Bill Ross, profile picture
Uploaded byBill Ross
PPT, PDF4,717 views

Security Lifecycle Management Process

The document discusses application security, highlighting the increasing vulnerabilities in web applications and the various cyber threats facing organizations. It emphasizes the importance of integrating security throughout the software development lifecycle (SDLC) and implementing best practices to mitigate risks. Key threats include SQL injection, cross-site scripting, and exploitation of security flaws, necessitating robust security measures and training for developers.

Related topics:
Secure Development

Embed presentation

Downloaded 91 times
INFOSECFORCE Application Security INFOSECFORCE Application Security BILL ROSS 15 Sept 2008 “ Balancing security controls to business requirements “ BILL ROSS 1
INFOSECFORCE Security and Project Lifecycles Security and Lifecycle Management Process (SLCMP) Said “slickum” A “practitioner’s” view ….. Bill Ross
INFOSECFORCE Slickum brief objectives  Purpose: - Discuss application security issues - Describe web application information security - To describe a process by which software is securely developed  Expected outcome: - An increased awareness of how to prevent web application attacks - How to implement the SLCMP process into the SDLC - More securely built applications and infrastructure
INFOSECFORCE What You Need to Know Symantec Internet Security Threat Report, Volume XIV 4
INFOSECFORCE Operational report  Less rigor in Web programming, an increasing variety of software, and restrictions on Web security testing have combined to make flaws in Web software the most reported security issues, according to the Common Vulnerabilities and Exposures (CVE) project.  Web and business applications are increasingly compromised around the world causing businesses to loose millions of dollars through data compromise  Hacking is no longer for fun …… it is for profit …. Internal or external hackers exploit weaknesses in application code to achieve their objectives.  Symantec 2008 Cyber report indicates there are 1,656, 227 number of new threats in the wild
INFOSECFORCE Common attack tools 1. Phishing. The use of e-mails that appear to originate from a trusted source to trick a user into entering valid credentials at a fake website. Typically the e-mail and the web site looks like they are part of a bank the user is doing business with. 2. Malicious Code Software (e.g., Trojan horse) that appears to perform a useful or desirable function, but actually gains unauthorized access to system resources or tricks a user into executing other malicious logic. Malware A generic term for a number of different types of malicious code. 3. Spam Electronic junk mail or junk newsgroup postings. 4. Worms. A computer program that can run independently, can propagate a complete working version of itself onto other hosts on a network, and may consume computer resources destructively. 5. Trojan. A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program. 6. Virus. A hidden, self-replicating section of computer software, usually malicious logic, that propagates by infecting - i.e., inserting a copy of itself into and becoming part of - another program. A virus cannot run by itself; it requires that its host program be run to make the virus active. 8. Key stroke logger. Practice of tracking(or logging) the keys struck on a keyboard typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored 9. Denial of service. The prevention of authorized access to a system resource or the delaying of system operations and functions 10. Web application attacks
INFOSECFORCE “ the Cyber Battle Field” Google China cyber attack part of vast espionage campaign, experts say Computer attacks on Google that the search giant said originated in China were part of a concerted political and corporate espionage effort that exploited security flaws in e-mail attachments to sneak into the networks of major financial, defense and technology companies and research institutions in the United States, security experts said. (New York Times) Washington (DC) - Yesterday, the FBI announced it considers cyber attacks to be the third greatest threat to the security of the United States. The only two preceding it are nuclear war and weapons of mass destruction (WMD). JAN 2009
INFOSECFORCE Malicious code is installed • In 2008, Symantec blocked an average of more than 245 million attempted malicious code attacks worldwide each month. • Over 60% of Symantec’s malicious code signatures were created in 2008. • Over 90% of threats discovered in 2008 are threats to confidential information. Symantec Internet Security Threat Report
INFOSECFORCE Key trends “The attacks are more aggressive than ever and they’re more criminal than ever,” says Dave Cole, director of Symantec Security Response. The bad guys are also more organized. The report says they are working together to create “global, cooperative networks” to support their criminal activity. It’s not quite the Mafia, but there is an entire underground economy in place to deal with all the stolen information up for sale.” Web-based Cyber criminals want Increased sophistication Rapid adaptation to malicious activity YOUR information of the Underground security measures has accelerated Economy • Focus on exploits • Primary vector for targeting end-users • Well-established • Relocating operations to malicious activity for financial gain infrastructure for new geographic areas • Target reputable, monetizing stolen • Evade traditional security high-traffic websites information protection Symantec Internet Security Threat Report
INFOSECFORCE Key Trends – Global Activity • Data breaches can • Documented • Trojans made up 68 • 76% phishing lures target lead to identity theft vulnerabilities up percent of the Financial services (up • Theft and loss top 19% (5491) volume of the top 50 24%) cause of data • Top attacked malicious code • Detected 55,389 phishing leakage for overall vulnerability: • 66% of potential website hosts (up 66%) data breaches and Exploits by malicious code • Detected 192% increase in identities exposed Downadup infections propagated spam across the Internet • Threat activity • 95% vulnerabilities as shared executable with 349.6 billion increases with attacked were client- files messages growth in side • 90% spam email Internet/Broadband distributed by Bot networks usage Internet Security Threat Report
INFOSECFORCE Website compromise • Attackers locate and compromise a high-traffic site through a vulnerability specific to the site or in a Web application it hosts • Once the site is compromised, attackers modify pages so malicious content is served to visitors Site-specific vulnerabilities Web application vulnerabilities Internet Security Threat Report, 11 11
INFOSECFORCE Impact of Security Defects Bad Business • On average, there are 5 to 15 defects in every 1,000 lines of code  US Dept. of Defense and the Software Engineering Institute Slow Business • It takes 75 minutes on average to track down one defect. Fixing one of these defects takes 2 to 9 hours each  5 Year Pentagon Study • Researching each of the 4,200 vulnerabilities published by CERT last year for 10 minutes would have required 1 staffer to research for 17.5 full workweeks or 700 hours  Intel White paper, CERT, ICSA Labs Loss of Business • A company with 1,000 servers can spend $300,000 to test & deploy a patch; most companies deploy several patches a week  Gartner Group
INFOSECFORCE The SDL Reduces the Total Cost of Development The National Institute of Standards and Technology (NIST) estimates that code fixes performed after release can result in 30 times the cost of fixes performed during the design phase.
INFOSECFORCE Top 10 Web Security Threats Broken authentication Cross-site scripting (XSS) Broken access control Unvalidated input Insecure storage Buffer overflows Improper error handling Injection flaws Insecure configuration management Application denial-of-service SUN
INFOSECFORCE Web Application Security Threats 1. Unvalidated input (Mother of all Web Tiered Attacks) Attacker can tamper any part of the HTTP request. SQL injection, Cross Site Scripting, buffer overflows(URL, Cookies, Form Fields, Hidden Fields, Headers ) 2. Broken Access Control Insecured IDs, Poor file permissions, Service account exploit, Path Traversal 3. Broken Authentication and Session Management Focus is in USER authentication and user active sessions. Example is if “cookies” not proper protected, attacker can assume the identity of user 4. Cross site scripting Malicious script sent to server which is then sent to user accessing same server (Chat server). User believes script came from trusted source. (Can come in any form of active scripting (Java, Active X, Shockwave, Flash and etc)
INFOSECFORCE Web Application Security Threats 2 5. Buffer Overflow Errors Attackers use buffer overflows to corrupt the execution stack of a web application By sending carefully crafted input to a web application, an attacker can cause the web application to execute arbitrary code. Present in both the web server or application server products or the web application itself 6. Injection Flaws Injection flaws allow attackers to relay malicious code through a web application to another system. When a web application passes information from an HTTP request through as part of an external request, the attacker can inject special (meta) characters, malicious commands, or command modifiers into the information 7 . Improper Error Handling The most common problem is when detailed internal error messages such as stack traces, database dumps, and error codes are displayed to a potential hacker . These messages reveal implementation details that should never be revealed. 8. Application DOS Types of resources Bandwidth, database connections, disk storage, CPU, memory, threads, or application specific resources. Application level resources impacting
INFOSECFORCE Attack vector analyses Hacker targets • From observed hacker malicious activity statistics, we know that hackers are now seldom interested in defeating the network or the infrastructure low-level defenses. The adversaries today are well aware of the fact that applications are typically less defended than the rest of the IT infrastructure. A Garner report states “ that over 75% of attacks against websites and web- based applications come at the application layer and not lower infrastructure and network layers.” Source: IBM
INFOSECFORCE Application security paradox Applications, data and business processes are vulnerable even when a robust network and infrastructure security program is in place. Internet DMZ Trusted IIS ASP .NET Inside SunOne SQL WebSphere Oracle Apache Java DB2 HTTP(S) Corporate IMAP, FTP Firewall only Firewall only Firewall only allow Inside allows PORT 80 allows application server SSH , TELNET (or 443 SSL) applications to talk to POP3, XML traffic from the on the web database server. Internet to the server to talk to web server. application Any – Web server. Server: 80 SOURCE: SPIDYNAMICS
INFOSECFORCE Hacking the Super Bowl Is nothing sacred anymore ????  Super Bowl exploits “ At last week's RSA Conference in San Francisco, just days after the Super Bowl attack, I sat down with Thompson. On his laptop, he showed me the simple line of Javascript code that pointed Super Bowl site visitors to a known criminal hacker exploit server. Apparently, there was a cross-site scripting error on the official Super Bowl Web site that allowed some criminal hackers to inject a poisoned iFrame command. And it wasn't just the Super Bowl site--it turns out there were several others, mostly healthcare related, including the U.S. Centers for Disease Control “ Source Robert Vamosi Senior editor, CNET Reviews
INFOSECFORCE How did this happen ? Business engines fueled by multiple and powerful applications
INFOSECFORCE Expanding “e-com” perimeter Microsoft’s vision for secure and Easy “ anywhere access ” Bill Gates, 2007 RSA
INFOSECFORCE Expanding “e-com” perimeter Microsoft’s vision for secure Social networks, and I-Pod, I-PAD as a network, peripheral-geddon Easy & “ anywhere access ” “THE CLOUD” Bill Gates, 2007 RSA
INFOSECFORCE Security coding errors
INFOSECFORCE Prevent & fortify
INFOSECFORCE This ….. IBM believes Application Security Strategies Engineering security into application systems is a critical discipline and should be a key component in multi-disciplinary, concurrent or distributed development teams. This applies to the development, integration, operation, administration, maintenance and evolution of e-Business application systems as well as to the development, delivery, and evolution of software-based products. Source: IBM
INFOSECFORCE Security Business Case Security Defects Matter  Frequent • 3 out of 4 business websites are vulnerable to attack (Gartner)  Pervasive • Majority of hacks occur at the Application level (Gartner) =  Undetected • QA testing tools not designed to detect security defects in applications  Expensive • Bugs and software defects costs the national economy $60 billion annually … delivering quality applications to the 1000 application sample ‘Healthchecks’ with market has become a mandatory requirement AppScan – 98% vulnerable: all had firewalls … the cost of fixing defects after deployment and encryption solutions in place… is almost 100 times greater than detecting and eliminating them during development. SOURCE: Seagate Technology
INFOSECFORCE Best practice solutions  Application security requirements define the high level specifications for securely developing and deploying applications Application Planning Application Development Prod and Maintenance Minimal set of coding practices  Data Classification – Classify  Input Validation – Validate input  Applications shall be hosted on data according to the sensitivity of from all sources. servers compliant with the corporate the data. Security requirements for IT system  Default deny – Access control  Risk Assessment – Conduct should be based on specific hardening preliminary risk assessment before permission rather than exclusion. development begins and after  Applications classified as planning is complete. Security  By default all access should be sensitive shall at a minimum have Requirements – Identify and denied. document the security requirements annual vulnerability assessments, of the application early in the  Principle of Least Privilege – when a significant change to the development lifecycle. Perform all processes with the least application has occurred, or set of required privileges depending on the data sensitivity  Security Design – Use the Data and risk. Classification process to determine  Quality Assurance – Quality specific security services needed by assurance identifies and eliminates the application software vulnerabilities.  SDLC – Address security within  Perform internal testing – Use all stages of the SDLC. source code auditing, pen testing, manual code review, or automated source code review
INFOSECFORCE Principles of Secure Programming TARGET THESE AREAS  Minimize attack surface area  Secure defaults  Principle of least privilege  Principle of defense in depth  Fail securely  External systems are insecure  Separation of duties  Do not trust security through obscurity  Simplicity  Fix security issues correctly SUN
INFOSECFORCE Application security risk analyses Vulnerability Not having a dedicated security program that trains developers to build secure applications, not embedding security into the SDLC, not conducting security testing on applications during and after development, and not having application firewalls Threat Numerous threats such as: - SQL injection, cross site scripting, buffer overflow Risk Multiple avenues of attack on organizational vital information assets Likelihood rating High Risk Impact High rating Overall risk High rating Risk summary High Relevant Hardened infrastructure (will not block port 80 attacks) controls Risk mitigation Follow application security planning, development and production best practices. Build security into all SDLC phases.
INFOSECFORCE SLCMP Embed information security in the SDLC and PLCMP by applying the practices and procedures defined in SLCMP
INFOSECFORCE An art form “ Building highly secure software is nothing less than an eloquently choreographed dance that calls upon the talent and skills of the developer, project manager and information security teaming to ensure that an application securely glides with grace across the technical stage ”
INFOSECFORCE SLCMP and the SDLC …“The Dance” Initiate Design/Develop Implement Production Statement of need Functional Design and Code 1 st phase 2 nd phase QA Pre prod Prod Post Prod for new business requirements technical development prod testing prod testing process, document architecture application or designed developed technology INFOSEC architecture document created based on data security Application and INFOSEC participation categorization, policy, infrastructure in feasibility analyses, application functionality penetration testing no documentation and risk and vulnerability required Server cert assessments Build the System Security Plan Integrate controls and First phase Second phase app security Third phase app Create final Ongoing pen based on NIST 800-53 control create detailed application security testing using formalized security test which risk tests, application security process to decompile code follows phase one guidelines. Preliminary risk and testing. Once code acceptance vulnerability test plan defining as much as possible to testing process. vulnerability assessment done. begins solidifying, Used as final document assessments, Measures requirements against testing tools, use soft tools such as determine if code has verification that risk policy and provides functional timelines, remedial AppScan or Spi organic exposures violating code is stable management adjustments. Security action processes and Dynamics for high policy, security design, and from INFOSEC requirements stated based on testers. Gain level testing. the security architecture. perspective preliminary risk and vulnerability approval from project Feedback findings to Correct findings and provide manager. to developers to fix or define assessments. If necessary, developers for code mitigating controls. Aspect ** Security certification and requirements document adjusted correction security has expertise in this accreditation should be area finalized
INFOSECFORCE SLCMP Deliverables Initiate Develop Implement Production - Security control integration - Second phase app security - Data security categorization testing - Preliminary risk assessment - Third phase app security testing - Security certification - Security plan - Security accreditation - Risk assessment - Security architecture - Threat management - Functional requirements - Functional and vulnerability - Configuration analyses test plan management and control - Assurance requirements - First phase testing - Continuous monitoring - Control selection - Additional planning - Incident response plan assignments
INFOSECFORCE SLCMP and the PLCMP Initiate Design/Develop Implement Production Demand manger reviews the request Control selection begins. and categorizes project type as a Defines high level technical Validate designs, validate cost Operations provide operational small, medium, or larger project. and security architecture. estimates, and implement final support for all final solutions and Detailed technical and solutions and designs designs implemented as part of the security design infrastructure. • Architecture • Design security controls • Security architecture • Implementation • Patch management Standards and • Begin organizing security • Design and technical • Change Management • Monitoring Convergence plan development architecture developed Capacity Monitoring • Incident response • Project Review • Architecture Review • Day to Day Operations • Security administration • Scoping • Detailed Design planning • KPI reporting on security • Solution Design • Level 4 Support design metrics • Cost Estimation • Define Security requirements • Security architecture • Threat management • Data and Infrastructure Categorization • Security control integration • Preliminary risk assessment • Security test plan design • Ongoing pen and vulnerability • Risk assessment • Security penetration and • Control selection and standard testing • Functional requirements analyses vulnerability testing integration • Determines validity of security • Assurance requirements analyses • Security certification architecture • Control selection and standard • Security accreditation • Determines security process integration • Final risk assessment shortfalls • Determines product successful functionality and shortfalls • Security administration • Security monitoring INPUT SECURITY PLAN FEEDBACK
INFOSECFORCE SLCMP adopted guidelines Starting Point FIPS 199 / SP 800-60 FIPS 200 / SP 800-53 SP 800-37 Security Security Control Categorization Security Control Selection Monitoring Defines category of information Selects minimum security controls (i.e., system according to potential Continuously tracks changes to the safeguards and countermeasures) planned or impact of loss information system that may affect security in place to protect the information system controls and assesses control effectiveness SP 800-53 / FIPS 200 / SP 800-30 SP 800-37 Security Control SLCMP System Refinement Authorization Uses risk assessment to adjust minimum control INPUTS Determines risk to agency operations, agency set based on local conditions, required threat assets, or individuals and, if acceptable, coverage, and specific agency requirements authorizes information system processing SP 800-18 SP 800-53A / SP 800-26 / SP 800-37 SP 800-70 Security Control Security Control Documentation Security Control Assessment Implementation In system security plan, provides a an Determines extent to which the security overview of the security requirements for Implements security controls in controls are implemented correctly, operating the information system and documents the new or legacy information as intended, and producing desired outcome security controls planned or in place systems; implements security with respect to meeting security configuration checklists requirements Source: NIST
INFOSECFORCE SLCMP Benefits SLCMP ROI  Fortified applications or infrastructure projects  Hardened against internal and external attack  Meets regulatory compliance mandates  Enhances IS staff knowledge and capability  Reduces long term costs
INFOSECFORCE Conclusions • 80 % of all attacks on Information Security are directed to the web application layer • 2/3 of all web applications are vulnerable • Infrastructure security doesn’t directly protect code • The cost of fixing defects after deployment is almost one hundred times greater than detecting and eliminating them during design • One of the most significant risk mitigations an organization can implement is to create a consistent end-to-end process such as the SLCMP to embed security and security testing and certification in infrastructure and software development projects
INFOSECFORCE QUESTIONS 38
INFOSECFORCE BACK UP SLIDES
INFOSECFORCE Initiate deliverables Data security Categorization Rate application importance as a low, medium, or high impact application. This is a business impact analyses which defines impact on an organization if security controls are breeched. Leads to proper selection of security controls required. Preliminary risk assessment Measures application/project requirements against policy and provides functional adjustments. Security requirements stated based on preliminary risk and vulnerability assessments. If necessary, requirements document adjusted. Focuses on early assessment of the application's requirements for confidentiality, integrity and availability (CIA)
INFOSECFORCE Develop and design Risk assessment Conducted before the approval of the design specifications. Builds on the initial risk assessment but more specific. Identifies possible threats/vulnerabilities. Determines impact on organization if threat occurred. Identifies imposed risks on other assets. Additional controls needed to prevent identified risks need to be fed back to the development team Security plan Foundation for entire SLCMP process. Ensures all controls, architectures, risk assessments, test requirements, accreditation/assurance and personnel responsibilities are documented. Functional requirements Ensure that enterprise security policy and standards are followed. Determine which laws analyses must be followed by the application. Assurance requirements Determine what level of certification application requires. For example, government analyses applications might require a FISMA C&A.
INFOSECFORCE Develop …..continued Control selection Can refer to security control standards or use a NIST-like Information Security Requirements List to define security environment that an application, service, or project should meet. Security architecture Multi faceted security product linking all controls, standards, policies, governance, platform hooks, data base management, boundary rules and information security science into a cohesive operational CIA security sphere. Likely section of the Security plan. Functional and vulnerability Multi phase technical plan designed to ensure security controls work and that business test plan logic and software are impervious to corruption and manipulation. Will also include penetration test plans. Feeds assurance models. First phase testing Provides developers early high level look at code stability Additional planning RFPs, SOW, Funding, Test lab, software requirements, staff increases, and etc components
INFOSECFORCE Implement deliverables Security control integration Security control settings and switches enabled IAW Security plan and architecture Second phase app security Formalized process to decompile code as much as possible to determine if code has organic exposures violating policy, security design, and the security architecture. Correct testing findings and provide to developers to fix or define mitigating controls. Aspect security has expertise in this area Third phase app security Verifies second phase corrections. Use App security test tool following phase one testing process. Used as final verification that code is stable from INFOSEC perspective testing Security certification Pen testing, third party evaluation, test plan results approved, servers hardened and certified , control effectiveness, governance attestation RMP/Security accreditation End-to-end risk evaluation incorporating all findings in security certification, final information security risk decisions, accreditation document signed
INFOSECFORCE Production deliverables Threat management TM preventive guidance found in security plan. Ongoing oversight of environment entailing constant environmental and risk management vigilance surrounding operational environment. Configuration management Operational process and plan to ensure environment receives current security patches and and control other software preventive updates ensuring application or environment integrity is maintained Continuous monitoring Implement vulnerability management program to regularly assess integrity and availability of the operating environment. Use COSO testing and other vulnerability assessment and control processes to ensure that security processes and procedures work. Incident response plan Local Incident Response Plan will provide process and procedures to rapidly respond to all security events and incidents.
INFOSECFORCE SDLC/PLCMP Deliverables Initiate - Data security categorization - Security Plan - Preliminary risk assessment Design and - Risk assessment - Security architecture develop - Functional and vulnerability - Functional requirements analyses test plan - Assurance requirements - First phase testing - Control selection - Additional planning assignments Implement - Security control integration - Security certification - Security accreditation - Second phase app security testing - Final risk acceptance - Third phase app security testing document Production - Threat management - Configuration management and control - Continuous monitoring - Incident response plan REF: NIST 800-53

More Related Content

PPTX
Secure Coding 101 - OWASP University of Ottawa Workshop
byPaul Ionescu
 
PPTX
Phishing techniques
bySushil Kumar
 
PPTX
Data explosion
byPrachi Gulihar
 
PDF
Mobile Security
byXavier Mertens
 
PPTX
Vulnerabilities in modern web applications
byNiyas Nazar
 
PDF
Mobile Security 101
byLookout
 
PPTX
Basics of Denial of Service Attacks
byHansa Nidushan
 
PPTX
Equifax data breach
bySajib Sen
 
Secure Coding 101 - OWASP University of Ottawa Workshop
byPaul Ionescu
 
Phishing techniques
bySushil Kumar
 
Data explosion
byPrachi Gulihar
 
Mobile Security
byXavier Mertens
 
Vulnerabilities in modern web applications
byNiyas Nazar
 
Mobile Security 101
byLookout
 
Basics of Denial of Service Attacks
byHansa Nidushan
 
Equifax data breach
bySajib Sen
 

What's hot

PDF
The fundamentals of Android and iOS app security
byNowSecure
 
PDF
Secure Coding principles by example: Build Security In from the start - Carlo...
byCodemotion
 
PPTX
mobile application security
by-jyothish kumar sirigidi
 
PDF
Phishing Website Detection by Machine Learning Techniques Presentation.pdf
byVaralakshmiKC
 
PPTX
OWASP Top 10 2021 Presentation (Jul 2022)
byTzahiArabov
 
PPTX
Secure coding practices
byMohammed Danish Amber
 
PPTX
Password Cracking
bySagar Verma
 
PPTX
MITRE ATT&CK framework
byBhushan Gurav
 
PPTX
What is Threat Hunting? - Panda Security
byPanda Security
 
PPTX
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
byLior Rotkovitch
 
PPTX
Man in the middle attack (mitm)
byHemal Joshi
 
PPTX
Static Analysis Security Testing for Dummies... and You
byKevin Fealey
 
PPTX
Owasp top 10 vulnerabilities
byOWASP Delhi
 
PPTX
Memory forensics
bySunil Kumar
 
PPTX
Mobile security
byTapan Khilar
 
PPTX
Presentation-Detecting Spammers on Social Networks
byAshish Arora
 
PPTX
Different Types of Phishing Attacks
bySysCloud
 
PPTX
Siber güvenlik kampı sunumu
byBGA Cyber Security
 
PDF
Secure coding guidelines
byZakaria SMAHI
 
PDF
3. Security Engineering
bySam Bowne
 
The fundamentals of Android and iOS app security
byNowSecure
 
Secure Coding principles by example: Build Security In from the start - Carlo...
byCodemotion
 
mobile application security
by-jyothish kumar sirigidi
 
Phishing Website Detection by Machine Learning Techniques Presentation.pdf
byVaralakshmiKC
 
OWASP Top 10 2021 Presentation (Jul 2022)
byTzahiArabov
 
Secure coding practices
byMohammed Danish Amber
 
Password Cracking
bySagar Verma
 
MITRE ATT&CK framework
byBhushan Gurav
 
What is Threat Hunting? - Panda Security
byPanda Security
 
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
byLior Rotkovitch
 
Man in the middle attack (mitm)
byHemal Joshi
 
Static Analysis Security Testing for Dummies... and You
byKevin Fealey
 
Owasp top 10 vulnerabilities
byOWASP Delhi
 
Memory forensics
bySunil Kumar
 
Mobile security
byTapan Khilar
 
Presentation-Detecting Spammers on Social Networks
byAshish Arora
 
Different Types of Phishing Attacks
bySysCloud
 
Siber güvenlik kampı sunumu
byBGA Cyber Security
 
Secure coding guidelines
byZakaria SMAHI
 
3. Security Engineering
bySam Bowne
 

Similar to Security Lifecycle Management Process

PPT
DEVSECOPS_the_beginning.ppt
byschwarz10
 
PPT
Secure by design and secure software development
byBill Ross
 
PDF
Frontier Secure: Handout for small business leaders on "How to be Secure"
byFrontier Small Business
 
PPTX
Cyberjutitsu101coleevertzfinal 1296250763392-phpapp02
byMark Evertz
 
PPTX
Cyber Threat Jujitsu 101: Acknowledge. Assess. Avoid. Address.
byTripwire
 
PDF
Invited Talk - Cyber Security and Open Source
byhack33
 
PPTX
2011-10 The Path to Compliance
byRaleigh ISSA
 
PPTX
Spiceworld 2011 - AppRiver breakout session
byShane Rice
 
PPTX
Top Application Security Trends of 2012
byDaveEdwards12
 
PPTX
Combating "Smash and Grab" Hacking with Tripwire Cybercrime Controls
byTripwire
 
PDF
Solving the enterprise security challenge - Derek holt
byRoopa Nadkarni
 
PPT
30 it securitythreatsvulnerabilitiesandcountermeasuresv1_2
byGaurav Srivastav
 
PDF
20120329 Cybercrime threats on e-world
byLuc Beirens
 
PPTX
2013 PMA Business Security Insights
bygotopaz
 
PPTX
BUILDING AWARENESS AND AWARENESS PROGRAM - Vasil Tsvimitidze
byDataExchangeAgency
 
PDF
Threats, Threat Modeling and Analysis
byIan G
 
PDF
Watch Guard Reputation Enabled Defense (White Paper)Dna
bySylCotter
 
PDF
Effective Cyber Security: Successful Approaches and Experiences
byInnoTech
 
PDF
5 network-security-threats
byReadWrite
 
PDF
Five Network Security Threats And How To Protect Your Business Wp101112
byErik Ginalick
 
DEVSECOPS_the_beginning.ppt
byschwarz10
 
Secure by design and secure software development
byBill Ross
 
Frontier Secure: Handout for small business leaders on "How to be Secure"
byFrontier Small Business
 
Cyberjutitsu101coleevertzfinal 1296250763392-phpapp02
byMark Evertz
 
Cyber Threat Jujitsu 101: Acknowledge. Assess. Avoid. Address.
byTripwire
 
Invited Talk - Cyber Security and Open Source
byhack33
 
2011-10 The Path to Compliance
byRaleigh ISSA
 
Spiceworld 2011 - AppRiver breakout session
byShane Rice
 
Top Application Security Trends of 2012
byDaveEdwards12
 
Combating "Smash and Grab" Hacking with Tripwire Cybercrime Controls
byTripwire
 
Solving the enterprise security challenge - Derek holt
byRoopa Nadkarni
 
30 it securitythreatsvulnerabilitiesandcountermeasuresv1_2
byGaurav Srivastav
 
20120329 Cybercrime threats on e-world
byLuc Beirens
 
2013 PMA Business Security Insights
bygotopaz
 
BUILDING AWARENESS AND AWARENESS PROGRAM - Vasil Tsvimitidze
byDataExchangeAgency
 
Threats, Threat Modeling and Analysis
byIan G
 
Watch Guard Reputation Enabled Defense (White Paper)Dna
bySylCotter
 
Effective Cyber Security: Successful Approaches and Experiences
byInnoTech
 
5 network-security-threats
byReadWrite
 
Five Network Security Threats And How To Protect Your Business Wp101112
byErik Ginalick
 

More from Bill Ross

DOCX
Cyber Security Command, Control, Communications, Computers Intelligence Surve...
byBill Ross
 
DOCX
Cyber_Warfare_Escalation_to_Nuclear_Warfare_Examination
byBill Ross
 
PPTX
Cyber_Space_is_not_Cyber_Security
byBill Ross
 
DOCX
Infosecforce security services
byBill Ross
 
PPTX
INFOSECFORCE Risk Management Framework Transition Plan
byBill Ross
 
PPT
Security architecture analyses brief 21 april 2015
byBill Ross
 
DOCX
INFOSECFORCE llc security services
byBill Ross
 
PDF
" Soviet Military Doctrine ... a Blueprint for the Future or an Indictment of...
byBill Ross
 
DOCX
Cyber Intelligence Operations Center
byBill Ross
 
DOCX
" The Invisible Person ... the Security Architect "
byBill Ross
 
Cyber Security Command, Control, Communications, Computers Intelligence Surve...
byBill Ross
 
Cyber_Warfare_Escalation_to_Nuclear_Warfare_Examination
byBill Ross
 
Cyber_Space_is_not_Cyber_Security
byBill Ross
 
Infosecforce security services
byBill Ross
 
INFOSECFORCE Risk Management Framework Transition Plan
byBill Ross
 
Security architecture analyses brief 21 april 2015
byBill Ross
 
INFOSECFORCE llc security services
byBill Ross
 
" Soviet Military Doctrine ... a Blueprint for the Future or an Indictment of...
byBill Ross
 
Cyber Intelligence Operations Center
byBill Ross
 
" The Invisible Person ... the Security Architect "
byBill Ross
 

Security Lifecycle Management Process

  • 1.
    INFOSECFORCE Application Security INFOSECFORCE Application Security BILL ROSS 15 Sept 2008 “ Balancing security controls to business requirements “ BILL ROSS 1
  • 2.
    INFOSECFORCE Security and Project Lifecycles Security and Lifecycle Management Process (SLCMP) Said “slickum” A “practitioner’s” view ….. Bill Ross
  • 3.
    INFOSECFORCE Slickum brief objectives  Purpose: - Discuss application security issues - Describe web application information security - To describe a process by which software is securely developed  Expected outcome: - An increased awareness of how to prevent web application attacks - How to implement the SLCMP process into the SDLC - More securely built applications and infrastructure
  • 4.
    INFOSECFORCE What You Need to Know Symantec Internet Security Threat Report, Volume XIV 4
  • 5.
    INFOSECFORCE Operational report  Less rigor in Web programming, an increasing variety of software, and restrictions on Web security testing have combined to make flaws in Web software the most reported security issues, according to the Common Vulnerabilities and Exposures (CVE) project.  Web and business applications are increasingly compromised around the world causing businesses to loose millions of dollars through data compromise  Hacking is no longer for fun …… it is for profit …. Internal or external hackers exploit weaknesses in application code to achieve their objectives.  Symantec 2008 Cyber report indicates there are 1,656, 227 number of new threats in the wild
  • 6.
    INFOSECFORCE Common attack tools 1. Phishing. The use of e-mails that appear to originate from a trusted source to trick a user into entering valid credentials at a fake website. Typically the e-mail and the web site looks like they are part of a bank the user is doing business with. 2. Malicious Code Software (e.g., Trojan horse) that appears to perform a useful or desirable function, but actually gains unauthorized access to system resources or tricks a user into executing other malicious logic. Malware A generic term for a number of different types of malicious code. 3. Spam Electronic junk mail or junk newsgroup postings. 4. Worms. A computer program that can run independently, can propagate a complete working version of itself onto other hosts on a network, and may consume computer resources destructively. 5. Trojan. A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program. 6. Virus. A hidden, self-replicating section of computer software, usually malicious logic, that propagates by infecting - i.e., inserting a copy of itself into and becoming part of - another program. A virus cannot run by itself; it requires that its host program be run to make the virus active. 8. Key stroke logger. Practice of tracking(or logging) the keys struck on a keyboard typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored 9. Denial of service. The prevention of authorized access to a system resource or the delaying of system operations and functions 10. Web application attacks
  • 7.
    INFOSECFORCE “ the Cyber Battle Field” Google China cyber attack part of vast espionage campaign, experts say Computer attacks on Google that the search giant said originated in China were part of a concerted political and corporate espionage effort that exploited security flaws in e-mail attachments to sneak into the networks of major financial, defense and technology companies and research institutions in the United States, security experts said. (New York Times) Washington (DC) - Yesterday, the FBI announced it considers cyber attacks to be the third greatest threat to the security of the United States. The only two preceding it are nuclear war and weapons of mass destruction (WMD). JAN 2009
  • 8.
    INFOSECFORCE Malicious code is installed • In 2008, Symantec blocked an average of more than 245 million attempted malicious code attacks worldwide each month. • Over 60% of Symantec’s malicious code signatures were created in 2008. • Over 90% of threats discovered in 2008 are threats to confidential information. Symantec Internet Security Threat Report
  • 9.
    INFOSECFORCE Key trends “The attacks are more aggressive than ever and they’re more criminal than ever,” says Dave Cole, director of Symantec Security Response. The bad guys are also more organized. The report says they are working together to create “global, cooperative networks” to support their criminal activity. It’s not quite the Mafia, but there is an entire underground economy in place to deal with all the stolen information up for sale.” Web-based Cyber criminals want Increased sophistication Rapid adaptation to malicious activity YOUR information of the Underground security measures has accelerated Economy • Focus on exploits • Primary vector for targeting end-users • Well-established • Relocating operations to malicious activity for financial gain infrastructure for new geographic areas • Target reputable, monetizing stolen • Evade traditional security high-traffic websites information protection Symantec Internet Security Threat Report
  • 10.
    INFOSECFORCE Key Trends – Global Activity • Data breaches can • Documented • Trojans made up 68 • 76% phishing lures target lead to identity theft vulnerabilities up percent of the Financial services (up • Theft and loss top 19% (5491) volume of the top 50 24%) cause of data • Top attacked malicious code • Detected 55,389 phishing leakage for overall vulnerability: • 66% of potential website hosts (up 66%) data breaches and Exploits by malicious code • Detected 192% increase in identities exposed Downadup infections propagated spam across the Internet • Threat activity • 95% vulnerabilities as shared executable with 349.6 billion increases with attacked were client- files messages growth in side • 90% spam email Internet/Broadband distributed by Bot networks usage Internet Security Threat Report
  • 11.
    INFOSECFORCE Website compromise • Attackers locate and compromise a high-traffic site through a vulnerability specific to the site or in a Web application it hosts • Once the site is compromised, attackers modify pages so malicious content is served to visitors Site-specific vulnerabilities Web application vulnerabilities Internet Security Threat Report, 11 11
  • 12.
    INFOSECFORCE Impact of Security Defects Bad Business • On average, there are 5 to 15 defects in every 1,000 lines of code  US Dept. of Defense and the Software Engineering Institute Slow Business • It takes 75 minutes on average to track down one defect. Fixing one of these defects takes 2 to 9 hours each  5 Year Pentagon Study • Researching each of the 4,200 vulnerabilities published by CERT last year for 10 minutes would have required 1 staffer to research for 17.5 full workweeks or 700 hours  Intel White paper, CERT, ICSA Labs Loss of Business • A company with 1,000 servers can spend $300,000 to test & deploy a patch; most companies deploy several patches a week  Gartner Group
  • 13.
    INFOSECFORCE The SDL Reduces the Total Cost of Development The National Institute of Standards and Technology (NIST) estimates that code fixes performed after release can result in 30 times the cost of fixes performed during the design phase.
  • 14.
    INFOSECFORCE Top 10 Web Security Threats Broken authentication Cross-site scripting (XSS) Broken access control Unvalidated input Insecure storage Buffer overflows Improper error handling Injection flaws Insecure configuration management Application denial-of-service SUN
  • 15.
    INFOSECFORCE Web Application Security Threats 1. Unvalidated input (Mother of all Web Tiered Attacks) Attacker can tamper any part of the HTTP request. SQL injection, Cross Site Scripting, buffer overflows(URL, Cookies, Form Fields, Hidden Fields, Headers ) 2. Broken Access Control Insecured IDs, Poor file permissions, Service account exploit, Path Traversal 3. Broken Authentication and Session Management Focus is in USER authentication and user active sessions. Example is if “cookies” not proper protected, attacker can assume the identity of user 4. Cross site scripting Malicious script sent to server which is then sent to user accessing same server (Chat server). User believes script came from trusted source. (Can come in any form of active scripting (Java, Active X, Shockwave, Flash and etc)
  • 16.
    INFOSECFORCE Web Application Security Threats 2 5. Buffer Overflow Errors Attackers use buffer overflows to corrupt the execution stack of a web application By sending carefully crafted input to a web application, an attacker can cause the web application to execute arbitrary code. Present in both the web server or application server products or the web application itself 6. Injection Flaws Injection flaws allow attackers to relay malicious code through a web application to another system. When a web application passes information from an HTTP request through as part of an external request, the attacker can inject special (meta) characters, malicious commands, or command modifiers into the information 7 . Improper Error Handling The most common problem is when detailed internal error messages such as stack traces, database dumps, and error codes are displayed to a potential hacker . These messages reveal implementation details that should never be revealed. 8. Application DOS Types of resources Bandwidth, database connections, disk storage, CPU, memory, threads, or application specific resources. Application level resources impacting
  • 17.
    INFOSECFORCE Attack vector analyses Hacker targets • From observed hacker malicious activity statistics, we know that hackers are now seldom interested in defeating the network or the infrastructure low-level defenses. The adversaries today are well aware of the fact that applications are typically less defended than the rest of the IT infrastructure. A Garner report states “ that over 75% of attacks against websites and web- based applications come at the application layer and not lower infrastructure and network layers.” Source: IBM
  • 18.
    INFOSECFORCE Application security paradox Applications, data and business processes are vulnerable even when a robust network and infrastructure security program is in place. Internet DMZ Trusted IIS ASP .NET Inside SunOne SQL WebSphere Oracle Apache Java DB2 HTTP(S) Corporate IMAP, FTP Firewall only Firewall only Firewall only allow Inside allows PORT 80 allows application server SSH , TELNET (or 443 SSL) applications to talk to POP3, XML traffic from the on the web database server. Internet to the server to talk to web server. application Any – Web server. Server: 80 SOURCE: SPIDYNAMICS
  • 19.
    INFOSECFORCE Hacking the Super Bowl Is nothing sacred anymore ????  Super Bowl exploits “ At last week's RSA Conference in San Francisco, just days after the Super Bowl attack, I sat down with Thompson. On his laptop, he showed me the simple line of Javascript code that pointed Super Bowl site visitors to a known criminal hacker exploit server. Apparently, there was a cross-site scripting error on the official Super Bowl Web site that allowed some criminal hackers to inject a poisoned iFrame command. And it wasn't just the Super Bowl site--it turns out there were several others, mostly healthcare related, including the U.S. Centers for Disease Control “ Source Robert Vamosi Senior editor, CNET Reviews
  • 20.
    INFOSECFORCE How did this happen ? Business engines fueled by multiple and powerful applications
  • 21.
    INFOSECFORCE Expanding “e-com” perimeter Microsoft’s vision for secure and Easy “ anywhere access ” Bill Gates, 2007 RSA
  • 22.
    INFOSECFORCE Expanding “e-com” perimeter Microsoft’s vision for secure Social networks, and I-Pod, I-PAD as a network, peripheral-geddon Easy & “ anywhere access ” “THE CLOUD” Bill Gates, 2007 RSA
  • 23.
    INFOSECFORCE Security coding errors
  • 24.
    INFOSECFORCE Prevent & fortify
  • 25.
    INFOSECFORCE This ….. IBM believes Application Security Strategies Engineering security into application systems is a critical discipline and should be a key component in multi-disciplinary, concurrent or distributed development teams. This applies to the development, integration, operation, administration, maintenance and evolution of e-Business application systems as well as to the development, delivery, and evolution of software-based products. Source: IBM
  • 26.
    INFOSECFORCE Security Business Case Security Defects Matter  Frequent • 3 out of 4 business websites are vulnerable to attack (Gartner)  Pervasive • Majority of hacks occur at the Application level (Gartner) =  Undetected • QA testing tools not designed to detect security defects in applications  Expensive • Bugs and software defects costs the national economy $60 billion annually … delivering quality applications to the 1000 application sample ‘Healthchecks’ with market has become a mandatory requirement AppScan – 98% vulnerable: all had firewalls … the cost of fixing defects after deployment and encryption solutions in place… is almost 100 times greater than detecting and eliminating them during development. SOURCE: Seagate Technology
  • 27.
    INFOSECFORCE Best practice solutions  Application security requirements define the high level specifications for securely developing and deploying applications Application Planning Application Development Prod and Maintenance Minimal set of coding practices  Data Classification – Classify  Input Validation – Validate input  Applications shall be hosted on data according to the sensitivity of from all sources. servers compliant with the corporate the data. Security requirements for IT system  Default deny – Access control  Risk Assessment – Conduct should be based on specific hardening preliminary risk assessment before permission rather than exclusion. development begins and after  Applications classified as planning is complete. Security  By default all access should be sensitive shall at a minimum have Requirements – Identify and denied. document the security requirements annual vulnerability assessments, of the application early in the  Principle of Least Privilege – when a significant change to the development lifecycle. Perform all processes with the least application has occurred, or set of required privileges depending on the data sensitivity  Security Design – Use the Data and risk. Classification process to determine  Quality Assurance – Quality specific security services needed by assurance identifies and eliminates the application software vulnerabilities.  SDLC – Address security within  Perform internal testing – Use all stages of the SDLC. source code auditing, pen testing, manual code review, or automated source code review
  • 28.
    INFOSECFORCE Principles of Secure Programming TARGET THESE AREAS  Minimize attack surface area  Secure defaults  Principle of least privilege  Principle of defense in depth  Fail securely  External systems are insecure  Separation of duties  Do not trust security through obscurity  Simplicity  Fix security issues correctly SUN
  • 29.
    INFOSECFORCE Application security risk analyses Vulnerability Not having a dedicated security program that trains developers to build secure applications, not embedding security into the SDLC, not conducting security testing on applications during and after development, and not having application firewalls Threat Numerous threats such as: - SQL injection, cross site scripting, buffer overflow Risk Multiple avenues of attack on organizational vital information assets Likelihood rating High Risk Impact High rating Overall risk High rating Risk summary High Relevant Hardened infrastructure (will not block port 80 attacks) controls Risk mitigation Follow application security planning, development and production best practices. Build security into all SDLC phases.
  • 30.
    INFOSECFORCE SLCMP Embed information security in the SDLC and PLCMP by applying the practices and procedures defined in SLCMP
  • 31.
    INFOSECFORCE An art form “ Building highly secure software is nothing less than an eloquently choreographed dance that calls upon the talent and skills of the developer, project manager and information security teaming to ensure that an application securely glides with grace across the technical stage ”
  • 32.
    INFOSECFORCE SLCMP and the SDLC …“The Dance” Initiate Design/Develop Implement Production Statement of need Functional Design and Code 1 st phase 2 nd phase QA Pre prod Prod Post Prod for new business requirements technical development prod testing prod testing process, document architecture application or designed developed technology INFOSEC architecture document created based on data security Application and INFOSEC participation categorization, policy, infrastructure in feasibility analyses, application functionality penetration testing no documentation and risk and vulnerability required Server cert assessments Build the System Security Plan Integrate controls and First phase Second phase app security Third phase app Create final Ongoing pen based on NIST 800-53 control create detailed application security testing using formalized security test which risk tests, application security process to decompile code follows phase one guidelines. Preliminary risk and testing. Once code acceptance vulnerability test plan defining as much as possible to testing process. vulnerability assessment done. begins solidifying, Used as final document assessments, Measures requirements against testing tools, use soft tools such as determine if code has verification that risk policy and provides functional timelines, remedial AppScan or Spi organic exposures violating code is stable management adjustments. Security action processes and Dynamics for high policy, security design, and from INFOSEC requirements stated based on testers. Gain level testing. the security architecture. perspective preliminary risk and vulnerability approval from project Feedback findings to Correct findings and provide manager. to developers to fix or define assessments. If necessary, developers for code mitigating controls. Aspect ** Security certification and requirements document adjusted correction security has expertise in this accreditation should be area finalized
  • 33.
    INFOSECFORCE SLCMP Deliverables Initiate Develop Implement Production - Security control integration - Second phase app security - Data security categorization testing - Preliminary risk assessment - Third phase app security testing - Security certification - Security plan - Security accreditation - Risk assessment - Security architecture - Threat management - Functional requirements - Functional and vulnerability - Configuration analyses test plan management and control - Assurance requirements - First phase testing - Continuous monitoring - Control selection - Additional planning - Incident response plan assignments
  • 34.
    INFOSECFORCE SLCMP and the PLCMP Initiate Design/Develop Implement Production Demand manger reviews the request Control selection begins. and categorizes project type as a Defines high level technical Validate designs, validate cost Operations provide operational small, medium, or larger project. and security architecture. estimates, and implement final support for all final solutions and Detailed technical and solutions and designs designs implemented as part of the security design infrastructure. • Architecture • Design security controls • Security architecture • Implementation • Patch management Standards and • Begin organizing security • Design and technical • Change Management • Monitoring Convergence plan development architecture developed Capacity Monitoring • Incident response • Project Review • Architecture Review • Day to Day Operations • Security administration • Scoping • Detailed Design planning • KPI reporting on security • Solution Design • Level 4 Support design metrics • Cost Estimation • Define Security requirements • Security architecture • Threat management • Data and Infrastructure Categorization • Security control integration • Preliminary risk assessment • Security test plan design • Ongoing pen and vulnerability • Risk assessment • Security penetration and • Control selection and standard testing • Functional requirements analyses vulnerability testing integration • Determines validity of security • Assurance requirements analyses • Security certification architecture • Control selection and standard • Security accreditation • Determines security process integration • Final risk assessment shortfalls • Determines product successful functionality and shortfalls • Security administration • Security monitoring INPUT SECURITY PLAN FEEDBACK
  • 35.
    INFOSECFORCE SLCMP adopted guidelines Starting Point FIPS 199 / SP 800-60 FIPS 200 / SP 800-53 SP 800-37 Security Security Control Categorization Security Control Selection Monitoring Defines category of information Selects minimum security controls (i.e., system according to potential Continuously tracks changes to the safeguards and countermeasures) planned or impact of loss information system that may affect security in place to protect the information system controls and assesses control effectiveness SP 800-53 / FIPS 200 / SP 800-30 SP 800-37 Security Control SLCMP System Refinement Authorization Uses risk assessment to adjust minimum control INPUTS Determines risk to agency operations, agency set based on local conditions, required threat assets, or individuals and, if acceptable, coverage, and specific agency requirements authorizes information system processing SP 800-18 SP 800-53A / SP 800-26 / SP 800-37 SP 800-70 Security Control Security Control Documentation Security Control Assessment Implementation In system security plan, provides a an Determines extent to which the security overview of the security requirements for Implements security controls in controls are implemented correctly, operating the information system and documents the new or legacy information as intended, and producing desired outcome security controls planned or in place systems; implements security with respect to meeting security configuration checklists requirements Source: NIST
  • 36.
    INFOSECFORCE SLCMP Benefits SLCMP ROI  Fortified applications or infrastructure projects  Hardened against internal and external attack  Meets regulatory compliance mandates  Enhances IS staff knowledge and capability  Reduces long term costs
  • 37.
    INFOSECFORCE Conclusions • 80 % of all attacks on Information Security are directed to the web application layer • 2/3 of all web applications are vulnerable • Infrastructure security doesn’t directly protect code • The cost of fixing defects after deployment is almost one hundred times greater than detecting and eliminating them during design • One of the most significant risk mitigations an organization can implement is to create a consistent end-to-end process such as the SLCMP to embed security and security testing and certification in infrastructure and software development projects
  • 38.
    INFOSECFORCE QUESTIONS 38
  • 39.
    INFOSECFORCE BACK UP SLIDES
  • 40.
    INFOSECFORCE Initiate deliverables Data security Categorization Rate application importance as a low, medium, or high impact application. This is a business impact analyses which defines impact on an organization if security controls are breeched. Leads to proper selection of security controls required. Preliminary risk assessment Measures application/project requirements against policy and provides functional adjustments. Security requirements stated based on preliminary risk and vulnerability assessments. If necessary, requirements document adjusted. Focuses on early assessment of the application's requirements for confidentiality, integrity and availability (CIA)
  • 41.
    INFOSECFORCE Develop and design Risk assessment Conducted before the approval of the design specifications. Builds on the initial risk assessment but more specific. Identifies possible threats/vulnerabilities. Determines impact on organization if threat occurred. Identifies imposed risks on other assets. Additional controls needed to prevent identified risks need to be fed back to the development team Security plan Foundation for entire SLCMP process. Ensures all controls, architectures, risk assessments, test requirements, accreditation/assurance and personnel responsibilities are documented. Functional requirements Ensure that enterprise security policy and standards are followed. Determine which laws analyses must be followed by the application. Assurance requirements Determine what level of certification application requires. For example, government analyses applications might require a FISMA C&A.
  • 42.
    INFOSECFORCE Develop …..continued Control selection Can refer to security control standards or use a NIST-like Information Security Requirements List to define security environment that an application, service, or project should meet. Security architecture Multi faceted security product linking all controls, standards, policies, governance, platform hooks, data base management, boundary rules and information security science into a cohesive operational CIA security sphere. Likely section of the Security plan. Functional and vulnerability Multi phase technical plan designed to ensure security controls work and that business test plan logic and software are impervious to corruption and manipulation. Will also include penetration test plans. Feeds assurance models. First phase testing Provides developers early high level look at code stability Additional planning RFPs, SOW, Funding, Test lab, software requirements, staff increases, and etc components
  • 43.
    INFOSECFORCE Implement deliverables Security control integration Security control settings and switches enabled IAW Security plan and architecture Second phase app security Formalized process to decompile code as much as possible to determine if code has organic exposures violating policy, security design, and the security architecture. Correct testing findings and provide to developers to fix or define mitigating controls. Aspect security has expertise in this area Third phase app security Verifies second phase corrections. Use App security test tool following phase one testing process. Used as final verification that code is stable from INFOSEC perspective testing Security certification Pen testing, third party evaluation, test plan results approved, servers hardened and certified , control effectiveness, governance attestation RMP/Security accreditation End-to-end risk evaluation incorporating all findings in security certification, final information security risk decisions, accreditation document signed
  • 44.
    INFOSECFORCE Production deliverables Threat management TM preventive guidance found in security plan. Ongoing oversight of environment entailing constant environmental and risk management vigilance surrounding operational environment. Configuration management Operational process and plan to ensure environment receives current security patches and and control other software preventive updates ensuring application or environment integrity is maintained Continuous monitoring Implement vulnerability management program to regularly assess integrity and availability of the operating environment. Use COSO testing and other vulnerability assessment and control processes to ensure that security processes and procedures work. Incident response plan Local Incident Response Plan will provide process and procedures to rapidly respond to all security events and incidents.
  • 45.
    INFOSECFORCE SDLC/PLCMP Deliverables Initiate - Data security categorization - Security Plan - Preliminary risk assessment Design and - Risk assessment - Security architecture develop - Functional and vulnerability - Functional requirements analyses test plan - Assurance requirements - First phase testing - Control selection - Additional planning assignments Implement - Security control integration - Security certification - Security accreditation - Second phase app security testing - Final risk acceptance - Third phase app security testing document Production - Threat management - Configuration management and control - Continuous monitoring - Incident response plan REF: NIST 800-53

Editor's Notes

  • #11 We offer customers choice and flexibility in how they purchase and use our products and services. These range from modular software suites like Symantec Protection Suites for enterprises to all-in-one software products such as Norton 360 for consumers. We have professional services – 4,000 security experts providing everything from advisory to supports services – to Norton Live consumer services. There are a variety of solutions that we offer as a service (SaaS) – from online backup for consumers to messaging security for enterprises. And then there are managed services – from residency to MSS to Norton Live for consumers.
  • #12 Fewer site-specific vulns in 2008 but they still aren’t being patched. Only 394 (3%) patched in 2008 compared to 1,240 (7%) in 2007. The number of site-specific vulns is adding up over time. In 2008, 63% of identified vulnerabilities affected Web applications, an increase over 2007, when 59% did. In 2008 there were a number of high-profile incidents involving SQL injection vulnerabilities. The purpose of these attacks was to inject malicious content into compromised sites that would then attempt to exploit subsequent site visitors. Attackers used a technique that allowed them to dynamically inject malicious content into strings throughout the database without detection. This provided a means of generically exploiting vulnerable applications rather than having to develop application-specific payloads. Messaging: Web servers can be difficult to secure. Patching requires downtime and frequently corporate sites are hosted on third-party server networks. As a result they can frequently be easy targets for attackers. Because of this, Web servers and connected databases need to be continuously monitored for suspicious activity.
  • #27 STEVE ORRIN: All of this should lead you to demand better application security. But, if you still need more facts, lets review some more data points: Web application attacks are now more frequent. In Q1 2002, Sanctum found serious security defects in applications in 100% of the commercial sites we audited; The attacks are more expensive to recover from. Costs to patch are high, and the cost of a lost reputation is impossible to quantify. The attacks are more pervasive. A F50 Sanctum customer found serious security defects in over 700 of its deployed applications Finally, the attacks are growing more dangerous, and they usually go undetected. When we look closer at what was actually able to be manipulated on the sites we audited, it is quite scary. In 31% of the sites, full control and access was achieved. In 25% of the sites, privacy was breached, and in 3% of the sites, the entire site was able to be deleted. These are serious problems. Next slide