© 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Secure Product Lifecycle (SPLC) In Practice Mohit Kalra | Senior Manager, Secure Software Engineering (Adobe)


Introduction

Senior Manager @ Adobe’s Secure Software Engineering Team (ASSET). I lead the proactive security efforts.

@adobesecurity / @mohitkalra


Adobe’s Strategy

- Advancing state of the art for content
- Harnessing the power of data
- Driving digital transformation of industries


Adobe Cloud Platform

- Adobe Document Cloud, Adobe Creative Cloud, Adobe Marketing Cloud
- Content, Data
- Adobe.io
- Private, public or hybrid cloud
- Core technologies


Secure Product Lifecycle

Credit:
http://www.cisco.com/c/en/us/about/security-center/security-programs/secure-development-lifecycle.html
https://technet.microsoft.com/en-us/security/gg622918.aspx


Does a diagram capture everything?

Secure Product Lifecycle (SPLC) is a set of processes designed to help product teams engineer secure software.


For our team, the approach to security is much more complex


Security is all about making choices


… and balance


Implementing security is about providing high ROI and business alignment


… while trying to fix the weak links


The challenges in this complex world.


A central security team’s challenge #1


Scaling the security work with a small team.

- Hiring skilled security professionals is difficult.
- The team needs to learn continuously.
- Time spent => high premium $$$.


A central security team’s challenge #2


A growing and diverse company product portfolio.


A central security team’s challenge #3


The business critical products vs the legacy applications.


The challenges for a security team

- Security team’s bandwidth
- Diverse technology
- Varying business criticality


How can a security team overcome these challenges?



Security teams @ Adobe

- Product teams: engineering, champions, researchers & PMs
- ASSET (Adobe Secure Software Engineering Team)
- Products


Establish the minimum bar


- Create a SPLC standard that the product teams need to follow
- Standardize the tool chain

SPLC baseline tasks for every team:

- Training
- Static analysis of code
- Security testing
- 3rd party component tracking
- Code reviews
- Security requirements review
- Threat modelling
- Review of high risk findings and sign-off


Security is a shared responsibility


Split and share responsibilities


Spend premium security skill mindshare where it matters.

SPLC Tasks | Product team ownership | Central security team driven

- Training ✔
- Static analysis of code ✔
- Security testing ✔
- 3rd party component tracking ✔
- Code reviews ✔
- Security requirements review ✔
- Threat modelling ✔
- Review of high risk findings and sign-off


Set up product teams for security success with their security practices


- Onboard team
- Review product
- Gather intel
- Automation onboarding
- Train team
- Routine SPLC tasks


The challenges for a security team: security team’s bandwidth, diverse technology, business criticality.


Implementing Security Measures for a wide technology spectrum


A product may be offered on one or many platforms.


Extend the baseline SPLC requirements


- Baseline SPLC
- Services SPLC
- Mobile SPLC
- Desktop SPLC


Extend the baseline SPLC requirements (web)


Extend the baseline SPLC requirements (mobile)


Extend the baseline SPLC requirements (desktop)


The challenges for a security team: security team’s bandwidth, diverse technology, business criticality.


Tune for business criticality


Factor in business criticality for a security engagement


Summary

We presented you with the real-world experiences of running a SPLC program at Adobe.

At a minimum, a product should get access to baseline SPLC guidance.

A SPLC program:

- Scales premium security bandwidth through shared responsibility.
- Evolves continuously as the company evolves and innovates.
- Is flexible and adapts to the business needs of an organization.
