![Page 1: Secure SDLC: The Good, The Bad, and The Ugly - OWASP · 2020-01-17 · Secure SDLC: The Good, The Bad, and The Ugly. Joey Peloquin, Director, Application Security. FishNet Security](https://reader034.vdocuments.net/reader034/viewer/2022042223/5ec99d9181fedd21814d8772/html5/thumbnails/1.jpg)
Secure SDLC: The Good, The Bad, and The Ugly
Joey Peloquin, Director, Application Security
FishNet Security
Agenda
• Secure Development Programs
– The Good, The Bad, and The Ugly
• QSA Perspectives
– Application Security in a PCI World
• Secure SDLC
– The Essential Elements & Where to Start
• Post-Mortem
– A Flawed “AppSec” Program Made Right
• Q & A
Secure Development Programs
The Good
• Top-Down Support
• Clearly Defined Processes
• Focus on Training and Education
• Security is a Function of Quality Management
• Properly Leveraging Technology
• Third-party Partnerships
• Go / No-Go Authority
• Working Smarter, Not Harder
The Bad
• Insufficient Support from Management
• Reactive Security Posture
• Check-the-box Mentality
• Insufficient Vulnerability Management
• No Developer Training
• Lack of Application Security Awareness
• Insufficient Standardization
• Development Silos
The Ugly
• Complete Lack of Management Support
• Devoid of Security Awareness
• “Wow, there’s organizations devoted to Application Security that offer free information, tools, and standards?”
• Complete Lack of Vulnerability Management
• Little Standardization
• No Quality Management
• Pattern of Denial
QSA Perspectives
“I’m concerned that as long as the payment card industry is writing the standards, we’ll never see a more secure system. We in Congress must consider whether we can continue to rely on industry-created standards, particularly if they’re inadequate to address the ongoing threat.”
– Rep. Bennie Thompson
Elements of a PCI Compliant Program
• Security Throughout the Lifecycle
– Requirements, checkpoints, accreditation, testing
– What a QSA commonly finds instead: no concept of OWASP, inability to examine code for common defects, no peer reviews, etc.
• Well-documented and Maintained SDLC
– I’m from Missouri… (the Show-Me State: the QSA wants to see the documentation, not hear about it)
• Knowledgeable Developers
– Coding examples, processes
• Peer Reviews
– Someone other than the dev; examine comments
Um, sorry, that is not compliant…
• Homegrown Encryption
– Use publicly available, commercial or open-source cryptography instead
• Code Reviews
– No, you can’t review your own…
• Look at the Pretty WAF!
– Yes, it has to actually be configured to block (not detect-only), /sigh
• “We have a WAF, so we don’t need to fix our code.”
• “Our IPS can totally block SQLi and XSS!”
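Why the last two quotes are wrong in practice, as an added example that is not from the original slides or from FishNet: a signature-based WAF/IPS only stops the payloads it has rules for, while a bound parameter stops the whole class. The `cards` table, the two lookup functions and the signature list (`WAF_SIGNATURES`, `naive_waf`) are all constructed here for illustration and do not represent any real product’s rule set.

```python
"""Added example (not from the original slides or from FishNet): why "we have a
WAF/IPS, so we don't need to fix our code" fails.

The cards table, the two lookup functions and the hypothetical signature list
(WAF_SIGNATURES / naive_waf) are all constructed here for illustration.
"""
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: three card holders with the last four PAN digits."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cards (id INTEGER PRIMARY KEY, holder TEXT, pan_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO cards (holder, pan_last4) VALUES (?, ?)",
        [("alice", "1111"), ("bob", "2222"), ("carol", "3333")],
    )
    conn.commit()
    return conn


# Hypothetical signature list standing in for a WAF/IPS rule set. It catches the
# textbook payloads a scanner emits and nothing else, which is typical of a
# bolt-on control that was never tuned to the application behind it.
WAF_SIGNATURES = [
    re.compile(r"'\s*or\s*'?1'?\s*=\s*'?1", re.IGNORECASE),  # ' OR '1'='1
    re.compile(r"union\s+select", re.IGNORECASE),            # UNION SELECT ...
    re.compile(r"--"),                                       # SQL comment tail
]


def naive_waf(value: str) -> bool:
    """True when the signature list would block this parameter value."""
    return any(sig.search(value) for sig in WAF_SIGNATURES)


def lookup_vulnerable(conn: sqlite3.Connection, holder: str) -> list:
    """The defect the slide is about: SQL assembled by string concatenation."""
    sql = "SELECT holder, pan_last4 FROM cards WHERE holder = '" + holder + "'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, holder: str) -> list:
    """The code fix: a bound parameter, so the input is data, never SQL."""
    return conn.execute(
        "SELECT holder, pan_last4 FROM cards WHERE holder = ?", (holder,)
    ).fetchall()


def demo() -> dict:
    """Run both lookups behind the toy WAF with a textbook payload and a trivial variant."""
    conn = build_db()
    textbook = "' OR '1'='1"   # the payload every signature list knows
    variant = "' OR 'a'='a"    # same logic, different literal: not in the list
    return {
        "textbook_blocked": naive_waf(textbook),
        "variant_blocked": naive_waf(variant),
        # Unblocked variant against the concatenating code dumps every row.
        "variant_vs_vulnerable": len(lookup_vulnerable(conn, variant)),
        # Same variant against the parameterized code matches no holder.
        "variant_vs_fixed": len(lookup_fixed(conn, variant)),
        # Normal use of the fixed code still works.
        "legit_vs_fixed": lookup_fixed(conn, "bob"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the textbook payload blocked, the one-character variant passing the signature check and returning all three rows from the concatenating code, and the same variant returning nothing from the parameterized code. The WAF is still worth deploying (in blocking mode, with logs, as the 6.6 evidence list below expects), but only as a compensating layer over code that has been fixed.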
PCI DSS Requirement 6.6 Compliance (evidence a QSA will ask for)
WAF
– Network diagrams
– Configuration
– Logging
Code Reviews
– Documented policy, process, methodologies
– Reports
– Internal or third-party?
– Tester’s role
– Tester’s credentials
Secure SDLC
Essential Elements
• Executive Champion
• Mid-level Support
• Support of The Business
• People
• Process
• Technology
• …and unfortunately:
– Time & Money help a great deal
Where to Start?
• Assess your current maturity level
• Identify Business and Security Objectives
• Plan your work and work your plan!
• Document your approach
– Who, what, when, where, how?
• Dr. Gary McGraw’s Touchpoints (Building Security In):
– Code Reviews (Static Analysis)
– Risk Analysis
– Skills Assessment and Training
– Penetration Testing (Dynamic Analysis)
Scale of Maturity

Sustained Maturity
• Centralized People, Processes and Technology
• Application security integrated seamlessly into quality lifecycle, becoming third pillar
• Application security team has Enterprise influence
• Security addressed throughout SDLC and applied retroactively to legacy applications

Security Fitness
• Security baked into SDLC, discussed during design phase
• Security checkpoints defined and enforced
• Centralized, reusable resources for developers
• Centralized testing and remediation tracking
• Development mentors identified and trained

Proactive Security
• Champion and stakeholders identified
• Policies, standards & processes established
• Tools evaluated and purchased
• Automated and manual internal testing
• Developer training and awareness

Reactive Security
• Standards-based internal processes lead to a basic level of awareness
• Some manual testing, looking into automation
• Recognize need for application security, but don’t know where to start

Security Unaware
• No documented Application Security practices
• No internal testing, merely annual penetration test
• No application security awareness or developer training

(Chart axes: maturity increases from Security Unaware up to Sustained Maturity, and overall development cost decreases along the same axis.)
Post-Mortem: A Flawed Attempt at Building Security In…
Mistakes / Issues (Opportunities?!)
• Lost executive champion
• Lack of mid-level support
• Staff Reorganization
• No business support
• No defined processes
• Not enough expertise
• Development silos
• Shelfware
Putting the Pieces Back Together
• Educate The Business
• Security Requirements
• Define Standards
• Define Processes
• Development Mentors
• HP AMP (Assessment Management Platform) – SaaS
• Offensive Security
– License to Pen-test
Joey Peloquin, CSSLP, GCIH
Director, Application Security
972.788.7206 (O)
214.909.0763 (M)