NTXISSA Cyber Security Conference November 10-11, 2017 @NTXISSA #NTXISSACSC5
Herding Cats and Security Tools
Harold Toomey
Product and Application Security
McAfee LLC
10 Nov 2017
NTXISSA.org
Table of Contents
Cat Herding
Product & Application Security
Problem Statement
SDL Activities
Tool Integrations Diagrams
Disclaimer
Usage Scenarios
Considerations
Cat Herding
Product & Application Security
Product: Software developed by engineering BUs to sell to customers
Application: Software developed by the IT Enterprise Applications team to run on company systems, websites, and servers
Primary difference is the target audience:
- Customers (Public): Full SDL
- External-Facing (Partners)
- Internal-Facing (Employees): Minimal SDL
Current Trend
Waterfall -> Agile -> Continuous (CI/CD)
Problem Statement
CI/CD requires automation
Software developers want a single place to go (the ALM)
ALM: Application Lifecycle Management
SDLC: Software Development Lifecycle
SDL: Security Development Lifecycle
(Diagram: the SDL sits inside the SDLC, which sits inside the ALM.)
SDL Activity: Entry Criteria -> Tasks -> Exit Criteria
SDL Operational Activities
1. Program
2. SDL
3. PSIRT
4. People & Resources
5. Tools & Services
6. Policy, Compliance, & Certifications
7. Training
8. Metrics
9. Maturity Models
SDL Technical Activities
1. Security Definition of Done (DoD)
2. Security Architecture Review
3. Security Design Review
4. Threat Modeling
5. Security Testing & Validation
6. Static Analysis (SAST) / Interactive Analysis (IAST)
7. Dynamic Analysis (DAST)
8. Fuzz Testing
9. Vulnerability Scan
10. Penetration Testing
11. Manual Code Review
12. Secure Coding Standards
13. Open Source & 3rd Party Libraries
14. Vendor Management
15. Privacy
16. Operating Environment
When to do the Technical Activities
Why the Different Tools
Tools Integration: Generic Flow Diagram Example
Herding Cats (Tools)
Vulnerability Aggregation
Service Desk
Solution
Disclaimer
Mention of vendor names and tools does not imply endorsement
Vendor list is intentionally incomplete
Based on my limited research
Best integration for me may not be best for you
ALMs
Tools Integration: Real Tools Flow Diagram Examples
Scenario #1: SDL Requirements
1. SW security requirements management: custom SDL, FedRAMP (NIST SP 800-53), GDPR
2. Use templates in the ALM, and/or
3. Use a 3rd party tool with seamless bi-directional ALM integration (e.g. SD Elements, HP ALM)
Scenario #2: Vulnerabilities
1. Black Duck Hub identifies CVEs in open source
2. High severity CVEs are sent to JIRA
3. Engineer sees CVEs in the project backlog and fixes them
4. JIRA syncs back to Black Duck Hub, which verifies the fix
Considerations
Tool integration considerations
1. Availability (Y/N)? When?
2. Push, pull, both (bidirectional), or none?
3. Native or through a 3rd party connector?
4. Tight or loose integration?
5. Server-side or client plugin?
6. Ability to throttle? (high severity only)
7. Cost?
Considerations
Business considerations
1. Due diligence researched (all options)?
2. Integration with existing systems?
3. Buy, build or use existing?
4. When? This Fiscal Year, next FY?
5. Who will use?
6. Which BUs will purchase? (other benefactors)
7. Who will install, host, and maintain?
8. Who will configure and customize?
Considerations
Engineer considerations
1. Does the ALM contain all user stories? Insight: manual integration (email)
2. A ticketing system adds advanced workflow and SLA reminders. Does it need to be engineer friendly, or just tightly integrated with the ALM?
3. Data overload: throttle settings. Issue severity: Critical, High, Medium, Low. Business Impact vs. Risk score vs. CVSS v3 score
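The scanner-to-ticketing loop of Scenario #2 and the severity throttle from item 3 above, as an added example that is not part of the deck: Python glue that walks the four steps (scan, push high-severity findings, engineer fixes, sync back and verify) against constructed findings and an in-memory ticket store. No Black Duck Hub or JIRA API is called; the component names, the "CVE-0000-nnnn" identifiers, the "SEC-n" ticket keys and the Open/Fixed/Verified/Reopened workflow are all assumptions made for the example. The CVSS v3 severity buckets are the standard qualitative ratings (Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0).

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One scanner result (constructed data in this example)."""
    component: str   # library name and version as the scanner reports it
    cve: str         # CVE identifier; the "CVE-0000-nnnn" values used here are placeholders, not real CVEs
    cvss_v3: float   # CVSS v3.x base score, 0.0 to 10.0


def cvss_v3_severity(score: float) -> str:
    """Qualitative rating per the CVSS v3.x specification."""
    if score <= 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


SEVERITY_RANK = {"None": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass
class Ticket:
    key: str
    finding: Finding
    status: str = "Open"   # Open -> Fixed (set by the engineer) -> Verified or Reopened (set by sync_back)


class TicketStore:
    """Stand-in for the ticketing system (assumed, not a JIRA client). Keyed by
    (component, cve) so a finding reported on every scan does not open a duplicate ticket."""

    def __init__(self) -> None:
        self.tickets: dict[tuple[str, str], Ticket] = {}
        self._seq = 0

    def open_if_new(self, f: Finding) -> tuple[Ticket, bool]:
        k = (f.component, f.cve)
        if k in self.tickets:
            return self.tickets[k], False
        self._seq += 1
        self.tickets[k] = Ticket(key=f"SEC-{self._seq}", finding=f)
        return self.tickets[k], True


def push_findings(findings, store: TicketStore, threshold: str = "High"):
    """Scanner -> ticketing push with a severity throttle: only findings rated at or
    above `threshold` open tickets; the rest are returned so they can still be reported."""
    pushed, throttled = [], []
    for f in findings:
        if SEVERITY_RANK[cvss_v3_severity(f.cvss_v3)] >= SEVERITY_RANK[threshold]:
            ticket, created = store.open_if_new(f)
            if created:
                pushed.append(ticket)
        else:
            throttled.append(f)
    return pushed, throttled


def sync_back(store: TicketStore, rescan) -> dict[str, str]:
    """Ticketing -> scanner sync: a ticket the engineer marked Fixed counts as Verified
    only if the rescan no longer reports that (component, cve); otherwise it is Reopened.
    Returns {ticket key: status} for every ticket."""
    still_present = {(f.component, f.cve) for f in rescan}
    for k, t in store.tickets.items():
        if t.status == "Fixed":
            t.status = "Reopened" if k in still_present else "Verified"
    return {t.key: t.status for t in store.tickets.values()}


def demo() -> dict[str, str]:
    """Walk the four steps of the scenario on constructed data."""
    store = TicketStore()
    scan1 = [
        Finding("libfoo 1.0", "CVE-0000-0001", 9.8),   # Critical: ticketed
        Finding("libbar 2.1", "CVE-0000-0002", 7.5),   # High: ticketed
        Finding("libbaz 3.0", "CVE-0000-0003", 5.3),   # Medium: throttled, no ticket
        Finding("libfoo 1.0", "CVE-0000-0001", 9.8),   # duplicate: no second ticket
    ]
    pushed, _throttled = push_findings(scan1, store, threshold="High")
    for t in pushed:                      # step 3: engineer claims both are fixed
        t.status = "Fixed"
    scan2 = [                             # step 4: rescan shows libbar is still vulnerable
        Finding("libbar 2.1", "CVE-0000-0002", 7.5),
        Finding("libbaz 3.0", "CVE-0000-0003", 5.3),
    ]
    return sync_back(store, scan2)


if __name__ == "__main__":
    print(demo())   # {'SEC-1': 'Verified', 'SEC-2': 'Reopened'}
```

The throttle is applied at push time, which is the point that decides how much data reaches the engineer's backlog; the dedup key is what turns a per-scan finding stream into the one-ticket-per-issue view the engineer wants. A real connector would replace `TicketStore` with calls to the ticketing system and the `rescan` list with the scanner's current results, but the verification rule (a "Fixed" ticket is only "Verified" when the scanner stops reporting it) is what makes the sync bi-directional rather than a one-way push.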
Questions?
28
Harold Toomey
Sr. Software Security Architect
Product & App. Security Group
McAfee LLC
Harold_Toomey@McAfee.com
W: (972) 963-7754
M: (801) 830-9987
Thank you