Building an Organizational Application Security Competency. Dan Cornell, Denim Group, 4/24/09 | Session ID: PROF-401


Page 1

Building an Organizational Application Security Competency

Dan Cornell, Denim Group, 4/24/09 | Session ID: PROF-401

Page 2

Worst Class Kickoff … Ever

• Scenario: ½ day application security awareness class for all developers and architects

• Trainer: “What do you hope to get out of this class?”

• Student: “I’m only here because my boss made me come.”

• Trainer: “Amazing - me too!”

Page 3

Agenda

Imperative for Internal Security Competency

Who and What?

Training Options

Putting It Together

Page 4

Imperative for an Internal Security Competency

Page 5

Application Security Competency

• You Can’t Bolt It On – You’re Going to Have To Build It In

• State of the Industry

Page 6

You Can’t Bolt It On

• Security must be incorporated into the lifecycle

• Too expensive to fully outsource

• Must develop some degree of internal competency

Page 7

State of the Industry

• Computer Science programs typically do not address security issues

• Compliance regimes require developers to be trained in security – PCI being the most specific

Page 8

Who and What?

Page 9

Who and What?

• Who needs to learn about application security?

• What do they need to know?

Page 10

Who

• Executives

• Software Developers

• Quality Assurance

• Information Security

• IT Audit

Page 11

Executives

• Business impact

• Compliance implications

Page 12

Software Developers

• General background

• Security concepts

• Specific code and tool examples

Page 13

Quality Assurance

• Already good at breaking things

• Incorporate negative testing into their practices

Page 14

Information Security

• Often do not have modern software development backgrounds

• Threat modeling and other architectural approaches

Page 15

IT Audit

• Often lacking modern software development experience

• How to link audit requirements to recommended activities and results?

Page 16

Mapping Curriculum to Roles

Curriculum columns, left to right: Business Case, Introduction, Threat Modeling, Application Testing, Secure Coding

Ratings per role, in column order:

• Executives: CRITICAL, IMPORTANT, USEFUL

• Software Development: IMPORTANT, IMPORTANT, IMPORTANT, CRITICAL

• Quality Assurance: IMPORTANT, IMPORTANT, CRITICAL

• Information Security: IMPORTANT, IMPORTANT, IMPORTANT, IMPORTANT

• IT Audit: IMPORTANT, IMPORTANT, IMPORTANT, USEFUL

Page 17

Training Options

Page 18

Training Options

• Background Materials

• Instructor-Led

– Informal Seminars – “Lunch and Learn”

– Classroom Training

• eLearning

Page 19

Background Materials

• Create an environment where the curious can access the information they need

• OWASP: www.owasp.org

• WASC: www.webappsec.org

Page 20

Informal Seminars

• Internal presentations to target audiences

• “Lunch and Learn”

• Pros

– Inexpensive

– Great starting point

• Cons

– Often ad hoc

– Not comprehensive

Page 21

Classroom Training

• Formal classroom instruction

• Pros

– Can be hands-on

– Interaction with instructor is invaluable

• Cons

– Expensive and time-consuming

– Attrition

Page 22

eLearning

• Self-paced, delivered electronically

• Pros

– Logistics are easy

– Can be done as-needed

• Cons

– No interaction with instructors

Page 23

Putting It Together

Page 24

Approach

• Understand your requirements

• Set the stage

• Train

• Maintain

• Report

Page 25

Requirements

• Understand business goals and compliance requirements

• Enumerate software development groups and methodologies

Page 26

Set the Stage

• Goal is to create a security-conscious culture

– Makes maintenance much easier

• Provide background materials and informal training

– Seminars/Lunch and Learns

– Use this to identify mavens

Page 27

Mavens

• Highly-connected people

– The Tipping Point: Malcolm Gladwell

• Cultural leaders for development groups

• “Go-to” individuals, interested in security

Page 28

Educate

• Instructor-Led Training

– Mavens

– Architects and Team Leads

• eLearning

– All relevant parties

– Tailored curriculum to role

Page 29

Maintain

• Not a one-time activity

• Incrementally build a sustaining culture

• eLearning is invaluable here

• Training is not enough – must be linked to doing

Page 30

Report

• Track activity:

– Who was trained

– Training materials

• Proactive reporting helps with compliance

Page 31

Best Practices

Page 32

Curriculum Best Practices

• Language-specific materials are key

• Link to tools used in your organization

• Provide guidance on what is and is not acceptable

Page 33

Delivery Best Practices

• Demonstrate executive commitment

• Track success stories and use them to drive the culture

Page 34

Apply

• Send free materials provided by OWASP and WASC to developers

• Run a series of informal seminars to provide background information on application security

• Identify one person on each development team to act as the application security maven

• Run one or more instructor-led training classes for key development staff

• Provide eLearning to all development staff

Page 35

Questions

Dan Cornell

Email: [email protected]

Twitter: @danielcornell

Web: www.denimgroup.com

Blog: denimgroup.typepad.com

Facebook: www.denimgroup.com/facebook

Phone: (210) 572-4400

Page 36

Reference Materials

• OWASP Top 10

– http://www.owasp.org/index.php/OWASP_Top_Ten_Project

• OWASP Education Project

– http://www.owasp.org/index.php/Category:OWASP_Education_Project

• OWASP University Membership

– https://www.owasp.org/index.php/Membership