The Importance of Application Security

Similar documents
Effective Software Security Management

The Value of Vulnerability Management*

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services

Redhawk Network Security, LLC Layton Ave., Suite One, Bend, OR

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

Practitioner Certificate in Information Assurance Architecture (PCiIAA)

IT Compliance Volume II

White Paper. Automating Your Code Review: Moving to a SaaS Model for Application Security

Practical Overview on responsibilities of Data Protection Officers. Security measures

Accelerating Software Security With HP. Rob Roy Federal CTO HP Software

The case for continuous penetration testing

PASTA Abstract. Process for Attack S imulation & Threat Assessment Abstract. VerSprite, LLC Copyright 2013

Testing Solutions to Tackle Application Security Checkpoint Technologies SQGNE. Jimmie Parson Checkpoint Technologies

Vulnerability Risk Management 2.0. Best Practices for Managing Risk in the New Digital War

The Department of Technology Services is responsible for installing and managing security controls and technologies on behalf of the State of Utah.

The Convergence of IT Security and Compliance with a Software as a Service (SaaS) approach

The Magazine for IT Security. May issue 3. sör alex / photocase.com

Nine Steps to Smart Security for Small Businesses

Making your web application. White paper - August secure

05.0 Application Development

Procuring Penetration Testing Services

PCI Compliance. Top 10 Questions & Answers

Cyber Security Consultancy Standard. Version 0.2 Crown Copyright 2015 All Rights Reserved. Page 1 of 13

G- Cloud Specialist Cloud Services. Security and Penetration Testing. Overview

PCI Deadline Are you Complying? Mark Cuneo. CardConnect

Is the PCI Data Security Standard Enough?

How To Make A Law Firm More Successful

Lot 1 Service Specification MANAGED SECURITY SERVICES

Secure Web Applications. The front line defense

Marketing and Data Security

This is a sample chapter from A Manager's Guide to Service Management. To read more and buy, visit BSI British

New Zealand Company Six full time technical staff Offices in Auckland and Wellington

White Paper. Guide to PCI Application Security Compliance for Merchants and Service Providers

Getting a head start in Software Asset Management

HOSTING. Managed Security Solutions. Managed Security. ECSC Solutions

PCI Compliance Top 10 Questions and Answers

Info-Security Conference Securing Your Applications in the Cloud. 29 May 2013

PCI Solution for Retail: Addressing Compliance and Security Best Practices

Web application security: automated scanning versus manual penetration testing.

Cutting Edge Practices for Secure Software Engineering

Outsourcing and Information Security

Securing the Microsoft Cloud

SOLUTION WHITE PAPER. IT Business Management and Compliance Ensuring Cloud Governance

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

PCI Compliance for Cloud Applications

Application Security Report

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

What is Penetration Testing?

IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach.

ANALYTICS STRATEGIES FOR INSURANCE

AUDIT REPORT WEB PORTAL SECURITY REVIEW FEBRUARY R. D. MacLEAN CITY AUDITOR

Business Opportunity Enablement through Information Security Compliance

A risky business. Why you can t afford to gamble on the resilience of business-critical infrastructure

Amdocs Customer Success Story. Amdocs Sets the Standard for Managed Service Business Transformation for a Leading Mobile Service Provider

Cloud Business Case G-Cloud 5 Framework

CloudCheck Compliance Certification Program

Web Application security testing: who tests the test?

IBM Rational AppScan: Application security and risk management

Rational AppScan & Ounce Products

SECURITY. Risk & Compliance Services

Managing Vulnerabilities For PCI Compliance

G-Cloud Pricing. Atos infrastructure Vulnerability Scanning (Outpost24) SaaS

Security and Services

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

PCI DSS Top 10 Reports March 2011

BEFORE THE BREACH: Why Penetration Testing is Critical to Healthcare IT Security

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com

93% of large organisations and 76% of small businesses

White paper September Realizing business value with mainframe security management

How Your Current IT Security System Might Be Leaving You Exposed TAKEAWAYS CHALLENGES WHITE PAPER

THREE KEYS TO COST-EFFECTIVE SECURITY FOR YOUR SMALL BUSINESS

Application Security in the Software Development Lifecycle

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities

The 2014 Manufacturing ERP Report

How To Integrate Security Into Your Application Development

VENDOR MANAGEMENT. General Overview

Best value security report

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

NERC CIP Whitepaper How Endian Solutions Can Help With Compliance

Cloud Computing Risks & Reality. Sandra Liepkalns, CRISC sandra.liepkalns@netrus.com

PCI White Paper Series. Compliance driven security

October 7, Presented to. The PMI Washington DC Chapter. Pedro Agosto. Director of Client Services, XA Systems, LLC.

PLM Software as a Service : Enterprise Strategies Report: Improving Product Development Performance for Smaller Manufacturers

Sytorus Information Security Assessment Overview

Corporate Security in 2016.

Embrace the G-Cloud. Ultra Secure Colocation Services for the Public Sector. thebunker.net Phone: Fax:

Maintaining PCI-DSS compliance. Daniele Bertolotti Antonio Ricci

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Breathing new life into platform rationalization, compliance demands and supporting global expansion

NEXPOSE ENTERPRISE METASPLOIT PRO. Effective Vulnerability Management and validation. March 2015

Magnolia Migration Services

Data Masking Best Practices

Secure Software Development Trends in the Oil & Gas Sectors. How the Microsoft Security Development Lifecycle helps protect critical industries

3rd Party Assurance & Information Governance outlook IIA Ireland Annual Conference Straightforward Security and Compliance

The Security Development Lifecycle

WHAT ARE THE BENEFITS OF OUTSOURCING NETWORK SECURITY?

Acano solution. Security Considerations. August E

Cyber security. Cyber Security. Digital Employee Experience. Digital Customer Experience. Digital Insight. Payments. Internet of Things

WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK

Now Is the Time for Security at the Application Level

Transcription:

End-to-End Application Security: Feasibility, Affordability, and Common Misconceptions Slava Muchnick, EE Ltd 24/10/2014

We re EE the most advanced digital communications company in the UK We have the UK s biggest and fastest network, and we serve 28 million customers. For millions of people and businesses, EE is redefining what it means to be truly connected. We have 15,000 employees and 600 stores across the country. Our vision: To enable our customers to make the most of their entire digital lives 2

A brief history of EE EE was formed in 2010 following the merger of Orange and T-Mobile in the UK. T-Mobile began as Mercury one2one, founded in Borehamwood in the early 90s. It rebranded as one2one before purchase by Deutsche Telekom in 1999 and rebranded as T-Mobile. Orange was founded in Bristol and in 1996 became the youngest ever company to enter the FTSE 100. It was acquired by France Telecom in 2000, and bought Wanadoo to add fixed broadband services alongside the mobile offering. We have invested more than 15 billion building Britain s biggest and best mobile network. Picture messaging HD Voice 4G and LTE-Advanced mobile network Our UK firsts Wi-Fi on trains Consumer shared plans Commercial mobile payments 3

4 Consumer Consumer Consumer Fibre SME Corporate SME SME ADSL

The Application Security function of EE A dedicated AS team was established almost 10 years ago The initial remit covered CRM systems of what used to be T-Mobile UK Subsequently extended to cover all PCI-relevant systems of T-Mobile UK; PCI DSS certification was achieved in 2010 The current remit covers the development work on all qualifying EE systems (the list of which is defined on the basis of principles approved by Governance) The majority of Security Analysts are based at two offshore sites for cost reasons but are selected and managed by EE offshoring, not outsourcing The cost of providing AS support to development projects is charged to the projects, so it needs to be budgeted for AS Manager estimates the effort on the basis of initial project documentation 5

What is Application Security? Application Security is an IT discipline dealing with the security and regulatory compliance aspects of IT systems that are specific to the application layer Logically related matters include: policies and standards (external and internal) processes and practices skills according to the job role specialist tools According to ISO/IEC 27034: Application security is a process performed to apply controls and measurements to an organization s applications in order to manage the risk of using them 6

Current trends in the Application Security space Attackers have changed their focus to the application layer Realisation that application security threats require a different approach than network threats Growing appreciation of the root causes of application vulnerabilities: weak processes or practices inadequate skills incomplete supporting technology Application Security initiatives are producing measurable results Many sectors already require secure applications, eg: PCI DSS is enforced for systems working with payment cards Federal Trade Commission has officially adopted OWASP Top 10 7

How is Application Security generally done? A naive view: Application Security can be addressed by performing security testing prior to deployment and then patching the code to fix the issues detected The reality: Retrofitting AS to a system developed without AS in mind is not a practical option: too late, too expensive, too little can be done Some vulnerabilities and non-compliances can only be eliminated by adjusting the design or even the business requirements expensive if missed at early stages Some AS threats are more reliably and more efficiently mitigated in the design than in the code Therefore, ensuring security and compliance requires undertaking review and assessment activities at all stages of the development lifecycle: an end-toend AS process 8

Secure Development Lifecycle: the key points for PMs The AS team needs to be engaged as soon as an idea for a development project has been conceived. Failure to do this is likely to impact the delivery timeline; if in doubt, engage the AS team. Business requirements, specifications and designs have to be written down and submitted to the AS team for review. Failure to do this will dramatically inflate the cost of fixing any security issues; gamble at your peril. Code in development has to be made available for weekly scanning. This will guarantee an early notice of any security issues in the code, leaving plenty of time for the development team to fix them. The integration (end-to-end) testing environment has to be made available to the AS team and appropriate accounts created in it, so that final Security Audit could be performed. No new security defects of severity Serious+ to be deployed into production. (An exemption mechanism exists: business is the ultimate decision maker.) 9

Cost, time and benefits A naive view: Application Security is an expensive activity performed for the sake of compliance; it often delays the delivery of projects and does not produce any tangible benefits The reality: AS work is performed primarily to protect corporate assets and customer data entrusted to the company. Compliance is a distant second reason. The cost of all AS work done company-wide over several years is insignificant compared to the typical cost (direct and indirect) of a major security incident. When the engagement process is followed, there is usually no impact on delivery timelines. What causes delays is engaging the AS team too late. AS activities produce multiple artefacts that provide objective evidence of the degree of assurance achieved and of the issues still outstanding. 10

Delivering AS work at an affordable cost Do not attempt to work on everything: define a scope that covers the essentials Do not attempt to do everything: concentrate on realistic threats and aim to provide sensible mitigation Use automation where possible (though always in combination with skilled manual work: trusting a robot to do all of your AS is asking for trouble) Do the bulk of the manual work offshore: the nature of AS activities allows this if you do it correctly Be clever with accounting: end-to-end AS often detects security issues early in the process, which eliminates expensive re-working and hence reduces the overall development effort; this saving offsets some of the cost of AS 11

Defining the scope of involvement Regulation-driven criteria: Solutions involving payment card details (to ensure compliance to PCI DSS) Solutions involving customer data (to ensure compliance to the Data Protection Act) Technology-driven criteria: Web applications Web services exposing or consuming Mobile apps 12

Why offshoring rather than outsourcing? Protecting our secrets Able to select AS Analysts; know who of them has had access to what secrets The number of people who have ever worked for the AS team is kept low Ensuring a high quality of AS deliverables Validating a piece of AS work would typically require doing it all over again and comparing the results Complexity of interfaces to other development-related activities End-to-end AS activities permeate the whole development lifecycle Third parties are often involved: development/saas partners, testers etc Other participants of the SDL do not always deliver to plan Can be creative with the AS Analysts assignments when pre-requisites for their planned work are not ready 13

Other responsibilities of the Application Security team Own and maintain the AS process integrated into the Development Lifecycle Own and maintain EE General Application Security Requirements Provide input into EE security policies, standards and best practices Maintain and configure the tools used for automating some of the AS work Provide advice and guidance to development teams in performing AS analysis and threat modelling for business requirements and technical designs Provide consultancy services to business owners of in-house systems and to development teams in finding compromise solutions that meet the needs of the business without creating unacceptable security risks Educate EE employees in AS matters according to their respective job roles 14

Relevant standards and requirements PCI DSS (if payment cards are involved) but it protects primarily card issuers and hence is only a baseline as far as protecting EE is concerned Data Protection Act (if personal data is involved) but anonymous customer data and sensitive business information also have to be protected OWASP recommendations cross-referenced by PCI DSS but important in their own right In-house Application Security Requirements: a set of generic requirements applicable to all custom development done by, and for, EE; it forms part of the Security Schedule attached to all contracts with development partners and SaaS suppliers Platform-specific in-house requirements, such as Security Requirements to Web Services 15

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information