SlideShare a Scribd company logo

The Permanent Campaign

Denim Group
Denim Group

This presentation focuses on how security officers or development leaders can apply a disciplined approach to building internal consensus to build secure software. A five-step process will be laid out that will enable a manager to characterize the landscape, secure management buy-in, baseline the existing risks, set modest goals and attempt to achieve them, and sustain the initiative. Emphasis will be on actionable steps that successful managers have used to drive the adoption of secure software strategies in large organizations.

Technology
1 of 20
Download to read offline
The Permanent Campaign – Driving Software Security Initiatives in the Enterprise John B. Dickson, CISSP © Copyright 2010 Denim Group - All Rights Reserved
Personal Background – 15-year information security consultant background – Ex-Air Force security analyst at AFCERT – Trident Data Systems, KPMG, SecureLogix, and Denim Group information security consultant – President of the Alamo Chapter of ISSA – Works with CIO’ s and CSO’s to build successful software security initiatives – Educates non-developer security professionals how to manager application risk © Copyright 2010 Denim Group - All Rights Reserved 1
Denim Group Background – Professional services firm that builds & secures enterprise applications – Secure development services: • Secure .NET and Java application development • Post-assessment remediation • Secure web services – Application security services include: • External application assessments • Code reviews • Software development lifecycle development (SDLC) consulting • Classroom and e-Learning instruction for developers © Copyright 2010 Denim Group - All Rights Reserved 2
Presentation Overview Background – the Current State of Affairs Characterizing the Landscape Securing Champions Defining Strategy & Initial Standards Executing the Strategy Sustaining the Initiative © Copyright 2010 Denim Group - All Rights Reserved 3
Background – the Current State of Affairs • Creating meaningful enterprise-wide software security initiatives is hard – Organizational culture or politics can present more daunting challenges than anything in the technical world • The vast majority of info software security focuses on means to write more secure code or strategies for putting controls around the software development process – Very little is written about how one goes about “winning hearts and minds” – The body of literature assumes corporate buy-in • Building custom software on time, on budget, and without bugs is difficult – Building software on time, on budget, and without bugs is even harder! © Copyright 2010 Denim Group - All Rights Reserved 4
Background – the Current State of Affairs • Large and complex organizations have various groups and cultures – this complicates things… – They have groups with cultures that span the spectrum of openness – Mergers and acquisitions and geographic distribution increase this diversity • Large organizations are also likely to have a variety of software development approaches that mirror their organizational diversity – Waterfall, XP, MSF, Agile.... Errr… Fragile • Understand how something called “status quo bias” does not help – The argument of “it hasn’t happened to us” is particularly compelling to C-level executives and senior leaders – Couple this with the current “do more with less” business strategy in the worst recession of our lives – you get the picture © Copyright 2010 Denim Group - All Rights Reserved 5
So Given These Realities? ? How does one go about leading the effort to build secure software within large and complex organizations? ? How does one reengineer one of the most complex, tedious set of process that an organization possesses? © Copyright 2010 Denim Group - All Rights Reserved 6
Characterizing the Landscape • Five Critical Components – Compliance framework – Cultural norms – SDLCs in place – Artifacts of software security – ID Gap between policy and practice © Copyright 2010 Denim Group - All Rights Reserved 7
Characterizing the Landscape – The Compliance Framework • Step 1: Understand the organizational compliance framework • Key Questions: – What are the known regulations or directives that will exert influence on how security should be applied to software? – Who is responsible for monitoring evolving compliance frameworks? – Who audits these regulations, both inside the organization and externally? – How can one use regulations or directives for business justification for a software security initiative? – Does a relationship with the internal audit manager benefit the leader of the software security initiative? © Copyright 2010 Denim Group - All Rights Reserved 8
Characterizing the Landscape – Cultural Norms • Step 2: Analyze and understand the culture of different groups building software in your organization • Key Questions: – Why and for whom are they building software? – What are the terms that would best describe each software team? – How would you characterize their leadership environment? • Is it top-down or collaborative? – How do requirements flow to the software development groups? – How receptive are they to new ideas? © Copyright 2010 Denim Group - All Rights Reserved 9
Characterizing the Landscape – SDLC’s in place • Step 3: Catalog and understand the different way software is built by teams within your organization • Key Questions: – What formal or informal methodology do the different groups use? – How different are they within each division or operating location? – Why are their approaches different and what projects/products are they working on that influence the choice of development approach? – How long have the different approaches been in place? © Copyright 2010 Denim Group - All Rights Reserved 10
Characterizing the Landscape – Artifacts of software security • Step 4: Identify and capture what is already being done in the way of application security • Key Questions: – Who has done what to this point? – Why haven’t they been more successful? – Are external penetration software tests being conducted in others? – Are policies in place regarding software and data security? – Have any of the groups bought tools or put open source tools in place? © Copyright 2010 Denim Group - All Rights Reserved 11
Characterizing the Landscape – ID Gap between policy and practice • Step 5: Quantify the gap between what is policy and what is happening in practice with software security • Key Questions: – Is there a gap between what management portrays and is in place in the development teams? – Is it a recurring approach? – Is it consistent across development teams? – Are they aware of benchmarking tools like OpenSAMM? © Copyright 2010 Denim Group - All Rights Reserved 12
Securing Champions • Understand and explicitly focus on winning over champions to build a successful software security initiative • Three key stakeholders should be brought into the fold: – CIO and one of his/her peers – A security evangelist in each development team – Internal audit, if relevant… • How does on secure champions? – Lunch and learns – Attack demonstrations – Audit opinions – Telling relevant stories © Copyright 2010 Denim Group - All Rights Reserved 13
Defining Strategy & Initial Standards • Conduct a “lightweight” risk assessment of applications to ID the most vulnerable applications for qualitative ranking for decision-making • Conduct a brief risk analysis and rank order the applications from most critical to least critical • Pick on application and conduct a security assessment © Copyright 2010 Denim Group - All Rights Reserved 14
Defining Strategy & Initial Standards • Set reasonable goals and to demonstrate future progress • Examples of modest goals – Conduct a ½-day classroom overview of application security concepts – Publish a “Top 10” list of coding standards that reflect fundamental – Remediate one of the applications you assessed earlier in the process. – Implement threat modeling at the early stages of a handful of big projects – Improve one facet of the SDLC to inject a software security “control” • Great resources from which to pull: – OpenSAMM – OWASP Testing Guide – NIST Publications © Copyright 2010 Denim Group - All Rights Reserved 15
Executing the Strategy • Focus: Grab attention of development managers and keep their interest • Put champions to work! – ID substantive tasks for them to undertake – Keep them briefed on the software security initiative – Consider a team wiki • Tailor the delivery to the audience – Monitor success – Adapt and adjust as you see fit • Measure goal attainment – The old cliché “what is measured matters” is 100% relevant – Communicate success to the champions, teams, and management © Copyright 2010 Denim Group - All Rights Reserved 16
Sustaining the Initiative • Bottom line: Show quick wins, highlight positive behaviors, and do it over and over again, ratcheting up expectations and software security with each iteration • Increase the depth and breadth of activities across the different development teams • Use benchmarks such as OpenSAMM to chart progress • Regular, disciplined update of the regulatory framework must occur • Monitor the market: keep an ear to the ground in the commercial tools arena, as rapid innovation is changing the game • Observe what’s occurring within your organization to determine whether there are new risk areas emerging © Copyright 2010 Denim Group - All Rights Reserved 17
Conclusions • Changing the way organizations build software is difficult. Crafting a software security initiative has to methodical and tailored to the organization • Organizational and cultural hurdles are likely to be more challenging than technical – if one understands how to address them, one can have an impact • Implement a sustained effort that highlights wins, publicly praises positive behaviors, and do it over and over again, ratcheting up expectations and software security with each iteration © Copyright 2010 Denim Group - All Rights Reserved 18
Contact Information • John B. Dickson, CISSP – john@denimgroup.com – Twitter @johnbdickson www.denimgroup.com © Copyright 2010 Denim Group - All Rights Reserved 19

Recommended

The Permanent Campaign: Driving a Secure Software Initiative in the Enterprise
The Permanent Campaign: Driving a Secure Software Initiative in the EnterpriseThe Permanent Campaign: Driving a Secure Software Initiative in the Enterprise
The Permanent Campaign: Driving a Secure Software Initiative in the Enterprise
Denim Group
 
The Permanent Campaign
The Permanent CampaignThe Permanent Campaign
The Permanent Campaign
Denim Group
 
Social Networks and Security: What Your Teenager Likely Won't Tell You
Social Networks and Security: What Your Teenager Likely Won't Tell YouSocial Networks and Security: What Your Teenager Likely Won't Tell You
Social Networks and Security: What Your Teenager Likely Won't Tell You
Denim Group
 
Vulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCVulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDC
Denim Group
 
Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsTop Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for Applications
Denim Group
 
Vulnerability Management In An Application Security World
Vulnerability Management In An Application Security WorldVulnerability Management In An Application Security World
Vulnerability Management In An Application Security World
Denim Group
 
Security For Free
Security For FreeSecurity For Free
Security For Free
gwarden
 
What Permissions Does Your Database User REALLY Need?
What Permissions Does Your Database User REALLY Need?What Permissions Does Your Database User REALLY Need?
What Permissions Does Your Database User REALLY Need?
Denim Group
 

Recommended

The Permanent Campaign: Driving a Secure Software Initiative in the Enterprise
The Permanent Campaign: Driving a Secure Software Initiative in the EnterpriseThe Permanent Campaign: Driving a Secure Software Initiative in the Enterprise
The Permanent Campaign: Driving a Secure Software Initiative in the Enterprise
Denim Group
 
The Permanent Campaign
The Permanent CampaignThe Permanent Campaign
The Permanent Campaign
Denim Group
 
Social Networks and Security: What Your Teenager Likely Won't Tell You
Social Networks and Security: What Your Teenager Likely Won't Tell YouSocial Networks and Security: What Your Teenager Likely Won't Tell You
Social Networks and Security: What Your Teenager Likely Won't Tell You
Denim Group
 
Vulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCVulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDC
Denim Group
 
Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsTop Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for Applications
Denim Group
 
Vulnerability Management In An Application Security World
Vulnerability Management In An Application Security WorldVulnerability Management In An Application Security World
Vulnerability Management In An Application Security World
Denim Group
 
Security For Free
Security For FreeSecurity For Free
Security For Free
gwarden
 
What Permissions Does Your Database User REALLY Need?
What Permissions Does Your Database User REALLY Need?What Permissions Does Your Database User REALLY Need?
What Permissions Does Your Database User REALLY Need?
Denim Group
 
How iOS and Android Handle Security Webinar
How iOS and Android Handle Security WebinarHow iOS and Android Handle Security Webinar
How iOS and Android Handle Security Webinar
Denim Group
 
Benchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationBenchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR Organization
Denim Group
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security Pros
Denim Group
 
Application Security Done Right
Application Security Done RightApplication Security Done Right
Application Security Done Right
pvanwoud
 
ThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan Cornell
Denim Group
 
The Magic of Symbiotic Security
The Magic of Symbiotic SecurityThe Magic of Symbiotic Security
The Magic of Symbiotic Security
Denim Group
 
Software Security: Is OK Good Enough?
Software Security: Is OK Good Enough?Software Security: Is OK Good Enough?
Software Security: Is OK Good Enough?Denim Group
 
Running a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsRunning a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source Tools
Denim Group
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix Ecosystem
Denim Group
 
Monitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesMonitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps Pipelines
Denim Group
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT Systems
Denim Group
 
SMi Group's Oil & Gas Cyber Security conference & exhibition
SMi Group's Oil & Gas Cyber Security conference & exhibitionSMi Group's Oil & Gas Cyber Security conference & exhibition
SMi Group's Oil & Gas Cyber Security conference & exhibition
Dale Butler
 
CIO Summit: Data Security in a Mobile World
CIO Summit: Data Security in a Mobile WorldCIO Summit: Data Security in a Mobile World
CIO Summit: Data Security in a Mobile World
iMIS
 
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSA
Denim Group
 
2011 ADC Security Survey—Global Findings
2011 ADC Security Survey—Global Findings 2011 ADC Security Survey—Global Findings
2011 ADC Security Survey—Global Findings
F5 Networks
 
IT Security Management -- People, Procedures and Tools
IT Security Management -- People, Procedures and ToolsIT Security Management -- People, Procedures and Tools
IT Security Management -- People, Procedures and ToolsAndrew S. Baker (ASB)
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security Framework
PECB
 
ThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security Program
Denim Group
 
Ruben Melendez - Economically Justifying IT Security Initiatives
Ruben Melendez - Economically Justifying IT Security InitiativesRuben Melendez - Economically Justifying IT Security Initiatives
Ruben Melendez - Economically Justifying IT Security Initiatives
centralohioissa
 
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
EC-Council
 
Getting Your Security Budget Approved Without FUD
Getting Your Security Budget Approved Without FUDGetting Your Security Budget Approved Without FUD
Getting Your Security Budget Approved Without FUD
Denim Group
 
Hacking the CEO: Ninja Mind Tricks and Other Ruses to get Security Dollars
Hacking the CEO: Ninja Mind Tricks and Other Ruses to get Security DollarsHacking the CEO: Ninja Mind Tricks and Other Ruses to get Security Dollars
Hacking the CEO: Ninja Mind Tricks and Other Ruses to get Security Dollars
Denim Group
 

More Related Content

What's hot

How iOS and Android Handle Security Webinar
How iOS and Android Handle Security WebinarHow iOS and Android Handle Security Webinar
How iOS and Android Handle Security Webinar
Denim Group
 
Benchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationBenchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR Organization
Denim Group
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security Pros
Denim Group
 
Application Security Done Right
Application Security Done RightApplication Security Done Right
Application Security Done Right
pvanwoud
 
ThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan Cornell
Denim Group
 
The Magic of Symbiotic Security
The Magic of Symbiotic SecurityThe Magic of Symbiotic Security
The Magic of Symbiotic Security
Denim Group
 
Software Security: Is OK Good Enough?
Software Security: Is OK Good Enough?Software Security: Is OK Good Enough?
Software Security: Is OK Good Enough?Denim Group
 
Running a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsRunning a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source Tools
Denim Group
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix Ecosystem
Denim Group
 
Monitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesMonitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps Pipelines
Denim Group
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT Systems
Denim Group
 
SMi Group's Oil & Gas Cyber Security conference & exhibition
SMi Group's Oil & Gas Cyber Security conference & exhibitionSMi Group's Oil & Gas Cyber Security conference & exhibition
SMi Group's Oil & Gas Cyber Security conference & exhibition
Dale Butler
 
CIO Summit: Data Security in a Mobile World
CIO Summit: Data Security in a Mobile WorldCIO Summit: Data Security in a Mobile World
CIO Summit: Data Security in a Mobile World
iMIS
 
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSA
Denim Group
 
2011 ADC Security Survey—Global Findings
2011 ADC Security Survey—Global Findings 2011 ADC Security Survey—Global Findings
2011 ADC Security Survey—Global Findings
F5 Networks
 
IT Security Management -- People, Procedures and Tools
IT Security Management -- People, Procedures and ToolsIT Security Management -- People, Procedures and Tools
IT Security Management -- People, Procedures and ToolsAndrew S. Baker (ASB)
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security Framework
PECB
 
ThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security Program
Denim Group
 
Ruben Melendez - Economically Justifying IT Security Initiatives
Ruben Melendez - Economically Justifying IT Security InitiativesRuben Melendez - Economically Justifying IT Security Initiatives
Ruben Melendez - Economically Justifying IT Security Initiatives
centralohioissa
 
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
EC-Council
 

What's hot (20)

How iOS and Android Handle Security Webinar
How iOS and Android Handle Security WebinarHow iOS and Android Handle Security Webinar
How iOS and Android Handle Security Webinar
 
Benchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationBenchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR Organization
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security Pros
 
Application Security Done Right
Application Security Done RightApplication Security Done Right
Application Security Done Right
 
ThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan Cornell
 
The Magic of Symbiotic Security
The Magic of Symbiotic SecurityThe Magic of Symbiotic Security
The Magic of Symbiotic Security
 
Software Security: Is OK Good Enough?
Software Security: Is OK Good Enough?Software Security: Is OK Good Enough?
Software Security: Is OK Good Enough?
 
Running a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsRunning a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source Tools
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix Ecosystem
 
Monitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesMonitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps Pipelines
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT Systems
 
SMi Group's Oil & Gas Cyber Security conference & exhibition
SMi Group's Oil & Gas Cyber Security conference & exhibitionSMi Group's Oil & Gas Cyber Security conference & exhibition
SMi Group's Oil & Gas Cyber Security conference & exhibition
 
CIO Summit: Data Security in a Mobile World
CIO Summit: Data Security in a Mobile WorldCIO Summit: Data Security in a Mobile World
CIO Summit: Data Security in a Mobile World
 
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSA
 
2011 ADC Security Survey—Global Findings
2011 ADC Security Survey—Global Findings 2011 ADC Security Survey—Global Findings
2011 ADC Security Survey—Global Findings
 
IT Security Management -- People, Procedures and Tools
IT Security Management -- People, Procedures and ToolsIT Security Management -- People, Procedures and Tools
IT Security Management -- People, Procedures and Tools
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security Framework
 
ThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security Program
 
Ruben Melendez - Economically Justifying IT Security Initiatives
Ruben Melendez - Economically Justifying IT Security InitiativesRuben Melendez - Economically Justifying IT Security Initiatives
Ruben Melendez - Economically Justifying IT Security Initiatives
 
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
 

Viewers also liked

Getting Your Security Budget Approved Without FUD
Getting Your Security Budget Approved Without FUDGetting Your Security Budget Approved Without FUD
Getting Your Security Budget Approved Without FUD
Denim Group
 
Hacking the CEO: Ninja Mind Tricks and Other Ruses to get Security Dollars
Hacking the CEO: Ninja Mind Tricks and Other Ruses to get Security DollarsHacking the CEO: Ninja Mind Tricks and Other Ruses to get Security Dollars
Hacking the CEO: Ninja Mind Tricks and Other Ruses to get Security Dollars
Denim Group
 
The Return of the Visual Suspects #PCB5
The Return of the Visual Suspects #PCB5The Return of the Visual Suspects #PCB5
The Return of the Visual Suspects #PCB5
Robert Bensley
 
Blending Automated and Manual Testing
Blending Automated and Manual TestingBlending Automated and Manual Testing
Blending Automated and Manual Testing
Denim Group
 
OWASP San Antonio: Open Software Assurance Maturity Model (OpenSAMM)
OWASP San Antonio: Open Software Assurance Maturity Model (OpenSAMM)OWASP San Antonio: Open Software Assurance Maturity Model (OpenSAMM)
OWASP San Antonio: Open Software Assurance Maturity Model (OpenSAMM)
Denim Group
 
ระบบเครือค่าย
ระบบเครือค่ายระบบเครือค่าย
ระบบเครือค่ายเค้ก
 
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Denim Group
 
San Antonio Security Community
San Antonio Security CommunitySan Antonio Security Community
San Antonio Security Community
Denim Group
 
งามคอม200
งามคอม200งามคอม200
งามคอม200
เค้ก
 
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security ResourcesThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
Denim Group
 
Using ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesUsing ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application Vulnerabilities
Denim Group
 
What a locked down law firm looks like updated
What a locked down law firm looks like updatedWhat a locked down law firm looks like updated
What a locked down law firm looks like updated
Denim Group
 
Implementation Patterns For Software Security Programs
Implementation Patterns For Software Security ProgramsImplementation Patterns For Software Security Programs
Implementation Patterns For Software Security Programs
Denim Group
 
Application Portfolio Risk Ranking: Banishing FUD With Structure and Numbers
Application Portfolio Risk Ranking: Banishing FUD With Structure and NumbersApplication Portfolio Risk Ranking: Banishing FUD With Structure and Numbers
Application Portfolio Risk Ranking: Banishing FUD With Structure and Numbers
Denim Group
 
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
Denim Group
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile ApplicationsDenim Group
 

Viewers also liked (16)

Getting Your Security Budget Approved Without FUD
Getting Your Security Budget Approved Without FUDGetting Your Security Budget Approved Without FUD
Getting Your Security Budget Approved Without FUD
 
Hacking the CEO: Ninja Mind Tricks and Other Ruses to get Security Dollars
Hacking the CEO: Ninja Mind Tricks and Other Ruses to get Security DollarsHacking the CEO: Ninja Mind Tricks and Other Ruses to get Security Dollars
Hacking the CEO: Ninja Mind Tricks and Other Ruses to get Security Dollars
 
The Return of the Visual Suspects #PCB5
The Return of the Visual Suspects #PCB5The Return of the Visual Suspects #PCB5
The Return of the Visual Suspects #PCB5
 
Blending Automated and Manual Testing
Blending Automated and Manual TestingBlending Automated and Manual Testing
Blending Automated and Manual Testing
 
OWASP San Antonio: Open Software Assurance Maturity Model (OpenSAMM)
OWASP San Antonio: Open Software Assurance Maturity Model (OpenSAMM)OWASP San Antonio: Open Software Assurance Maturity Model (OpenSAMM)
OWASP San Antonio: Open Software Assurance Maturity Model (OpenSAMM)
 
ระบบเครือค่าย
ระบบเครือค่ายระบบเครือค่าย
ระบบเครือค่าย
 
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
 
San Antonio Security Community
San Antonio Security CommunitySan Antonio Security Community
San Antonio Security Community
 
งามคอม200
งามคอม200งามคอม200
งามคอม200
 
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security ResourcesThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
 
Using ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesUsing ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application Vulnerabilities
 
What a locked down law firm looks like updated
What a locked down law firm looks like updatedWhat a locked down law firm looks like updated
What a locked down law firm looks like updated
 
Implementation Patterns For Software Security Programs
Implementation Patterns For Software Security ProgramsImplementation Patterns For Software Security Programs
Implementation Patterns For Software Security Programs
 
Application Portfolio Risk Ranking: Banishing FUD With Structure and Numbers
Application Portfolio Risk Ranking: Banishing FUD With Structure and NumbersApplication Portfolio Risk Ranking: Banishing FUD With Structure and Numbers
Application Portfolio Risk Ranking: Banishing FUD With Structure and Numbers
 
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile Applications
 

Similar to The Permanent Campaign

Skeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited ApplicationsSkeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited Applications
Denim Group
 
How is Your AppSec Program Doing Compared to Others
How is Your AppSec Program Doing Compared to OthersHow is Your AppSec Program Doing Compared to Others
How is Your AppSec Program Doing Compared to Others
Denim Group
 
ICION 2016 - Cyber Security Governance
ICION 2016 - Cyber Security GovernanceICION 2016 - Cyber Security Governance
ICION 2016 - Cyber Security GovernanceCharles Lim
 
Jump Start Your Application Security Knowledge
Jump Start Your Application Security KnowledgeJump Start Your Application Security Knowledge
Jump Start Your Application Security Knowledge
Denim Group
 
2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...
2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...
2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...
Turja Narayan Chaudhuri
 
Zero Trust and Data Security
Zero Trust and Data SecurityZero Trust and Data Security
Zero Trust and Data Security
Career Communications Group
 
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
Denim Group
 
Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?
Denim Group
 
Implementing AppSec Policies with TeamMentor
Implementing AppSec Policies with TeamMentorImplementing AppSec Policies with TeamMentor
Implementing AppSec Policies with TeamMentor
tmbainjr131
 
eAccess-12 roundtable: Case Studies of Implementing BS 88878
eAccess-12 roundtable: Case Studies of Implementing BS 88878eAccess-12 roundtable: Case Studies of Implementing BS 88878
eAccess-12 roundtable: Case Studies of Implementing BS 88878
Jonathan Hassell
 
Agile Project Failures: Root Causes and Corrective Actions
Agile Project Failures: Root Causes and Corrective ActionsAgile Project Failures: Root Causes and Corrective Actions
Agile Project Failures: Root Causes and Corrective Actions
TechWell
 
Streaming Processes: Creating a Start-up Within a Big Corporate (Mohammad Sha...
Streaming Processes: Creating a Start-up Within a Big Corporate (Mohammad Sha...Streaming Processes: Creating a Start-up Within a Big Corporate (Mohammad Sha...
Streaming Processes: Creating a Start-up Within a Big Corporate (Mohammad Sha...
Executive Leaders Network
 
Owasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing masterOwasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing master
Dinis Cruz
 
Security Program Guidance and Establishing a Culture of Security
Security Program Guidance and Establishing a Culture of SecuritySecurity Program Guidance and Establishing a Culture of Security
Security Program Guidance and Establishing a Culture of Security
Doug Copley
 
Top learnings from evaluating and implementing a DLP Solution
Top learnings from evaluating and implementing a DLP Solution Top learnings from evaluating and implementing a DLP Solution
Top learnings from evaluating and implementing a DLP Solution
Priyanka Aash
 
ch11.ppt
ch11.pptch11.ppt
ch11.ppt
ssuser61ebf5
 
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAEIT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
360 BSI
 
Build an Information Security Strategy
Build an Information Security StrategyBuild an Information Security Strategy
Build an Information Security Strategy
Andrew Byers
 
chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security
elmuhammadmuhammad
 
CIO Summit: Data Security in a Mobile World
CIO Summit: Data Security in a Mobile WorldCIO Summit: Data Security in a Mobile World
CIO Summit: Data Security in a Mobile World
iMIS
 

Similar to The Permanent Campaign (20)

Skeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited ApplicationsSkeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited Applications
 
How is Your AppSec Program Doing Compared to Others
How is Your AppSec Program Doing Compared to OthersHow is Your AppSec Program Doing Compared to Others
How is Your AppSec Program Doing Compared to Others
 
ICION 2016 - Cyber Security Governance
ICION 2016 - Cyber Security GovernanceICION 2016 - Cyber Security Governance
ICION 2016 - Cyber Security Governance
 
Jump Start Your Application Security Knowledge
Jump Start Your Application Security KnowledgeJump Start Your Application Security Knowledge
Jump Start Your Application Security Knowledge
 
2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...
2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...
2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...
 
Zero Trust and Data Security
Zero Trust and Data SecurityZero Trust and Data Security
Zero Trust and Data Security
 
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
 
Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?
 
Implementing AppSec Policies with TeamMentor
Implementing AppSec Policies with TeamMentorImplementing AppSec Policies with TeamMentor
Implementing AppSec Policies with TeamMentor
 
eAccess-12 roundtable: Case Studies of Implementing BS 88878
eAccess-12 roundtable: Case Studies of Implementing BS 88878eAccess-12 roundtable: Case Studies of Implementing BS 88878
eAccess-12 roundtable: Case Studies of Implementing BS 88878
 
Agile Project Failures: Root Causes and Corrective Actions
Agile Project Failures: Root Causes and Corrective ActionsAgile Project Failures: Root Causes and Corrective Actions
Agile Project Failures: Root Causes and Corrective Actions
 
Streaming Processes: Creating a Start-up Within a Big Corporate (Mohammad Sha...
Streaming Processes: Creating a Start-up Within a Big Corporate (Mohammad Sha...Streaming Processes: Creating a Start-up Within a Big Corporate (Mohammad Sha...
Streaming Processes: Creating a Start-up Within a Big Corporate (Mohammad Sha...
 
Owasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing masterOwasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing master
 
Security Program Guidance and Establishing a Culture of Security
Security Program Guidance and Establishing a Culture of SecuritySecurity Program Guidance and Establishing a Culture of Security
Security Program Guidance and Establishing a Culture of Security
 
Top learnings from evaluating and implementing a DLP Solution
Top learnings from evaluating and implementing a DLP Solution Top learnings from evaluating and implementing a DLP Solution
Top learnings from evaluating and implementing a DLP Solution
 
ch11.ppt
ch11.pptch11.ppt
ch11.ppt
 
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAEIT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
 
Build an Information Security Strategy
Build an Information Security StrategyBuild an Information Security Strategy
Build an Information Security Strategy
 
chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security
 
CIO Summit: Data Security in a Mobile World
CIO Summit: Data Security in a Mobile WorldCIO Summit: Data Security in a Mobile World
CIO Summit: Data Security in a Mobile World
 

More from Denim Group

Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4J
Denim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Denim Group
 
Application Asset Management with ThreadFix
Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFix
Denim Group
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20
Denim Group
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
Denim Group
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team Sport
Denim Group
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Denim Group
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Denim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
Denim Group
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Denim Group
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFix
Denim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
Denim Group
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
Denim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
Denim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
Denim Group
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
Denim Group
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
Denim Group
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
Denim Group
 

More from Denim Group (20)

Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4J
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
 
Application Asset Management with ThreadFix
Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFix
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team Sport
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your Organization
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFix
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
 

Recently uploaded

20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Nexer Digital
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
Pierluigi Pugliese
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
nkrafacyberclub
 

Recently uploaded (20)

20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
 

The Permanent Campaign

  • 1. The Permanent Campaign – Driving Software Security Initiatives in the Enterprise John B. Dickson, CISSP © Copyright 2010 Denim Group - All Rights Reserved
  • 2. Personal Background – 15-year information security consultant background – Ex-Air Force security analyst at AFCERT – Trident Data Systems, KPMG, SecureLogix, and Denim Group information security consultant – President of the Alamo Chapter of ISSA – Works with CIO’ s and CSO’s to build successful software security initiatives – Educates non-developer security professionals how to manager application risk © Copyright 2010 Denim Group - All Rights Reserved 1
  • 3. Denim Group Background – Professional services firm that builds & secures enterprise applications – Secure development services: • Secure .NET and Java application development • Post-assessment remediation • Secure web services – Application security services include: • External application assessments • Code reviews • Software development lifecycle development (SDLC) consulting • Classroom and e-Learning instruction for developers © Copyright 2010 Denim Group - All Rights Reserved 2
  • 4. Presentation Overview Background – the Current State of Affairs Characterizing the Landscape Securing Champions Defining Strategy & Initial Standards Executing the Strategy Sustaining the Initiative © Copyright 2010 Denim Group - All Rights Reserved 3
  • 5. Background – the Current State of Affairs • Creating meaningful enterprise-wide software security initiatives is hard – Organizational culture or politics can present more daunting challenges than anything in the technical world • The vast majority of info software security focuses on means to write more secure code or strategies for putting controls around the software development process – Very little is written about how one goes about “winning hearts and minds” – The body of literature assumes corporate buy-in • Building custom software on time, on budget, and without bugs is difficult – Building software on time, on budget, and without bugs is even harder! © Copyright 2010 Denim Group - All Rights Reserved 4
  • 6. Background – the Current State of Affairs • Large and complex organizations have various groups and cultures – this complicates things… – They have groups with cultures that span the spectrum of openness – Mergers and acquisitions and geographic distribution increase this diversity • Large organizations are also likely to have a variety of software development approaches that mirror their organizational diversity – Waterfall, XP, MSF, Agile.... Errr… Fragile • Understand how something called “status quo bias” does not help – The argument of “it hasn’t happened to us” is particularly compelling to C-level executives and senior leaders – Couple this with the current “do more with less” business strategy in the worst recession of our lives – you get the picture © Copyright 2010 Denim Group - All Rights Reserved 5
  • 7. So Given These Realities? ? How does one go about leading the effort to build secure software within large and complex organizations? ? How does one reengineer one of the most complex, tedious set of process that an organization possesses? © Copyright 2010 Denim Group - All Rights Reserved 6
  • 8. Characterizing the Landscape • Five Critical Components – Compliance framework – Cultural norms – SDLCs in place – Artifacts of software security – ID Gap between policy and practice © Copyright 2010 Denim Group - All Rights Reserved 7
  • 9. Characterizing the Landscape – The Compliance Framework • Step 1: Understand the organizational compliance framework • Key Questions: – What are the known regulations or directives that will exert influence on how security should be applied to software? – Who is responsible for monitoring evolving compliance frameworks? – Who audits these regulations, both inside the organization and externally? – How can one use regulations or directives for business justification for a software security initiative? – Does a relationship with the internal audit manager benefit the leader of the software security initiative? © Copyright 2010 Denim Group - All Rights Reserved 8
  • 10. Characterizing the Landscape – Cultural Norms • Step 2: Analyze and understand the culture of different groups building software in your organization • Key Questions: – Why and for whom are they building software? – What are the terms that would best describe each software team? – How would you characterize their leadership environment? • Is it top-down or collaborative? – How do requirements flow to the software development groups? – How receptive are they to new ideas? © Copyright 2010 Denim Group - All Rights Reserved 9
  • 11. Characterizing the Landscape – SDLC’s in place • Step 3: Catalog and understand the different way software is built by teams within your organization • Key Questions: – What formal or informal methodology do the different groups use? – How different are they within each division or operating location? – Why are their approaches different and what projects/products are they working on that influence the choice of development approach? – How long have the different approaches been in place? © Copyright 2010 Denim Group - All Rights Reserved 10
  • 12. Characterizing the Landscape – Artifacts of software security • Step 4: Identify and capture what is already being done in the way of application security • Key Questions: – Who has done what to this point? – Why haven’t they been more successful? – Are external penetration software tests being conducted in others? – Are policies in place regarding software and data security? – Have any of the groups bought tools or put open source tools in place? © Copyright 2010 Denim Group - All Rights Reserved 11
  • 13. Characterizing the Landscape – ID Gap between policy and practice • Step 5: Quantify the gap between what is policy and what is happening in practice with software security • Key Questions: – Is there a gap between what management portrays and is in place in the development teams? – Is it a recurring approach? – Is it consistent across development teams? – Are they aware of benchmarking tools like OpenSAMM? © Copyright 2010 Denim Group - All Rights Reserved 12
  • 14. Securing Champions • Understand and explicitly focus on winning over champions to build a successful software security initiative • Three key stakeholders should be brought into the fold: – CIO and one of his/her peers – A security evangelist in each development team – Internal audit, if relevant… • How does on secure champions? – Lunch and learns – Attack demonstrations – Audit opinions – Telling relevant stories © Copyright 2010 Denim Group - All Rights Reserved 13
  • 15. Defining Strategy & Initial Standards • Conduct a “lightweight” risk assessment of applications to ID the most vulnerable applications for qualitative ranking for decision-making • Conduct a brief risk analysis and rank order the applications from most critical to least critical • Pick on application and conduct a security assessment © Copyright 2010 Denim Group - All Rights Reserved 14
  • 16. Defining Strategy & Initial Standards • Set reasonable goals and to demonstrate future progress • Examples of modest goals – Conduct a ½-day classroom overview of application security concepts – Publish a “Top 10” list of coding standards that reflect fundamental – Remediate one of the applications you assessed earlier in the process. – Implement threat modeling at the early stages of a handful of big projects – Improve one facet of the SDLC to inject a software security “control” • Great resources from which to pull: – OpenSAMM – OWASP Testing Guide – NIST Publications © Copyright 2010 Denim Group - All Rights Reserved 15
  • 17. Executing the Strategy • Focus: Grab attention of development managers and keep their interest • Put champions to work! – ID substantive tasks for them to undertake – Keep them briefed on the software security initiative – Consider a team wiki • Tailor the delivery to the audience – Monitor success – Adapt and adjust as you see fit • Measure goal attainment – The old cliché “what is measured matters” is 100% relevant – Communicate success to the champions, teams, and management © Copyright 2010 Denim Group - All Rights Reserved 16
  • 18. Sustaining the Initiative • Bottom line: Show quick wins, highlight positive behaviors, and do it over and over again, ratcheting up expectations and software security with each iteration • Increase the depth and breadth of activities across the different development teams • Use benchmarks such as OpenSAMM to chart progress • Regular, disciplined update of the regulatory framework must occur • Monitor the market: keep an ear to the ground in the commercial tools arena, as rapid innovation is changing the game • Observe what’s occurring within your organization to determine whether there are new risk areas emerging © Copyright 2010 Denim Group - All Rights Reserved 17
  • 19. Conclusions • Changing the way organizations build software is difficult. Crafting a software security initiative has to methodical and tailored to the organization • Organizational and cultural hurdles are likely to be more challenging than technical – if one understands how to address them, one can have an impact • Implement a sustained effort that highlights wins, publicly praises positive behaviors, and do it over and over again, ratcheting up expectations and software security with each iteration © Copyright 2010 Denim Group - All Rights Reserved 18
  • 20. Contact Information • John B. Dickson, CISSP – john@denimgroup.com – Twitter @johnbdickson www.denimgroup.com © Copyright 2010 Denim Group - All Rights Reserved 19