Information Security In Pakistan & Software Security As A Quality Aspect. Nahil Mahmood, Chairman, Pakistan Cyber Security Association (PCSA)

Software Quality [Includes Security] LET'S OWN SECURITY!

Agenda
- What is the global extent of the cybercrime market?
- Where does Pakistan stand?
- Information & Software Security challenges in PK
- The Solution: Software Security Transformation
- Software Security Benchmarks & Standards

Extent of Cybercrime & Cybercrime As A Service

- Research-as-a-service
- Crimeware-as-a-service
- Cybercrime-infrastructure-as-a-service
- Hacking-as-a-service

Where does Pakistan stand?

Assessment pillars: Legal, Technical, Organizational, Capacity building, Cooperation

Global Cybersecurity Index & Wellness Profile

Asia Pacific Region

South Asia Comparison

As per the Microsoft report: https://info.microsoft.com/rs/157-gqe-382/images/en-msft-scrty-cntnt-ebookcybersecurity.pdf

Global Infection Heatmap https://info.microsoft.com/rs/157-gqe-382/images/en-msft-scrty-cntnt-ebookcybersecurity.pdf

Information & Software Security challenges in Pakistan

Cyber Security Survey Results (responses per question, Yes / No, out of 10)

Formal information security policy signed off by Board/Steering Committee?            Yes 7 / No 3
Separate department for Information Security with a Head of Infosec / CISO?           Yes 6 / No 4
Internal vulnerability management program (VM) and appropriate tools for VM?          Yes 3 / No 7
Independent security assessment by a 3rd party in the last 6 months?                  Yes 1 / No 9
Penetration testing by a 3rd party in the last 6 months?                              Yes 3 / No 7
Security hardening benchmark such as CIS/DISA/OWASP for IT assets hardening?          Yes 1 / No 9
Security awareness program and testing mechanism for IT staff?                        Yes 2 / No 8
Implemented global security framework such as ISO27001:2013 or PCI?                   Yes 1 / No 9
Cooperative culture among depts such as IT/Risk/InfoSec/Audit/Compliance?             Yes 1 / No 9
Process oriented culture for IT and Information Security?                             Yes 2 / No 8
Formal process for InfoSecurity team to conduct security accreditation?               Yes 4 / No 6
For in-house software development, is security well-embedded in the SDLC?             Yes 2 / No 8
Organization demonstrates management commitment?                                      Yes 2 / No 8
InfoSec staff is at least 15-20% of IT staff?                                         Yes 1 / No 9
Do you have a formal incident management and change management process?              Yes 2 / No 8

AVERAGE SCORE = 2.5/10

Information Security: Ground Realities (stakeholders: InfoSec, Audit, IT, Compliance, Risk)

IT Challenges Summary
- IT is complex and difficult to manage
- IT is under pressure from business groups
- Lack of sufficient (competent) resources
- Lack of process culture
IT IS CLEARLY NOT ALIGNED TO PERFORM DILIGENT SECURITY WORK

Information Security Challenges
- Silos and lack of coherent Information Security ownership
- A lot of time and energy is wasted traversing departmental boundaries
- Information Security is tough work; the enabling environment is missing
- Fundamental security hardening of IT assets (including software) in the trenches is glaringly absent

Industry Characteristics
- Wavering management commitment
- Superficial "window dressing" security
- Reactive to regulator, audit/compliance, or international customer mandates
- Security hardening remains largely untouched
- Industry in denial

Security layers: Physical, Network, Systems (OS), DB, Application, Mobile

The Solution Software Security Transformation

Building-In Security Into The SDLC

Design Flaws

Source for steps 1-8: https://www.synopsys.com/blogs/software-security/infuse-security-into-your-softwaredevelopment-life-cycle/

1. Educate personnel on software security
   SDLC Phase: Requirements Gathering
   - TRAINING

2. Formally assign responsibility for software security
   SDLC Phase: Requirements Gathering
   - SOFTWARE SECURITY GROUP (SSG)

3. Perform security-focused requirements gathering
   SDLC Phase: Requirements Gathering
   - ABUSE CASES
   - INITIAL RISK ANALYSIS

Abuse Cases

4. Establish a comprehensive risk management process
   SDLC Phase: Requirements Gathering
   - IDENTIFY MAJOR RISKS & EXECUTE A MITIGATION PLAN
   - ENSURE PROPER SECURITY DESIGN

5. Perform architecture reviews & threat modelling
   SDLC Phase: Design
   ARCHITECTURE RISK ANALYSIS
   1. Analyzing fundamental design principles
   2. Assessing the attack surface
   3. Enumerating various threat agents
   4. Identifying weaknesses and gaps in security controls

6. Carry out code reviews during implementation
   SDLC Phase: Implementation
   - ABUSE & MISUSE CASES
   - INITIAL RISK ANALYSIS

7. Execute test plans and perform penetration tests
   SDLC Phase: Verification
   - Malformed input handling
   - Business logic flaws
   - Authentication/authorization bypass attempts
   - Overall security posture

8. Deploy software product
   SDLC Phase: Deployment/Maintenance
   - Deployment plan
   - Change management plan
   - Roll-back plan
   - DR & IR plans
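The verification step above (step 7) and the "integrated QA+Security quality gate" called for in the conclusion can be made concrete as an automated security test plan that runs beside the functional tests. The following is an added example, not code from the presentation or from Synopsys: `OrderService` is a constructed, hypothetical in-house service, `WeakOrderService` is a constructed "before" version that only checks that the caller is a known user, and `run_security_test_plan` walks the four test categories the slide lists (malformed input, business logic, authorization bypass, overall posture) and returns a pass/fail map that `quality_gate` turns into a single go/no-go decision.

```python
"""Security test plan for the verification phase of a secure SDLC.

Added example (hypothetical service and constructed data); it is not part of
the original presentation. Each test-plan item is a named check whose result
is returned, so the same plan can gate a build in CI.
"""
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Raised when an actor is not allowed to perform an action."""


class ValidationError(Exception):
    """Raised when input is malformed or violates business rules."""


@dataclass
class OrderService:
    """Hypothetical order service with object-level authorization."""
    # Constructed sample data: user -> role, order id -> owner, sku -> price in cents
    roles: dict = field(default_factory=lambda: {"alice": "user", "bob": "user", "carol": "admin"})
    orders: dict = field(default_factory=lambda: {101: "alice", 102: "bob"})
    prices: dict = field(default_factory=lambda: {"widget": 250})

    def quote(self, sku: str, qty) -> int:
        """Return total price in cents; rejects malformed or out-of-policy input."""
        # bool is a subclass of int in Python, so it must be excluded explicitly
        if not isinstance(qty, int) or isinstance(qty, bool) or not 1 <= qty <= 1000:
            raise ValidationError("quantity must be an integer in 1..1000")
        if sku not in self.prices:
            raise ValidationError("unknown sku")
        return self.prices[sku] * qty

    def view_order(self, actor: str, order_id: int) -> str:
        """Return the order's owner; only the owner or an admin may view it."""
        owner = self.orders.get(order_id)
        if owner is None:
            raise ValidationError("no such order")
        # Object-level check: being logged in is not enough, ownership is verified
        if actor != owner and self.roles.get(actor) != "admin":
            raise AuthorizationError(f"{actor} may not view order {order_id}")
        return owner


class WeakOrderService(OrderService):
    """Constructed 'before' version: verifies the user exists but not ownership."""

    def view_order(self, actor: str, order_id: int) -> str:
        if actor not in self.roles:
            raise AuthorizationError("unknown user")
        if order_id not in self.orders:
            raise ValidationError("no such order")
        return self.orders[order_id]  # any known user can read any order


def run_security_test_plan(svc: OrderService) -> dict:
    """Execute each test-plan item and return {item name: passed}."""
    results = {}

    def expect(name, action, exc):
        # An item passes only if the service refuses with the expected exception
        try:
            action()
            results[name] = False
        except exc:
            results[name] = True
        except Exception:
            results[name] = False

    # Malformed input handling
    expect("malformed: negative qty", lambda: svc.quote("widget", -1), ValidationError)
    expect("malformed: string qty", lambda: svc.quote("widget", "10"), ValidationError)
    expect("malformed: bool qty", lambda: svc.quote("widget", True), ValidationError)
    expect("malformed: unknown sku", lambda: svc.quote("gadget", 1), ValidationError)
    # Business logic flaws
    expect("logic: zero qty", lambda: svc.quote("widget", 0), ValidationError)
    expect("logic: oversized qty", lambda: svc.quote("widget", 10**9), ValidationError)
    # Authorization bypass attempts (horizontal: one user reading another's order)
    expect("authz: horizontal", lambda: svc.view_order("bob", 101), AuthorizationError)
    expect("authz: unknown actor", lambda: svc.view_order("mallory", 101), AuthorizationError)
    # Overall posture: legitimate use still works (controls must not break the product)
    results["posture: owner allowed"] = svc.view_order("alice", 101) == "alice"
    results["posture: admin allowed"] = svc.view_order("carol", 102) == "bob"
    results["posture: valid quote"] = svc.quote("widget", 4) == 1000
    return results


def quality_gate(results: dict) -> bool:
    """Integrated QA+security gate: every test-plan item must pass."""
    return all(results.values())


if __name__ == "__main__":
    for name, svc in (("hardened", OrderService()), ("weak", WeakOrderService())):
        outcome = run_security_test_plan(svc)
        failed = [k for k, v in outcome.items() if not v]
        print(f"{name}: gate={'PASS' if quality_gate(outcome) else 'FAIL'} failed={failed}")
```

Run as-is, the hardened service passes every item and the weak one fails only the horizontal authorization item, which is exactly the class of defect a functional test suite tends to miss: the weak service returns a correct-looking order for a valid user, so nothing "breaks" until a test asks whether that user should have been allowed at all.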

Software Security Benchmarks & Standards

OWASP Source Code Flaws Top 10

OWASP PROJECTS

32 WORKING GROUPS

SECURITY, TRUST & ASSURANCE REGISTRY (STAR) CSA STAR is the industry's most powerful program for security assurance in the cloud. STAR encompasses the key principles of transparency, rigorous auditing, and harmonization of standards, with continuous monitoring also available in late 2015. STAR certification provides multiple benefits, including indications of best practices and validation of the security posture of cloud offerings.

CLOUD CONTROLS MATRIX (CCM)

Other Security Benchmarks & Standards

Conclusion
- Security implementation is generally weak in Pakistan's IT sector
- Security is hard work, and requires cooperation from all stakeholders
- Security should be linked with annual performance appraisals for best results
- For software security, build security into all phases of the secure SDLC
- QA departments must offer an integrated QA+Security quality gate for developers
- The software security eco-system is to be addressed by improving software security awareness and training in universities & industry
- Role of Pakistan Cyber Security Association (PCSA)

Thank you Questions? nahil@deltatechglobal.com