ISE® North America Leadership Summit - Aetna - Raising the Bar: Becoming a Leader in Software Security (Jim Routh, CISO, Nominee Showcase Presentation)

Post on 06-Aug-2020

Page 1: ISE NORTH AMERICA LEADERSHIP SUMMIT · Lessons Learned- Defect Categories Top 5 High Severity Findings 1. Dynamic Web Page Content 2. Cross-site Scripting 3. ASP.NET Configuration

ISE® NORTH AMERICA LEADERSHIP SUMMIT

Aetna

Raising the Bar: Becoming a Leader in Software Security

Jim Routh

CISO

Nominee Showcase Presentation

Page 2

ISE® North America Leadership Summit #ISEawards

Company Overview

Aetna is one of the nation’s leading diversified health care benefits companies, serving an estimated 45 million people with information and resources to help them make better informed decisions about their health care. Aetna offers a broad range of traditional, voluntary and consumer-directed health insurance products and related services, including medical, pharmacy, dental, behavioral health, group life and disability plans, and medical management capabilities, Medicaid health care management services, workers’ compensation administrative services and health information technology products and services. Aetna’s customers include employer groups, individuals, college students, part-time and hourly workers, health plans, health care providers, governmental units, government-sponsored plans, labor groups and expatriates.

Page 3

The Economic Benefit of Software Security

Aetna’s Secure SDLC

Diagram: the lifecycle phases Requirements, Design, Development and Test, with controls grouped as Preventative and Detective. Activities shown: Threat Modeling, Attack Models, Risk Classification, Security Reqs., Libraries, Open Source, Static Analysis, Dynamic Scanning, Threat-Based Pen Test, and Software Security Training (Role-Based Curriculum) spanning the whole lifecycle.

Page 4

Know Where You Want to Go…

www.bsimm.com


Data from May, 2013

Page 5

Best Practices- Security Mavens

Static Analysis

* Review and prioritize static analysis results and recommend rule enhancements

Threat Models

* Contribute to building threat models during the design phase

Vulnerability Remediation

* Lead and support vulnerability remediation efforts

Community Initiatives

* Help implement re-usable software security libraries and components

As software security experts, mavens have a direct impact on improving the resiliency of Aetna applications. Mavens complete advanced software security training and join a community across the enterprise to help shape the future of software security at Aetna.

Certification Program

• Software Security eLearning

• Instructor Led Training

• Static Analysis Training

• Program Contributions

Primary Workflows

Belt levels: Yellow Belt, Green Belt, Brown Belt, Black Belt

Page 6

Software Security Curriculum

Page 7

Best Practices- KPIs

Developer Curriculum

Course                                      # Assigned   # Completed   % Completed Last Month   % Completed This Month
Foundations of Software Security [200026]   1497         1377          92%                      92%
OWASP Top 10 Plus 2 [200148]                1497         1380          92%                      92%

Architect Curriculum

Course                                      # Assigned   # Completed   % Completed Last Month   % Completed This Month
Foundations of Software Security [200026]   260          258           89%                      99%
Architecture Risk Analysis [200144]         260          256           90%                      98%
Attack and Defense [200146]                 260          254           87%                      98%
OWASP Top 10 Plus 2 [200148]                260          254           79%                      98%

Page 8

Component Lifecycle Management

13 Billion Requests in 2013

Growth Drivers: Mobile, Cloud, Web Apps, Big Data

Monitor: awareness from development to operations

Secure: scan for malware & vulnerabilities

Manage: remediation through flexible policy enforcement


Industry data

Page 9

Open Source Component Scan

Component Evaluation Criteria:

1. Security Risk

2. Applicable License

3. Architecture Quality

4. Proprietary Components

5. Component Age

6. Component Overlap

Page 10

Lessons Learned- Defect Density

Project Group            LOC          # Highs   Defect Density
New Projects in Sept     5,071,419    163       0.32
Existing Projects        14,084,006   1,445     1.03
All Projects             19,155,425   1,608     0.84

Chart: defect density by month, Feb through Sept, with series All, Net New and Existing.
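The Defect Density column in the table above follows from the LOC and # Highs columns. The Python below is an added example, not Aetna's code or anything from the presentation: it recomputes the table and shows that the All Projects figure is LOC-weighted (sum of findings over sum of LOC) rather than an average of the two group densities. The normalisation to findings per 10,000 LOC is an assumption inferred from the table's values (163 / 5,071,419 only gives 0.32 when scaled by 10,000); the slide itself does not state the unit.

```python
"""Defect density as high-severity findings per 10,000 LOC.

Added example, not Aetna's code. The per-10,000-LOC normalisation is an
assumption inferred from the slide's table, not stated on the slide.
"""
from dataclasses import dataclass
from typing import Iterable

LOC_PER_UNIT = 10_000  # assumed normalisation: findings per 10,000 LOC


@dataclass(frozen=True)
class ProjectGroup:
    name: str
    loc: int      # lines of code scanned
    highs: int    # high-severity static-analysis findings

    @property
    def density(self) -> float:
        """High-severity findings per LOC_PER_UNIT lines of code."""
        if self.loc <= 0:
            raise ValueError(f"{self.name}: LOC must be positive")
        return self.highs / self.loc * LOC_PER_UNIT


def combine(groups: Iterable[ProjectGroup], name: str = "All Projects") -> ProjectGroup:
    """Pool several groups by summing LOC and findings.

    This yields a LOC-weighted density; averaging the per-group densities
    would weight a small project set the same as a large one.
    """
    groups = list(groups)
    return ProjectGroup(name, sum(g.loc for g in groups), sum(g.highs for g in groups))


def mean_of_densities(groups: Iterable[ProjectGroup]) -> float:
    """The naive unweighted mean, included only to contrast with combine()."""
    groups = list(groups)
    return sum(g.density for g in groups) / len(groups)


def density_table(groups: Iterable[ProjectGroup]) -> dict[str, float]:
    """Name -> density rounded to two places, the precision the slide uses."""
    return {g.name: round(g.density, 2) for g in groups}


# Figures taken from the slide's table (constructed instances, same numbers).
NEW_PROJECTS = ProjectGroup("New Projects in Sept", 5_071_419, 163)
EXISTING_PROJECTS = ProjectGroup("Existing Projects", 14_084_006, 1_445)
ALL_PROJECTS = combine([NEW_PROJECTS, EXISTING_PROJECTS])

if __name__ == "__main__":
    for name, d in density_table([NEW_PROJECTS, EXISTING_PROJECTS, ALL_PROJECTS]).items():
        print(f"{name:22s} {d:.2f} highs per {LOC_PER_UNIT:,} LOC")
    naive = mean_of_densities([NEW_PROJECTS, EXISTING_PROJECTS])
    print(f"unweighted mean of the two groups: {naive:.2f} (not the table's 0.84)")
```

Because the existing code base is almost three times the size of the new projects and carries a higher density, the pooled figure (0.84) sits well above the unweighted mean of the two groups (about 0.67); when comparing months or teams, pool the raw counts rather than averaging densities.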

Page 11

Lessons Learned- Dynamic Scanning

Page 12

Lessons Learned- Defect Categories

Top 5 High Severity Findings

1. Dynamic Web Page Content

2. Cross-site Scripting

3. ASP.NET Configuration

4. Dynamic Database Query

5. Processing Sensitive Data

Pie chart: Defect Categories by severity (High, Medium, Low), with segments labelled 8%, 36% and 56%.

New defect type to Top 5

Software security flaws (design) and defects (development) are simply treated as defects during development. When they are discovered in production, they are treated as security incidents.