Software Security Assurance - Bruce Jenkins
- 1. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Software Security Assurance
Managing risk in the face of digital transformation
- 2.
IT-oLogy Trends 2015 –Columbia, SC
About me
Bruce C Jenkins
CISM, CISSP, CSSLP
Fortify Security Lead
AppSec Program Strategist
Hewlett-Packard Company
Current
• Fortify product and information security
• HP-internal application security program strategy
• Customer-facing appsec workshops and strategy
Former
• Fortify Pro Services, 2007-2011
• US Air Force, 1979-2007
- 3.
About my motivation for developing secure systems…
• 2005: US Air Force personnel system breached; 33K records exfiltrated
• 2006: VA employee’s personal external drive stolen; 26M VA records at risk
• 2007-2011: ???
• 2012: Thrift Savings Plan contractor’s system attacked; 123K SSNs stolen
• 2013: Target POS system compromised; up to 70M customers impacted
• 2014: University of Maryland, 309K records; Home Depot, e-mail addresses and credit cards
• 2015: Several… + Office of Personnel Management, 18M records
- 4.
Let’s talk about risk management…
- 5.
What is “Security”?
- 6.
What is “Security”?
Definitions
from The American Heritage® Dictionary of the English Language, 4th Edition
n. Freedom from risk or danger; safety.
n. Freedom from doubt, anxiety, or fear; confidence.
n. Something that gives or assures safety
- 7.
Security Issue?
- 8.
“Security is never black and white, and
context matters more than technology”
– Bruce Schneier
Secrets & Lies: Digital Security
in a Networked World
Security Issue?
- 9.
So… Security Issue?
- 10.
So… Security Issue?
Maybe.
As you go about the business of developing and enhancing systems in support of today’s digital transformation, it’s important to keep findings in perspective. Pay attention to the weeds—you may need to eliminate them—but don’t get lost in them.
- 11.
Agenda
Why Software Security is Hard
Creating a Foundation
Building Security In
Lessons Learned
- 12.
Why Software Security is Hard
- 13.
Current solutions protect the perimeter
Yet, 84% of breaches occur in the application software
- 14.
The number of apps is growing
Sources of software in production: in-house development, legacy software, open source, outsourced, commercial
Increasing platforms and complexity … many delivery models
- 15.
“I just want to be a coder; I’m really not
interested in security.”
– Security Consultant Candidate
Developers are NOT trained to be security experts
- 16.
Attacks have a proven life cycle
Research
Research potential
targets
Monetization
Data sold
on black market
Infiltration
Phishing attack and
malware
Discovery
Mapping breached
environment
Capture
Obtain data
Exfiltration
Exfiltrate/destroy
stolen data
- 17.
Attack life cycle risk mitigation
Research
Research Potential
Targets
Monetization
Data sold
on black market
Infiltration
Phishing Attack and
Malware
Discovery
Mapping Breached
Environment
Capture
Obtain data
Exfiltration
Exfiltrate/destroy
Stolen data
Threat intelligence
• Security Research
Block adversary
• Network
• Software
Detect adversary
• SIEM
• UBA
Protect data
• At rest
• In motion
Mitigate damage
• Breach Response
- 18.
Median time to detect a breach: 205 days
Source: Mandiant M-Trends 2015 Threat Report
- 19.
Conflicting views over the priority of security
Source: Osterman Research White Paper, Jan 2015
- 20.
Top challenges in achieving software security goals*
Source: Gatepoint Research Pulse Report, Oct 2014
n = 300 executives
*Read as: software security assurance (SSA) program goals
- 21.
“It is necessary that people work together in unison toward common objectives and avoid working at cross purposes at all levels if the ultimate in efficiency and achievement is to be obtained.”
– Dave Packard
Co-founder, Hewlett-Packard
- 22.
Creating a Foundation
- 23.
Obtain stakeholder alignment with a common vision
Creating a Foundation
• Establish security-related goals that
are directly tied to the firm’s mission
Diagram: Mission → Goals → Objectives → Strategy → metrics (m, m, m) → KPI, underpinned by Policy, Standards and Training
- 24.
Example: Hewlett-Packard Co
Creating a Foundation
HP corporate objectives: Profit, Customer Loyalty, Growth, Market Leadership, Commitment to Employees, Leadership Capability, Global Citizenship
Goal cascade (diagram): Hewlett-Packard (Goal 1 … Goal n) → HP Software (Goal 1 … Goal n) → Fortify (Security Goal 1 … Security Goal n); Enterprise Security / Security Group (Goal 1 … Goal n) alongside
See HP’s Corporate Objectives at http://www8.hp.com/us/en/hp-information/about-hp/corporate-objectives.html
- 28.
Example: Private Sector Financial
Creating a Foundation
Corp Mission Statement
• Goal 1
• Goal 2
• Goal 3
• Protect our customers’ data
• Goal n
- 29.
Example: Private Sector Financial (continued)
Corp Security Group
• Security Goal 1
• Security Goal 2
• Security Goal 3
• Security Goal n
- 30.
Example: Private Sector Financial (continued)
Corp Security Group goal supporting “Protect our customers’ data”:
Proactively identify and mitigate risk in all Mission Critical applications
- 31.
Building Security In
- 32.
Consider using a software security framework (SSF)as a guide
Building Security In
• Establish security-related goals that
are directly tied to the firm’s mission
• Develop a security strategy that is designed to
support achievement of the security goal(s)
- 33.
“There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don’t know. But there are also unknown unknowns. There are things we don’t know we don’t know.”
– Donald Rumsfeld
Former US Secretary of Defense
- 34.
Building Security In
Establish a security gate to understand the security posture of the portfolio
Lifecycle phases: Design, Construct, Test, Deploy; Security Gate
Governance
• Strategy and Metrics
• Policy and Compliance
• Education and Guidance
Construction
• Security Requirements
• Threat Assessment
• Security Architecture
Verification
• Design Review
• Implementation Review
• Security Testing
Operations
• Environment Hardening
• Issue Management
• Operational Enablement
- 35.
With assessment results available, the unknown is known
Building Security In
• Establish security-related goals that
are directly tied to the firm’s mission
• Develop a security strategy that is designed to
support achievement of the security goal(s)
• Based upon business priorities and portfolio risk*,
design time-constrained, measurable objectives
• Only choose metrics and construct KPIs that show
progress toward meeting the objectives; nothing else
*portfolio is known, classified and risk-ranked
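One way to make the security gate (slide 34) and the known, classified, risk-ranked portfolio (slide 35) concrete, as an added example that is not from the original deck and not HP Fortify code: a small Python gate that applies per-risk-tier thresholds to open findings and reports the share of mission-critical applications that pass, which is the kind of objective-linked KPI the slide asks for. The tier names, thresholds, application names and findings below are constructed sample data and assumed policy, not values from the deck.

```python
"""Added example (not from the original slide deck): a portfolio-level
security gate. The portfolio, risk tiers, findings and thresholds are
constructed sample data and an assumed policy, not Fortify defaults."""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed policy: maximum open findings allowed per severity, per risk tier.
# Mission-critical applications tolerate no open critical or high findings.
POLICY: Dict[str, Dict[str, int]] = {
    "mission_critical": {"critical": 0, "high": 0, "medium": 10},
    "business_important": {"critical": 0, "high": 5, "medium": 25},
    "low": {"critical": 2, "high": 10, "medium": 50},
}


@dataclass
class Finding:
    app: str
    severity: str          # critical / high / medium / low
    category: str          # sample category names, constructed
    status: str = "open"   # open / fixed / accepted (risk-accepted)


@dataclass
class GateResult:
    app: str
    tier: str
    passed: bool
    violations: List[str] = field(default_factory=list)


def count_open(findings: List[Finding], app: str) -> Dict[str, int]:
    """Count findings per severity for one app; only 'open' ones count.
    Treating risk-accepted findings as closed is a policy choice."""
    counts = {"critical": 0, "high": 0, "medium": 0, "low": 0}
    for f in findings:
        if f.app == app and f.status == "open":
            counts[f.severity] += 1
    return counts


def gate(app: str, tier: str, findings: List[Finding],
         policy: Dict[str, Dict[str, int]] = POLICY) -> GateResult:
    """Fail the app if any open severity count exceeds its tier's limit.
    An unclassified app gets the strictest tier so the gate fails closed."""
    limits = policy.get(tier, policy["mission_critical"])
    counts = count_open(findings, app)
    violations = [f"{sev}: {counts[sev]} open > {limit} allowed"
                  for sev, limit in limits.items() if counts[sev] > limit]
    return GateResult(app, tier, not violations, violations)


def run_portfolio(portfolio: Dict[str, str], findings: List[Finding],
                  policy: Dict[str, Dict[str, int]] = POLICY) -> Dict[str, GateResult]:
    return {app: gate(app, tier, findings, policy) for app, tier in portfolio.items()}


def kpi_mission_critical_clean(results: Dict[str, GateResult]) -> float:
    """Objective-linked metric: fraction of mission-critical apps passing the gate.
    Returns 1.0 when the portfolio holds no mission-critical apps."""
    mc = [r for r in results.values() if r.tier == "mission_critical"]
    if not mc:
        return 1.0
    return sum(r.passed for r in mc) / len(mc)


# Constructed sample portfolio (app -> risk tier) and scan findings.
PORTFOLIO = {
    "payments": "mission_critical",
    "customer-portal": "mission_critical",
    "intranet-wiki": "low",
}
FINDINGS = [
    Finding("payments", "high", "SQL Injection"),
    Finding("payments", "critical", "Hardcoded Password", status="fixed"),
    Finding("customer-portal", "medium", "Cross-Site Scripting"),
    Finding("intranet-wiki", "critical", "Path Manipulation"),
    Finding("intranet-wiki", "high", "Weak Cryptographic Hash", status="accepted"),
]

if __name__ == "__main__":
    results = run_portfolio(PORTFOLIO, FINDINGS)
    for r in results.values():
        print(f"{r.app:16} {r.tier:20} {'PASS' if r.passed else 'FAIL'} {r.violations}")
    print(f"Mission-critical apps passing the gate: {kpi_mission_critical_clean(results):.0%}")
```

With the sample data, "payments" fails on one open high finding while the low-tier wiki passes despite an open critical, which is exactly the "keep findings in perspective" point from slide 10: the same finding means different things in different parts of a risk-ranked portfolio. The KPI reports 50% of mission-critical apps clean, a number that moves only when the objective (risk in mission-critical applications) moves.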
- 36.
Measure thoughtfully
Building Security In
• Only choose metrics and construct KPIs that show progress toward meeting the objectives; nothing else
- 37.
Building Security In: Lessons Learned
Awareness, Education and Training
• Complex problems with complex solutions
• All organizational levels must be made aware of the risks associated with software vulnerabilities
• No education / training == unmet expectations
- 38.
Building Security In: Lessons Learned
Clear Communication Regarding Security
• Before assessment, establish policies and set expectations
• Ensure that policies and expectations are communicated to all stakeholders
• Consistently enforce policies and measure expectation achievement
- 39.
Building Security In: Lessons Learned
Software Security is a Unique Skill Set
• Network Security / Information Assurance people are not software security people
• Development background is a necessity
• Even with a development background, extensive training and experience is needed
- 40.
Building Security In: Lessons Learned
Software Security is a Unique Skill Set (continued)
• Developers should NOT be expected to be security experts
- 41.
Summary
Managing risk in the face of digital transformation
• Work to gain and maintain executive-level support
• Develop security goals, strategy & objectives
• Train staff to comply with policy
• Use technology appropriately
• Measure, report, adjust
- 42.
Thank you
hp.com/go/fortifyssa
Bruce C Jenkins
bcj@hpe.com