Implementation Patterns For Software Security Programs
Posted 19-Oct-2014, category: Technology
Transcript of Implementation Patterns For Software Security Programs
© Copyright 2013 Denim Group - All Rights Reserved
Implementation Patterns for Software Security Programs
Dan Cornell
@danielcornell
Denim Group Background
• Professional services firm that builds & secures enterprise applications
– External application assessments
  • Web, mobile, and cloud
– Software development lifecycle (SDLC) consulting
  • Classroom and e-Learning for PCI compliance
• Secure development services:
– Secure .NET and Java application development
– Post-assessment remediation
• Deep penetration in Energy, Financial Services, Banking, Insurance, Healthcare and Defense market sectors
• Customer base spans Fortune 500
• Contributes to industry best practices through the Open Web Application Security Project (OWASP)
Dan Cornell
• Dan Cornell, founder and CTO of Denim Group
• Software developer by background (Java, .NET, etc.)
• OWASP San Antonio
• 15 years experience in software architecture, development and security
• Heads Denim Group’s application security team
Agenda
• What Makes a Successful Software Security Program?
– Key commonalities
• Software Security Program Implementations
– Approaches
– Customization
– Considerations
• Three Example Program Activities
– Security Testing
– Code Review
– Education and Guidance
• Selecting What Works for your Organization
Successful Software Security Programs
• Common Goal
– Reduce Risk by…
  • Reliably Creating Acceptably Secure Software
• Obligatory “People, Process, Technology” Reference
– Anybody got a good Sun Tzu quote?
– I’d settle for a von Clausewitz…
• Common Activities
– Implementation must be tied to the specific organization
Software Assurance Maturity Model (OpenSAMM)
• Open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization
• Useful for:
– Evaluating an organization’s existing software security practices
– Building a balanced software security program in well-defined iterations
– Demonstrating concrete improvements to a security assurance program
– Defining and measuring security-related activities within an organization
• Main website:
– http://www.opensamm.org/
SAMM Business Functions
• Start with the core activities tied to any organization performing software development
• Named generically, but should resonate with any developer or manager
This slide content © Pravir Chandra
SAMM Security Practices
• From each of the Business Functions, three Security Practices are defined
• The Security Practices cover all areas relevant to software security assurance
• Each one is a ‘silo’ for improvement
This slide content © Pravir Chandra
Check Out This One...
This slide content © Pravir Chandra
Program Implementation
• Approaches
• Customization
• Considerations
Approaches
• Automated vs. Manual
• Depth-First vs. Breadth-First
• Centralized vs. Distributed
• Top-Down vs. Bottom-Up
• SaaS vs. On-Premise
• In-House vs. Outsourced
• All of the Above (and More)
Organizational Fit
• Not “One Size Fits All”
– What Are the Threats to Your Organization?
– How Much of an Executive Mandate Do You Have?
– How Much Risk Are You Willing (Or Going) to Bear?
• Differences Across Industries
– Financial Services Firms Do This Differently Than Energy Sector
– Different Threats, Different Regulatory Environment
• Differences Within Industries
– Oilfield Services versus Mid-majors
– Banks versus Credit Unions
Chart: Total Assets for Top Holding Companies. Y-axis from $0 to $2,500,000,000 in $500,000,000 steps; bars ranked 1 to 20: JPMorgan Chase & Co., Bank of America, Citigroup, Wells Fargo, Goldman Sachs Group, MetLife, Morgan Stanley, U.S. Bancorp, Bank of New York Mellon, HSBC, PNC Financial Services Group, Capital One, TD Bank, State Street Corporation, Ally Financial, BB&T Corporation, Suntrust Banks, Principal Financial Group, American Express, Ameriprise Financial.
Considerations
• Raw Budget Constraints
• Organizational Structure
• Regulatory and Compliance Mandates
• Culture and Risk Appetite
• Leadership Buy-in
Patterns and Anti-Patterns
• Every Organization is Different
– But there are commonalities
• Similar approaches
– Some good
– Some … less good
• Do you know the “right” thing to do?
• Are you doing it?
– If not – why not?
Example Program Activities
• Take Three Common Activities from OpenSAMM
– Security Testing
– Code Review
– Education and Guidance
Examples of Activities
• Security Testing
– Recurring dynamic scanning
– Manual penetration tests
• Code Review
– Automated static analysis
– Manual security code review
• Education and Guidance
– Instructor-led training for developers
– e-Learning
– Develop and publish “Top 10” list for developers
Security Testing
• Also known as “black box testing” and “penetration testing”
• Testing the security of a running system
– Automated scanners help
– But don’t forget the manual component
• As with any testing activity
– How frequently?
– How thorough?
Security Testing: Anti-Patterns
• “Dude with a scanner” approach
– Can also be implemented as the “lady with a scanner” approach
• “SaaS and forget” approach
Security Testing: Better Patterns
• Deep Assessment of Critical Applications
– Automated scanning, manual scan review and assessment
• Breadth-First Scanning
– You want a scanning program, not a scanner
• Understand that security testing is a means to an end
– Not an end in and of itself
– Start of vulnerability management
Code Review
• Also known as “static analysis”
• Again – scanners are great, but manual review and assessment are required for depth
• Code review can be (is) complicated
– Often more so than dynamic security testing
– Clean scans, false positives, prioritization…
Code Review: Anti-Patterns
• “Dude with a scanner” approach (redux)
– Can still be implemented as the “lady with a scanner” approach
– Even worse for code review because source code (or binary) access is required
• “I’m sure the developers are taking care of this”
– “They’re using [FindBugs|PMD|XYZ tool]”
Code Review: Better Patterns
• Key Questions:
– Who runs the scan?
– What do you do with the results?
• Centralized Code Review Group
– Helps if you have a mandate and/or the ability to block applications from production
• Deploy to Developer Desktops
– Can be great for certain organizations, but…
– Many potential pitfalls and hidden costs here
Education and Guidance
• It is really hard to hold developers to a standard if you have not communicated that standard to them and provided guidance on how they can meet that standard
– Only fair…
• Can take a variety of forms
– Instructor-led training (ILT)
– e-Learning
– Lunch and learns
– Mentoring
– Knowledge bases
Education and Guidance: Anti-Patterns
• “Email a link to OWASP” approach
– Site is www.owasp.org by the way
– OWASP is great, but…
• “I made you all a PowerPoint”
• “Cattle car” instructor-led training
• Fire and forget e-Learning
Education and Guidance: Better Patterns
• Informal approaches can have value
– But that is not a training program
– Best used to identify staff with a special interest in security
• e-Learning for everyone
– Make it part of their bonus or annual evaluation
• Instructor-led training for “mavens”
– Provide context, link to their roles and responsibilities
• Technology- and role-specific guidance
– Do not force developers to think
Where Do We Go From Here?
• Evaluate where you are
• Determine the next plateau you want to reach
• Make a plan to get there (that works for your organization)
Questions / Contact Information
Dan Cornell
Principal and CTO
[email protected]
Twitter @danielcornell
(210) 572-4400
www.denimgroup.com
blog.denimgroup.com