Building Security into the Software Life Cycle
|
|
- Milton Hines
- 8 years ago
- Views:
Transcription
1 Building Security into the Software Life Cycle A Business Case Marco M. Morana Senior Consultant Foundstone Professional Services, a Division of McAfee
2 Outline» Glossary» What is at risk, what we do about it and when» Is software complexity the root cause?» Vulnerability management challenges» Application security vs. software security» A change of perspective: the Software Security Life Cycle (SDLC)» Security-enhancing lifecycle process models» CLASP, activities, phases and roles» Secure-SDLC requirements, how we get there?» Secure software best practices and activities» Guidelines for building secure software» The Secure-SDLC touch-point Model» Secure software best practices and software development models» In summary: take away lessons» Resources 2
3 Glossary» Risk: the probability that a particular threat-source will exercise a particular information system vulnerability and the resulting impact if this should occur» Threat: any circumstance or event with the potential to harm an information system through unauthorized access, destruction, disclosure, modification of data, and/or denial of service.» Vulnerability: a weakness in system security requirements, design, implementation, or operation, that could be accidentally triggered or intentionally exploited» Security Defects: implementation vulnerabilities and design vulnerabilities» Security Bugs: implementation-level security software problem» Security Flaw: design-level security software problem 3
4 What is at risk? 4
5 What we do about it 1) Security defects discovered BEFORE the product release gets into production: - Found during functional tests - Dealt with as bugs - Fixed with changes into the product - Deployed with product release 2) Vulnerabilities discovered AFTER the product release gets into production: - Found during operation & maintenance - Dealt with as security defects - Fixed with new security patches - Deployed in all products already released 5
6 When we do something about it?» Today most people test after software is built! 6
7 Is software complexity the root cause?» Software is getting bigger and more complex: Windows complexity ~ 2 million lines of code in Windows 3.1 (1990) ~ 20 million lines of code in Windows 95 (1997) ~ 40 million lines of code in Windows XP (2001)» More lines of code means more security bugs: - Average Security Bugs in Code: 6 every one Thousand Line Of Code (KLOC) - Millions of LOC => Thousands of Security Bugs» Network centric approach means a penetrate and patch mentality: - 47% of security defects that are exploitable are preventable (@stake)» Lack of focus on secure software development best practices: - Best designed applications have 80% fewer defects than the worst designed (@stake) 7
8 Application Security vs. Software Security» Penetrate and patch» Look at the issue» Just in time solution: fix one application in one single time» Network Security Centric Perspective» Information Security Knowledge» Short term tactical solutions (e.g. penetration tests)» Security as an afterthought, consider risks only when you are exposed» High risk low ROI activities» Manage software security risks» Looks at the root cause» Lifecycle solution: from start (e,g, inception) to end (e.g. decommissioning)» Software Security Engineering Perspective» Software Security Knowledge» Long term strategic solution (e.g. software security best practices)» Security thought early on, consider risks from software inception» Low risk High ROI activities 8
9 Change of perspective: software security life cycle 9
10 Security-enhancing Lifecycle Process Models» Repetitive and measurable processes» Provide guidance on secure software activities» Apply development best practices to various software artifacts» Integrate with foundational software security activities» Include tactical resources» Provision the use of automation tools» Provide a framework for mapping security activities into SDLC such as: SDLC phases, tasks and checkpoints (e.g. M. Howard SDL) Roles, process phases and interactions (e.g. J. Viega CLASP) Risk management, knowledge and touchpoints (e.g. Gary Mc Graw) 10
11 Comprehensive Lightweight Application Security Process (CLASP) 11
12 Mapping Security Activities, Phases and Roles with CLASP 1. Institute a security awareness program Planning Project Manager 2. Monitor security metrics On going Project Manager 3. Specify operational environment Analysis & Design Requirement Specifier 4. Identify global security policy Planning Requirement Specifier 5. Identify resources and trust boundaries Requirements Architect 6. Identify user roles and resource capability Analysis & Design Requirement Specifier 7. Document security-relevant requirements Requirements Requirement Specifier 8. Detail misuse cases Inception & Elaboration Requirement Specifier 9. Identify attack surface Evaluation Designer 10. Apply security principles to design Analysis & Design Designer 11. Research and assess security posture of tech. solutions Ongoing Architect 12. Annotate class designs with security properties Analysis & Design Designer 13. Specify database security configuration Implementation Designer 14. Threat Modeling Analysis & Design Security Auditor 15. Integrate security analysis into source management proc. Implementation Integrator 16. Implement interface contracts Implementation Implementor 17. Implement and elaborate resource policies and tech. Implementation Implementor 18. Address reported security issues Test Designer 19. Perform source level security review Evaluation Security Auditor 20. Identify, implement, and perform security tests Test Designer 21. Verify security attributes of resources Evaluation Integrator/Tester 22. Perform code signing Transition Integrator 23. Build operational security guide Deploy & Maintain Integrator/Tester 24. Manage security issue disclosure Deploy & Maintain Project Manager 12
13 HACME Secure-SDLC requirements 1. Be complaint with HACME security policies and guidelines (e.g. regulatory compliance, information security policy, information risk management guideline) 2. Define security activities that are both strategic (e.g. long term objectives) and tactical (e.g. short term goals) 3. Provide guidance on each security activity with clear objectives artifacts to be produced and dependencies 4. Show how you map security activities into different software development methodologies (e.g waterfall, AGILE, XP, RUP) 13
14 How we get there?» Adopt an activity driven approach» Define and document security activities derived by best practices: Preliminary Software Risk Analysis Secure Requirements Engineering Security Risk Driven Design Secure Code Implementation Security Tests Secure Configuration & Deployment Metrics & Measurements Training & Awareness» Define dependencies and prerequisites (e.g. activities and artifacts)» Define entry scenarios for the activities (e.g. events and reasons)» Position the activities w.r.t. SDLC methodologies and roadmaps (e.g. new development vs. legacy) 14
15 Secure Software Best Practices and Activities» Preliminary Software Risk Analysis - Define use and misuse cases requires: Business Requirements, Security Requirements depends on: none produces: Misuse Cases Diagrams and descriptions» Security Requirements Engineering - Define Security Requirements requires: Business requirements, Functional requirements, Industry Regulations, Organizational Policies, Technical Standards depends on: Misuse cases produces: Security Requirement Document 15
16 Secure Software Best Practices and Activities» Security Risk Driven Design - Secure Architecture & Design Patterns requires: Requirements, Architecture Documentation depends on: Security Requirements produces: Secure Architecture Documents - Threat Modeling requires: Architecture Documents, Data Classification, Requirements depends on: Misuse cases produces: Threat Profile 16
17 Secure Software Best Practices and Activities» Security Risk Driven Design - Secure Architecture Review requires: Functional Requirements, Architecture Diagrams, Network Diagrams, Data Flow Diagrams depends on: Security Architecture & Design Patterns, Threat Model produces: Security Architecture Review Findings - Security Test Planning requires: Requirements, Architecture & Network diagrams, Data Flow Diagrams, Test Tools & Frameworks depends on: Security Requirements, Misuse cases, Threat Model produces: Security Test Plan 17
18 Secure Software Best Practices and Activities» Secure Code Implementation - Peer Code Review requires: Source code, Coding standards, Architecture documents, depends on: Threat Model produces: Code Review Findings - Automated static & dynamic code review requires: Source code, Components and Libraries, Build depends on: Threat Model produces: Automated Code Review Findings - Security Unit Tests requires: Source code, Unit Test Frameworks depends on: Security Requirements, Test Cases produces: Unit Test Results 18
19 Secure Software Best Practices and Activities» Security Tests - Functional - Risk Driven - System - Component - White Box - Black Box all require: Source code, Architecture documents, Data flow Diagrams, Test Environment all depend on: Security Test Planning, Threat Model, Security Requirements all produce: Test reports 19
20 Secure Software Best Practices and Activities» Secure Configuration & Deployment - Secure Configuration requires: depends on: none produces: Operational data and services, source code, build environment, account and password policies, configuration files Secure Configuration Guide/Checklist - Secure Deployment requires: depends on: none produces: Application files and directories, auditing and logging services, registry entries, authentication services, service components, network configuration, service accounts Secure Deployment Guide/Checklist 20
21 Secure Software Best Practices and On Going Activities» Security Training & Awareness - Security Awareness Training - Secure Architecture Design - Secure Coding - Operational Security - Security QA - Ethical hacking» Metrics & Measurements - Number of bugs vs. flaws - Time to fix bugs vs. flaws - Number of vulnerabilities - Time to respond to incident - Support statistical data» Information Risk Management - Investigate Preliminary Risks - Business Analysis - Asset Classification - Threat & Vulnerability Analysis - Business Impact Analysis - Risk Determination - Risk Strategy Selection» Vulnerability management - Policy Compliance - Vulnerability Assessment - Security Configuration - IT Security Risk Management 21
22 Guidelines for Building Secure Software 1.Threat Modeling The purpose of this exercise is to ensure that all known threats to the application are adequately addressed. During design, you will gather information such as requirements and design artifacts to analyze your application from the prospective of the impacts of potential threats. The main outcome at this activity is a threat profile that identifies and categorizes you application threats, recommends countermeasures and identifies application vulnerabilities. Further information on how this activity should be conducted is covered in the Guideline For Conducting Threat Modeling 22
23 Secure-SDLC Touchpoint Model 23
24 Secure Software Best Practices and the Waterfall Model 24
25 Secure Software Best Practices and the Spiral Model 25
26 Secure Software Best Practices and the RUP Model 26
27 In Summary: Take Away Lessons» Software and organizations are not homogenous (e.g. X divisions, Y software applications running on Z platforms implement N software technologies)» Building security into the SDLC is a formal process: - Top Down (organization driven from CIO) - Bottom up (gap analysis from managers and auditors)» S-SDLC and Information Risk Management are integrated processes: - S-SDLC Manage Software Security Risks - Technical Risk Management Information Risk Management» There is no silver bullet for software security: - Strategic and tactical plans - Roadmaps: short term, near term and long term (e.g. maturity levels)» Clients that care about software security know that: - Application Security!= Software Security - Security = Commitment x (Best Practices^2 + Tools) 27
28 Resources» Foundstone Resources, Whitepapers, Articles Comprehensive, Lightweight Application Security (CLASP) Process DHS Build Security In Most recent books on software security: - Gary McGraw Software Security, January 2006 Addison Wesley - M. Howard and S. Lipner: The Security Development Lifecycle, May 2006 Microsoft Press 28
29 Thanks You For Listening! 29
Building Security Into The Software Life Cycle
Building Security Into The Software Life Cycle A Business Case Marco M. Morana Senior Consultant Foundstone Professional Services a Division of McAfee Email: marco.morana@foundstone.com Outline» Glossary»
More informationHow to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP
How to start a software security initiative within your organization: a maturity based and metrics driven approach Marco Morana OWASP Lead/ TISO Citigroup OWASP Application Security For E-Government Copyright
More informationDevelopment Processes (Lecture outline)
Development*Process*for*Secure* So2ware Development Processes (Lecture outline) Emphasis on building secure software as opposed to building security software Major methodologies Microsoft's Security Development
More informationEffective Software Security Management
Effective Software Security Management choosing the right drivers for applying application security Author: Dharmesh M Mehta dharmeshmm@mastek.com / dharmeshmm@owasp.org Table of Contents Abstract... 1
More informationState of Oregon. State of Oregon 1
State of Oregon State of Oregon 1 Table of Contents 1. Introduction...1 2. Information Asset Management...2 3. Communication Operations...7 3.3 Workstation Management... 7 3.9 Log management... 11 4. Information
More informationSoftware Application Control and SDLC
Software Application Control and SDLC Albert J. Marcella, Jr., Ph.D., CISA, CISM 1 The most effective way to achieve secure software is for its development life cycle processes to rigorously conform to
More informationA Survey on Requirements and Design Methods for Secure Software Development*
A Survey on Requirements and Design Methods for Secure Software Development* Muhammad Umair Ahmed Khan and Mohammad Zulkernine School of Computing Queen s University Kingston, Ontario, Canada K7L 3N6 {umair
More informationHow to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP
How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP Italy Day 2, 2008 March 31 th, 2008 Marco.Morana@OWASP.ORG OWASP Copyright 2008
More informationImproving RoI by Using an SDL
Improving RoI by Using an SDL This paper discusses how you can improve return on investment (RoI) by implementing a secure development lifecycle (SDL). It starts with a brief introduction to SDLs then
More informationAgile and Secure Can We Be Both? Chicago OWASP. June 20 th, 2007
Agile and Secure Can We Be Both? Chicago OWASP June 20 th, 2007 The Agile Practitioner s Dilemma Agile Forces: Be more responsive to business concerns Increase the frequency of stable releases Decrease
More informationPASTA Abstract. Process for Attack S imulation & Threat Assessment Abstract. VerSprite, LLC Copyright 2013
2013 PASTA Abstract Process for Attack S imulation & Threat Assessment Abstract VerSprite, LLC Copyright 2013 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
More informationEntire contents 2011 Praetorian. All rights reserved. Information Security Provider and Research Center www.praetorian.com
Entire contents 2011 Praetorian. All rights reserved. Information Security Provider and Research Center www.praetorian.com Threat Modeling "Threat modeling at the design phase is really the only way to
More informationBuilding a Corporate Application Security Assessment Program
Building a Corporate Application Security Assessment Program Rob Jerdonek and Topher Chung Corporate Information Security Intuit Inc. July 23, 2009 Copyright The Foundation Permission is granted to copy,
More informationAgile and Secure: Can We Be Both?
Agile and Secure: Can We Be Both? OWASP AppSec Seattle Oct 2006 Keith Landrus Director of Technology Denim Group Ltd. keith.landrus@denimgroup.com (210) 572-4400 Copyright 2006 - The OWASP Foundation Permission
More informationISSECO Syllabus Public Version v1.0
ISSECO Syllabus Public Version v1.0 ISSECO Certified Professional for Secure Software Engineering Date: October 16th, 2009 This document was produced by the ISSECO Working Party Syllabus Introduction to
More informationData Privacy and Gramm- Leach-Bliley Act Section 501(b)
Data Privacy and Gramm- Leach-Bliley Act Section 501(b) October 2007 2007 Enterprise Risk Management, Inc. Agenda Introduction and Fundamentals Gramm-Leach-Bliley Act, Section 501(b) GLBA Life Cycle Enforcement
More informationSecure Development Lifecycle. Eoin Keary & Jim Manico
Secure Development Lifecycle Jim Manico @manicode OWASP Volunteer Global OWASP Board Member OWASP Cheat-Sheet Series Manager VP of Security Architecture, WhiteHat Security 16 years of web-based, database-driven
More informationSoftware Security Touchpoint: Architectural Risk Analysis
Software Security Touchpoint: Architectural Risk Analysis Gary McGraw, Ph.D. Chief Technology Officer, Cigital Founded in 1992 to provide software security and software quality professional services Recognized
More informationIntroduction. Secure Software Development 9/03/2015. Matias starts. Daan takes over. Matias takes over. Who are we? Round of introductions
Matias starts Who are we? Applying Static Analysis Matias Madou and Daan Raman, Leuven, Feb 27, 2015 1 At NVISO, I m responsible for the software security practice. Next to the client work, I also leads
More informationThreat Modeling: The Art of Identifying, Assessing, and Mitigating security threats
Threat Modeling: The Art of Identifying, Assessing, and Mitigating security threats Mohamed Ali Saleh Abomhara University of Agder mohamed.abomhara@uia.no Winter School in Information Security, Finse May
More informationA PRACTICAL APPROACH TO INCLUDE SECURITY IN SOFTWARE DEVELOPMENT
A PRACTICAL APPROACH TO INCLUDE SECURITY IN SOFTWARE DEVELOPMENT Chandramohan Muniraman, University of Houston-Victoria, chandram@houston.rr.com Meledath Damodaran, University of Houston-Victoria, damodaranm@uhv.edu
More informationA Study on the Secure Software Development Life Cycle for Common Criteria (CC) Certification
, pp. 131-142 http://dx.doi.org/10.14257/ijseia.2015.9.10.13 A Study on the Secure Software Development Life Cycle for Common Criteria (CC) Certification Min-gyu Lee 1, Hyo-jung Sohn 2, Baek-min Seong
More informationProtect Your Organization With the Certification That Maps to a Master s-level Education in Software Assurance
Protect Your Organization With the Certification That Maps to a Master s-level Education in Software Assurance Sponsored by the U.S. Department of Homeland Security (DHS), the Software Engineering Institute
More informationCutting Edge Practices for Secure Software Engineering
Cutting Edge Practices for Secure Software Engineering Kanchan Hans Amity Institute of Information Technology Amity University, Noida, 201301, India khans@amity.edu Abstract Security has become a high
More informationSecurity Software Engineering: Do it the right way
Proceedings of the 6th WSEAS Int. Conf. on Software Engineering, Parallel and Distributed Systems, Corfu Island, Greece, February 16-19, 2007 19 Security Software Engineering: Do it the right way Ahmad
More informationSecure Software Begins in the Development Process
A S P E S D L C Tr a i n i n g Secure Software Begins in the Development Process A WHITE PAPER PROVIDED TO ASPE BY SECURITY INNOVATION Secure Software Begins in the Development Process written for CIO
More informationSoftware Development: The Next Security Frontier
James E. Molini, CISSP, CSSLP Microsoft Member, (ISC)² Advisory Board of the Americas jmolini@microsoft.com http://www.codeguard.org/blog Software Development: The Next Security Frontier De-perimiterization
More informationBuild (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)
It is a well-known fact in computer security that security problems are very often a direct result of software bugs. That leads security researches to pay lots of attention to software engineering. The
More informationTurning the Battleship: How to Build Secure Software in Large Organizations. Dan Cornell May 11 th, 2006
Turning the Battleship: How to Build Secure Software in Large Organizations Dan Cornell May 11 th, 2006 Overview Background and key questions Quick review of web application security The web application
More informationSDL, CLASP & TOUCHPOINTS: A Comparison and Alignment of CLASP with Waterfall Model
SDL, CLASP & TOUCHPOINTS: A Comparison and Alignment of CLASP with Waterfall Model Nishtha Sankhwar Dept. of Information Technology IIIT Allahabad nishthasankhwar.infosec@gmail.com Anuja Tewari Dept. of
More informationInformation Technology Security Review April 16, 2012
Information Technology Security Review April 16, 2012 The Office of the City Auditor conducted this project in accordance with the International Standards for the Professional Practice of Internal Auditing
More informationSecure By Design: Security in the Software Development Lifecycle
Secure By Design: Security in the Software Development Lifecycle Twin Cities Rational User s Group Security Briefing by Arctec Group (www.arctecgroup.net) Integrating Security into Software Development
More informationSoftware Security Testing
Software Security Testing Elizabeth Sanders Department of Electrical & Computer Engineering Missouri University of Science and Technology ejwxcf@mst.edu 2015 Elizabeth Sanders Pop Quiz What topics am I
More informationBuilding More Secure Commercial Software: The Trustworthy Computing Security Development Lifecycle
Building More Secure Commercial Software: The Trustworthy Computing Development Lifecycle Steven B. Lipner Microsoft Corporation With the growth of the Internet as a vehicle for commercial, governmental,
More informationOn the Secure Software Development Process: CLASP and SDL Compared
On the Secure Software Development Process: CLASP and SDL Compared Johan Grégoire, Koen Buyens, Bart De Win, Riccardo Scandariato, Wouter Joosen DistriNet, Department of Computer Science, K.U.Leuven Celestijnenlaan
More informationSecure Development LifeCycles (SDLC)
www.pwc.com Feb 2014 Secure Development LifeCycles (SDLC) Bart De Win Bart De Win? 15+ years of Information Security Experience Ph.D. in Computer Science - Application Security Author of >60 scientific
More informationComparison of Secure Development Frameworks for Korean e- Government Systems
, pp.355-362 http://dx.doi.org/10.14257/ijsia.2014.8.1.33 Comparison of Secure Development Frameworks for Korean e- Government Systems Dongsu Seo School of Information Technology Sungshin University dseo@sungshin.ac.kr
More informationSecurity Testing. How security testing is different Types of security attacks Threat modelling
Security Testing How security testing is different Types of security attacks Threat modelling Note: focus is on security of applications (not networks, operating systems) Security testing is about making
More informationWhat is a life cycle model?
What is a life cycle model? Framework under which a software product is going to be developed. Defines the phases that the product under development will go through. Identifies activities involved in each
More informationAPPLICATION THREAT MODELING
APPLICATION THREAT MODELING APPENDIX PROCESS FOR ATTACK SIMULATION AND THREAT ANALYSIS Marco M. Morana WILEY Copyrighted material Not for distribution 1 2 Contents Appendix process for attack simulation
More information! Resident of Kauai, Hawaii
SECURE SDLC Jim Manico @manicode! OWASP Volunteer! Global OWASP Board Member! Manager of several OWASP secure coding projects! Security Instructor, Author! 17 years of web-based, databasedriven software
More informationThe Protection Mission a constant endeavor
a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring
More informationTRADITIONAL VS MODERN SOFTWARE ENGINEERING MODELS: A REVIEW
Year 2014, Vol. 1, issue 1, pp. 49-56 Available online at: http://journal.iecuniversity.com TRADITIONAL VS MODERN SOFTWARE ENGINEERING MODELS: A REVIEW Singh RANDEEP a*, Rathee AMIT b a* Department of
More informationAgile and Secure: OWASP AppSec Seattle Oct 2006. The OWASP Foundation http://www.owasp.org/
Agile and Secure: Can We Be Both? OWASP AppSec Seattle Oct 2006 Dan Cornell, OWASP San Antonio Leader Principal, Denim Group Ltd. dan@denimgroup.com (210) 572-4400 Copyright 2006 - The OWASP Foundation
More informationThe Value of Vulnerability Management*
The Value of Vulnerability Management* *ISACA/IIA Dallas Presented by: Robert Buchheit, Director Advisory Practice, Dallas Ricky Allen, Manager Advisory Practice, Houston *connectedthinking PwC Agenda
More informationW16 INTEGRATING SECURITY INTO THE DEVELOPMENT LIFECYCLE. Ryan English SPI Dynamics Inc BIO PRESENTATION 6/28/2006 3:00 PM
BIO PRESENTATION W16 6/28/2006 3:00 PM INTEGRATING SECURITY INTO THE DEVELOPMENT LIFECYCLE Ryan English SPI Dynamics Inc Better Software Conference June 26 29, 2006 Las Vegas, NV USA Ryan English Ryan
More informationBEST PRACTICES FOR SECURITY TESTING TOP 10 RECOMMENDED PRACTICES
BEST PRACTICES FOR SECURITY TESTING TOP 10 RECOMMENDED PRACTICES Disclaimer!! Best Practices are Not rules or rigid standards General solutions to common problems Guidelines and common reference that can
More informationDeveloping Secure Software, assignment 1
Developing Secure Software, assignment 1 During development of software, faults and flaws are introduced either from the implementation or from the design of the software. During runtime these faults and
More informationMatt Bartoldus matt@gdssecurity.com
Matt Bartoldus matt@gdssecurity.com Security in the SDLC: It Doesn t Have To Be Painful 2010 Gotham Digital Science, Ltd Introduction o Me o Who Are You? Assessment (Penetration Tester; Security Auditors)
More informationSoftware Security Engineering: A Key Discipline for Project Managers
Software Security Engineering: A Key Discipline for Project Managers Julia H. Allen Software Engineering Institute (SEI) Email: jha@sei.cmu.edu Sean Barnum Cigital Robert J. Ellison SEI Gary McGraw Cigital
More informationSoftware Security: State of the Practice. Diana Kelley Partner SecurityCurve
Software Security: State of the Practice Diana Kelley Partner SecurityCurve Agenda Why Software Security Matters Vulnerabilities and Risk in Software Building Security In Making it Happen What do These
More informationComplete Web Application Security. Phase1-Building Web Application Security into Your Development Process
Complete Web Application Security Phase1-Building Web Application Security into Your Development Process Table of Contents Introduction 3 Thinking of security as a process 4 The Development Life Cycle
More informationIntroduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006
Introduction to Web Application Security Microsoft CSO Roundtable Houston, TX September 13 th, 2006 Overview Background What is Application Security and Why Is It Important? Examples Where Do We Go From
More informationU.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL
U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT: U.S. Election Assistance Commission Compliance with the Requirements of the Federal Information Security Management Act Fiscal
More informationObtaining Enterprise Cybersituational
SESSION ID: SPO-R06A Obtaining Enterprise Cybersituational Awareness Eric J. Eifert Sr. Vice President Managed Security Services DarkMatter Agenda My Background Key components of the Cyber Situational
More informationBeyond ISO 27034 - Intel's Product Security Maturity Model (PSMM)
Beyond ISO 27034 - Intel's Product Security Maturity Model (PSMM) Harold Toomey Sr. Product Security Architect & PSIRT Manager Intel Corp. 2 October 2015 @NTXISSA #NTXISSACSC3 Agenda Application / Product
More informationThreat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP
Threat Modeling Categorizing the nature and severity of system vulnerabilities John B. Dickson, CISSP What is Threat Modeling? Structured approach to identifying, quantifying, and addressing threats. Threat
More informationEnterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006
Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,
More informationUSING SECURITY METRICS TO ASSESS RISK MANAGEMENT CAPABILITIES
Christina Kormos National Agency Phone: (410)854-6094 Fax: (410)854-4661 ckormos@radium.ncsc.mil Lisa A. Gallagher (POC) Arca Systems, Inc. Phone: (410)309-1780 Fax: (410)309-1781 gallagher@arca.com USING
More informationNetwork Security. Intertech Associates, Inc.
Network Security Intertech Associates, Inc. Agenda IT Security - Past to Future Security Vulnerabilities Protecting the Enterprise What do we need in each site? Requirements for a Security Architecture
More informationThreat Modeling. Deepak Manohar
Threat Modeling Deepak Manohar Outline Motivation Past Security Approaches Common problems with past security approaches Adversary s perspective Vs Defender s perspective Why defender s perspective? Threat
More informationMicrosoft Patch Management - A Review
Kimberly M. Hubbard University of Illinois Urbana-Champaign BADM 395: IT Governance Professor: Mike Shaw April 29, 2007 Table of Contents Abstract... 3 Purpose... 3 Problems... 4 Vulnerability... 4 Patch
More informationThe Security Development Lifecycle. Steven B. Lipner, CISSP SLipner@microsoft.com Senior Director Security Engineering Strategy Microsoft Corp.
The Security Development Lifecycle Steven B. Lipner, CISSP SLipner@microsoft.com Senior Director Security Engineering Strategy Microsoft Corp. 2 Overview Introduction A look back Trustworthy Computing
More informationRevision History Revision Date 3.0 14.02.10. Changes Initial version published to http://www.isasecure.org
SDLA-312 ISA Security Compliance Institute Security Development Lifecycle Assurance - Security Development Lifecycle Assessment v3.0 Lifecycle Phases Number Phase Name Description PH1 Security Management
More informationBig Data, Big Risk, Big Rewards. Hussein Syed
Big Data, Big Risk, Big Rewards Hussein Syed Discussion Topics Information Security in healthcare Cyber Security Big Data Security Security and Privacy concerns Security and Privacy Governance Big Data
More information-.% . /(.0/.1 . 201 . ) 53%/(01 . 6 (01 (%((. * 7071 (%%2 $,( . 8 / 9!0/!1 . # (3(0 31.%::((. ;.!0.!1 %2% . ".(0.1 $) (%+"",(%$.(6
!""#"" ""$"$"# $) ""$"*$"# %%&''$ $( (%( $) (%+"",(%$ -.% Number Phase Name Description. /(.0/.1.(((%( $. 201 2,%%%% %$. %(01 3-(4%%($. ) 53%/(01 %%4.%%2%, ($. 6 (01 (%((. * 7071 (%%2. 8 / 9!0/!1 ((((($%
More informationThreat Modeling. Frank Piessens (Frank.Piessens@cs.kuleuven.be ) KATHOLIEKE UNIVERSITEIT LEUVEN
Threat Modeling Frank Piessens (Frank.Piessens@cs.kuleuven.be ) Secappdev 2007 1 Overview Introduction Key Concepts Threats, Vulnerabilities, Countermeasures Example Microsoft s Threat Modeling Process
More informationMIS 5203. Systems & Infrastructure Lifecycle Management 1. Week 13 April 14, 2016
MIS 5203 Lifecycle Management 1 Week 13 April 14, 2016 Study Objectives Systems Implementation contd Configuration Management Monitoring and Incident Management Post implementation Reviews Project Success
More informationCITY UNIVERSITY OF HONG KONG. Information System Acquisition, PUBLIC Development and Maintenance Standard
CITY UNIVERSITY OF HONG KONG Development and Maintenance Standard (Approved by the Information Strategy and Governance Committee in December 2013; revision 1.1 approved by Chief Information Officer in
More informationSecurity Considerations for the Spiral Development Model
Security Considerations for the Spiral Development Model Loye Lynn Ray University of Maryland University College 3501 University Blvd East Adelphi, MD 20783 Loye.ray@faculty.umuc.edu 717-718-5727 Abstract
More informationSecurity Controls What Works. Southside Virginia Community College: Security Awareness
Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction
More informationSECURITY AND RISK MANAGEMENT
SECURITY AND RISK MANAGEMENT IN AGILE SOFTWARE DEVELOPMENT SATURN 2012 Conference (#SATURN2012) Srini Penchikala (@srinip) 05.10.12 #WHOAMI Security Architect @ Financial Services Organization Location:
More informationPreventive and Detective Data IntegritySolutions
Preventive and Detective Data IntegritySolutions Abstract Today s market is drifting from Network centric to Customer centric where focus is primarily on Customer experience. Communication Service Providers
More informationThe Security Development Lifecycle. OWASP 24 June 2010. The OWASP Foundation http://www.owasp.org
The Security Development Lifecycle 24 June 2010 Steve Lipner Senior Director of Security Engineering Strategy Trustworthy Computing Microsoft Corporation SLipner@microsoft.com +1 425 705-5082 Copyright
More informationGuidelines 1 on Information Technology Security
Guidelines 1 on Information Technology Security Introduction The State Bank of Pakistan recognizes that financial industry is built around the sanctity of the financial transactions. Owing to the critical
More informationNIST National Institute of Standards and Technology
NIST National Institute of Standards and Technology Lets look at SP800-30 Risk Management Guide for Information Technology Systems (September 2012) What follows are the NIST SP800-30 slides, which are
More informationThe AppSec How-To: Achieving Security in DevOps
The AppSec How-To: Achieving Security in DevOps How do you integrate security within a Continuous Deployment (CD) environment - where every 5 minutes a feature, an enhancement, or a bug fix needs to be
More informationManagement (CSM) Capability
CDM Configuration Settings Management (CSM) Capability Department of Homeland Security National Cyber Security Division Federal Network Security Network & Infrastructure Security Table of Contents 1 PURPOSE
More informationGoals. Understanding security testing
Getting The Most Value From Your Next Network Penetration Test Jerald Dawkins, Ph.D. True Digital Security p. o. b o x 3 5 6 2 3 t u l s a, O K 7 4 1 5 3 p. 8 6 6. 4 3 0. 2 5 9 5 f. 8 7 7. 7 2 0. 4 0 3
More informationGet Confidence in Mission Security with IV&V Information Assurance
Get Confidence in Mission Security with IV&V Information Assurance September 10, 2014 Threat Landscape Regulatory Framework Life-cycles IV&V Rigor and Independence Threat Landscape Continuously evolving
More informationWHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK
WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK DATE OF RELEASE: 27 th July 2012 Table of Contents 1. Introduction... 2 2. Need for securing Telecom Networks... 3 3. Security Assessment Techniques...
More informationApplication Security Guide For CISOs
Application Security Guide For CISOs Version 1.0 (November 2013) Project Lead and Main Author Marco Morana Co-authors, Contributors and Reviewers Tobias Gondrom, Eoin Keary, Andy Lewis, Stephanie Tan and
More informationInteractive Application Security Testing (IAST)
WHITEPAPER Interactive Application Security Testing (IAST) The World s Fastest Application Security Software Software affects virtually every aspect of an individual s finances, safety, government, communication,
More informationDevelopment. Resilient Software. Secure and. Mark S. Merkow Lakshmikanth Raghavan. CRC Press. Taylor& Francis Croup. Taylor St Francis Group,
Secure and Resilient Software Development Mark S. Merkow Lakshmikanth Raghavan CRC Press Taylor& Francis Croup Boca Raton London New York CRC Press is an imprint of the Taylor St Francis Group, an Informs
More informationWeb Application Security Roadmap
Web Application Security Roadmap Joe White joe@cyberlocksmith.com Cyberlocksmith April 2008 Version 0.9 Background Web application security is still very much in it s infancy. Traditional operations teams
More informationManaging Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services
Managing Vulnerabilities for PCI Compliance White Paper Christopher S. Harper Managing Director, Agio Security Services PCI STRATEGY Settling on a PCI vulnerability management strategy is sometimes a difficult
More informationMicrosoft SDL: Agile Development
Microsoft SDL: Agile Development June 24, 2010 Nick Coblentz, CISSP Senior Security Consultant AT&T Consulting Nick.Coblentz@gmail.com http://nickcoblentz.blogspot.com http://www.twitter.com/sekhmetn Copyright
More informationSAFECode Security Development Lifecycle (SDL)
SAFECode Security Development Lifecycle (SDL) Michael Howard Microsoft Matthew Coles EMC 15th Semi-annual Software Assurance Forum, September 12-16, 2011 Agenda Introduction to SAFECode Security Training
More informationEnterprise Security Tactical Plan
Enterprise Security Tactical Plan Fiscal Years 2011 2012 (July 1, 2010 to June 30, 2012) Prepared By: State Chief Information Security Officer The Information Security Council State of Minnesota Enterprise
More informationDomain 1 The Process of Auditing Information Systems
Certified Information Systems Auditor (CISA ) Certification Course Description Our 5-day ISACA Certified Information Systems Auditor (CISA) training course equips information professionals with the knowledge
More informationCyber Security & Data Privacy. January 22, 2014
Cyber Security & Data Privacy January 22, 2014 Today s Presenters Bob DiBella Director of Product Management Aclara Technologies Srinivasalu Ambati Application Architect, Consumer Engagement Aclara Technologies
More informationHP Fortify application security
HP Fortify application security Erik Costlow Enterprise Security The problem Cyber attackers are targeting applications Networks Hardware Applications Intellectual Property Security Measures Switch/Router
More information112 BSIMM Activities at a Glance
112 BSIMM Activities at a Glance (Red indicates most observed BSIMM activity in that practice) 6 Level 1 Activities Governance Strategy & Metrics (SM) Publish process (roles, responsibilities, plan), evolve
More informationThreat Modeling. 1. Some Common Definition (RFC 2828)
Threat Modeling Threat modeling and analysis provides a complete view about the security of a system. It is performed by a systematic and strategic way for identifying and enumerating threats to a system.
More informationMaking your web application. White paper - August 2014. secure
Making your web application White paper - August 2014 secure User Acceptance Tests Test Case Execution Quality Definition Test Design Test Plan Test Case Development Table of Contents Introduction 1 Why
More informationInformation & Asset Protection with SIEM and DLP
Information & Asset Protection with SIEM and DLP Keeping the Good Stuff in and the Bad Stuff Out Professional Services: Doug Crich Practice Leader Infrastructure Protection Solutions What s driving the
More informationPanel: SwA Practices - Getting to Effectiveness in Implementation
Panel: SwA Practices - Getting to Effectiveness in Implementation (EMC s Evolution of Product Security Assurance) Dan Reddy, CISSP, CSSLP EMC Product Security Office Software Assurance Forum Gaithersburg,
More informationNETWORK PENETRATION TESTING
Tim West Consulting 6807 Wicklow St. Arlington, TX 76002 817-228-3420 Twest@timwestconsulting.com OVERVIEW Tim West Consulting Tim West Consulting is a full service IT security and support firm that specializes
More informationSecure Software Development
Master Thesis Software Engineering Thesis no: MSE-2007-12 March 2007 Secure Software Development - Identification of Security Activities and Their Integration in Software Development Lifecycle Syed Rizwan
More informationLearning objectives for today s session
Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP Learning objectives for today s session Understand what a black box and white box assessment is and how they differ Identify
More information