Information Security In Pakistan
& Software Security As A Quality Aspect
Nahil Mahmood, Chairman,
Pakistan Cyber Security Association (PCSA)
Software Quality
[Includes Security]
LET'S OWN SECURITY!
Agenda
What is the global extent of the cybercrime market?
Where does Pakistan stand?
Information & Software Security – Challenges in PK
The Solution – Software Security Transformation
Software Security Benchmarks & Standards
Extent of Cybercrime &
Cybercrime As A Service
Research-as-a-service
Crimeware-as-a-service
Cybercrime-infrastructure-as-a-service
Hacking-as-a-service
Where does Pakistan stand?
Legal
Technical
Organizational
Capacity building
Cooperation
Global Cybersecurity Index & Wellness Profile
Asia Pacific Region
South Asia Comparison
As per the Microsoft report:
https://info.microsoft.com/rs/157-GQE-382/images/EN-MSFT-SCRTY-CNTNT-eBook-cybersecurity.pdf
Global Infection Heatmap
https://info.microsoft.com/rs/157-GQE-382/images/EN-MSFT-SCRTY-CNTNT-eBook-cybersecurity.pdf
Information & Software Security Challenges in Pakistan
Cyber Security Survey Results (10 organizations surveyed; counts of Yes / No answers)

Survey Question | Yes | No
Formal information security policy signed off by Board/Steering Committee? | 7 | 3
Separate department for Information Security with a Head of Infosec / CISO? | 6 | 4
Internal vulnerability management program (VM) and appropriate tools for VM? | 3 | 7
Independent security assessment by a 3rd party in the last 6 months? | 1 | 9
Penetration testing by a 3rd party in the last 6 months? | 3 | 7
Security hardening benchmark such as CIS/DISA/OWASP for IT assets hardening? | 1 | 9
Security awareness program and testing mechanism for IT staff? | 2 | 8
Implemented global security framework such as ISO27001:2013 or PCI? | 1 | 9
Cooperative culture among depts such as IT/Risk/InfoSec/Audit/Compliance? | 1 | 9
Process oriented culture for IT and Information Security? | 2 | 8
Formal process for InfoSecurity team to conduct security accreditation? | 4 | 6
For in-house software development, is security well-embedded in the SDLC? | 2 | 8
Organization demonstrates management commitment? | 2 | 8
InfoSec staff is at least 15-20% of IT staff? | 1 | 9
Do you have a formal incident management and change management process? | 2 | 8

AVERAGE SCORE = 2.5/10
Information Security: Ground Realities
IT
InfoSec
Compliance
Risk
Audit
IT Challenges Summary
IT is complex and difficult to manage
IT under pressure from business groups
Lack of sufficient (competent) resources
Lack of process culture
IT IS CLEARLY NOT ALIGNED TO PERFORM DILIGENT SECURITY WORK
Information Security Challenges
Silos and lack of coherent Information Security ownership
Lot of time and energy wasted in traversing departmental boundaries
Information Security is tough work – enabling environment missing
Fundamental security hardening of IT assets (including software) “in the trenches” is glaringly absent
Industry Characteristics
Wavering management commitment
“Superficial dressing” security
Reactive to regulator, audit/compliance, or international customer mandate
Security hardening remains largely “untouched”
Industry in denial
Security
Network
Systems (OS)
DB
Application
Physical
Mobile
The Solution – Software Security Transformation
Building-In Security Into The SDLC
Design Flaws
1. Educate personnel on software security
https://www.synopsys.com/blogs/software-security/infuse-security-into-your-software-development-life-cycle/
SDLC Phase: Requirements Gathering
TRAINING
2. Formally assign responsibility for software security
https://www.synopsys.com/blogs/software-security/infuse-security-into-your-software-development-life-cycle/
SDLC Phase: Requirements Gathering
SOFTWARE SECURITY GROUP (SSG)
3. Perform security focused requirements gathering
https://www.synopsys.com/blogs/software-security/infuse-security-into-your-software-development-life-cycle/
SDLC Phase: Requirements Gathering
-ABUSE CASES
-INITIAL RISK ANALYSIS
Abuse Cases
4. Establish comprehensive risk management process
https://www.synopsys.com/blogs/software-security/infuse-security-into-your-software-development-life-cycle/
SDLC Phase: Requirements Gathering
-IDENTIFY MAJOR RISKS & EXECUTE A MITIGATION PLAN
-ENSURE PROPER SECURITY DESIGN
5. Perform architecture reviews & threat modelling
https://www.synopsys.com/blogs/software-security/infuse-security-into-your-software-development-life-cycle/
SDLC Phase: Design
ARCHITECTURE RISK ANALYSIS
1. Analyzing fundamental design principles
2. Assessing the attack surface
3. Enumerating various threat agents
4. Identifying weaknesses and gaps in security controls
6. Carry out code reviews during implementation
https://www.synopsys.com/blogs/software-security/infuse-security-into-your-software-development-life-cycle/
SDLC Phase: Implementation
-ABUSE & MISUSE CASES
-INITIAL RISK ANALYSIS
7. Execute test plans and perform penetration tests
https://www.synopsys.com/blogs/software-security/infuse-security-into-your-software-development-life-cycle/
SDLC Phase: Verification
-Malformed input handling
-Business logic flaws
-Authentication/authorization bypass attempts
-Overall security posture
8. Deploy software product
https://www.synopsys.com/blogs/software-security/infuse-security-into-your-software-development-life-cycle/
SDLC Phase: Deployment/Maintenance
-Deployment plan
-Change management plan
-Roll-back plan
-DR & IR plans
Software Security Benchmarks & Standards
OWASP Source Code Flaws – Top 10
OWASP PROJECTS
OWASP PROJECTS
OWASP PROJECTS
OWASP PROJECTS
32 WORKING GROUPS
SECURITY, TRUST & ASSURANCE REGISTRY (STAR)
CSA STAR is the industry’s most powerful program for security assurance in the cloud. STAR encompasses key principles of transparency, rigorous auditing, harmonization of standards, with continuous monitoring also available in late 2015. STAR certification provides multiple benefits, including indications of best practices and validation of security posture of cloud offerings.
CLOUD CONTROLS MATRIX (CCM)
Other Security Benchmarks & Standards
Conclusion
Conclusion
Security implementation is generally weak in Pakistan’s IT sector
Security is hard work, and requires cooperation from all stakeholders
Security to be linked with annual performance appraisals for best results
For software security, build security into all phases of the sec-SDLC
QA Depts must offer an integrated QA+Security quality gate for developers
Software security eco-system to be addressed by improving software security awareness and training in Universities & industry
Role of Pakistan Cyber Security Association (PCSA)