Software Application Control and SDLC

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Software Application Control and SDLC"

Transcription

1 Software Application Control and SDLC Albert J. Marcella, Jr., Ph.D., CISA, CISM 1 The most effective way to achieve secure software is for its development life cycle processes to rigorously conform to secure development, deployment, and sustainment principles and practices. Organizations that have adopted a secure software development life cycle (SDLC) process have found almost immediately upon doing so that they have begun finding many more vulnerabilities and weaknesses in their software early enough in the SDLC that they are able to eradicate those problems at an acceptable cost. Moreover, as such secure practices become second nature over time, these same developers start to notice that they seldom introduce such vulnerabilities and weaknesses into their software in the first place. Albert J. Marcella, Jr., Ph.D., CISA, CISM 2 1

2 A proactive quality management strategy is to have multiple defect removal points in the software development life cycle. The more defect removal points there are, the more likely one is to find problems right after they are introduced, enabling problems to be more easily fixed and the root cause to be more easily determined and addressed. Albert J. Marcella, Jr., Ph.D., CISA, CISM 3 Each defect removal activity can be thought of as a filter that removes some percentage of defects that can lead to vulnerabilities from the software product. The more defect removal filters there are in the software development life cycle, the fewer defects that can lead to vulnerabilities will remain in the software product when it is released. More importantly, early measurement of defects enables the organization to take corrective action early in the software development life cycle. Albert J. Marcella, Jr., Ph.D., CISA, CISM 4 2

3 Albert J. Marcella, Jr., Ph.D., CISA, CISM 5 Each time defects are removed, they are measured. Every defect removal point becomes a measurement point. Defect measurement leads to something even more important than defect removal and prevention: it tells teams where they stand against their goals, helps them decide whether to move to the next step or to stop and take corrective action, and indicates where to fix their process to meet their goals Albert J. Marcella, Jr., Ph.D., CISA, CISM 6 3

4 The development team should consider the following questions when managing defects: 1. What type of defects lead to security vulnerabilities? 2. Where in the software development life cycle should defects be measured? 3. What work products should be examined for defects? 4. What tools and methods should be used to measure the defects? 5. How many defects can be removed at each step? 6. How many estimated defects remain after each removal step? Albert J. Marcella, Jr., Ph.D., CISA, CISM 7 Coding Standards End users, designers and developers are expected to maintain standards for the development of the application/software source code. Their purpose is to increase application/software quality, by proper commenting, limiting module complexity, systematic naming conventions, and other techniques. Such standards are often dependent on the choice of programming language. Albert J. Marcella, Jr., Ph.D., CISA, CISM 8 4

5 Coding Standards are NOTmerely a way of enforcing naming conventions on your code. Coding Standards enforcement ISstatic analysis of source code for: 1. Certain rules and patterns to detect problems automatically. 2. Based on the knowledge collected over many years by industry experts. 3. Virtual code review or peer review by industry respected language experts. Albert J. Marcella, Jr., Ph.D., CISA, CISM 9 System Development Tools What is Gantt Chart? Popular tool used to plan and schedule time relationships among project activities. Albert J. Marcella, Jr., Ph.D., CISA, CISM 10 5

6 Albert J. Marcella, Jr., Ph.D., CISA, CISM 11 PERT The Program Evaluation and Review Technique (PERT) is a network model that allows for randomness in activity completion times. An activity is a task that must be performed and an event is a milestone marking the completion of one or more activities. Before an activity can begin, all of its predecessor activities must be completed. Albert J. Marcella, Jr., Ph.D., CISA, CISM 12 6

7 PERT Diagram Albert J. Marcella, Jr., Ph.D., CISA, CISM 13 Software Metrics Metrics are only useful if you know what to do with the answers you get. Albert J. Marcella, Jr., Ph.D., CISA, CISM 14 7

8 A software metric is like a thermometer. The fact that you measure something at 98.6 F doesn't mean anything until you know what the normal temperature is. A temperature of 98.6 is good for body temperature but really bad for ice cream. 13 Albert J. Marcella, Jr., Ph.D., CISA, CISM 15 Examples of Application Security Metrics 2 Process Metrics Is a SDL Process used? Are security gates enforced? Secure application development standards and testing criteria? Security status of a new application at delivery (e.g., % compliance with organizational security standards and application system requirements). Existence of developer support website (FAQ's, Code Fixes, lessons learned, etc.)? % of developers trained, using organizational security best practice technology, architecture and processes Management Metrics % of applications rated business-critical that have been tested. % of applications which business partners, clients, regulators require be certified. Average time to correct vulnerabilities (trending). % of flaws by lifecycle phase. % of applications using centralized security services. Business impact of critical security incidents. Albert J. Marcella, Jr., Ph.D., CISA, CISM 16 8

9 Examples of Application Security Metrics 2 Vulnerability Metrics Number and criticality of vulnerabilities found. Most commonly found vulnerabilities. Reported defect rates based on security testing (per developer/team, per application) Root cause of Vulnerability Recidivism. % of code that is re-used from other products/projects % of code that is third party (e.g., libraries) Results of source code analysis: Vulnerability severity by project, by organization Vulnerabilities by category by project, by organization Vulnerability +/- over time by project % of flaws by lifecycle phase (based on when testing occurs) Albert J. Marcella, Jr., Ph.D., CISA, CISM 17 Software Assurance Maturity Model Albert J. Marcella, Jr., Ph.D., CISA, CISM 18 9

10 Software Assurance Maturity Model (SAMM) This model was developed to aid organizations in formulating and implementing a strategy for software security. It is maintained through the OpenSAMMProject as part of the Open Web Application Security Project (OWASP). This model is designed to be tailored to the specific risk environment each organization faces. Albert J. Marcella, Jr., Ph.D., CISA, CISM 19 The model focuses on four core business functions that are involved in software development: 1. Governance: processes and activities related to the way in which an organization manages its software development. 2. Construction: processes and activities related to the way an organization defines the goals for and the creation of software within development projects. 3. Verification: processes and activities related to the way an organization validates and tests artifacts created throughout software development. 4. Deployment: processes and activities related to the way an organization manages the operational release of software it creates to a runtime environment. Albert J. Marcella, Jr., Ph.D., CISA, CISM 20 10

11 Software Assurance Maturity Model (SAMM) Albert J. Marcella, Jr., Ph.D., CISA, CISM 21 Software Security Framework (SSF) Albert J. Marcella, Jr., Ph.D., CISA, CISM 22 11

12 Software Security Framework (SSF) 1. Governance: practices that help organize, manage, and measure a software security initiative 2. Intelligence: practices for collecting corporate knowledge used in carrying out software security activities throughout the organization 3. SDL Touchpoints: practices associated with analysis and assurance of particular software development artifacts and processes 4. Deployment: practices linked to network security and software maintenance organizations Albert J. Marcella, Jr., Ph.D., CISA, CISM 23 Integrating Security into the Software Life Cycle Albert J. Marcella, Jr., Ph.D., CISA, CISM 24 12

13 Systems Development Life Cycle Project Initiation Classify the data that the system will process Determine if sensitive data absolutely must be collected and/or stored Perform risk analysis based on known requirements & classification of data Develop an initial IT System Security Plan Project Definition Identify, document & incorporate security control requirements into IT System design specifications Develop evaluation procedures to validate that security controls Update the IT System Security Plan to include controls Implementation Execute the evaluation procedures Conduct a risk assessment to evaluate overall system risk Update the IT System Security Plan to include controls Disposition Require that data retention schedules are adhered to Require that electronic media is sanitized prior to disposal Albert J. Marcella, Jr., Ph.D., CISA, CISM New Development Push security involvement to the front end of development: Security Design (for sensitive systems) Encrypted communication channels Sensitive information shall not be stored in hidden fields Application Development Application-based authentication shall be performed for access to data that is not considered publicly accessible Support inactivity timeouts on user sessions Data storage must be separated from the application interface Validate all input irrespective of source, focus on server-side Implement a default deny policy for access control Use the least set of privileges required for processing Internal testing must include one of: penetration testing, fuzz testing or source code auditing Clear cached and temporary data upon exit Production and Maintenance Scan internet-facing sensitive applications periodically for vulnerabilities Albert J. Marcella, Jr., Ph.D., CISA, CISM 13

14 Applications Procurement Work to incorporate language into contracts that includes: General Personnel, Security Training, Background Checks Vulnerabilities, Risks and Threats Application Development Development Environment Secure coding, Configuration management, Distribution, Disclosure, Evaluation Testing General, Source Code, Vulnerability and Penetration Test Patches and Updates Tracking Security Issues Delivery Of The Secure Application Self Certification No Malicious Code Security Acceptance And Maintenance Acceptance Investigating Security Issues Albert J. Marcella, Jr., Ph.D., CISA, CISM Source: Legacy Applications Periodic application vulnerability scanning Strong configuration management If vulnerabilities are identified: Each application may have specific challenges Case by case analysis may reveal options: Easy fix Virtualization Host based intrusion prevention Application firewall technology Third party integration Other technology Albert J. Marcella, Jr., Ph.D., CISA, CISM 14

15 Security enhancement of the SDLC process mainly involves the adaptation or augmentation of existing SDLC activities, practices, and checkpoints, and in a few instances, it may also entail the addition of new activities, practices, or checkpoints. Albert J. Marcella, Jr., Ph.D., CISA, CISM 29 The key elements of a secure software life cycle process are: 1. Security criteria in all software life cycle checkpoints (both at the entry of a life cycle phase and at its exit) 2. Adherence to secure software principles and practices 3. Adequate requirements, architecture, and design 4. Secure coding practices 5. Secure software integration/assembly practices 6. Security testing practices that focus on verifying the dependability, trustworthiness, and sustainability of the software being tested 7. Secure distribution and deployment practices and mechanisms 8. Secure sustainment practices 9. Supportive tools 10. Secure software configuration management systems and processes 11. Security-knowledgeable software professionals 12. Security-aware project management 13. Upper management commitment to production of secure software 6 Albert J. Marcella, Jr., Ph.D., CISA, CISM 30 15

16 General Principles (Control Considerations) for Secure Software Development The following principles should guide the development of secure software, including all decisions made in producing the deliverables at every phase of the software life cycle. Albert J. Marcella, Jr., Ph.D., CISA, CISM Minimize the number of high-consequence targets The software should contain as few high-consequence targets (critical and trusted components) as possible. High-consequence targets are those that represent the greatest potential loss if the software is compromised and therefore require the most protection from attack. Critical and trusted components are high-consequence because of the magnitude of impact if they are compromised. This principle contributes to trustworthiness and, by its implied contribution to smallness and simplicity, also to dependability. Albert J. Marcella, Jr., Ph.D., CISA, CISM 32 16

17 2. Don t expose vulnerable and high-consequence components The critical and trusted components the software contains should not be exposed to attack. In addition, known vulnerable components should also be protected from exposure because they can be compromised with little attacker expertise or expenditure of effort and resources. This principle contributes to trustworthiness. Albert J. Marcella, Jr., Ph.D., CISA, CISM Deny attackers the means to compromise The software should not provide the attacker with the means by which to compromise it. Such means include exploitable weaknesses and vulnerabilities, dormant code, backdoors, etc. Also, provide the ability to minimize damage, recover, and reconstitute the software as quickly as possible following a compromising (or potentially compromising) event to prevent greater compromise. Albert J. Marcella, Jr., Ph.D., CISA, CISM 34 17

18 3. Deny attackers the means to compromise In practical terms, this will require building in the means to monitor, record, and react to how the software behaves and what inputs it receives. This principle contributes to dependability, trustworthiness, and resilience. Albert J. Marcella, Jr., Ph.D., CISA, CISM Always assume the impossible will happen Events that seem to be impossible rarely are. They are often based on an expectation that something in a particular environment is highly unlikely to exist or to happen. If the environment changes or the software is installed in a new environment, those events may become quite likely. The software should be designed to guard against both likely and unlikely events. Albert J. Marcella, Jr., Ph.D., CISA, CISM 36 18

19 5. Never make blind assumptions Validate every assumption made by the software or about the software before acting on that assumption. 6. Security software is not the same as secure software Just because software performs information securityrelated functions does not mean the software itself is secure. Software that performs security functions is just as likely to contain flaws and bugs as other software. Albert J. Marcella, Jr., Ph.D., CISA, CISM 37 Software Assurance Albert J. Marcella, Jr., Ph.D., CISA, CISM 38 19

20 The main objective of software assurance is to ensure that the processes, procedures, and products used to produce and sustain the software conform to all requirements and standards specified to govern those processes, procedures, and products. Software security and secure software are often discussed in the context of software assurance. Software assurance in its broader sense refers to the assurance of any required property of software. Albert J. Marcella, Jr., Ph.D., CISA, CISM 39 An increasingly agreed-upon approach for assuring the security of software is the software security assurance case, which is intended to provide justifiable confidence that the software under consideration: 1. Is free of vulnerabilities; 2. Functions in the intended manner, and this intended manner does not compromise the security or any other required properties of the software, its environment, or the information it handles; and 3. Can be trusted to continue operating dependably under all anticipated circumstances, including anomalous and hostile environmental and utilization circumstances which means that those who build the software need to anticipate such circumstances and design and implement the software to be able to handle them gracefully. Albert J. Marcella, Jr., Ph.D., CISA, CISM 40 20

Sanjay Misra Prof of Computer Engineering Head,Department of Cyber Security Science Federal University of Technology,Minna,Nigeria

Sanjay Misra Prof of Computer Engineering Head,Department of Cyber Security Science Federal University of Technology,Minna,Nigeria Sanjay Misra Prof of Computer Engineering Head,Department of Cyber Security Science Federal University of Technology,Minna,Nigeria 1 A Main Challenge to Cyber Security Science A major difference between

More information

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP How to start a software security initiative within your organization: a maturity based and metrics driven approach Marco Morana OWASP Lead/ TISO Citigroup OWASP Application Security For E-Government Copyright

More information

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation) It is a well-known fact in computer security that security problems are very often a direct result of software bugs. That leads security researches to pay lots of attention to software engineering. The

More information

Effective Software Security Management

Effective Software Security Management Effective Software Security Management choosing the right drivers for applying application security Author: Dharmesh M Mehta dharmeshmm@mastek.com / dharmeshmm@owasp.org Table of Contents Abstract... 1

More information

Building Security into the Software Life Cycle

Building Security into the Software Life Cycle Building Security into the Software Life Cycle A Business Case Marco M. Morana Senior Consultant Foundstone Professional Services, a Division of McAfee Outline» Glossary» What is at risk, what we do about

More information

The Security Development Lifecycle

The Security Development Lifecycle The Security Development Lifecycle Steven B. Lipner Director of Security Engineering Strategy Security Business and Technology Unit Microsoft Corporation Context and History 1960s penetrate and patch 1970s

More information

Application Security in the Software Development Lifecycle

Application Security in the Software Development Lifecycle Application Security in the Software Development Lifecycle Issues, Challenges and Solutions www.quotium.com 1/15 Table of Contents EXECUTIVE SUMMARY... 3 INTRODUCTION... 4 IMPACT OF SECURITY BREACHES TO

More information

TABLE OF CONTENT. Page 2 of 9 INTERNET FIREWALL POLICY

TABLE OF CONTENT. Page 2 of 9 INTERNET FIREWALL POLICY IT FIREWALL POLICY TABLE OF CONTENT 1. INTRODUCTION... 3 2. TERMS AND DEFINITION... 3 3. PURPOSE... 5 4. SCOPE... 5 5. POLICY STATEMENT... 5 6. REQUIREMENTS... 5 7. OPERATIONS... 6 8. CONFIGURATION...

More information

State of Oregon. State of Oregon 1

State of Oregon. State of Oregon 1 State of Oregon State of Oregon 1 Table of Contents 1. Introduction...1 2. Information Asset Management...2 3. Communication Operations...7 3.3 Workstation Management... 7 3.9 Log management... 11 4. Information

More information

Security Metrics Rehab. Breaking Free from Top X Lists, Cultivating Organic Metrics, & Realizing Operational Risk Management

Security Metrics Rehab. Breaking Free from Top X Lists, Cultivating Organic Metrics, & Realizing Operational Risk Management Security Metrics Rehab Breaking Free from Top X Lists, Cultivating Organic Metrics, & Realizing Operational Risk Management April 11, 2014 About Me! Author of P.A.S.T.A threat modeling methodology (risk

More information

Certified Information Systems Auditor (CISA)

Certified Information Systems Auditor (CISA) Certified Information Systems Auditor (CISA) Course Introduction Course Introduction Module 01 - The Process of Auditing Information Systems Lesson 1: Management of the Audit Function Organization of the

More information

Secure Development LifeCycles (SDLC)

Secure Development LifeCycles (SDLC) www.pwc.com Feb 2014 Secure Development LifeCycles (SDLC) Bart De Win Bart De Win? 15+ years of Information Security Experience Ph.D. in Computer Science - Application Security Author of >60 scientific

More information

Certification Report

Certification Report Certification Report McAfee Network Security Platform v7.1 (M-series sensors) Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification

More information

Certification Report

Certification Report Certification Report EAL 3+ Evaluation of AccessData Cyber Intelligence and Response Technology v2.1.2 Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria

More information

Maruleng Local Municipality

Maruleng Local Municipality Maruleng Local Municipality. 22 November 2011 1 Version Control Version Date Author(s) Details 1.1 23/03/2012 Masilo Modiba New Policy 2 Contents ICT Firewall Policy 1 Version Control.2 1. Introduction.....4

More information

Protect Your Organization With the Certification That Maps to a Master s-level Education in Software Assurance

Protect Your Organization With the Certification That Maps to a Master s-level Education in Software Assurance Protect Your Organization With the Certification That Maps to a Master s-level Education in Software Assurance Sponsored by the U.S. Department of Homeland Security (DHS), the Software Engineering Institute

More information

Development Processes (Lecture outline)

Development Processes (Lecture outline) Development*Process*for*Secure* So2ware Development Processes (Lecture outline) Emphasis on building secure software as opposed to building security software Major methodologies Microsoft's Security Development

More information

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Standard: Data Security Standard (DSS) Requirement: 6.6 Date: February 2008 Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Release date: 2008-04-15 General PCI

More information

Risk Management Guide for Information Technology Systems. NIST SP800-30 Overview

Risk Management Guide for Information Technology Systems. NIST SP800-30 Overview Risk Management Guide for Information Technology Systems NIST SP800-30 Overview 1 Risk Management Process that allows IT managers to balance operational and economic costs of protective measures and achieve

More information

Extreme Networks Security Analytics G2 Vulnerability Manager

Extreme Networks Security Analytics G2 Vulnerability Manager DATA SHEET Extreme Networks Security Analytics G2 Vulnerability Manager Improve security and compliance by prioritizing security gaps for resolution HIGHLIGHTS Help prevent security breaches by discovering

More information

Open Data Center Alliance Usage: Provider Assurance Rev. 1.1

Open Data Center Alliance Usage: Provider Assurance Rev. 1.1 sm Open Data Center Alliance Usage: Provider Assurance Rev. 1.1 Legal Notice This Open Data Center Alliance SM Usage:Provider Assurance is proprietary to the Open Data Center Alliance, Inc. NOTICE TO USERS

More information

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping Larry Wilson Version 1.0 November, 2013 University Cyber-security Program Critical Asset Mapping Part 3 - Cyber-Security Controls Mapping Cyber-security Controls mapped to Critical Asset Groups CSC Control

More information

Cisco Advanced Services for Network Security

Cisco Advanced Services for Network Security Data Sheet Cisco Advanced Services for Network Security IP Communications networking the convergence of data, voice, and video onto a single network offers opportunities for reducing communication costs

More information

Secure Code Development

Secure Code Development ISACA South Florida 7th Annual WOW! Event Copyright Elevate Consult LLC. All Rights Reserved 1 Agenda i. Background ii. iii. iv. Building a Business Case for Secure Coding Top-Down Approach to Develop

More information

IT Professional Standards. Information Security Discipline. Sub-discipline 605 Information Security Testing and Information Assurance Methodologies

IT Professional Standards. Information Security Discipline. Sub-discipline 605 Information Security Testing and Information Assurance Methodologies IT Professional Standards Information Security Discipline Sub-discipline 605 Information Security Testing and Information Assurance Methodologies December 2012 Draft Version 0.6 DOCUMENT REVIEW Document

More information

Panel: SwA Practices - Getting to Effectiveness in Implementation

Panel: SwA Practices - Getting to Effectiveness in Implementation Panel: SwA Practices - Getting to Effectiveness in Implementation (EMC s Evolution of Product Security Assurance) Dan Reddy, CISSP, CSSLP EMC Product Security Office Software Assurance Forum Gaithersburg,

More information

Application Reviews and Web Application Firewalls Clarified. Information Supplement: PCI Data Security Standard (PCI DSS) Requirement:

Application Reviews and Web Application Firewalls Clarified. Information Supplement: PCI Data Security Standard (PCI DSS) Requirement: Standard: Version: Date: Requirement: Author: PCI Data Security Standard (PCI DSS) 1.2 October 2008 6.6 PCI Security Standards Council Information Supplement: Application Reviews and Web Application Firewalls

More information

SAP Security Recommendations December 2011. Secure Software Development at SAP Embedding Security in the Product Innovation Lifecycle Version 1.

SAP Security Recommendations December 2011. Secure Software Development at SAP Embedding Security in the Product Innovation Lifecycle Version 1. SAP Security Recommendations December 2011 Secure Software Development at SAP Embedding Security in the Product Innovation Lifecycle Version 1.0 Secure Software Development at SAP Table of Contents 4

More information

Building More Secure Commercial Software: The Trustworthy Computing Security Development Lifecycle

Building More Secure Commercial Software: The Trustworthy Computing Security Development Lifecycle Building More Secure Commercial Software: The Trustworthy Computing Development Lifecycle Steven B. Lipner Microsoft Corporation With the growth of the Internet as a vehicle for commercial, governmental,

More information

Mean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP

Mean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP Mean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP Presentation Overview Basic Application Security (AppSec) Fundamentals Risks Associated With

More information

Cutting Edge Practices for Secure Software Engineering

Cutting Edge Practices for Secure Software Engineering Cutting Edge Practices for Secure Software Engineering Kanchan Hans Amity Institute of Information Technology Amity University, Noida, 201301, India khans@amity.edu Abstract Security has become a high

More information

Certified Information Security Manager (CISM)

Certified Information Security Manager (CISM) Certified Information Security Manager (CISM) Course Introduction Course Introduction Domain 01 - Information Security Governance Lesson 1: Information Security Governance Overview Information Security

More information

The introduction covers the recent changes is security threats and the effect those changes have on how we protect systems.

The introduction covers the recent changes is security threats and the effect those changes have on how we protect systems. 1 Cyber-attacks frequently take advantage of software weaknesses unintentionally created during development. This presentation discusses some ways that improved acquisition practices can reduce the likelihood

More information

Software Development: The Next Security Frontier

Software Development: The Next Security Frontier James E. Molini, CISSP, CSSLP Microsoft Member, (ISC)² Advisory Board of the Americas jmolini@microsoft.com http://www.codeguard.org/blog Software Development: The Next Security Frontier De-perimiterization

More information

ISSECO Syllabus Public Version v1.0

ISSECO Syllabus Public Version v1.0 ISSECO Syllabus Public Version v1.0 ISSECO Certified Professional for Secure Software Engineering Date: October 16th, 2009 This document was produced by the ISSECO Working Party Syllabus Introduction to

More information

Put into test the security of an environment and qualify its resistance to a certain level of attack.

Put into test the security of an environment and qualify its resistance to a certain level of attack. Penetration Testing: Comprehensively Assessing Risk What is a penetration test? Penetration testing is a time-constrained and authorized attempt to breach the architecture of a system using attacker techniques.

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results Acquire or develop application systems software Controls provide reasonable assurance that application and system software is acquired or developed that effectively supports financial reporting requirements.

More information

HP Fortify application security

HP Fortify application security HP Fortify application security Erik Costlow Enterprise Security The problem Cyber attackers are targeting applications Networks Hardware Applications Intellectual Property Security Measures Switch/Router

More information

Reducing Application Vulnerabilities by Security Engineering

Reducing Application Vulnerabilities by Security Engineering Reducing Application Vulnerabilities by Security Engineering - Subash Newton Manager Projects (Non Functional Testing, PT CoE Group) 2008, Cognizant Technology Solutions. All Rights Reserved. The information

More information

TECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS

TECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS TECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS Technical audits in accordance with Regulation 211/2011 of the European Union and according to Executional Regulation 1179/2011 of the

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,

More information

Data Management Policies. Sage ERP Online

Data Management Policies. Sage ERP Online Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...

More information

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities

More information

Goals. Understanding security testing

Goals. Understanding security testing Getting The Most Value From Your Next Network Penetration Test Jerald Dawkins, Ph.D. True Digital Security p. o. b o x 3 5 6 2 3 t u l s a, O K 7 4 1 5 3 p. 8 6 6. 4 3 0. 2 5 9 5 f. 8 7 7. 7 2 0. 4 0 3

More information

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security

More information

Central Agency for Information Technology

Central Agency for Information Technology Central Agency for Information Technology Kuwait National IT Governance Framework Information Security Agenda 1 Manage security policy 2 Information security management system procedure Agenda 3 Manage

More information

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 Revision History Update this table every time a new edition of the document is

More information

UF Risk IT Assessment Guidelines

UF Risk IT Assessment Guidelines Who Should Read This All risk assessment participants should read this document, most importantly, unit administration and IT workers. A robust risk assessment includes evaluation by all sectors of an

More information

Entire contents 2011 Praetorian. All rights reserved. Information Security Provider and Research Center www.praetorian.com

Entire contents 2011 Praetorian. All rights reserved. Information Security Provider and Research Center www.praetorian.com Entire contents 2011 Praetorian. All rights reserved. Information Security Provider and Research Center www.praetorian.com Threat Modeling "Threat modeling at the design phase is really the only way to

More information

White Paper. Automating Your Code Review: Moving to a SaaS Model for Application Security

White Paper. Automating Your Code Review: Moving to a SaaS Model for Application Security White Paper Automating Your Code Review: Moving to a SaaS Model for Application Security Contents Overview... 3 Executive Summary... 3 Code Review and Security Analysis Methods... 5 Source Code Review

More information

Information Security for Managers

Information Security for Managers Fiscal Year 2015 Information Security for Managers Introduction Information Security Overview Enterprise Performance Life Cycle Enterprise Performance Life Cycle and the Risk Management Framework Categorize

More information

Appendix. Key Areas of Concern. i. Inadequate coverage of cybersecurity risk assessment exercises

Appendix. Key Areas of Concern. i. Inadequate coverage of cybersecurity risk assessment exercises Appendix Key Areas of Concern i. Inadequate coverage of cybersecurity risk assessment exercises The scope coverage of cybersecurity risk assessment exercises, such as cybersecurity control gap analysis

More information

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1 Host Hardening Presented by Douglas Couch & Nathan Heck Security Analysts for ITaP 1 Background National Institute of Standards and Technology Draft Guide to General Server Security SP800-123 Server A

More information

From Chaos to Clarity: Embedding Security into the SDLC

From Chaos to Clarity: Embedding Security into the SDLC From Chaos to Clarity: Embedding Security into the SDLC Felicia Nicastro Security Testing Services Practice SQS USA Session Description This session will focus on the security testing requirements which

More information

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION Information security is a critical issue for institutions of higher education (IHE). IHE face issues of risk, liability, business continuity,

More information

A Survey on Requirements and Design Methods for Secure Software Development*

A Survey on Requirements and Design Methods for Secure Software Development* A Survey on Requirements and Design Methods for Secure Software Development* Muhammad Umair Ahmed Khan and Mohammad Zulkernine School of Computing Queen s University Kingston, Ontario, Canada K7L 3N6 {umair

More information

Managing IT Security with Penetration Testing

Managing IT Security with Penetration Testing Managing IT Security with Penetration Testing Introduction Adequately protecting an organization s information assets is a business imperative one that requires a comprehensive, structured approach to

More information

Noorul Islam College of Engineering M. Sc. Software Engineering (5 yrs) IX Semester XCS592- Software Project Management

Noorul Islam College of Engineering M. Sc. Software Engineering (5 yrs) IX Semester XCS592- Software Project Management Noorul Islam College of Engineering M. Sc. Software Engineering (5 yrs) IX Semester XCS592- Software Project Management 8. What is the principle of prototype model? A prototype is built to quickly demonstrate

More information

Principles of Information Security, Fourth Edition. Chapter 12 Information Security Maintenance

Principles of Information Security, Fourth Edition. Chapter 12 Information Security Maintenance Principles of Information Security, Fourth Edition Chapter 12 Information Security Maintenance Learning Objectives Upon completion of this material, you should be able to: Discuss the need for ongoing

More information

Certification Report

Certification Report Certification Report EAL 4+ Evaluation of ncipher nshield Family of Hardware Security Modules Firmware Version 2.33.60 Issued by: Communications Security Establishment Canada Certification Body Canadian

More information

An Integrated CyberSecurity Approach for HEP Grids. Workshop Report. http://hpcrd.lbl.gov/hepcybersecurity/

An Integrated CyberSecurity Approach for HEP Grids. Workshop Report. http://hpcrd.lbl.gov/hepcybersecurity/ An Integrated CyberSecurity Approach for HEP Grids Workshop Report http://hpcrd.lbl.gov/hepcybersecurity/ 1. Introduction The CMS and ATLAS experiments at the Large Hadron Collider (LHC) being built at

More information

Click to edit Master title style

Click to edit Master title style EVOLUTION OF CYBERSECURITY Click to edit Master title style IDENTIFYING BEST PRACTICES PHILIP DIEKHOFF, IT RISK SERVICES TECHNOLOGY THE DARK SIDE AGENDA Defining cybersecurity Assessing your cybersecurity

More information

Certification Report

Certification Report Certification Report EAL 2 Evaluation of with Gateway and Key Management v2.9 running on Fedora Core 6 Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria

More information

Ohio Supercomputer Center

Ohio Supercomputer Center Ohio Supercomputer Center Intrusion Prevention and Detection No: Effective: OSC-12 5/21/09 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security

More information

Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2.

Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2. ISO 27002 Compliance Guide September 2015 Contents Compliance Guide 01 02 03 Introduction 1 Detailed Controls Mapping 2 About Rapid7 7 01 INTRODUCTION If you re looking for a comprehensive, global framework

More information

Certification Report

Certification Report Certification Report EAL 4+ Evaluation of BlackBerry Enterprise Server version 5.0.0 Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification

More information

Certification Report

Certification Report Certification Report EAL 3+ Evaluation of RSA envision platform v4.0 SP 1 Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification

More information

Certification Report

Certification Report Certification Report EAL 4+ Evaluation of WatchGuard and Fireware XTM Operating System v11.5.1 Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation

More information

Procuring Penetration Testing Services

Procuring Penetration Testing Services Procuring Penetration Testing Services Introduction Organisations like yours have the evolving task of securing complex IT environments whilst delivering their business and brand objectives. The threat

More information

Improving RoI by Using an SDL

Improving RoI by Using an SDL Improving RoI by Using an SDL This paper discusses how you can improve return on investment (RoI) by implementing a secure development lifecycle (SDL). It starts with a brief introduction to SDLs then

More information

Plain English Guide To Common Criteria Requirements In The. Field Device Protection Profile Version 0.75

Plain English Guide To Common Criteria Requirements In The. Field Device Protection Profile Version 0.75 Plain English Guide To Common Criteria Requirements In The Field Device Protection Profile Version 0.75 Prepared For: Process Control Security Requirements Forum (PCSRF) Prepared By: Digital Bond, Inc.

More information

W16 INTEGRATING SECURITY INTO THE DEVELOPMENT LIFECYCLE. Ryan English SPI Dynamics Inc BIO PRESENTATION 6/28/2006 3:00 PM

W16 INTEGRATING SECURITY INTO THE DEVELOPMENT LIFECYCLE. Ryan English SPI Dynamics Inc BIO PRESENTATION 6/28/2006 3:00 PM BIO PRESENTATION W16 6/28/2006 3:00 PM INTEGRATING SECURITY INTO THE DEVELOPMENT LIFECYCLE Ryan English SPI Dynamics Inc Better Software Conference June 26 29, 2006 Las Vegas, NV USA Ryan English Ryan

More information

Certification Report

Certification Report Certification Report EAL 2+ Evaluation of McAfee Email and Web Security Appliance Version 5.5 Patch 2 Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria

More information

UIIPA - Security Risk Management. June 2015

UIIPA - Security Risk Management. June 2015 UIIPA - Security Risk Management June 2015 1 Introduction Tim Hastings, Chief Information Security Officer State of Utah - Department of Technology Services Tim Hastings has more than 16 years of experience

More information

IBM Security QRadar Vulnerability Manager

IBM Security QRadar Vulnerability Manager IBM Security QRadar Vulnerability Manager Improve security and compliance by prioritizing security gaps for resolution Highlights Help prevent security breaches by discovering and highlighting high-risk

More information

The Security Development Lifecycle. Steven B. Lipner, CISSP SLipner@microsoft.com Senior Director Security Engineering Strategy Microsoft Corp.

The Security Development Lifecycle. Steven B. Lipner, CISSP SLipner@microsoft.com Senior Director Security Engineering Strategy Microsoft Corp. The Security Development Lifecycle Steven B. Lipner, CISSP SLipner@microsoft.com Senior Director Security Engineering Strategy Microsoft Corp. 2 Overview Introduction A look back Trustworthy Computing

More information

Agile and Secure Can We Be Both? Chicago OWASP. June 20 th, 2007

Agile and Secure Can We Be Both? Chicago OWASP. June 20 th, 2007 Agile and Secure Can We Be Both? Chicago OWASP June 20 th, 2007 The Agile Practitioner s Dilemma Agile Forces: Be more responsive to business concerns Increase the frequency of stable releases Decrease

More information

IBM Managed Security Services Vulnerability Scanning:

IBM Managed Security Services Vulnerability Scanning: IBM Managed Security Services August 2005 IBM Managed Security Services Vulnerability Scanning: Understanding the methodology and risks Jerry Neely Network Security Analyst, IBM Global Services Page 2

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

Corporate Security Research and Assurance Services

Corporate Security Research and Assurance Services Corporate Security Research and Assurance Services We Keep Your Business In Business Obrela Security Industries mission is to provide Enterprise Information Security Intelligence and Risk Management Services

More information

Host/Platform Security. Module 11

Host/Platform Security. Module 11 Host/Platform Security Module 11 Why is Host/Platform Security Necessary? Firewalls are not enough All access paths to host may not be firewall protected Permitted traffic may be malicious Outbound traffic

More information

CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT

CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT How advancements in automated security testing software empower organizations to continuously measure information

More information

Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda 1. Introductions for new members (5 minutes) 2. Name of group 3. Current

More information

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus Information Technology Engineers Examination Information Security Specialist Examination (Level 4) Syllabus Details of Knowledge and Skills Required for the Information Technology Engineers Examination

More information

Unified Security Management

Unified Security Management Unified Security Reduce the Cost of Compliance Introduction In an effort to achieve a consistent and reliable security program, many organizations have adopted the standard as a key compliance strategy

More information

CSUSB Web Application Security Standard CSUSB, Information Security & Emerging Technologies Office

CSUSB Web Application Security Standard CSUSB, Information Security & Emerging Technologies Office CSUSB, Information Security & Emerging Technologies Office Last Revised: 03/17/2015 Draft REVISION CONTROL Document Title: Author: File Reference: CSUSB Web Application Security Standard Javier Torner

More information

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808 cover_comp_01 9/9/02 5:01 PM Page 1 For further information, please contact: The President s Critical Infrastructure Protection Board Office of Energy Assurance U.S. Department of Energy 202/ 287-1808

More information

G- Cloud Specialist Cloud Services. Security and Penetration Testing. Overview

G- Cloud Specialist Cloud Services. Security and Penetration Testing. Overview Description C Service Overview G- Cloud Specialist Cloud Services Security and Penetration Testing This document provides a description of TVS s Security and Penetration Testing Service offered under the

More information

Cyber Essentials Scheme

Cyber Essentials Scheme Cyber Essentials Scheme Requirements for basic technical protection from cyber attacks June 2014 December 2013 Contents Contents... 2 Introduction... 3 Who should use this document?... 3 What can these

More information

PHASE 5: DESIGN PHASE

PHASE 5: DESIGN PHASE PHASE 5: DESIGN PHASE During the Design Phase, the system is designed to satisfy the requirements identified in the previous phases. The requirements identified in the Requirements Analysis Phase are transformed

More information

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 1. Obtain previous workpapers/audit reports. FIREWALL CHECKLIST Pre Audit Checklist 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 3. Obtain current network diagrams

More information

<name of project> Software Project Management Plan

<name of project> Software Project Management Plan The document in this file is adapted from the IEEE standards for Software Project Management Plans, 1058-1998, which conforms to the requirements of ISO standard 12207 Software Life Cycle Processes. Tailor

More information

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you

More information

Domain 1 The Process of Auditing Information Systems

Domain 1 The Process of Auditing Information Systems Certified Information Systems Auditor (CISA ) Certification Course Description Our 5-day ISACA Certified Information Systems Auditor (CISA) training course equips information professionals with the knowledge

More information

Business Case Outsourcing Information Security: The Benefits of a Managed Security Service

Business Case Outsourcing Information Security: The Benefits of a Managed Security Service Business Case Outsourcing Information Security: The Benefits of a Managed Security Service seccuris.com (866) 644-8442 Contents Introduction... 3 Full- Time Experts vs. a Part- Time In- House Staff...

More information

Information Systems Security

Information Systems Security Information Systems Security Lecture 4: Security Engineering Prof. Dr. Christoph Karg Aalen University of Applied Sciences Department of Computer Science 11.10.2015 Learning Objective Learning Objective

More information

Presented by Evan Sylvester, CISSP

Presented by Evan Sylvester, CISSP Presented by Evan Sylvester, CISSP Who Am I? Evan Sylvester FAST Information Security Officer MBA, Texas State University BBA in Management Information Systems at the University of Texas Certified Information

More information

Certification Report

Certification Report Certification Report EAL 4 Evaluation of SecureDoc Disk Encryption Version 4.3C Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation and Certification

More information