Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
Developing anDeveloping anApplication Security Strategy for
Large Enterprise Systems
Major Bruce C Jenkins (USAF, Ret.)San Antonio OWASP, 06 Sep 2007
Overview
Organizational ContextDeployment Challenges and AssumptionsDeployment Challenges and AssumptionsGetting Down to Business
Security Wake-up Call
Percent of Reported Air Force CAT I / II IntrusionsCAT I / II Intrusions
that Targeted Applications
“75 % of hacks occur at the application l l ”level…”
Dec 2005
Security Wake-up Call
May 2005: Air Force Assignment ManagementS (AMS) C i d
Unauthorized individual accessed valid
System (AMS) Compromised
Unauthorized individual accessed valid user accountInitiated Password ResetD l d d 33 000 l dDownloaded 33,000 personnel records
System Access Controls Complied with Published Guidance
4
Systems Development Profile
Program Management Offices: 50+Software Developers: 600-900pAutomated Information Systems: 120+Programming Languages: 12+Source Lines of Code: 40M+
Quick Fix Countermeasures
Activated 554 ELSW Crisis Action TeamProgram Management OfficesSecurity AnalystsAFOSI Liaison to the AFNOSC-NOD
Top-to-Bottom Review of all Wing AppsTop-to-Bottom Review of all Wing AppsReview Password Reset Procedures*Revalidate Privileges*Review of System Audit Logs*Reduce Concurrent Log Ons
Develop Long-term Security Strategy
*AFMAN 33-223 Requirements
Develop Long term Security Strategy
6
Way Ahead: Securing the SDLC
Application Defense
Centralized Project ManagementVulnerability trend analysis and reporting; view multiple projects, all mission areas
Source Code Analysis (SCA) Proactive security with targeted, accurate analysis tuned for low false positives
Developers
Application DefenseMonitor, prevent and report on intrusion attempts against applications / databases
Security Ops Team
PR
Management
Application Virtualization“Wrap” legacy apps in virtual environment for low-cost SDC compliance
Code AuditingP b ild it diti dSecurity Testers Pre-build security auditing and analysis of application’s entire code base
RunTime Analysis
Penetration TestingScripted, controlled external probing of the application’s security features
Security TestersBuild Server
RunTime AnalysisBlack box integration testing and vulnerability analysis
Security Leads / Auditors
Overview
Organizational Context
Deployment Challenges and AssumptionsDeployment Challenges and AssumptionsGetting Down to Business
Challenges and Assumptions
Challenges – Some you can change, most you cannot; however, if necessary, you can work around all of themall of them
CulturalFinancial
l lPoliticalTime Constraints (schedules)Internal PolicyPersonal
AssumptionsEveryone above you in the food chain is on boardEveryone above you in the food chain is on boardYou have at least some resources
Overview
Organizational ContextDeployment Challenges and Assumptionsp y g p
Getting Down to Business
Getting Down to Business
Success is often the result of taking aSuccess is often the result of taking a misstep in the right direction.
-- Al BernsteinAl Bernstein
Getting Down to Business
1. Determine the Strategic Objective2. Deal with the Challengesg3. Identify your Champions… and your Detractors4. Sell Hard to Key Leaders5. Sell Soft to Developers6. Target Early Successes
C d t L L d7. Conduct Lessons Learned
Take Baby Steps… but do something!
Data are just data—don’t be overwhelmed….
20000 3018 997
Total Issues Issues / 1K SLOC
16000
1800025
18,997
12000
14000 20
6000
8000
10000
10
158,102
2000
4000
6000
5
10
0
2000
1 2 3 4 6 7 80
904 885 152 50852
Questions?