Implementing AppSec Policies with TeamMentor


Published on

This is a nice little prezo that keeps with its promise - a part 3 of 3 parts, and it pulls a story together to round out some solid product use cases going from the more practical application to the higher level application of a product - TeamMentor.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Implementing AppSec Policies with TeamMentor

  1. 1. Implementing Application Security PolicySimplify Your Process with TeamMentor (Part Three of our Three-Part Series) Fred Pinkett VP Product Management Security Innovation, Inc.
  2. 2. Today’s Presenter Fred Pinkett Vice President Product ManagementØ  Responsible for product strategy and roadmapØ  Extensive security industry experience (Core Security, RSA)Ø  MBA, Boston College; BS, Computer Science & Engineering, MITØ  Regular blogger and author
  3. 3. About Security InnovationApplication Security Experts • 10+ Years vulnerability research• Security Testing Methodology adopted bySAP, Microsoft, Symantec• Authors of 8+ booksProducts and Services • Standards - Best Practices• Education - CBT & Instructor-Led• Assessment - Software and SDLCReducing Application Security Risk • Critical Vulnerability Discovery• Secure SDLC Rollout• Internal Competency Development
  4. 4. AgendaØ A Review of Part 1 & 2•  Application Security Policies Defined•  Attributes of an Effective Policy•  Deploying Your Security Policy –  Importing into TeamMentor –  Linking to Articles in TeamMentor –  Creating Views –  Customizing
  5. 5. Common Use Cases: A Review1. Development teams don’t know where to go for best practices guidance on software vulnerabilities.2. There’s a need to communicate and share intelligence around specific vulnerabilities with your team.3. Teams need to fix vulnerabilities and map to internal policies.4. There’s a market need for making more sense of static analysis results to get to full-circle remediation.
  6. 6. Common Use Cases: Security Teams•  Use Case: Security team - Discovery –  Software vulnerability identified. –  Need for verification & more information –  Where do go for guidance?•  Use Case: Security team - Communication –  Software vulnerability verified –  Need to communicate to your team –  What’s the most effective way to accomplish this?
  7. 7. Common Use Cases: Development Teams•  Use Case: Development team - Prioritize –  Need to prioritize verified vulnerabilities. –  Need to map against internal process or policies. –  How can I simplify this process and integrate with what I already have?•  Use Case: Development team with Tools –  Your tool(s) report findings. –  Need to make more sense out of results. –  Findings point to guidance specific to the findings. –  Fix vulnerabilities and re-scan.
  8. 8. How do you define your process?•  Determine your risk tolerance –  Inventory high-risk applications. –  Determine business criticality of those applications. –  What’s your attack probability? Attack surface? –  Rank your applications.•  Define your data: Classify and Prioritize –  How sensitive is your data? –  Relevant to internal mandates/compliance initiatives? –  Build a threat model. –  Compile the most effective set of testing criteria & tools.
  9. 9. How do you define your process? (con’t.)•  Select your tools for testing –  Apply your rankings to your tools selection. –  Determine your combination of automated vs manual tools. –  Consider how many applications, how much code and time-to-result. –  Do you need them to run on their own, or are they better for a singular, manual purpose? –  Assume that automated tools cannot target business logic attacks. –  Interpret your results with remediation in mind.
  10. 10. Now…Map Activity to Your Criteria Threat Static Dynamic Manual Pen Threat Rating Analysis Analysis Test Modeling Complete/ Complete/ Complete/ Complete/ Frequency Frequency Frequency Frequency Required/ Required/ Required/Per Required/Per Tier 1 Major code Major code Milestone Release changes changes Suggested/ Required/ Required/Per Suggested/ Tier 2 Monthly Quarterly Release Per Release Optional/ Required/ Optional/As Optional/As Tier 3 Quarterly Annually Needed Needed
  11. 11. Agenda•  A Review of Parts 1 & 2Ø Application Security Policies Defined•  Attributes of an Effective Policy•  Deploying Your Security Policy –  Importing into TeamMentor –  Linking to Articles in TeamMentor –  Creating Views –  Customizing
  12. 12. Application Security Policies Defined•  Information security policies focus primarily on infrastructure and how software is deployed•  Application security policies focus primarily on how software is developed•  Information security policies are far more common and sometimes will imply application security policies
  13. 13. Application Security Policy - Goal•  The goal of an application security policy is to define the business’s security expectations for its development organization•  That’s all.
  14. 14. Information Security Policy - Example•  Agencies will establish procedures for the secure storage of all electronically stored information that is owned or controlled by such agency/department•  Users with access to State of Vermont customer sensitive information are strictly prohibited from downloading any customer information onto laptops, disk, flash drives, etc. unless the portable device is encrypted –  Examples of sensitive information may be a combination of any of the following but not limited to this list: •  Customer name •  Credit card information •  Mailing address •  Social Security Number •  Email address •  Health information •  Phone number
  15. 15. Application Security Policy - Example•  During the project design phase, the business needs for security must be integrated into the system design•  The project’s technology and processes for using the system should be examined for their ability to support the confidentiality, integrity, authorization and availability objectives identified in Project Concept Phase•  Security considerations and recommended control measures shall be documented in the project specifications and approved by the agency•  Security goals of the system should include: –  Confidentiality of the data –  Authentication of the data –  Integrity of the data –  Non-repudiation of the data –  Availability of the data –  Auditing of the data
  16. 16. Agenda•  Application Security Policies DefinedØ Attributes of an Effective Policy•  Deploying Your Security Policy –  Importing into TeamMentor –  Linking to Articles in TeamMentor –  Creating Views –  Customizing
  17. 17. An Effective Application Security PolicyThere are things we can do to make it easierAn effective application security policy has the followingattributes: •  Clearly states what must be done •  Clearly states why it matters •  Technology agnostic, widely applicable •  Tied to a real business objective •  Deployed in such a way that it is easy to access and maintain
  18. 18. An Effective Application Security Policy - Example•  Cross Site Scripting must be prevented by escaping all user input before it is used on a web page•  Cross Site Scripting vulnerabilities allow attackers to execute scripts in the victim’s browser. –  This attack can be used by an attacker to hijack user sessions, deface your web site, or redirect your user to malicious sites•  Use standard libraries, do not write custom escaping code
  19. 19. Anatomy of an Effective PolicyThis is an effective policy•  Clearly states why it matters –  Cross site scripting can result in hijacking of user sessions, web site defacement, or redirection to malicious sites.•  Clearly states what must be done, very little interpretation needed –  Escape all user input before echoing back to a web page
  20. 20. An Effective Application Security PolicyThere are additional steps you can take: •  Tie the policy to role or SDLC phase •  Map to compliance or customer requirements •  Consider criticality of application and data –  requirements, activities and level of detail needed will differ •  Provide an exception policy –  What if minimum standards can’t be met? What is considered acceptable? Who approves?
  21. 21. Agenda•  Application Security Policies Defined•  Attributes of an Effective PolicyØ Deploying Your Security Policy –  Importing into TeamMentor –  Linking to Articles in TeamMentor –  Creating Views –  Customizing
  22. 22. Use Case: SQL Injection✔  EFFECTIVE POLICY STATEMENT –  If your application connects to a SQL database, you must defend against SQL injection attacks –  A SQL injection attack exploits vulnerabilities in input validation to run arbitrary commands in the database. It can be used by an attacker to steal sensitive data, modify existing data or log in as a user with higher privileges –  Usage of parameterize queries is strongly recommended
  23. 23. Interpret the Policy•  This is a well written policy and is easy to interpret –  Any application that connects to a SQL database must protect against SQL Injection attacks –  Parameterized queries are the recommended solution
  24. 24. Find SQL Injection – ASP.NET 4.0
  25. 25. Open the Article to View Best Practices
  26. 26. Coding Best Practices•  We can do the same thing for implementation best practices•  We look in TeamMentor and find: –  Use Parameterized APIs for Database Access
  27. 27. Best Practice - Details
  28. 28. Our Application Security Solutions Computer Based Training –  48 Technical & Awareness courses –  Secure Design, Coding, Testing –  .NET, Java, C/C++, C#, PHP, Mobile, OWASP, PCI, Database Secure Development Standards –  Aligns development activities to policies –  3,500 secure development best practices for OWASP, PCI, Web Services –  Create dedicated guidance views for your security policies –  Meets PCI requirements 6.3, 6.5 and 6.6 out of the box Professional Services –  Application Assessment –  SDLC Optimization & Compliance
  29. 29. Thank you!!Evaluate TeamMentor:•  OWASP Guidance Library (Creative Commons content)•  Install locally or use web•  Watch a video:•  OWASP:•  SI Library: Enterprise & Partner Versions: •  Full set of guidance libraries (4500+ articles) •  Single user, cloud instnace, business unit, & enterprise licensing •  Partner organization pricing •  Contact Sales: •  Contact Fred: