Building Security into the Software Life Cycle

Save this PDF as:
Size: px
Start display at page:

Download "Building Security into the Software Life Cycle"

Transcription

1 Building Security into the Software Life Cycle A Business Case Marco M. Morana Senior Consultant Foundstone Professional Services, a Division of McAfee

2 Outline» Glossary» What is at risk, what we do about it and when» Is software complexity the root cause?» Vulnerability management challenges» Application security vs. software security» A change of perspective: the Software Security Life Cycle (SDLC)» Security-enhancing lifecycle process models» CLASP, activities, phases and roles» Secure-SDLC requirements, how we get there?» Secure software best practices and activities» Guidelines for building secure software» The Secure-SDLC touch-point Model» Secure software best practices and software development models» In summary: take away lessons» Resources 2

3 Glossary» Risk: the probability that a particular threat-source will exercise a particular information system vulnerability and the resulting impact if this should occur» Threat: any circumstance or event with the potential to harm an information system through unauthorized access, destruction, disclosure, modification of data, and/or denial of service.» Vulnerability: a weakness in system security requirements, design, implementation, or operation, that could be accidentally triggered or intentionally exploited» Security Defects: implementation vulnerabilities and design vulnerabilities» Security Bugs: implementation-level security software problem» Security Flaw: design-level security software problem 3

4 What is at risk? 4

5 What we do about it 1) Security defects discovered BEFORE the product release gets into production: - Found during functional tests - Dealt with as bugs - Fixed with changes into the product - Deployed with product release 2) Vulnerabilities discovered AFTER the product release gets into production: - Found during operation & maintenance - Dealt with as security defects - Fixed with new security patches - Deployed in all products already released 5

6 When we do something about it?» Today most people test after software is built! 6

7 Is software complexity the root cause?» Software is getting bigger and more complex: Windows complexity ~ 2 million lines of code in Windows 3.1 (1990) ~ 20 million lines of code in Windows 95 (1997) ~ 40 million lines of code in Windows XP (2001)» More lines of code means more security bugs: - Average Security Bugs in Code: 6 every one Thousand Line Of Code (KLOC) - Millions of LOC => Thousands of Security Bugs» Network centric approach means a penetrate and patch mentality: - 47% of security defects that are exploitable are preventable Lack of focus on secure software development best practices: - Best designed applications have 80% fewer defects than the worst designed 7

8 Application Security vs. Software Security» Penetrate and patch» Look at the issue» Just in time solution: fix one application in one single time» Network Security Centric Perspective» Information Security Knowledge» Short term tactical solutions (e.g. penetration tests)» Security as an afterthought, consider risks only when you are exposed» High risk low ROI activities» Manage software security risks» Looks at the root cause» Lifecycle solution: from start (e,g, inception) to end (e.g. decommissioning)» Software Security Engineering Perspective» Software Security Knowledge» Long term strategic solution (e.g. software security best practices)» Security thought early on, consider risks from software inception» Low risk High ROI activities 8

9 Change of perspective: software security life cycle 9

10 Security-enhancing Lifecycle Process Models» Repetitive and measurable processes» Provide guidance on secure software activities» Apply development best practices to various software artifacts» Integrate with foundational software security activities» Include tactical resources» Provision the use of automation tools» Provide a framework for mapping security activities into SDLC such as: SDLC phases, tasks and checkpoints (e.g. M. Howard SDL) Roles, process phases and interactions (e.g. J. Viega CLASP) Risk management, knowledge and touchpoints (e.g. Gary Mc Graw) 10

11 Comprehensive Lightweight Application Security Process (CLASP) 11

12 Mapping Security Activities, Phases and Roles with CLASP 1. Institute a security awareness program Planning Project Manager 2. Monitor security metrics On going Project Manager 3. Specify operational environment Analysis & Design Requirement Specifier 4. Identify global security policy Planning Requirement Specifier 5. Identify resources and trust boundaries Requirements Architect 6. Identify user roles and resource capability Analysis & Design Requirement Specifier 7. Document security-relevant requirements Requirements Requirement Specifier 8. Detail misuse cases Inception & Elaboration Requirement Specifier 9. Identify attack surface Evaluation Designer 10. Apply security principles to design Analysis & Design Designer 11. Research and assess security posture of tech. solutions Ongoing Architect 12. Annotate class designs with security properties Analysis & Design Designer 13. Specify database security configuration Implementation Designer 14. Threat Modeling Analysis & Design Security Auditor 15. Integrate security analysis into source management proc. Implementation Integrator 16. Implement interface contracts Implementation Implementor 17. Implement and elaborate resource policies and tech. Implementation Implementor 18. Address reported security issues Test Designer 19. Perform source level security review Evaluation Security Auditor 20. Identify, implement, and perform security tests Test Designer 21. Verify security attributes of resources Evaluation Integrator/Tester 22. Perform code signing Transition Integrator 23. Build operational security guide Deploy & Maintain Integrator/Tester 24. Manage security issue disclosure Deploy & Maintain Project Manager 12

13 HACME Secure-SDLC requirements 1. Be complaint with HACME security policies and guidelines (e.g. regulatory compliance, information security policy, information risk management guideline) 2. Define security activities that are both strategic (e.g. long term objectives) and tactical (e.g. short term goals) 3. Provide guidance on each security activity with clear objectives artifacts to be produced and dependencies 4. Show how you map security activities into different software development methodologies (e.g waterfall, AGILE, XP, RUP) 13

14 How we get there?» Adopt an activity driven approach» Define and document security activities derived by best practices: Preliminary Software Risk Analysis Secure Requirements Engineering Security Risk Driven Design Secure Code Implementation Security Tests Secure Configuration & Deployment Metrics & Measurements Training & Awareness» Define dependencies and prerequisites (e.g. activities and artifacts)» Define entry scenarios for the activities (e.g. events and reasons)» Position the activities w.r.t. SDLC methodologies and roadmaps (e.g. new development vs. legacy) 14

15 Secure Software Best Practices and Activities» Preliminary Software Risk Analysis - Define use and misuse cases requires: Business Requirements, Security Requirements depends on: none produces: Misuse Cases Diagrams and descriptions» Security Requirements Engineering - Define Security Requirements requires: Business requirements, Functional requirements, Industry Regulations, Organizational Policies, Technical Standards depends on: Misuse cases produces: Security Requirement Document 15

16 Secure Software Best Practices and Activities» Security Risk Driven Design - Secure Architecture & Design Patterns requires: Requirements, Architecture Documentation depends on: Security Requirements produces: Secure Architecture Documents - Threat Modeling requires: Architecture Documents, Data Classification, Requirements depends on: Misuse cases produces: Threat Profile 16

17 Secure Software Best Practices and Activities» Security Risk Driven Design - Secure Architecture Review requires: Functional Requirements, Architecture Diagrams, Network Diagrams, Data Flow Diagrams depends on: Security Architecture & Design Patterns, Threat Model produces: Security Architecture Review Findings - Security Test Planning requires: Requirements, Architecture & Network diagrams, Data Flow Diagrams, Test Tools & Frameworks depends on: Security Requirements, Misuse cases, Threat Model produces: Security Test Plan 17

18 Secure Software Best Practices and Activities» Secure Code Implementation - Peer Code Review requires: Source code, Coding standards, Architecture documents, depends on: Threat Model produces: Code Review Findings - Automated static & dynamic code review requires: Source code, Components and Libraries, Build depends on: Threat Model produces: Automated Code Review Findings - Security Unit Tests requires: Source code, Unit Test Frameworks depends on: Security Requirements, Test Cases produces: Unit Test Results 18

19 Secure Software Best Practices and Activities» Security Tests - Functional - Risk Driven - System - Component - White Box - Black Box all require: Source code, Architecture documents, Data flow Diagrams, Test Environment all depend on: Security Test Planning, Threat Model, Security Requirements all produce: Test reports 19

20 Secure Software Best Practices and Activities» Secure Configuration & Deployment - Secure Configuration requires: depends on: none produces: Operational data and services, source code, build environment, account and password policies, configuration files Secure Configuration Guide/Checklist - Secure Deployment requires: depends on: none produces: Application files and directories, auditing and logging services, registry entries, authentication services, service components, network configuration, service accounts Secure Deployment Guide/Checklist 20

21 Secure Software Best Practices and On Going Activities» Security Training & Awareness - Security Awareness Training - Secure Architecture Design - Secure Coding - Operational Security - Security QA - Ethical hacking» Metrics & Measurements - Number of bugs vs. flaws - Time to fix bugs vs. flaws - Number of vulnerabilities - Time to respond to incident - Support statistical data» Information Risk Management - Investigate Preliminary Risks - Business Analysis - Asset Classification - Threat & Vulnerability Analysis - Business Impact Analysis - Risk Determination - Risk Strategy Selection» Vulnerability management - Policy Compliance - Vulnerability Assessment - Security Configuration - IT Security Risk Management 21

22 Guidelines for Building Secure Software 1.Threat Modeling The purpose of this exercise is to ensure that all known threats to the application are adequately addressed. During design, you will gather information such as requirements and design artifacts to analyze your application from the prospective of the impacts of potential threats. The main outcome at this activity is a threat profile that identifies and categorizes you application threats, recommends countermeasures and identifies application vulnerabilities. Further information on how this activity should be conducted is covered in the Guideline For Conducting Threat Modeling 22

23 Secure-SDLC Touchpoint Model 23

24 Secure Software Best Practices and the Waterfall Model 24

25 Secure Software Best Practices and the Spiral Model 25

26 Secure Software Best Practices and the RUP Model 26

27 In Summary: Take Away Lessons» Software and organizations are not homogenous (e.g. X divisions, Y software applications running on Z platforms implement N software technologies)» Building security into the SDLC is a formal process: - Top Down (organization driven from CIO) - Bottom up (gap analysis from managers and auditors)» S-SDLC and Information Risk Management are integrated processes: - S-SDLC Manage Software Security Risks - Technical Risk Management Information Risk Management» There is no silver bullet for software security: - Strategic and tactical plans - Roadmaps: short term, near term and long term (e.g. maturity levels)» Clients that care about software security know that: - Application Security!= Software Security - Security = Commitment x (Best Practices^2 + Tools) 27

28 Resources» Foundstone Resources, Whitepapers, Articles Comprehensive, Lightweight Application Security (CLASP) Process DHS Build Security In Most recent books on software security: - Gary McGraw Software Security, January 2006 Addison Wesley - M. Howard and S. Lipner: The Security Development Lifecycle, May 2006 Microsoft Press 28

29 Thanks You For Listening! 29

Building Security Into The Software Life Cycle

Building Security Into The Software Life Cycle Building Security Into The Software Life Cycle A Business Case Marco M. Morana Senior Consultant Foundstone Professional Services a Division of McAfee Email: marco.morana@foundstone.com Outline» Glossary»

More information

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP How to start a software security initiative within your organization: a maturity based and metrics driven approach Marco Morana OWASP Lead/ TISO Citigroup OWASP Application Security For E-Government Copyright

More information

Development Processes (Lecture outline)

Development Processes (Lecture outline) Development*Process*for*Secure* So2ware Development Processes (Lecture outline) Emphasis on building secure software as opposed to building security software Major methodologies Microsoft's Security Development

More information

Effective Software Security Management

Effective Software Security Management Effective Software Security Management choosing the right drivers for applying application security Author: Dharmesh M Mehta dharmeshmm@mastek.com / dharmeshmm@owasp.org Table of Contents Abstract... 1

More information

State of Oregon. State of Oregon 1

State of Oregon. State of Oregon 1 State of Oregon State of Oregon 1 Table of Contents 1. Introduction...1 2. Information Asset Management...2 3. Communication Operations...7 3.3 Workstation Management... 7 3.9 Log management... 11 4. Information

More information

Software Application Control and SDLC

Software Application Control and SDLC Software Application Control and SDLC Albert J. Marcella, Jr., Ph.D., CISA, CISM 1 The most effective way to achieve secure software is for its development life cycle processes to rigorously conform to

More information

A Survey on Requirements and Design Methods for Secure Software Development*

A Survey on Requirements and Design Methods for Secure Software Development* A Survey on Requirements and Design Methods for Secure Software Development* Muhammad Umair Ahmed Khan and Mohammad Zulkernine School of Computing Queen s University Kingston, Ontario, Canada K7L 3N6 {umair

More information

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP Italy Day 2, 2008 March 31 th, 2008 Marco.Morana@OWASP.ORG OWASP Copyright 2008

More information

Improving RoI by Using an SDL

Improving RoI by Using an SDL Improving RoI by Using an SDL This paper discusses how you can improve return on investment (RoI) by implementing a secure development lifecycle (SDL). It starts with a brief introduction to SDLs then

More information

Agile and Secure Can We Be Both? Chicago OWASP. June 20 th, 2007

Agile and Secure Can We Be Both? Chicago OWASP. June 20 th, 2007 Agile and Secure Can We Be Both? Chicago OWASP June 20 th, 2007 The Agile Practitioner s Dilemma Agile Forces: Be more responsive to business concerns Increase the frequency of stable releases Decrease

More information

PASTA Abstract. Process for Attack S imulation & Threat Assessment Abstract. VerSprite, LLC Copyright 2013

PASTA Abstract. Process for Attack S imulation & Threat Assessment Abstract. VerSprite, LLC Copyright 2013 2013 PASTA Abstract Process for Attack S imulation & Threat Assessment Abstract VerSprite, LLC Copyright 2013 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

More information

Entire contents 2011 Praetorian. All rights reserved. Information Security Provider and Research Center www.praetorian.com

Entire contents 2011 Praetorian. All rights reserved. Information Security Provider and Research Center www.praetorian.com Entire contents 2011 Praetorian. All rights reserved. Information Security Provider and Research Center www.praetorian.com Threat Modeling "Threat modeling at the design phase is really the only way to

More information

Building a Corporate Application Security Assessment Program

Building a Corporate Application Security Assessment Program Building a Corporate Application Security Assessment Program Rob Jerdonek and Topher Chung Corporate Information Security Intuit Inc. July 23, 2009 Copyright The Foundation Permission is granted to copy,

More information

Agile and Secure: Can We Be Both?

Agile and Secure: Can We Be Both? Agile and Secure: Can We Be Both? OWASP AppSec Seattle Oct 2006 Keith Landrus Director of Technology Denim Group Ltd. keith.landrus@denimgroup.com (210) 572-4400 Copyright 2006 - The OWASP Foundation Permission

More information

ISSECO Syllabus Public Version v1.0

ISSECO Syllabus Public Version v1.0 ISSECO Syllabus Public Version v1.0 ISSECO Certified Professional for Secure Software Engineering Date: October 16th, 2009 This document was produced by the ISSECO Working Party Syllabus Introduction to

More information

Data Privacy and Gramm- Leach-Bliley Act Section 501(b)

Data Privacy and Gramm- Leach-Bliley Act Section 501(b) Data Privacy and Gramm- Leach-Bliley Act Section 501(b) October 2007 2007 Enterprise Risk Management, Inc. Agenda Introduction and Fundamentals Gramm-Leach-Bliley Act, Section 501(b) GLBA Life Cycle Enforcement

More information

Secure Development Lifecycle. Eoin Keary & Jim Manico

Secure Development Lifecycle. Eoin Keary & Jim Manico Secure Development Lifecycle Jim Manico @manicode OWASP Volunteer Global OWASP Board Member OWASP Cheat-Sheet Series Manager VP of Security Architecture, WhiteHat Security 16 years of web-based, database-driven

More information

Software Security Touchpoint: Architectural Risk Analysis

Software Security Touchpoint: Architectural Risk Analysis Software Security Touchpoint: Architectural Risk Analysis Gary McGraw, Ph.D. Chief Technology Officer, Cigital Founded in 1992 to provide software security and software quality professional services Recognized

More information

Introduction. Secure Software Development 9/03/2015. Matias starts. Daan takes over. Matias takes over. Who are we? Round of introductions

Introduction. Secure Software Development 9/03/2015. Matias starts. Daan takes over. Matias takes over. Who are we? Round of introductions Matias starts Who are we? Applying Static Analysis Matias Madou and Daan Raman, Leuven, Feb 27, 2015 1 At NVISO, I m responsible for the software security practice. Next to the client work, I also leads

More information

Threat Modeling: The Art of Identifying, Assessing, and Mitigating security threats

Threat Modeling: The Art of Identifying, Assessing, and Mitigating security threats Threat Modeling: The Art of Identifying, Assessing, and Mitigating security threats Mohamed Ali Saleh Abomhara University of Agder mohamed.abomhara@uia.no Winter School in Information Security, Finse May

More information

A PRACTICAL APPROACH TO INCLUDE SECURITY IN SOFTWARE DEVELOPMENT

A PRACTICAL APPROACH TO INCLUDE SECURITY IN SOFTWARE DEVELOPMENT A PRACTICAL APPROACH TO INCLUDE SECURITY IN SOFTWARE DEVELOPMENT Chandramohan Muniraman, University of Houston-Victoria, chandram@houston.rr.com Meledath Damodaran, University of Houston-Victoria, damodaranm@uhv.edu

More information

A Study on the Secure Software Development Life Cycle for Common Criteria (CC) Certification

A Study on the Secure Software Development Life Cycle for Common Criteria (CC) Certification , pp. 131-142 http://dx.doi.org/10.14257/ijseia.2015.9.10.13 A Study on the Secure Software Development Life Cycle for Common Criteria (CC) Certification Min-gyu Lee 1, Hyo-jung Sohn 2, Baek-min Seong

More information

Protect Your Organization With the Certification That Maps to a Master s-level Education in Software Assurance

Protect Your Organization With the Certification That Maps to a Master s-level Education in Software Assurance Protect Your Organization With the Certification That Maps to a Master s-level Education in Software Assurance Sponsored by the U.S. Department of Homeland Security (DHS), the Software Engineering Institute

More information

Cutting Edge Practices for Secure Software Engineering

Cutting Edge Practices for Secure Software Engineering Cutting Edge Practices for Secure Software Engineering Kanchan Hans Amity Institute of Information Technology Amity University, Noida, 201301, India khans@amity.edu Abstract Security has become a high

More information

Security Software Engineering: Do it the right way

Security Software Engineering: Do it the right way Proceedings of the 6th WSEAS Int. Conf. on Software Engineering, Parallel and Distributed Systems, Corfu Island, Greece, February 16-19, 2007 19 Security Software Engineering: Do it the right way Ahmad

More information

Secure Software Begins in the Development Process

Secure Software Begins in the Development Process A S P E S D L C Tr a i n i n g Secure Software Begins in the Development Process A WHITE PAPER PROVIDED TO ASPE BY SECURITY INNOVATION Secure Software Begins in the Development Process written for CIO

More information

Software Development: The Next Security Frontier

Software Development: The Next Security Frontier James E. Molini, CISSP, CSSLP Microsoft Member, (ISC)² Advisory Board of the Americas jmolini@microsoft.com http://www.codeguard.org/blog Software Development: The Next Security Frontier De-perimiterization

More information

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation) It is a well-known fact in computer security that security problems are very often a direct result of software bugs. That leads security researches to pay lots of attention to software engineering. The

More information

Turning the Battleship: How to Build Secure Software in Large Organizations. Dan Cornell May 11 th, 2006

Turning the Battleship: How to Build Secure Software in Large Organizations. Dan Cornell May 11 th, 2006 Turning the Battleship: How to Build Secure Software in Large Organizations Dan Cornell May 11 th, 2006 Overview Background and key questions Quick review of web application security The web application

More information

SDL, CLASP & TOUCHPOINTS: A Comparison and Alignment of CLASP with Waterfall Model

SDL, CLASP & TOUCHPOINTS: A Comparison and Alignment of CLASP with Waterfall Model SDL, CLASP & TOUCHPOINTS: A Comparison and Alignment of CLASP with Waterfall Model Nishtha Sankhwar Dept. of Information Technology IIIT Allahabad nishthasankhwar.infosec@gmail.com Anuja Tewari Dept. of

More information

Information Technology Security Review April 16, 2012

Information Technology Security Review April 16, 2012 Information Technology Security Review April 16, 2012 The Office of the City Auditor conducted this project in accordance with the International Standards for the Professional Practice of Internal Auditing

More information

Secure By Design: Security in the Software Development Lifecycle

Secure By Design: Security in the Software Development Lifecycle Secure By Design: Security in the Software Development Lifecycle Twin Cities Rational User s Group Security Briefing by Arctec Group (www.arctecgroup.net) Integrating Security into Software Development

More information

Software Security Testing

Software Security Testing Software Security Testing Elizabeth Sanders Department of Electrical & Computer Engineering Missouri University of Science and Technology ejwxcf@mst.edu 2015 Elizabeth Sanders Pop Quiz What topics am I

More information

Building More Secure Commercial Software: The Trustworthy Computing Security Development Lifecycle

Building More Secure Commercial Software: The Trustworthy Computing Security Development Lifecycle Building More Secure Commercial Software: The Trustworthy Computing Development Lifecycle Steven B. Lipner Microsoft Corporation With the growth of the Internet as a vehicle for commercial, governmental,

More information

On the Secure Software Development Process: CLASP and SDL Compared

On the Secure Software Development Process: CLASP and SDL Compared On the Secure Software Development Process: CLASP and SDL Compared Johan Grégoire, Koen Buyens, Bart De Win, Riccardo Scandariato, Wouter Joosen DistriNet, Department of Computer Science, K.U.Leuven Celestijnenlaan

More information

Secure Development LifeCycles (SDLC)

Secure Development LifeCycles (SDLC) www.pwc.com Feb 2014 Secure Development LifeCycles (SDLC) Bart De Win Bart De Win? 15+ years of Information Security Experience Ph.D. in Computer Science - Application Security Author of >60 scientific

More information

Comparison of Secure Development Frameworks for Korean e- Government Systems

Comparison of Secure Development Frameworks for Korean e- Government Systems , pp.355-362 http://dx.doi.org/10.14257/ijsia.2014.8.1.33 Comparison of Secure Development Frameworks for Korean e- Government Systems Dongsu Seo School of Information Technology Sungshin University dseo@sungshin.ac.kr

More information

Security Testing. How security testing is different Types of security attacks Threat modelling

Security Testing. How security testing is different Types of security attacks Threat modelling Security Testing How security testing is different Types of security attacks Threat modelling Note: focus is on security of applications (not networks, operating systems) Security testing is about making

More information

What is a life cycle model?

What is a life cycle model? What is a life cycle model? Framework under which a software product is going to be developed. Defines the phases that the product under development will go through. Identifies activities involved in each

More information

APPLICATION THREAT MODELING

APPLICATION THREAT MODELING APPLICATION THREAT MODELING APPENDIX PROCESS FOR ATTACK SIMULATION AND THREAT ANALYSIS Marco M. Morana WILEY Copyrighted material Not for distribution 1 2 Contents Appendix process for attack simulation

More information

! Resident of Kauai, Hawaii

! Resident of Kauai, Hawaii SECURE SDLC Jim Manico @manicode! OWASP Volunteer! Global OWASP Board Member! Manager of several OWASP secure coding projects! Security Instructor, Author! 17 years of web-based, databasedriven software

More information

The Protection Mission a constant endeavor

The Protection Mission a constant endeavor a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring

More information

TRADITIONAL VS MODERN SOFTWARE ENGINEERING MODELS: A REVIEW

TRADITIONAL VS MODERN SOFTWARE ENGINEERING MODELS: A REVIEW Year 2014, Vol. 1, issue 1, pp. 49-56 Available online at: http://journal.iecuniversity.com TRADITIONAL VS MODERN SOFTWARE ENGINEERING MODELS: A REVIEW Singh RANDEEP a*, Rathee AMIT b a* Department of

More information

Agile and Secure: OWASP AppSec Seattle Oct 2006. The OWASP Foundation http://www.owasp.org/

Agile and Secure: OWASP AppSec Seattle Oct 2006. The OWASP Foundation http://www.owasp.org/ Agile and Secure: Can We Be Both? OWASP AppSec Seattle Oct 2006 Dan Cornell, OWASP San Antonio Leader Principal, Denim Group Ltd. dan@denimgroup.com (210) 572-4400 Copyright 2006 - The OWASP Foundation

More information

The Value of Vulnerability Management*

The Value of Vulnerability Management* The Value of Vulnerability Management* *ISACA/IIA Dallas Presented by: Robert Buchheit, Director Advisory Practice, Dallas Ricky Allen, Manager Advisory Practice, Houston *connectedthinking PwC Agenda

More information

W16 INTEGRATING SECURITY INTO THE DEVELOPMENT LIFECYCLE. Ryan English SPI Dynamics Inc BIO PRESENTATION 6/28/2006 3:00 PM

W16 INTEGRATING SECURITY INTO THE DEVELOPMENT LIFECYCLE. Ryan English SPI Dynamics Inc BIO PRESENTATION 6/28/2006 3:00 PM BIO PRESENTATION W16 6/28/2006 3:00 PM INTEGRATING SECURITY INTO THE DEVELOPMENT LIFECYCLE Ryan English SPI Dynamics Inc Better Software Conference June 26 29, 2006 Las Vegas, NV USA Ryan English Ryan

More information

BEST PRACTICES FOR SECURITY TESTING TOP 10 RECOMMENDED PRACTICES

BEST PRACTICES FOR SECURITY TESTING TOP 10 RECOMMENDED PRACTICES BEST PRACTICES FOR SECURITY TESTING TOP 10 RECOMMENDED PRACTICES Disclaimer!! Best Practices are Not rules or rigid standards General solutions to common problems Guidelines and common reference that can

More information

Developing Secure Software, assignment 1

Developing Secure Software, assignment 1 Developing Secure Software, assignment 1 During development of software, faults and flaws are introduced either from the implementation or from the design of the software. During runtime these faults and

More information

Matt Bartoldus matt@gdssecurity.com

Matt Bartoldus matt@gdssecurity.com Matt Bartoldus matt@gdssecurity.com Security in the SDLC: It Doesn t Have To Be Painful 2010 Gotham Digital Science, Ltd Introduction o Me o Who Are You? Assessment (Penetration Tester; Security Auditors)

More information

Software Security Engineering: A Key Discipline for Project Managers

Software Security Engineering: A Key Discipline for Project Managers Software Security Engineering: A Key Discipline for Project Managers Julia H. Allen Software Engineering Institute (SEI) Email: jha@sei.cmu.edu Sean Barnum Cigital Robert J. Ellison SEI Gary McGraw Cigital

More information

Software Security: State of the Practice. Diana Kelley Partner SecurityCurve

Software Security: State of the Practice. Diana Kelley Partner SecurityCurve Software Security: State of the Practice Diana Kelley Partner SecurityCurve Agenda Why Software Security Matters Vulnerabilities and Risk in Software Building Security In Making it Happen What do These

More information

Complete Web Application Security. Phase1-Building Web Application Security into Your Development Process

Complete Web Application Security. Phase1-Building Web Application Security into Your Development Process Complete Web Application Security Phase1-Building Web Application Security into Your Development Process Table of Contents Introduction 3 Thinking of security as a process 4 The Development Life Cycle

More information

Introduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006

Introduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006 Introduction to Web Application Security Microsoft CSO Roundtable Houston, TX September 13 th, 2006 Overview Background What is Application Security and Why Is It Important? Examples Where Do We Go From

More information

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT: U.S. Election Assistance Commission Compliance with the Requirements of the Federal Information Security Management Act Fiscal

More information

Obtaining Enterprise Cybersituational

Obtaining Enterprise Cybersituational SESSION ID: SPO-R06A Obtaining Enterprise Cybersituational Awareness Eric J. Eifert Sr. Vice President Managed Security Services DarkMatter Agenda My Background Key components of the Cyber Situational

More information

Beyond ISO 27034 - Intel's Product Security Maturity Model (PSMM)

Beyond ISO 27034 - Intel's Product Security Maturity Model (PSMM) Beyond ISO 27034 - Intel's Product Security Maturity Model (PSMM) Harold Toomey Sr. Product Security Architect & PSIRT Manager Intel Corp. 2 October 2015 @NTXISSA #NTXISSACSC3 Agenda Application / Product

More information

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP Threat Modeling Categorizing the nature and severity of system vulnerabilities John B. Dickson, CISSP What is Threat Modeling? Structured approach to identifying, quantifying, and addressing threats. Threat

More information

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

USING SECURITY METRICS TO ASSESS RISK MANAGEMENT CAPABILITIES

USING SECURITY METRICS TO ASSESS RISK MANAGEMENT CAPABILITIES Christina Kormos National Agency Phone: (410)854-6094 Fax: (410)854-4661 ckormos@radium.ncsc.mil Lisa A. Gallagher (POC) Arca Systems, Inc. Phone: (410)309-1780 Fax: (410)309-1781 gallagher@arca.com USING

More information

Network Security. Intertech Associates, Inc.

Network Security. Intertech Associates, Inc. Network Security Intertech Associates, Inc. Agenda IT Security - Past to Future Security Vulnerabilities Protecting the Enterprise What do we need in each site? Requirements for a Security Architecture

More information

Threat Modeling. Deepak Manohar

Threat Modeling. Deepak Manohar Threat Modeling Deepak Manohar Outline Motivation Past Security Approaches Common problems with past security approaches Adversary s perspective Vs Defender s perspective Why defender s perspective? Threat

More information

The Security-Inclusive Development Life Cycle. Kimberly M. Hubbard. University of Illinois Urbana-Champaign. BADM 395: IT Governance

The Security-Inclusive Development Life Cycle. Kimberly M. Hubbard. University of Illinois Urbana-Champaign. BADM 395: IT Governance Kimberly M. Hubbard University of Illinois Urbana-Champaign BADM 395: IT Governance Professor: Mike Shaw April 29, 2007 Table of Contents Abstract... 3 Purpose... 3 Problems... 4 Vulnerability... 4 Patch

More information

The Security Development Lifecycle. Steven B. Lipner, CISSP SLipner@microsoft.com Senior Director Security Engineering Strategy Microsoft Corp.

The Security Development Lifecycle. Steven B. Lipner, CISSP SLipner@microsoft.com Senior Director Security Engineering Strategy Microsoft Corp. The Security Development Lifecycle Steven B. Lipner, CISSP SLipner@microsoft.com Senior Director Security Engineering Strategy Microsoft Corp. 2 Overview Introduction A look back Trustworthy Computing

More information

Revision History Revision Date 3.0 14.02.10. Changes Initial version published to http://www.isasecure.org

Revision History Revision Date 3.0 14.02.10. Changes Initial version published to http://www.isasecure.org SDLA-312 ISA Security Compliance Institute Security Development Lifecycle Assurance - Security Development Lifecycle Assessment v3.0 Lifecycle Phases Number Phase Name Description PH1 Security Management

More information

Big Data, Big Risk, Big Rewards. Hussein Syed

Big Data, Big Risk, Big Rewards. Hussein Syed Big Data, Big Risk, Big Rewards Hussein Syed Discussion Topics Information Security in healthcare Cyber Security Big Data Security Security and Privacy concerns Security and Privacy Governance Big Data

More information

-.% . /(.0/.1 . 201 . ) 53%/(01 . 6 (01 (%((. * 7071 (%%2 $,( . 8 / 9!0/!1 . # (3(0 31.%::((. ;.!0.!1 %2% . ".(0.1 $) (%+"",(%$.(6

-.% . /(.0/.1 . 201 . ) 53%/(01 . 6 (01 (%((. * 7071 (%%2 $,( . 8 / 9!0/!1 . # (3(0 31.%::((. ;.!0.!1 %2% . .(0.1 $) (%+,(%$.(6 !""#"" ""$"$"# $) ""$"*$"# %%&''$ $( (%( $) (%+"",(%$ -.% Number Phase Name Description. /(.0/.1.(((%( $. 201 2,%%%% %$. %(01 3-(4%%($. ) 53%/(01 %%4.%%2%, ($. 6 (01 (%((. * 7071 (%%2. 8 / 9!0/!1 ((((($%

More information

Threat Modeling. Frank Piessens (Frank.Piessens@cs.kuleuven.be ) KATHOLIEKE UNIVERSITEIT LEUVEN

Threat Modeling. Frank Piessens (Frank.Piessens@cs.kuleuven.be ) KATHOLIEKE UNIVERSITEIT LEUVEN Threat Modeling Frank Piessens (Frank.Piessens@cs.kuleuven.be ) Secappdev 2007 1 Overview Introduction Key Concepts Threats, Vulnerabilities, Countermeasures Example Microsoft s Threat Modeling Process

More information

MIS 5203. Systems & Infrastructure Lifecycle Management 1. Week 13 April 14, 2016

MIS 5203. Systems & Infrastructure Lifecycle Management 1. Week 13 April 14, 2016 MIS 5203 Lifecycle Management 1 Week 13 April 14, 2016 Study Objectives Systems Implementation contd Configuration Management Monitoring and Incident Management Post implementation Reviews Project Success

More information

CITY UNIVERSITY OF HONG KONG. Information System Acquisition, PUBLIC Development and Maintenance Standard

CITY UNIVERSITY OF HONG KONG. Information System Acquisition, PUBLIC Development and Maintenance Standard CITY UNIVERSITY OF HONG KONG Development and Maintenance Standard (Approved by the Information Strategy and Governance Committee in December 2013; revision 1.1 approved by Chief Information Officer in

More information

Security Considerations for the Spiral Development Model

Security Considerations for the Spiral Development Model Security Considerations for the Spiral Development Model Loye Lynn Ray University of Maryland University College 3501 University Blvd East Adelphi, MD 20783 Loye.ray@faculty.umuc.edu 717-718-5727 Abstract

More information

Security Controls What Works. Southside Virginia Community College: Security Awareness

Security Controls What Works. Southside Virginia Community College: Security Awareness Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction

More information

SECURITY AND RISK MANAGEMENT

SECURITY AND RISK MANAGEMENT SECURITY AND RISK MANAGEMENT IN AGILE SOFTWARE DEVELOPMENT SATURN 2012 Conference (#SATURN2012) Srini Penchikala (@srinip) 05.10.12 #WHOAMI Security Architect @ Financial Services Organization Location:

More information

Preventive and Detective Data IntegritySolutions

Preventive and Detective Data IntegritySolutions Preventive and Detective Data IntegritySolutions Abstract Today s market is drifting from Network centric to Customer centric where focus is primarily on Customer experience. Communication Service Providers

More information

The Security Development Lifecycle. OWASP 24 June 2010. The OWASP Foundation http://www.owasp.org

The Security Development Lifecycle. OWASP 24 June 2010. The OWASP Foundation http://www.owasp.org The Security Development Lifecycle 24 June 2010 Steve Lipner Senior Director of Security Engineering Strategy Trustworthy Computing Microsoft Corporation SLipner@microsoft.com +1 425 705-5082 Copyright

More information

Guidelines 1 on Information Technology Security

Guidelines 1 on Information Technology Security Guidelines 1 on Information Technology Security Introduction The State Bank of Pakistan recognizes that financial industry is built around the sanctity of the financial transactions. Owing to the critical

More information

NIST National Institute of Standards and Technology

NIST National Institute of Standards and Technology NIST National Institute of Standards and Technology Lets look at SP800-30 Risk Management Guide for Information Technology Systems (September 2012) What follows are the NIST SP800-30 slides, which are

More information

The AppSec How-To: Achieving Security in DevOps

The AppSec How-To: Achieving Security in DevOps The AppSec How-To: Achieving Security in DevOps How do you integrate security within a Continuous Deployment (CD) environment - where every 5 minutes a feature, an enhancement, or a bug fix needs to be

More information

Management (CSM) Capability

Management (CSM) Capability CDM Configuration Settings Management (CSM) Capability Department of Homeland Security National Cyber Security Division Federal Network Security Network & Infrastructure Security Table of Contents 1 PURPOSE

More information

Goals. Understanding security testing

Goals. Understanding security testing Getting The Most Value From Your Next Network Penetration Test Jerald Dawkins, Ph.D. True Digital Security p. o. b o x 3 5 6 2 3 t u l s a, O K 7 4 1 5 3 p. 8 6 6. 4 3 0. 2 5 9 5 f. 8 7 7. 7 2 0. 4 0 3

More information

Get Confidence in Mission Security with IV&V Information Assurance

Get Confidence in Mission Security with IV&V Information Assurance Get Confidence in Mission Security with IV&V Information Assurance September 10, 2014 Threat Landscape Regulatory Framework Life-cycles IV&V Rigor and Independence Threat Landscape Continuously evolving

More information

WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK

WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK DATE OF RELEASE: 27 th July 2012 Table of Contents 1. Introduction... 2 2. Need for securing Telecom Networks... 3 3. Security Assessment Techniques...

More information

Application Security Guide For CISOs

Application Security Guide For CISOs Application Security Guide For CISOs Version 1.0 (November 2013) Project Lead and Main Author Marco Morana Co-authors, Contributors and Reviewers Tobias Gondrom, Eoin Keary, Andy Lewis, Stephanie Tan and

More information

Interactive Application Security Testing (IAST)

Interactive Application Security Testing (IAST) WHITEPAPER Interactive Application Security Testing (IAST) The World s Fastest Application Security Software Software affects virtually every aspect of an individual s finances, safety, government, communication,

More information

Development. Resilient Software. Secure and. Mark S. Merkow Lakshmikanth Raghavan. CRC Press. Taylor& Francis Croup. Taylor St Francis Group,

Development. Resilient Software. Secure and. Mark S. Merkow Lakshmikanth Raghavan. CRC Press. Taylor& Francis Croup. Taylor St Francis Group, Secure and Resilient Software Development Mark S. Merkow Lakshmikanth Raghavan CRC Press Taylor& Francis Croup Boca Raton London New York CRC Press is an imprint of the Taylor St Francis Group, an Informs

More information

Web Application Security Roadmap

Web Application Security Roadmap Web Application Security Roadmap Joe White joe@cyberlocksmith.com Cyberlocksmith April 2008 Version 0.9 Background Web application security is still very much in it s infancy. Traditional operations teams

More information

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services Managing Vulnerabilities for PCI Compliance White Paper Christopher S. Harper Managing Director, Agio Security Services PCI STRATEGY Settling on a PCI vulnerability management strategy is sometimes a difficult

More information

Microsoft SDL: Agile Development

Microsoft SDL: Agile Development Microsoft SDL: Agile Development June 24, 2010 Nick Coblentz, CISSP Senior Security Consultant AT&T Consulting Nick.Coblentz@gmail.com http://nickcoblentz.blogspot.com http://www.twitter.com/sekhmetn Copyright

More information

SAFECode Security Development Lifecycle (SDL)

SAFECode Security Development Lifecycle (SDL) SAFECode Security Development Lifecycle (SDL) Michael Howard Microsoft Matthew Coles EMC 15th Semi-annual Software Assurance Forum, September 12-16, 2011 Agenda Introduction to SAFECode Security Training

More information

Enterprise Security Tactical Plan

Enterprise Security Tactical Plan Enterprise Security Tactical Plan Fiscal Years 2011 2012 (July 1, 2010 to June 30, 2012) Prepared By: State Chief Information Security Officer The Information Security Council State of Minnesota Enterprise

More information

Domain 1 The Process of Auditing Information Systems

Domain 1 The Process of Auditing Information Systems Certified Information Systems Auditor (CISA ) Certification Course Description Our 5-day ISACA Certified Information Systems Auditor (CISA) training course equips information professionals with the knowledge

More information

Cyber Security & Data Privacy. January 22, 2014

Cyber Security & Data Privacy. January 22, 2014 Cyber Security & Data Privacy January 22, 2014 Today s Presenters Bob DiBella Director of Product Management Aclara Technologies Srinivasalu Ambati Application Architect, Consumer Engagement Aclara Technologies

More information

HP Fortify application security

HP Fortify application security HP Fortify application security Erik Costlow Enterprise Security The problem Cyber attackers are targeting applications Networks Hardware Applications Intellectual Property Security Measures Switch/Router

More information

112 BSIMM Activities at a Glance

112 BSIMM Activities at a Glance 112 BSIMM Activities at a Glance (Red indicates most observed BSIMM activity in that practice) 6 Level 1 Activities Governance Strategy & Metrics (SM) Publish process (roles, responsibilities, plan), evolve

More information

Threat Modeling. 1. Some Common Definition (RFC 2828)

Threat Modeling. 1. Some Common Definition (RFC 2828) Threat Modeling Threat modeling and analysis provides a complete view about the security of a system. It is performed by a systematic and strategic way for identifying and enumerating threats to a system.

More information

Making your web application. White paper - August 2014. secure

Making your web application. White paper - August 2014. secure Making your web application White paper - August 2014 secure User Acceptance Tests Test Case Execution Quality Definition Test Design Test Plan Test Case Development Table of Contents Introduction 1 Why

More information

Information & Asset Protection with SIEM and DLP

Information & Asset Protection with SIEM and DLP Information & Asset Protection with SIEM and DLP Keeping the Good Stuff in and the Bad Stuff Out Professional Services: Doug Crich Practice Leader Infrastructure Protection Solutions What s driving the

More information

Panel: SwA Practices - Getting to Effectiveness in Implementation

Panel: SwA Practices - Getting to Effectiveness in Implementation Panel: SwA Practices - Getting to Effectiveness in Implementation (EMC s Evolution of Product Security Assurance) Dan Reddy, CISSP, CSSLP EMC Product Security Office Software Assurance Forum Gaithersburg,

More information

NETWORK PENETRATION TESTING

NETWORK PENETRATION TESTING Tim West Consulting 6807 Wicklow St. Arlington, TX 76002 817-228-3420 Twest@timwestconsulting.com OVERVIEW Tim West Consulting Tim West Consulting is a full service IT security and support firm that specializes

More information

Secure Software Development

Secure Software Development Master Thesis Software Engineering Thesis no: MSE-2007-12 March 2007 Secure Software Development - Identification of Security Activities and Their Integration in Software Development Lifecycle Syed Rizwan

More information

Learning objectives for today s session

Learning objectives for today s session Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP Learning objectives for today s session Understand what a black box and white box assessment is and how they differ Identify

More information