Manoranjan Paul - OWASP (slide deck transcript)

Page 1
Manoranjan Paul
© 2007-2012. SecuRisk Solutions. 1

Page 2
!= Marijuana Paul

Page 3
Entertainment Paul

Page 4
Entertainment + Education ==
Enlightenment

Page 5
Entertainment - Education ==

Page 7
wise

Page 8
cracker

Page 9
wise

Page 11
Christian

Page 12
“L33t”

Page 13
“L4m3”

Page 14
After 2 near death calls
Christian

Page 16
Teach Security

Page 17
Teach Christ

Page 18
Teach Security in Christ

Page 19
http://www.facebook.com/getpearls
http://thepauls.wordpress.com

Page 20
Author

Page 22
Advisor Software Assurance

Page 24
And a few more
• MCAD
• MCSD
• ECSA
• CompTIA Network +

Page 25
SecuRisk Solutions
Training
Products
Consulting

Page 26
Express Certifications Certification Practice Tests
CISSP
CSSLP
SSCP
CAP

Page 33
‘dash4rk’

Page 37
2nd Degree Brown Belt

Page 38
Black Belt

Page 41
My son once asked me
“Dada, Are I Famous?”

Page 43
Censored
Censored
NOT ME

Page 44
So who am I?

Page 45
Christian
Author-Biologist-CEO-Dash4rk ABCD

Page 46
Love my Savior,
Love my Spouse,
Love my Sons,
Love Shaolin,
Love Sharks,
Love Security

Page 47
Mano ‘dash4rk’ Paul

Page 48
The
7 Qualities
of
Highly Secure Software

Page 49
Disclaimer
!Pimp my book talk
◦ One time on a flight … someone asked me: What is this book about? Is it any good?
All opinions expressed are my own and not reflective of my employer …. Wait a minute!
Tweet/Facebook/Blogs … permission?

Page 50
What we …
Produce
◦ Insecure (Hackable) Software
Need
◦ Highly Secure Software

Page 51
What is this talk about?
Not about
◦ 7 things I need to put in my code (software)
About
◦ 7 things you should take into account when Designing, Developing and Deploying Software.
Technical – Operations – Management focused

Page 52
7 Myths to bust
#1 – We have a firewall
#2 – We use SSL
#3 – We have IDS/IPS
#4 – We are not accessible from the Internet
#5 – We have never been compromised
#6 – Security is “Not my job”
#7 – Security adds little/no business value

Page 53
What is Highly Secure Software?
Hacker-proof
3Rs of Software Assurance (Trust)
◦ Reliable
◦ Resilient
◦ Recoverable

Page 54
007 …
#1 – Security is Built In, Not Bolted On
#2 – Functionality Maps to a Security Plan
#3 – Includes Foundational Assurance Elements
#4 – Is Balanced
#5 – Incorporates Security Requirements
#6 – Is Developed Collaboratively
#7 – Is Adaptable

Page 55
#1 – Security is Built In, Not Bolted On
The Ant and the Grasshopper
Be proactive not reactive
Be strategic and not just tactical (Tool centric)

Page 56
Security Development Lifecycle
Lessons Learned
Security Requirements
Security Plan
Attack Surface Eval.
Threat Modeling
Security Arch. Review
Secure Coding
Static Analysis
Dynamic Analysis
Assurance Testing
C&A
Secure Installation
V&V.
Continuous Monitoring
Rotation/Archival
Secure Disposal

Page 57
Building Security In
MOM in Cybercrime
◦ Motive: Hacker Motivations
◦ Opportunities: Reduced Attack Surface
◦ Means: Controls to Mitigate
Security Processes and Implementing Controls
Integrated with the SDLC
◦ Requirements to Release … is there more?

Page 58
#2 – Functionality Maps to a Security Plan
Breaking the Tape
Begin with the End in Mind
◦ How “secure” is your software going to be?
Functionality maps to Controls in the Security Plan

Page 59
Security Plan
Framework for ‘Assurance’ Foundation
Failing to plan = planning to Fail
Overview of applicable security requirements
◦ External (GRC+P)
◦ Internal (Policies/Standards)
Controls
◦ Safeguards / Countermeasures
◦ Technical (System) / Operational (People) / Management (Risk based)

Page 60
Mapped Software
Functionality: Each user must have a unique account for interacting with the software.
Controls: Unique usernames and passwords
Security Requirements: Remove test and default accounts before release (PCI DSS 6.3.1)
Threat: Impersonation and Repudiation

Page 61
#3 – Includes Foundational Assurance Elements
What lies beneath?
Put first things first

Page 62
First things First

Page 63
#4 – Is Balanced
The Clown Fish and the Anemone
Think Win/Win

Page 64
Balancing what?
Risk and Reward
◦ Security Lingo (ROI)
Functionality and Assurance
◦ Iron Triangle Triple Constraints
◦ “It is a real trade off. You always want the functionality and you always know you are providing opportunities so you need to take that into account and try to build in additional security every time. It is a race”
Richard ‘Dickie’ George
Technical Director, NSA

Page 65
Balancing what (contd.)
Threats and Controls

| S.No. | Threat | Control(s) |
|---|---|---|
| 1 | Overflow | strlen <= bytesize, safe APIs … |
| 2 | Injection Flaws | Parameterized Queries, Validate input … |
| 3 | XSS | Response Encoding, Validate Request … |
| 4 | CSRF | Session specific tokens, POST vs. GET … |
| 5 | DoS | Load Balancing, Replication … |
| 6 | Repudiation | Logging, Code signing … |
| 7 | Reversing | Obfuscation, IsDebuggerPresent API |
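An added example, not from the slides, that puts rows 2 and 3 of the table into code: the flawed form beside the control the table names, for Injection Flaws (parameterized query plus input validation) and XSS (response encoding). The in-memory table and the inputs are constructed for the demonstration.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, display_name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "Alice"), ("bob", "Bob <bob@example.invalid>")],
    )
    return conn


# --- Row 2: Injection Flaws --------------------------------------------------

def lookup_user_vulnerable(conn, username: str):
    """Deliberately flawed: the value is spliced into the SQL text, so the
    structure of the query depends on untrusted input."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_user_parameterized(conn, username: str):
    """Control from the table: a parameterized query. The SQL structure is
    fixed; the driver passes the value separately, whatever it contains."""
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


def validate_username(username: str) -> bool:
    """Second control from the table: input validation by allow-list, which
    rejects unexpected shapes before any query runs."""
    return 1 <= len(username) <= 32 and username.isascii() and username.isalnum()


# --- Row 3: XSS --------------------------------------------------------------

def render_greeting_vulnerable(display_name: str) -> str:
    """Deliberately flawed: stored data is placed into HTML unencoded."""
    return f"<p>Welcome, {display_name}</p>"


def render_greeting_encoded(display_name: str) -> str:
    """Control from the table: response encoding for the HTML element
    context, so any markup in the data is rendered as literal text."""
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"


def demo():
    """Run both pairs on constructed inputs and return the results."""
    conn = make_db()
    odd_name = "nobody' OR '1'='1"          # constructed: a quote that alters the flawed query
    markup_name = "<script>alert(1)</script>"  # constructed: markup stored as a display name
    return {
        "vulnerable": lookup_user_vulnerable(conn, odd_name),        # every row comes back
        "parameterized": lookup_user_parameterized(conn, odd_name),  # compared literally: no rows
        "validated": validate_username(odd_name),                    # rejected up front
        "html_vulnerable": render_greeting_vulnerable(markup_name),
        "html_encoded": render_greeting_encoded(markup_name),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```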

Page 66
#5 – Incorporates Security Requirements
Lost in translation
◦ Send reinforcements, we’re going to advance.
◦ Send three and four pence, we’re going to a dance.
Seek First to understand, then to be understood

Page 67
Security Requirements
External
◦ Regulations & Compliance
◦ Industry Standards
◦ Privacy
Internal
◦ Company Governance
◦ Business Functionality
SOX, HIPAA, GLBA, FISMA, ISO, NIST, PCI, OASIS, COPPA
Data Classification
Subject-Object Matrix
Use / Abuse Case Modeling

Page 68
#6 – Is Collaboratively Developed
There is no ‘I’ in Team
Synergize

Page 69
Whose viewpoint?
Highly Secure Software
◦ Business
◦ Security
◦ Management
◦ Development
◦ Legal
◦ Privacy
◦ Auditors
◦ Vendors

Page 70
#7 – Is Adaptable
The shark is a Polyphyodont
Sharpen the Saw

Page 71
Adaptable Software
Law of resiliency degradation
Adaptable to
◦ Technology
◦ Threats
◦ Talents
Begin with the Future in mind
◦ Predictive not just proactive

Page 72
More information
Questions?
Book Signing

Page 73
Cont@ct! If You (Liked the presentation ||
Did not like the presentation ||
Need Encore(other) presentation for your company ||
Have Security Program Development Consulting Needs ||
Have Security Product Development/Evaluations Needs ||
Have Awareness, Training & Education Needs ||
Have Certification Needs)
{
Contact me;
}
else
{
Have a great day!
}
finally
{
Thankyou();
BuildHighlySecureSoftware();
}
Twitter (@manopaul)
mano(dot)paul(at)securisksolutions(dot)com
mano(dot)paul(at)expresscertifications(dot)com