OWASP Indonesia Day 2017

Suman Sourav, Director of DevSecOps, Vantage Point Security


Page 1: OWASP Indonesia Day 2017 · implementing or piloting DevOps and 99% Agree DevOps is an opportunity to improve application security but only 20% Are doing application security testing

OWASP Indonesia Day 2017

Suman Sourav, Director of DevSecOps, Vantage Point Security

Page 2

VANTAGEPOINT

About me

• Certified Secure Software Lifecycle Professional (CSSLP)
• 12+ years of experience in software security
• Co-founder of DevSecOps Singapore & DevSecCon Asia
• Speaker at IoT Asia, OWASP Singapore, DevOps Singapore, Jenkins Singapore, and security conferences in the USA and China
• Trained 4000+ developers and 1000+ QA engineers

Page 3

Indonesia Information Security

Vantage Point Security Confidential

Page 4

Important numbers (figure)

Reference: https://www.pwc.com/id/en/publications/assets/assurance/Risk%20Assurance/gsiss-2017-web.pdf

Page 5

Important numbers (figure)

Reference: https://www.pwc.com/id/en/publications/assets/assurance/Risk%20Assurance/gsiss-2017-web.pdf

Page 6

Application Security Approach

Figure: a waterfall-style SDLC (REQUIREMENTS → DESIGN → DEVELOP → TEST → UAT). SAST, DAST and penetration testing all sit at the TEST/UAT end and feed a remediation cycle; nothing security-related is attached to the early phases, and security requirements are missing altogether.

Page 7

Cost of Vulnerability Remediation

Figure: bar chart of the relative cost to fix a defect by the phase in which it is found (scale 0x to 35x) across Requirements/Design, Coding, Integration Testing, Acceptance Testing and Production. Penetration testing is marked at the late (acceptance testing/production) end of the chart. Source: NIST

Page 8

Page 9

Agile Security

Figure: a Scrum sprint cycle (Product Backlog → Sprint Backlog → Plan → Design → Develop → Test; 1-4 week sprint with a 24-hour daily cycle; output: Shippable Increment), annotated with the security activities that attach to it:

• Security Training
• Security Requirements
• Threat Modelling
• Arch & Design Review
• Pairing
• Manual Security Tests
• Automatic Security Tests
• Security Feature Demo
• Security Acceptance Criteria

Source: NIST
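"Security Acceptance Criteria" and "Automatic Security Tests" only pay off when a criterion is written as an executable check that the sprint's test job can fail on. The following is an added example, not code from the talk; it assumes a hypothetical web application whose responses are captured as status, headers and Set-Cookie values, and the criteria it encodes (HSTS of at least a year, nosniff, a script-src that allows neither 'unsafe-inline' nor '*', no version in the Server header, Secure on every cookie, HttpOnly plus SameSite on the session cookie) are a common baseline rather than a list taken from the slides. The session cookie names are likewise an assumption.

```python
"""Security acceptance criteria as executable checks (added example).

Assumes a hypothetical web app whose HTTP responses are captured as
status, headers and Set-Cookie values; the baseline criteria and the
session cookie names are assumptions, not taken from the slides.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SESSION_COOKIE_NAMES = {"session", "sessionid", "jsessionid"}  # assumption
MIN_HSTS_MAX_AGE = 365 * 24 * 3600  # one year, in seconds


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    set_cookies: List[str] = field(default_factory=list)

    def header(self, name: str) -> Optional[str]:
        """Case-insensitive lookup: HTTP header names are not case-sensitive."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def check_headers(resp: Response) -> List[str]:
    """Criterion 1: protective headers. Returns violations (empty means pass)."""
    violations: List[str] = []
    max_age = None
    for attr in (resp.header("Strict-Transport-Security") or "").split(";"):
        attr = attr.strip().lower()
        if attr.startswith("max-age=") and attr[8:].isdigit():
            max_age = int(attr[8:])
    if max_age is None:
        violations.append("HSTS: Strict-Transport-Security missing or without max-age")
    elif max_age < MIN_HSTS_MAX_AGE:
        violations.append(f"HSTS: max-age {max_age} is below one year")

    if (resp.header("X-Content-Type-Options") or "").strip().lower() != "nosniff":
        violations.append("X-Content-Type-Options must be 'nosniff'")

    csp = resp.header("Content-Security-Policy")
    if csp is None:
        violations.append("CSP: Content-Security-Policy missing")
    else:
        directives = parse_csp(csp)
        # script-src falls back to default-src when it is not given explicitly
        script_src = directives.get("script-src", directives.get("default-src", []))
        if not script_src or "'unsafe-inline'" in script_src or "*" in script_src:
            violations.append("CSP: script-src must be set and must not allow 'unsafe-inline' or '*'")

    server = resp.header("Server") or ""
    if any(ch.isdigit() for ch in server):
        violations.append(f"Server header discloses a version: {server!r}")
    return violations


def check_cookies(resp: Response) -> List[str]:
    """Criterion 2: every cookie needs Secure; the session cookie also needs
    HttpOnly and SameSite=Lax or Strict."""
    violations: List[str] = []
    for raw in resp.set_cookies:
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {}
        for part in parts[1:]:
            key, _, value = part.partition("=")
            attrs[key.lower()] = value.lower()
        if "secure" not in attrs:
            violations.append(f"cookie {name}: missing Secure")
        if name.lower() in SESSION_COOKIE_NAMES:
            if "httponly" not in attrs:
                violations.append(f"cookie {name}: session cookie without HttpOnly")
            if attrs.get("samesite") not in ("lax", "strict"):
                violations.append(f"cookie {name}: session cookie needs SameSite=Lax or Strict")
    return violations


def acceptance_check(resp: Response) -> List[str]:
    """Run every criterion; the sprint's test job fails if the list is non-empty."""
    return check_headers(resp) + check_cookies(resp)


# Constructed responses standing in for a hardened and an unhardened build.
GOOD = Response(200, {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example",
    "Server": "nginx",
}, ["sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"])

BAD = Response(200, {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'",
    "Server": "Apache/2.4.41",
}, ["sessionid=abc123; Path=/", "theme=dark; Path=/; Secure"])

if __name__ == "__main__":
    for label, resp in (("good", GOOD), ("bad", BAD)):
        print(label, acceptance_check(resp) or "PASS")
```

Each criterion returns a list of named violations rather than a bare boolean so the failing check reads like an acceptance-test report in the build log and can be attached to the story as the "Security Feature Demo" evidence; the same functions can be pointed at a live response captured by the DAST stage later in the pipeline.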

Page 10

DevOps & SecOps

Figure: DevOps ("Rise of the Developer") on one side and SecOps ("Overburdened Security") on the other; what separates them is the lack of security orchestration and automation in the SDLC.

Page 11

Figure: Security vs. Developer (image-only slide)

Page 12

Major Challenges

• Shortage of application security resources
• Lack of awareness in the organization
• Influence of technology vendors
• Slow adoption of security tools in the development environment
• Lack of education & training
• No application security dashboard

Page 13

Page 14

Time to Change Our Approach to Application Security

• Define security metrics for application security
• Build internal resources from the development team
• Define the application security technology evaluation process
• Build the DevSecOps technology roadmap
• Adopt cloud security solutions
• Adopt security as a service

Page 15

What we need is: DevSecOps

Figure: Development, Operations and QA drawn as overlapping circles (Customer Centric, Immediate Results, Automation, Scale, Agile), with SecOps drawn apart from them.

90% of surveyed organizations are implementing or piloting DevOps, and 99% agree DevOps is an opportunity to improve application security, but only 20% are doing application security testing during development.

SecOps Needs to Shift Left

Page 16

Key Elements

• People: Training, Role
• Process: Compliance, Certifications
• Technology: Security tools, Dev tools

Page 17

People

Page 18

Training Approach

• Culture change
• Traditional training
• Shorter training duration
• Integrated in IDE/ALM
• New joiner induction training

By role:

• Product Manager: Secure SDLC, Security Requirements
• Architects: Secure Design Principles, Threat Modeling
• Developer: Secure Coding, SAST Tools
• QA: Security Testing, Dynamic Testing Tools
• Operations: Security Configurations, Secure Deployments

Page 19

Secure Coding Training Program

Figure: Security Champion Development Roadmap, a five-step ladder from Level 1 to Level 5.

Page 20

Software Security Group

Figure: org chart with an SSG Lead heading the SSG, which serves Project Group 1, Project Group 2, … Project Group N.

Page 21

Software Security Group Roles & Responsibilities

SSG:
• Security Best Practices
• Security tournaments
• Secure Coding Training
• Security Policy
• Security Process
• Security Technologies
• Security Forum
• Security Events (internal conference)
• Security Hackathon
• Security Summits

Page 22

Page 23

Process

Page 24

Appsec Program

Figure: program lifecycle Onboarding → Definition → Execution → Optimization, with the supporting activities Initial Communication, Assessments, Remediation, Application Portfolio, Program Oversight, Integrations, and Reporting & Analytics.

Page 25

ISO/IEC 27034

Page 26

OpenSAMM (OWASP)

Page 27

Technology

Page 28

OWASP AppSec Pipeline Project

Page 29

Application Security Execution from Left

Figure: the security activities placed along the delivery chain from left to right, with the people who consume each stage's output (Developers, QA, PM):

• Development Environment (Developers): IDE plugin, immediate feedback, secure coding principles
• Code Repository: repository scan, incremental report
• Build Server: SAST / dependencies check, nightly scans, custom rules set, false positive handling, security unit test cases generated from threat modelling
• Deployment Server (QA): dynamic scans with DAST and IAST
• ALM (PM): security requirements

Page 30

DevSecOps Orchestration

Figure: a delivery pipeline (GitHub: Master, Branch1 → Build Tools: Compile, Test, Publish → Deploy Env, with Open Source Libraries pulled into the build) wrapped by a DevSecOps Orchestration Platform, delivered as security as a service, that attaches security activities to each stage and feeds their results into Vulnerability Normalization & Analytics:

• Sec Requirements, Design Review, Threat Modelling
• Security Unit Tests, SAST, SCA
• DAST, IAST, VA
• Security as Code, RASP, NG WAF
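The "false positives" and "custom rules set" boxes on the previous slide and the "Vulnerability Normalization & Analytics" box on this one are where most pipeline integrations stall: every tool reports in its own shape and severity scale, the same issue shows up from both an incremental and a nightly scan, and a reviewed false positive has to stay suppressed without silently hiding anything else. The following is an added example, not code from the talk or from any of the tools it names. It constructs two reports in made-up shapes standing in for a SAST scanner and a dependency (SCA) checker (real tools have their own formats, so the two adapter functions are the part you would rewrite), normalizes them into one finding schema with a tool-independent fingerprint, applies a suppression list, and returns the build gate's verdict. Package names, rule ids and CVE ids are placeholders.

```python
"""Vulnerability normalization and a build gate (added example).

Not code from the talk or from any tool it names. The two reports below
are constructed in made-up shapes standing in for a SAST scanner and a
dependency (SCA) checker; rule ids, package names and CVE ids are placeholders.
"""
import sys
from dataclasses import dataclass
from hashlib import sha256
from typing import Dict, Iterable, List

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


def make_fingerprint(rule: str, location: str) -> str:
    """Stable id for a finding, independent of which tool or scan reported it."""
    return sha256(f"{rule}|{location}".encode()).hexdigest()[:16]


@dataclass(frozen=True)
class Finding:
    tool: str
    rule: str       # scanner rule id or CVE
    location: str   # file:line or package@version
    severity: str   # normalized to the SEVERITY_RANK scale
    title: str

    @property
    def fingerprint(self) -> str:
        return make_fingerprint(self.rule, self.location)


# Constructed SAST output in a hypothetical shape; the repeated entry mimics
# the same issue being reported by both an incremental and a nightly scan.
SAST_REPORT = {"issues": [
    {"id": "SQLI-001", "file": "app/db.py", "line": 42, "risk": "High",
     "msg": "SQL built by string concatenation"},
    {"id": "XSS-004", "file": "app/views.py", "line": 17, "risk": "Medium",
     "msg": "Unescaped template output"},
    {"id": "SQLI-001", "file": "app/db.py", "line": 42, "risk": "High",
     "msg": "SQL built by string concatenation"},
    {"id": "HARDCODE-KEY", "file": "tests/fixtures.py", "line": 3, "risk": "Low",
     "msg": "Hard-coded secret"},
]}

# Constructed dependency-check output; the CVE ids are placeholders, not real CVEs.
SCA_REPORT = {"dependencies": [
    {"name": "example-lib", "version": "1.2.3",
     "vulns": [{"cve": "CVE-0000-0001", "cvss": 9.8, "summary": "RCE in parser"}]},
    {"name": "other-lib", "version": "4.0.0",
     "vulns": [{"cve": "CVE-0000-0002", "cvss": 4.3, "summary": "DoS via crafted input"}]},
]}


def from_sast(report: dict) -> List[Finding]:
    """Adapter for the hypothetical SAST shape; its risk labels already match our scale."""
    return [Finding("sast", i["id"], f'{i["file"]}:{i["line"]}', i["risk"].lower(), i["msg"])
            for i in report["issues"]]


def cvss_to_severity(score: float) -> str:
    """Map a CVSS v3 base score onto the qualitative bands used by SEVERITY_RANK."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low" if score > 0 else "info"


def from_sca(report: dict) -> List[Finding]:
    """Adapter for the hypothetical SCA shape: one finding per CVE per package."""
    out = []
    for dep in report["dependencies"]:
        location = f'{dep["name"]}@{dep["version"]}'
        for v in dep["vulns"]:
            out.append(Finding("sca", v["cve"], location, cvss_to_severity(v["cvss"]), v["summary"]))
    return out


def normalize(*sources: Iterable[Finding]) -> List[Finding]:
    """Merge findings from every tool, dedupe on fingerprint (keeping the
    highest severity when reports disagree) and order worst-first."""
    merged: Dict[str, Finding] = {}
    for f in (f for source in sources for f in source):
        current = merged.get(f.fingerprint)
        if current is None or SEVERITY_RANK[f.severity] > SEVERITY_RANK[current.severity]:
            merged[f.fingerprint] = f
    return sorted(merged.values(), key=lambda f: -SEVERITY_RANK[f.severity])


# Reviewed false positives, keyed by fingerprint with a written justification.
# Constructed here; in practice this lives in the repo and is itself code-reviewed.
SUPPRESSIONS = {
    make_fingerprint("HARDCODE-KEY", "tests/fixtures.py:3"): "test fixture, not a production secret",
}


def gate(findings: Iterable[Finding], suppressions: Dict[str, str], fail_at: str = "high") -> dict:
    """Decide whether the build may proceed: any unsuppressed finding at or
    above fail_at blocks it; everything else is recorded, never hidden."""
    threshold = SEVERITY_RANK[fail_at]
    result: dict = {"blocking": [], "suppressed": [], "accepted": []}
    for f in findings:
        if f.fingerprint in suppressions:
            result["suppressed"].append(f)
        elif SEVERITY_RANK[f.severity] >= threshold:
            result["blocking"].append(f)
        else:
            result["accepted"].append(f)
    result["passed"] = not result["blocking"]
    return result


if __name__ == "__main__":
    verdict = gate(normalize(from_sast(SAST_REPORT), from_sca(SCA_REPORT)), SUPPRESSIONS)
    for bucket in ("blocking", "suppressed", "accepted"):
        for f in verdict[bucket]:
            print(f"{bucket:10} {f.severity:8} {f.tool:4} {f.rule} {f.location}")
    sys.exit(0 if verdict["passed"] else 1)
```

The fingerprint deliberately excludes the reporting tool, so a dependency CVE found by two scanners or a SAST hit seen by both the incremental and the nightly run counts once, and a suppression written for one tool's report still applies when another tool finds the same thing. Suppressed and accepted findings are returned alongside the blocking ones so the analytics layer sees the full picture, not only what failed the build.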

Page 31

Page 32

Q&A [email protected]