Software Security Assurance - Bruce Jenkins

© Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
SoftwareSecurityAssurance
Managingriskinthefaceofdigitaltransformation

© Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.2
IT-oLogy Trends 2015 –Columbia, SC
Bruce C Jenkins
CISM, CISSP, CSSLP
Fortify Security Lead
AppSec Program Strategist
Hewlett-Packard Company
Current
 Fortify product and information security
 HP-internal application security program strategy
 Customer-facing appsec workshops and strategy
Former
 Fortify Pro Services, 2007-2011
 US Air Force, 1979-2007
About me

• 2005: USAir Force personnel systembreached;
33Krecords exfiltrated
• 2006: VA employee’s personal external drive stolen;
26M VA records at risk
• 2007-2011: ???
• 2012: Thrift Saving Plan contractor’s systemattacked;
123KSSNs stolen
• 2013: Target POS systemcompromised;
up to 70M customers impacted
• 2014: University of Maryland, 309Krecords;
Home Depot, e-mail, cr cds
• 2015: Several… + Office of Personnel Management, 18M records
About my motivation for developing secure systems…

Let’s talk about risk management…

What is “Security”?

What is “Security”?
Definitions
from The American Heritage® Dictionary of the English Language, 4th Edition
n. Freedom from risk or danger; safety.
n. Freedom from doubt, anxiety, or fear; confidence.
n. Something that gives or assures safety

Security Issue?

“Security is never black and white, and
context matters more than technology”
– Bruce Schneier
Secrets & Lies: Digital Security
in a Networked World
Security Issue?

So… Security Issue?

So… Security Issue?
As you go about the business of developing and enhancing systems
in support of today’s digital transformation, it’s important to keep
findings in perspective. Pay attention to the weeds—youmay need
to eliminate them—but don’t get lostin them.
Maybe

Agenda
Why Software Security is Hard
Creating a Foundation
Building Security In
Lessons Learned

WhySoftwareSecurityisHard

Current solutions protect the perimeter
Yet, 84% of breaches occur in the application software

The number of apps is growing
IN-HOUSE DEVELOPMENTLEGACY SOFTWARE OPEN SOURCEOUTSOURCED COMMERCIAL
PRODUCTION
Increasing platforms and complexity …many delivery models

15
“I just want to be a coder; I’m really not
interested in security.”
– Security Consultant Candidate
Developers are NOT trained to be security experts

Attacks have a proven life cycle
Research
Research potential
targets
Monetization
Data sold
on black market
Infiltration
Phishing attack and
malware
Discovery
Mapping breached
environment
Capture
Obtain data
Exfiltration
Exfiltrate/destroy
stolen data

Attack life cycle risk mitigation
Research
Research Potential
Targets
Monetization
Data sold
on black market
Infiltration
Phishing Attack and
Malware
Discovery
Mapping Breached
Environment
Capture
Obtain data
Exfiltration
Exfiltrate/destroy
Stolen data
Threat intelligence
• Security Research
Block adversary
• Network
• Software
Detect adversary
• SEIM
• UBA
Protect data
• At rest
• In motion
Mitigate damage
• Breach Response

median time to detect breach205days
2013 January February March April May June July August September October November December 2014 January February March April
Source:Mandiant M-Trends 2015Threat Report

Conflicting views over the priority of security
1 Source: Osterman Research White Paper, Jan 2015

Top challenges in achieving software security goals*
Source:Gatepoint Research Pulse Report,Oct 2014
n = 300 executives
*Read as: software security assurance (SSA) program goals

© Copyright2015 Hewlett-Packard Development Company, L.P. Theinformation contained herein issubject to change withoutnotice.
“Itisnecessarythatpeopleworktogether
inunisontowardcommonobjectivesand
avoidworkingatcrosspurposesat all
levelsifthe ultimateinefficiencyand
achievementisto beobtained.”
Dave Packard
Co-founder,Hewlett-Packard

CreatingaFoundation

Obtain stakeholder alignment with a common vision
• Establish security-related goals that
are directly tied to the firm’s mission
Mission
Goals
Objectives
Strategy
m m m KPI
Policy
Standards
Training

Example: Hewlett-Packard Co
Profit
Customer Loyalty
Growth
Market Leadership
Commitment to
Employees
Leadership
Capability
Global Citizenship
Hewlett-Packard
...
Goal 1
......
Goal n
HPSoftware
...
Goal 1
...
Goal n
Fortify
…
Security Goal 1
………
Security Goal n
Security Group
Goal 1
.........
Ent. Security
...
Goal n
See HP’s Corporate Objectivesat http://www8.hp.com/us/en/hp-information/about-hp/corporate-objectives.html

Profit
Customer Loyalty
Growth
Market Leadership
Commitment to
Employees
Leadership
Capability
Global Citizenship
Hewlett-Packard
...
Goal 1
......
Goal n
HPSoftware
Goal 1
.........
Ent. Security
...
Goal 1
...
Goal n
Fortify
…
Security Goal 1
………
Security Goal n
Security Group
...
Goal n

Profit
Customer Loyalty
Growth
Market Leadership
Commitment to
Employees
Leadership
Capability
Global Citizenship
Hewlett-Packard
...
Goal 1
......
Goal n
HPSoftware
Goal 1
.........
Ent. Security
...
Goal 1
...
Goal n
Fortify
…
Security Goal 1
………
Security Group
...
Goal n Security Goal n

Example: Private SectorFinancial
Corp Mission Statement
Goal 1
Goal 2
Goal 3
Protect our customers’ data
Goal n

Goal 1
Goal 2
Goal 3
Goal n
Corp Security Group
Security Goal 1
Security Goal 2
Security Goal 3
Security Goal n

Goal 1
Goal 2
Goal 3
Goal n
Corp Security Group
Security Goal 1
Security Goal 2
Security Goal 3
Security Goal n
Proactively identify
and mitigateriskin
all Mission Critical
applications

BuildingSecurityIn

Consider using a software security framework (SSF)as a guide
• Develop a security strategy that is designed to
support achievement of the security goal(s)
Mission
Goals
Objectives
Strategy
m m m KPI
Policy
Standards
Training

© Copyright2015 Hewlett-Packard Development Company, L.P. Theinformation contained herein issubject to change withoutnotice.
“There are knownknowns. These are things
weknowthat we know.Thereareknown
unknowns.Thatisto say,there arethings
thatweknowwedon'tknow.But there are
also unknownunknowns. There are things
wedon't knowwedon't know.
Donald Rumsfeld
FormerUS Secretary ofDefence

Design Construct Test Deploy
Establish a security gate to understand security posture of portfolio
Security Gate
Governance
• Strategy and Metrics
• Policy and Compliance
• Education and Guidance
Construction
• Security Requirements
• Threat Assessment
• Security Architecture
Verification
• Design Review
• Implementation Review
• Security testing
Operations
• Environment Hardening
• Issue Management
• Operational Enablement

With assessment results available, the unknown is known
• Based upon business priorities and portfolio risk*,
design time-constrained, measurable objectives
• Only choosemetrics and constructKPI’s that show
progress toward meeting the objectives; nothing else
*portfolio isknown, classified and risk-ranked
Mission
Goals
Objectives
Strategy
m m m KPI
Policy
Standards
Training

Measure thoughtfully
• Based upon business priorities and portfolio risk*,
design time-constrained, measurable objectives
• Only choosemetrics and constructKPI’s that show
progress toward meeting the objectives; nothing else
*portfolio isknown, classified and risk-ranked
Mission
Goals
Objectives
Strategy
m m m KPI
Policy
Standards
Training

Building Security In: Lessons Learned
• Complex problems with complex solutions
• All organizational levels must be made aware of the risks associated with
software vulnerabilities
• No education / training == unmet expectations
Awareness, Education and Training

• Before assessment,establish policies and set expectations
• Ensure that policies and expectations are communicated to all stakeholders
• Consistently enforce policies and measure expectation achievement
Clear Communication Regarding Security

• Network Security / Information Assurance people are not software security people
• Development background is a necessity
• Even with a development background, extensive training and experience is needed
Software Security is a Unique Skill Set

• Network Security / Information Assurance people are not software security people
• Development background is a necessity
• Even with a development background, extensive training and experience is needed
• Developers should NOT be expected to be security experts
Software Security is a Unique Skill Set

Summary
• Workto gain and maintain executive-levelsupport
• Developsecuritygoals, strategy& objectives
• Train staffto comply withpolicy
• Use technologyappropriately
• Measure,report,adjust
Managing risk in the face of digital transformation

Thankyou
hp.com/go/fortifyssa
Bruce C Jenkins
bcj@hpe.com

Software Security Assurance - Bruce Jenkins

More Related Content

Viewers also liked

Similar to Software Security Assurance - Bruce Jenkins

More from IT-oLogy

Recently uploaded

Software Security Assurance - Bruce Jenkins