Using the Cloud and SaaS to Secure the SDLC

Andy Earle, HP/Fortify. PowerPoint presentation, 26 slides; posted 23-Mar-2016.

Page 1: Using the Cloud and SaaS to Secure the SDLC

Page 2: About Me

Andy Earle
• HP/Fortify – Security Solutions Architect / Presales Engineer
  – Sell, deliver solutions to commercial and US Fed
• Past
  – PM for High Assurance computer system at BAE
  – Mobile and App Security, multiple jobs
  – Software Engineer, multiple jobs

Page 3: Agenda

• Terms and Background
• Application Security (AppSec) Deployment Models
  – SaaS / Cloud (On Demand)
  – On-Premise
• AppSec Industry Evolution
  – Relevant Trends
  – Case for “Hybrid” Implementation
• Hybrid On-Premise / Cloud delivery of S-SDLC

Page 4: Terms and Background

• Terms
  – SaaS: Software as a Service
  – SDLC: Software Development Lifecycle
  – SSA: Software Security Assurance
• Background
  – Focus is static analysis, but many of the concepts apply to dynamic analysis as well
  – SaaS and (public) cloud are treated as somewhat interchangeable for this session
  – Caveat: there is a lot of variety among vendors' offerings; many of my statements are necessarily generalities

Page 5: APPSEC DEPLOYMENT MODELS

Page 6: What is SaaS?

Software as a Service (SaaS), or Security as a Service in the AppSec world
• SaaS is a delivery model where software, data and services are hosted in the cloud and delivered on demand
• Application Security SaaS offerings include
  – Static, dynamic, and manual analyses
  – Expert review and prioritization of results
  – Various delivery offerings (web interface, reports, artifacts that integrate with onsite infrastructure)

Page 7: AppSec via SaaS

Diagram: the Dev Org and its Stakeholders interact with a SaaS Web Portal; behind the portal sit the Analysis engine and an AppSec SME who reviews and triages results.

SaaS Process, On-Demand
1) Deliver code or bytes
2) Analysis as a Service
3) Expert Review
4) Results made available

Page 8: What is an SDLC?

Software Development Lifecycle (SDLC), or Secure Development Lifecycle, or Secure Software Development Lifecycle (S-SDLC)

S-SDLC incorporates security across all phases of the development lifecycle. Security is built into applications from the start.

Result: Software Security Assurance (SSA)

Page 9: Sample Secure SDLC

Diagram (On Premise Deployment): Developers, a Build Machine (possibly Continuous Integration), the Code Repository, Bug Tracking, an Auditor / Security role, a PM / Tech Lead and an IDE Plug-in. The cycle:
1) Developers check in code
2) Build machine checks out, builds and scans (vulnerability scan)
3) Auditor reviews results
4) Findings are submitted to the bug tracker
5) Developer fixes the bug / security finding (IDE plug-in)
6) Repeat as necessary

Page 10: Building Security into an SDLC

Build Security in: Activities & Tasks
• Developer & staff training
• Vulnerability analysis technologies
• Technology integrations and automation
• AppSec processes, procedures and metrics
• Governance, enforcement of the above

…Basically, process reengineering. This is SSA.

Page 11: SSA Challenges

Challenges to implementing an SSA program
• Tools are “wanted by security, need to be used by development”
• Developers are not security trained; security doesn’t understand source code
• Seamless integration of security requires a big upfront commitment
• Expertise is scarce (and expensive in time or $$$)
• And more…

Page 12: SaaS vs. On-Premise

Deployment
  SaaS (Easy): No deployment, no hardware, no training
  On Premise (Involved): Requires local installation and supporting hardware

Expertise Required
  SaaS (Little): Scans executed, results triaged by experts and delivered in easy-to-read reports
  On Premise (Significant): Requires expertise to set filters and triage results

Time to Results
  SaaS (Days): Days, sometimes weeks per scan
  On Premise (Hours): Hours per scan

Control
  SaaS (Less): Standardized process
  On Premise (More): 100% control; instant access to all capabilities at any time

Integration
  SaaS (Less): Primary results are in a report, but can be sent to bug tracking systems and IDEs
  On Premise (More): Tight integration with build systems, bug tracking, revision control, test automation

Actionable Results
  SaaS (Less): Reports, web sites and web services are challenging to use when fixing found issues
  On Premise (Very): Results in-house, consumable and usable in IDEs, development and security infrastructure

Page 13: The Strengths of SaaS and On-Premise

Pure SaaS Deployment
• Easy and cost effective to get started
• Little to no expertise required
• Findings make the case for future appsec investments
• Meet compliance and reporting obligations

Pure On-Premise Deployment
• Better model for “The Fix”
• Addresses the systemic problem
• Integration and automation maximize efficiency

Page 14: A Solid Plan for SSA

Phase 1: Pure SaaS
• Assess critical apps
• Prioritize and secure funding for Phase 2
• Train and/or hire resources
• Fix critical vulnerabilities, low-hanging fruit

Phase 2: Pure On-Premise
• Bring technology and expertise in-house
• Solve the systemic problem: reduce repeat vulnerabilities
• Integration and automation maximize efficiency
• Mature SSA program
• This could include putting SaaS onsite (private cloud)

Page 15: HOW THINGS ARE EVOLVING

Page 16: Relevant AppSec Trends

People
• Developers are increasingly security trained and aware
• AppSec SMEs are more prevalent, many of them in the solution providers and security firms

Product
• Applications are increasingly complex
  – Hardware and time needed to analyze are steepening
  – Increased expertise required to scan accurately
• SaaS is increasingly integrate-able with onsite systems

Process
• Compliance obligations are mandating an S-SDLC

Page 17: S-SDLC Baseline Deployment

Diagram (Basic, On Premise): the same cycle as the Page 9 sample, without the PM / Tech Lead and IDE plug-in. Developers check in code; the build machine (possibly Continuous Integration) checks out, builds and scans (vulnerability scan); the auditor / security role reviews the results and submits findings to the bug tracker; the developer fixes the bug / security finding; repeat as necessary.

Page 18: S-SDLC Needs

Diagram: Developers, Auditor / Security and the Vulnerability Scan, with each need below colour-coded as SaaS or On Premise (the colour coding is not preserved in the transcript).

Analysis Needs:
• Power, processing, memory
• Multiple servers
• Expertise to scan accurately

Development Needs:
• Security, vulnerability training
• IDE integration of results
• Low impact to current processes

Auditor Needs:
• Deep appsec knowledge
• Expertise with scanning tool
• Knowledge of app deployment

Page 19: SaaS Integration Points

Diagram (On Premise Infrastructure): the baseline cycle again. Developers check in code; the build machine or Continuous Integration checks out, builds and scans (vulnerability scan); the auditor / security role reviews results and submits findings to bug tracking; the developer fixes the bug / security finding; repeat as necessary.

Page 20: SaaS Integration Points

Diagram: the On Premise Infrastructure (Developers, Auditor / Security, PM / Tech Lead, Code Repository, Bug Tracking, Build Machine or Continuous Integration) with SaaS overlaid at the integration points. The SaaS integration is:
• Point & click
• Automated
• Web-based

Page 21: Bringing it all Together

• Key Concepts in a Hybrid S-SDLC Deployment
  – Expertise available via SaaS is typically superior to that found on-premise (they are the experts)
  – Some tasks require on-site activity (like fixing bugs)
  – Disruptions to existing processes can slow adoption; start small and build slowly
  – Integration points can blur the on-premise / on-demand separation, facilitating adoption

Page 22: Hybrid Delivered Secure SDLC

Diagram (Hybrid Deployment). On premise: Developers, Continuous Integration, Code Repository, Bug Tracking, Auditor / PM, IDE Plug-in. In the SaaS: Analyze/Scan and Expert Review. The cycle:
1) Developer checks in code
2) Continuous Integration performs a triggered check-out and a triggered send for analysis to the SaaS
3) SaaS analyzes/scans and performs expert review
4) Auditor / PM downloads and prioritizes the results
5) Findings are submitted to the bug tracker
6) Developer loads the issues in the IDE plug-in and views bugs & findings

Page 23: Integration Points

Development and Security Technology: Deliver Source / View-Pull Results
• Developer IDE: Y / Y
• Continuous Integration Server: Y / Y
• Code Repository / Version Control: Y (deliver source only)
• Web Interface: Y / Y
• Web Services / Custom Integrations: Y / Y

Lots of opportunity for customization and fitting the deployment model to the customer environment
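The continuous-integration leg of the hybrid cycle (pages 9, 22 and 23: triggered check-out, send for analysis, pull results, file findings, developer fixes) is easier to reason about as code. The following is an added example, not part of the presentation and not HP/Fortify's product code. It assumes two hypothetical interfaces, AnalysisService (submit a bundle, pull findings by job id) and BugTracker (file a finding, recognising repeats), both implemented here as in-memory stand-ins; real vendor APIs and result formats differ. The scanner rules and the sample checkout are constructed for the example.

```python
# Added example, not from the presentation or from HP/Fortify: a Python stand-in for
# the build-machine step of the hybrid S-SDLC (pages 9, 22 and 23). It bundles the
# checkout, sends it to an analysis service, pulls the findings, fingerprints them so
# a re-scan does not re-file issues already in the tracker, files the new ones and
# gates the build on severity. AnalysisService and BugTracker are hypothetical
# in-memory stand-ins; real vendor APIs differ.
from __future__ import annotations

import hashlib
import io
import re
import tarfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str      # analyzer rule id
    path: str      # file path relative to the repository root
    line: int      # 1-based line number at scan time
    severity: str  # "critical", "high", "medium" or "low"
    snippet: str   # the offending source line, stripped


def fingerprint(f: Finding) -> str:
    """Identity that survives re-scans: rule + path + code text, deliberately not the
    line number, so an unrelated edit above the issue does not make it a 'new' bug."""
    return hashlib.sha256(f"{f.rule}\0{f.path}\0{f.snippet}".encode()).hexdigest()[:16]


def bundle_source(files: dict[str, bytes]) -> tuple[bytes, str]:
    """Deterministic tar of the checkout plus its SHA-256, so the auditor can tie the
    service's results to exactly the bytes the build machine delivered."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:  # plain tar: no gzip timestamp
        for name in sorted(files):
            info = tarfile.TarInfo(name)  # mtime, uid and gid stay 0
            info.size = len(files[name])
            tar.addfile(info, io.BytesIO(files[name]))
    data = buf.getvalue()
    return data, hashlib.sha256(data).hexdigest()


RULES = [  # constructed toy rules; a real analyzer does data-flow analysis, not regexes
    ("sql-injection", "critical", re.compile(r"""execute\(\s*["'].*["']\s*\+""")),
    ("weak-hash", "medium", re.compile(r"hashlib\.md5\(")),
]


class AnalysisService:
    """Stand-in for the SaaS side: submit() takes a bundle, results() returns the
    findings for that job. A real service adds expert review before release."""
    def __init__(self) -> None:
        self._jobs: dict[str, list[Finding]] = {}

    def submit(self, bundle: bytes) -> str:
        job_id = hashlib.sha256(bundle).hexdigest()[:12]
        found: list[Finding] = []
        with tarfile.open(fileobj=io.BytesIO(bundle), mode="r") as tar:
            for m in tar.getmembers():
                text = tar.extractfile(m).read().decode("utf-8", "replace")
                for n, line in enumerate(text.splitlines(), 1):
                    for rule, sev, pat in RULES:
                        if pat.search(line):
                            found.append(Finding(rule, m.name, n, sev, line.strip()))
        self._jobs[job_id] = found
        return job_id

    def results(self, job_id: str) -> list[Finding]:
        return list(self._jobs[job_id])


class BugTracker:
    """Stand-in for the on-premise tracker, keyed by fingerprint so a finding the next
    scan reports again is recognised rather than filed twice."""
    def __init__(self) -> None:
        self.tickets: dict[str, dict] = {}

    def file(self, f: Finding) -> tuple[str, bool]:
        key = fingerprint(f)
        if key in self.tickets:
            self.tickets[key]["seen"] += 1
            return key, False
        self.tickets[key] = {"title": f"[{f.severity}] {f.rule} in {f.path}:{f.line}",
                             "snippet": f.snippet, "seen": 1}
        return key, True


def ci_scan_step(files: dict[str, bytes], service: AnalysisService, tracker: BugTracker,
                 block_on: tuple[str, ...] = ("critical", "high")) -> dict:
    """One CI job: check-out -> send for analysis -> pull results -> file -> gate."""
    bundle, digest = bundle_source(files)
    job = service.submit(bundle)
    out = {"bundle_sha256": digest, "job_id": job, "new": [], "known": [], "blocking": []}
    for f in service.results(job):
        key, is_new = tracker.file(f)
        out["new" if is_new else "known"].append(key)
        if f.severity in block_on:
            out["blocking"].append(f)
    out["passed"] = not out["blocking"]
    return out


SAMPLE_CHECKOUT = {  # constructed sample checkout, not real project code
    "app/db.py": b"def lookup(cur, user):\n"
                 b"    cur.execute(\"SELECT * FROM users WHERE name = '\" + user + \"'\")\n",
    "app/util.py": b"import hashlib\ndef tag(data):\n    return hashlib.md5(data).hexdigest()\n",
}
```

Two design points carry over to a real deployment. Fingerprinting on rule, path and code text rather than line number is what keeps the "reduce repeat vulnerabilities" goal measurable: the second run of ci_scan_step on the same checkout files nothing new, and a fix that shifts line numbers does not resurrect closed tickets. Recording the bundle digest next to the job id is what lets the auditor on page 22 prove which commit the SaaS results describe before prioritizing them.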

Page 24: Plan for SSA, Revisited

Phase 1: Pure SaaS
• Assess critical apps
• Prioritize and secure funding for Phase 2

Phase 2: On-Premise Pilot and SaaS
• Continue SaaS regime
• Deploy on-premise technology, design and test long-term processes
• Train and/or hire resources
• Fix critical vulnerabilities, low-hanging fruit

Phase 3: Hybrid On-Premise and SaaS Deployment
• Deploy more technology and expertise in-house
• Difficult apps (for example) are still analyzed and triaged via SaaS
• Integration and automation maximize efficiency across deployments
• Mature SSA program

Page 25: Final Thoughts

Take advantage of expertise where it resides, potentially buying time to bring it in-house

The general maturity curve is still on-demand --> on-premise

Automated or easy integrations are vital to a successful hybrid deployment

Plan! Think long term.

Sometimes a pure on-premise or on-demand deployment is still the best answer. The important thing is to fit the solution to the problem and need.

Page 26: Resources

http://www.owasp.org
http://www.opensamm.org/
http://bsimm.com/
http://buildsecurityin.us-cert.gov/bsi/

…and check out the next session on this track

…Many, many others…