TRANSCRIPT
ISE® NORTH AMERICA LEADERSHIP SUMMIT
Aetna
Raising the Bar: Becoming a Leader in Software Security
Jim Routh
CISO
Nominee Showcase Presentation
ISE® North America Leadership Summit #ISEawards
Company Overview
Aetna is one of the nation’s leading diversified health care benefits companies, serving an estimated 45 million people with information and resources to help them make better informed decisions about their health care. Aetna offers a broad range of traditional, voluntary and consumer-directed health insurance products and related services, including medical, pharmacy, dental, behavioral health, group life and disability plans, and medical management capabilities, Medicaid health care management services, workers’ compensation administrative services and health information technology products and services. Aetna’s customers include employer groups, individuals, college students, part-time and hourly workers, health plans, health care providers, governmental units, government-sponsored plans, labor groups and expatriates.
The Economic Benefit of Software Security

Aetna's Secure SDLC (diagram: security activities placed across the SDLC phases and labelled as preventative or detective controls)
Phases: Requirements, Design, Development, Test
Activities shown: Risk Classification, Security Reqs., Threat Modeling, Attack Models, Libraries, Open Source, Static Analysis, Dynamic Scanning, Threat-Based Pen Test
Software Security Training (Role-Based Curriculum)
Know Where You Want to Go…
www.bsimm.com
Data from May, 2013
Best Practices- Security Mavens
Static Analysis
* Review and prioritize static analysis results and recommend rule enhancements
Threat Models
* Contribute to building threat models during the design phase
Vulnerability Remediation
* Lead and support vulnerability remediation efforts
Community Initiatives
* Help implement re-usable software security libraries and components
As software security experts, mavens have a direct impact on improving the resiliency of Aetna applications. Mavens complete advanced software security training and join a community across the enterprise to help shape the future of software security at Aetna.

Certification Program
• Software Security eLearning
• Instructor Led Training
• Static Analysis Training
• Program Contributions
Primary Workflows
Yellow Belt
Green Belt
Brown Belt
Black Belt
Software Security Curriculum
Best Practices- KPIs
Developer Curriculum
Course                                      # Assigned   # Completed   % Completed Last Month   % Completed This Month
Foundations of Software Security [200026]   1497         1377          92%                      92%
OWASP Top 10 Plus 2 [200148]                1497         1380          92%                      92%

Architect Curriculum
Course                                      # Assigned   # Completed   % Completed Last Month   % Completed This Month
Foundations of Software Security [200026]   260          258           89%                      99%
Architecture Risk Analysis [200144]         260          256           90%                      98%
Attack and Defense [200146]                 260          254           87%                      98%
OWASP Top 10 Plus 2 [200148]                260          254           79%                      98%
Component Lifecycle Management
13 Billion Requests in 2013 (industry data)
Growth Drivers: Mobile, Cloud, Web Apps, Big Data
Manage: awareness from development to operations
Monitor: scan for malware & vulnerabilities
Secure: remediation through flexible policy enforcement
Open Source Component Scan
Component Evaluation Criteria:
1. Security Risk
2. Applicable License
3. Architecture Quality
4. Proprietary Components
5. Component Age
6. Component Overlap
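The six criteria above are evaluation rules, and the practical question is how they get applied to an inventory. The following is an added example, not Aetna's tooling and not code from the presentation: a small Python policy check that runs each criterion over a constructed dependency list. The component names, versions, licenses, release dates, the quality score, the license allow-list, the age threshold and the inventory format are all hypothetical stand-ins for whatever a real scanner or SBOM would supply.

```python
"""Added example: a policy check over a constructed dependency inventory
applying six component evaluation criteria (security risk, license,
architecture quality, proprietary components, component age, overlap).
Not Aetna's tooling; every name, date, score and threshold is hypothetical."""
from dataclasses import dataclass
from datetime import date

# Policy knobs (hypothetical values, chosen for illustration)
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause"}
MAX_AGE_YEARS = 5
MIN_QUALITY = 0.6          # e.g. a 0..1 score from a project-health signal
TODAY = date(2013, 9, 30)  # fixed so the example is deterministic


@dataclass
class Component:
    name: str
    version: str
    license: str
    released: date
    known_vulns: int = 0       # count of published high-severity issues
    quality: float = 1.0       # architecture / maintenance quality score
    proprietary: bool = False  # vendor- or internally-controlled code
    purpose: str = ""          # coarse capability, used for the overlap check


def evaluate(components):
    """Return a list of (subject, criterion, detail) policy findings."""
    findings = []
    for c in components:
        tag = f"{c.name}:{c.version}"
        if c.known_vulns:                               # 1. Security risk
            findings.append((tag, "security-risk",
                             f"{c.known_vulns} known high-severity issue(s)"))
        if c.license not in ALLOWED_LICENSES:           # 2. Applicable license
            findings.append((tag, "license", f"{c.license} not on allow-list"))
        if c.quality < MIN_QUALITY:                     # 3. Architecture quality
            findings.append((tag, "architecture-quality",
                             f"score {c.quality:.2f} < {MIN_QUALITY}"))
        if c.proprietary:                               # 4. Proprietary components
            findings.append((tag, "proprietary",
                             "vendor-controlled; confirm support and patch path"))
        age_years = (TODAY - c.released).days / 365.25  # 5. Component age
        if age_years > MAX_AGE_YEARS:
            findings.append((tag, "age", f"released {age_years:.1f} years ago"))

    # 6. Component overlap: the same artifact at several versions, or several
    # artifacts doing the same job, widens the surface that must be patched.
    by_name, by_purpose = {}, {}
    for c in components:
        by_name.setdefault(c.name, set()).add(c.version)
        if c.purpose:
            by_purpose.setdefault(c.purpose, set()).add(c.name)
    for name, versions in by_name.items():
        if len(versions) > 1:
            findings.append((name, "overlap",
                             f"multiple versions in use: {sorted(versions)}"))
    for purpose, names in by_purpose.items():
        if len(names) > 1:
            findings.append((purpose, "overlap",
                             f"several libraries for one purpose: {sorted(names)}"))
    return findings


# Constructed inventory (not real project data)
INVENTORY = [
    Component("json-lib-a", "1.2", "Apache-2.0", date(2012, 4, 1), purpose="json"),
    Component("json-lib-b", "3.0", "MIT", date(2013, 1, 15), purpose="json"),
    Component("xml-parser", "2.1", "Apache-2.0", date(2007, 6, 1), known_vulns=2),
    Component("xml-parser", "2.4", "Apache-2.0", date(2012, 11, 1)),
    Component("vendor-sdk", "5.0", "Proprietary", date(2013, 3, 1),
              proprietary=True, quality=0.4),
]

if __name__ == "__main__":
    for subject, criterion, detail in evaluate(INVENTORY):
        print(f"{criterion:22} {subject:18} {detail}")
```

Each criterion is an independent rule, so a component can carry several findings at once (the constructed xml-parser 2.1 is both vulnerable and stale), which is what lets a policy engine escalate on the combination rather than on any single signal.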
Lessons Learned- Defect Density (high-severity findings per 10,000 LOC)
                        LOC          # Highs   Defect Density
New Projects in Sept    5,071,419    163       0.32
Existing Projects       14,084,006   1,445     1.03
All Projects            19,155,425   1,608     0.84
[Chart: defect density by month, Feb through Sept, three series: All, Net New, Existing]
Lessons Learned- Dynamic Scanning
Lessons Learned- Defect Categories
Top 5 High Severity Findings
1. Dynamic Web Page Content
2. Cross-site Scripting
3. ASP.NET Configuration
4. Dynamic Database Query
5. Processing Sensitive Data
[Pie chart, Defect Categories: High / Medium / Low, slice labels 8%, 36% and 56%]
New defect type to Top 5
Software security flaws (design) and defects (development) are simply treated as defects during development. When they are discovered in production, they are treated as security incidents.
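Two of the five high-severity categories listed above, Dynamic Database Query and Dynamic Web Page Content / Cross-site Scripting, reduced to their smallest form as an added example (not code from the presentation or from Aetna): each vulnerable pattern next to its fix, run against an in-memory SQLite table. The members table, its rows, the member-id format and the probe string are constructed for illustration.

```python
"""Added example, not from the presentation: a dynamic (string-built) database
query and unencoded dynamic page content, each beside its fix, on an in-memory
SQLite table. Table, rows and member-id format are constructed for illustration."""
import html
import sqlite3

# Constructed probe: closes the quoted literal and appends an always-true clause.
PROBE = "' OR '1'='1"


def build_db():
    """In-memory table standing in for a member lookup (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (member_id TEXT, name TEXT, plan TEXT)")
    db.executemany("INSERT INTO members VALUES (?, ?, ?)", [
        ("M1001", "Alice", "PPO"),
        ("M1002", "Bob", "HMO"),
        ("M1003", "Carol", "HDHP"),
    ])
    return db


# "Dynamic Database Query": the statement text is assembled from the input,
# so the input can change the statement's structure.
def lookup_dynamic(db, member_id):
    sql = f"SELECT name, plan FROM members WHERE member_id = '{member_id}'"
    return db.execute(sql).fetchall()


# Fix: a parameterized query. The value travels separately from the statement,
# so quotes and OR clauses inside it are matched as literal text, not parsed.
def lookup_parameterized(db, member_id):
    sql = "SELECT name, plan FROM members WHERE member_id = ?"
    return db.execute(sql, (member_id,)).fetchall()


# "Dynamic Web Page Content" / "Cross-site Scripting": untrusted data is
# placed into HTML without encoding for that context.
def render_dynamic(name):
    return f"<p>Welcome, {name}</p>"


# Fix: contextual output encoding for an HTML text node (quote=True also
# covers the attribute-value context, should the same value end up there).
def render_encoded(name):
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    db = build_db()
    print("dynamic query, probe     :", lookup_dynamic(db, PROBE))
    print("parameterized, probe     :", lookup_parameterized(db, PROBE))
    print("dynamic page, script tag :", render_dynamic("<script>alert(1)</script>"))
    print("encoded page, script tag :", render_encoded("<script>alert(1)</script>"))
```

The same probe that returns every row through the string-built query returns nothing through the parameterized one, because no member id is literally equal to the probe text; that difference, not input filtering, is what static analysis is looking for when it classifies a query as dynamic.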