UISGCON11 December 4 th 2015 Svavar Ingi Hermannsson CISSP, CISA, CISM THE JOURNEY TO A SECURE SOFTWARE DEVELOPMENT LIFE CYCLE


Page 1:

UISGCON11

December 4th 2015

Svavar Ingi Hermannsson, CISSP, CISA, CISM

THE JOURNEY TO A SECURE SOFTWARE DEVELOPMENT LIFE CYCLE

Page 2:

OVERVIEW

$whoami
Useful Standards
Building blocks
Adding more security

Page 3:

Svavar has been specializing in IT security and software development for the last 18 years and has held various roles in programming and IT security consulting, with vast experience in penetration testing, vulnerability assessment, code auditing and information security management, including ISO/IEC 27001, PCI DSS and PA-DSS. These roles include a manager position at KPMG, as well as a CISO position at DH samskipti. Svavar has taught classes on computer security at the University of Iceland and the University of Reykjavik.

Svavar was the chairman of the information security focus group at the Icelandic Computer Society from 2007-2012. He has given talks at multiple events in Iceland, the UK, Germany and the US, including OWASP, BSides and Hacker Halted Europe.

Svavar holds various certifications, including CISSP, CISA and CISM.

WHO AM I?

Page 4:

USEFUL STANDARDS

Why do we standardize?

Page 5:

USEFUL STANDARDS

Security Policy, Access Control, Backups, BCP (more)

ISO/IEC 27034 Information technology -- Security techniques -- Application security

Page 6:

USEFUL STANDARDS

OpenSAMM (Software Assurance Maturity Model – courtesy of OWASP)

Page 7:

How to build a strong foundation?

BUILDING BLOCKS

Page 8:

Expected implementation time for an SME: 2–3 years

BUILDING BLOCKS

Page 9:

Decide on a software development methodology: Agile / SCRUM?
Formalize
Digitize

Source Control System: pick one; decide how to use it: branching? release versioning

Connect the two

BUILDING BLOCKS
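"Connect the two" on this slide means tying the chosen methodology to the source control conventions so that every change is traceable from the task board to the repository. The following is an added example, not material from the talk: a set of policy checks that a server-side hook or CI job could run against branch names, release tags and commit messages. The branch prefixes, the ticket prefix "PROJ" and the semantic-version tag format are assumptions chosen for the illustration, as is the sample push data.

```python
"""Added example (not from the slides): source control policy checks that tie
branching and release versioning to the development methodology. The naming
scheme, the ticket prefix "PROJ" and the branch prefixes are assumptions."""
import re
from typing import Dict, List, Optional, Tuple

# Assumed convention: work happens on feature/bugfix/hotfix branches that carry
# the id of the ticket they implement; releases are tagged as v<major>.<minor>.<patch>.
BRANCH_RE = re.compile(r"^(feature|bugfix|hotfix)/PROJ-\d+(-[a-z0-9]+)*$")
RELEASE_TAG_RE = re.compile(r"^v(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)$")
# Commits on a ticket branch must reference the same ticket, so each change can
# be traced back to the task that motivated it (and to its review).
TICKET_RE = re.compile(r"\bPROJ-\d+\b")


def check_branch_name(name: str) -> bool:
    """True when the branch follows <type>/PROJ-<n>[-<slug>]."""
    return BRANCH_RE.match(name) is not None


def check_release_tag(tag: str) -> bool:
    """True when the tag is a well-formed semantic version with a leading 'v'."""
    return RELEASE_TAG_RE.match(tag) is not None


def ticket_from_branch(name: str) -> Optional[str]:
    """Extract the ticket id embedded in a branch name, if any."""
    m = TICKET_RE.search(name)
    return m.group(0) if m else None


def check_commit(branch: str, message: str) -> List[str]:
    """Return the list of policy violations for one commit; empty means accepted."""
    problems: List[str] = []
    if not check_branch_name(branch):
        problems.append(f"branch '{branch}' does not follow <type>/PROJ-<n>-<slug>")
        return problems
    ticket = ticket_from_branch(branch)
    if ticket not in TICKET_RE.findall(message):
        problems.append(f"commit message does not reference {ticket}")
    return problems


# Constructed sample input, standing in for what a pre-receive hook would see:
# (branch name, commit message) pairs.
SAMPLE_PUSHES: List[Tuple[str, str]] = [
    ("feature/PROJ-42-login-lockout", "PROJ-42: lock account after 5 failed logins"),
    ("feature/PROJ-42-login-lockout", "fix typo"),
    ("wip-stuff", "PROJ-42: more work"),
]


def review_pushes(pushes: List[Tuple[str, str]] = SAMPLE_PUSHES) -> Dict[str, List[str]]:
    """Map each (branch|message) to its violations so a hook can reject offenders."""
    return {f"{b}|{m}": check_commit(b, m) for b, m in pushes}


if __name__ == "__main__":
    for key, problems in review_pushes().items():
        print(key, "->", problems or "ok")
```

Rejecting a push that fails these checks is the enforcement half; the written convention the checks encode is the "formalize" half the slide asks for first.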

Page 10:

Separate Development / Testing / Production

Separation of duties

BUILDING BLOCKS

Page 11:

Adding security to the SDLC
Start differentiating between bugs and security bugs
Secure coding training
Secure coding practices
Add a design + design review part (assistance from Security Architects)
Add threat modeling (STRIDE)
Code auditing with focus on IT security
Security testing prior to release

ADDING MORE SECURITY
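The slide names STRIDE as the threat modeling method to add to the design phase. As an added example that is not part of the talk, the block below performs STRIDE-per-element enumeration over a small data-flow diagram: each element type (external entity, process, data flow, data store) is checked against the STRIDE categories that apply to it in the standard STRIDE-per-element chart, flows that cross a trust boundary are raised in priority, and categories already covered by a recorded mitigation are filtered out so the design review can concentrate on the open ones. The sample system (a browser user, an order API, an orders database and an audit log store) and its mitigations are constructed for the illustration.

```python
"""Added example (not from the slides): STRIDE-per-element threat enumeration
over a small data-flow diagram. The element/category mapping follows the
standard STRIDE-per-element chart; the sample model is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Categories considered per DFD element type. Repudiation on a data store only
# matters when the store holds audit data, which is handled in enumerate_threats.
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TID",
}


@dataclass
class Element:
    name: str
    kind: str                                  # one of the APPLICABLE keys
    crosses_trust_boundary: bool = False       # meaningful for data flows
    holds_audit_logs: bool = False             # meaningful for data stores
    mitigations: Dict[str, str] = field(default_factory=dict)  # letter -> control


def enumerate_threats(elements: List[Element]) -> List[dict]:
    """One record per (element, applicable STRIDE category), mitigated or not."""
    findings = []
    for el in elements:
        if el.kind not in APPLICABLE:
            raise ValueError(f"unknown element kind: {el.kind}")
        letters = APPLICABLE[el.kind]
        if el.kind == "data_store" and el.holds_audit_logs:
            letters += "R"  # losing or altering the audit trail enables repudiation
        for letter in letters:
            findings.append({
                "element": el.name,
                "category": STRIDE[letter],
                "priority": "high" if (el.kind == "data_flow" and el.crosses_trust_boundary) else "normal",
                "mitigated_by": el.mitigations.get(letter),
            })
    return findings


def open_threats(elements: List[Element]) -> List[dict]:
    """Threats with no recorded mitigation: the design review's work list."""
    return [f for f in enumerate_threats(elements) if f["mitigated_by"] is None]


# Constructed sample model of a web shop's order path.
SAMPLE_MODEL = [
    Element("Browser user", "external_entity", mitigations={"S": "password + MFA login"}),
    Element("User -> API (HTTPS)", "data_flow", crosses_trust_boundary=True,
            mitigations={"T": "TLS", "I": "TLS"}),
    Element("Order API", "process", mitigations={"E": "per-request authorization checks"}),
    Element("API -> DB", "data_flow"),
    Element("Orders DB", "data_store",
            mitigations={"I": "disk encryption + least-privilege DB account"}),
    Element("Audit log store", "data_store", holds_audit_logs=True),
]

if __name__ == "__main__":
    for f in open_threats(SAMPLE_MODEL):
        print(f"[{f['priority']:6}] {f['element']}: {f['category']}")
```

The output is deliberately a list of questions rather than answers: each open record is a prompt for the designer and the security architect to either record a control or accept the risk, which is the part of the design review the slide adds.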

Page 12:

CISO
Security notifications
Security portal / vulnerability management
Incident response
Bug bounties

ADDING MORE SECURITY

Page 13:

Any [email protected]

THANK YOU!

http://www.xkcd.com/