© 2015 Denim Group – All Rights Reserved
Structuring and Scaling an Application Security Program
Dan Cornell
@danielcornell
My Background
•  Dan Cornell, founder and CTO of Denim Group
•  Software developer by background (Java, .NET, etc.)
•  OWASP San Antonio
Denim Group Background
•  Secure software services and products company
•  Builds secure software
•  Helps organizations assess and mitigate risk of in-house developed and third party software
•  Provides classroom training and e-Learning so clients can build software securely
•  Software-centric view of application security
•  Application security experts are practicing developers
•  Development pedigree translates to rapport with development managers
•  Business impact: shorter time-to-fix application vulnerabilities
•  Culture of application security innovation and contribution
•  Develops open source tools to help clients mature their software security programs
•  Remediation Resource Center, ThreadFix
•  OWASP national leaders & regular speakers at RSA, SANS, OWASP, ISSA, CSI
•  World class alliance partners accelerate innovation to solve client problems
So You Want To Roll Out a Software Security Program?
•  Great!
•  What a software security program ISN’T
•  Question: “What are you doing to address software security concerns?”
•  Answer: “We bought scanner XYZ”
•  What a software security program IS
•  People, process, tools (naturally)
•  Set of activities intended to repeatedly produce appropriately-secure software
Challenges Rolling Out Software Security Programs
•  Resources
•  Raw budget and cost issues
•  Level of effort issues
•  Resistance: requires organizational change
•  Apparently people hate this
•  Open source tools
•  Can help with raw budget issues
•  May exacerbate problems with level of effort
•  View the rollout as a multi-stage process
•  Not one magical effort
•  Use short-term successes and gains to fuel further change
You can’t defend unknown attack surface
If everything is important then nothing is important
[Translation]
Find out what applications you have in your organization
Decide the relative importance of applications and treat them differently based on this
What Is Your Software Attack Surface?
Software You Currently Know About
Why?
•  Lots of value flows through it
•  Auditors hassle you about it
•  Formal SLAs with customers mention it
•  Bad guys found it and caused an incident (oops)
What?
•  Critical legacy systems
•  Notable web applications
What Is Your Software Attack Surface?
Add In the Rest of the Web Applications You Actually Develop and Maintain
Why Did You Miss Them?
•  Forgot it was there
•  Line of business procured through non-standard channels
•  Picked it up through a merger / acquisition
What?
•  Line of business applications
•  Event-specific applications
What Is Your Software Attack Surface?
Add In the Software You Bought from Somewhere
Why Did You Miss Them?
•  Most scanners only really work on web applications, so no vendors pester you about your non-web applications
•  Assume the application vendor is handling security
What?
•  More line of business applications
•  Support applications
•  Infrastructure applications
What Is Your Software Attack Surface?
MOBILE!
THE CLOUD!
Why Did You Miss Them?
•  Any jerk with a credit card and the ability to submit an expense report now runs their own private procurement office
What?
•  Support for line of business functions
•  Marketing and promotion
Attack Surface: The Security Officer’s Journey
•  Two Dimensions:
•  Perception of Software Attack Surface
•  Insight into Exposed Assets
[Chart, built up over slides 12 to 26: two axes, Perception and Insight, with the attack surface categories Web Applications, Client-Server Applications, Desktop Applications, Cloud Applications and Services, and Mobile Applications added one at a time]
•  As perception of the problem of attack surface widens, the scope of the problem increases
•  Discovery activities increase insight
•  Over time you end up with a progression
•  When you reach this point it is called “enlightenment”
•  You won’t reach this point
Value and Risk Are Not Equally Distributed
•  Some Applications Matter More Than Others
•  Value and character of data being managed
•  Value of the transactions being processed
•  Cost of downtime and breaches
•  Therefore All Applications Should Not Be Treated the Same
•  Allocate different levels of resources to assurance
•  Select different assurance activities
•  Also must often address compliance and regulatory requirements
Do Not Treat All Applications the Same
•  Allocate Different Levels of Resources to Assurance
•  Select Different Assurance Activities
•  Also Must Often Address Compliance and Regulatory Requirements
What Goes Into An Application Test?
[Diagram, built up over slides 29 to 34: an application test decomposed level by level]
•  An Application Test
    •  Dynamic Analysis
        •  Automated Application Scanning
            •  Unauthenticated Automated Scan
            •  Authenticated Automated Scan
        •  Manual Application Testing
            •  Blind Penetration Testing
            •  Informed Manual Testing
    •  Static Analysis
        •  Automated Static Analysis
            •  Automated Source Code Scanning
            •  Automated Binary Analysis
        •  Manual Static Analysis
            •  Manual Source Code Review
            •  Manual Binary Analysis
How To Allocate Scarce Resources?
•  What Do You HAVE To Do?
•  What discretion do you have within these constraints?
•  What Is Left Over?
•  Strategies
•  Breadth-first
•  Depth-first
•  Hybrid
Breadth-First
•  Do Base-level Security Testing of Everything
•  Well, everything you can find
•  And everything you test with automation
•  Automation is key
•  Understand the limitations
•  Some applications cannot be effectively scanned
•  Often scans are unauthenticated
•  Whole classes of vulnerabilities are out of testing scope
Depth-First
•  Do Deeper Testing of Critical Applications
•  Typically Combination of Automation and Manual Testing
•  Understand the Limitations
•  Some applications remain unexamined
•  And breaches to those applications put shared resources and infrastructure at risk
Hybrid
•  Combination of Automation and Manual Testing Across Portfolio
•  This is where most organizations end up
•  Often because of regulatory and compliance mandates
•  Know Your Gaps
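Worked example, added here and not from the deck: a toy Python model that tiers a constructed portfolio by the criteria on the "Value and Risk Are Not Equally Distributed" slide (data value, transaction value, cost of downtime, compliance), funds activities from the application-test tree under a fixed effort budget using the breadth-first, depth-first and hybrid strategies above, and lists the gaps each strategy leaves. The tier thresholds, activity costs, budget and sample applications are all assumptions.

```python
from dataclasses import dataclass

# Leaves of the "What Goes Into An Application Test?" tree with constructed
# relative effort costs per application (assumed figures, not from the deck).
COST = {
    "unauthenticated automated scan": 1,
    "authenticated automated scan": 2,
    "automated source code scanning": 2,
    "blind penetration testing": 6,
    "informed manual testing": 10,
    "manual source code review": 12,
}
BASE = ["unauthenticated automated scan"]  # the breadth-first floor
TARGET = {  # assumed mapping from tier to the assurance activities it warrants
    "low": BASE,
    "important": BASE + ["authenticated automated scan",
                         "automated source code scanning"],
    "critical": list(COST),
}


@dataclass(frozen=True)
class App:
    name: str
    data_value: int     # 1-5: value and character of the data managed
    txn_value: int      # 1-5: value of the transactions processed
    downtime_cost: int  # 1-5: cost of downtime and breaches
    regulated: bool     # a compliance or regulatory mandate applies
    scannable: bool     # some applications cannot be effectively scanned

    @property
    def score(self):
        return self.data_value + self.txn_value + self.downtime_cost


def tier(app):
    """Assumed tiering rule: sum the three value dimensions; a regulatory
    mandate lifts an otherwise low-value application to 'important'."""
    t = "critical" if app.score >= 12 else "important" if app.score >= 8 else "low"
    return "important" if (app.regulated and t == "low") else t


def plan(apps, strategy, budget):
    """Allocate activities under `budget` with 'breadth', 'depth' or 'hybrid'.
    Returns (assigned, gaps, spent). Only inventoried apps can be covered:
    you can't defend unknown attack surface."""
    assigned = {a.name: [] for a in apps}
    gaps, spent = [], 0
    by_value = sorted(apps, key=lambda a: a.score, reverse=True)

    def fund(app, wanted):
        nonlocal spent
        if not app.scannable:  # only manual work is possible here
            wanted = [x for x in wanted if "scan" not in x]
        extra = [x for x in wanted if x not in assigned[app.name]]
        cost = sum(COST[x] for x in extra)
        if not extra:
            return True
        if spent + cost > budget:
            return False
        assigned[app.name] += extra
        spent += cost
        return True

    if strategy in ("breadth", "hybrid"):   # base-level testing of everything
        for a in by_value:
            if not a.scannable:
                gaps.append(f"{a.name}: cannot be effectively scanned")
            elif not fund(a, BASE):
                gaps.append(f"{a.name}: base-level scan unfunded")
    if strategy in ("depth", "hybrid"):     # deeper testing, most valuable first
        for a in by_value:
            if strategy == "depth" and tier(a) != "critical":
                continue
            if not fund(a, TARGET[tier(a)]):
                gaps.append(f"{a.name}: {tier(a)}, deeper testing unfunded")
    for a in apps:                          # "Know Your Gaps"
        if not assigned[a.name]:
            gaps.append(f"{a.name}: unexamined ({tier(a)}), a breach here "
                        "puts shared infrastructure at risk")
    return assigned, gaps, spent


# Constructed sample portfolio (hypothetical applications).
PORTFOLIO = [
    App("payments", 5, 5, 5, True, True),
    App("customer-portal", 4, 3, 4, True, True),
    App("hr-desktop-client", 4, 1, 2, True, False),
    App("marketing-microsite", 1, 1, 1, False, True),
    App("event-registration", 2, 1, 1, False, True),
]

if __name__ == "__main__":
    for strat in ("breadth", "depth", "hybrid"):
        assigned, gaps, spent = plan(PORTFOLIO, strat, budget=40)
        print(f"== {strat}: {spent} effort units ==")
        for name, acts in assigned.items():
            print(f"  {name:22} {', '.join(acts) or '-'}")
        for g in gaps:
            print("  GAP:", g)
```

With the constructed budget of 40, breadth-first spends 4 units and leaves the unscannable desktop client uncovered, depth-first spends 33 on the single critical application and leaves four applications unexamined, and hybrid exhausts the budget while still reporting the desktop client as a gap.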
You can’t defend unknown attack surface
If everything is important then nothing is important
[Translation]
Find out what applications you have in your organization
Decide the relative importance of applications and treat them differently based on this
Software Assurance Maturity Model (OpenSAMM)
•  Open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization
•  Useful for:
•  Evaluating an organization’s existing software security practices
•  Building a balanced software security program in well-defined iterations
•  Demonstrating concrete improvements to a security assurance program
•  Defining and measuring security-related activities within an organization
•  Main website:
•  http://www.opensamm.org/
Using OpenSAMM You Can…
•  Evaluate an organization’s existing software security practices
•  Build a balanced software security assurance program in well-defined iterations
•  Demonstrate concrete improvements to a security assurance program
•  Define and measure security-related activities throughout an organization
[This slide content © Pravir Chandra]
Review of Existing Secure SDLC Efforts
[This slide content © Pravir Chandra]
CLASP
•  Comprehensive, Lightweight Application Security Process
•  Centered around 7 AppSec Best Practices
•  Cover the entire software lifecycle (not just development)
•  Adaptable to any development process
•  Defines roles across the SDLC
•  24 role-based process components
•  Start small and dial-in to your needs
[This slide content © Pravir Chandra]
Microsoft SDL
•  Built internally for MS software
•  Extended and made public for others
•  MS-only versions since public release
[This slide content © Pravir Chandra]
Touchpoints
•  Gary McGraw’s and Cigital’s model
[This slide content © Pravir Chandra]
Lessons Learned
•  Microsoft SDL
•  Heavyweight, good for large ISVs
•  Touchpoints
•  High-level, not enough details to execute against
•  CLASP
•  Large collection of activities, but no priority ordering
•  ALL: Good for experts to use as a guide, but hard for non-security folks to use off the shelf
[This slide content © Pravir Chandra]
Drivers for a Maturity Model
•  An organization’s behavior changes slowly over time
•  Changes must be iterative while working toward long-term goals
•  There is no single recipe that works for all organizations
•  A solution must enable risk-based choices tailored to the organization
•  Guidance related to security activities must be prescriptive
•  A solution must provide enough details for non-security people
•  Overall, must be simple, well-defined, and measurable
[This slide content © Pravir Chandra]
Therefore, a Viable Model Must...
•  Define building blocks for an assurance program
•  Delineate all functions within an organization that could be improved over time
•  Define how building blocks should be combined
•  Make creating change in iterations a no-brainer
•  Define details for each building block clearly
•  Clarify the security-relevant parts in a widely applicable way (for any org doing software dev)
[This slide content © Pravir Chandra]
Understanding the Model
[This slide content © Pravir Chandra]
SAMM Business Functions
•  Start with the core activities tied to any organization performing software development
•  Named generically, but should resonate with any developer or manager
[This slide content © Pravir Chandra]
SAMM Security Practices
•  From each of the Business Functions, 3 Security Practices are defined
•  The Security Practices cover all areas relevant to software security assurance
•  Each one is a silo for improvement
[This slide content © Pravir Chandra]
Under Each Security Practice
•  Three successive Objectives under each Practice define how it can be improved over time
•  This establishes a notion of a Level at which an organization fulfills a given Practice
•  The three Levels for a Practice generally correspond to:
•  (0: Implicit starting point with the Practice unfulfilled)
•  1: Initial understanding and ad hoc provision of the Practice
•  2: Increase efficiency and/or effectiveness of the Practice
•  3: Comprehensive mastery of the Practice at scale
[This slide content © Pravir Chandra]
Check Out This One...
[This slide content © Pravir Chandra]
Per Level, SAMM Defines...
•  Objective
•  Activities
•  Results
•  Success Metrics
•  Costs
•  Personnel
•  Related Levels
[This slide content © Pravir Chandra]
Approach to Iterative Improvement
•  Since the twelve Practices are each a maturity area, the successive Objectives represent the building blocks for any assurance program
•  Simply put, improve an assurance program in phases by:
1.  Select security Practices to improve in next phase of assurance program
2.  Achieve the next Objective in each Practice by performing the corresponding Activities at the specified Success Metrics
[This slide content © Pravir Chandra]
Applying the Model
[This slide content © Pravir Chandra]
Conducting Assessments
•  SAMM includes assessment worksheets for each Security Practice
[This slide content © Pravir Chandra]
Assessment Process
•  Supports both lightweight and detailed assessments
•  Organizations may fall in between levels (+)
[This slide content © Pravir Chandra]
Creating Scorecards
•  Gap analysis
•  Capturing scores from detailed assessments versus expected performance levels
•  Demonstrating improvement
•  Capturing scores from before and after an iteration of assurance program build-out
•  Ongoing measurement
•  Capturing scores over consistent time frames for an assurance program that is already in place
[This slide content © Pravir Chandra]
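Added example, not part of Pravir Chandra's slides or the OpenSAMM project: a small Python scorecard that parses worksheet levels (including the "+" in-between mark from the assessment process), computes the gap analysis against expected performance levels, reports movement between two assessments, and selects the Practices for the next phase of the iterative approach above. The twelve Practice names are SAMM 1.0's; every score and target is constructed.

```python
# SAMM 1.0: four Business Functions with three Security Practices each.
PRACTICES = {
    "Governance":   ["Strategy & Metrics", "Policy & Compliance",
                     "Education & Guidance"],
    "Construction": ["Threat Assessment", "Security Requirements",
                     "Secure Architecture"],
    "Verification": ["Design Review", "Code Review", "Security Testing"],
    "Deployment":   ["Vulnerability Management", "Environment Hardening",
                     "Operational Enablement"],
}
ALL_PRACTICES = [p for group in PRACTICES.values() for p in group]


def parse_level(text):
    """Levels are 0..3; a trailing '+' (e.g. '1+') records an organization
    that falls in between Levels, scored here as a half step (assumption)."""
    text = text.strip()
    plus = text.endswith("+")
    level = int(text[:-1] if plus else text)
    if not 0 <= level <= 3 or (plus and level == 3):
        raise ValueError(f"invalid SAMM level {text!r}")
    return level + (0.5 if plus else 0)


def format_level(value):
    whole = int(value)
    return f"{whole}+" if value != whole else str(whole)


def load_scorecard(raw):
    """raw maps Practice -> level string captured from the assessment
    worksheets; all twelve Practices must be present so no gap is hidden."""
    missing = [p for p in ALL_PRACTICES if p not in raw]
    if missing:
        raise ValueError(f"unscored practices: {missing}")
    return {p: parse_level(raw[p]) for p in ALL_PRACTICES}


def gap_analysis(scores, targets):
    """Expected performance level minus current level, for Practices below target."""
    return {p: targets[p] - scores[p] for p in ALL_PRACTICES if scores[p] < targets[p]}


def improvement(before, after):
    """Movement between two assessments; negative values are regressions
    that the scorecard should surface rather than average away."""
    return {p: after[p] - before[p] for p in ALL_PRACTICES if after[p] != before[p]}


def next_phase(scores, targets, max_practices):
    """Iterative improvement: choose the Practices furthest below target and
    set the next whole Objective (Level) for each, one Level per phase."""
    gaps = gap_analysis(scores, targets)
    ranked = sorted(gaps, key=lambda p: (-gaps[p], ALL_PRACTICES.index(p)))
    return {p: int(scores[p]) + 1 for p in ranked[:max_practices]}


# Constructed assessments for a hypothetical organization.
BASELINE = load_scorecard({
    "Strategy & Metrics": "1", "Policy & Compliance": "1+",
    "Education & Guidance": "0", "Threat Assessment": "0",
    "Security Requirements": "1", "Secure Architecture": "1",
    "Design Review": "0", "Code Review": "1+", "Security Testing": "2",
    "Vulnerability Management": "1", "Environment Hardening": "2",
    "Operational Enablement": "1",
})
AFTER_PHASE_1 = {**BASELINE, "Education & Guidance": 1, "Threat Assessment": 1,
                 "Design Review": 0.5, "Security Testing": 1.5}
TARGETS = {p: 2 for p in ALL_PRACTICES}
TARGETS.update({"Security Testing": 3, "Vulnerability Management": 3})

if __name__ == "__main__":
    for function, practices in PRACTICES.items():
        row = ", ".join(f"{p} {format_level(BASELINE[p])}" for p in practices)
        print(f"{function:13} {row}")
    print("Gaps:", gap_analysis(BASELINE, TARGETS))
    print("Next phase:", next_phase(BASELINE, TARGETS, 3))
    print("Change after phase 1:", improvement(BASELINE, AFTER_PHASE_1))
```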
Roadmap Templates
•  To make the building blocks usable, SAMM defines Roadmap templates for typical kinds of organizations
•  Independent Software Vendors
•  Online Service Providers
•  Financial Services Organizations
•  Government Organizations
•  Organization types chosen because
•  They represent common use-cases
•  Each organization has variations in typical software-induced risk
•  Optimal creation of an assurance program is different for each
[This slide content © Pravir Chandra]
Building Assurance Programs
[This slide content © Pravir Chandra]
Case Studies
•  A full walkthrough with prose explanations of decision-making as an organization improves
•  Each Phase described in detail
•  Organizational constraints
•  Build/buy choices
•  One case study exists today, several more in progress using industry partners
[This slide content © Pravir Chandra]
Exploring the Model’s Levels and Activities
[This slide content © Pravir Chandra]
The SAMM 1.0 release
[This slide content © Pravir Chandra]
SAMM and the Real World
[This slide content © Pravir Chandra]
SAMM History
•  Beta released August 2008
•  1.0 released March 2009
•  Originally funded by Fortify
•  Still actively involved and using this model
•  Released under a Creative Commons Attribution Share-Alike license
•  Donated to OWASP and is currently an OWASP project
[This slide content © Pravir Chandra]
Expert Contributions
•  Built based on collected experiences with 100’s of organizations
•  Including security experts, developers, architects, development managers, IT managers
[This slide content © Pravir Chandra]
Industry Support
•  Several more case studies underway
[This slide content © Pravir Chandra]
The OpenSAMM Project
•  http://www.opensamm.org
•  Dedicated to defining, improving, and testing the SAMM framework
•  Always vendor-neutral, but lots of industry participation
•  Open and community driven
•  Targeting new releases every 6-12 months
•  Change management process
•  SAMM Enhancement Proposals (SEP)
[This slide content © Pravir Chandra]
OpenSAMM Resources
•  Nick Coblentz - SAMM Assessment Interview Template (xls/googledoc)
•  Christian Frichot - SAMM Assessment Spreadsheet (xls)
•  Colin Watson - Roadmap Chart Template (xls)
•  Jim Weiler - MS Project Plan Template (mpp)
•  Denim Group – ThreadFix (web application)
[This slide content © Pravir Chandra]
Quick Recap on Using SAMM
•  Evaluate an organization’s existing software security practices
•  Build a balanced software security assurance program in well-defined iterations
•  Demonstrate concrete improvements to a security assurance program
•  Define and measure security-related activities throughout an organization
[This slide content © Pravir Chandra]
The Problems of Scale
•  Too many applications
•  Too many developers
•  Not enough security professionals
•  Everything moves too fast:
•  Releases
•  New technologies (i.e. mobile, cloud)
Some Approaches to Scale
•  Automate everything you possibly can
•  But realize you can’t automate everything
•  Asymmetric warfare
•  Identify security champions on development teams and have them spread the word
•  Track metrics
•  Learn what works and what does not
•  Put yourself in a position to better characterize application security risks alongside network/infrastructure security risks (and all the other risks in a scary and ever-changing world)
Questions / Contact Information
Dan Cornell
Principal and CTO
dan@denimgroup.com
Twitter @danielcornell
(844) 572-4400
www.denimgroup.com
www.threadfix.org
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
Denim Group
 
Using 80 20 rule in application security management
Using 80 20 rule in application security managementUsing 80 20 rule in application security management
Using 80 20 rule in application security management
DaveEdwards12
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
Denim Group
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Denim Group
 
An Inside Look at a Sophisticated Multi-Vector DDoS Attack
An Inside Look at a Sophisticated Multi-Vector DDoS AttackAn Inside Look at a Sophisticated Multi-Vector DDoS Attack
An Inside Look at a Sophisticated Multi-Vector DDoS Attack
Imperva Incapsula
 
Threat Modeling for IoT Systems
Threat Modeling for IoT SystemsThreat Modeling for IoT Systems
Threat Modeling for IoT Systems
Denim Group
 
WeSecure Data Security Congres: 5 must haves to safe cloud enablement
WeSecure Data Security Congres: 5 must haves to safe cloud enablementWeSecure Data Security Congres: 5 must haves to safe cloud enablement
WeSecure Data Security Congres: 5 must haves to safe cloud enablement
WeSecure
 
Application Security Testing for a DevOps Mindset
Application Security Testing for a DevOps Mindset  Application Security Testing for a DevOps Mindset
Application Security Testing for a DevOps Mindset
Denim Group
 

Similar to Structuring and Scaling an Application Security Program (20)

Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team Sport
 
Application Asset Management with ThreadFix
 Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFix
 
The savvy security leader final dg ppt issa_la
The savvy security leader final dg ppt issa_laThe savvy security leader final dg ppt issa_la
The savvy security leader final dg ppt issa_la
 
How to Integrate AppSec Testing into your DevOps Program
How to Integrate AppSec Testing into your DevOps Program How to Integrate AppSec Testing into your DevOps Program
How to Integrate AppSec Testing into your DevOps Program
 
Application Hackers Have A Handbook. Why Shouldn't You?
Application Hackers Have A Handbook. Why Shouldn't You?Application Hackers Have A Handbook. Why Shouldn't You?
Application Hackers Have A Handbook. Why Shouldn't You?
 
Reducing Attack Surface in Budget Constrained Environments
Reducing Attack Surface in Budget Constrained EnvironmentsReducing Attack Surface in Budget Constrained Environments
Reducing Attack Surface in Budget Constrained Environments
 
Improve the Security of Your Application Portfolio in a Few Days with On-Dema...
Improve the Security of Your Application Portfolio in a Few Days with On-Dema...Improve the Security of Your Application Portfolio in a Few Days with On-Dema...
Improve the Security of Your Application Portfolio in a Few Days with On-Dema...
 
How is Your AppSec Program Doing Compared to Others
How is Your AppSec Program Doing Compared to OthersHow is Your AppSec Program Doing Compared to Others
How is Your AppSec Program Doing Compared to Others
 
Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...
Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...
Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
 
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
 
Using 80 20 rule in application security management
Using 80 20 rule in application security managementUsing 80 20 rule in application security management
Using 80 20 rule in application security management
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
 
An Inside Look at a Sophisticated Multi-Vector DDoS Attack
An Inside Look at a Sophisticated Multi-Vector DDoS AttackAn Inside Look at a Sophisticated Multi-Vector DDoS Attack
An Inside Look at a Sophisticated Multi-Vector DDoS Attack
 
Threat Modeling for IoT Systems
Threat Modeling for IoT SystemsThreat Modeling for IoT Systems
Threat Modeling for IoT Systems
 
WeSecure Data Security Congres: 5 must haves to safe cloud enablement
WeSecure Data Security Congres: 5 must haves to safe cloud enablementWeSecure Data Security Congres: 5 must haves to safe cloud enablement
WeSecure Data Security Congres: 5 must haves to safe cloud enablement
 
Application Security Testing for a DevOps Mindset
Application Security Testing for a DevOps Mindset  Application Security Testing for a DevOps Mindset
Application Security Testing for a DevOps Mindset
 

More from Denim Group

Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4J
Denim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Denim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
Denim Group
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT Systems
Denim Group
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Denim Group
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFix
Denim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
Denim Group
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
Denim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
Denim Group
 
AppSec in a World of Digital Transformation
 AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
Denim Group
 
Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...
Denim Group
 
An OWASP SAMM Perspective on Serverless Computing
An OWASP SAMM Perspective on Serverless ComputingAn OWASP SAMM Perspective on Serverless Computing
An OWASP SAMM Perspective on Serverless Computing
Denim Group
 
Optimize Your Security Program with ThreadFix 2.7
Optimize Your Security Program with ThreadFix 2.7Optimize Your Security Program with ThreadFix 2.7
Optimize Your Security Program with ThreadFix 2.7
Denim Group
 
Securing Voting Infrastructure before the Mid-Term Elections
Securing Voting Infrastructure before the Mid-Term ElectionsSecuring Voting Infrastructure before the Mid-Term Elections
Securing Voting Infrastructure before the Mid-Term Elections
Denim Group
 
Understanding IoT Security: How to Quantify Security Risk of IoT Technologies
Understanding IoT Security: How to Quantify Security Risk of IoT TechnologiesUnderstanding IoT Security: How to Quantify Security Risk of IoT Technologies
Understanding IoT Security: How to Quantify Security Risk of IoT Technologies
Denim Group
 

More from Denim Group (17)

Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4J
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT Systems
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFix
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
AppSec in a World of Digital Transformation
 AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...
 
An OWASP SAMM Perspective on Serverless Computing
An OWASP SAMM Perspective on Serverless ComputingAn OWASP SAMM Perspective on Serverless Computing
An OWASP SAMM Perspective on Serverless Computing
 
Optimize Your Security Program with ThreadFix 2.7
Optimize Your Security Program with ThreadFix 2.7Optimize Your Security Program with ThreadFix 2.7
Optimize Your Security Program with ThreadFix 2.7
 
Securing Voting Infrastructure before the Mid-Term Elections
Securing Voting Infrastructure before the Mid-Term ElectionsSecuring Voting Infrastructure before the Mid-Term Elections
Securing Voting Infrastructure before the Mid-Term Elections
 
Understanding IoT Security: How to Quantify Security Risk of IoT Technologies
Understanding IoT Security: How to Quantify Security Risk of IoT TechnologiesUnderstanding IoT Security: How to Quantify Security Risk of IoT Technologies
Understanding IoT Security: How to Quantify Security Risk of IoT Technologies
 

Recently uploaded

GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
Fwdays
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 

Recently uploaded (20)

GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 

Structuring and Scaling an Application Security Program

  • 5. © 2015 Denim Group – All Rights Reserved Challenges Rolling Out Software Security Programs •  Resources •  Raw budget and cost issues •  Level of effort issues •  Resistance: requires organizational change •  Apparently people hate this •  Open source tools •  Can help with raw budget issues •  May exacerbate problems with level of effort •  View the rollout as a multi-stage process •  Not one magical effort •  Use short-term successes and gains to fuel further change 5
  • 6. © 2015 Denim Group – All Rights Reserved 6 You can’t defend unknown attack surface If everything is important then nothing is important
  • 7. © 2015 Denim Group – All Rights Reserved [Translation] Find out what applications you have in your organization Decide the relative importance of applications and treat them differently based on this 7
8. What Is Your Software Attack Surface?
Software You Currently Know About
Why?
•  Lots of value flows through it
•  Auditors hassle you about it
•  Formal SLAs with customers mention it
•  Bad guys found it and caused an incident (oops)
What?
•  Critical legacy systems
•  Notable web applications
9. What Is Your Software Attack Surface?
Add In the Rest of the Web Applications You Actually Develop and Maintain
Why Did You Miss Them?
•  Forgot it was there
•  A line of business procured it through non-standard channels
•  Picked it up through a merger / acquisition
What?
•  Line of business applications
•  Event-specific applications
10. What Is Your Software Attack Surface?
Add In the Software You Bought from Somewhere
Why Did You Miss Them?
•  Most scanners only really work on web applications, so no vendor pesters you about your non-web applications
•  You assume the application vendor is handling security
What?
•  More line of business applications
•  Support applications
•  Infrastructure applications
11. What Is Your Software Attack Surface?
MOBILE! THE CLOUD!
Why Did You Miss Them?
•  Any jerk with a credit card and the ability to submit an expense report now runs their own private procurement office
What?
•  Support for line of business functions
•  Marketing and promotion
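The inventory problem on slides 8–11 has a mechanical first step: diff the register of applications the security team believes it owns against every hostname the organization actually exposes, and let the discovery feed that surfaced each unknown asset hint at who owns it. The Python below is an added example for this page, not code from the deck or from Denim Group; the register, the DNS / certificate / proxy / CMDB feeds and every hostname in them are constructed, and the feed names are assumptions.

```python
"""Find unknown software attack surface by reconciling an application register
against hostnames observed elsewhere.

Added example for this deck, not code from Denim Group or the slides. All
inventory data below is constructed; the feed names, hostnames and owners are
assumptions chosen to mirror the "why did you miss them" slides.
"""
import re
from collections import defaultdict

# Constructed: what the application register / CMDB says the organization owns.
KNOWN_APPS = {
    "portal.example.com": {"owner": "retail-banking", "tier": "critical"},
    "www.example.com": {"owner": "marketing", "tier": "medium"},
    "hr.example.com": {"owner": "corp-it", "tier": "high"},
}

# Constructed: hostnames seen in places the security team did not create,
# keyed by the discovery feed that produced them.
OBSERVED = {
    "dns_zone_export": [                     # forgot it was there
        "portal.example.com", "www.example.com", "hr.example.com",
        "promo2014.example.com", "legacy-claims.example.com",
    ],
    "tls_cert_sans": [                       # mobile back end nobody registered
        "PORTAL.example.com.", "api.mobile.example.com",
        "promo2014.example.com",
    ],
    "proxy_logs_saas": [                     # credit card plus expense report
        "acme-inc.crm-vendor.example", "acme.surveytool.example",
    ],
    "acquired_subsidiary_cmdb": [            # picked up through an acquisition
        "claims.acquired-corp.example",
    ],
}

_HOST_RE = re.compile(r"^[a-z0-9.-]+$")


def normalize_host(host: str) -> str:
    """Canonicalise a hostname so one asset is not counted as two.

    Lower-cases, strips a URL scheme / path / port and a trailing FQDN dot,
    and rejects anything that is not a plain hostname.
    """
    host = host.strip().lower()
    host = re.sub(r"^[a-z]+://", "", host).split("/")[0].split(":")[0]
    host = host.rstrip(".")
    if not _HOST_RE.match(host):
        raise ValueError(f"not a hostname: {host!r}")
    return host


def reconcile(known, observed):
    """Return {hostname: [feeds]} for every observed host missing from the register.

    The feed list says which discovery source surfaced the asset, which is
    usually the best available hint about who owns it.
    """
    known_set = {normalize_host(h) for h in known}
    unknown = defaultdict(set)
    for feed, hosts in observed.items():
        for host in hosts:
            canonical = normalize_host(host)
            if canonical not in known_set:
                unknown[canonical].add(feed)
    return {h: sorted(f) for h, f in sorted(unknown.items())}


def coverage(known, observed):
    """Fraction of distinct observed hosts that the register already knows about."""
    seen = {normalize_host(h) for hosts in observed.values() for h in hosts}
    known_set = {normalize_host(h) for h in known}
    return len(seen & known_set) / len(seen) if seen else 1.0


if __name__ == "__main__":
    for host, feeds in reconcile(KNOWN_APPS, OBSERVED).items():
        print(f"UNKNOWN {host:35} seen in: {', '.join(feeds)}")
    print(f"register covers {coverage(KNOWN_APPS, OBSERVED):.0%} of observed hosts")
```

Run it and the unknown list comes out grouped by feed: the 2014 promo site and the legacy claims system exist only in DNS, the mobile API only in certificate SANs, the SaaS tools only in proxy logs, the subsidiary's claims app only in its own CMDB. Normalisation is not cosmetic: `PORTAL.example.com.` from a certificate has to collapse onto the registered `portal.example.com`, or the same application is reported as both known and unknown.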
12. Attack Surface: The Security Officer's Journey
•  Two dimensions:
    •  Perception of software attack surface
    •  Insight into exposed assets
[Chart: two axes, Perception and Insight; slides 12–26 build it up one step at a time]
13–17. Attack Surface: The Security Officer's Journey
•  As perception of the problem of attack surface widens, the scope of the problem increases
[Chart: one category added per slide along the Perception axis: Web Applications, Client-Server Applications, Desktop Applications, Cloud Applications and Services, Mobile Applications]
18–20. Attack Surface: The Security Officer's Journey
•  Discovery activities increase insight
[Chart: Web Applications only; three build slides along the Insight axis]
21–25. Attack Surface: The Security Officer's Journey
•  Over time you end up with a progression
[Chart: the same five categories added one per slide: Web Applications, Client-Server Applications, Desktop Applications, Cloud Applications and Services, Mobile Applications]
26. Attack Surface: The Security Officer's Journey
•  When you reach this point it is called "enlightenment"
•  You won't reach this point
[Chart: all five categories shown at full Perception and Insight]
27. Value and Risk Are Not Equally Distributed
•  Some Applications Matter More Than Others
    •  Value and character of data being managed
    •  Value of the transactions being processed
    •  Cost of downtime and breaches
•  Therefore All Applications Should Not Be Treated the Same
    •  Allocate different levels of resources to assurance
    •  Select different assurance activities
    •  Also must often address compliance and regulatory requirements
28. Do Not Treat All Applications the Same
•  Allocate Different Levels of Resources to Assurance
•  Select Different Assurance Activities
•  Also Must Often Address Compliance and Regulatory Requirements
29–34. What Goes Into An Application Test?
(Slides 29–34 build the following breakdown one layer at a time)
An Application Test
•  Dynamic Analysis
    •  Automated Application Scanning
        •  Unauthenticated Automated Scan
        •  Authenticated Automated Scan
    •  Manual Application Testing
        •  Blind Penetration Testing
        •  Informed Manual Testing
•  Static Analysis
    •  Automated Static Analysis
        •  Automated Source Code Scanning
        •  Automated Binary Analysis
    •  Manual Static Analysis
        •  Manual Source Code Review
        •  Manual Binary Analysis
35. How To Allocate Scarce Resources?
•  What Do You HAVE To Do?
    •  What discretion do you have within these constraints?
•  What Is Left Over?
•  Strategies
    •  Breadth-first
    •  Depth-first
    •  Hybrid
36. Breadth-First
•  Do Base-level Security Testing of Everything
    •  Well, everything you can find
    •  And everything you can test with automation
•  Automation is key
•  Understand the limitations
    •  Some applications cannot be effectively scanned
    •  Often scans are unauthenticated
    •  Whole classes of vulnerabilities are out of testing scope
37. Depth-First
•  Do Deeper Testing of Critical Applications
•  Typically a Combination of Automation and Manual Testing
•  Understand the Limitations
    •  Some applications remain unexamined
    •  And breaches of those applications put shared resources and infrastructure at risk
38. Hybrid
•  Combination of Automation and Manual Testing Across the Portfolio
    •  This is where most organizations end up
    •  Often because of regulatory and compliance mandates
•  Know Your Gaps
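Slides 27 and 35–38 together describe a procedure: score each application on the data it handles, the transactions it processes and the cost of downtime, assign it a tier, then pick breadth-first, depth-first or hybrid coverage, with compliance mandates fixed before any discretionary spend. The Python below is an added example that carries that procedure through on a constructed portfolio; it is not code from the deck or from Denim Group, and the weights, tier thresholds, hours per activity and the PCI mandate row are assumptions to replace with your own numbers.

```python
"""Tier applications by business risk, then turn a resourcing strategy
(breadth-first, depth-first or hybrid) into a per-application test plan.
Added example for this deck, not code from Denim Group or the slides. Weights,
thresholds, effort figures and the mandate table are assumptions; activity
names come from the application-test breakdown on slides 29-34.
"""
from dataclasses import dataclass

EFFORT_HOURS = {                       # assumed hours per activity
    "unauthenticated automated scan": 2,
    "authenticated automated scan": 4,
    "automated source code scanning": 8,
    "manual source code review": 40,
    "informed manual testing": 40,
}
BASE = {"unauthenticated automated scan"}
AUTH = {"authenticated automated scan"}
DEEP = {"automated source code scanning", "manual source code review",
        "informed manual testing"}
TIER_ACTIVITIES = {                    # hybrid strategy: assumed per-tier allocation
    "critical": BASE | AUTH | DEEP,
    "high": BASE | AUTH | {"automated source code scanning", "informed manual testing"},
    "medium": BASE | AUTH,
    "low": BASE,
}
# Assumed mandate table; check the real standard before relying on a row like this.
MANDATES = {"PCI": AUTH | {"informed manual testing"}}
DATA_SCORE = {"public": 0, "internal": 1, "confidential": 3, "regulated": 4}
TXN_BANDS = (10_000, 100_000, 1_000_000)     # USD per day
DOWNTIME_BANDS = (1_000, 10_000, 100_000)    # USD per hour


@dataclass(frozen=True)
class App:
    name: str
    data_class: str                    # key of DATA_SCORE
    txn_value_usd_per_day: float
    downtime_cost_usd_per_hour: float
    internet_facing: bool
    compliance: frozenset = frozenset()


def band(value, thresholds):
    """Count how many thresholds the value meets (0..len(thresholds))."""
    return sum(value >= t for t in thresholds)


def risk_score(app):
    """Slide 27's three factors plus exposure, on a 0-12 scale (weights assumed)."""
    return (DATA_SCORE[app.data_class]
            + band(app.txn_value_usd_per_day, TXN_BANDS)
            + band(app.downtime_cost_usd_per_hour, DOWNTIME_BANDS)
            + (2 if app.internet_facing else 0))


def tier_of(app):
    s = risk_score(app)
    return "critical" if s >= 10 else "high" if s >= 7 else "medium" if s >= 4 else "low"


def plan(apps, strategy):
    """Return {app name: sorted activities}. Mandated work is added last so it is
    never optional whichever strategy is chosen: the 'what do you HAVE to do' step."""
    out = {}
    for app in apps:
        tier = tier_of(app)
        if strategy == "breadth-first":
            acts = set(BASE)                                   # scan everything
        elif strategy == "depth-first":
            acts = set(BASE | AUTH | DEEP) if tier == "critical" else set()
        elif strategy == "hybrid":
            acts = set(TIER_ACTIVITIES[tier])
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
        for regime in app.compliance:
            acts |= MANDATES.get(regime, set())
        out[app.name] = sorted(acts)
    return out


def total_hours(test_plan):
    return sum(EFFORT_HOURS[a] for acts in test_plan.values() for a in acts)


def unexamined(test_plan):
    """Apps that get no testing at all: the depth-first blind spot."""
    return sorted(n for n, acts in test_plan.items() if not acts)


def no_manual(test_plan):
    """Apps covered by automation only: the 'know your gaps' list."""
    return sorted(n for n, acts in test_plan.items()
                  if not any(a.startswith(("manual", "informed")) for a in acts))


APPS = [                               # constructed portfolio
    App("payments-portal", "regulated", 2_000_000, 50_000, True, frozenset({"PCI"})),
    App("partner-api", "confidential", 500_000, 10_000, True),
    App("hr-self-service", "confidential", 0, 2_000, False),
    App("promo2014-microsite", "public", 0, 100, True),
    App("gift-card-kiosk", "internal", 5_000, 200, False, frozenset({"PCI"})),
]

if __name__ == "__main__":
    for strategy in ("breadth-first", "depth-first", "hybrid"):
        p = plan(APPS, strategy)
        print(f"{strategy:13} {total_hours(p):4}h  unexamined={unexamined(p)}  "
              f"automation-only={no_manual(p)}")
```

On this portfolio breadth-first costs 98 hours and leaves three applications with automation-only coverage, depth-first costs 138 hours and leaves the same three entirely unexamined, and hybrid costs 202 hours and narrows the automation-only list to two. The kiosk application is the reason mandates are applied last: it scores as low-risk, but its PCI flag pulls in an authenticated scan and manual testing under every strategy.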
39. You can't defend unknown attack surface
If everything is important then nothing is important
40. [Translation]
Find out what applications you have in your organization
Decide the relative importance of applications and treat them differently based on this
41. Software Assurance Maturity Model (OpenSAMM)
•  Open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization
•  Useful for:
    •  Evaluating an organization's existing software security practices
    •  Building a balanced software security program in well-defined iterations
    •  Demonstrating concrete improvements to a security assurance program
    •  Defining and measuring security-related activities within an organization
•  Main website: http://www.opensamm.org/
42. Using OpenSAMM You Can…
•  Evaluate an organization's existing software security practices
•  Build a balanced software security assurance program in well-defined iterations
•  Demonstrate concrete improvements to a security assurance program
•  Define and measure security-related activities throughout an organization
[This slide content © Pravir Chandra]
43. Review of Existing Secure SDLC Efforts
[This slide content © Pravir Chandra]
44. CLASP
•  Comprehensive, Lightweight Application Security Process
•  Centered around 7 AppSec Best Practices
    •  Cover the entire software lifecycle (not just development)
    •  Adaptable to any development process
•  Defines roles across the SDLC
    •  24 role-based process components
•  Start small and dial in to your needs
[This slide content © Pravir Chandra]
45. Microsoft SDL
•  Built internally for MS software
•  Extended and made public for others
•  MS-only versions since public release
[This slide content © Pravir Chandra]
46. Touchpoints
•  Gary McGraw's and Cigital's model
[This slide content © Pravir Chandra]
47. Lessons Learned
•  Microsoft SDL
    •  Heavyweight, good for large ISVs
•  Touchpoints
    •  High-level, not enough details to execute against
•  CLASP
    •  Large collection of activities, but no priority ordering
•  ALL: Good for experts to use as a guide, but hard for non-security folks to use off the shelf
[This slide content © Pravir Chandra]
48. Drivers for a Maturity Model
•  An organization's behavior changes slowly over time
    •  Changes must be iterative while working toward long-term goals
•  There is no single recipe that works for all organizations
    •  A solution must enable risk-based choices tailored to the organization
•  Guidance related to security activities must be prescriptive
    •  A solution must provide enough details for non-security people
•  Overall, must be simple, well-defined, and measurable
[This slide content © Pravir Chandra]
49. Therefore, a Viable Model Must...
•  Define building blocks for an assurance program
    •  Delineate all functions within an organization that could be improved over time
•  Define how building blocks should be combined
    •  Make creating change in iterations a no-brainer
•  Define details for each building block clearly
    •  Clarify the security-relevant parts in a widely applicable way (for any org doing software dev)
[This slide content © Pravir Chandra]
50. Understanding the Model
[This slide content © Pravir Chandra]
51. SAMM Business Functions
•  Start with the core activities tied to any organization performing software development
•  Named generically, but should resonate with any developer or manager
[This slide content © Pravir Chandra]
52. SAMM Security Practices
•  From each of the Business Functions, 3 Security Practices are defined
•  The Security Practices cover all areas relevant to software security assurance
•  Each one is a silo for improvement
[This slide content © Pravir Chandra]
53. Under Each Security Practice
•  Three successive Objectives under each Practice define how it can be improved over time
    •  This establishes a notion of a Level at which an organization fulfills a given Practice
•  The three Levels for a Practice generally correspond to:
    •  (0: Implicit starting point with the Practice unfulfilled)
    •  1: Initial understanding and ad hoc provision of the Practice
    •  2: Increase efficiency and/or effectiveness of the Practice
    •  3: Comprehensive mastery of the Practice at scale
[This slide content © Pravir Chandra]
54. Check Out This One...
[This slide content © Pravir Chandra]
55. Per Level, SAMM Defines...
•  Objective
•  Activities
•  Results
•  Success Metrics
•  Costs
•  Personnel
•  Related Levels
[This slide content © Pravir Chandra]
56. Approach to Iterative Improvement
•  Since the twelve Practices are each a maturity area, the successive Objectives represent the building blocks for any assurance program
•  Simply put, improve an assurance program in phases by:
    1.  Select security Practices to improve in the next phase of the assurance program
    2.  Achieve the next Objective in each Practice by performing the corresponding Activities at the specified Success Metrics
[This slide content © Pravir Chandra]
57. Applying the Model
[This slide content © Pravir Chandra]
58. Conducting Assessments
•  SAMM includes assessment worksheets for each Security Practice
[This slide content © Pravir Chandra]
59. Assessment Process
•  Supports both lightweight and detailed assessments
•  Organizations may fall in between levels (+)
[This slide content © Pravir Chandra]
60. Creating Scorecards
•  Gap analysis
    •  Capturing scores from detailed assessments versus expected performance levels
•  Demonstrating improvement
    •  Capturing scores from before and after an iteration of assurance program build-out
•  Ongoing measurement
    •  Capturing scores over consistent time frames for an assurance program that is already in place
[This slide content © Pravir Chandra]
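Slides 53, 56, 59 and 60 describe the scoring mechanics: each of the twelve Practices sits at a level from 0 to 3, a "+" marks an organization that is between levels, a scorecard is compared against a target roadmap for gap analysis, and two scorecards are compared to demonstrate improvement. The Python below is an added example of that arithmetic, not code from the slides or from the OpenSAMM project; it uses SAMM 1.0's Business Function and Security Practice names, while the current scores, the phase target and the follow-up assessment are constructed.

```python
"""SAMM-style scorecard arithmetic: levels with '+' half-steps, gap analysis
against a target roadmap, and a before/after diff of two assessments.

Added example for this deck, not code from the slides or the OpenSAMM project.
The Business Functions and Practices are SAMM 1.0's; the current scores, the
phase target and the follow-up assessment below are constructed.
"""

PRACTICES = {
    "Governance": ["Strategy & Metrics", "Policy & Compliance", "Education & Guidance"],
    "Construction": ["Threat Assessment", "Security Requirements", "Secure Architecture"],
    "Verification": ["Design Review", "Code Review", "Security Testing"],
    "Deployment": ["Vulnerability Management", "Environment Hardening", "Operational Enablement"],
}
ALL_PRACTICES = [p for ps in PRACTICES.values() for p in ps]


def parse_level(text: str) -> float:
    """'2+' -> 2.5: the '+' records an organization that is between levels."""
    text = text.strip()
    plus = text.endswith("+")
    n = int(text.rstrip("+"))
    if not 0 <= n <= 3 or (plus and n == 3):
        raise ValueError(f"invalid SAMM level {text!r}")
    return n + (0.5 if plus else 0.0)


def format_level(level: float) -> str:
    whole = int(level)
    return f"{whole}+" if level - whole else str(whole)


def scorecard(raw):
    """Normalise {practice: '1+'} into {practice: float}; unassessed practices score 0.
    Unknown practice names are rejected so a typo cannot silently drop a score."""
    bad = set(raw) - set(ALL_PRACTICES)
    if bad:
        raise KeyError(f"not SAMM practices: {sorted(bad)}")
    return {p: parse_level(raw.get(p, "0")) for p in ALL_PRACTICES}


def function_averages(card):
    """Mean level per Business Function, for the one-line executive view."""
    return {f: sum(card[p] for p in ps) / len(ps) for f, ps in PRACTICES.items()}


def gap_analysis(current, target):
    """{practice: shortfall} for every Practice below its target level."""
    return {p: target[p] - current[p] for p in ALL_PRACTICES if current[p] < target[p]}


def improvement(before, after):
    """{practice: delta} for Practices that moved; negative values are regressions."""
    return {p: after[p] - before[p] for p in ALL_PRACTICES if after[p] != before[p]}


def next_phase(current, target, max_practices=3):
    """Slide 56's loop: pick the largest shortfalls, advance each by one Objective.
    Ties break in model order. Returns {practice: level to reach this phase}."""
    gaps = gap_analysis(current, target)
    chosen = sorted(gaps, key=lambda p: (-gaps[p], ALL_PRACTICES.index(p)))[:max_practices]
    return {p: min(float(int(current[p]) + 1), target[p]) for p in chosen}


# Constructed assessment, phase target and follow-up assessment.
CURRENT = scorecard({
    "Strategy & Metrics": "1", "Policy & Compliance": "1+", "Education & Guidance": "0",
    "Threat Assessment": "0", "Security Requirements": "1", "Secure Architecture": "0+",
    "Design Review": "0", "Code Review": "1", "Security Testing": "2",
    "Vulnerability Management": "1+", "Environment Hardening": "1", "Operational Enablement": "0",
})
PHASE_TARGET = scorecard({
    "Strategy & Metrics": "2", "Policy & Compliance": "2", "Education & Guidance": "1",
    "Threat Assessment": "1", "Security Requirements": "1", "Secure Architecture": "1",
    "Design Review": "1", "Code Review": "2", "Security Testing": "2",
    "Vulnerability Management": "2", "Environment Hardening": "1", "Operational Enablement": "1",
})
# Three Practices advanced as planned; Code Review slipped (reviewers left the team).
AFTER = {**CURRENT, "Strategy & Metrics": 2.0, "Education & Guidance": 1.0,
         "Threat Assessment": 1.0, "Code Review": 0.5}

if __name__ == "__main__":
    for p, gap in gap_analysis(CURRENT, PHASE_TARGET).items():
        print(f"GAP   {p:26} {format_level(CURRENT[p])} -> {format_level(PHASE_TARGET[p])} ({gap:+.1f})")
    print("next phase:", next_phase(CURRENT, PHASE_TARGET))
    for p, delta in improvement(CURRENT, AFTER).items():
        print(f"{'REGRESSION' if delta < 0 else 'IMPROVED  '} {p:26} {delta:+.1f}")
```

The follow-up assessment is constructed so that Code Review slips from 1 to 0+; `improvement` reports that as a negative delta instead of letting it disappear into a Business Function mean, which is the reason to keep per-Practice scores next to the averages on the scorecard.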
61. Roadmap Templates
•  To make the building blocks usable, SAMM defines roadmap templates for typical kinds of organizations
    •  Independent Software Vendors
    •  Online Service Providers
    •  Financial Services Organizations
    •  Government Organizations
•  Organization types chosen because
    •  They represent common use-cases
    •  Each organization type has variations in typical software-induced risk
    •  Optimal creation of an assurance program is different for each
[This slide content © Pravir Chandra]
62. Building Assurance Programs
[This slide content © Pravir Chandra]
63. Case Studies
•  A full walkthrough with prose explanations of decision-making as an organization improves
    •  Each Phase described in detail
    •  Organizational constraints
    •  Build/buy choices
•  One case study exists today, several more in progress using industry partners
[This slide content © Pravir Chandra]
64. Exploring the Model's Levels and Activities
[This slide content © Pravir Chandra]
65. The SAMM 1.0 release
[This slide content © Pravir Chandra]
66. SAMM and the Real World
[This slide content © Pravir Chandra]
67. SAMM History
•  Beta released August 2008
•  1.0 released March 2009
•  Originally funded by Fortify
    •  Still actively involved and using this model
•  Released under a Creative Commons Attribution Share-Alike license
•  Donated to OWASP and is currently an OWASP project
[This slide content © Pravir Chandra]
68. Expert Contributions
•  Built based on collected experiences with 100s of organizations
    •  Including security experts, developers, architects, development managers, IT managers
[This slide content © Pravir Chandra]
69. Industry Support
•  Several more case studies underway
[This slide content © Pravir Chandra]
70. The OpenSAMM Project
•  http://www.opensamm.org
•  Dedicated to defining, improving, and testing the SAMM framework
    •  Always vendor-neutral, but lots of industry participation
    •  Open and community driven
•  Targeting new releases every 6-12 months
•  Change management process
    •  SAMM Enhancement Proposals (SEP)
[This slide content © Pravir Chandra]
71. OpenSAMM Resources
•  Nick Coblentz – SAMM Assessment Interview Template (xls/googledoc)
•  Christian Frichot – SAMM Assessment Spreadsheet (xls)
•  Colin Watson – Roadmap Chart Template (xls)
•  Jim Weiler – MS Project Plan Template (mpp)
•  Denim Group – ThreadFix (web application)
[This slide content © Pravir Chandra]
72. Quick Recap on Using SAMM
•  Evaluate an organization's existing software security practices
•  Build a balanced software security assurance program in well-defined iterations
•  Demonstrate concrete improvements to a security assurance program
•  Define and measure security-related activities throughout an organization
[This slide content © Pravir Chandra]
73. The Problems of Scale
•  Too many applications
•  Too many developers
•  Not enough security professionals
•  Everything moves too fast:
    •  Releases
    •  New technologies (e.g. mobile, cloud)
74. Some Approaches to Scale
•  Automate everything you possibly can
    •  But realize you can't automate everything
•  Asymmetric warfare
    •  Identify security champions on development teams and have them spread the word
•  Track metrics
    •  Learn what works and what does not
    •  Put yourself in a position to better characterize application security risks alongside network/infrastructure security risks (and all the other risks in a scary and ever-changing world)
75. Questions / Contact Information
Dan Cornell
Principal and CTO
dan@denimgroup.com
Twitter @danielcornell
(844) 572-4400
www.denimgroup.com
www.threadfix.org