
Page 1

Secure SDLC: The Good, The Bad, and The Ugly

Joey Peloquin, Director, Application Security

FishNet Security

Information Assurance Security Technology Security Integration 24x7 Support Training Managed Services

INFORMATION SECURITY PRACTICES

Page 2

Agenda

• Secure Development Programs
  – The Good, The Bad, and The Ugly

• QSA Perspectives
  – Application Security in a PCI World

• Secure SDLC
  – The Essential Elements & Where to Start

• Post-Mortem
  – A Flawed “AppSec” Program Made Right

• Q & A

Page 3

Secure Development Programs


Page 5

• Top -> Down Support
• Clearly Defined Processes
• Focus on Training and Education
• Security is a Function of Quality Management
• Properly Leveraging Technology
• Third-party Partnerships
• Go – No-Go Authority
• Working Smarter, Not Harder


Page 7

• Insufficient Support from Management
• Reactive Security Posture
• Check-in-the-box Mentality
• Insufficient Vulnerability Management
• No Developer Training
• Lack of Application Security Awareness
• Insufficient Standardization
• Development Silos


Page 9

• Complete Lack of Management Support
• Devoid of Security Awareness
  – “Wow, there’s organizations devoted to Application Security that offer free information, tools, and standards?”
• Complete Lack of Vulnerability Management
• Little Standardization
• No Quality Management
• Pattern of Denial

Page 10

QSA Perspectives

Page 11

QSA Perspectives

“I’m concerned that as long as the payment card industry is writing the standards, we’ll never see a more secure system. We in Congress must consider whether we can continue to rely on industry-created standards, particularly if they’re inadequate to address the ongoing threat.”

– Rep. Bennie Thompson

Page 12

Elements of a PCI Compliant Program

• Security Throughout the Lifecycle
  – Requirements, checkpoints, accreditation, testing
  – No concept of OWASP, inability to examine code for common defects, no peer reviews, etc.
• Well-documented and Maintained SDLC
  – I’m from Missouri…
• Knowledgeable Developers
  – Coding examples, processes
• Peer Reviews
  – Someone other than the dev; examine comments

Page 13

Um, sorry, that is not compliant…

• Homegrown Encryption
  – Use publicly available, commercial/open source instead
• Code Reviews
  – No, you can’t review your own…
• Look at the Pretty WAF!
  – Yes, it has to actually be configured to block, /sigh
• “We have a WAF, so we don’t need to fix our code.”
• “Our IPS can totally block SQLi and XSS!”

Page 14

Section 6.6 Compliance

• WAF
  – Network diagrams
  – Configuration
  – Logging

• Code Reviews
  – Documented policy, process, methodologies
  – Reports
  – Internal or third-party?
  – Tester’s role
  – Tester’s credentials

Page 15

Secure SDLC

Page 16

Essential Elements

• Executive Champion
• Mid-level Support
• Support of The Business
• People
• Process
• Technology
• …and unfortunately;
  – Time & Money help a great deal


Page 18

Where to Start?

• Assess your current maturity level
• Identify Business and Security Objectives
• Plan your work and work your plan!
• Document your approach
  – Who, what, when, where, how?
• Dr. McGraw’s Touchpoints:
  – Code Reviews (Static Analysis)
  – Risk Analysis
  – Skills Assessment and Training
  – Penetration Testing (Dynamic Analysis)

Page 19

Scale of Maturity

Sustained Maturity
• Centralized People, Processes and Technology
• Application security integrated seamlessly into quality lifecycle, becoming third pillar
• Application security team has Enterprise influence
• Security addressed throughout SDLC and applied retroactively to legacy applications

Security Fitness
• Security baked into SDLC, discussed during design phase
• Security checkpoints defined and enforced
• Centralized, reusable resources for developers
• Centralized testing and remediation tracking
• Development mentors identified and trained

Proactive Security
• Champion and stake-holders identified
• Policies, standards & processes established
• Tools evaluated and purchased
• Automated and manual internal testing
• Developer training and awareness

Reactive Security
• Standards-based internal processes lead to a basic level of awareness
• Some manual testing, looking into automation
• Recognize need for application security, but don’t know where to start

Security Unaware
• No documented Application Security practices
• No internal testing, merely annual penetration test
• No application security awareness or developer training

(Diagram axes: Increasing Maturity → Decreasing Overall Development Cost)

Page 20

Post-Mortem: A Flawed Attempt at Building Security In…

Page 21

Mistakes / Issues (Opportunities?!)

• Lost executive champion
• Lack of mid-level support
• Staff Reorganization
• No business support
• No defined processes
• Not enough expertise
• Development silos
• Shelfware

Page 22

Putting the Pieces Back Together

• Educate The Business
• Security Requirements
• Define Standards
• Define Processes
• Development Mentors
• HP AMP – SaaS
• Offensive Security
  – License to Pen-test


Page 24

Joey Peloquin, CSSLP, GCIH
Director, Application Security

972.788.7206 (O)
214.909.0763 (M)

[email protected]