8/14/2019 Fortify Bjenkins App Sec Strategy 20070906
http://slidepdf.com/reader/full/fortify-bjenkins-app-sec-strategy-20070906 1/14
Application Security Strategy for Large Enterprise Systems
Major Bruce C Jenkins (USAF, Ret.)
San Antonio OWASP, 06 Sep 2007
Overview
Organizational Context
Getting Down to Business
Security Wake-up Call
Percent of Reported Air Force
that Targeted Applications
“75% of hacks occur at the application level …”
Dec 2005
Security Wake-up Call
May 2005: Air Force Assignment Management System (AMS) Compromise
user account
Initiated Password Reset
Downloaded personnel records
System Access Controls Complied with Published Guidance
Systems Development Profile
Program Management Offices: 50+
Software Developers: 600-900
Automated Information Systems: 120+
Programming Languages: 12+
Source Lines of Code: 40M+
Quick Fix Countermeasures
Activated 554 ELSW Crisis Action Team
Program Management Offices
Security Analysts
AFOSI Liaison to the AFNOSC-NOD
Review Password Reset Procedures*
Revalidate Privileges*
Review of System Audit Logs*
Reduce Concurrent Log Ons
*AFMAN 33-223 Requirements
Way Ahead: Securing the SDLC
Application Defense: Monitor, prevent and report on intrusion attempts against applications / databases (Security Ops Team)
Centralized Project Management: Vulnerability trend analysis and reporting; view multiple projects, all mission areas (PR Management)
Source Code Analysis (SCA): Proactive security with targeted, accurate analysis tuned for low false positives (Developers)
Application Virtualization: “Wrap” legacy apps in virtual environment for low-cost SDC compliance
Code Auditing: Security auditing and analysis of application’s entire code base (Security Leads / Auditors)
Penetration Testing: Scripted, controlled external probing of the application’s security features
Build Server: Black box integration testing and vulnerability analysis
Challenges and Assumptions
Challenges – Some you can change, most you cannot; however, if necessary, you can work around
Cultural
Financial
Political
Time Constraints (schedules)
Internal Policy
Personal
Assumptions
You have at least some resources
Overview
Organizational Context
Deployment Challenges and Assumptions
Getting Down to Business
Getting Down to Business
… misstep in the right direction.
Getting Down to Business
1. Determine the Strategic Objective
2. Deal with the Challenges
3. Identify your Champions… and your Detractors
4. Sell Hard to Key Leaders
5. Sell Soft to Developers
6. Target Early Successes
7. Conduct Lessons Learned
Take Baby Steps… but do something!
Data are just data—don’t be overwhelmed….
[Chart: Total Issues (bars, left axis 0–20,000) and Issues / 1K SLOC (line, right axis 0–30) per project, projects 1–8]
Questions?