This document outlines a 5-step approach to establishing a Software Security Assurance program:
1) Conduct an assessment of capabilities, resources, assets, and organization.
2) Develop a resource strategy and plan based on assessment.
3) Build intelligent processes that leverage existing processes and accommodate business needs.
4) Implement processes strategically and augment with automation technologies.
5) Continuously measure business impact and reassess goals as business priorities change.
2. Catch more info from me –
Podcast: http://podcast.wh1t3rabbit.net
Blog: http://hp.com/go/white-rabbit
Twitter: @Wh1t3Rabbit
3. What Type of Organization Are You?
Be honest with yourself
• “Get SSA”
• Randomly spending $ on “App Sec”
• Fooling themselves
3 Enterprise Security – HP Public
4. App Security vs. Software Security Assurance
• Application Security (AppSec)
– “Securing software”
– Tactical approach, marked by erratic spending
– Measured to CISO level
– Tools, tools, tools
• Software Security Assurance (SSA)
– Program approach driven by risks
– Acknowledge there is no such thing as secure software
– Measured to CIO level as impact on IT performance
– People & process first, then smart application of technology
5. Step 1: Assessment
Know where you’re starting
• Perform a rational assessment of
– Capabilities
– Resources
– Assets
– Liabilities
– Organization & structure
– Organizational goals
• Be careful of paralysis by analysis
• Be thorough, but move swiftly
6. Step 2: Resource Planning
Build resource strategy from your assessment
• What can you do with what you’ve got?
– Human resources
– Technology
– Time & capital
• Plan for resource allocation
– Plan 6, 12, 18, 36 months into the future
– What is the current capacity (workload), and how will it grow over time?
– Will you in-source, outsource, hybridize or all of the above?
– Will budgets increase, decrease, and can you leverage your LoB?
– Do you have the right resources in the right positions to succeed?
7. Step 3: Intelligent Process Building
Process makes success possible
• Don’t reinvent the wheel (you probably don’t have to)
– Leverage existing processes
– Less friction within the organization
– How are things being done today? Can you fit in the right controls?
• Accommodate, align, associate
– Accommodate processes that LoB is already using
– Align to others’ goals (remember, they’re not yours …yet)
– Associate your success to theirs, then vice versa
– DevOps!
• Think of the full ALM span (Application Lifecycle)
8. Step 4: Implementation and Technology
Implement, then automate
• Implement strategically
– Start small, where failure won’t be noticed
– Tweak processes, approach as you go
– Do whatever it takes to make the pilot succeed
– Shout your success, encourage others to sign on
• Augment and automate with technology
– People don’t scale well
– Ensure right technology, to the right resources, at the right time
– Your process must produce consistent, repeatable results
– Remove burden from the user
9. Step 5: Measurement and Re-Assessment
Make sure you measure business relevance
• Measure impact to the business
– Get beyond “vulnerabilities” and “criticals”
– Demonstrate risk reduction with less negative business impact
– Build IT-relevant KPIs
– “How is your activity contributing to business value?”
• Re-assess each {quarter | half-year | year} to align goals
– As business priorities change, so should your program
– What causes a change in program?
• Industry security “climate”
• Budget
• Technology shifts
10. Things Everyone Forgets
Things only failure teaches
• Planning for things you can’t plan for
– Cloud computing
– Consumer device adoption
• Being a smart victim
– Plan for incident response
– “Would you know you’ve become a victim?”
• Adapt to boardroom requirements
– Business objectives change – learn how to listen
– Priorities, budgets change
• What happens after you’ve been promoted?
11. If this was easy, everyone wouldn’t be getting pwn3d through a 10 year old bug.