OWASP Indonesia Day 2017
Suman Sourav, Director, DevSecOps, Vantage Point Security
VANTAGEPOINT
About me
• Certified Secure Software Lifecycle Professional (CSSLP)
• 12+ Years of Experience in Software Security
• Co-Founder of DevSecOps Singapore & DevSecCon Asia
• Speaker
  • IoT Asia
  • OWASP Singapore
  • DevOps Singapore
  • Jenkins Singapore
  • Security Conferences in USA, China
• Trained 4000+ developers and 1000+ QA
Indonesia Information Security
Vantage Point Security Confidential
Important numbers
Reference : https://www.pwc.com/id/en/publications/assets/assurance/Risk%20Assurance/gsiss-2017-web.pdf
Application Security Approach
Figure: SDLC phases (Requirements, Design, Develop, Test, UAT) annotated with SAST, DAST and Penetration Testing, plus a Remediation Cycle. Note on the figure: Security Requirements are missing.
Cost of Vulnerability Remediation
Chart: Relative Cost to fix, based on time of… (scale 0x to 35x), by phase: Requirements/Design, Coding, Integration Testing, Acceptance Testing, Production. "Penetration Testing" is marked on the chart.
Source: NIST
Agile Security
Source: NIST
Figure: Agile sprint cycle (Plan, Design, Develop, Test; labels: 1-4 Weeks, 24 hours) from Product Backlog to Sprint Backlog, with a Shippable Increment as output.
Security Training
Security Requirements
Security Activities:
• Threat Modelling
• Arch & Design Review
• Pairing
• Manual Security Tests
• Automatic Security Tests
• Security Feature Demo
• Security Acceptance Criteria
DevOps & SecOps
Diagram: DevOps vs SecOps. Caption: Lack of Security Orchestration & Automation in the SDLC. Labels: Rise of the Developer; Overburdened Security; Security Developer.
Major Challenges
• Shortage of Application Security Resources
• Lack of awareness in the organization
• Influences of technology vendors
• Slow adoption of security tools in the development environment
• Lack of education & training
• No application security dashboard
Time to Change Our Approach of Application Security
• Define Security Metrics for Application Security
• Build Internal Resources from Development Team
• Define the Application Security Technology Evaluation Process
• Build the DevSecOps Technology Roadmap
• Adoption of Cloud Security Solution
• Adoption of Security As a Service
What we need is DevSecOps
Diagram: DevSecOps as the overlap of Development, Operations, QA and SecOps; attributes: Customer Centric, Immediate Results, Automation, Scale, Agile.
90% of surveyed organizations are implementing or piloting DevOps, and 99% agree DevOps is an opportunity to improve application security, but only 20% are doing application security testing during development.
SecOps Needs to Shift Left
Key Elements
• People
  • Training
  • Role
• Process
  • Compliance
  • Certifications
• Technology
  • Security tools
  • Dev tools
People
Training Approach
• Culture Change
• Traditional Training
• Shorter Training Duration
• Integrated in IDE/ALM
• New Joinee Induction Training
• Product Manager: Secure SDLC, Security Requirements
• Architects: Secure Design Principles, Threat Modeling
• Developer: Secure Coding, SAST Tools
• QA: Security Testing, Dynamic Testing Tools
• Operation: Security Configurations, Secure Deployments
Secure Coding Training Program
Figure: Security Champion Development Roadmap in five levels (Level 1 to Level 5).
Software Security Group
Figure: Software Security Group (SSG) structure: SSG Lead, SSG, and Project Group 1 through Project Group N.
Software Security Group Roles & Responsibilities
SSG:
• Security Best Practices
• Security tournaments
• Secure Coding Training
• Security Policy
• Security Process
• Security Technologies
• Security Forum
• Security Events (Internal Conference)
• Security Hackathon
• Security Summits
Process
Appsec Program
Figure: Appsec program phases: Onboarding, Definition, Execution, Optimization. Program elements: Initial Communication, Assessments, Remediation, Application Portfolio, Program Oversight, Integrations, Reporting & Analytics.
ISO/IEC 27034
OpenSAMM
Technology
OWASP Appsec Pipeline Project
Application Security Execution from Left
Figure: security activities placed along the pipeline, from the Development Environment through the Code Repository and Build Server to the Deployment Server, with the ALM (Security Requirements) and feedback to Developers, QA and PM. Labels: IDE Plugin; Repository Scan; Nightly Scans; Dynamic Scans; SAST / Dependencies check; Incremental Report; False Positives; Custom Rules Set; DAST; Security Unit Test Cases generated from Threat Modelling; IAST; Immediate Feedback; Secure Coding Principles.
DevSecOps Orchestration
Figure: DevSecOps Orchestration. Pipeline: GitHub (Master, Branch1), Build Tools (Build: Compile, Test, Publish), Deploy Env (Deploy), with Open Source Libraries feeding the build.
DevSecOps Orchestration Platform activities, grouped by stage:
• Sec Requirements • Design Review • Threat Modelling
• Security Unit Tests • SAST • SCA
• DAST • IAST • VA
• Security as Code • RASP • NG WAF
Security As a Service
Vulnerability Normalization & Analytics