Application_security_Strategic
Download as PPTX, PDF0 likes395 views
This document discusses building secure applications and outlines several key points: 1) It discusses the importance of application security governance, frameworks, processes and procedures, and secure coding practices across all layers of computing environments. 2) It outlines strategies for building security into the development process from design through testing and deployment. 3) It emphasizes the need for educating developers on security best practices and gaining their buy-in on secure development standards.
Application_security_Strategic
- 1. Building Secure Application • Application Security Governance • Application Security Framework • Application Security Process & Procedure • Application Security in All Layers of Computing Environment • Integrated Secure Coding Environment
- 2. Evolving Threats Source : Cisco
- 3. Application Secure development Development Tools Source control Bug tracking Test Manager Code verification
- 4. Desktop Transport Network Web Applications Antivirus Protection Encryption (SSL) Firewalls / IDS / IPS Firewall Web Servers Databases Backend Server Application Servers Info Security Landscape Application Security - Understanding the Problem Secure Infrastructure Weakest link
- 5. Building Security Into the Development Process *Graphics from OWASP.com • Test existing deployed apps • Eliminate security exposure in live applications Production • Test apps before going to production • Deploy secure web applications Deploy • Test apps for security issues in QA organization along with performance and functional testing • Reduce costs of security testing Test • Test apps for security issues in Development identifying issues at their earliest point • Realize optimum security testing efficiencies (cost reduction) Development• Security requirements, architecture, threat modeling, etc Define/Design
- 6. Application Security Adoption Within the SDLC Difficulty & Cost of Test % Applications Tested High Low Low High Security Team Security Team Security Team QA Team QA Team Development Team Phase 1 Phase 2 Phase 3 Criticality & Risk of App. Development Team
- 7. Educating Developers and Getting “Buy in” • Establish security accountability and stds for shipping • Create a “security architect” role • Create a security community of practice • Create a secure development portal or wiki • Conduct hacking demos to demonstrate risks • Online & offline courses for secure coding • Put developers through secure coding exams • Security reviews of real applications • Pay premiums for security architects
- 8. Security Framework Security Governance, Risk Management and Compliance WorleyParsons Security Framework External Representation Network, Server, and End-point Physical Infrastructure People and Identity Data and Information Application and Process Managed Security Services Security Hardware and Software Professional Services Physical Security Solutions Security Governance, Risk & Compliance Solutions Threat and Vulnerability Mgmt & Monitoring Solutions Application Security Lifecycle Mgmt Solutions Identity and Access Management Solutions Information Security Solutions
- 9. Application Security Process Framework Verify In Production Applications Design, Develop, Test, and Verify Secure Apps Educate IT Professionals Maintain and Publish Policies and Guidelines Respond to Security Exposure Incidents ApplyLessonsLearned
- 10. Application Management – Secure Infrastructure NETWORK HOST APPLICATION ACCOUNT TRUST Architecture Transport Network device Access control list (ACL) permission settings Operating system Services Internet Information Services (IIS) Simple Mail Transfer Protocol (SMTP) File Transfer Protocol (FTP) NetBIOS/Remo te procedure call (RPC) Terminal Services Microsoft SQL Server Input validation Clear text protocol Authentication Authorization Cryptography Auditing and logging Unused accounts Weak or blank passwords Shared accounts Access privileges Rogue trusts
- 11. Application Layer Requirements • Input validation • Session management • Authentication and authorization • Design and code review • Application and server error handling • Application auditing and logging • Application backup and restore • Private data encryption
- 12. Common Application Development Issues • User input validation • Cookies, authentication, and access • Passwords • Access control lists • COM+ application configuration • Auditing and logging