:: History :: TASSCC Annual Conference 2011 - August 8, 2011 (Philip J Beyer and John B Dickson) :: Summary :: We will present the process TEA took to assess its application security program, identify essential components, realign the development lifecycle, and build a roadmap to software assurance maturity. :: Abstract :: In times of economic hardship and shrinking budgets, security risks are unchanged. When we in state government have to be the most resourceful, the bad guys are no less active and determined. So, how do you stay secure in these lean times? What are the most important and effective security measures to take? In its mission to serve students and educators across the state, the Texas Education Agency has developed a program to manage risk in its web applications. In response to budget constraints, TEA shifted the focus of its application security program. We will present the process TEA took to assess the program, identify essential components, realign the development lifecycle, and build a roadmap to software assurance maturity.

1. Lean and (Prepared for) Mean:Application Security Program Essentials Philip J. Beyer - Texas Education Agency philip.beyer@tea.state.tx.us John B. Dickson - Denim Group john@denimgroup.com 1 TASSCC 2011 Annual Conference Copyright 2011 by Texas Education Agency. All rights reserved.

2. Overview Background Trends Essentials Roadmap TASSCC 2011 Annual Conference 2 Copyright 2011 by Texas Education Agency. All rights reserved.

3. About Phil Beyer Information Security Officer Consulting background John Dickson Application security industry leader TEA ~700 employees ~1200 school districts ~5 million students TASSCC 2011 Annual Conference 3 Copyright 2011 by Texas Education Agency. All rights reserved.

4. Application Security – What? Why? In Brief Web applications can be attacked Attacks are different from network or OS levels Becoming a significant attack vector Impact Attackers bypass traditional infrastructure security controls Users are a target as well as data TASSCC 2011 Annual Conference 4 Copyright 2011 by Texas Education Agency. All rights reserved.

5. Trends At TEA Applications created regularly and retired slowly Ability to outsource remediation decreased due to funding limitations In the Industry Attacks are increasingly sophisticated and automated Remediation costs increase in later phases of the development cycle TASSCC 2011 Annual Conference 5 Copyright 2011 by Texas Education Agency. All rights reserved.

6. EssentialsWhere Did TEA Start Application Security Program established Some policy and procedure Initial training and exposure to concepts Historically siloed approach Outsourcing for subject matter expertise Veracode Denim Group TASSCC 2011 Annual Conference 6 Copyright 2011 by Texas Education Agency. All rights reserved.

7. EssentialsThe Premise Some things you Don’t Need Some things you Do Need Some things you Just Don’t Need Yet TASSCC 2011 Annual Conference 7 Copyright 2011 by Texas Education Agency. All rights reserved.

8. EssentialsWhat You Don’t Need An Expensive Scanner A Security Process for scanning is more important Simple (free) scanners will get you started Buy the software later TASSCC 2011 Annual Conference 8 Copyright 2011 by Texas Education Agency. All rights reserved.

9. EssentialsWhat You Don’t Need A Complicated Scoring/Tracking Tool A Security Process for profiling is more important Risk ranking doesn’t have to be hard Keeping track of your applications can be simple Buy the software later TASSCC 2011 Annual Conference 9 Copyright 2011 by Texas Education Agency. All rights reserved.

10. EssentialsWhat You Don’t Need A Dedicated Application Security Team A Security Process for testing is more important Leverage your existing QA and Testing team Simple security testing will get you started Build and train your testing capability gradually TASSCC 2011 Annual Conference 10 Copyright 2011 by Texas Education Agency. All rights reserved.

11. EssentialsWhat You Don’t Need A Perfect SDLC Get started with what you have now Update your policies and procedures as you go Don’t try to drop in “The Secure SDLC” all at once TASSCC 2011 Annual Conference 11 Copyright 2011 by Texas Education Agency. All rights reserved.

12. EssentialsWhat You Do Need A Champion That’s You! Understand the problem Communicate the risk Work with the business TASSCC 2011 Annual Conference 12 Copyright 2011 by Texas Education Agency. All rights reserved.

13. EssentialsWhat You Do Need A Team that Gets It Managers Developers Testers Security TASSCC 2011 Annual Conference 13 Copyright 2011 by Texas Education Agency. All rights reserved.

14. EssentialsWhat You Do Need Good Training Resources exist, some are free The trainer is important Attacks evolve, so should your training TASSCC 2011 Annual Conference 14 Copyright 2011 by Texas Education Agency. All rights reserved.

15. EssentialsWhat You Do Need Expert Help Technical questions will arise Some vendors will dispute vulnerabilities Be sure your team can consult with experts TASSCC 2011 Annual Conference 15 Copyright 2011 by Texas Education Agency. All rights reserved.

16. EssentialsWhat You Do Need A Roadmap to Maturity Use an established maturity model OpenSAMM BSIMM Design a roadmap to get to maturity Don’t try to do it all at once TASSCC 2011 Annual Conference 16 Copyright 2011 by Texas Education Agency. All rights reserved.

17. RoadmapUse a Maturity Model OpenSAMM - Software Assurance Maturity Model Maturity levels 1 thru 4 Governance Strategy & Metrics (2), Policy & Compliance (3), Education & Guidance (3) Construction Threat Assessment (3), Security Requirements (3), Secure Architecture (3) Verification Design Review (2), Code Review (2), Security Testing (3) Deployment Vulnerability Management (3), Environment Hardening (3), Operational Enablement (3) TASSCC 2011 Annual Conference 17 Copyright 2011 by Texas Education Agency. All rights reserved.

18. Roadmap – Phase 1Governance Estimate overall business risk profile Build and maintain an application security program roadmap Build and maintain compliance guidelines Conduct technical security awareness training Build and maintain technical guidelines TASSCC 2011 Annual Conference 18 Copyright 2011 by Texas Education Agency. All rights reserved.

19. Roadmap – Phase 1Construction Derive security requirements based on business functionality Evaluate security and compliance guidance for requirements TASSCC 2011 Annual Conference 19 Copyright 2011 by Texas Education Agency. All rights reserved.

20. Roadmap – Phase 1Verification Derive test cases from known security requirements Conduct penetration testing on software releases TASSCC 2011 Annual Conference 20 Copyright 2011 by Texas Education Agency. All rights reserved.

21. Roadmap – Phase 1Deployment Identify point of contact for security issues Create informal security response team(s) TASSCC 2011 Annual Conference 21 Copyright 2011 by Texas Education Agency. All rights reserved.

22. Resources OWASP – Open Web Application Security Project http://www.owasp.org/ OpenSAMM - Software Assurance Maturity Model http://www.opensamm.org/ Denim Group – Remediation Resource Center http://www.denimgroup.com/remediation/ TASSCC 2011 Annual Conference 22 Copyright 2011 by Texas Education Agency. All rights reserved.

23. Questions? TASSCC 2011 Annual Conference 23 Copyright 2011 by Texas Education Agency. All rights reserved.