Secure Development
Steven C. Markey, MSIS, PMP, CISSP, CIPP, CISM, CISA, STS-EV, CCSK, CompTIA Cloud+
Principal, nControl, LLC; Adjunct Professor
• Presentation Overview
– Application Security (AppSec) Driver(s)
– Textbook
  – Processes (SDLC, SDL, STRIDE, DREAD)
  – People (InfoSec Staff, Developer Training)
  – Tools (Scanners, Policies & Standards)
  – Procuring Secure Applications
– Real World
  – 10 Commandments for AppSec
  – AppSec Use Cases
• AppSec Drivers
– Risk Management
– Compliance
– Revenue/Costs
• Risk Management
– One of Many Risks
  – Operational Risk
  – Financial Risk
  – Reputational Risk
– Transfer from Network Security to AppSec
[Figure slide; source: OWASP]
[Figure slide; source: ISC2]
• Compliance
– Specific
  – PCI DSS 6.6
– Vague
  – SOX
  – HIPAA
  – FISMA/FIPS
  – NERC/FERC
  – FDA 21 CFR Part 11/ERES
• Revenue/Costs
– Value-Add
– Key Differentiator
– Precursor to 3rd Party Accreditation
– ICSA Labs
[Figure slide; source: KLP Consulting]
• AppSec Programs
– Architecture + Threat & Vulnerability Management (TVM)
– Enterprise Architecture (EA)
  – Enterprise Security Architecture (ESA)
  – Sherwood Applied Biz Security Arch (SABSA)
  – The Open Group Arch Framework (TOGAF)
  – Jericho Model
– AppSec Maturity Models
  – Building Security In Maturity Model (BSIMM)
  – OWASP's Software Assurance Maturity Model (SAMM)
[Figure slides; sources: NYSE Euronext, Mountain Goat Software, Microsoft]
• Training
– Know Stakeholders
  – Project Managers
  – Development Managers
– Tailor to Development Team
– Use an Iterative Model
– Incorporate Train the Trainer
– Reinforce Training with Formal / Informal Incentives
• Scanners
– Static Application Security Testing (SAST)
– Dynamic Application Security Testing (DAST)
– AppSec Pen Testing
– Supplemental Tools
  – Fuzzing, Tracing, Scanning, Sniffing
  – IDEs
  – Proxies / Gateways
  – Firewalls (WAFs, DbFs / DAM, XML)
• Coding Conventions & Architectural Standards
– Development Team Specific
– Coding Enumeration
  – Error / Exception Handling
  – Input / Output Validation
  – Comments / Documentation
  – Session Management
  – Memory / Thread Management
  – PKI
  – IAM / IdM
• Coding Conventions & Architectural Standards
– Architectural Enumeration
  – Thick / Thin
  – Internal / External
  – Transactional
  – Message / Information Delivery
  – Monitoring
  – SOA / Mobile / Cloud
  – App / Middleware
  – Database
• Coding Conventions & Architectural Standards
– Architectural Enumeration Scenario
  – LAMP with Drupal
  – IAM via AD-based LDAP
  – Zend (PHP-based) Framework
  – Imperva DAM
  – Syslogd with ArcSight SIEM
  – DMZ w/ Load Balancing
• Procuring Secure Applications
– Beware of Your Business Ecosystem
– Weakest Link Mentality
– Legal / SLA Verbiage
– 3rd Party Reviews
  – ASP / Cloud / ISV
  – Mobile
  – COTS
  – Subsidiaries / Customers
• 10 AppSec Commandments
1. Thou Shalt Execute AppSec at the Speed of Business
2. Thou Shalt Not Architect Security
3. Thou Shalt Evolve Your Testing Methodologies
4. Thou Shalt Not Surprise Dev Teams
5. Thou Shalt Test Apps in Production
6. Thou Shalt Not Let Frameworks Replace Intelligence
7. Thou Shalt Put Vulnerabilities in Proper Context
8. Thou Shalt Not Give Dev Teams Access to Prod Data
9. Thou Shalt Use a WAF/DAM with a Plan
10. Thou Shalt Not Blame the Dev Team
Source: Dark Reading
• AppSec Use Cases
– Strong SDLC & SDL Alignment
– Socialize & Incentivize SDL Implementation
– Embed AppSec SMEs in Dev Teams
– Start on New Projects
– Retrofit Legacy Apps / Systems as Time Permits
– Iterative Improvement & Wins
– No (Process / Tool) Silver Bullets
• Questions?
• Contact
– Email: [email protected]
– Twitter: @markes1
– LI: http://www.linkedin.com/in/smarkey