SDLC Maturity Models

Similar documents
OWASP - SAMM. OWASP 12 March The OWASP Foundation Matt Bartoldus Gotham Digital Science

Certified Information Security Manager (CISM) Course Overview

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Embedding GDPR into the SDLC. Sebastien Deleersnyder Siebe De Roovere

Presentation Overview

V Conference on Application Security and Modern Technologies

Embedding GDPR into the SDLC

Internet of Things. Internet of Everything. Presented By: Louis McNeil Tom Costin

Product Security Program

OWASP CISO Survey Report 2015 Tactical Insights for Managers

THE ART OF SECURING 100 PRODUCTS. Nir

Manchester Metropolitan University Information Security Strategy

113 BSIMM Activities at a Glance

falanx Cyber ISO 27001: How and why your organisation should get certified

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

BHConsulting. Your trusted cybersecurity partner

Practical Guide to Securing the SDLC

MIS Week 9 Host Hardening

What every IT professional needs to know about penetration tests

FOUNDATION CERTIFICATE IN INFORMATION SECURITY v2.0 INTRODUCING THE TOP 5 DISCIPLINES IN INFORMATION SECURITY SUMMARY

How to Underpin Security Transformation With Complete Visibility of Your Attack Surface

Information Technology Branch Organization of Cyber Security Technical Standard

locuz.com SOC Services

Building Security Into Applications

RSA Solution Brief. Managing Risk Within Advanced Security Operations. RSA Solution Brief

Certified Software Quality Engineer Preparation On Demand, Web-Based Course Offered by The Westfall Team

Quality Assurance and IT Risk Management

Security by Default: Enabling Transformation Through Cyber Resilience

COBIT 5 With COSO 2013

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

Development*Process*for*Secure* So2ware

Consolidation Committee Final Report

SECURITY TRAINING SECURITY TRAINING

Will your application be secure enough when Robots produce code for you?

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations

Cloud Essentials for Architects using OpenStack

INFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare

CompTIA Cybersecurity Analyst+

Information Security In Pakistan. & Software Security As A Quality Aspect. Nahil Mahmood, Chairman, Pakistan Cyber Security Association (PCSA)

CYBER SECURITY AIR TRANSPORT IT SUMMIT

Accelerate Your Enterprise Private Cloud Initiative

CyberSecurity. Penetration Testing. Penetration Testing. Contact one of our specialists for more information CYBERSECURITY SERVICE DATASHEET

Security In A Box. Modular Security Services Offering - BFSI. A new concept to Security Services Delivery.

Mike Spear, Ops Leader Greg Maciel, Cyber Director INDUSTRIAL CYBER SECURITY PROGRAMS

CISM Certified Information Security Manager

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

Cybersecurity Protecting your crown jewels

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

BHConsulting. Your trusted cybersecurity partner

Case Study: The Evolution of EMC s Product Security Office. Dan Reddy, CISSP, CSSLP EMC Product Security Office

Chapter 8: SDLC Reviews and Audit Learning objectives Introduction Role of IS Auditor in SDLC

WHO SHOULD ATTEND? ITIL Foundation is suitable for anyone working in IT services requiring more information about the ITIL best practice framework.

Suma Soft s IT Risk & Security Management Solutions for Global Enterprises

Designing and Building a Cybersecurity Program

Information Security Controls Policy

Department of Management Services REQUEST FOR INFORMATION

Security Monitoring Engineer / (NY or NC) Director, Information Security. New York, NY or Winston-Salem, NC. Location:

Threat and Vulnerability Assessment Tool

CLOUD GOVERNANCE SPECIALIST Certification

Symantec Data Center Migration Service

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

The Common Controls Framework BY ADOBE

Eoin Autodidact 4 lyfe. Software Security Startups... Fortune 500s Likes Hackers, Brazilian Jiu Jitsu

CYSE 411/AIT 681 Secure Software Engineering. Topic #6. Seven Software Security Touchpoints (III) Instructor: Dr. Kun Sun

Penetration testing.

ISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard

4. Risk-Based Security Testing. Reading. CYSE 411/AIT 681 Secure Software Engineering. Seven Touchpoints. Application of Touchpoints

USING QUALYSGUARD TO MEET SOX COMPLIANCE & IT CONTROL OBJECTIVES

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Session ID: CISO-W22 Session Classification: General Interest

2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification

Information Security Continuous Monitoring (ISCM) Program Evaluation

Security and Architecture SUZANNE GRAHAM

CSIRT in general CSIRT Service Categories Reactive Services Proactive services Security Quality Management Services CSIRT. Brmlab, hackerspace Prague

itsmf ITIL V3: Accelerate Success with Tools Maria A Medvedeva, PMP, ITIL Regional Director CA, Inc. itsmf Middle East Board of Directors

McAfee Product Security Practices

Advanced Security Tester Course Outline

DEVELOP YOUR TAILORED CYBERSECURITY ROADMAP

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

QuickBooks Online Security White Paper July 2017

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

In collaborazione con

Reinvent Your 2013 Security Management Strategy

The Building Security In Maturity Model. Quality Assurance Perspective. Sammy Migues Principal Consultant, Cigital. Software Confidence. Achieved.

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS

Six Weeks to Security Operations The AMP Story. Mike Byrne Cyber Security AMP

UK Permanent Salary Index November 2013 Based on registered vacancies and actual placements

Data Sheet The PCI DSS

Nebraska CERT Conference

ISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006

SRM Service Guide. Smart Security. Smart Compliance. Service Guide

OWASP InfoSec Romania 2013

SIGS AFTERWORK EVENT. Security: which operational model for which scenario. Hotel Warwick - Geneva

Improving Security in the Application Development Life-cycle

The Top 6 WAF Essentials to Achieve Application Security Efficacy

Adaptive & Unified Approach to Risk Management and Compliance via CCF

SECURITY & PRIVACY DOCUMENTATION

SOLUTION BRIEF Virtual CISO

ISACA Arizona May 2016 Chapter Meeting

Transcription:

www.pwc.com SDLC Maturity Models SecAppDev 2017 Bart De Win

Bart De Win? 20 years of Information Security Experience Ph.D. in Computer Science - Application Security Author of >60 scientific publications ISC 2 CSSLP certified Senior Manager @ PwC Belgium: Expertise Center Leader Trusted Software (Web) Application tester (pentesting, arch. review, code review,...) Proficiency in Secure Software Development Lifecycle (SDLC) and Software Quality OWASP SAMM co-leader Contact me at bart.de.win@be.pwc.com SDLC Maturity Models SecAppDev 2017 2

Agenda 1. Motivation 2. SAMM At A Glance 3. SAMM Practices 4. Conclusion SecAppDev 2017 3

Typical questions What should we be doing in our SDLC? What are others doing in terms of software assurance? What are good practices for software assurance? Should we focus on threat modelling or code reviews? How much time/effort/cost will this take? SecAppDev 2017 4

Maturity models to the rescue According to Wikipedia: Maturity is a measurement of the ability of an organisation for continuous improvement in a particular discipline. A maturity model is a structure that represents different levels of maturity for one or more domains. SDLC Maturity Models SecAppDev 2017 5

Why Maturity Models for SDLC? An organization s behavior changes slowly over time. Changes must be iterative while working toward long-term goals There is no single recipe that works for all organizations A solution must enable risk-based choices tailored to the organization Guidance related to security activities must be prescriptive A solution must provide enough details for non-security-people Overall, must be simple, well-defined, and measurable SDLC Maturity Models SecAppDev 2017 6

Agenda 1. Motivation 2. SAMM At A Glance 3. SAMM Practices 4. Conclusion SecAppDev 2017 7

OWASP SAMM Scope: Entire software lifecycle, rather than just development. https://www.owasp.org/index.php/owasp_samm_project Version 1.1, 2016 SDLC Maturity Models SecAppDev 2017 8

SAMM Business Functions Start with the core activities tied to any organization performing software development Named generically, but should resonate with any developer or manager 9

Core Structure SDLC Maturity Models SecAppDev 2017 10

Notion of Maturity Level Interpretation 0 Implicit starting point representing the activities in the practice being unfulfilled 1 Initial understanding and ad-hoc provision of the security practice 2 Increase efficiency and/of effectiveness of the security practice 3 Comprehensive mastery of the security practice at scale Changing in version 1.5! SDLC Maturity Models SecAppDev 2017 11

An example SDLC Maturity Models SecAppDev 2017 12

OpenSAMM also defines Objective Activities Results Success Metrics Costs Personnel Related Levels SDLC Maturity Models SecAppDev 2017 13

Conducting assessments SDLC Maturity Models SecAppDev 2017 14

Assessment process Supports both lightweight and detailed assessments Organizations may fall in between levels (+) 15

Roadmap templates per company type (ISV) SDLC Maturity Models SecAppDev 2017 16

Creating Scorecards Gap analysis Capturing scores from detailed assessments versus expected performance levels Demonstrating improvement Capturing scores from before and after an iteration of assurance program build-out Ongoing measurement Capturing scores over consistent time frames for an assurance program that is already in place 17

Roadmap templates To make the building blocks usable, SAMM defines Roadmaps templates for typical kinds of organizations Independent Software Vendors Online Service Providers Financial Services Organizations Government Organizations Organization types chosen because They represent common use-cases Each organization has variations in typical software-induced risk Optimal creation of an assurance program is different for each 18

OpenSAMM Tools Translations of the OpenSAMM model (Spanish, Japanese, German, Ukrainian, ) Assessment questionnaire(s) Roadmap chart template Project plan template OpenSAMM-BSIMM mapping Benchmark Project Mappings to security standards ISO/IEC 27034, PCI, 19

BSIMM7 statistics: summary SDLC Maturity Models SecAppDev 2017 20

BSIMM7 statistics per activity SDLC Maturity Models SecAppDev 2017 21

Agenda 1. Motivation 2. SAMM At A Glance 3. SAMM Practices 4. Conclusion SecAppDev 2017 22

SAMM Security Practices - Governance 23

Strategy & Metrics Goal is to establish a software assurance framework within an organisation Foundation for all other OpenSAMM practices Characteristics: Measurable Aligned with business risk Driver for continuous improvement and financial guidance VS. 24

Strategy & Metrics 25

Policy & Compliance Goal is to understand and adhere to legal and regulatory requirements Typically external in nature This is often a very informal practice in organisations! Characteristics Organisation-wide vs. project-specific Scope Important driver for software security requirements 26

Policy & Compliance 27

Education & Guidance Goal is to disseminate security-oriented information to all stakeholders involved in the software development lifecycle By means of standards, trainings, To be integrated with organisation training curriculum A once-of effort is not sufficient Teach a fisherman to fish 3. Technical guidelines form the basis for several other practices 28

Education & Guidance 29

SAMM Security Practices - Construction 30

Threat Assessment The goal of this practice is to focus on the attacker perspective of things To make sure that security is not only functionality-driven Remember that software security = white + black Very common practice in safety-critical systems Less so in others This is where the magic kicks in Your imagination is the limit 31

Threat Assessment 32

Security Requirements Goal is to make security specification more explicit Turn security into a positively-spaced problem Source of security requirements Compliance Standard Functionality Quality Requirements should be specified in a S.M.A.R.T. way 33

Security Requirements 34

Secure Architecture Key practice for security Poor decisions at this step can have major impact, and are often difficult (or costly) to fix. 2. Characteristics Take into account security principles Risk is a factor of all components (incl. 3rd party) 3. Use proven solutions Don t roll you own crypto Use company standards and best practices 35

Secure Architecture 36

SAMM Security Practices - Verification 37

Design Review security assessment of attack surface, software design and architecture lightweight activities => formal inspection of data flows & security mechanisms enforcement of baseline expectations for conducting design assessments and reviewing findings before releases are accepted. cross-check security design best practices software design security review ensure known risks are covered Assess and validate artifacts to understand protection mechanisms SDLC Maturity Models SecAppDev 2017 38

Design Review 39

Implementation Review Assessment of source code: vulnerability discovery related mitigation activities establish secure coding baseline Will require tool investment: Language specific Basic open source tooling Commercial tools maturing Start Improve Mature lightweight checklists inspect critical software Automation Increase coverage / efficacy Integrate in development Produce audit evidence Test & production release gates Process & education important! SDLC Maturity Models SecAppDev 2017 40

Implementation Review 41

Security Testing Based on security & compliance requirements / checklist of common vulnerabilities Manual testing can be done, scaled with tooling: intercepting proxy and/or scanner Detected defects will require validation, risk analysis & recommendations to fix Automate to repeat tests for each release Introduce security test-driven development penetration testing => automation Dynamic security testing Test results to be reported to & accepted by owner for each deployment Detect vulnerabilities & misconfigurati ons SDLC Maturity Models SecAppDev 2017 42

Security Testing 43

Security Practices - Operations 44

Issue Management Prepare for WHEN, not IF! Symptoms of malfunctioning SDLC handling vulnerability reports and operational incidents lightweight assignment of roles=> formal incident response & communication process Use vulnerability metrics and root-cause analysis to improve SDLC spoc per team & security response team communication & information flow is key! patch release process & responsible/legal disclosure 45

Issue Management 46

Environment Hardening Underlying infrastructure hardening & patching Track (3rd party) libraries & components TOP-10 - A9 Using Known Vulnerable Components Add WAF layer (virtual patching) ModSecurity Malicious web traffic Legitimate web traffic Port 80 Web client (browser) Network Firewall Web Application Firewall Web Server SDLC Maturity Models SecAppDev 2017 47

Environment Hardening 48

Operational Enablement Support users & operators Security documentation! Feed/document application security logs into SIEM Lightweight documentation => operational security guides Change management & end to end deployment integrity Even more important for outsourced development! SDLC Maturity Models SecAppDev 2017 49

Operational Enablement 50

Agenda 1. Motivation 2. SAMM At A Glance 3. SAMM Practices 4. Conclusion SecAppDev 2017 51

Conclusions Maturity models (such as SAMM) provide an excellent framework for reasoning on software assurance, on a strategic level: Evaluate your as-is Define and improve towards your to-be Compare against peers Popular approach for companies today that work on software assurance Different flavours exist, choose one that fits your company s context. The models are easy to start with, but challenging to fully grasp. Don t let this scare you, and get started! SDLC Maturity Models SecAppDev 2017 52

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback