Download pdf - Implementation Patterns For Software Security Programs

© Copyright 2013 Denim Group - All Rights Reserved

Implementation Patterns for!Software Security Programs!!!Dan Cornell!@danielcornell


Denim Group Background

•  Professional services firm that builds & secures enterprise applications –  External application assessments

•  Web, mobile, and cloud –  Software development lifecycle development (SDLC) consulting

•  Classroom and e-Learning for PCI compliance •  Secure development services:

–  Secure .NET and Java application development –  Post-assessment remediation

•  Deep penetration in Energy, Financial Services, Banking, Insurance, Healthcare and Defense market sectors

•  Customer base spans Fortune 500 •  Contributes to industry best practices through the Open Web

Application Security Project (OWASP)

2

© Copyright 2013 Denim Group - All Rights Reserved 3

Dan Cornell •  Dan Cornell, founder and CTO of Denim Group

•  Software developer by background (Java, .NET, etc)

•  OWASP San Antonio

•  15 years experience in software architecture, development and security

•  Heads Denim Group’s application security team


Agenda

•  What Makes a Successful Software Security Program? –  Key commonalities

•  Software Security Program Implementations –  Approaches –  Customization –  Considerations

•  Three Example Program Activities –  Security Testing –  Code Review –  Education and Guidance

•  Selecting What Works for your Organization

4


Successful Software Security Programs •  Common Goal

–  Reduce Risk by… •  Reliably Creating Acceptably Secure Software

•  Obligatory “People, Process, Technology” Reference –  Anybody got a good Sun Tzu quote? –  I’d settle for a von Clausewitz…

•  Common Activities –  Implementation must be tied to the specific organization

5


Software Assurance Maturity Model (OpenSAMM) •  Open framework to help organizations formulate and implement a

strategy for software security that is tailored to the specific risks racing the organization

•  Useful for: –  Evaluating an organization’s existing software security practices –  Building a balanced software security program in well-defined iterations –  Demonstrating concrete improvements to a security assurance program –  Defining and measuring security-related activities within an organization

•  Main website:

–  http://www.opensamm.org/

6


SAMM Business Functions

•  Start with the core activities tied to any organization performing software development

•  Named generically, but should resonate with any developer or manager

This slide content © Pravir Chandra


SAMM Security Practices •  From each of the Business Functions, three Security Practices are defined •  The Security Practices cover all areas relevant to software security

assurance •  Each one is a ‘silo’ for improvement



Check Out This One...



Program Implementation •  Approaches

•  Customization

•  Considerations

10


Approaches •  Automated vs. Manual •  Depth-First vs. Breadth-First •  Centralized vs. Distributed •  Top-Down vs. Bottom-Up •  SaaS vs. On-Premise •  In-House vs. Outsourced

•  All of the Above (and More)

11


Organizational Fit •  Not “One Size Fits All”

–  What Are the Threats to Your Organization? –  How Much of an Executive Mandate Do You Have? –  How Much Risk Are You Willing (Or Going) to Bear?

•  Differences Across Industries –  Financial Services Firms Do This Differently Than Energy Sector –  Different Threats, Different Regulatory Environment

•  Differences Within Industries –  Oilfield Services versus Mid-majors –  Banks versus Credit Unions

12


$0

$500,000,000

$1,000,000,000

$1,500,000,000

$2,000,000,000

$2,500,000,000 JP

Mor

gan

& C

hase

Ban

k of

Am

eric

an

Citi

grou

p

Wel

ls F

argo

Gol

dman

Sac

hs G

roup

Met

Life

Mor

gan

Sta

nley

U.S

. Ban

corp

Ban

k of

New

Yor

k M

ello

n

HS

BC

PN

C F

inan

cial

Ser

vice

s G

roup

Cap

itol O

ne

TD B

ank

Sta

te S

treet

Cor

pora

tion

Ally

Fin

anci

al

BB

&T

Cor

pora

tion

Sun

trust

Ban

ks

Prin

cipa

l Fin

anci

al G

roup

Am

eric

an E

xpre

ss

Am

erip

rise

Fina

ncia

l

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20

Hol

ding

s

Total Assets for Top Holding Companies


Considerations •  Raw Budget Constraints

•  Organizational Structure

•  Regulatory and Compliance Mandates

•  Culture and Risk Appetite

•  Leadership Buy in

14


Patterns and Anti-Patterns •  Every Organization is Different

–  But there are commonalities

•  Similar approaches –  Some good –  Some … less good

•  Do you know the “right” thing to do? •  Are you doing it?

–  If not – why not?

15


Example Program Activities •  Take Three Common Activities from OpenSAMM

•  Security Testing •  Code Review •  Education and Guidance

16


Examples of Activities •  Security Testing

–  Recurring dynamic scanning –  Manual penetration tests

•  Code Review –  Automated static analysis –  Manual security code review

•  Education and Guidance –  Instructor-led training for developers –  e-Learning –  Develop and publish “Top 10” list for developers

17


Security Testing •  Also known as “black box testing” and “penetration testing”

•  Testing the security of a running system –  Automated scanners help –  But don’t forget the manual component

•  As with any testing activity –  How frequently? –  How thorough?

18


Security Testing: Anti-Patterns •  “Dude with a scanner” approach

–  Can also be implemented as the “lady with a scanner” approach

•  “SaaS and forget” approach

19


Security Testing: Better Patterns •  Deep Assessment of Critical

Applications –  Automated scanning, manual

scan review and assessment

•  Breadth-First Scanning –  You want a scanning program,

not a scanner

•  Understand that security testing is a means to an end –  Not an end in and of itself –  Start of vulnerability management

20


Code Review •  Also known as “static analysis”

•  Again – scanners are great, but manual review and assessment are required for depth

•  Code review can be (is) complicated –  Often more so than dynamic

security testing –  Clean scans, false positives,

prioritization…

21


Code Review: Anti-Patterns •  “Dude with a scanner” approach (redux)

–  Can still be implemented as the “lady with a scanner” approach –  Even worse for code review because source code (or binary) access is required

•  “I’m sure the developers are taking care of this” –  “They’re using [FindBugs|PMD|XYZ tool]”

22


Code Review: Better Patterns •  Key Questions:

–  Who runs the scan? –  What do you do with the results?

•  Centralized Code Review Group –  Helps if you have a mandate and/or the ability to block applications from production

•  Deploy to Developer Desktops –  Can be great for certain organizations, but… –  Many potential pitfalls and hidden costs here

23


Education and Guidance •  It is really hard to hold developers to a standard if you have not

communicated that standard to them and provided guidance on how they can meet that standard

–  Only fair…

•  Can take a variety of forms –  Instructor-led training (ILT) –  e-Learning –  Lunch and learns –  Mentoring –  Knowledge bases

24


Education and Guidance: Anti-Patterns •  “Email a link to OWASP” approach

–  Site is www.owasp.org by the way –  OWASP is great, but…

•  “I made you all a Powerpoint”

•  “Cattle car” instructor-led training

•  Fire and forget e-Learning

25


Education and Guidance: Better Patterns •  Informal approaches can have value

–  But that is not a training program –  Best used to identify staff with a special interest in security

•  e-Learning for everyone –  Make it part of their bonus or annual evaluation

•  Instructor-led training for “mavens” –  Provide context, link to their roles and responsibilities

•  Technology- and role-specific guidance –  Do not force developers to think

26


Where Do We Go From Here?

•  Evaluate where you are

•  Determine the next plateau you want to reach

•  Make a plan to get there (that works for your organization)

27


Questions / Contact Information

Dan Cornell Principal and CTO [email protected] Twitter @danielcornell (210) 572-4400

www.denimgroup.com blog.denimgroup.com