Information Security In Pakistan & Software Security As A Quality Aspect
Nahil Mahmood, Chairman, Pakistan Cyber Security Association (PCSA)
Software Quality [Includes Security] LET'S OWN SECURITY!
Agenda
- What is the global extent of the cybercrime market?
- Where does Pakistan stand?
- Information & Software Security Challenges in PK
- The Solution: Software Security Transformation
- Software Security Benchmarks & Standards
Extent of Cybercrime & Cybercrime As A Service
- Research-as-a-service
- Crimeware-as-a-service
- Cybercrime-infrastructure-as-a-service
- Hacking-as-a-service
Where does Pakistan stand?
- Legal
- Technical
- Organizational
- Capacity building
- Cooperation
Global Cybersecurity Index & Wellness Profile
Asia Pacific Region
South Asia Comparison
As per Microsoft report: https://info.microsoft.com/rs/157-gqe-382/images/en-msft-scrty-cntnt-ebookcybersecurity.pdf
Global Infection Heatmap https://info.microsoft.com/rs/157-gqe-382/images/en-msft-scrty-cntnt-ebookcybersecurity.pdf
Information & Software Security challenges in Pakistan
Cyber Security Survey Results (answers counted as Yes / No)
- Formal information security policy signed off by Board/Steering Committee? 7 / 3
- Separate department for Information Security with a Head of InfoSec / CISO? 6 / 4
- Internal vulnerability management program (VM) and appropriate tools for VM? 3 / 7
- Independent security assessment by a 3rd party in the last 6 months? 1 / 9
- Penetration testing by a 3rd party in the last 6 months? 3 / 7
- Security hardening benchmark such as CIS/DISA/OWASP for IT assets hardening? 1 / 9
- Security awareness program and testing mechanism for IT staff? 2 / 8
- Implemented global security framework such as ISO27001:2013 or PCI? 1 / 9
- Cooperative culture among depts such as IT/Risk/InfoSec/Audit/Compliance? 1 / 9
- Process-oriented culture for IT and Information Security? 2 / 8
- Formal process for the InfoSec team to conduct security accreditation? 4 / 6
- For in-house software development, is security well embedded in the SDLC? 2 / 8
- Organization demonstrates management commitment? 2 / 8
- InfoSec staff is at least 15-20% of IT staff? 1 / 9
- Do you have a formal incident management and change management process? 2 / 8
AVERAGE SCORE = 2.5/10
Information Security: Ground Realities (diagram of the departments involved: InfoSec, Audit, IT, Compliance, Risk)
IT Challenges Summary
- IT is complex and difficult to manage
- IT is under pressure from business groups
- Lack of sufficient (competent) resources
- Lack of process culture
IT IS CLEARLY NOT ALIGNED TO PERFORM DILIGENT SECURITY WORK
Information Security Challenges
- Silos and lack of coherent Information Security ownership
- A lot of time and energy wasted in traversing departmental boundaries
- Information Security is tough work, and the enabling environment is missing
- Fundamental security hardening of IT assets (including software) in the trenches is glaringly absent
Industry Characteristics
- Wavering management commitment
- Superficial "dressing" security
- Reactive to regulator, audit/compliance, or international customer mandate
- Security hardening remains largely untouched
- Industry in denial
Security layers (diagram): Network, Mobile, Systems (OS), Physical, DB, Application
The Solution: Software Security Transformation
Building-In Security Into The SDLC
Design Flaws
1. Educate personnel on software security
   SDLC Phase: Requirements Gathering
   - TRAINING
   Source for steps 1-8: https://www.synopsys.com/blogs/software-security/infuse-security-into-your-softwaredevelopment-life-cycle/
2. Formally assign responsibility for software security
   SDLC Phase: Requirements Gathering
   - SOFTWARE SECURITY GROUP (SSG)
3. Perform security-focused requirements gathering
   SDLC Phase: Requirements Gathering
   - ABUSE CASES
   - INITIAL RISK ANALYSIS
Abuse Cases
4. Establish a comprehensive risk management process
   SDLC Phase: Requirements Gathering
   - IDENTIFY MAJOR RISKS & EXECUTE A MITIGATION PLAN
   - ENSURE PROPER SECURITY DESIGN
5. Perform architecture reviews & threat modelling
   SDLC Phase: Design
   ARCHITECTURE RISK ANALYSIS
   1. Analyzing fundamental design principles
   2. Assessing the attack surface
   3. Enumerating various threat agents
   4. Identifying weaknesses and gaps in security controls
6. Carry out code reviews during implementation
   SDLC Phase: Implementation
   - ABUSE & MISUSE CASES
   - INITIAL RISK ANALYSIS
7. Execute test plans and perform penetration tests
   SDLC Phase: Verification
   - Malformed input handling
   - Business logic flaws
   - Authentication/authorization bypass attempts
   - Overall security posture
8. Deploy software product
   SDLC Phase: Deployment/Maintenance
   - Deployment plan
   - Change management plan
   - Roll-back plan
   - DR & IR plans
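Steps 3 and 7 above pair abuse cases written at requirements time with the verification tests that later exercise them. The following is an added example, not code from the slides or from the Synopsys source: abuse cases for a constructed toy transfer service (the Bank class, its account data and the cases are all assumptions) run as an automated quality gate that reports any abuse case the service failed to reject.

```python
from decimal import Decimal, InvalidOperation


class Rejected(Exception):
    """Raised when a request fails a security or business-rule check."""


class Bank:
    """Constructed toy transfer service: account id -> [owner, balance]."""

    def __init__(self):
        self.accounts = {"A1": ["alice", Decimal("100.00")],
                         "B2": ["bob", Decimal("20.00")]}

    def transfer(self, actor, src, dst, amount):
        # Malformed input handling: amount must parse, be positive, <= 2 decimals.
        try:
            amt = Decimal(str(amount))
            if amt <= 0 or amt != amt.quantize(Decimal("0.01")):
                raise Rejected("amount must be positive with at most 2 decimals")
        except InvalidOperation:
            raise Rejected("malformed amount")
        if src == dst or src not in self.accounts or dst not in self.accounts:
            raise Rejected("unknown or identical accounts")
        # Authorization: only the owner of the source account may debit it.
        if self.accounts[src][0] != actor:
            raise Rejected("actor does not own the source account")
        # Business logic: no overdraft.
        if self.accounts[src][1] < amt:
            raise Rejected("insufficient funds")
        self.accounts[src][1] -= amt
        self.accounts[dst][1] += amt
        return self.accounts[src][1]


# Constructed abuse cases (actor, src, dst, amount); every one must be rejected.
ABUSE_CASES = {
    "malformed_amount": ("alice", "A1", "B2", "10; DROP TABLE accounts"),
    "negative_amount": ("alice", "A1", "B2", "-50"),
    "authz_bypass": ("bob", "A1", "B2", "10"),   # bob tries to debit alice
    "overdraft": ("alice", "A1", "B2", "1000"),
    "self_transfer": ("alice", "A1", "A1", "10"),
}


def run_gate(cases=ABUSE_CASES):
    """Quality gate: return the abuse cases the service did NOT reject."""
    failures = []
    for name, (actor, src, dst, amount) in cases.items():
        try:
            Bank().transfer(actor, src, dst, amount)
            failures.append(name)  # request succeeded, so a control is missing
        except Rejected:
            pass
    return failures
```

An empty list from run_gate() means every abuse case was rejected; a non-empty list names the missing controls and should fail the build.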
Software Security Benchmarks & Standards
OWASP Source Code Flaws Top 10
OWASP PROJECTS
32 WORKING GROUPS
SECURITY, TRUST & ASSURANCE REGISTRY (STAR)
CSA STAR is the industry's most powerful program for security assurance in the cloud. STAR encompasses the key principles of transparency, rigorous auditing and harmonization of standards, with continuous monitoring also available in late 2015. STAR certification provides multiple benefits, including indications of best practices and validation of the security posture of cloud offerings.
CLOUD CONTROLS MATRIX (CCM)
Other Security Benchmarks & Standards
Conclusion
- Security implementation is generally weak in Pakistan's IT sector
- Security is hard work, and requires cooperation from all stakeholders
- Security should be linked with annual performance appraisals for best results
- For software security, build security into all phases of the Sec-SDLC
- QA departments must offer an integrated QA+Security quality gate for developers
- The software security eco-system should be addressed by improving software security awareness and training in universities & industry
- Role of Pakistan Cyber Security Association (PCSA)
Thank you Questions? nahil@deltatechglobal.com