A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020Brian Levine
"Adapt what is useful, reject what is useless, and add what is specifically your own." -Bruce Lee
Full transcript is here, https://www.linkedin.com/pulse/warriors-journey-building-global-appsec-program-owasp-brian-levine
This talk covers critical foundations for building a scalable Application Security Program.
Drawing on warrior-tested strategies and assurance frameworks such as OWASP SAMM and BSIMM, this session gives actionable guidance on building and advancing a global application security program.
Whether you are starting a fledgling security journey or managing a mature SSDLC, these foundational elements are core for achieving continuous security at scale.
Brian Levine is Senior Director of Product Security for Axway, an enterprise software company, delivering product solutions and cloud services to global Fortune 500 enterprises and government customers.
If you were tasked with building a security program, imagine it's day 1 in your new role as an application security manager, which playbook would you use? There’s an Alphabet Soup of standards to choose from, you have ISO, SOC2, OWASP, NIST, BSIMM, PCI, CSA, and on and on.
Is there a script you could follow? And which set of frameworks would you use to get started in the right direction?
My talk today is going to draw on this quote and the wisdoms of the martial arts master and philosopher Bruce Lee. Adapt what is useful, reject what is useless, and add what is specifically your own. So, in that spirit I’m going to draw on my own experience with some of these frameworks and guidelines and cover the core foundational components that I feel have led to my success and I hope will help you get started.
What I’m hoping you’ll get out of this talk are some strategies and tactics that you can use to develop and improve your program.
[Slide 6] What we’re going to cover in these three core areas. We’ll focus on establishing a security Culture, we’ll look at developing and scaling security Processes and we’ll look at Governance for ensuring visibility and executive accountability
Security Champions - Introduce them in your OrganisationIves Laaf
How to get security software development established, training of teams. A methodology based on the concept of security champions and owasp tools and guides.
Industrial Challenges of Secure Software DevelopmentAchim D. Brucker
eveloping secure software requires more than the definition of a
process, i.e., a Secure Software Development Lifecycle. The
successful implementation of a Secure Software Development Lifecycle
relies on many factors among them providing the right tools to
developers that support them in writing secure and reliable code.
Based on SAP's experience in the large scale introduction of static
code analysis tools as well as the use of dynamic (security) testing
tools, I will discuss several challenges of secure development
approaches in industry such as finding the right balance between
security requirements and development efforts or the between the
precision of a security analysis and its scalability.
How to apply security in an agile environment. Using old frameworks in an agile environment fails. By using a new model and an agile aligned security strategy, information security can be integrated into agile development projects.
Managing risks is crucial in the development of safe and reliable products. Thoroughly identifying, analyzing, and controlling all the potential ways your product could fail (overall referred to as risk management) will increase the quality of any product, but is even more important in the context of safety-critical development. In an Agile environment with self-governing teams, implementing adequate risk management processes throughout the lifecycle can be a challenge.
Our webinar helps you to learn more about managing risks in general, and how to make sure all risks are considered and covered when developing software with Agile teams. During this webinar, we also discusses the practical side of implementing comprehensive risk management processes in an Agile environment.
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020Brian Levine
"Adapt what is useful, reject what is useless, and add what is specifically your own." -Bruce Lee
Full transcript is here, https://www.linkedin.com/pulse/warriors-journey-building-global-appsec-program-owasp-brian-levine
This talk covers critical foundations for building a scalable Application Security Program.
Drawing on warrior-tested strategies and assurance frameworks such as OWASP SAMM and BSIMM, this session gives actionable guidance on building and advancing a global application security program.
Whether you are starting a fledgling security journey or managing a mature SSDLC, these foundational elements are core for achieving continuous security at scale.
Brian Levine is Senior Director of Product Security for Axway, an enterprise software company, delivering product solutions and cloud services to global Fortune 500 enterprises and government customers.
If you were tasked with building a security program, imagine it's day 1 in your new role as an application security manager, which playbook would you use? There’s an Alphabet Soup of standards to choose from, you have ISO, SOC2, OWASP, NIST, BSIMM, PCI, CSA, and on and on.
Is there a script you could follow? And which set of frameworks would you use to get started in the right direction?
My talk today is going to draw on this quote and the wisdoms of the martial arts master and philosopher Bruce Lee. Adapt what is useful, reject what is useless, and add what is specifically your own. So, in that spirit I’m going to draw on my own experience with some of these frameworks and guidelines and cover the core foundational components that I feel have led to my success and I hope will help you get started.
What I’m hoping you’ll get out of this talk are some strategies and tactics that you can use to develop and improve your program.
[Slide 6] What we’re going to cover in these three core areas. We’ll focus on establishing a security Culture, we’ll look at developing and scaling security Processes and we’ll look at Governance for ensuring visibility and executive accountability
Security Champions - Introduce them in your OrganisationIves Laaf
How to get security software development established, training of teams. A methodology based on the concept of security champions and owasp tools and guides.
Industrial Challenges of Secure Software DevelopmentAchim D. Brucker
eveloping secure software requires more than the definition of a
process, i.e., a Secure Software Development Lifecycle. The
successful implementation of a Secure Software Development Lifecycle
relies on many factors among them providing the right tools to
developers that support them in writing secure and reliable code.
Based on SAP's experience in the large scale introduction of static
code analysis tools as well as the use of dynamic (security) testing
tools, I will discuss several challenges of secure development
approaches in industry such as finding the right balance between
security requirements and development efforts or the between the
precision of a security analysis and its scalability.
How to apply security in an agile environment. Using old frameworks in an agile environment fails. By using a new model and an agile aligned security strategy, information security can be integrated into agile development projects.
Managing risks is crucial in the development of safe and reliable products. Thoroughly identifying, analyzing, and controlling all the potential ways your product could fail (overall referred to as risk management) will increase the quality of any product, but is even more important in the context of safety-critical development. In an Agile environment with self-governing teams, implementing adequate risk management processes throughout the lifecycle can be a challenge.
Our webinar helps you to learn more about managing risks in general, and how to make sure all risks are considered and covered when developing software with Agile teams. During this webinar, we also discusses the practical side of implementing comprehensive risk management processes in an Agile environment.
IBM Cloud Computing Course Project - Utilising Enterprise Design Thinking Propose cloud computing solution leveraging on IOT device and IBM Watson AI (artificial Intelligence) solution to assist in ensure the safety of elderly living alone in Singapore, while maintaining their independent daily lifestyle.
"Shift Lef Security" What the funk does that mean?
In the agile, lean, DevOps communities people talk about improving security by "shifting left". Patterns and tools are emerging, or re-emerging, that make security less of a pain in the development process while also making applications more secure.
Shifting the conversation from active interception to proactive neutralization Rogue Wave Software
When did we forget that old saying, “prevention is the best medicine”, when it comes to cybersecurity? The current focus on mitigating real-time attacks and creating stronger defensive networks has overshadowed the many ways to prevent attacks right at the source – where security management has the biggest impact. Source code is where it all begins and where attack mitigation is the most effective.
In this webinar we’ll discuss methods of proactive threat assessment and mitigation that organizations use to advance cybersecurity goals today. From using static analysis to detect vulnerabilities as early as possible, to managing supply chain security through standards compliance, to scanning for and understanding potential risks in open source, these methods shift attack mitigation efforts left to simplify fixes and enable more cost-effective solutions.
Webinar recording: http://www.roguewave.com/events/on-demand-webinars/shifting-the-conversation-from-active-interception
Shift Left Security: Development Does Not Want to Own It.Aggregage
Shifting security left to the earliest part of development is currently in the spotlight in the developer world. What teams are now discovering is, this approach results in misdirected ownership for developers and a frustrated security team. In the current climate, we cannot afford to let security implementations falter. It's time to manage your team's energies to maximize DevOps efficiency, all the while maintaining top security standards. Join Shlomo Bielak, and learn how to keep your DevSecOps team focused and connected without creating silos.
Most application security efforts are misguided and ineffective. Why? Because while many security practitioners have a good understanding of how to find application vulnerabilities and exploit them, they often don't understand how software development teams work, especially in Agile/DevOps organizations. This leads to flawed programs. If we want to build secure applications, we have to meet development teams where they are by embedding security into their processes.
This talk provides a brief history of how DevOps has enabled tech companies to become unicorns. Furthermore, is Security in DevOps important, who is responsible and what can teams do make security a competitive advantage.
DevSecOps in 2031: How robots and humans will secure apps together LogStefan Streichsbier
The year is 2031, how has software development and security evolved in the last decade? Are there any developers or security folks left? Have robots taken our jobs?
We will join Security Engineer Sam, that is responsible for securing a cutting edge application for a hot fintech company in the year 2021. The app has just completed a major release and Sam is sharing her progress and learnings with her peers at a local OWASP meetup. After a night of celebration she wakes up and finds her future self jumping out of a time-machine in her bedroom closet. Time travel paradoxes aside, the future of the world is at stake because a sentient A.I. is threatening to hack the planet. There is a small task force that has been working for a decade on finding a way to finally solve secure software development, and they have done it! There is no time to waste, you are joining your future self to go to the year 2031 and learn what they have learned to bring that knowledge back to present and avoid the dark future from ever happening.
Avi Douglen, Software Security Advisor, Bounce Security presented at the Synopsys Security Event - Israel. For more information please visit us at www.synopsys.com/software
This talk provides a brief history of how DevOps has enabled tech companies to become unicorns. Furthermore, is Security in DevOps important, who is responsible and what can teams do make security a competitive advantage.
In Agile’s fast-paced environment with frequent releases,
security reviews and testing can sound like an impediment to success. How can you keep up with Agile development's demands of continuous integration and deployment without
abandoning security best practices? These 10 steps will help you get the best of both worlds.
This talk provides a brief history of how DevOps has enabled tech companies to become unicorns. Furthermore, is Security in DevOps important, who is responsible and what can teams do make security a competitive advantage.
Systems Modeling Language (SysML) and Model-Based Systems Engineering (MBSE) ...Tonex
System Modeling Language (SysML): SysML is a general-purpose architectural modeling language for system engineering applications.
Model-based system engineering (MBSE): Model-based system engineering (MBSE) is the formal application of modeling to support system requirements, design, analysis, verification, and validation activities. These activities start from the conceptual design stage and continue throughout the entire Development and later life cycle stages
SysML provides a semantic foundation for graphical representation, which can be used to model system requirements, behavior, structure, and parametric equations, which can be integrated with various engineering analyses.
The model-based systems engineering (MBSE) approach allows organizations to design prior to construction-allowing stakeholders to visualize, simulate and fine-tune product specifications with greater accuracy earlier in the product life cycle-ideally before project resources have been submitted And developed a project schedule.
Tonex's SysML and MBSE Training
Tonex Combo MBSE and SysML training courses cover OMG Certified System Modeling Specialist (OCSMP) certification.
SysML and MBSE training is a practical training course, which includes model creation exercises, case studies and workshops. Participants can use various tools to implement SysML concepts.
Learning Target:
Learn how to create models in SysML, including diagrams and constructions
Develop an executable SysML activity model
Analyze and construct SysML models through calculations, and perform parametric simulations
Learn how to automatically generate and model a traceability matrix
Conduct trade research Automatically generate documentation from system models and model repositories
Learn how to use MBSE/SysML with DoD DoDAF, NATO NAF, UK MoDAF and UAF frameworks
Understand what is a model and the trend of SE to MBSE transition
Describe the benefits and use cases of MBSE
Describe how MBSE and SysML are related
Explain SysML terms and symbols
Deploy MBE, MBSE and SysML in complex system or SoS functions, development, engineering projects or tasks
Apply MBSE to complex systems and system of systems (SoS)
Compare and contrast traditional systems engineering methods and MBSE
And More..
Study Method:
The course is composed of teaching elements that are intertwined to maximize the use of individual, group and class time. These elements include lectures, classroom activities, group assignments, and problem scenarios for role-playing and finding solutions.
Training Outline:
Model Concepts
MBSE (Model Based Systems Engineering)
Creating Systems Modeling Language (SysML) Models
Overview of INCOSE’s Modeling and Simulation Interoperability Efforts
Group Exercises and Workshops
For More Information:
https://www.tonex.com/training-courses/hands-mbse-training-creating-sysml-models-workshop/
Agile Secure Software Development in a Large Software Development Organisatio...Achim D. Brucker
Security testing is an important part of any (agile) secure software development lifecyle. Still, security testing is often understood as an activity done by security testers in the time between "end of development" and "offering the product to customers."
Learning from traditional testing that the fixing of bugs is the more costly the later it is done in development, we believe that security testing should be integrated into the daily development activities. To achieve this, we developed a security testing strategy, as part of SAP's security development lifecycle which supports the specific needs of the various software development models at SAP.
In this presentation, we will briefly presents SAP's approach to an agile secure software development process in general and, in particular, present SAP's Security Testing Strategy that enables developers to find security vulnerabilities early by applying a variety of different security testing methods and tools.
IBM Cloud Computing Course Project - Utilising Enterprise Design Thinking Propose cloud computing solution leveraging on IOT device and IBM Watson AI (artificial Intelligence) solution to assist in ensure the safety of elderly living alone in Singapore, while maintaining their independent daily lifestyle.
"Shift Lef Security" What the funk does that mean?
In the agile, lean, DevOps communities people talk about improving security by "shifting left". Patterns and tools are emerging, or re-emerging, that make security less of a pain in the development process while also making applications more secure.
Shifting the conversation from active interception to proactive neutralization Rogue Wave Software
When did we forget that old saying, “prevention is the best medicine”, when it comes to cybersecurity? The current focus on mitigating real-time attacks and creating stronger defensive networks has overshadowed the many ways to prevent attacks right at the source – where security management has the biggest impact. Source code is where it all begins and where attack mitigation is the most effective.
In this webinar we’ll discuss methods of proactive threat assessment and mitigation that organizations use to advance cybersecurity goals today. From using static analysis to detect vulnerabilities as early as possible, to managing supply chain security through standards compliance, to scanning for and understanding potential risks in open source, these methods shift attack mitigation efforts left to simplify fixes and enable more cost-effective solutions.
Webinar recording: http://www.roguewave.com/events/on-demand-webinars/shifting-the-conversation-from-active-interception
Shift Left Security: Development Does Not Want to Own It.Aggregage
Shifting security left to the earliest part of development is currently in the spotlight in the developer world. What teams are now discovering is, this approach results in misdirected ownership for developers and a frustrated security team. In the current climate, we cannot afford to let security implementations falter. It's time to manage your team's energies to maximize DevOps efficiency, all the while maintaining top security standards. Join Shlomo Bielak, and learn how to keep your DevSecOps team focused and connected without creating silos.
Most application security efforts are misguided and ineffective. Why? Because while many security practitioners have a good understanding of how to find application vulnerabilities and exploit them, they often don't understand how software development teams work, especially in Agile/DevOps organizations. This leads to flawed programs. If we want to build secure applications, we have to meet development teams where they are by embedding security into their processes.
This talk provides a brief history of how DevOps has enabled tech companies to become unicorns. Furthermore, is Security in DevOps important, who is responsible and what can teams do make security a competitive advantage.
DevSecOps in 2031: How robots and humans will secure apps together LogStefan Streichsbier
The year is 2031, how has software development and security evolved in the last decade? Are there any developers or security folks left? Have robots taken our jobs?
We will join Security Engineer Sam, that is responsible for securing a cutting edge application for a hot fintech company in the year 2021. The app has just completed a major release and Sam is sharing her progress and learnings with her peers at a local OWASP meetup. After a night of celebration she wakes up and finds her future self jumping out of a time-machine in her bedroom closet. Time travel paradoxes aside, the future of the world is at stake because a sentient A.I. is threatening to hack the planet. There is a small task force that has been working for a decade on finding a way to finally solve secure software development, and they have done it! There is no time to waste, you are joining your future self to go to the year 2031 and learn what they have learned to bring that knowledge back to present and avoid the dark future from ever happening.
Avi Douglen, Software Security Advisor, Bounce Security presented at the Synopsys Security Event - Israel. For more information please visit us at www.synopsys.com/software
This talk provides a brief history of how DevOps has enabled tech companies to become unicorns. Furthermore, is Security in DevOps important, who is responsible and what can teams do make security a competitive advantage.
In Agile’s fast-paced environment with frequent releases,
security reviews and testing can sound like an impediment to success. How can you keep up with Agile development's demands of continuous integration and deployment without
abandoning security best practices? These 10 steps will help you get the best of both worlds.
This talk provides a brief history of how DevOps has enabled tech companies to become unicorns. Furthermore, is Security in DevOps important, who is responsible and what can teams do make security a competitive advantage.
Systems Modeling Language (SysML) and Model-Based Systems Engineering (MBSE) ...Tonex
System Modeling Language (SysML): SysML is a general-purpose architectural modeling language for system engineering applications.
Model-based system engineering (MBSE): Model-based system engineering (MBSE) is the formal application of modeling to support system requirements, design, analysis, verification, and validation activities. These activities start from the conceptual design stage and continue throughout the entire Development and later life cycle stages
SysML provides a semantic foundation for graphical representation, which can be used to model system requirements, behavior, structure, and parametric equations, which can be integrated with various engineering analyses.
The model-based systems engineering (MBSE) approach allows organizations to design prior to construction-allowing stakeholders to visualize, simulate and fine-tune product specifications with greater accuracy earlier in the product life cycle-ideally before project resources have been submitted And developed a project schedule.
Tonex's SysML and MBSE Training
Tonex Combo MBSE and SysML training courses cover OMG Certified System Modeling Specialist (OCSMP) certification.
SysML and MBSE training is a practical training course, which includes model creation exercises, case studies and workshops. Participants can use various tools to implement SysML concepts.
Learning Target:
Learn how to create models in SysML, including diagrams and constructions
Develop an executable SysML activity model
Analyze and construct SysML models through calculations, and perform parametric simulations
Learn how to automatically generate and model a traceability matrix
Conduct trade research Automatically generate documentation from system models and model repositories
Learn how to use MBSE/SysML with DoD DoDAF, NATO NAF, UK MoDAF and UAF frameworks
Understand what is a model and the trend of SE to MBSE transition
Describe the benefits and use cases of MBSE
Describe how MBSE and SysML are related
Explain SysML terms and symbols
Deploy MBE, MBSE and SysML in complex system or SoS functions, development, engineering projects or tasks
Apply MBSE to complex systems and system of systems (SoS)
Compare and contrast traditional systems engineering methods and MBSE
And More..
Study Method:
The course is composed of teaching elements that are intertwined to maximize the use of individual, group and class time. These elements include lectures, classroom activities, group assignments, and problem scenarios for role-playing and finding solutions.
Training Outline:
Model Concepts
MBSE (Model Based Systems Engineering)
Creating Systems Modeling Language (SysML) Models
Overview of INCOSE’s Modeling and Simulation Interoperability Efforts
Group Exercises and Workshops
For More Information:
https://www.tonex.com/training-courses/hands-mbse-training-creating-sysml-models-workshop/
Agile Secure Software Development in a Large Software Development Organisatio...Achim D. Brucker
Security testing is an important part of any (agile) secure software development lifecyle. Still, security testing is often understood as an activity done by security testers in the time between "end of development" and "offering the product to customers."
Learning from traditional testing that the fixing of bugs is the more costly the later it is done in development, we believe that security testing should be integrated into the daily development activities. To achieve this, we developed a security testing strategy, as part of SAP's security development lifecycle which supports the specific needs of the various software development models at SAP.
In this presentation, we will briefly presents SAP's approach to an agile secure software development process in general and, in particular, present SAP's Security Testing Strategy that enables developers to find security vulnerabilities early by applying a variety of different security testing methods and tools.
This white paper endeavors to compare the traditional Threat identification techniques and the challenges they pose as they are applied into current product designs. It also proposes the key elements to consider while designing new threat identification solutions.
Security teams are often seen as roadblocks to rapid development or operations implementations, slowing down production code pushes. As a result, security organizations will likely have to change so they can fully support and facilitate cloud operations.
This presentation will explain how DevOps and information security can co-exist through the application of a new approach referred to as DevSecOps.
Agenda:
- SDLC vs S-SDLC
- Mobile development security process
- What tools using for security testing?
- How to integrate into existing processes?
- What additionally you can do?
The development world has come to realize that the way we build applications opens the door to hackers.
We are starting to realize that it is the code itself that is enabling the attacks. It’s the responsibility of the
development team to build software that is inherently impervious to attack. Catching and dealing with
security defects earlier in the development lifecycle is much more economical than dealing with them once
the applications have been deployed.
With many automotive organizations transforming development efforts towards agile methodologies, the need to redefine and establish security, safety, and quality standards and testing methods is more important than ever. How do we fit safety and security planning and tools into the adaptive development and rapid delivery practices of agile teams?
In this second one-hour webinar you'll learn how to:
- Integrate security and compliance testing with agile development
- Provide context for fast triage and remediation
- Create policies for code management in integrated testing environments
How to build app sec team & culture in your organization the hack summi...kunwaratul hax0r
This talk is completely dedicated to how to build application security culture and team in your organization. I have presented this talk at The Hack Summit Poland.
A successful application security program - Envision build and scalePriyanka Aash
Learn how to build an application security program that is successfully integrated into various stages of software development life cycle and product life cycle. This lab will draw from the facilitators’ successful experience at Sabre, focusing on the top five maxims to design, build and scale.
(Source : RSA Conference USA 2017)
Research and Presentation of Bluetooth Vulnerabilities at the 23C3 in Berlin. Release of BTCrack a Bluetooth Pin cracker + FPGA Implementation. Remote Root over Bluetooth demonstration.
Hack.lu 2006 - All your Bluetooth is belong to usThierry Zoller
During the research on Bluetooth Security we uncovered multiple implementation vulnerabilities in Drivers, Software and Stacks. This presentation will explain the reasons and the consequences of these findings. More importingly however protocol weaknesses were discovered and shown live on stage.
http://events.ccc.de/congress/2006/Fahrplan/speakers/1290.en.html
The TLS/SSLv3 renegotiation vulnerability explainedThierry Zoller
The whitepaper explains the SSLv3/TLS renegotiation vulnerability (CVE-2009-3555) to a broader audience and goes into details about the different attack vectors possible. The whitepaper includes original research such as downgrading the client down to clear-text protocol transparently.
The paper is referenced by the US-CERT, FINCERT, RUS-CERT, Qualys, Nessus as the main reference for this vulnerability.
This presentation, created by Syed Faiz ul Hassan, explores the profound influence of media on public perception and behavior. It delves into the evolution of media from oral traditions to modern digital and social media platforms. Key topics include the role of media in information propagation, socialization, crisis awareness, globalization, and education. The presentation also examines media influence through agenda setting, propaganda, and manipulative techniques used by advertisers and marketers. Furthermore, it highlights the impact of surveillance enabled by media technologies on personal behavior and preferences. Through this comprehensive overview, the presentation aims to shed light on how media shapes collective consciousness and public opinion.
This presentation by Morris Kleiner (University of Minnesota), was made during the discussion “Competition and Regulation in Professions and Occupations” held at the Working Party No. 2 on Competition and Regulation on 10 June 2024. More papers and presentations on the topic can be found out at oe.cd/crps.
This presentation was uploaded with the author’s consent.
0x01 - Newton's Third Law: Static vs. Dynamic AbusersOWASP Beja
f you offer a service on the web, odds are that someone will abuse it. Be it an API, a SaaS, a PaaS, or even a static website, someone somewhere will try to figure out a way to use it to their own needs. In this talk we'll compare measures that are effective against static attackers and how to battle a dynamic attacker who adapts to your counter-measures.
About the Speaker
===============
Diogo Sousa, Engineering Manager @ Canonical
An opinionated individual with an interest in cryptography and its intersection with secure software development.
Acorn Recovery: Restore IT infra within minutesIP ServerOne
Introducing Acorn Recovery as a Service, a simple, fast, and secure managed disaster recovery (DRaaS) by IP ServerOne. A DR solution that helps restore your IT infra within minutes.
2. Secure Development LifecycleSecure Development Lifecycle
Development Lifecycles
■ Waterfall Model and Agile Software Development (SCRUM, Devops..)
■ Others: Spiral Development
■ Realistically speaking I have seen a mix all of all of these, with some companies unable
to name what type of cycle they use.
2
3. Agenda -Agenda - כולם הבאים ברוכים
Who am I ?
■ Thierry Zoller - Luxembourg
■ Pratice Lead EMEA for Verizon Business
■ Discovered and coordinated over 100 Software
vulnerabilities
■ ISC2 CSSLP Evangelist
■ Former Director of Product Security at n.runs AG
Who is Verizon / Verizon Business ?
■ Offices in over 129 countries (overall)
■ Data Breach Report (2011 to be out soon)
■ Broad consulting services worldwide
(GRC, Business Optimisation, Application
Security, Forensics ..)
■ Over 1100 dedicated security professionals worldwide
3
4. AgendaAgenda
What this talk is about
■ Different forms of Application Risk Management
■ Types of Development Lifcycles
■ Get upper management support for an SDLC Program
■ Most effective methods to establish such a Program
■ Experience Pitfalls / Traps
■ How to measure success, which metrics to use
What this talk is not
■ Review of source code analysis tools
■ Reports on effectivness of Penetration Tests or Fuzzing Tools
■ Threat modeling or Vulnerabilities
■ Sun Tzu
4
5. Application Risk ManagementApplication Risk Management
What is “Application Risk Management”
“The Art of creating, acquiring and maintaining Applications while guaranteeing a
defined level of Security Assurance and allowing Risk management to happen ” - Me
5
6. Application Risk ManagementApplication Risk Management
What is “Application Risk Management”
■ Vendor perspective vs. Enterprise
■ Encompasses a broader Spectrum
■ Assurance needs to be given to all Applications not only those developed in-
house
6
vs
Potential Software Supply Chain Paths
7. Application Risk ManagementApplication Risk Management
An effective Application Risk management Program allows you to answer these
types of requests a bit more coherently :
Dear CISO -
■ We’d like to open this web application up to the internet ? Can you give us the
go ahead ?
■ We need to add transactional features to our current HR platform and we still
need remote access – what’s your advice ?
■ We’d like to develop a custom Front Office - Back Office Solution and would
need your requirements beforehand.
Oh by the way, we need an answer today, we knew since 2 month, but we forgot, hmmk
7
8. Secure Development LifecycleSecure Development Lifecycle
Development Lifecycles
■ Waterfall Model and Agile Software Development (SCRUM, Devops..)
■ Others: Spiral Development
■ Realistically speaking I have seen a mix all of all of these, with some companies unable
to name what type of cycle they use.
8
10. Secure Development LifecycleSecure Development Lifecycle
Development Lifecycles
■ Waterfall Model and Agile Software Development (SCRUM, Devops..)
■ Others: Spiral Development
■ Realisticaly I have seen a mix all of all of these, with some companies unable
to name what type of cycle they use.
10
11. Secure Development LifecycleSecure Development Lifecycle
A Secure Development Lifecycle
■ Different shapes and colors - SDL, SDLC, SSDL, Software
Assurance
■ Types
■ Heavy Processes
■ [Hall 2002a] [NSA 2002, Chapter 3]
■ Clean Room and TSP-Secure
■ Lightweight Processes
■ Microsoft SDL
■ CLASP
■ They are all fine if they fit the needs of your enterprise / organization
11
Source: DHS
12. Secure Development LifecycleSecure Development Lifecycle
A Secure Development Lifecycle
■ Good experience with the Microsoft SDL approach
■ Have had good results
■ Is applicable to legacy code, not to heavy, formal and not too light
■ Adjustable to different Development Models (Waterfall, Spiral, RAD)
■ Feeds on years of experience
■ Knowledge and Training is key
■ VzB EMEA is in the process of joining the Microsoft SDLPro Network
12
13. Secure Development LifecycleSecure Development Lifecycle
Classical Development Lifecycle
13
Systems or
Application
Development
Requirements
Engineering
Use Cases
Functional Test
Plans
Testing
& Results
Deploy
Security
Assessment
■ “Bolt-On” Security
■ Lacks proper knowledge management
■ No Security Gates = Flaws mostly always found
after development is over
■ No knowledge management
■ Risk management near impossible /
■ Need to shift security and assurance to the left of the development cycle
14. AgendaAgenda
14
Results in Increase of Costs
■ Especially for Vendors, need to react and issue patches
■ Major OS vendor calculated 200K USD costs per Bulletin published
15. AgendaAgenda
15
Results in Increase of Risk
■ Statistics from Microsoft
■ Summary: Less Risk, Less Cost, Higher assurance
– Holy Grail of Security ?
16. Secure Development LifecycleSecure Development Lifecycle
16
Security build-in Development Lifecycle
■ A simplified example
Systems or
Application
Development
Requirements
Engineering
Use Cases
Functional Test
Plans
Testing
& Results
Deploy
Security
Assessment
Misuse/Abuse
Cases
Security
Requirements
Threat Model
Attack Surface
Security Push
/Security Test
Cases
(scope implicitly captured)
17. Secure Development LifecycleSecure Development Lifecycle
Requirements / Design Phase
■ One of the most important phases
■ Identify key security objectives
■ Security Policies / Compliance
■ Data Privacy
■ Classify Application into Assurance Groups
■ Example : OWASP ASVS
■ No more, “ Oh we needed PCI-DSS compliance ?! ,
at the end of Development.
17
Requirements
Engineering
Security
Requirements
18. AgendaAgenda
Assurance Levels / Example
■ Decide what Assurance Level the Application needs to fullfill
■ Keeps effort down and effort relative to value of application and data
TechniquesScope
GenericExampleonly
19. AgendaAgenda
Assurance Levels / Example
■ Decide what Assurance Level the Application needs to fullfill
■ Keeps effort down and effort relative to value of application and data
TechniquesScope
Provides Assurance
against :
Opportunistic Attackers
Limitations :
Does not cover
application Logic
Provides Assurance
against :
Unsophisticated
opportunists such as
attackers with open
source attack tools.
Provides Assurance
against :
Opportunists, and
determined attackers
(skilled and motivated
attackers focusing on specific
targets using tools including
purpose-builtscanning tools)
Provides Assurance
against :
Determined Attackers,
Professional Attackers –
Potentially State
founded Attackers
GenericExampleonly
20. Secure Development LifecycleSecure Development Lifecycle
Key concepts
■ Initial and regular Developer Trainings
■ Product Manager / Architect Awareness Training
■ Project Kick off Meetings
■ Knowledge Base
■ Past issues
■ New vulnerability types / classes
■ Lessons learned
■Feed into :
■ Coding Guidelines
■ Application Security Requirements
■ Design Requirements
■ Coding Guidelines
■ Reduced Attack Surface
20
Knowledge management
21. Secure Development LifecycleSecure Development Lifecycle
21
Signs of Failure of a Secure Development Lifecycle
You are doing it wrong if :
■ Simple Bug classes at later stages
■ XSS prior to deploying or in production
■ If your SDL works, there should be no “low hanging fruits”
■ Architectural and Design bugs
■ CSRF at a late stage
■ Usually already covered at design/requirements stage
22. Secure Development LifecycleSecure Development Lifecycle
22
Phases and Recommendations
Planning and Requirements
Incorporate security activities into project plans
Identify key security objectives
Consider security feature requirements
Consider need to comply with industry standards and by certification processes
such as the Common Criteria
Consider how the security features and assurance measures of its software
will
integrate with other software likely to be used together with its software
23. Secure Development LifecycleSecure Development Lifecycle
23
Phases and Recommendations
Design
Define security architecture and design guidelines
Document the elements of the software attack surface
Conduct threat modeling
Implementation
Apply coding and testing standards
Apply security-testing tools including fuzzing tools (if appropriate)
Apply static-analysis code scanning tools
Conduct code reviews
24. Secure Development LifecycleSecure Development Lifecycle
24
Phases and Recommendations
Verification
While the software is undergoing beta testing, conduct a “security push” that includes
security code reviews beyond those completed in the implementation phase as well as
focused security testing
Not by members of the development team / can be external
Support
Prepare to evaluate reports of vulnerabilities and release security advisories and
updates when appropriate (Incident Handling)
Conduct a post-mortem of reported vulnerabilities and take action as
necessary
Improve tools and processes to avoid similar future vulnerabilities (knowledge
management)
25. Secure Development LifecycleSecure Development Lifecycle
25
Implementing an SDLC Program
■ Most important : Get upper management support
■ Waste of time trying to implement a program using your budget with limited Senior
management backing
■ Too many stakeholder and political minefields
■ Second most important step : Designate an SDLC Evangelist
■ Very important if new to SDLC
■ Responsible for bringing the stakeholders together
■ Monthly senior management meetings (Status, Roadblocks)
■ Can be insourced, should be stress resistant
■ Create regular meetings
■ Train and motivate
■ Get everybody on board
■ ….
26. AgendaAgenda
26
Ideas and Experiences on Budget and Funding
Barriers :
■ The name itself “Secure Development Lifecycle “
■ Name is associated to increase in costs and TTM
■ Product Management
To leverage :
■ Focus on Risk and Cost reduction (for once it’s real and we have it)
■ Create a few business cases on real examples, use figures
■ Compliance (PCI-DSS, you name it)
28. AquisitionAquisition
28
Building Security into the Aquisition Process
Due Diligence Questionnaires / Checklists
Should include :
■ Security Track Record
■ Financial History and Status
■ Software Security Training and Awareness
■ Development Process Management
■ Foreign influences and interests
■ Complete check list can be found :
“Software Assurance in Acquisition: Mitigating Risks to the Enterprise”
29. AquisitionAquisition
29
Building Security into the Aquisition Process
Contractually require a Secure Development Lifecycle
■ OWASP and US-CERT offer a template
■ Visit them and have them show their
Development Processes
■ Make them liable as far as possible
■ Don’t forget the Sustainment (or Post-release Support)
■ Require them to be audited by a trusted auditor
■ Audit in the large sense