NTXISSA Cyber Security Conference – November 10-11, 2017 @NTXISSA #NTXISSACSC5
Herding Cats and Security Tools
Harold Toomey
Product and Application Security
McAfee LLC
10 Nov 2017
Table of Contents
• Cat Herding
• Product & Application Security
• Problem Statement
• SDL Activities
• Tool Integrations Diagrams
• Disclaimer
• Usage Scenarios
• Considerations
Cat Herding
Product & Application Security
• Product – Software developed by engineering BUs to sell to customers
• Application – Software developed by IT Enterprise Applications team to run on company systems, websites, and servers
• Primary difference is the target audience
  • Customers (Public) - Full SDL
  • External-Facing (Partners)
  • Internal-Facing (Employees) - Minimal SDL
Current Trend
• Waterfall → Agile → Continuous (CICD)
Problem Statement
• CICD requires automation
• Software developers want single place to go (ALM)
• ALM – Application Lifecycle Management
• SDLC – Software Development Lifecycle
• SDL – Security Development Lifecycle
SDL Activity
• Entry Criteria
• Tasks
• Exit Criteria
SDL – Operational Activities
1. Program
2. SDL
3. PSIRT
4. People & Resources
5. Tools & Services
6. Policy, Compliance, & Certifications
7. Training
8. Metrics
9. Maturity Models
SDL – Technical Activities
1. Security Definition of Done (DoD)
2. Security Architecture Review
3. Security Design Review
4. Threat Modeling
5. Security Testing & Validation
6. Static Analysis (SAST)
  • Interactive Analysis (IAST)
7. Dynamic Analysis (DAST)
8. Fuzz Testing
9. Vulnerability Scan
10. Penetration Testing
11. Manual Code Review
12. Secure Coding Standards
13. Open Source & 3rd Party Libraries
14. Vendor Management
15. Privacy
16. Operating Environment
When to do the Technical Activities
Why the Different Tools
Tools Integration – Generic
Flow Diagram Example
Herding Cats (Tools)
Vulnerability Aggregation
Service Desk
Solution
Disclaimer
• Mention of vendor names and tools does not imply endorsement
• Vendor list is intentionally incomplete
• Based on my limited research
• Best integration for me may not be best for you
ALMs
Tools Integration – Real Tools
Flow Diagram Examples
Scenario #1 – SDL Requirements
1. SW security requirements management
  • Custom SDL, FedRAMP (NIST 800-53), GDPR
2. Use templates in ALM and/or
3. Use 3rd party tool with seamless bi-directional ALM integration
• SD Elements, HP ALM
Scenario #2 – Vulnerabilities
1. Black Duck Hub identifies CVEs in open source
2. High severity CVEs are sent to JIRA
3. Engineer sees CVEs in project backlog and fixes
4. JIRA syncs back to Black Duck Hub and verifies fix
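The Scenario #2 loop as an added worked example (not code from the talk or from either vendor): a hypothetical in-memory Tracker stands in for JIRA, a constructed scan list with placeholder CVE ids stands in for Black Duck Hub output, the throttle from the Considerations slides is applied by CVSS v3 severity band, and the sync-back step only verifies a fix when a rescan no longer reports the CVE.

```python
from collections import namedtuple
Finding = namedtuple("Finding", "cve component cvss_v3")  # one CVE hit from the SCA scanner (Black Duck Hub in the deck)

def cvss_v3_severity(score):
    """CVSS v3 qualitative rating bands: Critical / High / Medium / Low / None."""
    if score >= 9.0: return "Critical"
    if score >= 7.0: return "High"
    if score >= 4.0: return "Medium"
    return "Low" if score > 0.0 else "None"

class Tracker:  # hypothetical in-memory stand-in for the ALM/ticketing system (JIRA in the deck)
    def __init__(self):
        self.tickets = {}  # key -> {"finding": Finding, "severity": str, "status": str}
    def create(self, finding, severity):
        key = f"SEC-{len(self.tickets) + 1}"
        self.tickets[key] = {"finding": finding, "severity": severity, "status": "Open"}
        return key
    def resolve(self, key):  # step 3: the engineer closes the ticket after fixing
        self.tickets[key]["status"] = "Done"

def push_findings(findings, tracker, min_severity="High"):
    """Step 2: throttle to min_severity and above, then open one ticket per finding."""
    order = ["Low", "Medium", "High", "Critical"]
    opened = []
    for f in findings:
        sev = cvss_v3_severity(f.cvss_v3)
        if sev in order and order.index(sev) >= order.index(min_severity):
            opened.append(tracker.create(f, sev))
    return opened

def sync_back(opened, tracker, rescan):
    """Step 4: a Done ticket is verified only if a fresh scan no longer reports its CVE."""
    still_present = {(f.cve, f.component) for f in rescan}
    verified, reopened = [], []
    for key in opened:
        t = tracker.tickets[key]
        if t["status"] != "Done": continue  # not fixed yet; leave it in the backlog
        if (t["finding"].cve, t["finding"].component) in still_present:
            t["status"] = "Reopened"; reopened.append(key)  # claimed fix did not land
        else:
            t["status"] = "Verified"; verified.append(key)
    return verified, reopened

# Constructed sample scan output with placeholder CVE ids (not real findings)
SCAN = [Finding("CVE-0000-0001", "libfoo 1.2", 9.8), Finding("CVE-0000-0002", "libbar 3.0", 7.5),
        Finding("CVE-0000-0003", "libbaz 0.9", 5.3)]

def demo():
    tracker = Tracker()
    opened = push_findings(SCAN, tracker)    # the Medium finding is throttled out
    for key in opened: tracker.resolve(key)  # engineer marks both tickets Done
    rescan = [f for f in SCAN if f.cve != "CVE-0000-0001"]  # libbar is still reported
    return sync_back(opened, tracker, rescan)
```

Raising min_severity to "Medium" would open a third ticket; the reopen path is what keeps a ticket closed in the ALM from silently counting as a remediated CVE.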
Considerations
• Tool integration considerations
1. Availability (Y/N)? When?
2. Push, pull, both (bidirectional), or none?
3. Native or through a 3rd party connector?
4. Tight or loose integration?
5. Server-side or client plugin?
6. Ability to throttle? (high severity only)
7. Cost?
Considerations
• Business considerations
1. Due diligence researched (all options)
2. Integration with existing systems?
3. Buy, build or use existing?
4. When? This Fiscal Year, next FY?
5. Who will use?
6. Which BUs will purchase? (other benefactors)
7. Who will install, host, and maintain?
8. Who will configure and customize?
Considerations
• Engineer considerations
1. Does ALM contain all user stories?
  • Insight manual integration (email)
2. Ticketing system adds advanced workflow and SLA reminders
  • Does it need to be engineer friendly or just tightly integrated with ALM?
3. Data overload - throttle settings
  • Issue severity: Critical, High, Medium, Low
  • Business Impact vs. Risk score vs. CVSS v3 score
Questions?
Harold Toomey
Sr. Software Security Architect
Product & App. Security Group
McAfee LLC
W: (972) 963-7754
M: (801) 830-9987
Thank you