Secure SDLC
Because the question is not IF
The Question is WHEN
Protecting software is much easier if the software is built with security in mind
GENERIC APPROACH FOR SECURITY
Design: security requirements / risk and threat analysis
Build: coding guidelines / code reviews / static analysis
Test: security testing / dynamic analysis
Production: vulnerability scanning / WAF
Proactive Approach (Design, Build) / Reactive Approach (Test, Production)
Secure SDLC
SECURE SDLC
Requirements: Security Requirements, Compliance Analysis, Governance Definition
Design: Risk Assessment, Secure Architecture
Implementation: Code Reviews, Code Analysis
Verification: Security Testing, Risk Assessment Review, Penetration Testing
Release: Security Review, Incident Response Plan
Response: Incident Forensics, Security Monitoring
Across all phases: Security Awareness Trainings
Ensure the Best Practices are integral to the development program and applied
over the lifecycle of the Application
SOFTWARE SECURITY IS EVERYONE’S JOB
PRIMARY BENEFITS
Minimize the costs of security-related issues
Avoid repetitive security issues
Avoid inconsistent levels of security
Determine the activities that pay back fastest in the current state of the project
ORGANIZATION CHALLENGES
An organization's behavior changes slowly over time
• Changes must be iterative while working toward long-term goals
There is no single recipe that works for all organizations
• A solution must enable risk-based choices tailored to the organization
Guidance related to security activities must be prescriptive
• A solution must provide enough details for non-security people
Overall, must be simple, well-defined, and measurable
• Understandable measurement can be used
IMPLEMENTATION CHALLENGES
Team Pushback
Security Ownership
The “Security is Special” problem
“Official/Actual Adoption Dilemma”
Benefits Measurement
Typical Engagement Models
AUTOMATED CODE ANALYSIS
LINEAR INTEGRATION APPROACH
• After the backlog of security-related items has been reviewed and evaluated by Development Management, a 2-week development cycle (iteration) will address the highest ranked items
• Upon delivery of completed code, security testing is performed both manually and using automated testing tools
• Results from manual and automated scans end up in the same backlog repository, to be reviewed and prioritized by Development Management
ITERATION BASED TEST ONLY APPROACH
Analyze Current Practices
Define Goals
Define Roadmap
Execute / Oversee / Adjust
HOW TO GET STARTED
Discovery
Case Study
BUSINESS ISSUE
Drivers: Customer Request, Potential Issues
Requestor: Security Department
Client knows they have issues and requested a team to address them
SOLUTION
• Tactical Goals: address existing local findings (tool generated)
• Strategic Goals: address security design flaws, prevent issues from reappearing in the future
Issues Root Cause Analysis
• Team structured into Addressing and Remediation teams, achieving the Tactical and Strategic Goals respectively
• Prioritized roadmap for the Remediation Team
• Security Risk Assessment
• Security Architecture Analysis
• Security Awareness Trainings for the Team
• Roadmap for the adoption of Secure SDLC practices
Solution for the Strategic Goals
SOLUTION
Phase 1: 1 – 2 months. Team: FTE Security Analyst
Covers the Secure SDLC practices listed above (Requirements, Design, Implementation, Verification, Release, Response) and Security Awareness Trainings
SOLUTION
Phase 2: 2 – 3 months. Team: Part Time Security Analyst
Covers the Secure SDLC practices listed above (Requirements, Design, Implementation, Verification, Release, Response) and Security Awareness Trainings
VALUE
Approach addressing both Tactical and Strategic Goals
Decrease the number of security issues on the project
Minimize potential security issues that might be introduced in the future
Improve security expertise and practices of the current team
Experience sharing with the client's Security Program
POC remediation approach for other products in the client portfolio
Thank You
Questions?