Application development in today's day and age involves building scalable and reliable software in an agile manner. The challenge is to incorporate security controls without throttling down the speed of application delivery. Individual activities like threat modeling, static code analysis and penetration testing, although they add value, are currently performed in silos.
Product and security engineering teams need to leverage these piecemeal activities and bring them under one robust framework - the Software Security Initiative (SSI).
This webinar on the Software Security Initiative aims to create awareness of what constitutes an SSI, the various security gates and their corresponding integration points in the application development lifecycle, and how companies can benefit by adopting a software security initiative to continuously assess their security posture and maturity over time. The webinar also covers some of the most popular Secure SDLC frameworks, such as BSIMM and OpenSAMM, and how companies stand to gain by adopting whichever of these frameworks works best for them.
2. AGENDA
➤ What is a Software Security Initiative?
➤ Objectives & Benefits of a Software Security Initiative
➤ The 1-2-3 of Software Security Initiative implementation
➤ Types of Software Security Frameworks
➤ Questions
3. PRODUCT ENGINEERING TODAY
➤ Agile Product Engineering
➤ Accelerated Deployment - Advent of DevOps
➤ Micro-services and Serverless Architecture
➤ Dependence on Third Party Libraries
➤ Automation Testing - Functional and Performance
4. CURRENT STATE OF APPSEC
➤ AppSec Testing = Manual Pen-testing (and/or) Code Review
➤ Threat Modelling (???)
➤ Regressing security issues across releases
➤ Increased time to fix security vulnerabilities
➤ Lack of metrics to measure Software Security
8. EVERY SECURITY ENGINEERING TEAM
➤ Penetration Tests
➤ Threat Modeling
➤ Infra Sweeps
➤ Adhering to Compliance
➤ Training
➤ Security Automation
➤ Design Review
➤ Code Review
➤ Secure Coding Guidelines
➤ Security Toolchain
➤ Bug Bounty Program
➤ SAST
➤ DAST
➤ Architecture Review
➤ DevSecOps
➤ Risk Assessment
➤ Security Governance
➤ Server Hardening
➤ Security Regressions
➤ Vulnerability Assessments
➤ Vulnerability Correlation
9. SOFTWARE SECURITY INITIATIVE (SSI)
“Collection of activities that Measure, Maintain and Improve the state of Software Security”
10. OBJECTIVES
➤ Drive software security through shared ownership across teams
➤ Build a culture of software security awareness
➤ Equip teams to increase their “secure product throughput”
➤ Measure and Communicate success of building secure software
➤ Security -> Cost Center to Revenue Center
13. PLAN
➤ Gather Historical / Current State Data
➤ Organize Your Tool Chest
➤ Application : Team Mapping
➤ Identify Training Needs
➤ Identify Security Gates
➤ Ascertain Compliance / Legal Objectives
➤ Establish SSI Governance
[Diagram: input sources (Incident Reports, Assessment Reports, GA Reports) from Dev / Ops / QA; security gates (SAST, DAST, Dependency Checks) along the pipeline stages Commit, Builds, Deploy, Prod]
19. A QUICK COMPARISON
➤ OpenSAMM
  ➤ Business Functions - 4
  ➤ Security Practices - 12
  ➤ Activities - 72
  ➤ Maturity Levels - 3
  ➤ Scoring
    ➤ Each practice area gets a score from 0.00 - 3.00
    ➤ Scores are calculated from the answers for each activity across all maturity levels
  ➤ Metrics
    ➤ Spider chart
    ➤ Roadmap projections
➤ BSIMM8
  ➤ Domains - 4
  ➤ Practice Areas - 12
  ➤ Activities - 113
  ➤ Maturity Levels - 3
  ➤ Scoring Method
    ➤ Performed activities are scored with 1
    ➤ No score for activities that are not performed
  ➤ Metrics
    ➤ Spider charts - within each practice, the performed activity with the highest maturity level is taken as the high water mark
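As an added illustration of the two scoring methods compared above (example code written for this page, not part of the original deck or of either framework's official tooling): the practice names and activity ids are constructed placeholders, and the OpenSAMM-style 0.00 to 3.00 score uses an assumed simplification, the sum of per-level completion fractions, rather than SAMM's official formula. The last function shows a caveat of high-water-mark spider charts: they hide lower-level activities that are not performed.

```python
from collections import defaultdict

# Constructed sample assessment: (practice, maturity level, activity id, performed?)
# Practice names and activity ids are placeholders, not real BSIMM/SAMM identifiers.
OBSERVATIONS = [
    ("Code Review", 1, "CR1.1", True),
    ("Code Review", 1, "CR1.2", False),
    ("Code Review", 2, "CR2.1", True),
    ("Code Review", 3, "CR3.1", True),
    ("Training",    1, "T1.1",  True),
    ("Training",    2, "T2.1",  False),
    ("Training",    3, "T3.1",  False),
]

def bsimm_score(obs):
    """BSIMM-style scoring: every performed activity scores 1, others score nothing."""
    return sum(1 for _, _, _, done in obs if done)

def bsimm_high_water_marks(obs):
    """Per practice, the highest maturity level of any performed activity
    (the value a BSIMM-style spider chart plots)."""
    hwm = defaultdict(int)
    for practice, level, _, done in obs:
        if done:
            hwm[practice] = max(hwm[practice], level)
    return dict(hwm)

def samm_style_score(obs):
    """Assumed simplification of OpenSAMM scoring (not the official formula):
    per practice, sum over levels 1-3 of the fraction of that level's
    activities performed, which yields a score between 0.00 and 3.00."""
    per_level = defaultdict(lambda: defaultdict(list))
    for practice, level, _, done in obs:
        per_level[practice][level].append(done)
    scores = {}
    for practice, levels in per_level.items():
        total = 0.0
        for level in (1, 2, 3):
            answers = levels.get(level, [])
            if answers:
                total += sum(answers) / len(answers)
        scores[practice] = round(total, 2)
    return scores

def gaps_below_high_water_mark(obs):
    """Unperformed activities sitting below a practice's high water mark:
    a chart that plots only the high water mark does not reveal these."""
    hwm = bsimm_high_water_marks(obs)
    return sorted(aid for practice, level, aid, done in obs
                  if not done and level < hwm.get(practice, 0))
```

Running the functions over the sample shows Code Review at a high water mark of 3 while its level-1 activity CR1.2 is missing, which is exactly the gap the SAMM-style fractional score (2.5 rather than 3.0) surfaces.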
23. TO SUM IT ALL UP
➤ PLAN - Prepare to Kick Start / Improve your SSI
➤ DO - Take Control and Implement your SSI
➤ CHECK - Measure Success of your SSI
➤ ACT - Identify Continuous Improvements of your SSI
24. BEFORE WE END…
➤ Having trouble mapping security, compliance, legal, risk mandates?
➤ Have product releases been blocked or delayed owing to open security issues?
➤ Realise security is important, but just not able to catch up with deployments?
➤ Had trouble optimising / securing additional security budgets?
➤ You know you’ve done some great stuff on the security front, but just can’t convince your customers?