SlideShare a Scribd company logo

Reduce Third Party Developer Risks

Download as PPTX, PDF
K
Kevo Meehan

Common Challenges to Secure Software Development Integrity Checks and Security Assessments Internal and 3rd Party Security Considerations

Technology
1 of 38
Reduce 3 Party Developer Risks
Agenda • Common Challenges to Secure Software Development • Integrity Checks and Security Assessments • Internal and 3rd Party Security Considerations
Understanding Root Cause of Vulnerabilities • Failure to set requirements and standards • Not enough training and education • Lack of process • Vulnerabilities are unintended functionality
Security vs. Software Quality When you think of 3rd party language for functionality requirements, think similarly for security requirements
The Organizational Disconnect • IT/GRC/InfoSec historically focused on network/endpoint security *Developers and SDLC are now “in scope” • Tools are a typical first step *Both have different perspective on what policies and procedures are in place • How did we handle performance, reliability? *Security needs to be a standard part of the process
Language, Platform & Framework Nuances • Security policies are not enough o Follow through with architecture and development standards o Must explain “how” and “why,” not just “what” o Must tie to specific roles and technologies • Each language has unique idiosyncrasies and syntax issues: o C++ o Java and .NET o Scripting languages • Each platform is unique: o Mobile o Cloud & Web o Embedded
The Pitfalls of Automation • First instinct is “what tool can we buy”? • It can do a lot of heavy lifting faster than humans; but they…. o Only find KNOWN vulnerabilities/patterns and can miss important issues o Don't teach you how to fix vulnerabilities or prevent them in the future o Useful as part of an assessment program, but shouldn’t be your sole solution • Analyzing results is time consuming and requires skill • Results: o Tools often become shelf-ware o Dev team pushes back against vulnerability management in the SDLC
• Network boundary plays key role in “defense-in-depth”, but…. o Misses the majority of security vulnerabilities o Ineffective when applications are internet facing o Attackers can/will break through • With Internet, applications become the perimeter • We still invest exponentially more in network defenses Security is Ultimately a Software Problem * source: Gartner and NIST 70-92% of vulnerabilities exist in the application, not network layer*
…. and a Human Problem • Vulnerabilities are frequently the result of a failure in the engineering process • Developers have an implicit trust in the user o Often think of functionality (practical) rather than security o Not common to consider abuse cases • Education tailored to each environment isn’t required o Particularly in requirements and design phase where few tools available o Wide range of technologies and platforms is overwhelming
Agenda • Common Challenges to Secure Software Development • Integrity Checks and Security Assessments • Internal and 3rd Party Security Considerations
Integrity Checks • Perform security assessments o Design reviews, code reviews, penetration tests at key validation points • Address security beyond the traditional “testing” phase • Security assessment = more than penetration testing the binary: o Validating the design and the architecture before coding begins o Developing a threat model that guides design, coding and test efforts o Using tools while developers are coding to find common security defects o Verifying the security and configuration of the deployment environment
Assessment Activities Work Together • Design review o Sets the rest of the team up for success and finds problems that are the costly to fix later in the cycle • Threat Modeling o Ensures key threats are considered during design, coding and testing • Code Review o One of the highest impact activities, but doesn’t consider the as-deployed state
…Continued • Manual penetration testing o Requires deep knowledge of application and technologies in the environment • Scanning tools o Provide broad coverage to augment these activities
State of Application Security Assessment Conventional approaches to application security are not risk-based • Over-reliance on automated vulnerability scanning • Random efforts to find a needle in a haystack • Fails to address each application’s unique code-, system- and workflow-level vulnerabilities • Little practical guidance on prioritizing defect remediation • Find & Fix “hamster wheel” leads to frustration and stagnation • Many flaws are caused by environment interaction and only discoverable after analyzing application in production
…Continued An effective security assessment program • Uses threat modeling to focus efforts on highest risk first • Is committed to finding problems at each phase of development • Aligns breadth and depth of analysis to application complexity and criticality • Let’s humans and tools do what they each do best • Leverages assessment findings to identify root causes and address process and skills gaps
It’s Called “Verification Phase” for a Reason • Security testing should be like the net under a tightrope o Not the only time when security problems are found • Why do we often find so many vulnerabilities in testing? o If architecture and development standards are followed, vulnerabilities will be minimized o If assessment activities occur consistently, vulnerabilities will be found early • Penetration testing becomes the last-best assessment, rather than the last-desperate hope
Agenda • Common Challenges to Secure Software Development • Integrity Checks and Security Assessments • Internal and 3rd Party Security Considerations
Managing 3rd Party Risk • 3rd party includes: o Supplier of software you purchase o Supplier of Software as a Service you consume o Outsourced development team you leverage • Managing risk includes: o Setting expectations, including contractual language o Validating expectations are met o Clear remediation procedures to handle identified risks
Language Normalization Term Definition Vulnerability Security exposure that results from a weakness that the architect, developer, etc did not intend to introduce Threat A negative occurrence in the business processes of a system Attack An implementation-specific action or set of actions taken against a system to realize a threat Exploit Sequence of commands/activities that takes advantage of a vulnerability to cause unintended or unanticipated behavior (i.e. gaining control of a system, privilege escalation, or a denial-of-service attack) Impact What damage can be done with a successful exploit Risk The exposure and probability weighted ranking of a given threat, allowing for comparisons between threats and across systems and factors in mitigating/compensating controls It’s important to speak the same language both internally and with 3rd parties
Understand the Risk you are Purchasing • The ecosystem around software is constantly changing • How “risky” software is has as much to do with vendor support as it does to how secure the source code is • Questions should be asked not just of software vendors that sell applications, but also for vendors that offer software as a service. • Contractual requirements should be put into place for outsourced development
Consideration #1 Has Supplier Thought About Security? • A contract does not replace diligence but given the frequency of security breaches today, it’s important to: o Determine what language you (the “Customer”) should minimally have with your “Supplier” when sourcing a software application (the “Software”) o Ensure that terms are defined to your acceptance and understood by supplier • Ask the supplier to provide evidence of security due diligence o Perhaps they have a 3rd-party or independent penetration testing doc to share o Are they willing to attest to your security requirements and/or acceptance testing…and offer remedies if they do not?
Suggested Contract Language • E.g., the Software shall comply with all Documentation applicable thereto, including, without limitation, the applicable Product Requirements Documents, and Supplier shall develop the Software in a professional, workmanlike manner in accordance with or exceeding all industry standards, including security standards.
Consideration #2 Suppliers Secure Development Process? • Often a vendor’s documentation is absent of security controls other than a reference to industry standard(s) • Vendor should demonstrate capabilities around integrating security into each phase of development • Many compliance mandates and customer requirements overlap o Activities are generally the same, just worded differently o Do the mapping ahead of time to consolidate requirements
Mapping Regulations & Mandates • Most regulations, frameworks, and compliance mandates call out general requirements and have non-obvious implications: o “develop according to industry best practices” o “protected information should not be improperly altered’” • Vendor should demonstrate a repeatable SDLC that integrates key security and compliance activities: o Ensures future requirements will have little impact on existing efforts o Allows you to maintain a “big picture” view to software development and IT teams o Reduces “re-do” expenses and audit costs
OWASP Top Ten
High-Level Requirement Other Standards (Partial List) Selected Coding Practices Confidentiality SOX, HIPAA, ISO 27002,, GLBA, FFIEC, Basel l I, CA SB 1386, FIPS 199, NIST - Appropriate use of strong encryption for data in databases. - Encrypting confidential data in memory. No custom or untrusted encryption routines - Encrypting data in motion, especially for wireless transmissions. - Masking confidential data that needs to be viewed in part Data integrity SOX, ISO 27002, HIPAA, GLBA, FIPS 199, NIST - Robust integrity checks to prevent tampering with data. - Input validation and comprehensive error handling to prevent injection attacks, privilege escalation, and other hacking techniques. - Output encoding. Use of least privileges. - Hashing for confidential data that needs to be validated (e.g. passwords) Authentication and access control SOX, ISO 27002, HIPAA, II, NIST SP - Support for strong passwords & two-factor authentication where appropriate. - Role-based access control and revocation of rights, with clear roles mapped to permissions. - Locked down file access and database roles. No guest accounts. - Passwords and encryption keys encrypted before storage and transmission. Logging and auditing SOX, ISO 27002, HIPAA, SB 1386, NIST SP - Detailed audit trails of users accessing data and resources. - Detailed logging of systems that process sensitive data, including shutdowns, restarts and unusual events. No confidential data exposed in logs. - Event logs and audit trails available only to system admins and protected from unauthorized modifications. One secure coding activity yields leverage across security controls in 6 different standards
Other Questions to Ask: Requirements • Do you gather security objectives? How are they mapped to the rest of the design process? Design • Does your team conduct security architecture and design reviews? • Do you use checklists to drive the process? Do you revise them over time? • Does your team create threat models to understand and prioritize risk? Coding • Does your team use a formalized set of security coding best practices? • What type of code scanning tools do you use? • Do you perform code reviews against security best practices? Testing • Does your team conduct 3rd party or internal penetration tests? • Are your testers QA trained on the latest attack trends and test techniques? • Do you use security testing tools?
Suggested Contract Language • The Software shall comply with all Documentation applicable thereto, including, without limitation, the applicable Product Requirements Document, and Supplier shall develop the Software in a professional, workmanlike manner in accordance with or exceeding all industry standards, including security standards. • The Product Requirements Document mutually acceptable to Customer and Supplier shall include each of the security elements set forth on Exhibit A * Be certain to review with your legal counsel what information that is confidential to your company that the application may access, and any appropriate controls on confidential information, trade secrets or private data
Principle Secure Development Requirements • “The software shall include the following secure application development requirements” o (a) a Data Criticality Definition (“DCD”); o (b) security requirements based upon such DCD; o (c) for each technology stack: o i. Defined Architecture Standards o ii. Defined Coding Standards o iii. Defined checklists for use in architecture reviews, code reviews and penetration testing o iv. Defined application security role-based training program for development team o (d) Architecture and design review and threat model o (e) Regular security code review and code scanning during development o (f) 3rd party penetration test before release o (g) Defined response plan for discovered vulnerabilities including how to deploy updates to Customer
Consideration #3 Commitment to Training? • Is there a security training program in place for all development team members? • Is the training appropriate role and technology based? • Is there validation of security skills and techniques?
Additional Items to Discuss • What regular/recurring training does your development and test team receive specific to application security? • What percentage of your software development and testing team is focused on security? • Do you have a security team that attack your products prior to release or is security embedded in each team?
Consideration #4 Security After the Delivery of Software • Consider security for the whole lifecycle • Production scanning or penetration testing? • Cybersecurity insurance with customer as named beneficiary • Make a penetration test an acceptance criteria • Consider the supplier’s security and privacy policies
Suggested Contract Language • Supplier shall at all times during the term of this Agreement maintain appropriate technical and organizational measures to protect any Data that it collects, accesses or processes in conjunction with this Agreement against unauthorized or unlawful use or disclosure. • Supplier shall implement security procedures to protect Data from improper disclosure or use, such procedures to be in compliance with all industry standards and all applicable federal and state regulatory requirements. • Supplier will immediately notify Customer of any breach, or suspected breach, of data security, (a “Security Breach”) and shall immediately coordinate with the Customer security personnel to investigate and remedy the Security Breach, as directed by Customer security personnel. • Supplier shall maintain records of any known or suspected security breaches in accordance with commercially accepted industry practices, and, if not prohibited by applicable law, shall make such records available to Customer upon request.
…Continued • In the event of a Security Breach, notwithstanding any other provision, Supplier shall be solely responsible for all expenses related to the investigation of such breach as well as the costs of furnishing notices to the other party’s affected customers and the offer to such affected customers of services to mitigate the effect of such breach. • Supplier shall not store any Data outside of the United States, other than an ISO 27014 certified facility, transfer any of the same to any location outside of the United States or access or permit access to any of the same from any location outside of the United States. • At Customer’ discretion and Customer’ expense, no more than once in any given year, Supplier shall cause a third party to perform a penetration test of all systems owned or controlled by Supplier or its subcontractors that contain any Data. • Supplier shall provide a summary of such results to Customer. If penetration testing shows any material deficiencies, then Supplier shall use reasonable best efforts to remediate all such deficiencies and shall provide Customer written documentation of such remediation efforts.
Consideration #5 Vulnerability Service Level Agreement • Cooperation after a suspected or known security breach may not be adequate. • Vulnerability SLA including response and turnaround time • Terms and period of vendor’s security support agreement • Tiers for different severity classes (clearly define) • Dedicated team to assess and respond to security vulnerabilities • How (or if) reported security defects are treated differently than non-security defects.
Suggested Contract Language In the event of a Security Breach or if Supplier has reason to believe a Software vulnerability exists, Supplier shall respond within the specified turnaround time according to the following service levels: • (a) Critical: Attacker gains access to admin or root privileges allowing remote read and write access to the system and remote commands. • Response time: 2 to 3 hours • Resolution time: Risk mitigated immediately (e.g. system offline if necessary), risk resolved within 3 days. • (b) High: Attacker gains user privileges or can execute a denial of service (DOS) for any users on the system. Partial and/or read access to the sensitive data. • Response time: 8 hours • Resolution time: Risk mitigated within 1 day, risk resolved within 1 week
In Summary: 3rd Party Risk is Your Risk • All software in your enterprise represents a security risk: o Internally developed o 3rd party vendor o Outsourced team • 3rd party is hard o It's natural to want to 'trust' a 3rd party and hope they are doing all the right things. o It's hard to control 3rd party behavior • Solution o Clear expectations o Backed by binding contractual language
Further Information In partnership with Security Innovation, Emenda can offer over 120 courses to help protect your business. To download our latest course list, click here For further information or to get in touch: Contact Us Visit Our Website

Recommended

5 Ways to Reduce 3rd Party Developer Risk
5 Ways to Reduce 3rd Party Developer Risk5 Ways to Reduce 3rd Party Developer Risk
5 Ways to Reduce 3rd Party Developer RiskSecurity Innovation
 
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"WrikeTechClub
 
24may 1200 valday eric anklesaria 'secure sdlc – core banking'
24may 1200 valday eric anklesaria 'secure sdlc – core banking'24may 1200 valday eric anklesaria 'secure sdlc – core banking'
24may 1200 valday eric anklesaria 'secure sdlc – core banking'Positive Hack Days
 
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Source Conference
 
Intro to Security in SDLC
Intro to Security in SDLCIntro to Security in SDLC
Intro to Security in SDLCTjylen Veselyj
 
Software Engineering Code Of Ethics And Professional Practice
Software Engineering Code Of Ethics And Professional Practice Software Engineering Code Of Ethics And Professional Practice
Software Engineering Code Of Ethics And Professional Practice Saqib Raza
 
What’s making way for secure sdlc
What’s making way for secure sdlcWhat’s making way for secure sdlc
What’s making way for secure sdlcAvancercorp
 
Introduction to Penetration testing and tools
Introduction to Penetration testing and toolsIntroduction to Penetration testing and tools
Introduction to Penetration testing and toolsVikram Khanna
 

Recommended

5 Ways to Reduce 3rd Party Developer Risk
5 Ways to Reduce 3rd Party Developer Risk5 Ways to Reduce 3rd Party Developer Risk
5 Ways to Reduce 3rd Party Developer RiskSecurity Innovation
 
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"WrikeTechClub
 
24may 1200 valday eric anklesaria 'secure sdlc – core banking'
24may 1200 valday eric anklesaria 'secure sdlc – core banking'24may 1200 valday eric anklesaria 'secure sdlc – core banking'
24may 1200 valday eric anklesaria 'secure sdlc – core banking'Positive Hack Days
 
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Source Conference
 
Intro to Security in SDLC
Intro to Security in SDLCIntro to Security in SDLC
Intro to Security in SDLCTjylen Veselyj
 
Software Engineering Code Of Ethics And Professional Practice
Software Engineering Code Of Ethics And Professional Practice Software Engineering Code Of Ethics And Professional Practice
Software Engineering Code Of Ethics And Professional Practice Saqib Raza
 
What’s making way for secure sdlc
What’s making way for secure sdlcWhat’s making way for secure sdlc
What’s making way for secure sdlcAvancercorp
 
Introduction to Penetration testing and tools
Introduction to Penetration testing and toolsIntroduction to Penetration testing and tools
Introduction to Penetration testing and toolsVikram Khanna
 
What is penetration testing and career path
What is penetration testing and career pathWhat is penetration testing and career path
What is penetration testing and career pathVikram Khanna
 
CISSP - Software Development Security
CISSP - Software Development SecurityCISSP - Software Development Security
CISSP - Software Development SecurityKarthikeyan Dhayalan
 
Basic of SSDLC
Basic of SSDLCBasic of SSDLC
Basic of SSDLCChitpong Wuttanan
 
Application and Website Security -- Developer Edition: Introducing Security I...
Application and Website Security -- Developer Edition: Introducing Security I...Application and Website Security -- Developer Edition: Introducing Security I...
Application and Website Security -- Developer Edition: Introducing Security I...Daniel Owens
 
Secure Software Development Life Cycle
Secure Software Development Life CycleSecure Software Development Life Cycle
Secure Software Development Life CycleMaurice Dawson
 
shaabani-Final-NC
shaabani-Final-NCshaabani-Final-NC
shaabani-Final-NCMahdi Shabani
 
Shift Left Security
Shift Left SecurityShift Left Security
Shift Left Securitygjdevos
 
Manual Code Review
Manual Code ReviewManual Code Review
Manual Code Reviewn|u - The Open Security Community
 
Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization Rogue Wave Software
 
Introduction to Penetration testing - GDG DevFest Caribbean 2021 presentation
Introduction to Penetration testing - GDG DevFest Caribbean 2021 presentationIntroduction to Penetration testing - GDG DevFest Caribbean 2021 presentation
Introduction to Penetration testing - GDG DevFest Caribbean 2021 presentationObika Gellineau
 
Software Audit Strategies - How often is good enough for a software audit?
Software Audit Strategies - How often is good enough for a software audit? Software Audit Strategies - How often is good enough for a software audit?
Software Audit Strategies - How often is good enough for a software audit? Tiberius Forrester
 
Presentation (software engineering)
Presentation (software engineering)Presentation (software engineering)
Presentation (software engineering)Abdullah Al Shiam
 
Rolling Out An Enterprise Source Code Review Program
Rolling Out An Enterprise Source Code Review ProgramRolling Out An Enterprise Source Code Review Program
Rolling Out An Enterprise Source Code Review ProgramDenim Group
 
Defect analysis and prevention methods
Defect analysis and prevention methods Defect analysis and prevention methods
Defect analysis and prevention methods deep sharma
 
Introducing: Klocwork Insight Pro | November 2009
Introducing: Klocwork Insight Pro | November 2009Introducing: Klocwork Insight Pro | November 2009
Introducing: Klocwork Insight Pro | November 2009Klocwork
 
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...GoQA
 
IT due diligence and software quality for fintech startups
IT due diligence and software quality for fintech startupsIT due diligence and software quality for fintech startups
IT due diligence and software quality for fintech startupsSieuwert van Otterloo
 
OWASP Chicago Meetup Presentation - Threat Modeling-Process Maturity
OWASP Chicago Meetup Presentation - Threat Modeling-Process MaturityOWASP Chicago Meetup Presentation - Threat Modeling-Process Maturity
OWASP Chicago Meetup Presentation - Threat Modeling-Process MaturitySynopsys Software Integrity Group
 
Technical Due Diligence for M&A: A Perspective from Corporate Development at ...
Technical Due Diligence for M&A: A Perspective from Corporate Development at ...Technical Due Diligence for M&A: A Perspective from Corporate Development at ...
Technical Due Diligence for M&A: A Perspective from Corporate Development at ...Black Duck by Synopsys
 
IT Best Practices IT Security Assessments 2010
IT Best Practices IT Security Assessments 2010IT Best Practices IT Security Assessments 2010
IT Best Practices IT Security Assessments 2010Donald E. Hester
 
Noip2 stack buffer overflow
Noip2 stack buffer overflowNoip2 stack buffer overflow
Noip2 stack buffer overflowb0920075
 
Industrial Challenges of Secure Software Development
Industrial Challenges of Secure Software DevelopmentIndustrial Challenges of Secure Software Development
Industrial Challenges of Secure Software DevelopmentAchim D. Brucker
 

More Related Content

What's hot

What is penetration testing and career path
What is penetration testing and career pathWhat is penetration testing and career path
What is penetration testing and career pathVikram Khanna
 
CISSP - Software Development Security
CISSP - Software Development SecurityCISSP - Software Development Security
CISSP - Software Development SecurityKarthikeyan Dhayalan
 
Application and Website Security -- Developer Edition: Introducing Security I...
Application and Website Security -- Developer Edition: Introducing Security I...Application and Website Security -- Developer Edition: Introducing Security I...
Application and Website Security -- Developer Edition: Introducing Security I...Daniel Owens
 
Secure Software Development Life Cycle
Secure Software Development Life CycleSecure Software Development Life Cycle
Secure Software Development Life CycleMaurice Dawson
 
Shift Left Security
Shift Left SecurityShift Left Security
Shift Left Securitygjdevos
 
Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization Rogue Wave Software
 
Introduction to Penetration testing - GDG DevFest Caribbean 2021 presentation
Introduction to Penetration testing - GDG DevFest Caribbean 2021 presentationIntroduction to Penetration testing - GDG DevFest Caribbean 2021 presentation
Introduction to Penetration testing - GDG DevFest Caribbean 2021 presentationObika Gellineau
 
Software Audit Strategies - How often is good enough for a software audit?
Software Audit Strategies - How often is good enough for a software audit? Software Audit Strategies - How often is good enough for a software audit?
Software Audit Strategies - How often is good enough for a software audit? Tiberius Forrester
 
Presentation (software engineering)
Presentation (software engineering)Presentation (software engineering)
Presentation (software engineering)Abdullah Al Shiam
 
Rolling Out An Enterprise Source Code Review Program
Rolling Out An Enterprise Source Code Review ProgramRolling Out An Enterprise Source Code Review Program
Rolling Out An Enterprise Source Code Review ProgramDenim Group
 
Defect analysis and prevention methods
Defect analysis and prevention methods Defect analysis and prevention methods
Defect analysis and prevention methods deep sharma
 
Introducing: Klocwork Insight Pro | November 2009
Introducing: Klocwork Insight Pro | November 2009Introducing: Klocwork Insight Pro | November 2009
Introducing: Klocwork Insight Pro | November 2009Klocwork
 
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...GoQA
 
IT due diligence and software quality for fintech startups
IT due diligence and software quality for fintech startupsIT due diligence and software quality for fintech startups
IT due diligence and software quality for fintech startupsSieuwert van Otterloo
 
OWASP Chicago Meetup Presentation - Threat Modeling-Process Maturity
OWASP Chicago Meetup Presentation - Threat Modeling-Process MaturityOWASP Chicago Meetup Presentation - Threat Modeling-Process Maturity
OWASP Chicago Meetup Presentation - Threat Modeling-Process MaturitySynopsys Software Integrity Group
 
Technical Due Diligence for M&A: A Perspective from Corporate Development at ...
Technical Due Diligence for M&A: A Perspective from Corporate Development at ...Technical Due Diligence for M&A: A Perspective from Corporate Development at ...
Technical Due Diligence for M&A: A Perspective from Corporate Development at ...Black Duck by Synopsys
 
IT Best Practices IT Security Assessments 2010
IT Best Practices IT Security Assessments 2010IT Best Practices IT Security Assessments 2010
IT Best Practices IT Security Assessments 2010Donald E. Hester
 

What's hot (20)

What is penetration testing and career path
What is penetration testing and career pathWhat is penetration testing and career path
What is penetration testing and career path
 
CISSP - Software Development Security
CISSP - Software Development SecurityCISSP - Software Development Security
CISSP - Software Development Security
 
Basic of SSDLC
Basic of SSDLCBasic of SSDLC
Basic of SSDLC
 
Application and Website Security -- Developer Edition: Introducing Security I...
Application and Website Security -- Developer Edition: Introducing Security I...Application and Website Security -- Developer Edition: Introducing Security I...
Application and Website Security -- Developer Edition: Introducing Security I...
 
Secure Software Development Life Cycle
Secure Software Development Life CycleSecure Software Development Life Cycle
Secure Software Development Life Cycle
 
shaabani-Final-NC
shaabani-Final-NCshaabani-Final-NC
shaabani-Final-NC
 
Shift Left Security
Shift Left SecurityShift Left Security
Shift Left Security
 
Manual Code Review
Manual Code ReviewManual Code Review
Manual Code Review
 
Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization
 
Introduction to Penetration testing - GDG DevFest Caribbean 2021 presentation
Introduction to Penetration testing - GDG DevFest Caribbean 2021 presentationIntroduction to Penetration testing - GDG DevFest Caribbean 2021 presentation
Introduction to Penetration testing - GDG DevFest Caribbean 2021 presentation
 
Software Audit Strategies - How often is good enough for a software audit?
Software Audit Strategies - How often is good enough for a software audit? Software Audit Strategies - How often is good enough for a software audit?
Software Audit Strategies - How often is good enough for a software audit?
 
Presentation (software engineering)
Presentation (software engineering)Presentation (software engineering)
Presentation (software engineering)
 
Rolling Out An Enterprise Source Code Review Program
Rolling Out An Enterprise Source Code Review ProgramRolling Out An Enterprise Source Code Review Program
Rolling Out An Enterprise Source Code Review Program
 
Defect analysis and prevention methods
Defect analysis and prevention methods Defect analysis and prevention methods
Defect analysis and prevention methods
 
Introducing: Klocwork Insight Pro | November 2009
Introducing: Klocwork Insight Pro | November 2009Introducing: Klocwork Insight Pro | November 2009
Introducing: Klocwork Insight Pro | November 2009
 
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
 
IT due diligence and software quality for fintech startups
IT due diligence and software quality for fintech startupsIT due diligence and software quality for fintech startups
IT due diligence and software quality for fintech startups
 
OWASP Chicago Meetup Presentation - Threat Modeling-Process Maturity
OWASP Chicago Meetup Presentation - Threat Modeling-Process MaturityOWASP Chicago Meetup Presentation - Threat Modeling-Process Maturity
OWASP Chicago Meetup Presentation - Threat Modeling-Process Maturity
 
Technical Due Diligence for M&A: A Perspective from Corporate Development at ...
Technical Due Diligence for M&A: A Perspective from Corporate Development at ...Technical Due Diligence for M&A: A Perspective from Corporate Development at ...
Technical Due Diligence for M&A: A Perspective from Corporate Development at ...
 
IT Best Practices IT Security Assessments 2010
IT Best Practices IT Security Assessments 2010IT Best Practices IT Security Assessments 2010
IT Best Practices IT Security Assessments 2010
 

Viewers also liked

Noip2 stack buffer overflow
Noip2 stack buffer overflowNoip2 stack buffer overflow
Noip2 stack buffer overflowb0920075
 
Industrial Challenges of Secure Software Development
Industrial Challenges of Secure Software DevelopmentIndustrial Challenges of Secure Software Development
Industrial Challenges of Secure Software DevelopmentAchim D. Brucker
 
Software Rollout
Software RolloutSoftware Rollout
Software Rolloutcolmbennett
 
Master Trading in Greece
Master Trading in GreeceMaster Trading in Greece
Master Trading in GreeceMarina Larsen
 
Thinh Hoang Resume
Thinh Hoang Resume Thinh Hoang Resume
Thinh Hoang Resume Thinh Hoang
 
Niki Calderone UX Research Portfolio
Niki Calderone UX Research PortfolioNiki Calderone UX Research Portfolio
Niki Calderone UX Research PortfolioNiki Calderone Canton
 
Researching target audiences
Researching target audiencesResearching target audiences
Researching target audiencesEvijaKapeljuha
 
BuildHub Pitch
BuildHub PitchBuildHub Pitch
BuildHub PitchBootcamp
 
New Items - Constellation 2017
New Items - Constellation 2017New Items - Constellation 2017
New Items - Constellation 2017Gena Feldmann
 
葡萄牙 > 黄金签证计划 与 非常住居民制度
葡萄牙 > 黄金签证计划 与 非常住居民制度葡萄牙 > 黄金签证计划 与 非常住居民制度
葡萄牙 > 黄金签证计划 与 非常住居民制度Dixcart Management (Madeira)
 
HOW TO CHOOSE A BIKINI FOR YOUR BODY TYPE
HOW TO CHOOSE A BIKINI FOR YOUR BODY TYPE HOW TO CHOOSE A BIKINI FOR YOUR BODY TYPE
HOW TO CHOOSE A BIKINI FOR YOUR BODY TYPEdanneeledge
 

Viewers also liked (16)

Noip2 stack buffer overflow
Noip2 stack buffer overflowNoip2 stack buffer overflow
Noip2 stack buffer overflow
 
Industrial Challenges of Secure Software Development
Industrial Challenges of Secure Software DevelopmentIndustrial Challenges of Secure Software Development
Industrial Challenges of Secure Software Development
 
Software Rollout
Software RolloutSoftware Rollout
Software Rollout
 
On - Fideicomiso Ganadero (1)
On - Fideicomiso Ganadero (1)On - Fideicomiso Ganadero (1)
On - Fideicomiso Ganadero (1)
 
Master Trading in Greece
Master Trading in GreeceMaster Trading in Greece
Master Trading in Greece
 
Thinh Hoang Resume
Thinh Hoang Resume Thinh Hoang Resume
Thinh Hoang Resume
 
Niki Calderone UX Research Portfolio
Niki Calderone UX Research PortfolioNiki Calderone UX Research Portfolio
Niki Calderone UX Research Portfolio
 
018 4877 power your life 0
018 4877 power your life 0018 4877 power your life 0
018 4877 power your life 0
 
Work,energyandpower
Work,energyandpowerWork,energyandpower
Work,energyandpower
 
Researching target audiences
Researching target audiencesResearching target audiences
Researching target audiences
 
BuildHub Pitch
BuildHub PitchBuildHub Pitch
BuildHub Pitch
 
New Items - Constellation 2017
New Items - Constellation 2017New Items - Constellation 2017
New Items - Constellation 2017
 
Manual
ManualManual
Manual
 
葡萄牙 > 黄金签证计划 与 非常住居民制度
葡萄牙 > 黄金签证计划 与 非常住居民制度葡萄牙 > 黄金签证计划 与 非常住居民制度
葡萄牙 > 黄金签证计划 与 非常住居民制度
 
018 4895 healing for loved ones
018 4895 healing for loved ones018 4895 healing for loved ones
018 4895 healing for loved ones
 
HOW TO CHOOSE A BIKINI FOR YOUR BODY TYPE
HOW TO CHOOSE A BIKINI FOR YOUR BODY TYPE HOW TO CHOOSE A BIKINI FOR YOUR BODY TYPE
HOW TO CHOOSE A BIKINI FOR YOUR BODY TYPE
 

Similar to Reduce Third Party Developer Risks

4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.pptgealehegn
 
Lecture Course Outline and Secure SDLC.ppt
Lecture Course Outline and Secure SDLC.pptLecture Course Outline and Secure SDLC.ppt
Lecture Course Outline and Secure SDLC.pptDrBasemMohamedElomda
 
Beyond security testing
Beyond security testingBeyond security testing
Beyond security testingCu Nguyen
 
Implementing AppSec Policies with TeamMentor
Implementing AppSec Policies with TeamMentorImplementing AppSec Policies with TeamMentor
Implementing AppSec Policies with TeamMentortmbainjr131
 
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Dilum Bandara
 
Capability Building for Cyber Defense: Software Walk through and Screening
Capability Building for Cyber Defense: Software Walk through and Screening Capability Building for Cyber Defense: Software Walk through and Screening
Capability Building for Cyber Defense: Software Walk through and Screening Maven Logix
 
Assessing System Risk the Smart Way
Assessing System Risk the Smart WayAssessing System Risk the Smart Way
Assessing System Risk the Smart WaySecurity Innovation
 
Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...Michael Hidalgo
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldRogue Wave Software
 
Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)Frances Coronel
 
Owasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing masterOwasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing masterDinis Cruz
 
IEEE 1633 Recommended Practices for Reliable Software
IEEE 1633 Recommended Practices for Reliable SoftwareIEEE 1633 Recommended Practices for Reliable Software
IEEE 1633 Recommended Practices for Reliable SoftwareAnn Marie Neufelder
 
Software Engineering Methodologies
Software Engineering MethodologiesSoftware Engineering Methodologies
Software Engineering MethodologiesNesrine Shokry
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product SecuritySoftServe
 
Enumerating software security design flaws throughout the ssdlc cosac - 201...
Enumerating software security design flaws throughout the ssdlc cosac - 201...Enumerating software security design flaws throughout the ssdlc cosac - 201...
Enumerating software security design flaws throughout the ssdlc cosac - 201...John M. Willis
 
Enumerating software security design flaws throughout the SSDLC
Enumerating software security design flaws throughout the SSDLCEnumerating software security design flaws throughout the SSDLC
Enumerating software security design flaws throughout the SSDLCJohn M. Willis
 
Create code confidence for better application security
Create code confidence for better application security Create code confidence for better application security
Create code confidence for better application security Rogue Wave Software
 
chap-1 : Vulnerabilities in Information Systems
chap-1 : Vulnerabilities in Information Systemschap-1 : Vulnerabilities in Information Systems
chap-1 : Vulnerabilities in Information SystemsKashfUlHuda1
 
Open Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best PracticesOpen Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best PracticesBlack Duck by Synopsys
 

Similar to Reduce Third Party Developer Risks (20)

4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
 
Lecture Course Outline and Secure SDLC.ppt
Lecture Course Outline and Secure SDLC.pptLecture Course Outline and Secure SDLC.ppt
Lecture Course Outline and Secure SDLC.ppt
 
Beyond security testing
Beyond security testingBeyond security testing
Beyond security testing
 
Implementing AppSec Policies with TeamMentor
Implementing AppSec Policies with TeamMentorImplementing AppSec Policies with TeamMentor
Implementing AppSec Policies with TeamMentor
 
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...
 
Capability Building for Cyber Defense: Software Walk through and Screening
Capability Building for Cyber Defense: Software Walk through and Screening Capability Building for Cyber Defense: Software Walk through and Screening
Capability Building for Cyber Defense: Software Walk through and Screening
 
Assessing System Risk the Smart Way
Assessing System Risk the Smart WayAssessing System Risk the Smart Way
Assessing System Risk the Smart Way
 
Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT world
 
Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)
 
Owasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing masterOwasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing master
 
IEEE 1633 Recommended Practices for Reliable Software
IEEE 1633 Recommended Practices for Reliable SoftwareIEEE 1633 Recommended Practices for Reliable Software
IEEE 1633 Recommended Practices for Reliable Software
 
Software Engineering Methodologies
Software Engineering MethodologiesSoftware Engineering Methodologies
Software Engineering Methodologies
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product Security
 
Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011
 
Enumerating software security design flaws throughout the ssdlc cosac - 201...
Enumerating software security design flaws throughout the ssdlc cosac - 201...Enumerating software security design flaws throughout the ssdlc cosac - 201...
Enumerating software security design flaws throughout the ssdlc cosac - 201...
 
Enumerating software security design flaws throughout the SSDLC
Enumerating software security design flaws throughout the SSDLCEnumerating software security design flaws throughout the SSDLC
Enumerating software security design flaws throughout the SSDLC
 
Create code confidence for better application security
Create code confidence for better application security Create code confidence for better application security
Create code confidence for better application security
 
chap-1 : Vulnerabilities in Information Systems
chap-1 : Vulnerabilities in Information Systemschap-1 : Vulnerabilities in Information Systems
chap-1 : Vulnerabilities in Information Systems
 
Open Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best PracticesOpen Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best Practices
 

Recently uploaded

Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 

Recently uploaded (20)

Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 

Reduce Third Party Developer Risks

  • 1. Reduce 3 Party Developer Risks
  • 2. Agenda • Common Challenges to Secure Software Development • Integrity Checks and Security Assessments • Internal and 3rd Party Security Considerations
  • 3. Understanding Root Cause of Vulnerabilities • Failure to set requirements and standards • Not enough training and education • Lack of process • Vulnerabilities are unintended functionality
  • 4. Security vs. Software Quality When you think of 3rd party language for functionality requirements, think similarly for security requirements
  • 5. The Organizational Disconnect • IT/GRC/InfoSec historically focused on network/endpoint security *Developers and SDLC are now “in scope” • Tools are a typical first step *Both have different perspective on what policies and procedures are in place • How did we handle performance, reliability? *Security needs to be a standard part of the process
  • 6. Language, Platform & Framework Nuances • Security policies are not enough o Follow through with architecture and development standards o Must explain “how” and “why,” not just “what” o Must tie to specific roles and technologies • Each language has unique idiosyncrasies and syntax issues: o C++ o Java and .NET o Scripting languages • Each platform is unique: o Mobile o Cloud & Web o Embedded
  • 7. The Pitfalls of Automation • First instinct is “what tool can we buy”? • It can do a lot of heavy lifting faster than humans; but they…. o Only find KNOWN vulnerabilities/patterns and can miss important issues o Don't teach you how to fix vulnerabilities or prevent them in the future o Useful as part of an assessment program, but shouldn’t be your sole solution • Analyzing results is time consuming and requires skill • Results: o Tools often become shelf-ware o Dev team pushes back against vulnerability management in the SDLC
  • 8. • Network boundary plays key role in “defense-in-depth”, but…. o Misses the majority of security vulnerabilities o Ineffective when applications are internet facing o Attackers can/will break through • With Internet, applications become the perimeter • We still invest exponentially more in network defenses Security is Ultimately a Software Problem * source: Gartner and NIST 70-92% of vulnerabilities exist in the application, not network layer*
  • 9. …. and a Human Problem • Vulnerabilities are frequently the result of a failure in the engineering process • Developers have an implicit trust in the user o Often think of functionality (practical) rather than security o Not common to consider abuse cases • Education tailored to each environment isn’t required o Particularly in requirements and design phase where few tools available o Wide range of technologies and platforms is overwhelming
  • 10. Agenda • Common Challenges to Secure Software Development • Integrity Checks and Security Assessments • Internal and 3rd Party Security Considerations
  • 11. Integrity Checks • Perform security assessments o Design reviews, code reviews, penetration tests at key validation points • Address security beyond the traditional “testing” phase • Security assessment = more than penetration testing the binary: o Validating the design and the architecture before coding begins o Developing a threat model that guides design, coding and test efforts o Using tools while developers are coding to find common security defects o Verifying the security and configuration of the deployment environment
  • 12. Assessment Activities Work Together • Design review o Sets the rest of the team up for success and finds problems that are the costly to fix later in the cycle • Threat Modeling o Ensures key threats are considered during design, coding and testing • Code Review o One of the highest impact activities, but doesn’t consider the as-deployed state
  • 13. …Continued • Manual penetration testing o Requires deep knowledge of application and technologies in the environment • Scanning tools o Provide broad coverage to augment these activities
  • 14. State of Application Security Assessment Conventional approaches to application security are not risk-based • Over-reliance on automated vulnerability scanning • Random efforts to find a needle in a haystack • Fails to address each application’s unique code-, system- and workflow-level vulnerabilities • Little practical guidance on prioritizing defect remediation • Find & Fix “hamster wheel” leads to frustration and stagnation • Many flaws are caused by environment interaction and only discoverable after analyzing application in production
  • 15. …Continued An effective security assessment program • Uses threat modeling to focus efforts on highest risk first • Is committed to finding problems at each phase of development • Aligns breadth and depth of analysis to application complexity and criticality • Let’s humans and tools do what they each do best • Leverages assessment findings to identify root causes and address process and skills gaps
  • 16. It’s Called “Verification Phase” for a Reason • Security testing should be like the net under a tightrope o Not the only time when security problems are found • Why do we often find so many vulnerabilities in testing? o If architecture and development standards are followed, vulnerabilities will be minimized o If assessment activities occur consistently, vulnerabilities will be found early • Penetration testing becomes the last-best assessment, rather than the last-desperate hope
  • 17. Agenda • Common Challenges to Secure Software Development • Integrity Checks and Security Assessments • Internal and 3rd Party Security Considerations
  • 18. Managing 3rd Party Risk • 3rd party includes: o Supplier of software you purchase o Supplier of Software as a Service you consume o Outsourced development team you leverage • Managing risk includes: o Setting expectations, including contractual language o Validating expectations are met o Clear remediation procedures to handle identified risks
  • 19. Language Normalization Term Definition Vulnerability Security exposure that results from a weakness that the architect, developer, etc did not intend to introduce Threat A negative occurrence in the business processes of a system Attack An implementation-specific action or set of actions taken against a system to realize a threat Exploit Sequence of commands/activities that takes advantage of a vulnerability to cause unintended or unanticipated behavior (i.e. gaining control of a system, privilege escalation, or a denial-of-service attack) Impact What damage can be done with a successful exploit Risk The exposure and probability weighted ranking of a given threat, allowing for comparisons between threats and across systems and factors in mitigating/compensating controls It’s important to speak the same language both internally and with 3rd parties
  • 20. Understand the Risk you are Purchasing • The ecosystem around software is constantly changing • How “risky” software is has as much to do with vendor support as it does to how secure the source code is • Questions should be asked not just of software vendors that sell applications, but also for vendors that offer software as a service. • Contractual requirements should be put into place for outsourced development
  • 21. Consideration #1 Has Supplier Thought About Security? • A contract does not replace diligence but given the frequency of security breaches today, it’s important to: o Determine what language you (the “Customer”) should minimally have with your “Supplier” when sourcing a software application (the “Software”) o Ensure that terms are defined to your acceptance and understood by supplier • Ask the supplier to provide evidence of security due diligence o Perhaps they have a 3rd-party or independent penetration testing doc to share o Are they willing to attest to your security requirements and/or acceptance testing…and offer remedies if they do not?
  • 22. Suggested Contract Language • E.g., the Software shall comply with all Documentation applicable thereto, including, without limitation, the applicable Product Requirements Documents, and Supplier shall develop the Software in a professional, workmanlike manner in accordance with or exceeding all industry standards, including security standards.
  • 23. Consideration #2 Suppliers Secure Development Process? • Often a vendor’s documentation is absent of security controls other than a reference to industry standard(s) • Vendor should demonstrate capabilities around integrating security into each phase of development • Many compliance mandates and customer requirements overlap o Activities are generally the same, just worded differently o Do the mapping ahead of time to consolidate requirements
  • 24. Mapping Regulations & Mandates • Most regulations, frameworks, and compliance mandates call out general requirements and have non-obvious implications: o “develop according to industry best practices” o “protected information should not be improperly altered’” • Vendor should demonstrate a repeatable SDLC that integrates key security and compliance activities: o Ensures future requirements will have little impact on existing efforts o Allows you to maintain a “big picture” view to software development and IT teams o Reduces “re-do” expenses and audit costs
  • 26. High-Level Requirement Other Standards (Partial List) Selected Coding Practices Confidentiality SOX, HIPAA, ISO 27002,, GLBA, FFIEC, Basel l I, CA SB 1386, FIPS 199, NIST - Appropriate use of strong encryption for data in databases. - Encrypting confidential data in memory. No custom or untrusted encryption routines - Encrypting data in motion, especially for wireless transmissions. - Masking confidential data that needs to be viewed in part Data integrity SOX, ISO 27002, HIPAA, GLBA, FIPS 199, NIST - Robust integrity checks to prevent tampering with data. - Input validation and comprehensive error handling to prevent injection attacks, privilege escalation, and other hacking techniques. - Output encoding. Use of least privileges. - Hashing for confidential data that needs to be validated (e.g. passwords) Authentication and access control SOX, ISO 27002, HIPAA, II, NIST SP - Support for strong passwords & two-factor authentication where appropriate. - Role-based access control and revocation of rights, with clear roles mapped to permissions. - Locked down file access and database roles. No guest accounts. - Passwords and encryption keys encrypted before storage and transmission. Logging and auditing SOX, ISO 27002, HIPAA, SB 1386, NIST SP - Detailed audit trails of users accessing data and resources. - Detailed logging of systems that process sensitive data, including shutdowns, restarts and unusual events. No confidential data exposed in logs. - Event logs and audit trails available only to system admins and protected from unauthorized modifications. One secure coding activity yields leverage across security controls in 6 different standards
  • 27. Other Questions to Ask: Requirements • Do you gather security objectives? How are they mapped to the rest of the design process? Design • Does your team conduct security architecture and design reviews? • Do you use checklists to drive the process? Do you revise them over time? • Does your team create threat models to understand and prioritize risk? Coding • Does your team use a formalized set of security coding best practices? • What type of code scanning tools do you use? • Do you perform code reviews against security best practices? Testing • Does your team conduct 3rd party or internal penetration tests? • Are your testers QA trained on the latest attack trends and test techniques? • Do you use security testing tools?
  • 28. Suggested Contract Language • The Software shall comply with all Documentation applicable thereto, including, without limitation, the applicable Product Requirements Document, and Supplier shall develop the Software in a professional, workmanlike manner in accordance with or exceeding all industry standards, including security standards. • The Product Requirements Document mutually acceptable to Customer and Supplier shall include each of the security elements set forth on Exhibit A * Be certain to review with your legal counsel what information that is confidential to your company that the application may access, and any appropriate controls on confidential information, trade secrets or private data
  • 29. Principle Secure Development Requirements • “The software shall include the following secure application development requirements” o (a) a Data Criticality Definition (“DCD”); o (b) security requirements based upon such DCD; o (c) for each technology stack: o i. Defined Architecture Standards o ii. Defined Coding Standards o iii. Defined checklists for use in architecture reviews, code reviews and penetration testing o iv. Defined application security role-based training program for development team o (d) Architecture and design review and threat model o (e) Regular security code review and code scanning during development o (f) 3rd party penetration test before release o (g) Defined response plan for discovered vulnerabilities including how to deploy updates to Customer
  • 30. Consideration #3 Commitment to Training? • Is there a security training program in place for all development team members? • Is the training appropriate role and technology based? • Is there validation of security skills and techniques?
  • 31. Additional Items to Discuss • What regular/recurring training does your development and test team receive specific to application security? • What percentage of your software development and testing team is focused on security? • Do you have a security team that attack your products prior to release or is security embedded in each team?
  • 32. Consideration #4 Security After the Delivery of Software • Consider security for the whole lifecycle • Production scanning or penetration testing? • Cybersecurity insurance with customer as named beneficiary • Make a penetration test an acceptance criteria • Consider the supplier’s security and privacy policies
  • 33. Suggested Contract Language • Supplier shall at all times during the term of this Agreement maintain appropriate technical and organizational measures to protect any Data that it collects, accesses or processes in conjunction with this Agreement against unauthorized or unlawful use or disclosure. • Supplier shall implement security procedures to protect Data from improper disclosure or use, such procedures to be in compliance with all industry standards and all applicable federal and state regulatory requirements. • Supplier will immediately notify Customer of any breach, or suspected breach, of data security, (a “Security Breach”) and shall immediately coordinate with the Customer security personnel to investigate and remedy the Security Breach, as directed by Customer security personnel. • Supplier shall maintain records of any known or suspected security breaches in accordance with commercially accepted industry practices, and, if not prohibited by applicable law, shall make such records available to Customer upon request.
  • 34. …Continued • In the event of a Security Breach, notwithstanding any other provision, Supplier shall be solely responsible for all expenses related to the investigation of such breach as well as the costs of furnishing notices to the other party’s affected customers and the offer to such affected customers of services to mitigate the effect of such breach. • Supplier shall not store any Data outside of the United States, other than an ISO 27014 certified facility, transfer any of the same to any location outside of the United States or access or permit access to any of the same from any location outside of the United States. • At Customer’ discretion and Customer’ expense, no more than once in any given year, Supplier shall cause a third party to perform a penetration test of all systems owned or controlled by Supplier or its subcontractors that contain any Data. • Supplier shall provide a summary of such results to Customer. If penetration testing shows any material deficiencies, then Supplier shall use reasonable best efforts to remediate all such deficiencies and shall provide Customer written documentation of such remediation efforts.
  • 35. Consideration #5 Vulnerability Service Level Agreement • Cooperation after a suspected or known security breach may not be adequate. • Vulnerability SLA including response and turnaround time • Terms and period of vendor’s security support agreement • Tiers for different severity classes (clearly define) • Dedicated team to assess and respond to security vulnerabilities • How (or if) reported security defects are treated differently than non-security defects.
  • 36. Suggested Contract Language In the event of a Security Breach or if Supplier has reason to believe a Software vulnerability exists, Supplier shall respond within the specified turnaround time according to the following service levels: • (a) Critical: Attacker gains access to admin or root privileges allowing remote read and write access to the system and remote commands. • Response time: 2 to 3 hours • Resolution time: Risk mitigated immediately (e.g. system offline if necessary), risk resolved within 3 days. • (b) High: Attacker gains user privileges or can execute a denial of service (DOS) for any users on the system. Partial and/or read access to the sensitive data. • Response time: 8 hours • Resolution time: Risk mitigated within 1 day, risk resolved within 1 week
  • 37. In Summary: 3rd Party Risk is Your Risk • All software in your enterprise represents a security risk: o Internally developed o 3rd party vendor o Outsourced team • 3rd party is hard o It's natural to want to 'trust' a 3rd party and hope they are doing all the right things. o It's hard to control 3rd party behavior • Solution o Clear expectations o Backed by binding contractual language
  • 38. Further Information In partnership with Security Innovation, Emenda can offer over 120 courses to help protect your business. To download our latest course list, click here For further information or to get in touch: Contact Us Visit Our Website