Building an Organizational Application Security Competency
Dan Cornell, Denim Group, 4/24/09 | Session ID: PROF-401
Worst Class Kickoff … Ever
• Scenario: ½ day application security awareness class for all developers and architects
• Trainer: “What do you hope to get out of this class?”
• Student: “I’m only here because my boss made me come.”
• Trainer: “Amazing - me too!”
Agenda
Imperative for Internal Security Competency
Who and What?
Training Options
Putting It Together
Imperative for an Internal Security Competency
Application Security Competency
• You Can’t Bolt It On – You’re Going to Have To Build It In
• State of the Industry
You Can’t Bolt It On
• Security must be incorporated into the lifecycle
• Too expensive to fully outsource
• Must develop some degree of internal competency
State of the Industry
• Computer Science programs typically do not address security issues
• Compliance regimes require developers to be trained in security
– PCI DSS being the most specific
Who and What?
Who and What?
• Who needs to learn about application security?
• What do they need to know?
Who
• Executives
• Software Developers
• Quality Assurance
• Information Security
• IT Audit
Executives
• Business impact
• Compliance implications
Software Developers
• General background
• Security concepts
• Specific code and tool examples
Quality Assurance
• Already good at breaking things
• Incorporate negative testing into their practices
Information Security
• Often do not have modern software development backgrounds
• Threat modeling and other architectural approaches
IT Audit
• Often lacking modern software development experience
• How to link audit requirements to recommended activities and results?
Mapping Curriculum to Roles

Role                  Business Case  Introduction  Threat Modeling  Application Testing  Secure Coding
Executives            CRITICAL       IMPORTANT     USEFUL
Software Development                 IMPORTANT     IMPORTANT        IMPORTANT            CRITICAL
Quality Assurance                    IMPORTANT     IMPORTANT        CRITICAL
Information Security  IMPORTANT      IMPORTANT     IMPORTANT        IMPORTANT
IT Audit              IMPORTANT      IMPORTANT     IMPORTANT        USEFUL
Training Options
Training Options
• Background Materials
• Instructor-Led
– Informal Seminars – “Lunch and Learn”
– Classroom Training
• eLearning
Background Materials
• Create an environment where the curious can access the information they need
• OWASP: www.owasp.org
• WASC: www.webappsec.org
Informal Seminars
• Internal presentations to target audiences
• “Lunch and Learn”
• Pros
– Inexpensive
– Great starting point
• Cons
– Often ad hoc
– Not comprehensive
Classroom Training
• Formal classroom instruction
• Pros
– Can be hands-on
– Interaction with instructor is invaluable
• Cons
– Expensive and time-consuming
– Attrition
eLearning
• Self-paced, delivered electronically
• Pros
– Logistics are easy
– Can be done as-needed
• Cons
– No interaction with instructors
Putting It Together
Approach
• Understand your requirements
• Set the stage
• Train
• Maintain
• Report
Requirements
• Understand business goals and compliance requirements
• Enumerate software development groups and methodologies
Set the Stage
• Goal is to create a security-conscious culture
– Makes maintenance much easier
• Provide background materials and informal training
– Seminars/Lunch and Learns
– Use this to identify mavens
Mavens
• Highly-connected people
– The Tipping Point: Malcolm Gladwell
• Cultural leaders for development groups
• “Go-to” individuals, interested in security
Educate
• Instructor-Led Training
– Mavens
– Architects and Team Leads
• eLearning
– All relevant parties
– Tailored curriculum to role
Maintain
• Not a one-time activity
• Incrementally build a sustaining culture
• eLearning is invaluable here
• Training is not enough – must be linked to doing
Report
• Track activity:
– Who was trained
– Training materials
• Proactive reporting helps with compliance
Best Practices
Curriculum Best Practices
• Language-specific materials are key
• Link to tools used in your organization
• Provide guidance on what is and is not acceptable
Delivery Best Practices
• Demonstrate executive commitment
• Track success stories and use them to drive the culture
Apply
• Send free materials provided by OWASP and WASC to developers
• Run a series of informal seminars to provide background information on application security
• Identify one person on each development team to act as the application security maven
• Run one or more instructor-led training classes for key development staff
• Provide eLearning to all development staff
Questions
Dan Cornell
Email: [email protected]
Twitter: @danielcornell
Web: www.denimgroup.com
Blog: denimgroup.typepad.com
Facebook: www.denimgroup.com/facebook
Phone: (210) 572-4400
Reference Materials
• OWASP Top 10
– http://www.owasp.org/index.php/OWASP_Top_Ten_Project
• OWASP Education Project
– http://www.owasp.org/index.php/Category:OWASP_Education_Project
• OWASP University Membership
– https://www.owasp.org/index.php/Membership