ISACA 2016 Application Security RGJ


ENSURING INFORMATION SECURITY IN THE SYSTEM DEVELOPMENT LIFECYCLE PROCESS

RENE G. JASPE CISSP, CSSLP

Sinag Solutions, Founder and CISO
Phylasso Corp., Founder and Managing Director
MobKard, Co-Founder and CTO

Rene Jaspe CISSP, CSSLP

• 13 yrs with Telos Corp., a US Federal Gov't Defense Contractor, servicing various US Defense and Intelligence Agencies as well as NATO allies.

• 10 years Software Development and 5 Years Application Security Background.

2015: “We Take It Very Seriously”

IBM Xforce Threat Intelligence Report 2016

HEALTHCARE, EDUCATION & FINANCIAL SERVICES LEAD GLOBALLY.

Source: Ponemon Institute Research Report 2016 Cost of Data Breach

Incident Pattern By Industry

Verizon Data Breach Incident 2016 Report

• Regulatory & Standards Compliance

– eCommerce: PCI-DSS, PA-DSS
– Financial Services: GLBA
– Energy: NERC / FERC
– Government: FISMA
– PH: Data Privacy Act, BSP

• 81% of organizations subject to PCI had not been found compliant prior to the breach

Market Drivers

Application security challenges: Security-development disconnect fails to prevent vulnerabilities in production applications

• Developers Lack Security Insights (or Incentives to Address Security)

• Mandate to deliver functionality on-time and on-budget – but not to develop secure applications
• Developers rarely educated in secure code practices
• Product innovation drives development of increasingly complicated applications

Security Team = SDLC Bottleneck

• Security tests executed just before launch

– Adds time and cost to fix vulnerabilities late in the process

• Growing number of web applications but small security staff

– Most enterprises scan ~10% of all applications

• Continuous monitoring of production apps limited or non-existent

– Unidentified vulnerabilities & risk

3 Great Frameworks For Implementing an Enterprise Software Security Program (MOB)

Application Security Pros Hold These Truths to Be Self Evident

• Software Security is more than a set of security functions.

– Not magic crypto fairy dust
– Not silver bullet security mechanisms.

• Non-functional aspects of design are essential
• Bugs and flaws are 50/50.
• Security is an emergent property of the entire system (just like quality).
• To end up with secure software, deep integration with the SDLC is necessary.

Source: Cigital on BSIMM VI

Prescriptive vs. Descriptive Models

Prescriptive Models

• Prescriptive models describe what you should do.

• OpenSAMM
• Microsoft SDL

• Every company has a methodology they follow (often a hybrid)

• You need an SSDL.

Descriptive Models

• Descriptive models describe what is actually happening.

• The BSIMM is a descriptive model that can be used to measure any number of prescriptive SSDLs.

Microsoft Security Development Lifecycle 5.2 (May 2012)

SDL for Agile


Bucket practices: Important security practices that must be completed on a regular basis but can be spread across multiple sprints during the project lifetime.

One-Time practices: Foundational security practices that must be established once at the start of every new Agile project.


SDL Practice #7: USE THREAT MODELING

Applying a structured approach to threat scenarios during design helps a team identify security vulnerabilities more effectively and at lower cost, determine the risks arising from those threats, and establish appropriate mitigations.

THREAT MODEL SAMPLE

• S – Spoofing
• T – Tampering
• R – Repudiation
• I – Information Disclosure
• D – Denial of Service
• E – Elevation of Privilege

OpenSAMM 1.1 (March 2016)


Sample: Construction

FINANCIAL SERVICES ORGANIZATION


Cost: Phase 1 (Months 0 – 3) - Awareness & Planning

BSIMM 7 (October 2016)

The BSIMM is a measuring stick for software security. The best way to use the BSIMM is to compare and contrast your own initiative with the data about what other organizations are doing contained in the model. You can then identify goals and objectives of your own and refer to the BSIMM to determine which additional activities make sense for you. The BSIMM data show that high maturity initiatives are well-rounded—carrying out numerous activities in all 12 of the practices described by the model. The model also describes how mature software security initiatives evolve, change, and improve over time.

BSIMM 7

Standards & Requirements

“EVERYBODY” DOES IT

SAMPLE SPIDER CHART

VERTICAL COMPARISON

• Microsoft Security Development Lifecycle: https://www.microsoft.com/en-us/sdl/

• OpenSAMM: http://www.opensamm.org/

• BSIMM: https://www.bsimm.com/

KEY TAKEAWAY (MOB)

“Today we were unlucky, but remember we only have to be lucky once. You will have to be lucky always.”

THANK YOU

QUESTIONS???

Rene.Jaspe@sinagsolutions.com
@renejaspe

https://ph.linkedin.com/in/renejaspe
