This document discusses ensuring information security in the system development lifecycle process. It provides an overview of several frameworks for implementing an enterprise software security program, including the Microsoft Security Development Lifecycle, OpenSAMM, and BSIMM. It also discusses application security challenges, market drivers for security, and using these frameworks across different industries like financial services.

1. ENSURING INFORMATION
SECURITY IN THE SYSTEM
DEVELOPMENT LIFECYCLE
PROCESS
RENE G. JASPE CISSP, CSSLP

2. Sinag Solutions Founder and CISO
Phylasso Corp., Founder and Managing Director
MobKard, CoFounder and CTO
Rene Jaspe CISSP, CSSLP
• 13 yrs with Telos Corp., a US Federal Gov’t
Defense Contractor, servicing various US
Defense and Intelligence Agencies as well as
NATO allies.
• 10 years Software Development and 5 Years
Application Security Background.

3. 2015: “We Take It Very Seriously”
IBM Xforce Threat Intelligence
Report 2016

4. HEALTHCARE, EDUCATION & FINANCIAL SERVICES LEADS GLOBALLY.
Source: Ponemon Institute Research Report 2016 Cost of Data Breach

5. Incident Pattern By Industry
Verizon Data Breach Incident 2016 Report

6. • Regulatory & Standards
Compliance
– eCommerce: PCI-DSS, PA-DSS
– Financial Services: GLBA
– Energy: NERC / FERC
– Government: FISMA
– PH: Data Privacy Act, BSP
• 81% of organizations subject to PCI
had not been found compliant prior to
the breach
Market Drivers

7. Application security challenges:
Security-development disconnect fails to prevent vulnerabilities in production applications
•Developers Lack Security Insights
(or Incentives to Address Security)
•Mandate to deliver functionality on-time
and on-budget – but not to develop
secure applications
•Developers rarely educated in secure
code practices
•Product innovation drives development of
increasingly complicated applications
Security Team = SDLC Bottleneck
•Security tests executed just before launch
– Adds time and cost to fix
vulnerabilities late
in the process
•Growing number of web applications but
small security staff
– Most enterprises scan ~10% of all
applications
•Continuous monitoring of production apps
limited or non-existent
– Unidentified vulnerabilities & risk

8. 3 Great Frameworks For
Implementing an Enterprise
Software Security Program (MOB)

9. Application Security Pros Hold These
Truths to Be Self Evident
• Software Security is more than a set of
security functions.
– Not magic crypto fairy dust
– Not silver bullet security mechanisms.
• Non-functional aspects of design are
essential
• Bugs and flaws are 50/50.
• Security is an emergent property of the
entire system (just like quality).
• To end up with secure software, deep
integration with the SDLC is necessary.
Source: Cigital on BSIMM VI

10. Prescriptive vs. Descriptive
Models
Prescriptive Models
• Prescriptive models describe
what you should do.
• OpenSAMM
• Microsoft SDL
• Every company has a
methodology they follow (often
a hybrid)
• You need an SSDL.
Descriptive Models
• Descriptive models describe
what is actually happening.
• The BSIMM is a descriptive
model that can be used to
measure any number of
prescriptive SSDLs.

11. Microsoft Security Development Lifecycle 5.2 (May 2012)

12. SDL for Agile
Bucket
Bucket
Bucket
Bucket
One-TimeOne-TimeOne-Time
One-Time
One-Time
Bucket practices:: Important security practices that must be completed on a regular basis but can be spread across multiple sprints
during the project lifetime.
One-Time practices: Foundational security practices that must be established once at the start of every
new Agile project.

13. SDL Practice #7 USE THREAT MODELING
Applying a structure approach to threat scenarios during design helps a team more
effectively and less expensive identify security vulnerabilities, determines risks from those
threats, and establish appropriate mitigations.

14. THREAT MODEL SAMPLE
• S – poofing
• T – ampering
• R – epudiation
• I - nformation Disclosure
• D – enial of Service
• E - levation of Privilege

15. OpenSAMM 1.1 (March 2016)

16. OpenSAMM 1.1 (March 2016)

18. Sample: Construction

19. FINANCIAL SERVICES ORGANIZATION

20. FINANCIAL SERVICES ORGANIZATION

21. Cost: Phase 1(Months 0 – 3) - Awareness & Planning

22. BSIMM 7 ( October 2016)
The BSIMM is a measuring stick for
software security. The best way to use
the BSIMM is to compare and contrast
your own initiative with the data about
what other organizations are doing
contained in the model. You can then
identify goals and objectives of your own
and refer to the BSIMM to determine
which additional activities make sense
for you.
The BSIMM data show that high maturity
initiatives are well-rounded—carrying out
numerous activities in all 12 of the
practices described by the model. The
model also describes how mature
software security initiatives evolve,
change, and improve over time.

23. BSIMM 7

24. Standards & Requirements

25. “EVERYBODY” DOES IT

26. SAMPLE SPIDER CHART

27. VERTICAL COMPARISON

29. • Microsoft Security Development LifeCycle
https://www.microsoft.com/en-us/sdl/
• OpenSAMM
http://www.opensamm.org/
• BSIMM
https://www.bsimm.com/
KEY TAKE AWAY (MOB)

30. “Today we were unlucky, but remember we only have to be
lucky once. You will have to be lucky always.”
THANK YOU
QUESTIONS???
Rene.Jaspe@sinagsolutions.com
@renejaspe
https://ph.linkedin.com/in/renejaspe