Developing a Software Security Assurance Program
Software Confidence. Achieved.
Presented by Kabir Mulchandani, Managing Principal, Cigital
Developing a Software Security Assurance Program
© 2012 Cigital Inc. All Rights Reserved. Proprietary and Confidential. 1
Agenda
• Introduction
• What is Software Security Assurance?
• Why is Software Security Assurance important?
• What does a Software Security Assurance Program look like?
• Elements of a Software Security Assurance Program
• Developing a Program
• Assessing Your Software Security Assurance Program
• Moving Forward
• Questions and Answers
Introduction
• Founded in 1992 to provide software security and software quality professional services
• Recognized experts in software security
  o Widely published in books, white papers, and articles
  o Industry thought leaders
What is Software Security Assurance?
• Ensuring software is designed and developed to minimize risks to an organization
• Risks may include data integrity, data leakage, data misuse, website defacement, etc.
• Capabilities across the organization to ensure software is built securely throughout the SDLC
• Software security assurance is an application of risk management techniques throughout the SDLC
What is Software Security Assurance?
Components
• Software Security Initiative (SSI)
  - An effort dedicated to improving the security of all deployed software
  - Includes responsibility for software security in vendor environments
• Software Security Group (SSG)
  - Team with the mandate to ensure software security
  - Responsible for defining, implementing and enforcing software security policies and standards throughout the SDLC
Why is Software Security Assurance important?
Major Drivers Influencing SSA Programs
• Compliance
• Contractual
• Reactionary
• Security
Why is Software Security Assurance important?
Some Trends Influencing SSA Programs
• Traditional focus has been on the network and perimeter, but the attack surface is shifting to application software
• The proliferation of end-user applications has created more code, more insecure code, and more vulnerabilities
• The emergence of “do-it-yourself” development toolkits and easy-to-learn programming languages has introduced more new developers with little or no security knowledge
Why is Software Security Assurance important?
A Shifting Trend
• Many software security programs focus on pre-deployment penetration testing, late in the SDLC
• Primary focus is on finding implementation bugs and bolting on security controls
• Organizations are now learning that software security needs to be integrated within the SDLC
• Preventive measures need to be established to avoid bugs and to define security architecture early in the SDLC to prevent flaws at inception
What does an SSA Program look like?
Integrating best practices into large organizations
• Microsoft’s SDL
• Cigital’s Touchpoints
• OWASP Comprehensive, Lightweight Application Security Process (CLASP)
What does an SSA Program look like?
software security touchpoints
What does an SSA Program look like?
BSIMM: software security measurement
• Real data from 42 real SSA initiatives
• 81 measurements
• McGraw, Chess, & Migues
PlexLogic
What does an SSA Program look like?
software security framework
• Four domains, twelve practices
• A ‘blueprint’ for an SSA Program based on best practices
Elements of an SSA Program
Governance
• Strategy and Metrics – Planning, assigning roles and responsibilities, identifying software security goals, determining budgets, identifying metrics and gates.
• Compliance and Policy – Identifying controls for compliance regimes, developing contractual controls (COTS SLA), setting organizational policy and auditing against policy.
• Training – Establishing awareness and training programs and campaigns, hosting internal and external software security events and promoting a culture of software security.
Elements of an SSA Program
Intelligence
• Attack Models – Establishing threat modeling, abuse cases, data classification, and technology-specific attack patterns.
• Security Features and Design – Identifying security patterns for major platforms and middleware frameworks, and providing proactive security guidance early in the SDLC.
• Standards and Requirements – Defining explicit security requirements and coding standards, managing use of open source technologies and establishing a standards review board.
Elements of an SSA Program
Secure Software Development Lifecycle Touchpoints
• Architecture Analysis – Capturing software architecture diagrams, applying lists of risks and threats, adopting a process for review, and building an assessment and remediation plan.
• Code Review – Use of code review tools (e.g., HP Fortify, IBM AppScan), development of customized rulesets, manual analysis and ranking/measuring results.
• Security Testing – Use of black box testing, risk-driven white box testing, application of the attack model and code coverage analysis.
Elements of an SSA Program
Deployment
• Penetration Testing – Using automated and manual testing methods to assess vulnerabilities in the final configuration, and remediation based on residual risks.
• Software Environment – Ensuring OS and platform patching, use of web application firewalls, install and configuration documentation, application monitoring, change management and code signing.
• Configuration Management and Vulnerability Management – Ensuring procedures are in place for patching and updating applications, version control, defect tracking and remediation, and incident handling.
Twelve things “almost everybody” does (66%)
Core activities
• Identify SDLC gates
• Know PII obligations
• Awareness training
• Data classification & inventory
• Build security features
• Security standards
• Review security features
• Static analysis tools
• QA boundary testing
• External pen testers
• Good host/network security
• Close ops bugs loop
Developing an SSA Program
Building a program from the ground up:
• Establish the Software Security
• Build the Software Security Group
• Develop strategy, policies and standards
• Integrate SDLC checkpoints
• Analyze the application portfolio
• Establish metrics
• Conduct training and awareness activities
Developing an SSA Program
Improving on an already existing program:
• Expand scope
• Engage earlier
• Invest in competencies across the SDLC
• Automate
• Achieve scalability
Assessing and improving your SSA Program
A Maturity Model
Maturity levels (from Reactive to Proactive):
• Not Started
  - No capabilities exist
• Identified and Scoped
  - Plans exist
  - Not implemented
• Functional
  - Basic, everyday needs met
  - Only a subset of the total problem space addressed
• Scalable
  - Integrated processes with automated tools
  - All of the current and evolving (i.e., cloud, mobile, vendor) needs are being addressed
• Self Correcting
  - Feedback loop in place
  - Continuous improvement
CAPABILITY IMPROVEMENT DRIVERS
• Clarity of Line-of-Sight
• Compliance
• Cost Reduction
• Efficiency
• Risk Reduction
• Scalability
Moving Forward
• Establish the objectives of your SSA program
• Conduct a risk assessment; ensure you address all emerging risk areas
• Assess the maturity of your program, if one exists
• Develop a plan to initiate or enhance the program
• Continue with training and awareness initiatives
• Execute your plan
• Establish a process to periodically re-evaluate your program and look for continuous improvement opportunities