Join the conversation #devseccon
Integrating crowdsourced security into agile SDLC
By Ante Gulam
Disclaimer
The opinions expressed in this presentation are my own and do not necessarily represent those of my employer.
$whoami
• Chief Information Security Officer
• Application Security Evangelist
• Ranked among the world's top 10 AppSec researchers (cobalt.io)
• 13 years of experience in information security
• Governance & compliance + hands-on roles
• https://uk.linkedin.com/in/agulam
• https://twitter.com/ante_gulam
Interpreting and staging a scene
• Application security threat landscape trends
• Emerging technologies & attack vectors
• Cyber security skills gap
• Inefficient regulations
• “Find and adopt” approach
• …
The UK government's recent Cyber Security Strategy called Britain's cyber-security skills gap a “national vulnerability that must be resolved”.
SC Magazine, Feb 2017
Breach Level Index
“The state of application security is not improving significantly,” Asma Zubair, WhiteHat
Internal Challenges (change drivers)
• Cost to fix vulnerabilities vs. cost of exploitation
• Mobilizing business lines
• Tracking risk posture
• Tactical vs. strategic goals
• Threat modelling complexity
• Real attack surface discovery
• 2 fast + 2 complex
Bonus - IaaS and DevOps
• Reducing time to market
• Narrowing down the attack surface?
• Immutable objects (Pets vs Cattle)
• Additional layer requiring visibility
• Logging, monitoring, alerting capability
• Re-inventing NSM, NIDS, HIDS etc.
• S3, CloudTrail, SQS, ELK …
• Key management (Ansible Vault, CredStash (KMS/DynamoDB) …)
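The "logging, monitoring, alerting" point above is the part of the DevOps/IaaS layer that most often gets deferred. As an added illustration (not code from the talk or from cobalt.io), the script below runs a small set of detections over a CloudTrail delivery file: tampering with the trail itself, root console logins without MFA, and IAM calls that broaden privilege. The records are constructed for the example, not captured from a real account; the event names, the `userIdentity` shape and the `MFAUsed` field follow the documented CloudTrail record format, and the account ID and IP addresses are placeholders.

```python
"""Minimal CloudTrail detection pass over one delivered log file.
Added example; the records below are constructed, not real telemetry."""
import json

# Constructed sample records, in the {"Records": [...]} shape that
# CloudTrail writes to S3. Account ID and IPs are placeholders.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2017-02-01T10:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "eu-west-1",
     "userIdentity": {"type": "IAMUser", "userName": "deployer"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"name": "arn:aws:cloudtrail:eu-west-1:123456789012:trail/main"}},
    {"eventTime": "2017-02-01T10:01:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "deployer"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"userName": "deployer",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2017-02-01T10:02:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "userIdentity": {"type": "Root"},
     "sourceIPAddress": "198.51.100.7",
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2017-02-01T10:03:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "eu-west-1",
     "userIdentity": {"type": "IAMUser", "userName": "app"},
     "sourceIPAddress": "10.0.0.5",
     "requestParameters": {"bucketName": "assets", "key": "logo.png"}},
]})

# API calls that disable or alter the audit trail itself.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
# IAM calls that commonly grant or broaden privilege.
PRIVILEGE_CHANGES = {"AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy",
                     "PutRolePolicy", "CreateAccessKey", "AddUserToGroup"}


def actor(record):
    """Best-effort principal name: IAM user name, else identity type."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def classify(record):
    """Return (severity, reason) for a record, or None if it is benign."""
    name = record.get("eventName", "")
    if name in TRAIL_TAMPERING:
        return ("high", "CloudTrail logging modified: %s" % name)
    if name == "ConsoleLogin" and record.get("userIdentity", {}).get("type") == "Root":
        # ConsoleLogin records carry MFAUsed in additionalEventData.
        mfa = record.get("additionalEventData", {}).get("MFAUsed", "No")
        if mfa != "Yes":
            return ("high", "root console login without MFA")
        return ("medium", "root console login")
    if name in PRIVILEGE_CHANGES:
        params = record.get("requestParameters") or {}
        policy = params.get("policyArn", "")
        sev = "high" if policy.endswith("/AdministratorAccess") else "medium"
        return (sev, "privilege change: %s %s" % (name, policy or params))
    return None


def alerts_from_trail(raw_json):
    """Parse one CloudTrail file and return a list of alert dicts."""
    alerts = []
    for rec in json.loads(raw_json).get("Records", []):
        hit = classify(rec)
        if hit is None:
            continue
        severity, reason = hit
        alerts.append({"time": rec.get("eventTime"), "severity": severity,
                       "actor": actor(rec), "source_ip": rec.get("sourceIPAddress"),
                       "event": rec.get("eventName"), "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in alerts_from_trail(SAMPLE_TRAIL):
        print("[%s] %s %s from %s: %s" % (a["severity"].upper(), a["time"],
                                          a["actor"], a["source_ip"], a["reason"]))
```

In a real pipeline the same `alerts_from_trail` call sits behind an S3 event notification (the S3 → SQS → consumer path the slide lists), and the alert dicts are what you would ship into ELK; the detection sets here are deliberately short so that the "trail tampering first" ordering is visible, because an attacker who can call `StopLogging` will usually do that before anything the other rules would catch.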
The speed of light sucks. (John Carmack)
[Diagram: security maturity level, current state vs. targeted state, with the traditional penetration test marked on the scale]
Traditional approaches
• Fully reactive principles obsolete
• Continuous looping
• Quick wins over strategic improvement
• Slow internal response
• Box-ticking exercise
• Weak integration
Tailoring security for early delivery
• Crowdsourced assessment != Bug bounty program
• Full staged integration capability
• Centralized comms and visibility
• Full risk remediation tracking
• Integration into ticketing systems (Jira)
• Broad skill-set pools matching specific assignments
• Flexible re-test capability
[Chart: Time-to-fix, 2016. Source: Web Applications Security Statistics Report 2016, WhiteHat Security. Crowdsourced (cobalt.io): 17.6 days]
Crowdsourced workforce
• Targeted skillset matching capability
• Strong diversity
• Different backgrounds and environments
• Commercial and custom toolset base
• Collective threat intelligence
Crowdsourced coverage
• Security requirements
• Threat modelling
• Architecture / design review
• Source code analysis
• Penetration testing
• Awareness and training
Internal preparation
• Functional risk workflow
• Security “champions” within existing teams
• Strategy-driven process
• Fundamental documentation
• Basic process hygiene
• Open mind
Staged integration scenario
• On-demand assessments
• Flexible, controllable timeframes
• Full remediation assistance
• Reduced noise
• Conceptual buy-in
• Natural maturity growth
• Risk reduction
• Staged bug bounty integration
• Curated: Private -> Public
BUG BOUNTY PROGRAM
Shaping the future posture
• Case-specific assessments
• Attacker profiling
• More granular sets of requirements
• Playbook approach (Julian Cohen, RSA)
• Staged threat modelling
Takeaways
• Agile SDLC needs agile security
• Crowdsourced integration seems flexible enough
• Mythbusting: crowdsourcing and security
• What is the alternative?
• Transparency builds trust!
Thank you