isaca 2016 application security rgj


Post on 14-Feb-2017






Rene Jaspe, CISSP, CSSLP
Sinag Solutions, Founder and CISO
Phylasso Corp., Founder and Managing Director
MobKard, Co-Founder and CTO

13 years with Telos Corp., a US federal government defense contractor, serving various US defense and intelligence agencies as well as NATO allies.

10 years of software development and 5 years of application security background.

Previous assignment in Telos Corp.

The only practicing CSSLP and CISSP holder in the country.

Practicing CISSPs in the country.

2015: We Take It Very Seriously

IBM X-Force Threat Intelligence Report 2016

By January 2016, IBM X-Force had tracked 272 security incidents for 2015, on par with the 279 incidents tracked in 2014. In terms of total disclosed records, 2014 was notable for more than one billion records being leaked, while 2015 was down to a still staggering 600 million leaked records in incidents tracked by X-Force using public breach disclosures.

The color of each circle represents the technical means that was used to breach these organizations, based on what has been publicly made available. We made a rough estimate of the financial impact of each breach, which is represented by the size of the circle. You'll notice that in the latter half of the year many of the circles are grey, which means we don't know how that particular entity was breached. This leads to an important point. There are a lot of things that motivate organizations to publicly disclose that their security has been breached. But usually those things have to do with the privacy of personal information, and often the organizations don't take the time to disclose the technical problem that was exploited by the attacker. Having access to that information is valuable because it enables other organizations to prioritize the security work they are doing to make sure they address threats that have actually been used against other organizations. Many of these breaches were disclosed without that information, so unfortunately the information is less actionable for security professionals. We'd like to see more of that technical information brought to the forefront when possible.

HEALTHCARE, EDUCATION & FINANCIAL SERVICES LEAD GLOBALLY
Source: Ponemon Institute Research Report, 2016 Cost of Data Breach

Certain industries had higher data breach costs. Figure 4 reports the per capita costs for the consolidated sample by industry classification. Heavily regulated industries such as healthcare, education and financial organizations had a per capita data breach cost substantially above the overall mean of $158. Public sector, research and transportation organizations have a per capita cost well below the overall mean value.

Incident Pattern By Industry

Verizon 2016 Data Breach Investigations Report (DBIR)

The most interesting discovery in the breach-patterns-to-industry matrix was the rise of Web App Attacks across the board, but especially for financial services organizations (up from 31% in the 2015 DBIR). The next item that raised an eyebrow or two (or perhaps a unibrow) was the decline (down from 36% last year) in Crimeware, also in Finance. Is there anything to this? Actually, yes. This year, again thanks to the organizations involved in the Dridex takedown, we have even more data involving the reuse of stolen credentials. This caused the spike in the Web App Attack pattern, and if we removed these breaches, the numbers would be more in line with 2014.


Regulatory & Standards Compliance
eCommerce: PCI-DSS, PA-DSS
Financial Services: GLBA
Energy: NERC / FERC
Government: FISMA
PH: Data Privacy Act, BSP
81% of organizations subject to PCI had not been found compliant prior to the breach

Market Drivers

Use of MD5. 41% still use SHA-1. Of 519 certificates, only 2.5% were deployed in the last 90 days.

Application security challenges:
Security-development disconnect fails to prevent vulnerabilities in production applications
Developers lack security insights (or incentives to address security)
  Mandate to deliver functionality on time and on budget, but not to develop secure applications
  Developers rarely educated in secure coding practices
  Product innovation drives development of increasingly complicated applications
Security team = SDLC bottleneck
  Security tests executed just before launch
  Adds time and cost to fix vulnerabilities late in the process
Growing number of web applications but small security staff
  Most enterprises scan ~10% of all applications
  Continuous monitoring of production apps limited or non-existent
  Unidentified vulnerabilities & risk

3 Great Frameworks For Implementing an Enterprise Software Security Program (MOB)

Recommended frameworks to jumpstart or augment your existing SDLC.

Application Security Pros Hold These Truths to Be Self-Evident
Software security is more than a set of security functions.
  Not magic crypto fairy dust
  Not silver-bullet security mechanisms
Non-functional aspects of design are essential.
Bugs and flaws are 50/50.
Security is an emergent property of the entire system (just like quality).
To end up with secure software, deep integration with the SDLC is necessary.

Source: Cigital on BSIMM VI

Prescriptive vs. Descriptive Models

Prescriptive Models
Prescriptive models describe what you should do.
  OpenSAMM
  Microsoft SDL
Every company has a methodology they follow (often a hybrid).
You need an SSDL.

Descriptive Models
Descriptive models describe what is actually happening.
The BSIMM is a descriptive model that can be used to measure any number of prescriptive SSDLs.


Microsoft Security Development Lifecycle 5.2 (May 2012)


SDL for Agile

Every-Sprint practices: Essential security practices that should be performed in every release.
Bucket practices: Important security practices that must be completed on a regular basis but can be spread across multiple sprints during the project lifetime.
One-Time practices: Foundational security practices that must be established once at the start of every new Agile project.

Rene Jaspe (RJ) - SDL Practice #7: Use Threat Modeling

Applying a structured approach to threat scenarios during design helps a team identify security vulnerabilities more effectively and at lower cost, determine the risk posed by those threats, and establish appropriate mitigations.

When should this practice be implemented?
Traditional: Design Phase
Agile Development: Every Sprint


S - Spoofing
T - Tampering
R - Repudiation
I - Information Disclosure
D - Denial of Service
E - Elevation of Privilege

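As an added example (not from the slides), the STRIDE-per-element enumeration that the Microsoft SDL's threat modeling practice uses, applied to a constructed data-flow diagram of a web login. The category-to-element mapping (external entities: S, R; processes: all six; data flows: T, I, D; data stores: T, R, I, D) is the SDL's own chart; the element names, trust zones and flows are assumptions made here for illustration. Flows that cross a trust boundary are surfaced first, since that is where the design review should start.

```python
from dataclasses import dataclass

# Full names of the six STRIDE categories.
STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information Disclosure",
    "D": "Denial of Service",
    "E": "Elevation of Privilege",
}

# STRIDE-per-element (Microsoft SDL chart): which categories each DFD element
# type is subject to.
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TRID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                 # a key of APPLICABLE
    zone: str                 # trust zone the element lives in
    endpoints: tuple = ()     # data flows only: (source name, destination name)


def enumerate_threats(elements):
    """Expand a DFD into (element, STRIDE category) threat candidates.

    A data flow whose endpoints sit in different trust zones crosses a trust
    boundary; those candidates are flagged and sorted to the front.
    """
    by_name = {e.name: e for e in elements}
    threats = []
    for e in elements:
        if e.kind not in APPLICABLE:
            raise ValueError(f"{e.name}: unknown element kind {e.kind!r}")
        crosses = False
        if e.kind == "data_flow":
            try:
                src, dst = (by_name[n] for n in e.endpoints)
            except (KeyError, ValueError):
                raise ValueError(f"{e.name}: data flow needs two known endpoints") from None
            crosses = src.zone != dst.zone
        for letter in APPLICABLE[e.kind]:
            threats.append({
                "element": e.name,
                "kind": e.kind,
                "threat": STRIDE[letter],
                "crosses_trust_boundary": crosses,
            })
    # Stable sort: boundary-crossing candidates first, diagram order otherwise.
    threats.sort(key=lambda t: not t["crosses_trust_boundary"])
    return threats


# Constructed login DFD (hypothetical, for illustration): a browser on the
# internet talks to a login handler in the DMZ, which looks users up in an
# internal database. Each flow crosses one trust boundary.
LOGIN_DFD = [
    Element("Browser", "external_entity", "internet"),
    Element("Login Handler", "process", "dmz"),
    Element("User DB", "data_store", "internal"),
    Element("credentials", "data_flow", "internet", ("Browser", "Login Handler")),
    Element("user lookup", "data_flow", "dmz", ("Login Handler", "User DB")),
]

LOGIN_THREATS = enumerate_threats(LOGIN_DFD)


def threat_counts(threats):
    """Number of candidate threats per element, for the review checklist."""
    counts = {}
    for t in threats:
        counts[t["element"]] = counts.get(t["element"], 0) + 1
    return counts


if __name__ == "__main__":
    for t in LOGIN_THREATS:
        flag = "  <-- crosses trust boundary" if t["crosses_trust_boundary"] else ""
        print(f"{t['element']:<14} {t['kind']:<16} {t['threat']}{flag}")
    print(threat_counts(LOGIN_THREATS))
```

The five-element diagram yields 18 candidate threats; the six attached to the two boundary-crossing flows come out first. Each candidate is a question for the design review ("how is this flow tampered with, and what mitigates it?"), not a confirmed vulnerability; the value of the per-element chart is that it stops the team from forgetting whole categories for whole element types.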

OpenSAMM 1.1 (March 2016)

A guide to building security into software development



At the highest level, SAMM defines four critical Business Functions. Each Business Function (listed below) is a category of activities related to the nuts-and-bolts of software development, or stated another way, any organization involved with software development must fulfill each of these Business Functions to some degree. For each Business Function, SAMM defines three Security Practices. Each Security Practice (listed opposite) is an area of security-related activities that build assurance for the related Business Function. So overall, there are twelve Security Practices that are the independent silos for improvement that map underneath the Business Functions of software development. For each Security Practice, SAMM defines three Maturity Levels as Objectives. Each Level within a Security Practice is characterized by a successively more sophisticated Objective defined by specific activities and more stringent success metrics than the previous level. Additionally, each Security Practice can be improved independently, though related activities can lead to optimizations.


Sample: Construction




Due to the limited amount of expertise in-house at VirtualWare, the company engaged a third-party security consulting group to assist with the creation of the training program and with writing the threat modeling and strategic roadmap for the organization.


Cost: Phase 1 (Months 0-3) - Awareness & Planning

Implementation Costs
A significant amount of internal resources and costs were invested in this phase of the project. There were three different types of costs associated with this phase.
Internal Resource Requirements
Internal resource effort used in the creation of content, workshops and review of application security initiatives within this phase. Effort is shown in total days per role.


BSIMM 7 (October 2016)

The BSIMM is a measuring stick for software security. The best way to use the BSIMM is to compare and contrast your own initiative with the data about what other organizations are doing contained in the model. You can then identify goals and objectives of your own and refer to the BSIMM to determine which additional activities make sense for you. The BSIMM data show that high-maturity initiatives are well-rounded, carrying out numerous activities in all 12 of the practices described by the mo

