Ntxissacsc5 blue 2-herding cats and security tools-harold_toomey


  • NTXISSA Cyber Security Conference November 10-11, 2017 @NTXISSA #NTXISSACSC5

    Herding Cats and Security Tools

    Harold Toomey

    Product and Application Security

    McAfee LLC

    10 Nov 2017

    NTXISSA.org

  • Table of Contents

    Cat Herding

    Product & Application Security

    Problem Statement

    SDL Activities

    Tool Integrations Diagrams

    Disclaimer

    Usage Scenarios

    Considerations


  • Cat Herding


  • Product & Application Security

    Product: Software developed by engineering BUs to sell to customers

    Application: Software developed by the IT Enterprise Applications team to run on company systems, websites, and servers

    Primary difference is the target audience:
    Customers (Public) - Full SDL
    External-Facing (Partners)
    Internal-Facing (Employees) - Minimal SDL


  • Current Trend

    Waterfall → Agile → Continuous (CI/CD)


  • Problem Statement

    CI/CD requires automation

    Software developers want a single place to go (the ALM)

    ALM: Application Lifecycle Management
    SDLC: Software Development Lifecycle
    SDL: Security Development Lifecycle

    SDL Activity: Entry Criteria → Tasks → Exit Criteria


  • SDL Operational Activities

    1. Program
    2. SDL
    3. PSIRT
    4. People & Resources
    5. Tools & Services
    6. Policy, Compliance, & Certifications
    7. Training
    8. Metrics
    9. Maturity Models


  • SDL Technical Activities

    1. Security Definition of Done (DoD)
    2. Security Architecture Review
    3. Security Design Review
    4. Threat Modeling
    5. Security Testing & Validation
    6. Static Analysis (SAST) / Interactive Analysis (IAST)
    7. Dynamic Analysis (DAST)
    8. Fuzz Testing
    9. Vulnerability Scan
    10. Penetration Testing
    11. Manual Code Review
    12. Secure Coding Standards
    13. Open Source & 3rd Party Libraries
    14. Vendor Management
    15. Privacy
    16. Operating Environment


  • When to do the Technical Activities


  • Why the Different Tools


  • Tools Integration: Generic Flow Diagram Example


  • Herding Cats (Tools)



  • Vulnerability Aggregation


  • Service Desk


  • Solution


  • Disclaimer

    Mention of vendor names and tools does not imply endorsement

    Vendor list is intentionally incomplete

    Based on my limited research

    Best integration for me may not be best for you


  • ALMs


  • Tools Integration: Real Tools Flow Diagram Examples



  • Scenario #1: SDL Requirements

    1. SW security requirements management: Custom SDL, FedRAMP (NIST 800-53), GDPR

    2. Use templates in the ALM, and/or

    3. Use a 3rd-party tool with seamless bi-directional ALM integration
       e.g. SD Elements, HP ALM


  • Scenario #2: Vulnerabilities

    1. Black Duck Hub identifies CVEs in open source

    2. High severity CVEs are sent to JIRA

    3. Engineer sees CVEs in project backlog and fixes

    4. JIRA syncs back to Black Duck Hub, and the fix is verified on the next scan


  • Considerations

    Tool integration considerations

    1. Availability (Y/N)? When?

    2. Push, pull, both (bidirectional), or none?

    3. Native or through a 3rd party connector?

    4. Tight or loose integration?

    5. Server-side or client plugin?

    6. Ability to throttle? (high severity only)

    7. Cost?


  • Considerations

    Business considerations

    1. Due diligence researched (all options)

    2. Integration with existing systems?

    3. Buy, build or use existing?

    4. When? This Fiscal Year, next FY?

    5. Who will use?

    6. Which BUs will purchase? (other benefactors)

    7. Who will install, host, and maintain?

    8. Who will configure and customize?


  • Considerations

    Engineer considerations

    1. Does the ALM contain all user stories?
       Insight: manual integration (email)

    2. Ticketing system adds advanced workflow and SLA reminders
       Does it need to be engineer-friendly, or just tightly integrated with the ALM?

    3. Data overload - throttle settings
       Issue severity: Critical, High, Medium, Low
       Business Impact vs. Risk score vs. CVSS v3 score
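    The Scenario #2 flow (scanner finds CVEs, high-severity ones go to JIRA, the engineer fixes, the fix is verified) together with the throttle setting above, worked as a small offline Python connector. This is an added example, not the speaker's code and not Black Duck's or Atlassian's API: the scan records are constructed with assumed field names and placeholder CVE identifiers, the project key, issue type, labels and priority names are assumptions about the target JIRA instance, and only the `fields` layout of the JIRA REST create-issue body is the real API shape. The CVSS v3 severity bands are the standard FIRST qualitative scale.

```python
"""Scenario #2 as an offline connector sketch: SCA findings -> severity throttle ->
JIRA create-issue payloads -> reconcile ticket state against a rescan (no HTTP)."""
import json
from typing import Dict, List, Set


def cvss3_severity(score: float) -> str:
    """CVSS v3.x qualitative rating scale (FIRST): None 0.0, Low 0.1-3.9,
    Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0."""
    if score <= 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


SEVERITY_RANK = {"None": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}
# Assumed mapping onto a JIRA instance's default priority names; adjust per instance.
JIRA_PRIORITY = {"None": "Lowest", "Low": "Low", "Medium": "Medium",
                 "High": "High", "Critical": "Highest"}

# Constructed scan output. Field names are an assumption, not Black Duck's export
# schema; the CVE ids and component names are placeholders, not real advisories.
SCAN_V1 = [
    {"component": "libexample", "version": "1.2.0", "cve": "CVE-0000-0001", "cvss3": 9.8},
    {"component": "libexample", "version": "1.2.0", "cve": "CVE-0000-0002", "cvss3": 7.5},
    {"component": "parserkit", "version": "0.9.1", "cve": "CVE-0000-0003", "cvss3": 5.3},
    {"component": "loggerx", "version": "3.0.0", "cve": "CVE-0000-0004", "cvss3": 0.0},
]
# Constructed rescan after libexample was upgraded to 1.3.0: CVE-0000-0001 is gone,
# CVE-0000-0002 still applies to the new version.
SCAN_V2 = [
    {"component": "libexample", "version": "1.3.0", "cve": "CVE-0000-0002", "cvss3": 7.5},
    {"component": "parserkit", "version": "0.9.1", "cve": "CVE-0000-0003", "cvss3": 5.3},
]


def finding_key(f: dict) -> str:
    # Dedup on CVE + component, not version: after an upgrade the rescan must
    # match the existing ticket instead of opening a second one.
    return f"{f['cve']}:{f['component']}"


def throttle(findings: List[dict], min_severity: str = "High") -> List[dict]:
    """Throttle setting: only findings at or above min_severity reach the backlog."""
    floor = SEVERITY_RANK[min_severity]
    return [f for f in findings if SEVERITY_RANK[cvss3_severity(f["cvss3"])] >= floor]


def issue_payload(f: dict, project_key: str = "SEC") -> dict:
    """Body for JIRA REST API v2 POST /rest/api/2/issue. The `fields` layout is
    JIRA's; project key, issue type name and labels are assumptions."""
    sev = cvss3_severity(f["cvss3"])
    return {
        "fields": {
            "project": {"key": project_key},
            "issuetype": {"name": "Bug"},
            "priority": {"name": JIRA_PRIORITY[sev]},
            "summary": f"[SCA] {f['cve']} in {f['component']} {f['version']} ({sev}, CVSS {f['cvss3']})",
            "description": f"Finding key: {finding_key(f)}\nUpgrade or patch {f['component']}.",
            "labels": ["sca", f"cvss-{sev.lower()}"],
        }
    }


def new_tickets(findings: List[dict], tracked: Set[str], min_severity: str = "High") -> List[dict]:
    """Steps 1-2: throttled findings not already tracked become create-issue payloads."""
    payloads = []
    for f in throttle(findings, min_severity):
        key = finding_key(f)
        if key in tracked:  # already in the backlog from an earlier scan
            continue
        tracked.add(key)
        payloads.append(issue_payload(f))
    return payloads


def reconcile(ticket_status: Dict[str, str], rescan: List[dict]) -> Dict[str, str]:
    """Step 4: the rescan, not the ticket transition, verifies the fix.
    Returns finding key -> action."""
    still_present = {finding_key(f) for f in rescan}
    actions = {}
    for key, status in ticket_status.items():
        if status == "Done" and key not in still_present:
            actions[key] = "verified"
        elif status == "Done":
            actions[key] = "reopen"  # closed in JIRA, but the scanner still sees it
        elif key not in still_present:
            actions[key] = "close-candidate"  # gone from the scan with no tracked fix
        else:
            actions[key] = "open"
    return actions


def demo():
    tracked: Set[str] = set()
    created = new_tickets(SCAN_V1, tracked)  # the 9.8 and the 7.5; 5.3 and 0.0 are throttled
    rerun = new_tickets(SCAN_V1, tracked)    # same scan again: no duplicate tickets
    done = {key: "Done" for key in tracked}  # engineer closed both; one survives the rescan
    return created, rerun, reconcile(done, SCAN_V2)


if __name__ == "__main__":
    created, rerun, actions = demo()
    print(json.dumps(created, indent=2))
    print(actions)
```

    The point of reconcile() is the last step of the scenario: a ticket moved to Done is a claim, the rescan is the evidence, and a Done ticket whose CVE still shows up is reopened rather than counted as fixed. Deduplicating on CVE plus component keeps a nightly scan from refiling tickets that are already open, which together with the severity floor is what keeps the data-overload problem in check; lowering min_severity to "Medium" on the constructed data admits one more finding, and the CVSS-0.0 entry never passes.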


  • Questions?

    Harold Toomey

    Sr. Software Security Architect

    Product & App. Security Group

    McAfee LLC

    Harold_Toomey@McAfee.com

    W: (972) 963-7754

    M: (801) 830-9987

  • Thank you