Implementation Patterns for Software Security Programs
Posted 19-Oct-2014

Description: Every organization’s software security program implementation is different, but patterns exist that provide guidance to those planning their program rollouts. This presentation covers several aspects of this process, including the “ownership” of the software security program as well as the implementation of static code analysis, dynamic application testing and developer security education.

Transcript
© Copyright 2013 Denim Group - All Rights Reserved
Implementation Patterns for Software Security Programs
Dan Cornell
@danielcornell
Denim Group Background
• Professional services firm that builds & secures enterprise applications
  – External application assessments: web, mobile, and cloud
  – Software development lifecycle (SDLC) consulting
  – Classroom and e-Learning for PCI compliance
• Secure development services:
  – Secure .NET and Java application development
  – Post-assessment remediation
• Deep penetration in Energy, Financial Services, Banking, Insurance, Healthcare and Defense market sectors
• Customer base spans Fortune 500
• Contributes to industry best practices through the Open Web Application Security Project (OWASP)
Dan Cornell
• Dan Cornell, founder and CTO of Denim Group
• Software developer by background (Java, .NET, etc.)
• OWASP San Antonio
• 15 years experience in software architecture, development and security
• Heads Denim Group’s application security team
Agenda
• What Makes a Successful Software Security Program?
  – Key commonalities
• Software Security Program Implementations
  – Approaches
  – Customization
  – Considerations
• Three Example Program Activities
  – Security Testing
  – Code Review
  – Education and Guidance
• Selecting What Works for your Organization
Successful Software Security Programs
• Common Goal
  – Reduce Risk by…
  – Reliably Creating Acceptably Secure Software
• Obligatory “People, Process, Technology” Reference
  – Anybody got a good Sun Tzu quote?
  – I’d settle for a von Clausewitz…
• Common Activities
  – Implementation must be tied to the specific organization
Software Assurance Maturity Model (OpenSAMM)
• Open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization
• Useful for:
  – Evaluating an organization’s existing software security practices
  – Building a balanced software security program in well-defined iterations
  – Demonstrating concrete improvements to a security assurance program
  – Defining and measuring security-related activities within an organization
• Main website:
  – http://www.opensamm.org/
SAMM Business Functions
• Start with the core activities tied to any organization performing software development
• Named generically, but should resonate with any developer or manager
This slide content © Pravir Chandra
SAMM Security Practices
• From each of the Business Functions, three Security Practices are defined
• The Security Practices cover all areas relevant to software security assurance
• Each one is a ‘silo’ for improvement
This slide content © Pravir Chandra
Check Out This One...
This slide content © Pravir Chandra
Program Implementation
• Approaches
• Customization
• Considerations
Approaches
• Automated vs. Manual
• Depth-First vs. Breadth-First
• Centralized vs. Distributed
• Top-Down vs. Bottom-Up
• SaaS vs. On-Premise
• In-House vs. Outsourced
• All of the Above (and More)
Organizational Fit
• Not “One Size Fits All”
  – What Are the Threats to Your Organization?
  – How Much of an Executive Mandate Do You Have?
  – How Much Risk Are You Willing (Or Going) to Bear?
• Differences Across Industries
  – Financial Services Firms Do This Differently Than Energy Sector
  – Different Threats, Different Regulatory Environment
• Differences Within Industries
  – Oilfield Services versus Mid-majors
  – Banks versus Credit Unions
[Chart: Total Assets for Top Holding Companies. Bar chart of the 20 largest bank holding companies, ranked 1–20: JPMorgan Chase, Bank of America, Citigroup, Wells Fargo, Goldman Sachs Group, MetLife, Morgan Stanley, U.S. Bancorp, Bank of New York Mellon, HSBC, PNC Financial Services Group, Capital One, TD Bank, State Street Corporation, Ally Financial, BB&T Corporation, SunTrust Banks, Principal Financial Group, American Express, Ameriprise Financial. Vertical axis: $0 to $2,500,000,000 in steps of $500,000,000 (units as labelled on the slide). Shown to illustrate the preceding slide’s point about differences within a single industry.]
Considerations
• Raw Budget Constraints
• Organizational Structure
• Regulatory and Compliance Mandates
• Culture and Risk Appetite
• Leadership Buy-in
Patterns and Anti-Patterns
• Every Organization is Different
  – But there are commonalities
• Similar approaches
  – Some good
  – Some … less good
• Do you know the “right” thing to do?
• Are you doing it?
  – If not – why not?
Example Program Activities
• Take Three Common Activities from OpenSAMM
  – Security Testing
  – Code Review
  – Education and Guidance
Examples of Activities
• Security Testing
  – Recurring dynamic scanning
  – Manual penetration tests
• Code Review
  – Automated static analysis
  – Manual security code review
• Education and Guidance
  – Instructor-led training for developers
  – e-Learning
  – Develop and publish “Top 10” list for developers
Security Testing
• Also known as “black box testing” and “penetration testing”
• Testing the security of a running system
  – Automated scanners help
  – But don’t forget the manual component
• As with any testing activity
  – How frequently?
  – How thorough?
Security Testing: Anti-Patterns
• “Dude with a scanner” approach
  – Can also be implemented as the “lady with a scanner” approach
• “SaaS and forget” approach
Security Testing: Better Patterns
• Deep Assessment of Critical Applications
  – Automated scanning, manual scan review and assessment
• Breadth-First Scanning
  – You want a scanning program, not a scanner
• Understand that security testing is a means to an end
  – Not an end in and of itself
  – Start of vulnerability management
Code Review
• Also known as “static analysis”
• Again – scanners are great, but manual review and assessment are required for depth
• Code review can be (is) complicated
  – Often more so than dynamic security testing
  – Clean scans, false positives, prioritization…
Code Review: Anti-Patterns
• “Dude with a scanner” approach (redux)
  – Can still be implemented as the “lady with a scanner” approach
  – Even worse for code review because source code (or binary) access is required
• “I’m sure the developers are taking care of this”
  – “They’re using [FindBugs|PMD|XYZ tool]”
Code Review: Better Patterns
• Key Questions:
  – Who runs the scan?
  – What do you do with the results?
• Centralized Code Review Group
  – Helps if you have a mandate and/or the ability to block applications from production
• Deploy to Developer Desktops
  – Can be great for certain organizations, but…
  – Many potential pitfalls and hidden costs here
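The “start of vulnerability management” point under Security Testing and the “what do you do with the results?” question above come down to the same thing: scanner output has to become tracked state, not a report. The following is an added example (my code, not the presentation’s or Denim Group’s) of the minimum a scanning program needs beyond a scanner: a stable fingerprint per finding, reconciliation of each run against the previous one, a reviewer-maintained false-positive list, and a prioritized queue. The scanner record format, the severity scale and the application criticality tiers are assumptions, and the two weekly scan results are constructed.

```python
"""Treat scan output as the start of vulnerability management, not the end.

Added example (not from the presentation). The scanner record format, the
severity scale and the application criticality tiers are all assumptions;
adapt normalize() to whatever your DAST/SAST tools actually emit.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}
APP_CRITICALITY = {"online-banking": 3, "marketing-site": 1}  # assumed business tiers


@dataclass(frozen=True)
class Finding:
    app: str         # application the scan targeted
    vuln_type: str   # scanner's class of issue, e.g. "sqli", "xss"
    location: str    # URL path (dynamic scan) or source file (static scan)
    parameter: str   # parameter / variable involved, "" if none
    severity: str    # lower-cased scanner severity

    def key(self) -> str:
        """Stable fingerprint so the same bug is recognized across runs and tools,
        regardless of the per-run ids or casing a scanner assigns."""
        return "|".join((self.app, self.vuln_type.lower(), self.location, self.parameter))


def normalize(raw: Iterable[dict], app: str) -> List[Finding]:
    """Map one scanner's records onto the common Finding shape (field names assumed)."""
    return [
        Finding(app=app, vuln_type=r["type"], location=r["location"],
                parameter=r.get("param", ""), severity=r.get("severity", "medium").lower())
        for r in raw
    ]


def reconcile(previous: Iterable[Finding], current: Iterable[Finding],
              suppressed: Set[str]) -> Dict[str, List[Finding]]:
    """Split this run's findings into new / recurring / resolved relative to the
    prior run, dropping fingerprints a reviewer already triaged as false positives."""
    prev = {f.key(): f for f in previous if f.key() not in suppressed}
    cur = {f.key(): f for f in current if f.key() not in suppressed}
    return {
        "new": [f for k, f in cur.items() if k not in prev],
        "recurring": [f for k, f in cur.items() if k in prev],
        "resolved": [f for k, f in prev.items() if k not in cur],
    }


def prioritize(findings: Iterable[Finding],
               criticality: Dict[str, int] = APP_CRITICALITY) -> List[Finding]:
    """Order the open queue: severity first, then how critical the application is."""
    return sorted(findings,
                  key=lambda f: (SEVERITY_RANK.get(f.severity, 0), criticality.get(f.app, 1)),
                  reverse=True)


# Constructed sample output from two weekly scans (not real scan data).
LAST_WEEK = {
    "online-banking": [
        {"type": "SQLi", "location": "/account/search", "param": "q", "severity": "High"},
        {"type": "XSS", "location": "/help", "param": "topic", "severity": "Medium"},
    ],
    "marketing-site": [
        {"type": "XSS", "location": "/contact", "param": "name", "severity": "Medium"},
    ],
}
THIS_WEEK = {
    "online-banking": [
        {"type": "sqli", "location": "/account/search", "param": "q", "severity": "high"},
        {"type": "Missing-HttpOnly", "location": "/login", "severity": "Low"},
    ],
    "marketing-site": [
        {"type": "XSS", "location": "/contact", "param": "name", "severity": "Medium"},
        {"type": "XSS", "location": "/blog", "param": "search", "severity": "Medium"},
    ],
}
# Fingerprints a reviewer has marked as false positives after manual scan review.
SUPPRESSED = {"marketing-site|xss|/contact|name"}


def run_program(last: Dict[str, list], this: Dict[str, list],
                suppressed: Set[str] = SUPPRESSED) -> Tuple[Dict[str, List[Finding]], List[Finding]]:
    """One cycle of the scanning program: normalize, reconcile, prioritize."""
    previous = [f for app, raw in last.items() for f in normalize(raw, app)]
    current = [f for app, raw in this.items() for f in normalize(raw, app)]
    status = reconcile(previous, current, suppressed)
    queue = prioritize(status["new"] + status["recurring"])
    return status, queue


if __name__ == "__main__":
    status, queue = run_program(LAST_WEEK, THIS_WEEK)
    for bucket in ("new", "recurring", "resolved"):
        print(bucket, [(f.app, f.vuln_type, f.location) for f in status[bucket]])
    print("work queue:", [(f.app, f.vuln_type, f.severity) for f in queue])
```

The fingerprint is what separates a scanning program from a scanner: without it every run reopens every finding, and a false-positive list has nothing stable to attach to. The scheme is deliberately simple, so a refactor that moves an endpoint or renames a parameter makes a recurring finding look new; that is the point at which the manual scan review the slides call for earns its keep.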
Education and Guidance
• It is really hard to hold developers to a standard if you have not communicated that standard to them and provided guidance on how they can meet it
  – Only fair…
• Can take a variety of forms
  – Instructor-led training (ILT)
  – e-Learning
  – Lunch and learns
  – Mentoring
  – Knowledge bases
Education and Guidance: Anti-Patterns
• “Email a link to OWASP” approach
  – Site is www.owasp.org by the way
  – OWASP is great, but…
• “I made you all a PowerPoint”
• “Cattle car” instructor-led training
• Fire-and-forget e-Learning
Education and Guidance: Better Patterns
• Informal approaches can have value
  – But that is not a training program
  – Best used to identify staff with a special interest in security
• e-Learning for everyone
  – Make it part of their bonus or annual evaluation
• Instructor-led training for “mavens”
  – Provide context, link to their roles and responsibilities
• Technology- and role-specific guidance
  – Do not force developers to think
Where Do We Go From Here?
• Evaluate where you are
• Determine the next plateau you want to reach
• Make a plan to get there (that works for your organization)
Questions / Contact Information
Dan Cornell, Principal and CTO
[email protected]
Twitter: @danielcornell
(210) 572-4400
www.denimgroup.com
blog.denimgroup.com