Next State Vicious Cycle Firstassessment Fix critical issues Second assessment Fix critical issues Third assessment Fix critical issues … … N-th assessment Fix critical issues © 2018 Intralinks, Inc. l All Rights Reserved l 8
  • 9.
    Application Security ProcessInception 03 © 2018 Intralinks, Inc. l All Rights Reserved l 9
  • 10.
    Attainable Goal 1- Find Glaring Issues Step 1 - Test Production Instances Free Tools: - OWASP Zed Attack Proxy - Openssl.com for quick check of TLS profiles © 2018 Intralinks, Inc. l All Rights Reserved l 10 5. Verification 1. Dynamic Analysis 2. Fuzz Testing 3. Attack Surface Review
  • 11.
    Attainable Goal 2– Fix Issues Under Own Control Step 2 - Check Own Code Free Tools: - Dependency Checker for 3-rd party components (weekly) - SonarQube for code analysis (nightly) - Clair for docker container analysis (weekly) © 2018 Intralinks, Inc. l All Rights Reserved l 11 4. Implementation 1. Use Approved Tools 2. Deprecate Unsafe Functions 3. Static Analysis
  • 12.
    Attainable Goal 3– Catch Issues Before Coding Starts Step 3 – Define Required Security Controls When Designing and Perform Architectural Risk Analysis Free Tools: - Microsoft Threat Modeling Tool © 2018 Intralinks, Inc. l All Rights Reserved l 12 3. Design 1. Design Requirements 2. Attack Surface Reduction 3. Threat Modeling
  • 13.
    Process Inception Checklist ©2018 Intralinks, Inc. l All Rights Reserved l 13 Use special tickets to track vulnerabilities – it takes some research to understand at which layer the fix needs to be applied Get stakeholder commitment to fix Critical issues immediately Get commitment to patch 3-rd party components
  • 14.
    Steps to Maturityand Scaling 04 © 2018 Intralinks, Inc. l All Rights Reserved l 14
  • 15.
    Maturity Goal 1– Establish Continuous Assessment Budget for Commercial Tooling Evaluate and Implement 24/7 Dynamic Assessment Product Scan Test Environments Before Promoting to Production © 2018 Intralinks, Inc. l All Rights Reserved l 15 5. Verification 1. Dynamic Analysis 2. Fuzz Testing 3. Attack Surface Review
  • 16.
    Maturity Goal 2– Integrate With Commercial Code Analysis Tools Budget for Commercial Tooling Scan for Viral Licenses Scan for non-patched components Perform Static code analysis for each build © 2018 Intralinks, Inc. l All Rights Reserved l 16 4. Implementation 1. Use Approved Tools 2. Deprecate Unsafe Functions 3. Static Analysis
  • 17.
    Maturity Goal 3– Enforce Security Gates Define thresholds and fail builds for critical items © 2018 Intralinks, Inc. l All Rights Reserved l 17 2. Requirements 1. Security and Privacy Requirements 2. Quality Gates 3. Security And Privacy Risk Assessments
  • 18.
    Maturity Goal 4– Invest in Training Establish Formal Security Training for Engineers With Yearly Re-certification Train and Certify Security Champions to Scale The Security Program © 2018 Intralinks, Inc. l All Rights Reserved l 18 1. Training 1. Core Security Training
  • 19.
    Process Maturity Checklist ©2018 Intralinks, Inc. l All Rights Reserved l 19 Establish Cross-team committee to review security issues Establish Timelines for fixing all security issues Low to Critical Automate 3-rd party component patching Establish metrics for executive level reporting (Risk Management Committee)
  • 20.
    Conclusion 05 © 2018 Intralinks,Inc. l All Rights Reserved l 20
  • 21.
    Customized SDL StepsWith Little Initial Investment © 2018 Intralinks, Inc. l All Rights Reserved l 21 1. Production Scanning 6. Security Gates Enforcement 3. Threat Modeling 2. Code Analysis 4. Continuous Assessment 5. Automated Code Analysis 7. Secure Coding Training
  • 22.
    Ultimately, People MakeThe Program Work © 2018 Intralinks, Inc. l All Rights Reserved l 22
  • 23.
    Useful Links toFree Tools © 2018 Intralinks, Inc. l All Rights Reserved l 23 https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project https://www.owasp.org/index.php/OWASP_Dependency_Check https://www.sonarqube.org/ https://github.com/coreos/clair https://www.microsoft.com/en-us/download/details.aspx?id=49168
  • 24.
    @intralinks @intralinks © 2018 Intralinks,Inc. l All Rights Reserved l 24 SonarQube Demo Bogdan Petru-Ungureanu| Security Architect| November 9, 2018
  • 25.
    Thank You! @intralinks @intralinks © 2018Intralinks, Inc. l All Rights Reserved l 25 intralinks.com