@NTXISSA
Software Security – My Other Marathon
Harold Toomey
Past President, ISSA North Texas, 2013
Principal Product Security Architect & PSIRT Manager
Intel Security
April 24, 2015
Introduction
• Responsibilities
  • PSIRT Manager
  • Manage a team of 50+ Sr. Security Architects (PSCs)
  • Manage the SDL, policies and PSG program
  • Training program
  • Metrics
• Experience
  • 4 Years: Eng. Software Security
  • 2 Years: IT Operational Security
  • 11 Years: Product Management
  • 10 Years: Software Development (C++)
  • ISSA North Texas Chapter, Past President
  • CISSP, CISA, CISM, CRISC, CGEIT, ITIL, …
  • CVSS Special Interest Group (SIG)
NTX ISSA Cyber Security Conference – April 24-25, 2015 2
Harold Toomey, Principal Product Security Architect
Agenda
• Plot #1: Developing Secure Software
• Plot #2: Running a 100 Mile Ultra Marathon
Which is easier?
Scenario #1 – Secure Software
• 110+ Enterprise and consumer security products
• 4,000+ software engineers
• 200M+ customers
• Someone reports a vulnerability
• Now what?
• How did this happen?
Scenario #2 – 100M Ultra Run
• You gained 50 pounds over the past 10 years
• You hear running gets you healthy again
• You sign up for a 100 mile ultra marathon
• Are you crazy? (yes, of course)
• How long will it take for you to pull this off?
#1 The Development Team
• Executive Support
• Software Engineering Teams
• Product Security Group / PSIRT
• Product Security Champions (PSCs)
• Tier III Technical Support
• Knowledgebase Team
• Extended Team
  • IT, PR, Legal, Training
#2 Your Running Crew
• Supportive spouse
• Trainer
• Running buddies
• Your dog (Roxy)
• Facebook running friends
• Marathon Maniacs
• Race volunteers
• Pacers
#1 PSIRT Process
• Contact engineering network (PSCs)
• Verify the vulnerability
• Score the vulnerability’s severity (CVSS)
• Communicate fix schedule to the discoverer
• Develop and publish the patch
• Publish Security Bulletin
• Next week: “lather, rinse, repeat”
#2 Ultra Training
• Start running
• Sign up for weekend races (milestones)
• Set goals
• Read about it
• Befriend like-minded runners
• Learn by experience (pain)
• Build up to it
#2 Possible Training Goals
• Year 1
  • Run a 5K to see how out of shape you are
  • Run a half marathon after 6 months
  • Run a full marathon after 1 year
• Year 2
  • Run a half marathon or farther every weekend
• Year 3
  • Run an ultra every month, with 2x 100M by end of year
  • Try Sprint and Olympic Ironman Triathlons
• Year 4
  • Run a 100 miler every month (Jun – Feb)
#1 Named Vulnerabilities
Date          Description             # Vuln. Products   SB
8 Apr 2014    Heartbleed              19                 SB10071
2 Jun 2014    Heartbleed II           22                 SB10075
24 Sep 2014   Shellshock/BASH         23                 SB10085
14 Oct 2014   POODLE                  28                 SB10090
14 Oct 2014   3 SSLv3 CVEs            15                 SB10091
27 Jan 2015   GHOST                   28                 SB10100
4 Mar 2015    FREAK                   3                  SB10108
19 Mar 2015   14 OpenSSL CVEs         22                 SB10110
Summer 2015   OpenSSL Security Audit  TBD                TBD
“OpenSSL: The gift that keeps on giving.”
#2 Popular/Local Races
• Boston Marathon (20 Apr 2015)
• Badwater 135 (28-30 July 2015)
• Big Cedar 100M (30-31 Oct 2015)
• Brazos Bend 100M (11-12 Dec 2015)
• Rocky Raccoon 100M (1-2 Feb 2016)
#1 Doing the Basics
1. Minimum SDL activities
2. Compile with security flags set
3. Remove banned C/C++ functions
4. Fix high severity vulnerabilities
5. Complete Static/Dynamic Analysis/Fuzzing
6. Manual code reviews
7. Validate inputs
8. Build in privacy/protect PII
9. Remove debugging code
10. Scan for viruses/malware
11. Don’t implement backdoors
#2 Doing the Basics
• You can’t outrun a bad diet
  • 15% Exercise
  • 85% Diet
• Sleep
• Regular run schedule
• Buy good equipment
• Positive attitude (“Never give up”), but
• Never run on an injury
#1 Proactive Measures – Waterfall
• SDL
SDL activity groups across the lifecycle: Security Assessment | Architecture | Design & Development | Ship | Post-Release, Legacy, & M&A
Product lifecycle phases: S0 Concept | S1 Planning | S2 Design & Development | S3 Readiness | S4 Release & Launch | S5 Support & Sustain
S0 – Concept
• Product security team is looped in early (Product Security Group & Product Security Champions)
• Product security team hosts a discovery meeting
• Product security team creates an SDL project plan (states what further work will be done)
• Product team initiates a Privacy Impact Assessment (PIA)
S1 – Planning
• S1 Security Plan
• SDL policy assessment & scoping
• Threat modeling / architecture security analysis
• Privacy information gathering and analysis
S2 – Design & Development
• S2 Security Plan
• Security test plan composition
• Static analysis
• Threat model updating
• Design security analysis & review
• Secure coding
• Privacy implementation assessment
S3 – Readiness
• S3 Security Plan
• Security test case execution
• Static analysis
• Dynamic analysis
• Fuzz testing
• Manual code review
• Privacy validation and remediation
S4 – Release & Launch
• S4 Security Plan
• Final security review
• Vulnerability scan
• Penetration test
• Open source licensing review
• Final privacy review
S5 – Support & Sustain
• External vulnerability disclosure response (PSIRT)
• Reviews by 3rd party service contractors
• Post-release certifications
• Internal review for new product combinations or cloud deployment
• Security architectural reviews & tool-based assessments of legacy and M&A products
#1 Proactive Measures – Agile
• Sprint
• User/abuser stories (chewable design bites)
• Potentially Shippable Increments (PSI)
#2 Proactive Measures
• Heart Rate
• Muscle Fatigue
• Pain Killers
• Breathing
• Timing
#1 Learn from Pain
• Lessons Learned from Heartbleed
  • New “Crisis Scenario” policy
  • Updated security bulletin template
  • Product buckets
  • Customer communication policy
  • Shared technology inventory
  • Early notification expectations
  • PSIRT process training
#2 Learn from Pain
• Countermeasures
  • Advil
  • Bandages
  • Body Glide
  • Mustard
• Weather
  • Sun screen
  • Mosquito repellent
• Course Review
#1 Do it Better
Level of Maturity (PSMM Phase): None → Initial → Basic → Acceptable → Mature
None
• Frequent attacks
• No reviews
• No constraints
• Email tracking
Initial
• Major attack vectors addressed
• Freeware tools used
• Standard awareness
Basic
• Major releases threat modeled
• All primary tools used
• BlackDuck
• Standards adopted
• PSIRT XLS
Acceptable
• All releases threat modeled
• Defect rates decreasing
• Fuzzing scripts written
• Accept risks of open source
• Tracking DB w/dashboard
Mature
• Preventive measures modeling
• Defect rates near 0
• Best-in-class tools
• All products pen tested
• Open source SLAs
• Standards adapted to environment
• Metrics integrated into risk mgt. tools
#1 PS Maturity Model Parameters
Operational
1. Program
2. Process
3. Resources
4. Training
5. Security Reviews
6. Tools
7. PSIRT
8. SDL
9. Policy
10. Privacy
11. Certification
12. M&A
13. Extended Team
Technical
14. Threat Modeling / Architecture Reviews
15. Static Analysis
16. Dynamic Analysis (Web Apps)
17. Fuzz Testing
18. Vulnerability Scans / Penetration Testing
19. Manual Code Reviews
20. Secure Coding Standards
21. Open Source / 3rd Party Libraries
22. Tracking Tools
#2 Push Farther / Faster
• Distance (miles in parentheses)
  1. 5K (3.1)
  2. 10K (6.2)
  3. ½ Marathon (13.1)
  4. Marathon (26.2)
  5. 50K (31.1)
  6. 50M
  7. 100K (62.2)
  8. 100M
  9. 72 Hour Endurance
• Speed
  • 6:00 Marathon Limit (US)
  • 5:00 Marathon Limit (EU)
  • 4:00 Marathon (25%)
  • 3:30 Boston Qualifier
  • 2:00 Marathon Glass Ceiling (2:03:23)
  • 12:00 100M USA Record (11:59:28)
#1 Metrics
#2 Measuring Progress
Continual Evolution
• There is always a better way – find it
#1 The Reward
• Secure code = Less fire stomping (PSIRT)
• Customer satisfaction = Increased business
• Protects the brand
• Meets compliance requirements
#2 The Reward
Finishing the Hawk Hundred
13 Sep 2014, Finish Time: 31:38
Finishing the Brazos Bend 100
13 Dec 2014, Finish Time: 28:22
Conclusion
• Plot #1: Developing Secure Software
• Plot #2: Running a 100 Mile Ultra Marathon
Which is easier?
Q&A
Harold Toomey
Principal Product Security Architect
Product Security Group
Intel Security
Harold_Toomey@IntelSecurity.com
(801) 830-9987
The Collin College Engineering Department
Collin College Student Chapter of the North Texas ISSA
North Texas ISSA (Information Systems Security Association)
Thank you

Ntxissacsc5 blue 4-the-attack_life_cycle_erich_mueller
North Texas Chapter of the ISSA
 
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomey
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomeyNtxissacsc5 blue 2-herding cats and security tools-harold_toomey
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomey
North Texas Chapter of the ISSA
 
Ntxissacsc5 blue 1-nine cybersecurity habits-george_finney
Ntxissacsc5 blue 1-nine cybersecurity habits-george_finneyNtxissacsc5 blue 1-nine cybersecurity habits-george_finney
Ntxissacsc5 blue 1-nine cybersecurity habits-george_finney
North Texas Chapter of the ISSA
 

More from North Texas Chapter of the ISSA (20)

Purple seven-ntxissacsc5 walcutt
Purple seven-ntxissacsc5 walcuttPurple seven-ntxissacsc5 walcutt
Purple seven-ntxissacsc5 walcutt
 
Ntxissacsc5 yellow 7 protecting the cloud with cep
Ntxissacsc5 yellow 7 protecting the cloud with cepNtxissacsc5 yellow 7 protecting the cloud with cep
Ntxissacsc5 yellow 7 protecting the cloud with cep
 
Ntxissacsc5 gold 4 beyond detection and prevension remediation
Ntxissacsc5 gold 4 beyond detection and prevension   remediationNtxissacsc5 gold 4 beyond detection and prevension   remediation
Ntxissacsc5 gold 4 beyond detection and prevension remediation
 
Ntxissacsc5 gold 1 mimecast e mail resiliency
Ntxissacsc5  gold 1 mimecast e mail resiliencyNtxissacsc5  gold 1 mimecast e mail resiliency
Ntxissacsc5 gold 1 mimecast e mail resiliency
 
Ntxissacsc5 yellow 6-abusing protocols for dynamic addressing in space-jacenr...
Ntxissacsc5 yellow 6-abusing protocols for dynamic addressing in space-jacenr...Ntxissacsc5 yellow 6-abusing protocols for dynamic addressing in space-jacenr...
Ntxissacsc5 yellow 6-abusing protocols for dynamic addressing in space-jacenr...
 
Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1
Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1
Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1
 
Ntxissacsc5 yellow 1-beginnerslinux bill-petersen
Ntxissacsc5 yellow 1-beginnerslinux bill-petersenNtxissacsc5 yellow 1-beginnerslinux bill-petersen
Ntxissacsc5 yellow 1-beginnerslinux bill-petersen
 
Ntxissacsc5 red 6-diy-pentest-lab dustin-dykes
Ntxissacsc5 red 6-diy-pentest-lab dustin-dykesNtxissacsc5 red 6-diy-pentest-lab dustin-dykes
Ntxissacsc5 red 6-diy-pentest-lab dustin-dykes
 
Ntxissacsc5 red 1 & 2 basic hacking tools ncc group
Ntxissacsc5 red 1 & 2   basic hacking tools ncc groupNtxissacsc5 red 1 & 2   basic hacking tools ncc group
Ntxissacsc5 red 1 & 2 basic hacking tools ncc group
 
Ntxissacsc5 purple 5-insider threat-_andy_thompson
Ntxissacsc5 purple 5-insider threat-_andy_thompsonNtxissacsc5 purple 5-insider threat-_andy_thompson
Ntxissacsc5 purple 5-insider threat-_andy_thompson
 
Ntxissacsc5 purple 4-threat detection using machine learning-markszewczul
Ntxissacsc5 purple 4-threat detection using machine learning-markszewczulNtxissacsc5 purple 4-threat detection using machine learning-markszewczul
Ntxissacsc5 purple 4-threat detection using machine learning-markszewczul
 
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptx
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptxNtxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptx
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptx
 
Ntxissacsc5 purple 1-eu-gdpr_patrick_florer
Ntxissacsc5 purple 1-eu-gdpr_patrick_florerNtxissacsc5 purple 1-eu-gdpr_patrick_florer
Ntxissacsc5 purple 1-eu-gdpr_patrick_florer
 
Ntxissacsc5 gold 1--mimecast email resiliency- erez-haimowicz
Ntxissacsc5 gold 1--mimecast email resiliency- erez-haimowiczNtxissacsc5 gold 1--mimecast email resiliency- erez-haimowicz
Ntxissacsc5 gold 1--mimecast email resiliency- erez-haimowicz
 
Ntxissacsc5 blue 7-zerotrust more effective approach to security-ed higgins
Ntxissacsc5 blue 7-zerotrust more effective approach to security-ed higginsNtxissacsc5 blue 7-zerotrust more effective approach to security-ed higgins
Ntxissacsc5 blue 7-zerotrust more effective approach to security-ed higgins
 
Ntxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeq
Ntxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeqNtxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeq
Ntxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeq
 
Ntxissacsc5 blue 3-shifting from incident to continuous response bill white
Ntxissacsc5 blue 3-shifting from  incident to continuous response bill whiteNtxissacsc5 blue 3-shifting from  incident to continuous response bill white
Ntxissacsc5 blue 3-shifting from incident to continuous response bill white
 
Ntxissacsc5 blue 4-the-attack_life_cycle_erich_mueller
Ntxissacsc5 blue 4-the-attack_life_cycle_erich_muellerNtxissacsc5 blue 4-the-attack_life_cycle_erich_mueller
Ntxissacsc5 blue 4-the-attack_life_cycle_erich_mueller
 
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomey
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomeyNtxissacsc5 blue 2-herding cats and security tools-harold_toomey
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomey
 
Ntxissacsc5 blue 1-nine cybersecurity habits-george_finney
Ntxissacsc5 blue 1-nine cybersecurity habits-george_finneyNtxissacsc5 blue 1-nine cybersecurity habits-george_finney
Ntxissacsc5 blue 1-nine cybersecurity habits-george_finney
 

Recently uploaded

This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!
nirahealhty
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
JeyaPerumal1
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
3ipehhoa
 
Output determination SAP S4 HANA SAP SD CC
Output determination SAP S4 HANA SAP SD CCOutput determination SAP S4 HANA SAP SD CC
Output determination SAP S4 HANA SAP SD CC
ShahulHameed54211
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
laozhuseo02
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
laozhuseo02
 
ER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAEER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAE
Himani415946
 
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptxLiving-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
TristanJasperRamos
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
Rogerio Filho
 
Latest trends in computer networking.pptx
Latest trends in computer networking.pptxLatest trends in computer networking.pptx
Latest trends in computer networking.pptx
JungkooksNonexistent
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
Gal Baras
 
test test test test testtest test testtest test testtest test testtest test ...
test test  test test testtest test testtest test testtest test testtest test ...test test  test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
Arif0071
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Sanjeev Rampal
 
BASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptxBASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptx
natyesu
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
3ipehhoa
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
3ipehhoa
 

Recently uploaded (16)

This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
 
Output determination SAP S4 HANA SAP SD CC
Output determination SAP S4 HANA SAP SD CCOutput determination SAP S4 HANA SAP SD CC
Output determination SAP S4 HANA SAP SD CC
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
 
ER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAEER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAE
 
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptxLiving-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
 
Latest trends in computer networking.pptx
Latest trends in computer networking.pptxLatest trends in computer networking.pptx
Latest trends in computer networking.pptx
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
 
test test test test testtest test testtest test testtest test testtest test ...
test test  test test testtest test testtest test testtest test testtest test ...test test  test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
 
BASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptxBASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptx
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
 

NTXISSACSC2 - Software Security - My Other Marathon by Harold Toomey

1. Software Security – My Other Marathon
@NTXISSA
Harold Toomey
Past President, ISSA North Texas, 2013
Principal Product Security Architect & PSIRT Manager, Intel Security
April 24, 2015

2. Introduction
• Responsibilities
  • PSIRT Manager
  • Manage a team of 50+ Sr. Security Architects (PSCs)
  • Manage the SDL, policies and PSG program
  • Training program
  • Metrics
• Experience
  • 4 Years: Eng. Software Security
  • 2 Years: IT Operational Security
  • 11 Years: Product Management
  • 10 Years: Software Development (C++)
• ISSA North Texas Chapter, Past President
• CISSP, CISA, CISM, CRISC, CGEIT, ITIL, …
• CVSS Special Interest Group (SIG)
Harold Toomey, Principal Product Security Architect
NTX ISSA Cyber Security Conference – April 24-25, 2015

3. Agenda
• Plot #1: Developing Secure Software
• Plot #2: Running a 100 Mile Ultra Marathon
Which is easier?

4. Scenario #1 – Secure Software
• 110+ Enterprise and consumer security products
• 4,000+ software engineers
• 200M+ customers
• Someone reports a vulnerability
• Now what?
• How did this happen?

5. Scenario #2 – 100M Ultra Run
• You gained 50 pounds over the past 10 years
• You hear running gets you healthy again
• You sign up for a 100 mile ultra marathon
• Are you crazy? (yes, of course)
• How long will it take for you to pull this off?

6. #1 The Development Team
• Executive Support
• Software Engineering Teams
• Product Security Group / PSIRT
• Product Security Champions (PSCs)
• Tier III Technical Support
• Knowledgebase Team
• Extended Team
  • IT, PR, Legal, Training

7. #2 Your Running Crew
• Supportive spouse
• Trainer
• Running buddies
• Your dog (Roxy)
• Facebook running friends
• Marathon Maniacs
• Race volunteers
• Pacers

8. #1 PSIRT Process
• Contact engineering network (PSCs)
• Verify the vulnerability
• Score the vulnerability’s severity (CVSS)
• Communicate fix schedule to the discoverer
• Develop and publish the patch
• Publish Security Bulletin
• Next week: “lather, rinse, repeat”
9. #2 Ultra Training
• Start running
• Sign up for weekend races (milestones)
• Set goals
• Read about it
• Befriend like-minded runners
• Learn by experience (pain)
• Build up to it

10. #2 Possible Training Goals
• Year 1
  • Run a 5K to see how out of shape you are
  • Run a half marathon after 6 months
  • Run a full marathon after 1 year
• Year 2
  • Run a half marathon or farther every weekend
• Year 3
  • Run an ultra every month, with 2x 100M by end of year
  • Try Sprint and Olympic Ironman Triathlons
• Year 4
  • Run a 100 miler every month (Jun – Feb)

11. #1 Named Vulnerabilities
Date         Description             # Vuln. Products   SB
8 Apr 2014   Heartbleed              19                 SB10071
2 Jun 2014   Heartbleed II           22                 SB10075
24 Sep 2014  Shellshock/BASH         23                 SB10085
14 Oct 2014  POODLE                  28                 SB10090
14 Oct 2014  3 SSLv3 CVEs            15                 SB10091
27 Jan 2015  GHOST                   28                 SB10100
4 Mar 2015   FREAK                   3                  SB10108
19 Mar 2015  14 OpenSSL CVEs         22                 SB10110
Summer 2015  OpenSSL Security Audit  TBD                TBD
“OpenSSL: The gift that keeps on giving.”

12. #2 Popular/Local Races
• Boston Marathon (20 Apr 2015)
• Badwater 135 (28-30 July 2015)
• Big Cedar 100M (30-31 Oct 2015)
• Brazos Bend 100M (11-12 Dec 2015)
• Rocky Raccoon 100M (1-2 Feb 2016)

13. #1 Doing the Basics
1. Minimum SDL activities
2. Compile with security flags set
3. Remove banned C/C++ functions
4. Fix high severity vulnerabilities
5. Complete Static/Dynamic Analysis/Fuzzing
6. Manual code reviews
7. Validate inputs
8. Build in privacy/protect PII
9. Remove debugging code
10. Scan for viruses/malware
11. Don’t implement backdoors
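Item 3 on slide 13, removing banned C/C++ functions, is usually enforced with a scanner in the build or review pipeline. The following is an added example, not the deck's or Intel Security's tooling: a small scanner that reports calls to banned functions in C/C++ source while ignoring names that only appear in comments or string literals, and that does not confuse strcpy_s or my_strcpy with strcpy. The banned list and the suggested replacements are an assumed policy (a subset of the names on Microsoft's SDL banned.h list); the sample source is constructed for the example.

```python
"""Banned C/C++ function scanner (added example; not the deck's or Intel Security's tooling)."""
import re

# Assumed policy: a subset of the names on Microsoft's SDL banned.h list, with the
# replacement a reviewer would suggest. Real policies are longer and project-specific.
BANNED = {
    "strcpy": "strcpy_s or strlcpy with an explicit destination size",
    "strncpy": "strncpy_s (strncpy does not guarantee NUL termination)",
    "strcat": "strcat_s or strlcat",
    "strncat": "strncat_s",
    "sprintf": "snprintf or sprintf_s",
    "vsprintf": "vsnprintf or vsprintf_s",
    "gets": "fgets with a bounded buffer",
    "scanf": "scanf_s, or fgets followed by sscanf_s with field widths",
    "sscanf": "sscanf_s with field widths",
}

# \b keeps strcpy_s and my_strcpy from matching; \s*\( requires an actual call.
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, BANNED)) + r")\s*\(")


def strip_comments_and_strings(line, in_block_comment):
    """Blank out string/char literals, // comments and /* */ comments so a banned
    name inside a comment or a log message is not reported.
    Returns (remaining code, whether a block comment is still open)."""
    out = []
    i = 0
    quote = None
    while i < len(line):
        if in_block_comment:
            if line.startswith("*/", i):
                in_block_comment = False
                i += 2
            else:
                i += 1
            continue
        ch = line[i]
        if quote:
            if ch == "\\":          # skip the escaped character
                i += 2
                continue
            if ch == quote:
                quote = None
            i += 1
            continue
        if line.startswith("//", i):
            break                   # rest of the line is a comment
        if line.startswith("/*", i):
            in_block_comment = True
            i += 2
            continue
        if ch in "\"'":
            quote = ch
            out.append(" ")         # keep a separator where the literal was
            i += 1
            continue
        out.append(ch)
        i += 1
    return "".join(out), in_block_comment


def scan_source(source):
    """Return [(line_number, banned_name, suggested_replacement), ...] for C/C++ text."""
    findings = []
    in_block_comment = False
    for lineno, raw in enumerate(source.splitlines(), start=1):
        code, in_block_comment = strip_comments_and_strings(raw, in_block_comment)
        for match in CALL_RE.finditer(code):
            name = match.group(1)
            findings.append((lineno, name, BANNED[name]))
    return findings


# Constructed sample input (not real product code).
SAMPLE = """\
#include <stdio.h>
#include <string.h>
/* legacy note: strcpy(a, b) mentioned here is only a comment */
void greet(const char *name) {
    char buf[32];
    strcpy(buf, name);                 /* unbounded copy: flagged */
    printf("hello strcpy(%s)\\n", buf); // name inside a string literal: not flagged
    sprintf(buf, "%s!", name);         /* unbounded format: flagged */
    strcpy_s(buf, sizeof buf, name);   /* bounded variant: not flagged */
    my_strcpy(buf, name);              /* different identifier: not flagged */
}
"""

if __name__ == "__main__":
    for lineno, name, fix in scan_source(SAMPLE):
        print(f"line {lineno}: banned call {name}(); use {fix}")
```

On the constructed sample it reports lines 6 and 8 only. A scanner like this is a gate, not a proof: a call through a function pointer or a macro that expands to strcpy is not seen, which is why the slide pairs this item with static analysis, fuzzing and manual review.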
14. #2 Doing the Basics
• You can’t outrun a bad diet
  • 15% Exercise
  • 85% Diet
• Sleep
• Regular run schedule
• Buy good equipment
• Positive attitude (“Never give up”), but
• Never run on an injury

15. #1 Proactive Measures – Waterfall
SDL stages: S0 Security Assessment, S1 Architecture, S2–S3 Design & Development, S4 Ship, S5 Post-Release, Legacy, & M&A
Product life cycle phases they align with: 0 Concept, 1 Planning, 2 Design & Development, 3 Readiness, 4 Release & Launch, 5 Support & Sustain
• S0 Security Assessment
  • Product security team is looped in early (Product Security Group & Product Security Champions)
  • Product security team hosts a discovery meeting
  • Product security team creates an SDL project plan (states what further work will be done)
  • Product team initiates a Privacy Impact Assessment (PIA)
• S1 Security Plan
  • SDL policy assessment & scoping
  • Threat modeling / architecture security analysis
  • Privacy information gathering and analysis
• S2 Security Plan
  • Security test plan composition
  • Static analysis
  • Threat model updating
  • Design security analysis & review
  • Secure coding
  • Privacy implementation assessment
• S3 Security Plan
  • Security test case execution
  • Static analysis
  • Dynamic analysis
  • Fuzz testing
  • Manual code review
  • Privacy validation and remediation
• S4 Security Plan
  • Final security review
  • Vulnerability scan
  • Penetration test
  • Open source licensing review
  • Final privacy review
• S5 Post-Release, Legacy, & M&A
  • External vulnerability disclosure response (PSIRT)
  • Reviews by 3rd party service contractors
  • Post-release certifications
  • Internal review for new product combinations or cloud deployment
  • Security architectural reviews & tool-based assessments of legacy and M&A products

16. #1 Proactive Measures – Agile
• Sprint
• User/abuser stories (chewable design bites)
• Potentially Shippable Increments (PSI)

17. #2 Proactive Measures
• Heart Rate
• Muscle Fatigue
• Pain Killers
• Breathing
• Timing

18. #1 Learn from Pain
• Lessons Learned from Heartbleed
  • New “Crisis Scenario” policy
  • Updated security bulletin template
  • Product buckets
  • Customer communication policy
  • Shared technology inventory
  • Early notification expectations
  • PSIRT process training
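Two of the Heartbleed lessons on slide 18, the shared technology inventory and the product buckets, only pay off if the inventory can be queried the day a named bug lands. The following is an added example, not code from the deck or from Intel Security: an OpenSSL version parser that sorts products into the three consolidated-bulletin buckets the post-mortem in the editor's notes describes (Vulnerable, Not Vulnerable, Being Investigated). The affected range is the published one for CVE-2014-0160 (OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g; the affected 1.0.2 beta builds are not modelled). The inventory is constructed with hypothetical product names.

```python
"""OpenSSL version range check for a shared-technology inventory (added example)."""
import re

# OpenSSL's pre-1.1.1 scheme: major.minor.fix plus a letter suffix for patch releases
# (1.0.1, 1.0.1a ... 1.0.1z, then 1.0.1za). The suffixes sort lexicographically.
OPENSSL_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


def parse_openssl_version(text):
    """'1.0.1f' -> (1, 0, 1, 'f'); '1.0.1' -> (1, 0, 1, ''), which sorts before 'a'."""
    m = OPENSSL_VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognized OpenSSL version: {text!r}")
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


# Published affected range for CVE-2014-0160 (Heartbleed): 1.0.1 through 1.0.1f,
# fixed in 1.0.1g. (1.0.2-beta1 was also affected; beta builds are not modelled here.)
HEARTBLEED_RANGE = (parse_openssl_version("1.0.1"), parse_openssl_version("1.0.1f"))


def is_affected(version_text, affected_range):
    """True when the bundled OpenSSL version falls inside the inclusive range."""
    low, high = affected_range
    return low <= parse_openssl_version(version_text) <= high


def bucket_products(inventory, affected_range):
    """Sort products into the three bulletin buckets; unknown version -> Being Investigated."""
    buckets = {"Vulnerable": [], "Not Vulnerable": [], "Being Investigated": []}
    for product, version_text in sorted(inventory.items()):
        if version_text is None:
            buckets["Being Investigated"].append(product)
        elif is_affected(version_text, affected_range):
            buckets["Vulnerable"].append(product)
        else:
            buckets["Not Vulnerable"].append(product)
    return buckets


def render_bulletin_section(buckets):
    """Plain-text bucket listing in the shape of a consolidated bulletin."""
    lines = []
    for name in ("Vulnerable", "Not Vulnerable", "Being Investigated"):
        lines.append(f"{name}:")
        if buckets[name]:
            lines.extend(f"  - {product}" for product in buckets[name])
        else:
            lines.append("  (none)")
    return "\n".join(lines)


# Constructed inventory with hypothetical product names: product -> bundled OpenSSL
# version, or None when the shared-technology inventory has no record yet.
INVENTORY = {
    "Example Gateway 7.5": "1.0.1e",
    "Example Endpoint 10.2": "0.9.8y",
    "Example Console 5.1": "1.0.1g",
    "Example Appliance 3.0": None,
    "Example Agent 4.8": "1.0.0l",
}

if __name__ == "__main__":
    print(render_bulletin_section(bucket_products(INVENTORY, HEARTBLEED_RANGE)))
```

The check is only as good as the inventory: a product that statically links its own OpenSSL copy, or that ships a vendor-patched 1.0.1e with the fix backported, needs a manual entry rather than a version compare, and per the post-mortem the "Being Investigated" bucket is published only when customers can readily tell the component is present.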
19. #2 Learn from Pain
• Countermeasures
  • Advil
  • Bandages
  • Body Glide
  • Mustard
• Weather
  • Sunscreen
  • Mosquito repellent
• Course Review

20. #1 Do it Better
Product Security Maturity Model (PSMM): level of maturity by phase
• None
  • Frequent attacks
  • No reviews
  • No constraints
  • Email tracking
• Initial
  • Major attack vectors addressed
  • Freeware tools used
  • Standard awareness
• Basic
  • Major releases threat modeled
  • All primary tools used
  • BlackDuck
  • Standards adopted
  • PSIRT XLS
• Acceptable
  • All releases threat modeled
  • Defect rates decreasing
  • Fuzzing scripts written
  • Accept risks of open source
  • Tracking DB w/dashboard
• Mature
  • Preventive measures modeling
  • Defect rates near 0
  • Best-in-class tools
  • All products pen tested
  • Open source SLAs
  • Standards adapted to environment
  • Metrics integrated into risk mgt. tools

21. #1 PS Maturity Model Parameters
• Operational
  1. Program
  2. Process
  3. Resources
  4. Training
  5. Security Reviews
  6. Tools
  7. PSIRT
  8. SDL
  9. Policy
  10. Privacy
  11. Certification
  12. M&A
  13. Extended Team
• Technical
  14. Threat Modeling / Architecture Reviews
  15. Static Analysis
  16. Dynamic Analysis (Web Apps)
  17. Fuzz Testing
  18. Vulnerability Scans / Penetration Testing
  19. Manual Code Reviews
  20. Secure Coding Standards
  21. Open Source / 3rd Party Libraries
  22. Tracking Tools

22. #2 Push Farther / Faster
• Distance
  1. 5K (3.1 mi)
  2. 10K (6.2 mi)
  3. ½ Marathon (13.1 mi)
  4. Marathon (26.2 mi)
  5. 50K (31.1 mi)
  6. 50M
  7. 100K (62.1 mi)
  8. 100M
  9. 72 Hour Endurance
• Speed
  • 6:00 Marathon Limit (US)
  • 5:00 Marathon Limit (EU)
  • 4:00 Marathon (25%)
  • 3:30 Boston Qualifier
  • 2:00 Marathon Glass Ceiling (2:03:23)
  • 12:00 100M USA Record (11:59:28)

23. #1 Metrics
(no text on slide)

24. #2 Measuring Progress
(no text on slide)

25. Continual Evolution
• There is always a better way – find it

26. #1 The Reward
• Secure code = Less fire stomping (PSIRT)
• Customer satisfaction = Increased business
• Protects the brand
• Meets compliance requirements

27. #2 The Reward
(no text on slide)

28. Finishing the Hawk Hundred
13 Sep 2014, Finish Time: 31:38

29. Finishing the Brazos Bend 100
13 Dec 2014, Finish Time: 28:22

30. Conclusion
• Plot #1: Developing Secure Software
• Plot #2: Running a 100 Mile Ultra Marathon
Which is easier?

31. Q&A
Harold Toomey
Principal Product Security Architect
Product Security Group
Intel Security
Harold_Toomey@IntelSecurity.com
(801) 830-9987

32. Thank you
The Collin College Engineering Department
Collin College Student Chapter of the North Texas ISSA
North Texas ISSA (Information Systems Security Association)

Editor's Notes

  1. Good morning. My name is Harold Toomey. I work for Intel Security. I attended the first Cyber Security Conference last year and wanted to contribute more this year, so here I am. I have worked for McAfee/Intel Security for the past 9 years. Before that I worked for Symantec for 8 years. For the past 4 years I have worked in software security. I manage our PSIRT team as well as other SDL programs.
  2. “Product Security is like running a marathon. It’s not a sprint. Prepare for the long haul.”
  3. Redshirts: “Well gentlemen, you’re all going to die.”
  Product Security Champions (PSCs)
  Qualification:
    • A minimum of 3-5 years software development experience (architects preferred)
    • A passion for or background in software security
    • Approved by the BU General Manager & BU PSC Lead
    • Dedicate 10% - 20% of their time doing product security tasks
    • Time to be trained in software security, tools, plans, and processes
    • Must not only know how to develop (build) software, but also know how to deconstruct it (take it apart) while “thinking like a hacker”
  Responsibilities:
    • Enforce the SDL: Assist the PSG in assuring the security tenets of confidentiality, integrity, availability, and privacy are adhered to
    • Reviews: Assist the PSG’s software security architects in conducting architecture security analysis, reviews, and threat modeling
    • Escalations: Assist with Security Bulletins and patches for externally disclosed vulnerabilities (PSIRT)
    • Tools Expert: e.g. static, dynamic (which includes fuzzing), within each product development team and/or business unit (BU)
    • Collocated: Be the eyes, ears, and advocate of the PSG within each product development team / BU
    • Attend Meetings: Participate in weekly Admin / Technical meetings as a team
  4. OpenSSL Facts
  April 8, 2014: the Heartbleed OpenSSL vulnerability was announced. This vulnerability went undetected for several years. OpenSSL is widely used in the public. We have seen it used in ¼ of our products. In 2012 & 2013, we only saw one (1) OpenSSL vulnerability per year. Then, in April 2014 we saw our first cutely named vulnerability, “Heartbleed”. Every quarter since then we have seen a new named OpenSSL vulnerability. We call OpenSSL “The gift that keeps on giving.” We expect to see more OpenSSL vulnerabilities. Cryptography Services, a part of the Linux Foundation's Core Infrastructure Initiative (CII), has begun an extensive audit of OpenSSL security. Preliminary results of the audit could be out by the beginning of the summer, Cryptography Services said. http://gcn.com/blogs/cybereye/2015/03/openssl-audit.aspx
  Linux/UNIX
  The crisis created by the Heartbleed bug fed into our concern about open source software overall. I am sure you have all heard of other named vulnerabilities, such as Shellshock and GHOST. Both have a CVSS score of 10.0. Both primarily impact Linux and UNIX systems. Shellshock affected only the Linux and Unix operating systems. This vulnerability allows malicious code execution within the Bash shell. GHOST was caused by a Linux glibc library vulnerability. It allows attackers to remotely take complete control of the target system without having any prior knowledge of system credentials.
  5. Definitions
    • Static Analysis: a method of examining software at compile time, reporting potential defects
    • Dynamic Analysis: a method of examining software at runtime, by executing the code over multiple test cases
    • Fuzz Testing: providing unexpected, invalid, or random data to an application with the intention of triggering a bug
  6. Heartbleed Post-Mortem: Listing All Products in Advisories (Post-Mortem = Retrospective)
  Problem
    • Policy states only publish a security bulletin if there is a patch or workaround (something actionable).
    • Customers demand to know immediately if their products are vulnerable or not to highly publicized named vulnerabilities.
  Facts
    • April 8, 2014: the Heartbleed OpenSSL vulnerability was announced. This vulnerability went undetected for several years.
    • OpenSSL is widely used in the public. We have seen it used in ¼ of our products.
  Lessons Learned
    • Created a shared technologies security bulletin template
    • Updated PSIRT Procedures with the “Crisis Scenario” for publicly known high-severity vulnerabilities affecting multiple products
    • Consolidated Security Bulletin listing all enterprise products into buckets
      • “Being Investigated” bucket only used if vulnerability is readily identified by customers
    • Shared technology inventory needed
    • What you can tell customers
      • Policy on communicating products known “Not Vulnerable”
      • “Not Patched Yet” exception
    • SNS Expectations: Early Notification
  7. Measuring How Well Teams Do Product Security: The Intel Security Product Security Maturity Model (PSMM)
  Problem
    • We have an SDL. It is well defined for both waterfall and agile. How well are the product teams following it?
  Facts
    • This metric indicates how well the BUs are implementing the product security program.
  Lessons Learned
    • We designed our own MM to match our SDL
    • Engineers asked for a spreadsheet with drop-downs so they can easily rate their product teams
    • Automation
    • Peer review
  8. PSMM Parameters
  Our simple maturity model categorizes 22 parameters into two categories: Operational for the program and Technical for the engineers.
    • Operational: Program, Process, Resources, Training, Security Reviews, Tools, PSIRT, SDL, Policy, Privacy, Certification, M&A, Extended Team
    • Technical: Threat Modeling / Architecture Reviews, Static Analysis, Dynamic Analysis (Web Apps), Fuzz Testing, Vulnerability Scans / Penetration Testing, Manual Code Reviews, Secure Coding Standards, Open Source / 3rd Party Libraries, Tracking Tools
  9. 100-Mile American Record Smashed: on October 4, 2013 Jon Olsen ran 11:59:28 to break the 24-year-old record.
  10. May vary by individual. I feel an Ultra is easier since, unlike software security, it has an end … until you sign up for another ultra.