The Future of Software
Security Assurance:
Cloudy, with Storms Likely


 Rafal Los
 Enterprise & Cloud Security Strategist
 HP Software

 ©2011 Hewlett-Packard Development Company, L.P.
 The information contained herein is subject to change without notice
SSA
                   Software Security Assurance




Software Security Assurance




Can you trust your software?
THE FUTURE …of software security.




5 Inevitables
1 – Application Modernization
Catalysts:
•   Your corporate applications are aging
•   Aging application technologies are hindering your business productivity
•   Applications deployed ‘before security’ are critically exposed


Opportunity:
•   Address software security as a core
    business requirement
•   Modernize security controls, “bolt-ons”
2 – Cloud Adoption
Catalysts:
•   Organizations are adopting cloud whether they acknowledge it or not
•   Extreme confusion: what is “cloud security”?
•   “The Cloud” brings fundamentally different security challenges


Opportunity:
•   A forceful re-evaluation of security paradigms
•   Shift security from perimeter, to application
•   Engage providers, fully understand risks of the cloud model
3 – Consumerization of the Enterprise
Catalysts:
•   Enterprise functions are being performed on consumer devices
•   Corporate data is spread across devices the enterprise doesn’t control
•   Applications must run on diverse platforms, each of which poses unique risks


Opportunity:
•   Understand application risk profiles across consumer use-cases
•   Focus on minimizing data sprawl, centralizing logic processing
•   Create strategic mobile application defenses
4 – Technology Overrun
Catalysts:
•   Bleeding-edge client-side technology adoption
•   Mobile development is hot, security is lacking
•   Development technology over-running security capability


Opportunity:
•   Adopt technology-independent security controls
•   Control application release processes (ITIL change control)
5 – Incidents
Catalysts:
•   Reported incidents will increase as enterprises become more aware of them
•   Cloud adoption, mobile computing and consumerization increase the likelihood
•   Regulations and laws continue to drive disclosure


Opportunity:
•   Optimized technology responds to incidents faster, smarter
•   Identify data acquisition, forensic strategies as part of design plans
8 Evolutions
1 – Start and End with Requirements

            Strategic risk reduction impacts the idea, not the result


            •   Understand organizational goals, seek to reduce risk
            •   Influence “what the business wants”
            •   Abstract security to risk, in business terms
            •   A defect is a deviation from a requirement
2 – Engage the Full SDLC

Organizations must address the full application lifecycle

[Diagram: application lifecycle timeline, from IT Handoff through Release]
3 – Shift SSA Ownership

Software security is not the Security organization’s problem.
SSA Today:
•   SSA is equated with security
•   Security runs the SSA program
•   Security manages all aspects
•   Security performs security testing
•   Security manages defect tracking
•   Fail.

SSA Tomorrow:
•   Security governs the SSA program
•   Security manages key aspects
•   Security governs testing, validates findings
•   Security develops policy, practices
•   Succeed.
4 – Risk-Based Defense
Application use-cases have unique risk profiles.
It’s time to recognize this fact, and build sane strategies.


•   Segregate, segment, build security zones by business criticality
•   Short-term tactical defenses for weakest legacy applications
•   Fix, defer or accept risk.
•   Develop risk profiles for application use-cases such as mobile…
    –   Encrypt data, virtualize usage

•   Fortify more than just the front-end – including services, APIs
5 – Static or Dynamic Testing? Yes.

Static vs. Dynamic security testing is no longer a question.


Static and Dynamic analysis each has advantages, both are needed
Provide the right technology, at the right time, to the right people
Audit source code, validate the running application
Remember, you can’t test yourself secure
6 – Test, but Cheat
  When you’re up against attackers, cheat as often as possible.


  •   Gray-box technology provides deeper insight into application logic
  •   Link exploits with vulnerable code
  •   Get to the fix faster.

[Diagram: a Web App with 4 exploitable fields, all reaching one function → 1 fix]

Function exec_query () {
    take user data (x);
    construct query (x + y);
    execute query;
    return results (z);
}
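The slide’s exec_query() shape, worked through as an added example that is not from the original deck (Python, using only the standard library’s sqlite3 and ast modules; the users table, its rows, the four field names and the tautology payload are constructed for illustration). It serves slide 5 (audit source code and validate the running application) as well as slide 6: a small static scan flags the line where query text is assembled with “+”, a dynamic probe shows that the same sink is exploitable through all four fields, and the gray-box view pairs the two so the fix is applied once, at the sink, by binding the value as a parameter.

```python
"""Added example, not from the original deck: the slide's exec_query() as a
single SQL-injection sink reached from four input fields, found statically
(source audit), confirmed dynamically (running application), fixed once."""
import ast
import inspect
import sqlite3
import textwrap

# Constructed sample data: an in-memory database, not a real system.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER, name TEXT, dept TEXT, email TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
    (1, "alice", "finance", "alice@example.test"),
    (2, "bob", "hr", "bob@example.test"),
    (3, "carol", "finance", "carol@example.test"),
])
TOTAL_ROWS = 3


def exec_query(x, y):
    """The slide's shape: take user data (x), construct query (x + y), execute, return."""
    sql = "SELECT id, name FROM users WHERE " + y + " = '" + x + "'"  # x lands in the SQL text
    return conn.execute(sql).fetchall()


# The one fix, applied at the sink: fixed SQL text per allowed column, value bound as a parameter.
SAFE_QUERIES = {
    "name":  "SELECT id, name FROM users WHERE name = ?",
    "dept":  "SELECT id, name FROM users WHERE dept = ?",
    "email": "SELECT id, name FROM users WHERE email = ?",
    "id":    "SELECT id, name FROM users WHERE id = ?",
}


def exec_query_fixed(x, y):
    if y not in SAFE_QUERIES:
        raise ValueError("unexpected column: %r" % y)
    return conn.execute(SAFE_QUERIES[y], (x,)).fetchall()


def make_fields(query):
    """Four hypothetical web-form fields that all funnel into the same query function."""
    return {
        "search_name":  lambda v: query(v, "name"),
        "search_dept":  lambda v: query(v, "dept"),
        "search_email": lambda v: query(v, "email"),
        "search_id":    lambda v: query(v, "id"),
    }


def dynamic_probe(fields):
    """Black-box side: send a tautology payload into each field; a field is
    exploitable if the WHERE clause is bypassed and every row comes back."""
    payload = "' OR '1'='1"
    exploitable = []
    for name, handler in fields.items():
        try:
            rows = handler(payload)
        except (sqlite3.Error, ValueError):
            continue  # query rejected or failed to parse: this payload did not work
        if len(rows) == TOTAL_ROWS:
            exploitable.append(name)
    return exploitable


SQL_WORDS = ("SELECT", "INSERT", "UPDATE", "DELETE")


def _leftmost(node):
    while isinstance(node, ast.BinOp):
        node = node.left
    return node


def static_scan(func):
    """Source-audit side: report line numbers (relative to the function) where a
    string starting with a SQL keyword is built with '+', i.e. query text
    assembled from variables. A real analyzer also tracks taint; this only
    shows how a static finding names the sink the dynamic probe reached."""
    tree = ast.parse(textwrap.dedent(inspect.getsource(func)))
    hits = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
            leaf = _leftmost(node)
            if isinstance(leaf, ast.Constant) and isinstance(leaf.value, str) \
                    and leaf.value.lstrip().upper().startswith(SQL_WORDS):
                hits.add(node.lineno)
    return sorted(hits)


def correlate(query_func, fields):
    """Gray-box view: pair the fields an exploit works against with the code
    location the static scan flagged, so one fix is planned instead of four."""
    return {"exploitable_fields": dynamic_probe(fields),
            "vulnerable_lines": static_scan(query_func)}


if __name__ == "__main__":
    print("before:", correlate(exec_query, make_fields(exec_query)))
    print("after: ", correlate(exec_query_fixed, make_fields(exec_query_fixed)))
```

Run as a script, the “before” line lists all four fields against the single flagged line of exec_query(); the “after” line lists none, because the fixed sink never places user data inside the SQL text. The column name is taken from an allow-list rather than bound as a parameter because SQL identifiers cannot be parameterized; that is the usual shape of this fix when the caller also chooses the column.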
7 – Dynamic Security Intelligence
Real security isn’t about keeping the ‘bad guys’ out,
it’s about reacting in real-time.

[Diagram: a Compromised Remote Corp User reaching Critical Data; Detect, then Respond]
8 – Measure Against Business Goals (KPIs)

Only 2 questions are relevant:
1.   What are your organizational, business objectives?
2.   How does Software Security Assurance contribute to those objectives?


5 Suggested KPIs:
1. WRT – Weighted Risk Trend
2. DRW – Defect Remediation Window
3. RDR – Rate of Defect Recurrence
4. SCM – Specific Coverage Metric
5. SQR – Security to Quality Defect Ratio
1 Cold Hard Fact
You will be breached.
 You will lose data, trust, and money.


   The incident will matter.
   The response will be the deciding factor.
Surviving a Major Breach
In the court of public opinion

[Diagram: Organizational Response and Due Diligence weighed against Incident “Damage”]



Enterprise Security – HP Confidential
SOFTWARE SECURITY ASSURANCE MUST EVOLVE




Twitter:     @Wh1t3Rabbit
Blog:        http://hp.com/go/white-rabbit
Podcast:     http://podcast.wh1t3rabbit.net




           THANK YOU, LET’S TALK!
