Information Security In Pakistan & Software Security As A Quality Aspect

Nahil Mahmood, Chairman, Pakistan Cyber Security Association (PCSA)

Software Quality [Includes Security]

LET'S OWN SECURITY!

Agenda

What is the global extent of the cybercrime market?

Where does Pakistan stand?

Information & Software Security – Challenges in PK

The Solution – Software Security Transformation

Software Security Benchmarks & Standards

Extent of Cybercrime & Cybercrime As A Service

Research-as-a-service

Crimeware-as-a-service

Cybercrime-infrastructure-as-a-service

Hacking-as-a-service

Where does Pakistan stand?

Legal

Technical

Organizational

Capacity building

Cooperation

Global Cybersecurity Index & Wellness Profile

Asia Pacific Region

South Asia Comparison

As per Microsoft report:

https://info.microsoft.com/rs/157-GQE-382/images/EN-MSFT-SCRTY-CNTNT-eBook-cybersecurity.pdf

Global Infection Heatmap

https://info.microsoft.com/rs/157-GQE-382/images/EN-MSFT-SCRTY-CNTNT-eBook-cybersecurity.pdf

Information & Software Security Challenges in Pakistan

Cyber Security Survey Results

Survey Question | Yes | No
Formal information security policy signed off by Board/Steering Committee? | 7 | 3
Separate department for Information Security with a Head of Infosec / CISO? | 6 | 4
Internal vulnerability management program (VM) and appropriate tools for VM? | 3 | 7
Independent security assessment by a 3rd party in the last 6 months? | 1 | 9
Penetration testing by a 3rd party in the last 6 months? | 3 | 7
Security hardening benchmark such as CIS/DISA/OWASP for IT assets hardening? | 1 | 9
Security awareness program and testing mechanism for IT staff? | 2 | 8
Implemented global security framework such as ISO27001:2013 or PCI? | 1 | 9
Cooperative culture among depts such as IT/Risk/InfoSec/Audit/Compliance? | 1 | 9
Process oriented culture for IT and Information Security? | 2 | 8
Formal process for InfoSecurity team to conduct security accreditation? | 4 | 6
For in-house software development, is security well-embedded in the SDLC? | 2 | 8
Organization demonstrates management commitment? | 2 | 8
InfoSec staff is at least 15-20% of IT staff? | 1 | 9
Do you have a formal incident management and change management process? | 2 | 8

AVERAGE SCORE = 2.5/10

Information Security: Ground Realities

IT

InfoSec

Compliance

Risk

Audit

IT Challenges Summary

IT is complex and difficult to manage

IT under pressure from business groups

Lack of sufficient (competent) resources

Lack of process culture

IT IS CLEARLY NOT ALIGNED TO PERFORM DILIGENT SECURITY WORK

Information Security Challenges

Silos and lack of coherent Information Security ownership

A lot of time and energy wasted in traversing departmental boundaries

Information Security is tough work – enabling environment missing

Fundamental security hardening of IT assets (including software) “in the trenches” is glaringly absent

Industry Characteristics

Wavering management commitment

“Superficial dressing” security

Reactive to regulator, audit/compliance, or international customer mandate

Security hardening remains largely “untouched”

Industry in denial

Security

Network

Systems (OS)

DB

Application

Physical

Mobile

The Solution – Software Security Transformation

Building Security Into The SDLC

Design Flaws

1. Educate personnel on software security

https://www.synopsys.com/blogs/software-security/infuse-security-into-your-software-development-life-cycle/

SDLC Phase: Requirements Gathering

TRAINING

2. Formally assign responsibility for software security

SDLC Phase: Requirements Gathering

SOFTWARE SECURITY GROUP (SSG)

3. Perform security-focused requirements gathering

SDLC Phase: Requirements Gathering

-ABUSE CASES

-INITIAL RISK ANALYSIS

Abuse Cases

4. Establish comprehensive risk management process

SDLC Phase: Requirements Gathering

-IDENTIFY MAJOR RISKS & EXECUTE A MITIGATION PLAN

-ENSURE PROPER SECURITY DESIGN

5. Perform architecture reviews & threat modelling

SDLC Phase: Design

ARCHITECTURE RISK ANALYSIS

1. Analyzing fundamental design principles

2. Assessing the attack surface

3. Enumerating various threat agents

4. Identifying weaknesses and gaps in security controls

6. Carry out code reviews during implementation

SDLC Phase: Implementation

-ABUSE & MISUSE CASES

-INITIAL RISK ANALYSIS

7. Execute test plans and perform penetration tests

SDLC Phase: Verification

-Malformed input handling

-Business logic flaws

-Authentication/authorization bypass attempts

-Overall security posture

8. Deploy software product

SDLC Phase: Deployment/Maintenance

-Deployment plan

-Change management plan

-Roll-back plan

-DR & IR plans

Software Security Benchmarks & Standards

OWASP Source Code Flaws – Top 10

OWASP PROJECTS

32 WORKING GROUPS

SECURITY, TRUST & ASSURANCE REGISTRY (STAR)

CSA STAR is the industry’s most powerful program for security assurance in the cloud. STAR encompasses key principles of transparency, rigorous auditing, harmonization of standards, with continuous monitoring also available in late 2015. STAR certification provides multiple benefits, including indications of best practices and validation of security posture of cloud offerings.

CLOUD CONTROLS MATRIX (CCM)

Other Security Benchmarks & Standards

Conclusion

Security implementation is generally weak in Pakistan’s IT sector

Security is hard work, and requires cooperation from all stakeholders

Security should be linked with annual performance appraisals for best results

For software security, build security into all phases of the sec-SDLC

QA departments must offer an integrated QA+Security quality gate for developers

The software security ecosystem should be addressed by improving software security awareness and training in universities & industry

Role of Pakistan Cyber Security Association (PCSA)

Software Quality [Includes Security]

LET'S OWN SECURITY!

Thank you

Questions?