Secure_Development_ISSA_v4


Transcript of Secure_Development_ISSA_v4

Page 1: Secure_Development_ISSA_v4

Secure Development

Steven C. Markey, MSIS, PMP, CISSP, CIPP, CISM, CISA, STS-EV, CCSK, CompTIA Cloud+

Principal, nControl, LLC
Adjunct Professor

Page 2: Secure_Development_ISSA_v4

• Presentation Overview
  – Application Security (AppSec) Driver(s)
  – Textbook
    – Processes (SDLC, SDL, STRIDE, DREAD)
    – People (InfoSec Staff, Developer Training)
    – Tools (Scanners, Policies & Standards)
    – Procuring Secure Applications
  – Real World
    – 10 Commandments for AppSec
    – AppSec Use Cases


Page 3: Secure_Development_ISSA_v4

• AppSec Drivers
  – Risk Management
  – Compliance
  – Revenue/Costs


Page 4: Secure_Development_ISSA_v4

• Risk Management
  – One of Many Risks
    – Operational Risk
    – Financial Risk
    – Reputational Risk
  – Transfer from Network Security to AppSec


Page 5: Secure_Development_ISSA_v4

Source: OWASP


Page 6: Secure_Development_ISSA_v4

Source: ISC2


Page 7: Secure_Development_ISSA_v4

• Compliance
  – Specific
    – PCI DSS 6.6
  – Vague
    – SOX
    – HIPAA
    – FISMA/FIPS
    – NERC/FERC
    – FDA 21 CFR Part 11/ERES


Page 8: Secure_Development_ISSA_v4

• Revenue/Costs
  – Value-Add
  – Key Differentiator
  – Precursor to 3rd Party Accreditation
  – ICSA Labs


Page 9: Secure_Development_ISSA_v4

Source: KLP Consulting

Page 10: Secure_Development_ISSA_v4

• AppSec Programs
  – Architecture + Threat & Vulnerability Management (TVM)
  – Enterprise Architecture (EA)
    – Enterprise Security Architecture (ESA)
    – Sherwood Applied Biz Security Arch (SABSA)
    – The Open Group Arch Framework (TOGAF)
    – Jericho Model
  – AppSec Maturity Models
    – Building Security In Maturity Model (BSIMM)
    – OWASP’s Software Assurance Maturity Model (SAMM)


Page 11: Secure_Development_ISSA_v4


Source: NYSE Euronext

Page 12: Secure_Development_ISSA_v4

Source: NYSE Euronext

Page 13: Secure_Development_ISSA_v4

Source: NYSE Euronext

Page 14: Secure_Development_ISSA_v4

Source: NYSE Euronext

Page 15: Secure_Development_ISSA_v4

Source: NYSE Euronext

Page 16: Secure_Development_ISSA_v4

Source: NYSE Euronext

Page 17: Secure_Development_ISSA_v4
Page 18: Secure_Development_ISSA_v4

Source: Mountain Goat Software

Page 19: Secure_Development_ISSA_v4
Page 20: Secure_Development_ISSA_v4

Source: Microsoft


Page 21: Secure_Development_ISSA_v4

Source: Microsoft


Page 22: Secure_Development_ISSA_v4


Page 23: Secure_Development_ISSA_v4


Page 24: Secure_Development_ISSA_v4

Source: Microsoft

Page 25: Secure_Development_ISSA_v4

Source: Microsoft


Page 26: Secure_Development_ISSA_v4

Source: Microsoft

Page 27: Secure_Development_ISSA_v4

• Training
  – Know Stakeholders
    – Project Managers
    – Development Managers
  – Tailor to Development Team
  – Use an Iterative Model
  – Incorporate Train the Trainer
  – Reinforce Training with Formal / Informal Incentives


Page 28: Secure_Development_ISSA_v4

• Scanners
  – Static Application Security Testing (SAST)
  – Dynamic Application Security Testing (DAST)
  – AppSec Pen Testing
  – Supplemental Tools
    – Fuzzing, Tracing, Scanning, Sniffing
  – IDEs
    – Proxies / Gateways
    – Firewalls (WAFs, DbFs / DAM, XML)
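The SAST entry above refers to tools that inspect source code without executing it. The following is an added example, not part of the presentation, showing the kind of rule such a scanner applies: it parses a constructed Python snippet into an abstract syntax tree and flags three sink patterns (eval/exec, subprocess with shell=True, SQL built by string concatenation). The rule names, the Finding class and SAMPLE_SOURCE are my own constructions, chosen to illustrate the technique rather than any particular product.

```python
"""Toy SAST rule set (added example). Walks the AST of a source string and
reports patterns a static scanner would flag. The sample source below is
constructed for the demonstration and is not from any real project."""
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    detail: str


def _call_name(func):
    """Flatten a call target such as subprocess.run or cur.execute to a dotted string."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        base = _call_name(func.value)
        return f"{base}.{func.attr}" if base else func.attr
    return ""


class SastVisitor(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        name = _call_name(node.func)
        # Rule 1: dynamic code evaluation builtins
        if name in ("eval", "exec"):
            self.findings.append(
                Finding("dangerous-builtin", node.lineno, f"{name}() on possibly untrusted input"))
        # Rule 2: subprocess invoked through a shell
        if name in ("subprocess.run", "subprocess.Popen", "subprocess.call"):
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.findings.append(Finding("shell-true", node.lineno, f"{name} with shell=True"))
        # Rule 3: SQL statement assembled by concatenation or f-string
        if name.endswith(".execute") and node.args:
            if isinstance(node.args[0], (ast.BinOp, ast.JoinedStr)):
                self.findings.append(
                    Finding("sql-concat", node.lineno, "SQL statement built by concatenation/f-string"))
        self.generic_visit(node)  # keep walking into nested calls


def scan_source(source):
    """Return findings for one source string, ordered by line number."""
    visitor = SastVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


# Constructed sample: three flagged lines (3, 5, 6) and one safe parameterised query (4).
SAMPLE_SOURCE = '''\
import subprocess
def lookup(cur, user_id, expr):
    cur.execute("SELECT * FROM users WHERE id = " + user_id)
    cur.execute("SELECT * FROM users WHERE id = %s", (user_id,))
    subprocess.run("ls " + user_id, shell=True)
    return eval(expr)
'''

if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(f"line {finding.line}: [{finding.rule}] {finding.detail}")
```

A real scanner adds data-flow tracking (is the concatenated value actually attacker-controlled?) and many more sinks, which is exactly why the slide pairs SAST with DAST and pen testing: the parameterised query on line 4 is recognised as safe here only because the rule is syntactic, and a runtime test would still be needed to confirm the behaviour.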


Page 29: Secure_Development_ISSA_v4

• Coding Conventions & Architectural Standards
  – Development Team Specific
  – Coding Enumeration
    – Error / Exception Handling
    – Input / Output Validation
    – Comments / Documentation
    – Session Management
    – Memory / Thread Management
    – PKI
    – IAM / IdM
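Two of the enumerated conventions, input validation and error/exception handling, are shown below in an added example that is not from the presentation. A boundary handler allow-lists the request fields, enforces type and range, and on an internal failure logs the detail under a reference id while returning only a generic message. The transfer request shape, the account-id format and the FakeDb stand-in are constructed for the demonstration.

```python
"""Added example of a coding convention for input validation and exception
handling at a request boundary. Request shape, account-id format and FakeDb
are constructed for the demonstration."""
import logging
import re
import uuid

log = logging.getLogger("appsec.example")

_ACCOUNT_RE = re.compile(r"^[A-Z]{2}\d{6}$")  # constructed account-id format


class ValidationError(ValueError):
    """Raised for client-caused input problems; safe to echo back."""


def validate_transfer(params):
    """Return a cleaned copy of params or raise ValidationError.
    Unknown keys are rejected (allow-list), types and ranges are enforced."""
    allowed = {"from_account", "to_account", "amount_cents"}
    extra = set(params) - allowed
    if extra:
        raise ValidationError(f"unexpected field(s): {sorted(extra)}")
    missing = allowed - set(params)
    if missing:
        raise ValidationError(f"missing field(s): {sorted(missing)}")
    for key in ("from_account", "to_account"):
        value = params[key]
        if not isinstance(value, str) or not _ACCOUNT_RE.match(value):
            raise ValidationError(f"{key} has invalid format")
    amount = params["amount_cents"]
    # bool is a subclass of int in Python, so reject it explicitly
    if isinstance(amount, bool) or not isinstance(amount, int):
        raise ValidationError("amount_cents must be an integer")
    if not 0 < amount <= 100_000_000:
        raise ValidationError("amount_cents out of range")
    return {"from_account": params["from_account"],
            "to_account": params["to_account"],
            "amount_cents": amount}


class FakeDb:
    """Constructed stand-in for a data layer; fails the way a driver might,
    with internal detail (table, host) in the message."""

    def transfer(self, src, dst, cents):
        if src == dst:
            raise RuntimeError("constraint violation: src==dst on table transfers (host db01)")
        return {"status": "ok", "id": "txn-0001"}


def handle_transfer(params, db):
    """Return (http_status, body). Validation failures go back to the caller
    with a field-level message; internal failures are logged with a reference
    id and only that id is returned, so stack traces, hostnames and SQL
    fragments never reach the client."""
    try:
        clean = validate_transfer(params)
    except ValidationError as exc:
        return 400, {"error": str(exc)}
    try:
        result = db.transfer(clean["from_account"], clean["to_account"], clean["amount_cents"])
    except Exception:  # boundary handler: catch everything, log, mask
        ref = uuid.uuid4().hex[:12]
        log.exception("transfer failed (ref=%s)", ref)
        return 500, {"error": "internal error", "ref": ref}
    return 200, result


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(handle_transfer({"from_account": "AB123456", "to_account": "CD654321",
                           "amount_cents": 500}, FakeDb()))
    print(handle_transfer({"from_account": "AB123456", "to_account": "AB123456",
                           "amount_cents": 500}, FakeDb()))
```

The split between ValidationError (echoed to the client) and every other exception (logged, masked) is the point of the convention: the developer gets the full trace keyed by the reference id, and the client learns nothing about hosts, tables or drivers.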


Page 30: Secure_Development_ISSA_v4

• Coding Conventions & Architectural Standards
  – Architectural Enumeration
    – Thick / Thin
    – Internal / External
    – Transactional
    – Message / Information Delivery
    – Monitoring
    – SOA / Mobile / Cloud
    – App / Middleware
    – Database


Page 31: Secure_Development_ISSA_v4

• Coding Conventions & Architectural Standards
  – Architectural Enumeration Scenario
    – LAMP with Drupal
    – IAM via AD-based LDAP
    – Zend (PHP-based) Framework
    – Imperva DAM
    – Syslogd with ArcSight SIEM
    – DMZ w/ Load Balancing


Page 32: Secure_Development_ISSA_v4

• Procuring Secure Applications
  – Beware of Your Business Ecosystem
  – Weakest Link Mentality
  – Legal / SLA Verbiage
  – 3rd Party Reviews
    – ASP / Cloud / ISV
    – Mobile
    – COTS
    – Subsidiaries / Customers


Page 33: Secure_Development_ISSA_v4

• 10 AppSec Commandments
  1. Thou Shalt Execute AppSec at the Speed of Business
  2. Thou Shalt Not Architect Security
  3. Thou Shalt Evolve Your Testing Methodologies
  4. Thou Shalt Not Surprise Dev Teams
  5. Thou Shalt Test Apps in Production
  6. Thou Shalt Not Let Frameworks Replace Intelligence
  7. Thou Shalt Put Vulnerabilities in Proper Context
  8. Thou Shalt Not Give Dev Teams Access to Prod Data
  9. Thou Shalt Use a WAF/DAM with a Plan
  10. Thou Shalt Not Blame the Dev Team


Source: Dark Reading

Page 34: Secure_Development_ISSA_v4

• AppSec Use Cases
  – Strong SDLC & SDL Alignment
  – Socialize & Incentivize SDL Implementation
  – Embed AppSec SMEs in Dev Teams
  – Start on New Projects
  – Retrofit Legacy Apps / Systems as Time Permits
  – Iterative Improvement & Wins
  – No (Process / Tool) Silver Bullets


Page 35: Secure_Development_ISSA_v4

• Questions?
• Contact
  – Email: [email protected]
  – Twitter: @markes1
  – LI: http://www.linkedin.com/in/smarkey