This talk is from ISSA International 2011, reflecting a look out over the horizon of Software Security Assurance for the next 20 years. Fundamentally, we must be able to start with 1 question - "Can you trust your software?" ...and if you can't say "Yes!" for certain, it's time to start somewhere.
6. 1 – Application Modernization
Catalysts:
• Your corporate applications are aging
• Aging application technologies are hindering your business productivity
• Applications deployed ‘before security’ are critically exposed
Opportunity:
• Address software security as a core business requirement
• Modernize security controls, “bolt-ons”
7. 2 – Cloud Adoption
Catalysts:
• Organizations are adopting cloud whether they acknowledge it or not
• Extreme confusion: what is “cloud security”?
• “The Cloud” brings fundamentally different security challenges
Opportunity:
• A forceful re-evaluation of security paradigms
• Shift security from perimeter, to application
• Engage providers, fully understand risks of the cloud model
8. 3 – Consumerization of the Enterprise
Catalysts:
• Enterprise functions are being performed across consumer devices
• Corporate data is spread across devices enterprises don’t control
• Applications must run on diverse platforms, pose unique risks
Opportunity:
• Understand application risk profiles across consumer use-cases
• Focus on minimizing data sprawl, centralizing logic processing
• Create strategic mobile application defenses
9. 4 – Technology Overrun
Catalysts:
• Bleeding-edge client-side technology adoption
• Mobile development is hot, security is lacking
• Development technology over-running security capability
Opportunity:
• Adopt technology-independent security controls
• Control application release processes (ITIL change control)
10. 5 – Incidents
Catalysts:
• Incidents will increase as enterprises become more aware
• Cloud adoption, mobile computing, consumerization increases likelihood
• Regulations and laws continue to drive disclosure
Opportunity:
• Optimized technology responds to incidents faster, smarter
• Identify data acquisition, forensic strategies as part of design plans
12. 1 – Start and End with Requirements
Strategic risk reduction impacts the idea, not the result
• Understand organizational goals, seek to reduce risk
• Influence “what the business wants”
• Abstract security to risk, in business terms
• A defect is a deviation from a requirement
13. 2 – Engage the Full SDLC
Organizations must address the full application lifecycle
[Lifecycle diagram; recoverable labels: IT Handoff, Release]
14. 3 – Shift SSA Ownership
Software security is not the Security organization’s problem.
SSA Today:
• SSA is equated with security
• Security runs SSA program
• Manage all aspects
• Perform security testing
• Manage defect tracking
• Fail.
SSA Tomorrow:
• Security governs SSA program
• Security manages key aspects
• Govern testing, validate findings
• Develop policy, practices
• Succeed.
15. 4 – Risk-Based Defense
Application use-cases have unique risk profiles.
It’s time to recognize this fact, and build sane strategies.
• Segregate, segment, build security zones by business criticality
• Short-term tactical defenses for weakest legacy applications
• Fix, defer or accept risk.
• Develop risk profiles for application use-cases such as mobile…
– Encrypt data, virtualize usage
• Fortify more than just the front-end – including services, APIs
16. 5 – Static or Dynamic Testing? Yes.
Static vs. Dynamic security testing is no longer a question.
Static and Dynamic analysis each has advantages, both are needed
Provide the right technology, at the right time, to the right people
Audit source code, validate the running application
Remember, you can’t test yourself secure
17. 6 – Test, but Cheat
When you’re up against attackers, cheat as often as possible.
• Gray-box technology provides deeper insight into application logic
• Link exploits with vulnerable code
• Get to the fix faster.
Web App Function exec_query () {
    take user data (x);
    construct query (x + y);
    execute query;
    return results (z);
}
4 exploitable fields, 1 fix
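The slide's sketch, worked through as an added example (not code from the talk): four form fields all funnel into one query-building function, so a gray-box tool that links the exploitable fields back to that sink points at a single fix. The table, field names and the `O'Brien` probe value are constructed for the example; the point of the probe is that a field which breaks the query on an ordinary apostrophe is a field whose input reaches the query text unescaped.

```python
import sqlite3

# Constructed sample table for this example (not data from the slide deck).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, name TEXT, email TEXT, city TEXT, dept TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?, ?)",
        [
            (1, "Ada", "ada@example.com", "Leeds", "eng"),
            (2, "O'Brien", "obrien@example.com", "Cork", "ops"),
        ],
    )
    return conn

# Four web-form fields (hypothetical names), each searching a different
# column, all funnelling into the single query-building function.
FIELD_TO_COLUMN = {
    "name_field": "name",
    "email_field": "email",
    "city_field": "city",
    "dept_field": "dept",
}

def exec_query_vulnerable(conn, column, x):
    """The sink as the slide sketches it: user data x is spliced into the
    query text, so every field that reaches here is exploitable."""
    query = "SELECT id FROM users WHERE " + column + " = '" + x + "'"
    return [row[0] for row in conn.execute(query)]

def exec_query_fixed(conn, column, x):
    """The one fix: the query text is constant and x travels as a bound
    parameter. The column name is chosen by code, not by the user, and is
    still checked against the known set before it is used."""
    if column not in FIELD_TO_COLUMN.values():
        raise ValueError("unexpected column: " + column)
    query = "SELECT id FROM users WHERE " + column + " = ?"
    return [row[0] for row in conn.execute(query, (x,))]

def probe_fields(sink, value="O'Brien"):
    """Send a legitimate value containing a quote through all four fields
    and return the fields whose query breaks. Each broken field is one
    'exploitable field'; all of them trace to the same sink."""
    conn = make_db()
    broken = []
    for field, column in FIELD_TO_COLUMN.items():
        try:
            sink(conn, column, value)
        except sqlite3.OperationalError:
            broken.append(field)
    return broken

if __name__ == "__main__":
    print("vulnerable sink breaks on:", probe_fields(exec_query_vulnerable))
    print("fixed sink breaks on:", probe_fields(exec_query_fixed))
    print("fixed lookup:", exec_query_fixed(make_db(), "name", "O'Brien"))
```

Running the probe against the vulnerable sink lists all four fields; against the fixed sink it lists none and the apostrophe is matched literally. Counting fields gives four findings to triage; counting sinks gives one change to make, which is the slide's argument for correlating dynamic findings with the code that produced them.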
18. 7 – Dynamic Security Intelligence
Real security isn’t about keeping the ‘bad guys’ out, it’s about reacting in real-time.
[Diagram; recoverable labels: Critical Data, Detect, Respond, Compromised Remote Corp User]
19. 8 – Measure Against Business Goals (KPIs)
Only 2 questions are relevant:
1. What are your organizational, business objectives?
2. How does Software Security Assurance contribute to those objectives?
5 Suggested KPIs:
1. WRT – Weighted Risk Trend
2. DRW – Defect Remediation Window
3. RDR – Rate of Defect Recurrence
4. SCM – Specific Coverage Metric
5. SQR – Security to Quality Defect Ratio
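The slide names the five KPIs but does not define them, so the following is an added example (not the speaker's or HP's method) that computes each one from a constructed defect-tracker export under one plausible reading of each name: WRT as the severity-weighted count of open security defects at successive checkpoints, DRW as the median days from open to fix, RDR as the share of fixed defects later reopened, SCM as the fraction of in-scope applications that received the specified test, and SQR as security defects per quality defect. Those formulas, the defect records and the application names are all assumptions made for the example.

```python
from datetime import date
from statistics import median

# Constructed defect-tracker export for this example; every formula below is
# an assumed interpretation of the KPI names on the slide, not a definition
# taken from the talk.
DEFECTS = [
    {"id": 1, "kind": "security", "severity": 3, "opened": date(2011, 1, 3),  "fixed": date(2011, 1, 17), "reopened": False},
    {"id": 2, "kind": "security", "severity": 5, "opened": date(2011, 1, 10), "fixed": date(2011, 2, 14), "reopened": True},
    {"id": 3, "kind": "quality",  "severity": 2, "opened": date(2011, 1, 12), "fixed": date(2011, 1, 20), "reopened": False},
    {"id": 4, "kind": "security", "severity": 4, "opened": date(2011, 2, 1),  "fixed": None,              "reopened": False},
    {"id": 5, "kind": "quality",  "severity": 1, "opened": date(2011, 2, 3),  "fixed": date(2011, 2, 5),  "reopened": False},
    {"id": 6, "kind": "quality",  "severity": 3, "opened": date(2011, 2, 8),  "fixed": None,              "reopened": False},
]
APPS_IN_SCOPE = {"portal", "billing", "mobile-api", "hr"}  # apps policy says must be tested (constructed)
APPS_TESTED = {"portal", "billing"}                         # apps that actually were (constructed)

def is_open(defect, as_of):
    """A defect counts as open on a day if it was opened by then and not yet fixed."""
    return defect["opened"] <= as_of and (defect["fixed"] is None or defect["fixed"] > as_of)

def weighted_risk_trend(defects, checkpoints):
    """WRT (assumed): severity-weighted open security defects at each checkpoint;
    the direction of the series is the trend the business is asked to watch."""
    return [
        sum(d["severity"] for d in defects if d["kind"] == "security" and is_open(d, day))
        for day in checkpoints
    ]

def defect_remediation_window(defects):
    """DRW (assumed): median days from open to fix across fixed security defects."""
    days = [(d["fixed"] - d["opened"]).days
            for d in defects if d["kind"] == "security" and d["fixed"] is not None]
    return median(days)

def rate_of_defect_recurrence(defects):
    """RDR (assumed): share of fixed defects that were later reopened."""
    fixed = [d for d in defects if d["fixed"] is not None]
    return sum(1 for d in fixed if d["reopened"]) / len(fixed)

def specific_coverage_metric(in_scope, tested):
    """SCM (assumed): fraction of in-scope applications that received the specified test."""
    return len(in_scope & tested) / len(in_scope)

def security_to_quality_ratio(defects):
    """SQR (assumed): security defects per quality defect in the same tracker."""
    security = sum(1 for d in defects if d["kind"] == "security")
    quality = sum(1 for d in defects if d["kind"] == "quality")
    return security / quality

def kpi_report(defects=DEFECTS, checkpoints=(date(2011, 1, 31), date(2011, 2, 28))):
    """One row of the report a security team would hand to the business."""
    return {
        "WRT": weighted_risk_trend(defects, checkpoints),
        "DRW": defect_remediation_window(defects),
        "RDR": rate_of_defect_recurrence(defects),
        "SCM": specific_coverage_metric(APPS_IN_SCOPE, APPS_TESTED),
        "SQR": security_to_quality_ratio(defects),
    }

if __name__ == "__main__":
    for name, value in kpi_report().items():
        print(name, value)
```

Each function takes the raw records rather than a pre-aggregated number, so the same report can be re-run per application or per business unit, which is what ties a KPI back to a specific organizational objective rather than to the security team's own activity.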
21. You will be breached.
You will lose data, trust, and money.
The incident will matter.
The response will be the deciding factor.
22. Surviving a Major Breach
[Diagram; recoverable labels: In the court of public opinion, Organizational Due Diligence, Response, Incident “Damage”]
22 Enterprise Security – HP Confidential