The Business Case for Security in the SDLC


Make Security Part of Your Application Quality Program
- Otherwise, development teams don't view it as part of their job
- "The notion of application quality, which has traditionally focused on functionality and performance, must be expanded to include security." (Neil McDonald, Sr. VP, Gartner)

Security Engineering Doesn't Require Changing Your Existing Process
- Just augment it with a set of high-impact security activities

Secure, Repeatable Development Works: the Microsoft SDL
Major challenges:
- Needed to roll out the Microsoft Security Development Lifecycle (SDL) to hundreds of development teams
- Internal instructor-led training was effective, but not scalable, and couldn't be re-purposed for new employees
- Needed a way to train vendors on the Microsoft SDL to ensure software consumed by Microsoft had security considered
Security Innovation solution:
- Customized 14 eLearning courses specific to the Microsoft SDL
- Same content base as current courses in our eLearning library
- In 24 months, Microsoft was able to go from having 30% of its product teams trained on the SDL to 70% (over 3,000 users)

The Microsoft SDL: Reduction in Vulnerabilities
[Chart: total vulnerabilities disclosed after release]
- Operating systems, 12 months after release: Windows XP (before SDL) 119 vs. Windows Vista (after SDL) 66: 45% reduction in vulnerabilities
- Databases, 36 months after release: SQL Server 2000 (before SDL) 34 vs. SQL Server 2005 (after SDL) 3: 91% reduction in vulnerabilities
- The chart also shows a competing commercial database and three competing operating systems (OS I, OS II, OS III); the remaining bar values as extracted from the chart are 400, 187, 242 and 157
Consistent use of sound security practices during all phases of development will result in fewer vulnerabilities and facilitate compliance.

While Estimates Vary Slightly, All Research Confirms that Cost/Time to Fix Vulnerabilities Grows Exponentially During the SDLC
[Chart: cost to fix by development phase]
Source: National Institute of Standards & Technology (NIST)

While Estimates Vary Slightly, All Research Confirms that Cost/Time to Fix Vulnerabilities Grows Exponentially During the SDLC
Relative cost of fixing security flaws during the different development phases (cost vs. time):
- Design: 1
- Implementation: 6.5
- Testing: 15
- Post release: 60
Source: IBM Systems Sciences Institute

While Estimates Vary Slightly, All Research Confirms that Cost/Time to Fix Vulnerabilities Grows Exponentially During the SDLC
[Chart: cost to fix by development phase]
Source: IEEE Computer Society

Does Application Security Pay?
- Companies reported substantial efficiency gains and risk reduction even BEFORE implementing a formal secure SDLC program
Improvements AFTER secure SDLC program rollout:
- Cut vulnerability fix times from 1 to 2 weeks to about 1 to 2 days
- Observed that repeat vulnerabilities dropped from 80% to 20%
- Operational improvements led to expense benefits valued at more than $2 million per team over the course of 2 years
Source: Mainstay Partners/HP, "Does Application Security Pay?"

Other Data Points
- Forrester: an effective developer education program can reduce vulnerabilities by ~25%; organizations implementing an SDL showed better ROI than the overall population (Consulting State of Application Security study)
- Gartner: finding bugs at operations time costs you up to 100 percent effort
- Aberdeen: adopting an SDL process increases security and reduces the severity and cost of vulnerability incidents while generating a stronger return on investment (four times higher) than other application security approaches
- DHS, "Estimating Benefits from Investing in Secure Development": regardless of which statistic is used, there is a substantial cost saving for fixing security flaws during requirements gathering rather than deployment; provides cost and benefit calculators for investments in secure software development: https://buildsecurityin.us-cert.gov/articles/knowledge/business-case-models/estimating-benefits-frominvesting-in-secure-software-development
Sources: available upon request

Lack of Effective Security Often Impedes Development Speed
- One bad design choice can lead to hundreds of security bugs
  - Failure to sanitize user input -> SQL injection in dozens of modules
  - Reflecting user input back on a confirmation page -> cross-site scripting (XSS)
- 80% of software flaws are introduced in requirements and design*, before a single line of code is even written
  - Design vulnerabilities are the most expensive and time-consuming to fix
- Insecure libraries, frameworks, and 3rd-party components introduce problems
  - PHP is widely known as being insecure
  - Java frameworks littered with security flaws
  - Adobe Flash vulnerabilities have been exploited numerous times
- Developers often don't understand how what they are NOT doing is putting their application at risk
  - Failure to encode output -> XSS bugs
  - Failure to protect login credentials or session tokens -> session ID/hijacking attacks
- All this leads to increased re-work and vulnerability remediation time (cost sink)
*Source: McConnell, Code Complete

Inclusion of Effective Security Accelerates Development Speed
- Reduce risk with even MINIMUM best-practice adoption
  - 80% of attacks exploit known vulnerabilities and are conducted by "script kiddies"; these should be easy to defend against
- Design security in
  - Solid architecture reduces the mistakes developers can make
  - A developer can implement a design spec perfectly and still create vulnerabilities
  - Threat models ensure developers and testers aren't wasting time in low-risk areas of your application; they also create a de facto security test plan
- Avoid duplicate and recurring vulnerabilities
  - Most vulnerabilities are the result of the same coding error being made repeatedly
- Find and remediate vulnerabilities faster
  - Testers can provide intelligence back to developers and shorten fix time
  - Make tools smarter and reduce time spent on false positives
- It doesn't take any longer to write a line of secure code than a line of insecure code; you just need to know the difference
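The two slides above make the same point twice: the "failure to sanitize input -> SQL injection" and "reflecting input -> XSS" pairs, and the claim that a secure line of code is no longer than an insecure one. The following is an added example (not part of the original deck, and not Security Innovation's code) that puts the insecure and the secure form of each side by side. The database, its two rows and the test inputs are constructed for illustration; the hardened versions use only the Python standard library (parameter binding in sqlite3 and html.escape), so the same query and the same template are one line each in both forms.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table: two users, purely for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, email TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def find_user_insecure(conn: sqlite3.Connection, name: str) -> list:
    # Insecure: the caller's input is pasted into the SQL text, so the input
    # can change the structure of the query, not just the value compared.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return sorted(row[0] for row in conn.execute(sql))


def find_user_secure(conn: sqlite3.Connection, name: str) -> list:
    # Secure: same query, same length, but the value is bound as a parameter
    # and can never be interpreted as SQL.
    sql = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


def confirmation_insecure(name: str) -> str:
    # Insecure: user input is reflected straight into HTML (the XSS pattern
    # the slide describes).
    return f"<p>Thanks, {name}!</p>"


def confirmation_secure(name: str) -> str:
    # Secure: the same template with the value encoded for an HTML text
    # context, so markup in the input is rendered as literal characters.
    return f"<p>Thanks, {html.escape(name, quote=True)}!</p>"


if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a normal value and a value containing SQL / HTML syntax.
    for value in ("alice", "x' OR 'a'='a"):
        print(repr(value), "insecure:", find_user_insecure(db, value),
              "secure:", find_user_secure(db, value))
    for value in ("alice", "<b>not alice</b>"):
        print(confirmation_insecure(value))
        print(confirmation_secure(value))
```

Running it shows the difference the slide is talking about: the insecure lookup returns every user for the second input because the input rewrote the WHERE clause, while the parameterised lookup returns nothing; the insecure page embeds the `<b>` tags as markup, while the encoded page shows them as text. A single shared query helper and a single output-encoding helper is the "design security in" choice that prevents the same bug from recurring across dozens of modules.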

International Secure Software Engineering Council (ISSECO)
- Non-profit organization founded by a former SAP CSO
- ISQI is the certifying body; exams administered by Pearson Vue
- Offers the Certified Professional for Secure Software Engineering (CPSSE) certification for architects, developers, and test/QA
- SI is an accredited training provider for ISSECO
  - Offers a 2-hour test-prep course that includes a comprehensive practice exam
  - Collaborated directly with ISSECO on course content and exam
Course and exam content:
- Module 1: The View of the Attacker, The View of the Customer
- Module 2: Methodologies for Secure Software Engineering: Security Requirements, Secure Design, Threat Modeling, Secure Coding, Security Testing, Secure Deployment, Security Response
- Module 3: Security Metrics
- Module 4: Code and Resource Protection

How Security Innovation Europe can help

About Security Innovation
Authority in application security:
- 10+ years of research on vulnerabilities
- First publicly published security testing methodology, adopted by Microsoft, Adobe, Symantec, SAP
- Authors of 14 books, 6 co-written with Microsoft
- Application security partner for Microsoft, Cisco, HP, IBM and Trustwave
Helping organizations reduce risk by securing applications at the source:
- Integrate security at each phase of the SDLC
- Build internal expertise and competency
- Find, remediate and prevent vulnerabilities

Security Innovation Solutions: 3 Pillars of Success for a Secure SDLC
- Standards
  - Align development activities with policies, compliance, requirements
  - Set expectations for your teams (in-house/outsourced)
- Education
  - Build the knowledge needed to implement standards and adhere to policies
  - Instructor-led, eLearning, virtual classroom
  - Role-, technology- and platform-based programs
- Assessment
  - Match the depth of testing with the criticality of applications
  - Assessments range from automated scans to deep manual pen tests with specialized tools, techniques and threat models

Security Innovation Learning Platform: The TeamProfessor/TeamMentor Relationship
Foundational training:
- Security Testing Methodologies
- Defensive Coding Best Practices
- Understanding Threats and Vulnerabilities
- Tools & Technologies
- Risk Analysis Methodologies
- Principles, Guidelines, Attack Techniques, How-to's
On-the-job guidance:
- Conducting Attacks
- Code Snippets
- Checklists
- Inspection Questions
- Full search capabilities

Security Innovation Learning Platform: Role-, Platform- & Technology-Based Training
- Role: Architect, Developer, Tester/QA, PM, Release Manager
- Platform: Web/Web Service, Thick Client, Mobile, Embedded
- Technology: Java, .NET, C/C++, PHP, etc.

TeamProfessor Training: Minimize Off-the-Bench Time
- Glossary of all terms
- Written transcript for all voice-over
- Printable version of entire course
- Nested navigation for related topics
- Navigable TOC
- Start, pause, scroll

TeamMentor: Learning at the Time of Need
- Search box for text searching
- Click the [+] to see a preview of the content
- Filters allow users to isolate all or selected assets for a specific technology, category, phase or type
- Guidance views allow users to quickly locate all items of a specific genre
- Clicking the title opens the full document