Implementation Patterns for Software Security Programs

Dan Cornell
@danielcornell




© Copyright 2013 Denim Group - All Rights Reserved
Denim Group Background
 •  Professional services firm that builds & secures enterprise applications
         –  External application assessments
                  •  Web, mobile, and cloud
         –  Software development lifecycle (SDLC) consulting
 •  Classroom and e-Learning for PCI compliance
 •  Secure development services:
         –  Secure .NET and Java application development
         –  Post-assessment remediation
 •  Deep penetration in Energy, Financial Services, Banking, Insurance,
    Healthcare and Defense market sectors
 •  Customer base spans Fortune 500
 •  Contributes to industry best practices through the Open Web
    Application Security Project (OWASP)

Dan Cornell
    •  Dan Cornell, founder and CTO of Denim Group

    •  Software developer by background
       (Java, .NET, etc)

    •  OWASP San Antonio

    •  15 years experience in software architecture,
       development and security

    •  Heads Denim Group’s application security
       team

Agenda
 •  What Makes a Successful Software Security Program?
         –  Key commonalities
 •  Software Security Program Implementations
         –  Approaches
         –  Customization
         –  Considerations
 •  Three Example Program Activities
         –  Security Testing
         –  Code Review
         –  Education and Guidance
 •  Selecting What Works for your Organization




Successful Software Security Programs
 •  Common Goal
         –  Reduce Risk by…
                  •  Reliably Creating Acceptably Secure Software



 •  Obligatory “People, Process, Technology” Reference
         –  Anybody got a good Sun Tzu quote?
         –  I’d settle for a von Clausewitz…


 •  Common Activities
         –  Implementation must be tied to the specific organization




Software Assurance Maturity Model (OpenSAMM)
 •  Open framework to help organizations formulate and implement a
    strategy for software security that is tailored to the specific risks facing
    the organization

 •  Useful for:
         –  Evaluating an organization’s existing software security practices
         –  Building a balanced software security program in well-defined iterations
         –  Demonstrating concrete improvements to a security assurance program
         –  Defining and measuring security-related activities within an organization


 •  Main website:
         –  http://www.opensamm.org/


SAMM Business Functions


 •  Start with the core activities
    tied to any organization
    performing software
    development
 •  Named generically, but
    should resonate with any
    developer or manager

This slide content © Pravir Chandra



SAMM Security Practices
 •  From each of the Business Functions, three Security Practices are defined
 •  The Security Practices cover all areas relevant to software security
    assurance
 •  Each one is a silo for improvement

This slide content © Pravir Chandra



Check Out This One...




This slide content © Pravir Chandra



Program Implementation
 •  Approaches

 •  Customization

 •  Considerations




Approaches
 •     Automated vs. Manual
 •     Depth-First vs. Breadth-First
 •     Centralized vs. Distributed
 •     Top-Down vs. Bottom-Up
 •     SaaS vs. On-Premise
 •     In-House vs. Outsourced

 •  All of the Above (and More)




Organizational Fit
 •  Not “One Size Fits All”
         –  What Are the Threats to Your Organization?
         –  How Much of an Executive Mandate Do You Have?
         –  How Much Risk Are You Willing (Or Going) to Bear?


 •  Differences Across Industries
         –  Financial Services Firms Do This Differently Than Energy Sector
         –  Different Threats, Different Regulatory Environment


 •  Differences Within Industries
         –  Oilfield Services versus Mid-majors
         –  Banks versus Credit Unions


Holdings

[Chart: Total Assets for Top Holding Companies, horizontal bars on a $0 to $2,500,000,000 scale, ranked 1–20: JPMorgan Chase, Bank of America, Citigroup, Wells Fargo, Goldman Sachs Group, MetLife, Morgan Stanley, U.S. Bancorp, Bank of New York Mellon, HSBC, PNC Financial Services Group, Capital One, TD Bank, State Street Corporation, Ally Financial, BB&T Corporation, SunTrust Banks, Principal Financial Group, American Express, Ameriprise Financial]
Considerations
 •  Raw Budget Constraints

 •  Organizational Structure

 •  Regulatory and Compliance Mandates

 •  Culture and Risk Appetite

 •  Leadership Buy-in




Patterns and Anti-Patterns
 •  Every Organization is Different
         –  But there are commonalities


 •  Similar approaches
         –  Some good
         –  Some … less good


 •  Do you know the “right” thing to do?
 •  Are you doing it?
         –  If not – why not?




Example Program Activities
 •  Take Three Common Activities from OpenSAMM

 •  Security Testing
 •  Code Review
 •  Education and Guidance




Examples of Activities
 •  Security Testing
         –  Recurring dynamic scanning
         –  Manual penetration tests


 •  Code Review
         –  Automated static analysis
         –  Manual security code review


 •  Education and Guidance
         –  Instructor-led training for developers
         –  e-Learning
         –  Develop and publish “Top 10” list for developers



Security Testing
 •  Also known as “black box testing” and “penetration testing”

 •  Testing the security of a running system
         –  Automated scanners help
         –  But don’t forget the manual component


 •  As with any testing activity
         –  How frequently?
         –  How thorough?




Security Testing: Anti-Patterns
 •  “Dude with a scanner” approach
         –  Can also be implemented as the
            “lady with a scanner” approach


 •  “SaaS and forget” approach




Security Testing: Better Patterns
 •  Deep Assessment of Critical
    Applications
         –  Automated scanning, manual
            scan review and assessment


 •  Breadth-First Scanning
         –  You want a scanning program,
            not a scanner


 •  Understand that security testing
    is a means to an end
         –  Not an end in and of itself
         –  Start of vulnerability management
Code Review
 •  Also known as “static analysis”

 •  Again – scanners are great, but
    manual review and assessment
    are required for depth

 •  Code review can be (is)
    complicated
         –  Often more so than dynamic
            security testing
         –  Clean scans, false positives,
            prioritization…


Code Review: Anti-Patterns
 •  “Dude with a scanner” approach (redux)
         –  Can still be implemented as the “lady with a scanner” approach
         –  Even worse for code review because source code (or binary) access is required


 •  “I’m sure the developers are taking care of this”
         –  “They’re using [FindBugs|PMD|XYZ tool]”




Code Review: Better Patterns
 •  Key Questions:
         –  Who runs the scan?
         –  What do you do with the results?


 •  Centralized Code Review Group
         –  Helps if you have a mandate and/or the ability to block applications from production


 •  Deploy to Developer Desktops
         –  Can be great for certain organizations, but…
         –  Many potential pitfalls and hidden costs here




Education and Guidance
 •  It is really hard to hold developers to a standard if you have not
    communicated that standard to them and provided guidance on how
    they can meet that standard
         –  Only fair…


 •  Can take a variety of forms
         –  Instructor-led training (ILT)
         –  e-Learning
         –  Lunch and learns
         –  Mentoring
         –  Knowledge bases




Education and Guidance: Anti-Patterns
 •  “Email a link to OWASP” approach
         –  Site is www.owasp.org by the way
         –  OWASP is great, but…


 •  “I made you all a Powerpoint”

 •  “Cattle car” instructor-led training

 •  Fire and forget e-Learning




Education and Guidance: Better Patterns
 •  Informal approaches can have value
         –  But that is not a training program
         –  Best used to identify staff with a special interest in security


 •  e-Learning for everyone
         –  Make it part of their bonus or annual evaluation


 •  Instructor-led training for “mavens”
         –  Provide context, link to their roles and responsibilities


 •  Technology- and role-specific guidance
         –  Do not force developers to think


Where Do We Go From Here?
 •  Evaluate where you are

 •  Determine the next
    plateau you want to reach

 •  Make a plan to get there
    (that works for your
    organization)



Questions / Contact Information
  Dan Cornell
  Principal and CTO
  dan@denimgroup.com
  Twitter @danielcornell
  (210) 572-4400

  www.denimgroup.com
  blog.denimgroup.com




[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 

Dernier (20)

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 

Implementation Patterns For Software Security Programs

1. Implementation Patterns for Software Security Programs
   Dan Cornell
   @danielcornell
© Copyright 2013 Denim Group - All Rights Reserved

2. Denim Group Background
 •  Professional services firm that builds and secures enterprise applications
         –  External application assessments
                  •  Web, mobile, and cloud
         –  Software development lifecycle (SDLC) consulting
 •  Classroom and e-Learning for PCI compliance
 •  Secure development services:
         –  Secure .NET and Java application development
         –  Post-assessment remediation
 •  Deep penetration in Energy, Financial Services, Banking, Insurance, Healthcare and Defense market sectors
 •  Customer base spans Fortune 500
 •  Contributes to industry best practices through the Open Web Application Security Project (OWASP)

3. Dan Cornell
 •  Dan Cornell, founder and CTO of Denim Group
 •  Software developer by background (Java, .NET, etc.)
 •  OWASP San Antonio
 •  15 years experience in software architecture, development and security
 •  Heads Denim Group's application security team

4. Agenda
 •  What Makes a Successful Software Security Program?
         –  Key commonalities
 •  Software Security Program Implementations
         –  Approaches
         –  Customization
         –  Considerations
 •  Three Example Program Activities
         –  Security Testing
         –  Code Review
         –  Education and Guidance
 •  Selecting What Works for your Organization

5. Successful Software Security Programs
 •  Common goal
         –  Reduce risk by reliably creating acceptably secure software
 •  Obligatory "People, Process, Technology" reference
         –  Anybody got a good Sun Tzu quote?
         –  I'd settle for a von Clausewitz...
 •  Common activities
         –  Implementation must be tied to the specific organization
6. Software Assurance Maturity Model (OpenSAMM)
 •  Open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization
 •  Useful for:
         –  Evaluating an organization's existing software security practices
         –  Building a balanced software security program in well-defined iterations
         –  Demonstrating concrete improvements to a security assurance program
         –  Defining and measuring security-related activities within an organization
 •  Main website:
         –  http://www.opensamm.org/

7. SAMM Business Functions
 •  Start with the core activities tied to any organization performing software development
 •  Named generically, but should resonate with any developer or manager
 This slide content © Pravir Chandra

8. SAMM Security Practices
 •  From each of the Business Functions, three Security Practices are defined
 •  The Security Practices cover all areas relevant to software security assurance
 •  Each one is a silo for improvement
 This slide content © Pravir Chandra

9. Check Out This One...
 (diagram slide: the SAMM business functions and security practices, with the three practices used in the examples below called out)
 This slide content © Pravir Chandra
10. Program Implementation
 •  Approaches
 •  Customization
 •  Considerations

11. Approaches
 •  Automated vs. Manual
 •  Depth-First vs. Breadth-First
 •  Centralized vs. Distributed
 •  Top-Down vs. Bottom-Up
 •  SaaS vs. On-Premise
 •  In-House vs. Outsourced
 •  All of the above (and more), usually in combination

12. Organizational Fit
 •  Not "one size fits all"
         –  What are the threats to your organization?
         –  How much of an executive mandate do you have?
         –  How much risk are you willing (or going) to bear?
 •  Differences across industries
         –  Financial services firms do this differently than the energy sector
         –  Different threats, different regulatory environment
 •  Differences within industries
         –  Oilfield services versus mid-majors
         –  Banks versus credit unions

13. Total Assets for Top Holding Companies
 (bar chart of total assets for the 20 largest U.S. financial holding companies, illustrating how much organizations within one industry differ in size: 1 JPMorgan Chase, 2 Bank of America, 3 Citigroup, 4 Wells Fargo, 5 Goldman Sachs Group, 6 MetLife, 7 Morgan Stanley, 8 U.S. Bancorp, 9 Bank of New York Mellon, 10 HSBC, 11 PNC Financial Services Group, 12 Capital One, 13 TD Bank, 14 State Street Corporation, 15 Ally Financial, 16 BB&T Corporation, 17 SunTrust Banks, 18 Principal Financial Group, 19 American Express, 20 Ameriprise Financial)

14. Considerations
 •  Raw budget constraints
 •  Organizational structure
 •  Regulatory and compliance mandates
 •  Culture and risk appetite
 •  Leadership buy-in

15. Patterns and Anti-Patterns
 •  Every organization is different
         –  But there are commonalities
 •  Similar approaches
         –  Some good
         –  Some ... less good
 •  Do you know the "right" thing to do?
 •  Are you doing it?
         –  If not, why not?
16. Example Program Activities
 •  Take three common activities from OpenSAMM
 •  Security Testing
 •  Code Review
 •  Education and Guidance

17. Examples of Activities
 •  Security Testing
         –  Recurring dynamic scanning
         –  Manual penetration tests
 •  Code Review
         –  Automated static analysis
         –  Manual security code review
 •  Education and Guidance
         –  Instructor-led training for developers
         –  e-Learning
         –  Develop and publish a "Top 10" list for developers

18. Security Testing
 •  Also known as "black box testing" and "penetration testing"
 •  Testing the security of a running system
         –  Automated scanners help
         –  But don't forget the manual component: scanners miss authorization and business-logic flaws
 •  As with any testing activity
         –  How frequently?
         –  How thorough?

19. Security Testing: Anti-Patterns
 •  "Dude with a scanner" approach
         –  Can also be implemented as the "lady with a scanner" approach
 •  "SaaS and forget" approach

20. Security Testing: Better Patterns
 •  Deep assessment of critical applications
         –  Automated scanning, manual scan review and assessment
 •  Breadth-first scanning
         –  You want a scanning program, not a scanner
 •  Understand that security testing is a means to an end
         –  Not an end in and of itself
         –  It is the start of vulnerability management: findings have to be tracked, prioritized and driven to remediation

21. Code Review
 •  Also known as "static analysis" (strictly, automated static analysis is one form of code review)
 •  Again, scanners are great, but manual review and assessment are required for depth
 •  Code review can be (is) complicated
         –  Often more so than dynamic security testing
         –  Clean scans, false positives, prioritization...

22. Code Review: Anti-Patterns
 •  "Dude with a scanner" approach (redux)
         –  Can still be implemented as the "lady with a scanner" approach
         –  Even worse for code review because source code (or binary) access is required
 •  "I'm sure the developers are taking care of this"
         –  "They're using [FindBugs|PMD|XYZ tool]"

23. Code Review: Better Patterns
 •  Key questions:
         –  Who runs the scan?
         –  What do you do with the results?
 •  Centralized code review group
         –  Helps if you have a mandate and/or the ability to block applications from production
 •  Deploy to developer desktops
         –  Can be great for certain organizations, but...
         –  Many potential pitfalls and hidden costs here
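The slides on security testing (scanning as "the start of vulnerability management") and on code review ("clean scans, false positives, prioritization" and "what do you do with the results?") describe the step that turns scanner output into a program but do not show it. The following is an added example, not code from the deck or from Denim Group: it normalizes findings, carries an earlier false-positive decision forward to the next scan so it is not re-triaged, ranks what remains by severity and application criticality, and refuses to call an empty, unauthenticated, low-coverage scan "clean". The finding format, the tier names, the coverage threshold and all sample findings are constructed for the example.

```python
"""Added example (not from the deck): first step of vulnerability management
on top of dynamic or static scanner output. Finding format, portfolio tiers,
MIN_COVERAGE and the sample scans are assumptions made for the example."""
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple

SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1, "info": 0}
TIER_WEIGHT = {"tier1": 3, "tier2": 2, "tier3": 1}  # assumed portfolio tiers
MIN_COVERAGE = 0.5  # assumed: a DAST crawl below this share of known URLs is inconclusive


@dataclass(frozen=True)
class Finding:
    tool: str       # "dast" or "sast"
    cwe: int        # CWE id, the vocabulary both tool types share
    location: str   # URL path (DAST) or source file (SAST)
    detail: str     # parameter name (DAST) or sink expression (SAST); stabler than a line number
    severity: str


FindingKey = Tuple[str, int, str, str]


def finding_key(f: Finding) -> FindingKey:
    """Identity used both for dedupe and for carrying triage decisions between scans."""
    return (f.tool, f.cwe, f.location, f.detail)


def dedupe(findings: Iterable[Finding]) -> Dict[FindingKey, Finding]:
    """Collapse repeats of the same issue, keeping the highest severity reported."""
    merged: Dict[FindingKey, Finding] = {}
    for f in findings:
        k = finding_key(f)
        if k not in merged or SEVERITY_WEIGHT[f.severity] > SEVERITY_WEIGHT[merged[k].severity]:
            merged[k] = f
    return merged


def priority(f: Finding, tier: str) -> int:
    """Severity weighted by how critical the application is to the business."""
    return SEVERITY_WEIGHT[f.severity] * TIER_WEIGHT[tier]


def scan_is_conclusive(meta: dict) -> bool:
    """An empty result only means something if the scanner actually saw the application."""
    if meta["tool"] == "sast":
        return meta.get("files_parsed", 0) > 0 and meta.get("parse_errors", 0) == 0
    covered = meta["urls_crawled"] / max(meta["urls_expected"], 1)
    return bool(meta["authenticated"]) and covered >= MIN_COVERAGE


def triage(findings: Iterable[Finding], meta: dict, suppressed: Set[FindingKey], tier: str) -> dict:
    """Return the scan status plus open findings ordered by priority (highest first)."""
    merged = dedupe(findings)
    open_findings = [f for k, f in merged.items() if k not in suppressed]
    open_findings.sort(key=lambda f: priority(f, tier), reverse=True)  # stable sort keeps ties in scan order
    if open_findings:
        status = "open"
    elif scan_is_conclusive(meta):
        status = "clean"
    else:
        status = "inconclusive"  # no findings, but the scan proves nothing
    return {"status": status, "open": open_findings, "suppressed": len(merged) - len(open_findings)}


# Constructed sample: two DAST scans of one tier-1 application, then an empty unauthenticated scan
SCAN1 = [
    Finding("dast", 79, "/search", "q", "medium"),        # reflected XSS
    Finding("dast", 89, "/orders", "id", "high"),         # SQL injection
    Finding("dast", 89, "/orders", "id", "critical"),     # same issue reported twice by the tool
    Finding("dast", 200, "/static/app.js", "", "info"),   # tool noise, marked false positive by a reviewer
]
SCAN1_META = {"tool": "dast", "authenticated": True, "urls_crawled": 180, "urls_expected": 200}
SUPPRESSED = {finding_key(Finding("dast", 200, "/static/app.js", "", "info"))}  # reviewer decision, kept across scans
SCAN2 = SCAN1[:2] + [
    Finding("dast", 200, "/static/app.js", "", "info"),   # reappears, but stays suppressed
    Finding("dast", 352, "/profile", "email", "medium"),  # new CSRF finding
]
EMPTY_META = {"tool": "dast", "authenticated": False, "urls_crawled": 3, "urls_expected": 200}


def demo() -> Dict[str, str]:
    """Status of the three constructed scans; see comments above for the expected outcome."""
    return {
        "scan1": triage(SCAN1, SCAN1_META, SUPPRESSED, "tier1")["status"],
        "scan2": triage(SCAN2, SCAN1_META, SUPPRESSED, "tier1")["status"],
        "scan3": triage([], EMPTY_META, set(), "tier1")["status"],
    }


if __name__ == "__main__":
    print(demo())
    for f in triage(SCAN2, SCAN1_META, SUPPRESSED, "tier1")["open"]:
        print(priority(f, "tier1"), f.cwe, f.location, f.detail)
```

The two points to take from this are the ones the slides make: the suppression set is the program, since a reviewer's false-positive decision must survive the next scan or the "dude with a scanner" re-triages the same noise every week, and an empty report from a scanner that never logged in is not a clean scan. A production tracker would key SAST findings more loosely than this exact match, because sink expressions and file paths also move as code is refactored.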
24. Education and Guidance
 •  It is really hard to hold developers to a standard if you have not communicated that standard to them and provided guidance on how they can meet it
         –  Only fair...
 •  Can take a variety of forms
         –  Instructor-led training (ILT)
         –  e-Learning
         –  Lunch-and-learns
         –  Mentoring
         –  Knowledge bases

25. Education and Guidance: Anti-Patterns
 •  "Email a link to OWASP" approach
         –  Site is www.owasp.org by the way
         –  OWASP is great, but...
 •  "I made you all a PowerPoint"
 •  "Cattle car" instructor-led training
 •  Fire-and-forget e-Learning

26. Education and Guidance: Better Patterns
 •  Informal approaches can have value
         –  But that is not a training program
         –  Best used to identify staff with a special interest in security
 •  e-Learning for everyone
         –  Make it part of their bonus or annual evaluation
 •  Instructor-led training for "mavens"
         –  Provide context, link to their roles and responsibilities
 •  Technology- and role-specific guidance
         –  Do not force developers to think: give them the secure pattern for their framework and role rather than general principles to work out on their own

27. Where Do We Go From Here?
 •  Evaluate where you are
 •  Determine the next plateau you want to reach
 •  Make a plan to get there (that works for your organization)

28. Questions / Contact Information
   Dan Cornell
   Principal and CTO
   dan@denimgroup.com
   Twitter @danielcornell
   (210) 572-4400
   www.denimgroup.com
   blog.denimgroup.com