1 From Chaos to Clarity: Embedding Security into the SDLC Felicia Nicastro Security Testing Services Practice SQS USA
2 Session Description This session will focus on the security testing requirements which have been derived from the NIST Standard. It will also tie in requirements from the OWASP Testing Guide v4 and Industry Best Practices. Through each of the phases of the SDLC, the control gates, entry and exit criteria, as well as the short and long term goals for implementing a mature security testing process as part of the SDLC will be included. The purpose is to provide an overall security testing process an organization can implement that focuses on conducting security testing through the SDLC. This trend has been surfacing over the past few years and is also referred to as embedding security testing into the SDLC or also known as the Shift Left approach.
3 Key Learning Points Learn how to integrate security testing into the SDLC Leverage NIST in order to ensure thorough security testing Learn what tests need to be performed during the SDLC
4 Chaos! If only we could get developers and QA teams to develop, test and implement secure code! How do we accomplish this?
5 Clarity! Why embedding security testing into the Software Development Lifecycle of course!! So how do we do that?
6 Let s count the ways NIST is a great start OWASP v4 has guidance as well Education of developers, QA teams Security testing teams working alongside developers
7 For example.
8 SDLC Phase 1: Initiation
9 Initiate Security Planning Key Security Roles Sources of Security Requirements Understanding between stakeholders Document initial security milestones Outline of security requirements and expectations documented
10 Categorize the Information System Establishes foundation for security standardization Three levels (low, moderate, or high) of potential impact should there be a breach of security (a loss of confidentiality, integrity, or availability) Assists in defining appropriate security controls
11 Assess Business Impact Expected outputs are to identify: lines of business supported and how they will be impacted core system components length of time the system can be down before the business is impacted business tolerance for loss of data
12 Assess Privacy Impact Is the system going to transmit, store, or create information that may be considered Private? Defined during Security Categorization Output: Privacy Impact Assessment
13 Ensure Use of Secure Information System Development Processes Secure Concept of Operations (CONOPS) for Development Standards and Processes Security Training for Development Team Quality Management Secure Environment Secure Code Practices and Repositories
14 Phase 1 sets the foundation on which the remainder of the SDLC is built upon Like a house without a solid foundation it will falter and fail
15 Now is when the fun begins
16 SDLC Phase 2: Development / Acquisition
17 Assess Risk to System NIST Guidance for Risk Assessments Purpose is to: evaluate current knowledge of the system s design stated requirements, and minimal security requirements from the security categorization process Results should show specified security controls provide protections or highlight areas where further planning is needed
18 Select and Document Security Controls Made up of 3 activities: the selection of baseline security controls the application of security control tailoring guidance to adjust the initial security control baseline supplementation of the tailored baseline with additional controls based on an assessment of risk and local conditions
19 Design Security Architecture Minimal security requirements as well as requirements and constraints determined early in the process should provide the architects with a set of assumptions and constraints to build around Can provide the most value in lowering the total cost of ownership by planning the systems core components in a secure way Outputs include: Schematic of security integration providing details on where, within the system, security is implemented and shared. Security architectures should be graphically depicted and detailed to the extent the reader can see where the core security controls are applied and how. Identification of common controls used by the system
20 Engineer in Security and Develop Controls Security controls are implemented Applying security controls in development should be considered carefully and planned logically Intent is to integrate the controls so challenges with system performance are known early Output includes: Implemented controls with documented specification for inclusion into the security plan List of security control variations resulting from development decisions and tradeoffs Potential assessment scenarios to test known vulnerabilities or limitations
21 Develop Security Documentation System Security Plan is most important Others include: Configuration management plan Contingency plan (including a BIA) Continuous monitoring plan Security awareness, training and education plan Incident response plan Privacy impact assessment (PIA)
22 Conduct Testing (Developmental, Functional, and Security) The process focuses on: Specificity - testing must be scoped to test the relevant security requirement as it is intended for use in its environment Repeatability - testing must be capable of the execution of a series of tests against an information system more than once (or against similar systems in parallel) and yield similar results each time Iteration - each system will be required to execute functional tests in whole or in part a number of successive times in order to achieve an acceptable level of compliance with the requirements of the system Functional testing should be automated to the degree possible, and the test cases will be published, in detail, to ensure that the test process is repeatable and iterative
23 Now that the development and testing is completed, we move on to the next phase Plus, look at all the security functions we ve already performed!
24 SDLC Phase 3: Implementation / Assessment
25 Create a Detailed Plan for C&A To ensure proper testing and reduce the likelihood of scope creep, the security accreditation boundary should be clearly delineated. This forms the basis for the test plan to be created and approved Output - Initial Work Plan: A planning document that identifies key players, project constraints, core components, scope of testing, and level of expected rigor. The certification package should be close to completion, and any initial agencyspecified conformance reviews initiated
26 Integrate Security into Established Environments or Systems Integration and acceptance testing occur after information system delivery and installation Security control settings are enabled in accordance with manufacturers instructions, available security implementation guidance, and documented security specification
27 Assess System Security Systems being developed or undergoing software, hardware, and/or communication modification(s) must be formally assessed prior to being granted formal accreditation A security certification must be conducted to assess the extent to which the controls are implemented, operating as intended, and producing the desired outcome Periodic testing and evaluation of the security controls in an information system must be conducted Security certification may uncover and describe actual vulnerabilities in the information system
28 Authorize the Information System This security accreditation is based on the verified effectiveness of security controls to some agreedupon level of assurance and an identified residual risk to agency assets or operations The security authorization decision is a risk-based decision that depends heavily, but not exclusively, on the security testing and evaluation results produced during the security control verification process
29 A lot of assessing and certifying just occurred Makes us feel more comfortable launching into operations now!
30 SDLC Phase 4: Operations / Maintenance
31 Review Operational Readiness When systems transition into production, unplanned changes can occur Depending on changes, a modified test of the security controls should be performed This review analyzes those changes, performs additional testing if needed, and confirms systems readiness for production This step is not always needed
32 Perform Configuration Management and Control Configuration management and control procedures are critical to establishing an initial baseline of hardware, software, and firmware components for the information system and subsequently for controlling and maintaining an accurate inventory of any changes to the system. Output includes: Change Control Board (CCB) decisions Updated security documentation Security evaluations of documented system changes
33 Conduct Continuous Monitoring Objective is to determine if the security controls in the information system continue to be effective over time as changes occur in the system as well as the environment in which it operates Ongoing monitoring of security controls can be accomplished in a variety of ways: security reviews, self-assessments, configuration management, antivirus management, patch management, security testing and evaluation, or audits Automation should be leveraged where possible to reduce level of effort and ensure repeatability Don t forget reaccreditation when significant changes have taken place!
34 Wash, Rinse, Repeat! Operational tasks are never finished! Now what happens when it s time to dispose of the system?
35 SDLC Phase 5: Disposal
36 Build and Execute a Disposal/Transition Plan Should account for the disposal / transition status for all critical components, services, and information The plan identifies necessary steps, decisions, and milestones needed to properly close down, transition, or migrate a system or its information. Expected output: Documented disposal/transition plan for closing or transitioning the system and/or its information
37 Ensure Information Preservation When preserving information, organizations should consider the methods that will be required for retrieving information in the future Technology used to retrieve the records may not be readily available in the future Legal requirements for records retention must be considered when disposing of systems Output includes: Index of preserved information, and its location and retention attributes
38 Sanitize Media NIST divides media sanitization into four categories: disposal, clearing, purging and destroying. The system owner categorize the information, assess the nature of the medium on which it is recorded, assess the risk to confidentiality, and determine the future plans for the media. Then decide appropriate sanitization process. Output includes: Media sanitization records
39 Dispose of Hardware and Software Hardware and software can be sold, given away, or discarded as provided by applicable law or regulation The disposal of software should comply with license or other agreements with the developer and with government regulations. Outputs include: Disposition records for hardware and software. These records may include lists of hardware and software released (sold, discarded, or donated), and lists of hardware and software redeployed to other projects or tasks within the organization.
40 Closure of System The information system is formally shut down and disassembled at this point Output: Documentation verifying system closure, including final closure notification to the authorizing and certifying officials, configuration management, system owner, ISSO, and program manager
THE SYSTEM DEVELOPMENT LIFE CYCLE (SDLC) Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute of Standards and Technology The most effective way to protect
Fiscal Year 2015 Information Security for Managers Introduction Information Security Overview Enterprise Performance Life Cycle Enterprise Performance Life Cycle and the Risk Management Framework Categorize
It is a well-known fact in computer security that security problems are very often a direct result of software bugs. That leads security researches to pay lots of attention to software engineering. The
5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE 5 FAH-11 H-510 GENERAL (Office of Origin: IRM/IA) 5 FAH-11 H-511 INTRODUCTION 5 FAH-11 H-511.1 Purpose a. This subchapter implements the policy
Risk Management Guide for Information Technology Systems NIST SP800-30 Overview 1 Risk Management Process that allows IT managers to balance operational and economic costs of protective measures and achieve
DEPARTMENT OF BUDGET & MANAGEMENT (SDLC) Volume 1 Introduction to the SDLC August 2006 Table of Contents Introduction... 3 Overview... 4 Page 2 of 17 INTRODUCTION 1.0 STRUCTURE The SDLC Manual consists
TABLE OF CONTENTS General Topics Purpose and Authorities Roles and Responsibilities Policy and Program Waiver Process Contact Abbreviated Sections/Questions 7.1 What is the purpose of this chapter? 7.2
Security Controls Assessment for Federal Information Systems Census Software Process Improvement Program September 11, 2008 Kevin Stine Computer Security Division National Institute of Standards and Technology
PHASE 5: DESIGN PHASE During the Design Phase, the system is designed to satisfy the requirements identified in the previous phases. The requirements identified in the Requirements Analysis Phase are transformed
Certified Information Systems Auditor (CISA ) Certification Course Description Our 5-day ISACA Certified Information Systems Auditor (CISA) training course equips information professionals with the knowledge
Department Bureau of the Land Interior Management Bureau of Land Management Information System Decommissioning Guide Version Control Log Date Version # Author Description January 11, 2011 0.1 WO-550 Original
DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Information Systems Acquisitions, Development, and Maintenance v1.0 October 15, 2013 Revision History Update this table every time a new
CTR System Report - 2008 FISMA February 27, 2009 TABLE of CONTENTS BACKGROUND AND OBJECTIVES... 5 BACKGROUND... 5 OBJECTIVES... 6 Classes and Families of Security Controls... 6 Control Classes... 7 Control
NIST 800-53A: Guide for Assessing the Security Controls in Federal Information Systems Samuel R. Ashmore Margarita Castillo Barry Gavrich CS589 Information & Risk Management New Mexico Tech Spring 2007
Concept of Operations (CONOPS) Version 1.0 February 7, 2012 Overview Cloud computing technology allows the Federal Government to address demand from citizens for better, faster services and to save resources,
NSTISSI No. 1000 April 2000 National Information Assurance Certification and Accreditation Process (NIACAP) THIS DOCUMENT PROVIDES MINIMUM STANDARDS. FURTHER INFORMATION MAY BE REQUIRED BY YOUR DEPARTMENT
Department of Commerce $ National Oceanic & Atmospheric Administration $ National Weather Service NATIONAL WEATHER SERVICE POLICY DIRECTIVE 80-3 October 28, 2009 Science and Technology SYSTEMS ENGINEERING
5.1 Project Control Overview Project Control is a formal process in project management. In most respects, there is not a lot of room for creativity in the Control Phase of project management. The PMBOK
Infrastructure Information Security Assurance (ISA) Process Handbook AS-805-B March 2005 Transmittal Letter A. Explanation. As part of the Postal Service s efforts to enhance security across all technology
Experience the commitment ISSUE BRIEF Rev. April 2014 Cloud Security for Federal Agencies This paper helps federal agency executives evaluate security and privacy features when choosing a cloud service
Table of Contents I. PURPOSE, SCOPE, AND EXCLUSIONS... 3 II. ROLES & RESPONSIBILITIES... 4 III. GRADED APPROACH TO SQA... 5 IV. SQA PROGRAM ELEMENTS... 6 4.1 Lifecycle Activities... 6 4.1.1 Requirements...
Get Confidence in Mission Security with IV&V Information Assurance September 10, 2014 Threat Landscape Regulatory Framework Life-cycles IV&V Rigor and Independence Threat Landscape Continuously evolving
DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy IT Risk Strategy V0.1 April 21, 2014 Revision History Update this table every time a new edition of the document is published Date Authored
State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES
What is a life cycle model? Framework under which a software product is going to be developed. Defines the phases that the product under development will go through. Identifies activities involved in each
Department of Health and Human Services Centers for Medicare & Medicaid Services Center for Consumer Information and Insurance Oversight Guide to Enterprise Life Cycle Processes, Artifacts, and Reviews
UNITED STATES DEPARTMENT OF AGRICULTURE FOOD SAFETY AND INSPECTION SERVICE WASHINGTON, DC FSIS DIRECTIVE 1306.2 9/28/11 INFORMATION SYSTEM CERTIFICATION AND ACCREDITATION (C&A) I. PURPOSE This directive
PHASE 9: OPERATIONS AND MAINTENANCE PHASE During the Operations and Maintenance Phase, the information system s availability and performance in executing the work for which it was designed is maintained.
Chief Information Officer Office of Information Services Centers for Medicare & Medicaid Services CMS POLICY FOR THE INFORMATION SECURITY PROGRAM FINAL Version 4.0 August 31, 2010 Document Number: CMS-CIO-POL-SEC02-04.0
CRISC Glossary Term Access control Access rights Application controls Asset Authentication The processes, rules and deployment mechanisms that control access to information systems, resources and physical
DEPARTMENT OF VETERANS AFFAIRS VA HANDBOOK 6500.5 Washington, DC 20420 Transmittal Sheet March 22, 2010 INCORPORATING SECURITY AND PRIVACY INTO THE SYSTEM DEVELOPMENT LIFE CYCLE 1. REASON FOR ISSUE: This
Appendix 10 IT Security Implementation Guide For Information Management and Communication Support (IMCS) 10.1 Security Awareness Training As defined in NPR 2810.1A, all contractor personnel with access
Enterprise Test Management Standards Version 4.0 09/28/2012 Document Number: FSA_TOADG_STDS_TEST.TMS_001 Document Version Control This section summarizes this document revision history. Each entry includes
29 Jun 2009 Security Certification & Accreditation of Federal Information Systems A Tutorial An Introduction to NIST s 800-37 Dr. Vijay Madisetti Professor, Georgia Tech - ECE firstname.lastname@example.org Tutorial Outline
Effective Software Security Management choosing the right drivers for applying application security Author: Dharmesh M Mehta email@example.com / firstname.lastname@example.org Table of Contents Abstract... 1
Microsoft s Compliance Framework for Online Services Online Services Security and Compliance Executive summary Contents Executive summary 1 The changing landscape for online services compliance 4 How Microsoft
APPENDIX A Appendix A Learning Continuum A-1 Appendix A Learning Continuum A-2 APPENDIX A LEARNING CONTINUUM E D U C A T I O N Information Technology Security Specialists and Professionals Education and
Information System Security Officer (ISSO) Guide Office of the Chief Information Security Officer Version 10 September 16, 2013 DEPARTMENT OF HOMELAND SECURITY Document Change History INFORMATION SYSTEM
TEXAS DEPARTMENT OF INFORMATION RESOURCES System Development Life Cycle Guide Version 1.1 30 MAY 2008 Version History This and other Framework Extension tools are available on Framework Web site. Release
Audit Checklist The following provides a detailed checklist to assist the audit team in reviewing the health of a project. Relevance (at this time) How relevant is this attribute to this project or audit?
Security Authorization Process Guide Office of the Chief Information Security Officer (CISO) Version 11.1 March 16, 2015 TABLE OF CONTENTS Introduction... 1 1.1 Background... 1 1.2 Purpose... 2 1.3 Scope...
The document in this file is adapted from the IEEE standards for Software Project Management Plans, 1058-1998, which conforms to the requirements of ISO standard 12207 Software Life Cycle Processes. Tailor
United States Department of State (PIA) Consular Affairs Enterprise Service Bus (CAESB) 01.00.00 Last Updated: May 1, 2015 Bureau of Administration 1. Contact Information A/GIS/IPS Director Bureau of Administration
State of Oregon State of Oregon 1 Table of Contents 1. Introduction...1 2. Information Asset Management...2 3. Communication Operations...7 3.3 Workstation Management... 7 3.9 Log management... 11 4. Information
Cybersecurity Risk Management Activities Instructions Fiscal Year 2015 An effective risk management program and compliance with the Federal Information Security Management Act (FISMA) requires the U.S.
Sample CDC Certification and Accreditation Checklist For an Application That Is Considered a Moderate Threat Centers for Disease and Prevention National Center for Chronic Disease Prevention and Health
U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS Final Audit Report Subject: AUDIT OF THE INFORMATION TECHNOLOGY SECURITY CONTROLS OF THE U.S. OFFICE OF PERSONNEL MANAGEMENT'S
Software Application Control and SDLC Albert J. Marcella, Jr., Ph.D., CISA, CISM 1 The most effective way to achieve secure software is for its development life cycle processes to rigorously conform to
UNITED STATES DEPARTMENT OF AGRICULTURE FOOD SAFETY AND INSPECTION SERVICE WASHINGTON, DC FSIS DIRECTIVE 1306.3 REVISION 1 12/13/12 CONFIGURATION MANAGEMENT (CM) OF SECURITY CONTROLS FOR INFORMATION SYSTEMS
of the (Subsystem and Version #) () (Document Revision Number) Contract (No.) Task (No.) GSA Contract (No.) Prepared for: The United States Department of Agriculture Food & Nutrition Service (FNS)/ Information
3SL Requirements Definition and Management Using Cradle November 2014 1 1 Introduction This white paper describes Requirements Definition and Management activities for system/product development and modification
FIPS PUB 200 FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION Minimum Security Requirements for Federal Information and Information Systems Computer Security Division Information Technology Laboratory
United States Department of State Global Financial Management System (GFMS) Privacy Impact Assessment CGFS/DCFO/GFMS 1. Contact Information Privacy Impact Assessment (PIA) Department of State Privacy Coordinator
Appendix H Software Development Plan Template Version 2 March 7, 2005 This page is intentionally left blank. Version 2 March 7, 2005 Title Page Document Control Panel Table of Contents List of Acronyms
Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015 OIG-16-A-03 November 12, 2015 All publicly available OIG reports (including
John Essner, CISO Office of Information Technology State of New Jersey http://csrc.nist.gov/publications/nistpubs/800-144/sp800-144.pdf Governance Compliance Trust Architecture Identity and Access Management
Stepping Through the Info Security Program Jennifer Bayuk, CISA, CISM Infosec Program How to: compose an InfoSec Program cement a relationship between InfoSec program and IT Governance design roles and
Fiscal Year 2015 Information Security for IT Administrators Introduction Safeguarding the HHS Mission Information Security Program Management Enterprise Performance Life Cycle Enterprise Performance Life
Information System Security Officer (ISSO) Guide Information Security Office Version 8.0 June 06, 2011 DEPARTMENT OF HOMELAND SECURITY Document Change History INFORMATION SYSTEM SECURITY OFFICER (ISSO)
Federal CIO Council Information Security and Identity Management Committee (ISIMC) Guidelines for the Secure Use of Cloud Computing by Federal Departments and Agencies DRAFT V0.41 Earl Crane, CISSP, CISM
Enterprise Security Tactical Plan Fiscal Years 2011 2012 (July 1, 2010 to June 30, 2012) Prepared By: State Chief Information Security Officer The Information Security Council State of Minnesota Enterprise
PROJECT MANAGEMENT PLAN TEMPLATE < PROJECT NAME > Date of Issue: < date > Document Revision #: < version # > Project Manager: < name > Project Management Plan < Insert Project Name > Revision History Name
Department of the Interior Security Control Standard Security Assessment and Authorization January 2012 Version: 1.2 Signature Approval Page Designated Official Bernard J. Mazer, Department of the Interior,
Privacy by Design Setting a new standard for privacy certification Privacy by Design is a framework based on proactively embedding privacy into the design and operation of IT systems, networked infrastructure,
IT audit updates Current hot topics and key considerations Contents IT risk assessment leading practices IT risks to consider in your audit plan IT SOX considerations and risks COSO 2013 and IT considerations
UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This
DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 Revision History Update this table every time a new edition of the document is
Version 1.7 March 30, 2011 REVISION HISTORY VERSION NO. DATE DESCRIPTION AUTHOR 1.0 Initial Draft Hkelley 1.2 10/22/08 Updated with feedback Hkelley 1.3 1/7/2009 Copy edited Kevans 1.4 4/22/2010 Updated
EXHIBIT L Application Development Processes Optum Development Methodology Development Overview Figure 1: Development process flow The Development phase consists of activities that include the building,
Development, Acquisition, Implementation, and Maintenance of Application Systems Part of a series of notes to help Centers review their own Center internal management processes from the point of view of
Westinghouse Non-Proprietary Class 3 Advanced Logic System 6002-00002-NP, Rev. 10 Function Author Nuclear Safety Related July 2014 APPROVALS Name and Signature Anthony C. Pagano* Integrated Process Lead,
ITL BULLETIN FOR MARCH 2012 GUIDELINES FOR IMPROVING SECURITY AND PRIVACY IN PUBLIC CLOUD COMPUTING Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute
FREQUENTLY ASKED QUESTIONS Continuous Monitoring 1. What is continuous monitoring? Continuous monitoring is one of six steps in the Risk Management Framework (RMF) described in NIST Special Publication
Computing Services Network Project Prepared By: Todd Brindley, CSN Project Version # 1.0 Updated on 09/15/2008 Version 1.0 Page 1 MANAGEMENT PLANNING Project : Version Control Version Date Author Change
IPSWITCH FILE TRANSFER WHITE PAPER Supporting FISMA and NIST SP 800-53 with Secure Managed File Transfer www.ipswitchft.com Adherence to United States government security standards can be complex to plan
Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access