The Business Case for Security in the SDLC
Make Security Part of Your Application Quality Program
- Otherwise, development teams don't view it as part of their job.

"The notion of application quality, which has traditionally focused on functionality and performance, must be expanded to include security."
  Neil MacDonald, Sr. VP, Gartner

Security Engineering Doesn't Require Changing Your Existing Process
- Just augment it with a set of high-impact security activities.

Secure, Repeatable Development Works: the Microsoft SDL
Major challenges:
- Needed to roll out the Microsoft Security Development Lifecycle (SDL) to hundreds of development teams
- Internal instructor-led training was effective, but not scalable and couldn't be re-purposed for new employees
- Needed a way to train vendors on the Microsoft SDL to ensure software consumed by Microsoft had security considered
Security Innovation solution:
- Customized 14 elearning courses specific to the Microsoft SDL
- Same content base as current courses in our elearning library
- In 24 months, Microsoft was able to go from having 30% of its product teams trained on the SDL to 70% (over 3,000 users)

The Microsoft SDL: Reduction in Vulnerabilities
[charts: total vulnerabilities disclosed 12 months and 36 months after release; the before/after pairs below are the values recoverable from the extracted text, while the remaining bars (OS I, OS II, OS III, competing commercial DB; values 400, 187, 242, 157) cannot be attributed to specific products]
- Windows XP (before SDL): 119 vs. Windows Vista (after SDL): 66, a 45% reduction in vulnerabilities
- SQL Server 2000 (before SDL): 34 vs. SQL Server 2005 (after SDL): 3, a 91% reduction in vulnerabilities
Consistent use of sound security practices during all phases of development will result in fewer vulnerabilities and facilitate compliance.

While Estimates Vary Slightly, All Research Confirms that Cost/Time to Fix Vulnerabilities Grows Exponentially During the SDLC
Source: National Institute of Standards & Technology (NIST)

While Estimates Vary Slightly, All Research Confirms that Cost/Time to Fix Vulnerabilities Grows Exponentially During the SDLC
Relative cost of fixing security flaws during the different development phases (cost vs. time in the lifecycle, design phase = 1):
- Design: 1
- Implementation: 6.5
- Testing: 15
- Post-release: 60
Source: IBM Systems Sciences Institute

While Estimates Vary Slightly, All Research Confirms that Cost/Time to Fix Vulnerabilities Grows Exponentially During the SDLC
Source: IEEE Computer Society

Does Application Security Pay?
- Companies reported substantial efficiency gains and risk reduction even BEFORE implementing a formal secure SDLC program.
Improvements AFTER secure SDLC program rollout:
- Cut vulnerability fix times from 1 to 2 weeks to about 1 to 2 days
- Observed that repeat vulnerabilities dropped from 80% to 20%
- Operational improvements led to expense benefits valued at more than $2 million per team over the course of 2 years
Source: Mainstay Partners/HP, "Does Application Security Pay?"

Other Data Points
- Forrester: An effective developer education program can reduce vulnerabilities by ~25%. Organizations implementing an SDL showed better ROI than the overall population (Consulting State of Application Security study).
- Gartner: Finding bugs at operations time costs you up to 100 percent effort.
- Aberdeen: Adopting an SDL process increases security and reduces the severity and cost of vulnerability incidents while generating a stronger return on investment (four times higher) than other application security approaches.
- DHS, Estimating Benefits from Investing in Secure Development: Regardless of which statistic is used, there is a substantial cost saving from fixing security flaws during requirements gathering rather than at deployment. Provides cost and benefit calculators for investments in secure software development: https://buildsecurityin.us-cert.gov/articles/knowledge/business-case-models/estimating-benefits-frominvesting-in-secure-software-development
Sources: available upon request

Lack of Effective Security Often Impedes Development Speed
- One bad design choice can lead to hundreds of security bugs:
  - Failure to sanitize user input -> SQL injection in dozens of modules
  - Reflecting user input back on a confirmation page -> cross-site scripting (XSS)
- 80% of software flaws are introduced in requirements and design*, before a single line of code is even written; design vulnerabilities are the most expensive and time-consuming to fix.
- Insecure libraries, frameworks, and 3rd-party components introduce problems:
  - PHP is widely known as being insecure
  - Java frameworks are littered with security flaws
  - Adobe Flash vulnerabilities have been exploited numerous times
- Developers often don't understand how what they are NOT doing is putting their application at risk:
  - Failure to encode input -> XSS bugs
  - Failure to protect login credentials or session tokens -> session ID/hijacking attack
- All this leads to increased re-work and vulnerability remediation time (cost sink).
*Source: McConnell, Code Complete

Inclusion of Effective Security Accelerates Development Speed
- Reduce risk with even MINIMUM best-practice adoption: 80% of attacks exploit known vulnerabilities and are conducted by "script kiddies"; these should be easy to defend against.
- Design security in: a solid architecture reduces the mistakes developers can make. A developer can implement a design spec perfectly and still create vulnerabilities.
- Threat models ensure developers and testers aren't wasting time in low-risk areas of your application; they also create a de facto security test plan.
- Avoid duplicate and recurring vulnerabilities: most vulnerabilities are the result of the same coding error being made repeatedly.
- Find and remediate vulnerabilities faster: testers can provide intelligence back to developers and shorten fix time; make tools smarter and reduce time spent on false positives.
- It doesn't take any longer to write a line of secure code vs. a line of insecure code; you just need to know the difference.

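The two design choices named on the previous slides (pasting unsanitized input into SQL, and reflecting input onto a confirmation page) are shown here beside their hardened forms, to make the last point concrete: the secure line is no longer than the insecure one. This is an added example, not code from the deck or from Security Innovation; the in-memory users table and its rows are constructed for the demonstration, and the function names are the example's own.

```python
"""Added example: each insecure pattern beside the hardened form that costs
no extra lines. Not code from the original deck; the users table and its
rows are constructed for the demo."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for an application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, display_name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "Alice"), ("bob", "Bob"), ("o'neil", "O'Neil")],
    )
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Design choice 1, insecure: user input is pasted into the SQL text.
    The value can change the statement's structure (SQL injection), and a
    legitimate name containing an apostrophe breaks the query outright."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_user_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Same lookup, parameterised: the driver binds the value as data, so
    quotes or SQL keywords inside it can never alter the statement."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def confirmation_page_vulnerable(user_input: str) -> str:
    """Design choice 2, insecure: user input is reflected into HTML as-is,
    so markup in the input becomes part of the page (reflected XSS)."""
    return f"<p>Thanks, {user_input}!</p>"


def confirmation_page_hardened(user_input: str) -> str:
    """Same page, with the value encoded for the HTML text context before it
    is reflected; the browser renders the characters instead of parsing them."""
    return f"<p>Thanks, {html.escape(user_input, quote=True)}!</p>"


def compare(username: str, comment: str) -> dict:
    """Run both forms of each pattern on one input and report what differs.
    The concatenated SQL path may raise on inputs containing a quote; that is
    recorded as an error string rather than propagated."""
    conn = make_db()
    try:
        vulnerable_rows = lookup_user_vulnerable(conn, username)
    except sqlite3.OperationalError as exc:
        vulnerable_rows = f"error: {exc}"
    return {
        "sql_vulnerable": vulnerable_rows,
        "sql_hardened": lookup_user_hardened(conn, username),
        "html_vulnerable": confirmation_page_vulnerable(comment),
        "html_hardened": confirmation_page_hardened(comment),
    }


if __name__ == "__main__":
    # A legitimate name with an apostrophe: the concatenated query errors,
    # the parameterised one finds the user. A functional bug like this is
    # also the first signal that the data-access pattern is injectable.
    print(compare("o'neil", "great product"))
    # Input shaped like SQL/HTML: the concatenated query returns every user
    # and the raw page contains a live tag; both hardened forms treat the
    # input as data.
    print(compare("' OR '1'='1", "<b>hi</b>"))
```

The point for the cost argument on this slide: once the concatenated query is the pattern a team copies, every module that copies it inherits the bug, and each instance is a separate fix after release. Choosing the parameterised form up front costs the same keystrokes and removes the whole class.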
International Secure Software Engineering Council (ISSECO)
- Non-profit organization founded by the former SAP CSO
- ISQI is the certifying body; exams are administered by Pearson Vue
- Offers the Certified Professional for Secure Software Engineering (CPSSE) certification for architects, developers, and test/QA
SI is an accredited training provider for ISSECO:
- Offers a 2-hour test prep course that includes a comprehensive practice exam
- Collaborated directly with ISSECO on course content and exam
Course and exam content:
- Module 1: The View of the Attacker, The View of the Customer
- Module 2: Methodologies for Secure Software Engineering (Security Requirements, Secure Design, Threat Modeling, Secure Coding, Security Testing, Secure Deployment, Security Response)
- Module 3: Security Metrics
- Module 4: Code and Resource Protection

How Security Innovation Europe can help
About Security Innovation
Authority in application security:
- 10+ years of research on vulnerabilities
- First publicly published security testing methodology, adopted by Microsoft, Adobe, Symantec, SAP
- Authors of 14 books, 6 co-written with Microsoft
- Application security partner for Microsoft, Cisco, HP, IBM and Trustwave
Helping organizations reduce risk by securing applications at the source:
- Integrate security at each phase of the SDLC
- Build internal expertise and competency
- Find, remediate and prevent vulnerabilities

Security Innovation Solutions: 3 Pillars of Success for a Secure SDLC
- Standards: Align development activities with policies, compliance and requirements; set expectations for your teams (insourced/outsourced)
- Education: Build the knowledge needed to implement standards and adhere to policies; instructor-led, elearning, virtual classroom; role-, technology- and platform-based programs
- Assessment: Match the depth of testing with the criticality of applications; assessments range from automated scans to deep manual pen tests with specialized tools, techniques and threat models

Security Innovation Learning Platform: The TeamProfessor/TeamMentor Relationship
Foundational training and on-the-job guidance cover:
- Security Testing Methodologies
- Defensive Coding Best Practices
- Understanding Threats and Vulnerabilities
- Tools & Technologies
- Risk Analysis Methodologies
- Principles
- Guidelines
- Attack Techniques
- How-tos
- Conducting Attacks
- Code Snippets
- Checklists
- Inspection Questions
- Full search capabilities

Security Innovation Learning Platform: Role-, Platform- & Technology-Based Training
- Role: Architect, Developer, Tester/QA, PM, Release Manager
- Platform: Web/Web Service, Thick Client, Mobile, Embedded
- Technology: Java, .NET, C/C++, PHP, etc.

TeamProfessor Training: Minimize Off-the-Bench Time
- Glossary of all terms
- Written transcript for all voice-over
- Printable version of the entire course
- Nested navigation for related topics
- Navigable TOC
- Start, pause, scroll

TeamMentor: Learning at the Time of Need
- Search box for text searching
- Click the [+] to see a preview of the content
- Filters allow users to isolate all or selected assets for a specific technology, category, phase or type
- Guidance Views allow users to quickly locate all items of a specific genre
- Clicking the title opens the full document