INTRODUCTION TO SOFTWARE SECURITY INITIATIVE
Sudarshan Narayanan
1
AGENDA
➤ What is a Software Security Initiative?
➤ Objectives & Benefits of a Software Security Initiative
➤ The 1-2-3 of Software Security Initiative implementation
➤ Types of Software Security Frameworks
➤ Questions
2
PRODUCT ENGINEERING TODAY
➤ Agile Product Engineering
➤ Accelerated Deployment - Advent of DevOps
➤ Micro-services and Serverless Architecture
➤ Dependence on Third Party Libraries
➤ Automation Testing - Functional and Performance
3
CURRENT STATE OF APPSEC
➤ AppSec Testing = Manual Pen-testing (and/or) Code Review
➤ Threat Modelling (???)
➤ Regressing security issues across releases
➤ Increased time to fix security vulnerabilities
➤ Lack of metrics to measure Software Security
4
IN SHORT…..
5
WHAT IS A SOFTWARE SECURITY INITIATIVE??
6
7
AN ADDITIONAL 20 HOURS A WEEK?
EVERY SECURITY ENGINEERING TEAM
8
➤ Penetration Tests
➤ Threat Modeling
➤ Infra Sweeps
➤ Adhering to Compliance
➤ Training
➤ Security Automation
➤ Design Review
➤ Code Review
➤ Secure Coding Guidelines
➤ Security Toolchain
➤ Bug Bounty Program
➤ SAST
➤ DAST
➤ Architecture Review
➤ DevSecOps
➤ Risk Assessment
➤ Security Governance
➤ Server Hardening
➤ Security Regressions
➤ Vulnerability Assessments
➤ Vulnerability Correlation
SOFTWARE SECURITY INITIATIVE (SSI)
“Collection of activities that Measure, Maintain and Improve the state of Software Security”
9
OBJECTIVES
➤ Drive software security through shared ownership across teams
➤ Build a culture of software security awareness
➤ Equip teams to increase their “secure product throughput”
➤ Measure and Communicate success of building secure software
➤ Security -> Cost Center to Revenue Center
10
THE 1-2-3-4 OF AN SSI
11
STEP 1 - PLAN
12
➤ GATHER HISTORICAL / CURRENT STATE DATA
➤ ORGANIZE YOUR TOOL CHEST
➤ APPLICATION : TEAM MAPPING
➤ IDENTIFY TRAINING NEEDS
➤ IDENTIFY SECURITY GATES
➤ ASCERTAIN COMPLIANCE / LEGAL OBJECTIVES
➤ ESTABLISH SSI GOVERNANCE
[PLAN diagram: inputs (Incident Reports, Assessment Reports, GA Reports) and security checks (SAST, Dependency Checks, DAST) placed along the Dev / Ops / QA pipeline stages Commit, Builds, Deploy, Prod]
13
STEP 2 - DO
14
➤ TOOLCHAIN IMPLEMENTATION
➤ ENHANCE EXISTING AUTOMATION
➤ BUILD INTERNAL CAPABILITY (TRAINING)
➤ SIG COLLABORATIONS
➤ TRANSCEND BEYOND PEN TESTS
➤ ENFORCE SECURITY GATES
[DO diagram: QA Scripts + DAST, Exploit Scripts, Threat Modeling, Infra Audits, Config Checks, Code Reviews]
15
STEP 3 - CHECK
16
CHOOSE FRAMEWORK (CHECK)
➤ BSIMM
➤ OpenSAMM
17
BSIMM VS OPENSAMM
(Slight deviation….but it's worth it, guys!)
18
A QUICK COMPARISON
➤ OpenSAMM
    ➤ Business Functions - 4
    ➤ Security Practices - 12
    ➤ Activities - 72
    ➤ Maturity Levels - 3
    ➤ Scoring
        ➤ Each practice area gets a score from 0.00 - 3.00
        ➤ Scores are calculated from the answers for each activity across all maturity levels.
    ➤ Metrics
        ➤ Spider chart
        ➤ Roadmap projections
➤ BSIMM8
    ➤ Domains - 4
    ➤ Practice Areas - 12
    ➤ Activities - 113
    ➤ Maturity Levels - 3
    ➤ Scoring Method
        ➤ Performed activities are scored with 1
        ➤ No score for activities that are not performed
    ➤ Metrics
        ➤ Spider charts - the highest-maturity activity performed is taken as the high water mark
19
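As an added worked example (not from the deck and not either framework's official toolkit), the Python below scores one constructed set of assessment answers both ways: an OpenSAMM-style 0.00-3.00 practice score built from graded answers across the three maturity levels, and a BSIMM-style count of performed activities plus the high-water-mark level. The answer weights, the "performed" threshold and the practice/activity labels are assumptions made for the illustration.

```python
"""Score one set of assessment answers OpenSAMM-style and BSIMM-style.

Added illustration; the weights and labels below are assumptions, not the
published scoring rules of either framework.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed graded answer weights for the OpenSAMM-style score. The deck only
# says answers across all maturity levels are combined into a 0.00-3.00
# practice score, so this mapping is illustrative.
ANSWER_WEIGHT = {"no": 0.0, "few": 0.25, "half": 0.5, "most": 1.0, "yes": 1.0}
MATURITY_LEVELS = (1, 2, 3)  # both frameworks use three levels (per the deck)


@dataclass(frozen=True)
class Answer:
    practice: str   # practice area, e.g. "Security Testing"
    level: int      # maturity level of the activity, 1..3
    activity: str   # activity identifier (constructed labels below)
    answer: str     # one of the ANSWER_WEIGHT keys


def _group(answers):
    """practice -> level -> list of (activity, weight); validates input."""
    grouped = defaultdict(lambda: defaultdict(list))
    for a in answers:
        if a.level not in MATURITY_LEVELS:
            raise ValueError(f"{a.activity}: maturity level must be 1..3, got {a.level}")
        key = a.answer.lower()
        if key not in ANSWER_WEIGHT:
            raise ValueError(f"{a.activity}: unknown answer {a.answer!r}")
        grouped[a.practice][a.level].append((a.activity, ANSWER_WEIGHT[key]))
    return grouped


def opensamm_scores(answers):
    """Per practice: average weight of each level's answers, summed over the
    three levels, giving a score in 0.00..3.00 (rounded to two decimals)."""
    scores = {}
    for practice, levels in _group(answers).items():
        total = 0.0
        for level in MATURITY_LEVELS:
            weights = [w for _, w in levels.get(level, [])]
            if weights:
                total += sum(weights) / len(weights)
        scores[practice] = round(total, 2)
    return scores


def bsimm_scores(answers):
    """Per practice: number of performed activities (1 point each, nothing for
    unperformed) and the high water mark, i.e. the highest level at which at
    least one activity is performed. Assumption: an activity counts as
    performed only when its answer weighs 1.0 ("most" / "yes")."""
    scores = {}
    for practice, levels in _group(answers).items():
        performed = 0
        high_water_mark = 0
        for level in MATURITY_LEVELS:
            done = [act for act, w in levels.get(level, []) if w >= 1.0]
            performed += len(done)
            if done:
                high_water_mark = level
        scores[practice] = {"performed": performed, "high_water_mark": high_water_mark}
    return scores


def compare(answers):
    """Side-by-side view per practice: the numbers behind a spider chart."""
    samm = opensamm_scores(answers)
    bsimm = bsimm_scores(answers)
    return {p: {"opensamm": samm[p], **bsimm[p]} for p in samm}


# Constructed sample assessment: two practice areas, activity labels made up.
SAMPLE_ANSWERS = [
    Answer("Security Testing", 1, "ST1.1", "yes"),
    Answer("Security Testing", 1, "ST1.2", "half"),
    Answer("Security Testing", 2, "ST2.1", "most"),
    Answer("Security Testing", 2, "ST2.2", "no"),
    Answer("Security Testing", 3, "ST3.1", "few"),
    # Code Review: level 1 and 2 activities skipped, one level 3 activity done.
    Answer("Code Review", 1, "CR1.1", "no"),
    Answer("Code Review", 1, "CR1.2", "no"),
    Answer("Code Review", 2, "CR2.1", "no"),
    Answer("Code Review", 3, "CR3.1", "yes"),
]

if __name__ == "__main__":
    for practice, row in compare(SAMPLE_ANSWERS).items():
        print(f"{practice:18} OpenSAMM={row['opensamm']:.2f}  "
              f"BSIMM performed={row['performed']} "
              f"high water mark={row['high_water_mark']}")
```

The Code Review row shows the caveat a practitioner should keep in mind: a single performed level-3 activity yields a high water mark of 3, while the OpenSAMM-style score for the same answers stays at 1.00, so the two spider charts can tell different stories about the same team.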
CHOOSE FRAMEWORK
➤ PERFORMANCE ANALYSIS
➤ SECURITY ASSESSMENT DATA
➤ COMPLIANCE AUDIT DATA
➤ DEFECT TRIAGE
[CHECK diagram: BSIMM, OpenSAMM]
20
STEP 4 - ACT
21
➤ EVOLVE USING FRAMEWORKS
➤ MITIGATION ROADMAP
➤ RESPOND TO CHANGES
➤ PROJECT MANAGEMENT TOOL - SSI
22
ACT
TO SUM IT ALL UP
23
➤ PLAN - Prepare to Kick Start / Improve your SSI
➤ DO - Take Control and Implement your SSI
➤ CHECK - Measure Success of your SSI
➤ ACT - Identify Continuous Improvements of your SSI
BEFORE WE END…
➤ Having trouble mapping security, compliance, legal, risk mandates?
➤ Have product releases been blocked or delayed owing to open security issues?
➤ Realise security is important, but just not able to catch up with deployments?
➤ Had trouble optimising / securing additional security budgets?
➤ You know you’ve done some great stuff on the security front, but just can’t convince your customers?
24
25
SSI FOR THE WIN!
OPEN HOUSE
Questions, clarifications, et al.….
26