Secure SDLC in the Real World: Pitfalls Discovered and Treasure Collected Along the Way

Philip J. Beyer - Texas Education Agency
[email protected]
@pjbeyer

Copyright 2011 by Texas Education Agency. All rights reserved. BSides DFW 2011 http://lanyrd.com/skymf



Description

History: Security BSides DFW 2011 - November 5, 2011 (Philip J Beyer) - http://lanyrd.com/skymf

Summary: I will present the difficulties and successes involved with realigning the development lifecycle at TEA using OpenSAMM.

Abstract: In "Pitfall!", a player must maneuver Pitfall Harry through a maze-like jungle to stay alive. Along the way, he must negotiate numerous hazards, try to recover treasure, and do it all in a limited time. Implementing OWASP's OpenSAMM in a large organization is kinda like playing that classic game. It's a little dangerous, requires vision, planning, and precision, and promises rewards. Like many of its size and with its mandate, the Texas Education Agency already has an SDLC. Enter Pitfall Phil. In an effort to build a stronger program, Pitfall Phil shifted the focus of TEA's application security program to align with OpenSAMM. I will present the hazards he discovered and the treasure he found while playing the game.



Page 2: Overview

• Background
• The Manual
• The Premise
• Treasures and Pitfalls
• Game Over

Page 3: About

• Phil Beyer
  – Information Security Officer
  – Consulting background
• TEA
  – ~700 employees
  – ~1200 school districts
  – ~5 million students

Page 4: Where Did TEA Start?

• Application Security Program already established
  – Some policies & procedures
  – Initial training & exposure to concepts
  – Historically siloed approach
• Outsourcing for subject matter expertise

Page 5: Where Do You Start?

• Establish your Application Security Program
• Be the Champion (or find one)
• Make sure your Team Gets It
• Have a Roadmap to Maturity

Page 6: The Manual (Business Functions)

Page 7: The Manual (Security Practices)

Page 8: The Manual (Phases)

1. The Early Levels
2. Racking Up Some Points
3. Hitting Your Stride
4. Bigger Treasures, Deeper Pits
The End Game

Page 9: The Premise

• It has already started
• Shortcuts don’t exist
  – No cheat codes
  – No invincibility
  – No God mode
• There are Pitfalls
• There are Treasures

Page 10: The Early Levels (Phase 1) - Treasures

• A Map
  – Not necessarily THE Map, but something to get started
  – An organizational roadmap is a powerful thing
• Some Running Room
  – Awareness in the organization is increasing

Page 11: The Early Levels (Phase 1) - Pitfalls

• The Log
  – You can’t stand still
  – Move through Phase 1 so you don’t get rolled over
• Inertia
  – Getting started is just plain hard
  – Determining who should play is also hard

Page 12: Racking Up Some Points (Phase 2) - Treasures

• Silver Bars
  – Development teams begin to appreciate the security problem
• The Ladder
  – More of the team is involved in practicing security
  – You’ve found a new way around the alligator-infested pond

Page 13: Racking Up Some Points (Phase 2) - Pitfalls

• The Alligator
  – There’s a dangerous thing there on the screen
  – Threats are real, and now they see some of them too
• More Players
  – Other people are going to play your game
  – They may not play as { nice | carefully | safely } as you

Page 14: Hitting Your Stride (Phase 3) - Treasures

• Gold Bars
  – Better visibility instills confidence in Management
• The Compass
  – The Program has direction
  – From requirements to maintenance, a formal process starts to emerge

Page 15: Hitting Your Stride (Phase 3) - Pitfalls

• The Scorpion
  – Better-informed Management may sting
• The Wall
  – A different kind of obstacle will block your path
  – Developers and Operators may not enjoy working together more closely

Page 16: Bigger Treasures, Deeper Pits (Phase 4) - Treasures

• The Bridge
  – Get rid of that Rope and jeer at the Alligators as you walk across
  – The whole Program is working together to build securely and verify aggressively

Page 17: Bigger Treasures, Deeper Pits (Phase 4) - Pitfalls

• The Hole
  – Compliance is not Security
  – Don’t let Management fall into the trap at this stage of the game… It can be a pretty deep pit

Page 18: The End Game (Phases 5 & 6) - Treasures

• Shangri-La
  – You’ve reached the mystical, harmonious valley; a permanently happy land isolated from the outside world
  – I’d tell you how it feels, but we haven’t gotten there yet

Page 19: It’s Time to Play

• Build a Mature Software Assurance Program
• Measure and Report Your Progress
• Have Fun!

Page 20: Resources

• OWASP – Open Web Application Security Project
  – http://www.owasp.org/
• OpenSAMM – Software Assurance Maturity Model
  – http://www.opensamm.org/
• Attribution
  – All OpenSAMM images are licensed under the Creative Commons Attribution-Share Alike 3.0 License.