ISACA 2016 Application Security RGJ
Download as PPTX, PDF1 like424 views
This document discusses ensuring information security in the system development lifecycle process. It provides an overview of several frameworks for implementing an enterprise software security program, including the Microsoft Security Development Lifecycle, OpenSAMM, and BSIMM. It also discusses application security challenges, market drivers for security, and using these frameworks across different industries like financial services.
ISACA 2016 Application Security RGJ
- 1. ENSURING INFORMATION SECURITY IN THE SYSTEM DEVELOPMENT LIFECYCLE PROCESS RENE G. JASPE CISSP, CSSLP
- 2. Sinag Solutions Founder and CISO Phylasso Corp., Founder and Managing Director MobKard, CoFounder and CTO Rene Jaspe CISSP, CSSLP • 13 yrs with Telos Corp., a US Federal Gov’t Defense Contractor, servicing various US Defense and Intelligence Agencies as well as NATO allies. • 10 years Software Development and 5 Years Application Security Background.
- 3. 2015: “We Take It Very Seriously” IBM Xforce Threat Intelligence Report 2016
- 4. HEALTHCARE, EDUCATION & FINANCIAL SERVICES LEADS GLOBALLY. Source: Ponemon Institute Research Report 2016 Cost of Data Breach
- 5. Incident Pattern By Industry Verizon Data Breach Incident 2016 Report
- 6. • Regulatory & Standards Compliance – eCommerce: PCI-DSS, PA-DSS – Financial Services: GLBA – Energy: NERC / FERC – Government: FISMA – PH: Data Privacy Act, BSP • 81% of organizations subject to PCI had not been found compliant prior to the breach Market Drivers
- 7. Application security challenges: Security-development disconnect fails to prevent vulnerabilities in production applications •Developers Lack Security Insights (or Incentives to Address Security) •Mandate to deliver functionality on-time and on-budget – but not to develop secure applications •Developers rarely educated in secure code practices •Product innovation drives development of increasingly complicated applications Security Team = SDLC Bottleneck •Security tests executed just before launch – Adds time and cost to fix vulnerabilities late in the process •Growing number of web applications but small security staff – Most enterprises scan ~10% of all applications •Continuous monitoring of production apps limited or non-existent – Unidentified vulnerabilities & risk
- 8. 3 Great Frameworks For Implementing an Enterprise Software Security Program (MOB)
- 9. Application Security Pros Hold These Truths to Be Self Evident • Software Security is more than a set of security functions. – Not magic crypto fairy dust – Not silver bullet security mechanisms. • Non-functional aspects of design are essential • Bugs and flaws are 50/50. • Security is an emergent property of the entire system (just like quality). • To end up with secure software, deep integration with the SDLC is necessary. Source: Cigital on BSIMM VI
- 10. Prescriptive vs. Descriptive Models Prescriptive Models • Prescriptive models describe what you should do. • OpenSAMM • Microsoft SDL • Every company has a methodology they follow (often a hybrid) • You need an SSDL. Descriptive Models • Descriptive models describe what is actually happening. • The BSIMM is a descriptive model that can be used to measure any number of prescriptive SSDLs.
- 11. Microsoft Security Development Lifecycle 5.2 (May 2012)
- 12. SDL for Agile Bucket Bucket Bucket Bucket One-TimeOne-TimeOne-Time One-Time One-Time Bucket practices:: Important security practices that must be completed on a regular basis but can be spread across multiple sprints during the project lifetime. One-Time practices: Foundational security practices that must be established once at the start of every new Agile project.
- 13. SDL Practice #7 USE THREAT MODELING Applying a structure approach to threat scenarios during design helps a team more effectively and less expensive identify security vulnerabilities, determines risks from those threats, and establish appropriate mitigations.
- 14. THREAT MODEL SAMPLE • S – poofing • T – ampering • R – epudiation • I - nformation Disclosure • D – enial of Service • E - levation of Privilege
- 15. OpenSAMM 1.1 (March 2016)
- 16. OpenSAMM 1.1 (March 2016)
- 21. Cost: Phase 1(Months 0 – 3) - Awareness & Planning
- 22. BSIMM 7 ( October 2016) The BSIMM is a measuring stick for software security. The best way to use the BSIMM is to compare and contrast your own initiative with the data about what other organizations are doing contained in the model. You can then identify goals and objectives of your own and refer to the BSIMM to determine which additional activities make sense for you. The BSIMM data show that high maturity initiatives are well-rounded—carrying out numerous activities in all 12 of the practices described by the model. The model also describes how mature software security initiatives evolve, change, and improve over time.
- 23. BSIMM 7
- 29. • Microsoft Security Development LifeCycle https://www.microsoft.com/en-us/sdl/ • OpenSAMM http://www.opensamm.org/ • BSIMM https://www.bsimm.com/ KEY TAKE AWAY (MOB)
- 30. “Today we were unlucky, but remember we only have to be lucky once. You will have to be lucky always.” THANK YOU QUESTIONS??? Rene.Jaspe@sinagsolutions.com @renejaspe https://ph.linkedin.com/in/renejaspe