Today’s Agenda
Development and Security are looking for a better way to identify, verify, prioritize and fix software vulnerabilities.
• What are the challenges?
• What’s the best approach?
• What process can I apply for better/repeatable results?
• How do I select my applications? My tools?
• Visual Studio/TeamMentor/CAT.NET demonstration

Who We Are
Application Security Experts
• 10+ Years vulnerability research
• Security Testing Methodology adopted by SAP, Microsoft, Symantec
• Authors of 8+ books
Products and Services
• Standards - Best Practices
• Education - CBT & Instructor-Led
• Assessment - Software and SDLC
Reducing Application Security Risk
• Critical Vulnerability Discovery
• Secure SDLC Rollout
• Internal Competency Development

Our Approach
• Standards: Create security policies, align dev activities with standards and compliance requirements, fix vulnerabilities.
• Education: Create internal expertise through eLearning, Instructor-led and virtual classroom training.
• Assessment: Audit software apps against policies and compliance requirements and recommend remediation techniques.

Life is a Breach
Companies who suffered 1-10 breaches over the past 2 years, as a result of a software app being compromised.

A Process is Lacking
State they either have no process (like an SDLC) at all, or an inefficient ad-hoc process for building security into their applications.

What Motivates Action?
State that there is no formal mandate in place to remediate vulnerable application code.

Common Use Cases
1. Development teams don’t know where to go for best practices guidance on software vulnerabilities.
2. There’s a need to communicate and share intelligence around specific vulnerabilities with your team.
3. Teams need to fix vulnerabilities and map to internal policies.
4. There’s a market need for making more sense of static analysis results to get to full-circle

Where can developers go?
Use Case I - Security Team
• A software vulnerability has been identified.
• You need to verify it and need more information about it.
• What do you do, and where do you go for guidance?

How can you share the information?
Use Case II - Security Team
• You’ve verified a software vulnerability.
• You need to communicate the details of that vulnerability or set of vulnerabilities to your team.
• How is this accomplished most effectively?

Integrating with what you already have
Use Case III - Development Team
• You’ve verified a given vulnerability, and can now prioritize it.
• You have knowledge internally, or security policies you need to map to.
• How can I do this in a streamlined way?

Doing more with test results
Use Case IV - Development Team with Tools
• The tool reports findings.
• You need to make more sense of the results.
• The findings point to guidance specific to the findings.
• Fix what you’ve found. Re-scan.

Understand your level of risk
Determine your apps first. Determine your risk tolerance second.
• Take an inventory of your high-risk applications.
• Determine the business criticality of those applications.
• What’s your attack probability and how do you define your attack surface?
• Consider the overall business impact, security threats and compliance mandates.
• Rank your applications accordingly.
• Start thinking about the most effective set of testing tools.

Define data and applications
Classify sensitive data. Then, prioritize your applications.
• How sensitive is your data in a given application(s)?
• Does that data pertain to internal mandates or federal regulations?
• Threat modeling can determine threats, attacks, and the frequency and severity they are executed with.
• Rank and prioritize your applications accordingly.
• Compile the most effective set of testing tools.

Prioritize your applications
Rank your applications using a formulaic approach to measuring risk.

Application Criteria

Threat Rating  Sensitive Data  Lifespan  Compliance Stringency  Customer-Facing
Tier 1         Restricted      Long      High                   Yes
Tier 2         Private         Mid       Medium                 Yes
Tier 3         Public          Short     N/A                    No

Map activity to your criteria
Implement your security testing strategy.

Depth, Breadth, Frequency

Threat Rating  Static Analysis              Dynamic Analysis             Manual Pen Test         Threat Modeling
               Complete/Frequency           Complete/Frequency           Complete/Frequency      Complete/Frequency
Tier 1         Required/Major code changes  Required/Major code changes  Required/Per Milestone  Required/Per Release
Tier 2         Suggested/Monthly            Required/Quarterly           Required/Per Release    Suggested/Per Release
Tier 3         Optional/Quarterly           Required/Annually            Optional/As Needed      Optional/As Needed

Select your tools
Selecting your tool(s) should be the final step before you start testing.
• Apply your rankings to your tools selection.
• Determine your combination of automated vs manual tools.
  - Consider how many applications, how much code and time-to-result.
  - Do you need them to run on their own, or are they better used for a singular, manual purpose?
  - Assume that automated tools cannot target business logic attacks.
• Interpret your scan results with remediation in mind

Secure Development Guidance
A Real-Time In-Practice Companion Containing 4500+ Articles of Prescriptive Guidance and Code

Take the TeamMentor Challenge!
Sign up for a TeamMentor account:
• Go to: https://tm-msft.azurewebites.net/
• This is the web version – a 2-week trial.
• Solve the challenge question and submit.
The winner will receive a new Microsoft Surface RT tablet.
TeamMentor for the individual, enterprise or partners:
• Full guidance library contains 4,500+ articles
• Prescriptive guidance across technologies (.NET, Java, iOS, Android
• Single user, cloud instance, business unit, enterprise-wide licensing
• Partner organization licensing available also.
• Contact us: firstname.lastname@example.org