The maturity on securing network and system infrastructures has been the key focus and application security was mostly overlooked. In the slides I try to give a quick and crisp brief on why application security practices are important and how to embark on application security assurance programs

1. Walls of Steel, Doors
of Wood
RELEVANCE OF APPLICATION SECURITY
By Abdul Jaleel

2. Agenda
 Speaker Intro
 Statistics, Top Vulnerabilities and Risks in Application and Software Supply
Chain
 Answering the What, Who, Why and How of Application Security
 Frameworks and Best Practices
 Examples

3. Speaker intro
Name : Abdul jaleel
Academics : MBA , BS(Cs)
Certifications : CCISO, CISM, CISSP, CEH, ITIL….
Industry experience : IT, Retail, Banking and Utilities(overall 15 years)
Present role : Sr. Information Security Officer
Functions : InfoSec Strategy, Governance, Assurance and Risk Mgmt.
*Disclaimer : All content presented is speaker’s views.

4. Interesting statistics
of websites have some vulnerability*78%
60% of application vulnerabilities can be exploited in < 30 mins **<30
1 bug per 1000 lines of code (kloc)***
1Bug /
KLOC
Energy industry faced 27 confirmed data breaches****27
per-record cost of a data breach reached $154*****$$$
* Internet Security Treat Report – Symantec 2016
** Tripwire “ state of security report “
*** http://www.techrepublic.com/blog/it-security/the-danger-of-complexity-more-code-more-bugs/
**** Verizon DBIR 2015
***** http://www.csoonline.com/article/2926727/data-protection/ponemon-data-breach-costs-now-average-154-per-record.html

5. Vulnerabilities and references
 OWASP Web Application Top 10
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
 OWASP Mobile Top 10
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
 CSA Cloud Treacherous 12
https://cloudsecurityalliance.org/group/top-threats/
 ICS Cyber Vulnerabilities
https://ics-cert.us-cert.gov/content/overview-cyber-vulnerabilities

6. Example : Demo of an SQL injection attack
Name
AHMED
ATTACKER
INTERNET
FIREWALL
IPS/IDS
WEB SERVER DATABASE
SEARCH
AHMED’ OR 1=1; go; --

7. Brand Image, Reputation, Stake holder confidence are at stake
Data Leakage & PII disclosures
Unauthorized access to corporate strategic and financial information, systems
& ICS
Financial and non Financial frauds, Service Disruption
Weak Software Supplier Chain, and component level vulnerabilities
Potential risks induced via applications

8. Corruption along the software supply chain
Malicious insiders can change compiled binary into malware / backdoor
Substantial open source components
Ownerships and accountabilities
Bubble companies and lack of ESCROW
Risks in software supply chain

9. What is Application Security Assurance ?
“Application security assurance
encompass various measures taken to
prevent, identify, remediate and mitigate
security gaps or flaws, in
applications/code across it’s lifecycle -
design, development/sourcing,
deployment, upgrade, maintenance and
retirement of the application”.
These measures covers people, process
and technology dimensions.
Design
Develop
OR
Source
Deploy
OperateA
ND
Maintain
Retire
Prevent
Detect
Remediate
Mitigate

10. Who shall be involved ?

11. Why Application Security is important?
Protect Data, Reputation and Services
– Confidentiality, Integrity & Availability -
Mitigate risk and vulnerabilities introduced
- thru suppliers-chain/firmware/applications -
Save resources and meet stakeholder expectations
- Cost, Time, Efficiency, Effectiveness and Efforts -
Network Layer Protections are not sufficient
- Layer 7 protections required-
Compliance & Regulatory requirements
Support & Enable Sustainable Innovations

12. How to start with Application security ?
• Develop Application security Assurance Strategy & Governance Framework01
• Enable and Empower – Resources, Training, Technology and Authority02
• Process Integration – SDLC, ITSM, Legal and Supplier Mgmt.03
• Define & Communicate – clearance gates, inputs, outputs, SLA/OLA04
• Ensure Coverage – In-house, Out-sourced, and Software supply Chain05
• Security Assurance & Integration – Monitoring, SIEM, Incident Response and VA06
• Tracking & Performance – Reporting, KPI, Trend Analysis …07

13. Frameworks and best practices that
helps to start-off
 C2M2- Cyber Capability Maturity Model
http://energy.gov/oe/services/cybersecurity/cybersecurity-capability-maturity-model-
c2m2-program/cybersecurity
 SAMM – OWASP Software Assurance Maturity Model
https://www.owasp.org/index.php/OWASP_SAMM_Project
 BSIMM Software Security Framework
https://www.bsimm.com/framework/
 SwA Forum – NIST Software Assurance
http://csrc.nist.gov/groups/SMA/forum/documents/october-2012_fcsm-jjarzombek.pdf

14. Maturity and value realization
Efficiency&Effectiveness
Reactive Pro-active
Initial – adhoc, poorly controlled
Repeatable – reactive processes
Defined – Documented and Integrated Processes
Managed – KPIs defined
Optimizing – Measure, feedbacks
continuous Improvements

15. Example : Secure-SDLC
Requirements
• Map Security
Requirement
• Map Data
privacy
requirements
Design/Procure
• Threat
Modelling
• Security Design
Reviews
• Security
Architecture
Review
Develop/Source
• Static code
analysis
• Business Logic
analysis
Test
• Security Test
cases
• Dynamic Code
Analysis
• Configuration
Reviews
Deploy
• Final security
review & Sign-
off
• Integration
with IR process
• Monitoring
and &
AssuranceClearance Gates that’s clearly communicated, with defined Inputs, Outputs and SLA/OLA

16. Example : Mitigating Software Supplier
Chain Risks
Supplier Capabilities
• Supplier follows
industry best
practices
• Supplier has
financial, technical
and business
continuity
capabilties
Product Security
• Secured by design
• Product’s security
features are tested
and acceptable
Product Procurement
and Distribution
• The binaries and
source codes are
protected
• Process and
technical controls
exists to verify
integrity of the
solution/product
Operational Controls
• Product is deployed
and works in
secured way

17. Thank You
Email : jaleel80@gmail.com
Twitter : tweet4jaleel
Linkedin : https://ae.linkedin.com/in/jaleel80