© 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.
Secure Product Lifecycle (SPLC) In Practice
Mohit Kalra | Senior Manager, Secure Software Engineering (Adobe)
Introduction
Senior Manager @ Adobe’s Secure Software Engineering Team (ASSET). I lead the proactive security efforts. @adobesecurity / @mohitkalra
Adobe’s Strategy
- Advancing state of the art for content
- Harnessing the power of data
- Driving digital transformation of industries
Adobe Cloud Platform (diagram): Adobe Document Cloud, Adobe Creative Cloud and Adobe Marketing Cloud on top of Adobe.io, core technologies, content and data, running on private, public or hybrid cloud.
Secure Product Lifecycle
Credit: http://www.cisco.com/c/en/us/about/security-center/security-programs/secure-development-lifecycle.html and https://technet.microsoft.com/en-us/security/gg622918.aspx
Does a diagram capture everything?
Secure Product Lifecycle (SPLC) is a set of processes designed to help product teams engineer secure software.
For our team, the approach to security is much more complex
Security is all about making choices
… and balance
Implementing security is about providing high ROI and business alignment
… while trying to fix the weak links
The challenges in this complex world.
A central security team’s challenge #1
Scaling the security work with a small team.
- Hiring skilled security professionals is difficult.
- Team needs to learn continuously.
- Time spent => high premium $$$.
A central security team’s challenge #2
A growing and diverse company product portfolio.
A central security team’s challenge #3
The business-critical products vs. the legacy applications.
The challenges for a security team (diagram): security team’s bandwidth, diverse technology, varying business criticality.
How can a security team overcome these challenges?
Security teams @ Adobe (diagram): ASSET (Adobe Secure Software Engineering Team); product teams (engineering, champions, researchers & PMs); products.
Establish the minimum bar
- Create a SPLC standard that the product teams need to follow
- Standardize the tool chain

SPLC baseline tasks for every team:
- Training
- Static analysis of code
- Security testing
- 3rd party component tracking
- Code reviews
- Security requirements review
- Threat modelling
- Review of high risk findings and sign-off
Security is a shared responsibility
Split and share responsibilities
Spend premium security skill mindshare where it matters.
SPLC tasks, each marked ✔ in one of the two ownership columns of the original table (product team ownership / central security team driven):
- Training ✔
- Static analysis of code ✔
- Security testing ✔
- 3rd party component tracking ✔
- Code reviews ✔
- Security requirements review ✔
- Threat modelling ✔
- Review of high risk findings and sign-off ✔
Set up product teams for security success with their security practices
Onboarding flow (diagram): onboard team; review product; gather intel; automation onboarding; train team; routine SPLC tasks.
The challenges for a security team (diagram): security team’s bandwidth, diverse technology, business criticality.
Implementing Security Measures for a wide technology spectrum
A product may be offered on one or many platforms.
Extend the baseline SPLC requirements
- Baseline SPLC
- Services SPLC
- Mobile SPLC
- Desktop SPLC
Extend the baseline SPLC requirements (web)
Extend the baseline SPLC requirements (mobile)
Extend the baseline SPLC requirements (desktop)
The challenges for a security team (diagram): security team’s bandwidth, diverse technology, business criticality.
Tune for business criticality
Factor in business criticality for a security engagement
Summary
We presented you with the real world experiences of running a SPLC program at Adobe.
At a minimum, a product should get access to a baseline SPLC guidance.
A SPLC program:
- Scales premium security bandwidth through shared responsibility.
- Evolves continuously as the company evolves and innovates.
- Is flexible and adapts to the business needs of an organization.