the art of securing 100 products...•utilizing automation is great if all bug tracking, code repo,...
TRANSCRIPT
![Page 1: THE ART OF SECURING 100 PRODUCTS...•Utilizing automation is great if ALL bug tracking, code repo, and build systems are centralized •Scaling automation for 100 products is nearly](https://reader034.vdocuments.us/reader034/viewer/2022042119/5e989bcbbb58d45d8f4dc15e/html5/thumbnails/1.jpg)
THE ART OF SECURING
100 PRODUCTS
Nir Valtman
@ValtmaNir
![Page 2: THE ART OF SECURING 100 PRODUCTS...•Utilizing automation is great if ALL bug tracking, code repo, and build systems are centralized •Scaling automation for 100 products is nearly](https://reader034.vdocuments.us/reader034/viewer/2022042119/5e989bcbbb58d45d8f4dc15e/html5/thumbnails/2.jpg)
as the <HEAD> Application Security </HEAD>
, except at
Neither of my previous startups succeeded!
1st time speaking publicly
But at least I invented few open source tools.
Mmmm… OH, AND
SAPIA
Lastly… I’m not a fan of the buzzword ”Cyber”!Cyber Cyber Cyber Arghhh!!!!
I work for
The trademark specified above is a trademark or a registered trademark of its respective company. This slide is intended for informational purposes only and does not represent any endorsement by this company.
![Page 3: THE ART OF SECURING 100 PRODUCTS...•Utilizing automation is great if ALL bug tracking, code repo, and build systems are centralized •Scaling automation for 100 products is nearly](https://reader034.vdocuments.us/reader034/viewer/2022042119/5e989bcbbb58d45d8f4dc15e/html5/thumbnails/3.jpg)
Why Does This Talk Matter?
You Like Expensive Stuff!
Someone Will Pay You Lots Of $$$ To Do It
You May Need To Secure Many Products
It's A Big Challenge To Secure 100 Products
Provides Practical Approaches To Secure 100 Products
Why Does It Matter?
Why Does It Matter?
Why Does It Matter?
Why Does It Matter?
![Page 4: THE ART OF SECURING 100 PRODUCTS...•Utilizing automation is great if ALL bug tracking, code repo, and build systems are centralized •Scaling automation for 100 products is nearly](https://reader034.vdocuments.us/reader034/viewer/2022042119/5e989bcbbb58d45d8f4dc15e/html5/thumbnails/4.jpg)
Agenda
Plan
Reality
![Page 5: THE ART OF SECURING 100 PRODUCTS...•Utilizing automation is great if ALL bug tracking, code repo, and build systems are centralized •Scaling automation for 100 products is nearly](https://reader034.vdocuments.us/reader034/viewer/2022042119/5e989bcbbb58d45d8f4dc15e/html5/thumbnails/5.jpg)
Meet The Application Security Lead!
▪ Accountable for Product Security
‾ Cloud-based, self-hosted or installed on customers’ premise
‾ Part of the products are regulated
▪ Needs to keep the company out of the news
▪ Got executive leadership to support him
* Avatar generated on avatarmaker.com
![Page 6: THE ART OF SECURING 100 PRODUCTS...•Utilizing automation is great if ALL bug tracking, code repo, and build systems are centralized •Scaling automation for 100 products is nearly](https://reader034.vdocuments.us/reader034/viewer/2022042119/5e989bcbbb58d45d8f4dc15e/html5/thumbnails/6.jpg)
Legal Internal Audit
The Daily Challenges
Need to secure a single high-risk product. Who’s involved?
IT Services
CISO
Solution
Management
Hardware
Solutions
Professional
ServicesProduct
ManagementSoftware R&D
![Page 7: THE ART OF SECURING 100 PRODUCTS...•Utilizing automation is great if ALL bug tracking, code repo, and build systems are centralized •Scaling automation for 100 products is nearly](https://reader034.vdocuments.us/reader034/viewer/2022042119/5e989bcbbb58d45d8f4dc15e/html5/thumbnails/7.jpg)
Mapping The Business Owners
7
Product #1
✓ Software R&D
✓ CISO
✓ Legal
✓ Product
Management
✓ Internal Audit
Product #2
✓ Software R&D
✓ CISO
✓ Legal
✓ Product
Management
✓ Solution
Management
✓ Hardware
Solutions
Product #100
✓ Software R&D
✓ IT
✓ CISO
✓ Legal
✓ Product
Management
✓ Solution
Management
✓ Professional
Services
![Page 8: THE ART OF SECURING 100 PRODUCTS...•Utilizing automation is great if ALL bug tracking, code repo, and build systems are centralized •Scaling automation for 100 products is nearly](https://reader034.vdocuments.us/reader034/viewer/2022042119/5e989bcbbb58d45d8f4dc15e/html5/thumbnails/8.jpg)
Will I Finish This Mapping Soon?
Start Date Done!
![Page 9: THE ART OF SECURING 100 PRODUCTS...•Utilizing automation is great if ALL bug tracking, code repo, and build systems are centralized •Scaling automation for 100 products is nearly](https://reader034.vdocuments.us/reader034/viewer/2022042119/5e989bcbbb58d45d8f4dc15e/html5/thumbnails/9.jpg)
WE NEED TECHNOLOGY!
![Page 10: THE ART OF SECURING 100 PRODUCTS...•Utilizing automation is great if ALL bug tracking, code repo, and build systems are centralized •Scaling automation for 100 products is nearly](https://reader034.vdocuments.us/reader034/viewer/2022042119/5e989bcbbb58d45d8f4dc15e/html5/thumbnails/10.jpg)
RESOURCE DIVERSITY &
LIMITATIONS
![Page 11: THE ART OF SECURING 100 PRODUCTS...•Utilizing automation is great if ALL bug tracking, code repo, and build systems are centralized •Scaling automation for 100 products is nearly](https://reader034.vdocuments.us/reader034/viewer/2022042119/5e989bcbbb58d45d8f4dc15e/html5/thumbnails/11.jpg)
Distinct Technologies
The trademarks specified above are trademarks or registered trademarks of their respective owners. This slide is intended for informational purposes only and does not represent any endorsement
![Page 12: THE ART OF SECURING 100 PRODUCTS...•Utilizing automation is great if ALL bug tracking, code repo, and build systems are centralized •Scaling automation for 100 products is nearly](https://reader034.vdocuments.us/reader034/viewer/2022042119/5e989bcbbb58d45d8f4dc15e/html5/thumbnails/12.jpg)
Diverse Application Security Tools
Static Application Security
Testing (SAST)
Dynamic Application
Security Testing (DAST)
Interactive Application
Security Testing (IAST)
Software Composition
Analysis
The trademarks specified above are trademarks or registered trademarks of their respective owners. This slide is intended for informational purposes only and does not represent any endorsement.
Runtime AST Container Security Code Obfuscation& More…
![Page 13: THE ART OF SECURING 100 PRODUCTS...•Utilizing automation is great if ALL bug tracking, code repo, and build systems are centralized •Scaling automation for 100 products is nearly](https://reader034.vdocuments.us/reader034/viewer/2022042119/5e989bcbbb58d45d8f4dc15e/html5/thumbnails/13.jpg)
What is the Application
Security labor percentage of
the engineering labor?
Labor Limitations
1%-2%of engineering org size
![Page 14: THE ART OF SECURING 100 PRODUCTS...•Utilizing automation is great if ALL bug tracking, code repo, and build systems are centralized •Scaling automation for 100 products is nearly](https://reader034.vdocuments.us/reader034/viewer/2022042119/5e989bcbbb58d45d8f4dc15e/html5/thumbnails/14.jpg)
APPLICATION SECURITY
MATURITY PROGRAM
Maturity is knowing when and where to be immature
![Page 15: THE ART OF SECURING 100 PRODUCTS...•Utilizing automation is great if ALL bug tracking, code repo, and build systems are centralized •Scaling automation for 100 products is nearly](https://reader034.vdocuments.us/reader034/viewer/2022042119/5e989bcbbb58d45d8f4dc15e/html5/thumbnails/15.jpg)
Governance – Easy To Say, Difficult To Control
Develop an S-SDLC Enforce the S-SDLC
Provide Technology-Specific
Training
Map, Track & Drive Towards
Completion Of Trainings
Define Risk Management & Risk
Acceptance Process
Get Executives To Sign On A
Security Risk
Best Practice…
![Page 16: THE ART OF SECURING 100 PRODUCTS...•Utilizing automation is great if ALL bug tracking, code repo, and build systems are centralized •Scaling automation for 100 products is nearly](https://reader034.vdocuments.us/reader034/viewer/2022042119/5e989bcbbb58d45d8f4dc15e/html5/thumbnails/16.jpg)
Construction – Relatively DifficultTh
reat
Ass
ess
men
t
Documenting
risks in agile
development
lifecycle
consumes
much
resources Secu
rity
Req
uir
em
en
ts Should app
security be
involved in ALL
requirements
sessions?
Secu
rity
Arc
hit
ect
ure Providing best
practices for
various
product types
![Page 17: THE ART OF SECURING 100 PRODUCTS...•Utilizing automation is great if ALL bug tracking, code repo, and build systems are centralized •Scaling automation for 100 products is nearly](https://reader034.vdocuments.us/reader034/viewer/2022042119/5e989bcbbb58d45d8f4dc15e/html5/thumbnails/17.jpg)
Verification – Roadblocks Ahead!
• Get a design diagram from engineering teams… lots of teams!!!
• Working with many smart engineering people – they know everything!
Design Review
• Utilizing automation is great if ALL bug tracking, code repo, and build systems are
centralized
• Scaling automation for 100 products is nearly impossible (technology & labor wise)
• Building a central security library is a waste of time if technologies are vary!
Code Review
• Automation = [sophisticated] vulnerability scanning. Manual work = penetration test!
• $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
Security Testing
![Page 18: THE ART OF SECURING 100 PRODUCTS...•Utilizing automation is great if ALL bug tracking, code repo, and build systems are centralized •Scaling automation for 100 products is nearly](https://reader034.vdocuments.us/reader034/viewer/2022042119/5e989bcbbb58d45d8f4dc15e/html5/thumbnails/18.jpg)
Deployment – Only Sounds Easy
”Shadow”-operated IRT Corporate IRT
Work w/ every engineering
team to QA hardening
If I define & It doesn’t work,
they’re responsible
![Page 19: THE ART OF SECURING 100 PRODUCTS...•Utilizing automation is great if ALL bug tracking, code repo, and build systems are centralized •Scaling automation for 100 products is nearly](https://reader034.vdocuments.us/reader034/viewer/2022042119/5e989bcbbb58d45d8f4dc15e/html5/thumbnails/19.jpg)
Perspective On 1 Of 100 Products
1.60
2.60
3.00
1.00
2.601.35
1.702.10
1.67
1.68
2.35
1.70
0.00
0.50
1.00
1.50
2.00
2.50
3.00Strategy&Metrics
Policy&Compliance
Education&Guidance
ThreatAssessment
SecurityRequirements
SecureArchitecture
DesignAnalysis
ImplementationReview
SecurityTesting
IssueManagement
EnvironmentHardening
OperationalEnablement
Application Security Maturity Overview
![Page 20: THE ART OF SECURING 100 PRODUCTS...•Utilizing automation is great if ALL bug tracking, code repo, and build systems are centralized •Scaling automation for 100 products is nearly](https://reader034.vdocuments.us/reader034/viewer/2022042119/5e989bcbbb58d45d8f4dc15e/html5/thumbnails/20.jpg)
Perspective On 1 Of 100 Products
Additional Considerations
▪ Number of items per development lifecycle stage
‾ E.g. pending QA, not started, in dev, etc.
▪ Average time to mitigate a vulnerability
▪ Prioritized list of outstanding Epics/US/Bugs
1
4
5
9
11
17
21
1
2
3
5
9
11
14
0
5
10
15
20
25
1/17 2/17 3/17 4/17 5/17 6/17 7/17
Createdvs.ResolvedChart:ProductXSecurityBugs
BugsCreated BugsResolved
![Page 21: THE ART OF SECURING 100 PRODUCTS...•Utilizing automation is great if ALL bug tracking, code repo, and build systems are centralized •Scaling automation for 100 products is nearly](https://reader034.vdocuments.us/reader034/viewer/2022042119/5e989bcbbb58d45d8f4dc15e/html5/thumbnails/21.jpg)
Perspective On 100 Products
![Page 22: THE ART OF SECURING 100 PRODUCTS...•Utilizing automation is great if ALL bug tracking, code repo, and build systems are centralized •Scaling automation for 100 products is nearly](https://reader034.vdocuments.us/reader034/viewer/2022042119/5e989bcbbb58d45d8f4dc15e/html5/thumbnails/22.jpg)
Perspective On 100 Products
Product names are sanitized
![Page 23: THE ART OF SECURING 100 PRODUCTS...•Utilizing automation is great if ALL bug tracking, code repo, and build systems are centralized •Scaling automation for 100 products is nearly](https://reader034.vdocuments.us/reader034/viewer/2022042119/5e989bcbbb58d45d8f4dc15e/html5/thumbnails/23.jpg)
DON’T REINVENT THE
WHEEL, JUST REALIGN IT(Anthony J. D’Angelo)
![Page 24: THE ART OF SECURING 100 PRODUCTS...•Utilizing automation is great if ALL bug tracking, code repo, and build systems are centralized •Scaling automation for 100 products is nearly](https://reader034.vdocuments.us/reader034/viewer/2022042119/5e989bcbbb58d45d8f4dc15e/html5/thumbnails/24.jpg)
NCR’s App Sec Team’s Specialties
Application Security
Architect
Application Security
Engineer
Application Security
Program Manager
Application Security
Risk & Compliance
Manager
![Page 25: THE ART OF SECURING 100 PRODUCTS...•Utilizing automation is great if ALL bug tracking, code repo, and build systems are centralized •Scaling automation for 100 products is nearly](https://reader034.vdocuments.us/reader034/viewer/2022042119/5e989bcbbb58d45d8f4dc15e/html5/thumbnails/25.jpg)
NCR’s App Sec Team’s Specialties Mapping
OpenSAMM Speciality
Domain Activity Security Architecture
Program Management
Risk Management & Compliance
Application Security
Engineering
Governance Strategy & Metrics V VPolicy & Compliance V
Education & Guidance V V V VConstruction Threat Assessment V
Security Requirements V V V
Secure Architecture VVerification Design Review V
Code Review V VSecurity Testing V
Deployment Vulnerability Mgmt V VEnvironment Hardening VOperational Enablement V
![Page 26: THE ART OF SECURING 100 PRODUCTS...•Utilizing automation is great if ALL bug tracking, code repo, and build systems are centralized •Scaling automation for 100 products is nearly](https://reader034.vdocuments.us/reader034/viewer/2022042119/5e989bcbbb58d45d8f4dc15e/html5/thumbnails/26.jpg)
Prioritizing Security
26
Internet-
Facing &
Regulated
Internet-
FacingInternal
Internal
Regulated>$5M
$500K-
$1M<$500K
$1M-
$5M
Product Type Financial ImpactStrategy
Investments
&
Commitments
![Page 27: THE ART OF SECURING 100 PRODUCTS...•Utilizing automation is great if ALL bug tracking, code repo, and build systems are centralized •Scaling automation for 100 products is nearly](https://reader034.vdocuments.us/reader034/viewer/2022042119/5e989bcbbb58d45d8f4dc15e/html5/thumbnails/27.jpg)
Budgeting Labor Correctly – The Formula
Product Type % Of R&D
Internet-Facing & Regulated 2%
Internet-Facing 1%
Internal & Regulated 1%
Internal 0.3%
Product Type % Of AppSec
Program Manager 20%
Risk & Compliance 10%
Architecture 23%
Engineering 47%
R&D
Labor
Count
Example
An Internet-facing & regulated product suite that is
developed by an org size of 1000 employees needs:
2% X 1000 = 20 App Sec Team Members, consisting
of 4 PM, 2 R&C, 4.6 Architects and 9.4 Engineers
![Page 28: THE ART OF SECURING 100 PRODUCTS...•Utilizing automation is great if ALL bug tracking, code repo, and build systems are centralized •Scaling automation for 100 products is nearly](https://reader034.vdocuments.us/reader034/viewer/2022042119/5e989bcbbb58d45d8f4dc15e/html5/thumbnails/28.jpg)
A Lesson Learned
Even with an aggressive strategy, hiring app sec people is a REAL bottleneck!
![Page 29: THE ART OF SECURING 100 PRODUCTS...•Utilizing automation is great if ALL bug tracking, code repo, and build systems are centralized •Scaling automation for 100 products is nearly](https://reader034.vdocuments.us/reader034/viewer/2022042119/5e989bcbbb58d45d8f4dc15e/html5/thumbnails/29.jpg)
A Satellite Program
Give a poor man a fish and you feed him for a day. Teach him to fish and you give him an occupation that will feed him for a lifetime.”
(Chinese proverb.)
![Page 30: THE ART OF SECURING 100 PRODUCTS...•Utilizing automation is great if ALL bug tracking, code repo, and build systems are centralized •Scaling automation for 100 products is nearly](https://reader034.vdocuments.us/reader034/viewer/2022042119/5e989bcbbb58d45d8f4dc15e/html5/thumbnails/30.jpg)
Yellow Belt Green Belt Brown Belt Black Belt
Online TrainingFoundation app
sec classesAdvanced classes
Instructor-led or conferences participation
Various advanced
topics
Special InterestPII, GDPR, PCI,
FFIEC
Static/Dynamic/Interacti
ve Security AnalysisOn-boarding
Tool/Process
improvement
Advanced Threat modeling
Standards
review, reusable
IP
A Satellite Program Example
![Page 31: THE ART OF SECURING 100 PRODUCTS...•Utilizing automation is great if ALL bug tracking, code repo, and build systems are centralized •Scaling automation for 100 products is nearly](https://reader034.vdocuments.us/reader034/viewer/2022042119/5e989bcbbb58d45d8f4dc15e/html5/thumbnails/31.jpg)
Measuring Effectiveness!
Ongoing
▪Escalations asking for security resources by the
engineering teams are good!
▪Status reports must be balanced
‾ Neither too Green nor Red
![Page 32: THE ART OF SECURING 100 PRODUCTS...•Utilizing automation is great if ALL bug tracking, code repo, and build systems are centralized •Scaling automation for 100 products is nearly](https://reader034.vdocuments.us/reader034/viewer/2022042119/5e989bcbbb58d45d8f4dc15e/html5/thumbnails/32.jpg)
Measuring Effectiveness!
Year Over Year
▪Overall Application Security Maturity rank
increases
▪Decreased number of security vulnerability
reporting per X (you to define) lines of code
‾ Engineers will always make mistakes
‾ Use 3rd parties to assess it
![Page 33: THE ART OF SECURING 100 PRODUCTS...•Utilizing automation is great if ALL bug tracking, code repo, and build systems are centralized •Scaling automation for 100 products is nearly](https://reader034.vdocuments.us/reader034/viewer/2022042119/5e989bcbbb58d45d8f4dc15e/html5/thumbnails/33.jpg)
Scaling Out Team’s Capabilities
33
10 Yes/No Questions
Security Questionnaire For Engaging An App Sec Architect
![Page 34: THE ART OF SECURING 100 PRODUCTS...•Utilizing automation is great if ALL bug tracking, code repo, and build systems are centralized •Scaling automation for 100 products is nearly](https://reader034.vdocuments.us/reader034/viewer/2022042119/5e989bcbbb58d45d8f4dc15e/html5/thumbnails/34.jpg)
Scaling Out Team’s Capabilities
34
10 Yes/No QuestionsIs Data Classified?
Do You Follow The S-
SDLC?
Data Encryption?
Handle Sensitive Data
Related To PII/PCI?
Security Automation
Integrated Into Pipeline?
Consumer-Facing Mobile
App?
Security Questionnaire For Engaging An App Sec Architect
![Page 35: THE ART OF SECURING 100 PRODUCTS...•Utilizing automation is great if ALL bug tracking, code repo, and build systems are centralized •Scaling automation for 100 products is nearly](https://reader034.vdocuments.us/reader034/viewer/2022042119/5e989bcbbb58d45d8f4dc15e/html5/thumbnails/35.jpg)
Scaling Up Security
35
Application Security Must Fit Into Any Pipeline
Plan Code Build Test Release Deploy Operate
DEV OPS
Continuous Delivery
Continuous Integration
Agile Development
![Page 36: THE ART OF SECURING 100 PRODUCTS...•Utilizing automation is great if ALL bug tracking, code repo, and build systems are centralized •Scaling automation for 100 products is nearly](https://reader034.vdocuments.us/reader034/viewer/2022042119/5e989bcbbb58d45d8f4dc15e/html5/thumbnails/36.jpg)
PlanSecurity
Requirements
Security
Design
Security
Architecture
Code Code Review
BuildSAST
Scanning
SCA
Scanning
Container
Build Security
Scan
Push To
Registry
Container
Registry
Security Scan
Test Execute Tests
Container
Runtime
Protection
IAST
Scanning
Penetration
Testing
(incremental)
Release/
Deploy/
Operate
Deploy
Container
Runtime
Protection
DAST/ IAST/
RASP
Containerized Application Security Pipeline Example
![Page 37: THE ART OF SECURING 100 PRODUCTS...•Utilizing automation is great if ALL bug tracking, code repo, and build systems are centralized •Scaling automation for 100 products is nearly](https://reader034.vdocuments.us/reader034/viewer/2022042119/5e989bcbbb58d45d8f4dc15e/html5/thumbnails/37.jpg)
Scaling Up Security Using Release Automation
37
Static App Sec Testing
Interactive App Sec
Testing (IAST)
Binary Signing
Code Obfuscation
Dynamic App Sec
Testing (DAST)
Vulnerability Scanning
Dynamic App Sec
Testing (DAST)
Vulnerability Scanning
Runtime App Self
Protection (RASP)
Runtime App Self
Protection (RASP)
![Page 38: THE ART OF SECURING 100 PRODUCTS...•Utilizing automation is great if ALL bug tracking, code repo, and build systems are centralized •Scaling automation for 100 products is nearly](https://reader034.vdocuments.us/reader034/viewer/2022042119/5e989bcbbb58d45d8f4dc15e/html5/thumbnails/38.jpg)
Scaling Up Security When Lacking Automation
Identify Quick Wins
Static App Sec Testing Binary Signing
Code ObfuscationDynamic App Sec
Testing (DAST)
Vulnerability Scanning
Even A Long-Term Plan Is A Viable Plan
Penetration Tests
Manual Code Review
![Page 39: THE ART OF SECURING 100 PRODUCTS...•Utilizing automation is great if ALL bug tracking, code repo, and build systems are centralized •Scaling automation for 100 products is nearly](https://reader034.vdocuments.us/reader034/viewer/2022042119/5e989bcbbb58d45d8f4dc15e/html5/thumbnails/39.jpg)
Additional Tips
▪Securing 100 products takes years.
‾ Start by investing 80% of the resources in 20% of the products.
▪Reflect your success!
‾ Trending charts of app sec metrics
‾ Integration of tools into the build process
‾ Share product certifications completion
‾ Speak at Secure DevOps Summit ☺
![Page 40: THE ART OF SECURING 100 PRODUCTS...•Utilizing automation is great if ALL bug tracking, code repo, and build systems are centralized •Scaling automation for 100 products is nearly](https://reader034.vdocuments.us/reader034/viewer/2022042119/5e989bcbbb58d45d8f4dc15e/html5/thumbnails/40.jpg)
40
![Page 41: THE ART OF SECURING 100 PRODUCTS...•Utilizing automation is great if ALL bug tracking, code repo, and build systems are centralized •Scaling automation for 100 products is nearly](https://reader034.vdocuments.us/reader034/viewer/2022042119/5e989bcbbb58d45d8f4dc15e/html5/thumbnails/41.jpg)
Apply What You Have Learned Today
▪ Next week you should:
‾ Generate security engagement questionnaire (10 Yes/No Qs)
‾ Identify security tool implementation quick wins
▪ In the first three months following this presentation you should:
‾ Establish an application security maturity program
‾ Develop a product security strategy based on
• Company’s strategy
• Development methodologies & pipelining tools
• Product Types
▪ Within six months you should:
‾ Hopefully map all products & owners ☺
‾ Start executing the strategy
![Page 42: THE ART OF SECURING 100 PRODUCTS...•Utilizing automation is great if ALL bug tracking, code repo, and build systems are centralized •Scaling automation for 100 products is nearly](https://reader034.vdocuments.us/reader034/viewer/2022042119/5e989bcbbb58d45d8f4dc15e/html5/thumbnails/42.jpg)
THANK YOU
Nir Valtman
@ValtmaNir