You're Going to Need a Bigger Shovel
A Critical Look at Software Security Assurance




Rafal M. Los (“Wh1t3Rabbit”)
Enterprise & Cloud Security Strategist

©2011 Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice
Catch more info from me –

Podcast: http://podcast.wh1t3rabbit.net
Blog: http://hp.com/go/white-rabbit
Twitter: @Wh1t3Rabbit
What Type of Organization Are You?
Be honest with yourself
•   “Get SSA”
•   Randomly Spending $ on “App Sec”
•   Fooling Themselves

3   Enterprise Security – HP Public
App Security vs. Software Security Assurance
•   Application Security (AppSec)
    – “Securing software”
    – Tactical approach, marked by erratic spending
    – Measured to CISO level
    – Tools, tools, tools

•   Software Security Assurance (SSA)
    – Program approach driven by risks
    – Acknowledge there is no such thing as secure software
    – Measured to CIO level as impact on IT performance
    – People & process first, then smart application of technology




Step 1: Assessment
Know where you’re starting
•   Perform a rational assessment of
    – Capabilities
    – Resources
    – Assets
    – Liabilities
    – Organization & structure
    – Organizational goals

•   Be careful of paralysis by analysis
•   Be thorough, but move swiftly


Step 2: Resource Planning
Build resource strategy from your assessment
•   What can you do with what you’ve got?
    – Human resources
    – Technology
    – Time & capital

•   Plan for resource allocation
    – Plan 6, 12, 18, 36 months into the future
    – What is current capacity (workload), and how will it grow over time?
    – Will you in-source, outsource, hybridize or all of the above?
    – Will budgets increase or decrease, and can you leverage your LoB?
    – Do you have the right resources in the right positions to succeed?


Step 3: Intelligent Process Building
Process makes success possible
•   Don’t reinvent the wheel (you probably don’t have to)
    – Leverage existing processes
    – Less friction within the organization
    – How are things being done today? Can you fit in the right controls?

•   Accommodate, align, associate
    – Accommodate processes that LoB is already using
    – Align to others’ goals (remember, they’re not yours …yet)
    – Associate your success to theirs, then vice versa
    – DevOps!

•   Think of the full ALM span (Application Lifecycle Management)

Step 4: Implementation and Technology
Implement, then automate
•   Implement strategically
    – Start small, where failure won’t be noticed
    – Tweak processes and approach as you go
    – Do whatever it takes to make the pilot succeed
    – Shout your success, encourage others to sign on

•   Augment and automate with technology
    – People don’t scale well
    – Ensure the right technology, to the right resources, at the right time
    – Your process must produce consistent, repeatable results
    – Remove burden from the user


Step 5: Measurement and Re-Assessment
Make sure you measure business relevance
•   Measure impact to the business
    – Get beyond “vulnerabilities” and “criticals”
    – Demonstrate risk reduction with less negative business impact
    – Build IT-relevant KPIs
    – “How is your activity contributing to business value?”

•   Re-assess each {quarter | half-year | year} to align goals
    – As business priorities change, so should your program
    – What causes a change in program?
        •   Industry security “climate”
        •   Budget
        •   Technology shifts



Things Everyone Forgets
Things only failure teaches
•    Planning for things you can’t plan for
     – Cloud computing
     – Consumer device adoption

•    Being a smart victim
     – Plan for incident response
     – “Would you know you’ve become a victim?”

•    Adapt to boardroom requirements
     – Business objectives change – learn how to listen
     – Priorities and budgets change

•    What happens after you’ve been promoted?
If this were easy, everyone wouldn’t be getting pwn3d through a 10-year-old bug.



