THE ART OF SECURING 100 PRODUCTS. Nir

Similar documents
SDLC Maturity Models

DevOps Anti-Patterns. Have the Ops team deal with it. Time to fire the Ops team! Let s hire a DevOps unit! COPYRIGHT 2019 MANICODE SECURITY

AppScan Deployment APPLICATION SECURITY SERVICES. Colin Bell. Applications Security Senior Practice Manager

Application Security at Scale

In collaborazione con

Suman Sourav Director DevSecOps, Vantage Point Security. OWASP Indonesia Day 2017

Cloud is the 'Only' Way Forward in Information Security. Leveraging Scale to Make the Unknown Known, in Dev, Sec & Ops.

TRAINING CURRICULUM 2017 Q2

DevOps A How To for Agility with Security

Will your application be secure enough when Robots produce code for you?

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

Certified Information Security Manager (CISM) Course Overview

Brochure. Security. Fortify on Demand Dynamic Application Security Testing

Building a Resilient Security Posture for Effective Breach Prevention

Nathan Desmet. Lead Engineer

Product Security Program

How to spend $3.6M on one coding mistake and other fun stuff you can do with $3.6M. Matias Madou Ph.D., Secure Code Warrior

.NET JAVA C ASE. Certified. Certified. Application Security Engineer.

How to Secure Your Cloud with...a Cloud?

Taking Control of Your Application Security

AGILE AND CONTINUOUS THREAT MODELS

TWELVEDOT SECURITY DESIGN.BUILD.SECURE

locuz.com SOC Services

Embedding GDPR into the SDLC. Sebastien Deleersnyder Siebe De Roovere

CLOUD GOVERNANCE SPECIALIST Certification

The Business Case for Security in the SDLC

Quality Assurance and IT Risk Management

90% of data breaches are caused by software vulnerabilities.

Global Security Consulting Services, compliancy and risk asessment services

Application Security Kung-Fu Competitive Advantage from Threat Modeling

Continuously Discover and Eliminate Security Risk in Production Apps

Six Weeks to Security Operations The AMP Story. Mike Byrne Cyber Security AMP

Weaving Security into Every Application

Session 408 Tuesday, October 22, 10:00 AM - 11:00 AM Track: Industry Insights

ISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard

Adaptive & Unified Approach to Risk Management and Compliance via CCF

Converged security. Gerben Verstraete, CTO, HP Software Services Colin Henderson, Managing Principal, Enterprise Security Products

NEXT GENERATION CLOUD SECURITY

SANS AppSec AppSec what can you learn from small companies? What Works and What Doesn t

National State Auditors Association Vulnerability Management: An Audit Primer September 20, 2018

SECURITY TRAINING SECURITY TRAINING

Robots with Pentest Recipes:

MHA Consulting BCM Metrics Resiliency Through Measurement

FTA 2017 SEATTLE. Cybersecurity and the State Tax Threat Environment. Copyright FireEye, Inc. All rights reserved.

CISO View: Top 4 Major Imperatives for Enterprise Defense

Run the business. Not the risks.

Threat and Vulnerability Assessment Tool

Cloud Customer Architecture for Securing Workloads on Cloud Services

Best Practices in Securing a Multicloud World

Development. Architecture QA. Operations

A company built on security

Sage Data Security Services Directory

Automating the Top 20 CIS Critical Security Controls

THE POWER OF TECH-SAVVY BOARDS:

DevSecOps Why Aren t You Doing It? Brian Liceaga, CISSP 1

CLOUD SECURITY SPECIALIST Certification. Cloud Security Specialist

Effective Application Security Testing at High Velocity: Keeping up with Agile / DevOps February 28, 2017 Today s Speaker:

Internet of Things. Internet of Everything. Presented By: Louis McNeil Tom Costin

WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:

Day One Success for DevSecOps and Automation on Azure

Rethinking Product Security: Cloud Demands a New Way

Embedding Privacy by Design

National Initiative for Cyber Education (NICE) and the Cybersecurity Workforce Framework: Attract and Retain the Best in InfoSec.

Automating Security Practices for the DevOps Revolution

Cybersecurity Risk Mitigation: Protect Your Member Data. Introduction

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Jim Reavis CEO and Founder Cloud Security Alliance December 2017

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

Digital Service Management (DSM)

Discover Best of Show März 2016, Düsseldorf

Accelerate Your Enterprise Private Cloud Initiative

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS

OWASP - SAMM. OWASP 12 March The OWASP Foundation Matt Bartoldus Gotham Digital Science

Nebraska CERT Conference

A Strategic Approach to Web Application Security

Information Security In Pakistan. & Software Security As A Quality Aspect. Nahil Mahmood, Chairman, Pakistan Cyber Security Association (PCSA)

10 FOCUS AREAS FOR BREACH PREVENTION

News Flash: Some Things Actually Do Work in Security!!!

Embedding GDPR into the SDLC

Building Security Into Applications

V Conference on Application Security and Modern Technologies

Best Practices & Lesson Learned from 100+ ITGRC Implementations

Evolution of Cyber Attacks

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

Survey Results: Virtual Insecurity

Risk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23

How to Evaluate a Next Generation Mobile Platform

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

Operationalizing Cybersecurity in Healthcare IT Security & Risk Management Study Quantitative and Qualitative Research Program Results

PROTECT AND AUDIT SENSITIVE DATA

Atlassian. Atlassian Software Development and Collaboration Tools. Bugcrowd Bounty Program Results. Report created on October 04, 2017.

SYMANTEC DATA CENTER SECURITY

CipherCloud CASB+ Connector for ServiceNow

Is Your Web Application Really Secure? Ken Graf, Watchfire

Cloud Security Whitepaper

Welcome to Staying Ahead Webinar

Training and Certification. Guide to Learning and Certification Paths

Transformation in Technology Barbara Duck Chief Information Officer. Investor Day 2018

Best practices in IT security co-management

Transcription:

THE ART OF SECURING 100 PRODUCTS Nir Valtman @ValtmaNir

I work for as the <HEAD> Application Security </HEAD> 1st time speaking publicly, except at Mmmm OH, AND Neither of my previous startups succeeded! But at least I invented few open source tools. SAPIA Lastly I m not a fan of the buzzword Cyber! Cyber Cyber Cyber Arghhh!!!! The trademark specified above is a trademark or a registered trademark of its respective company. This slide is intended for informational purposes only and does not represent any endorsement by this company.

Why Does This Talk Matter? Provides Practical Approaches To Secure 100 Products Why Does It Matter? It's A Big Challenge To Secure 100 Products Why Does It Matter? You May Need To Secure Many Products Why Does It Matter? Someone Will Pay You Lots Of $$$ To Do It Why Does It Matter? You Like Expensive Stuff!

Agenda Plan Reality

Meet The Application Security Lead! Accountable for Product Security Cloud-based, self-hosted or installed on customers premise Part of the products are regulated Needs to keep the company out of the news Got executive leadership to support him * Avatar generated on avatarmaker.com

The Daily Challenges Need to secure a single high-risk product. Who s involved? Legal Internal Audit IT Services Solution Management CISO Hardware Solutions Software R&D Product Management Professional Services

Mapping The Business Owners Product #1 ü Software R&D ü CISO ü Legal ü Product Management ü Internal Audit Product #2 ü Software R&D ü CISO ü Legal ü Product Management ü Solution Management ü Hardware Solutions Product #100 ü Software R&D ü IT ü CISO ü Legal ü Product Management ü Solution Management ü Professional Services 7

Will I Finish This Mapping Soon? Start Date Done!

SCOPING THE ACCOUNTABILITY Cause someone will be blamed eventually

Core vs. Extensions? Core/Vanilla Customer #1 Extensions Customer #2 Extensions Customer #N Extensions

In theory, building a central security library is a best practice. In practice, theory sucks! Multiple code repositories Static Application Security Testing (SAST) should check violations Language/ Framework specific Web vs. Native App

Difficult To Control All Engineering Parties APIs are documented! Application Security Security requirements are documented! Software R&D Who cares? BYOAPI rocks!! Professional Services

RESOURCE DIVERSITY & LIMITATIONS

Distinct Technologies The trademarks specified above are trademarks or registered trademarks of their respective owners. This slide is intended for informational purposes only and does not represent any endorsement

Diverse Application Security Tools Static Application Security Testing (SAST) Dynamic Application Security Testing (DAST) Interactive Application Security Testing (IAST) Software Composition Analysis & More Mobile AST Container Security Code Obfuscation The trademarks specified above are trademarks or registered trademarks of their respective owners. This slide is intended for informational purposes only and does not represent any endorsement.

Labor Limitations 1%-2% What is the Application Security labor percentage of the engineering labor? of engineering org size

APPLICATION SECURITY MATURITY PROGRAM Maturity is knowing when and where to be immature

Governance Easy To Say, Difficult To Control Best Practice Develop an S-SDLC Enforce the S-SDLC Provide Technology-Specific Training Define Risk Management & Risk Acceptance Process Map, Track & Drive Towards Completion Of Trainings Get Executives To Sign On A Security Risk

Construction Relatively Difficult Threat Assessment Documenting risks in agile development lifecycle consumes much resources Security Requirements Should app security be involved in ALL requirements sessions? Security Architecture Providing best practices for various product types

Verification Roadblocks Ahead! Design Review Get a design diagram from engineering teams lots of teams!!! Working with many smart engineering people they know everything! Code Review Utilizing automation is great if ALL bug tracking, code repo, and build systems are centralized Scaling automation for 100 products is nearly impossible (technology & labor wise) Building a central security library is a waste of time if technologies are vary! Security Testing Automation = [sophisticated] vulnerability scanning. Manual work = penetration test! $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

Deployment Only Sounds Easy Shadow -operated IRT Corporate IRT Work w/ every engineering team to QA hardening If I define & It doesn t work, they re responsible

Perspective On 1 Of 100 Products Application Security Maturity Overview Operational Enablement Strategy & Metrics 3.00 2.50 Policy & Compliance 2.60 Environment Hardening 2.35 1.70 2.00 1.50 1.00 1.60 3.00 Education & Guidance 0.50 Issue Management 1.68 0.00 1.00 Threat Assessment 1.67 Security Testing 2.10 1.70 1.35 2.60 Security Requirements Implementation Review Secure Architecture Design Analysis

Perspective On 1 Of 100 Products 25 20 15 10 5 0 Created vs. Resolved Chart: Product X Security Bugs 21 17 14 11 11 9 9 5 5 4 3 2 1 1/17 2/17 3/17 4/17 5/17 6/17 7/17 Additional Considerations Number of items per development lifecycle stage E.g. pending QA, not started, in dev, etc. Average time to mitigate a vulnerability Prioritized list of outstanding Epics/US/Bugs Bugs Created Bugs Resolved

Perspective On 100 Products

Perspective On 100 Products Product names are sanitized

DON T REINVENT THE WHEEL, JUST REALIGN IT (Anthony J. D Angelo)

NCR s App Sec Team s Specialties Application Security Architect Application Security Engineer Application Security Program Manager Application Security Risk & Compliance Manager

NCR s App Sec Team s Specialties Mapping OpenSAMM Domain Activity Security Architecture Program Management Speciality Risk Management & Compliance Application Security Engineering Governance Strategy & Metrics V V Policy & Compliance V Education & Guidance V V V V Construction Threat Assessment V Security Requirements V V V Secure Architecture V Verification Design Review V Code Review V V Security Testing V Deployment Vulnerability Mgmt V V Environment Hardening V Operational Enablement V

Prioritizing Security Product Type Strategy Financial Impact Internal Regulated Internet- Facing & Regulated Investments & Commitments $1M- $5M >$5M Internal Internet- Facing <$500K $500K- $1M 29

Budgeting Labor Correctly The Formula Product Type % Of R&D Product Type % Of AppSec Internet-Facing & Regulated 2% Internet-Facing 1% Internal & Regulated 1% Internal 0.3% R&D Labor Count Program Manager 20% Risk & Compliance 10% Architecture 23% Engineering 47% Example An Internet-facing & regulated product suite that is developed by an org size of 1000 employees needs: 2% X 1000 = 20 App Sec Team Members, consisting of 4 PM, 2 R&C, 4.6 Architects and 9.4 Engineers

A Lesson Learned Even with an aggressive strategy, hiring app sec people is a REAL bottleneck!

A Satellite Program Give a poor man a fish and you feed him for a day. Teach him to fish and you give him an occupation that will feed him for a lifetime. (Chinese proverb.)

A Satellite Program Example Yellow Belt Green Belt Brown Belt Black Belt Online Training Instructor-led or conferences participation Special Interest Static/Dynamic/Interac tive Security Analysis Advanced Foundation app sec classes On-boarding Advanced classes Various advanced topics PII, GDPR, PCI, FFIEC Tool/Process improvement Threat modeling Standards review, reusable IP

Measuring Effectiveness! Ongoing Escalations asking for security resources by the engineering teams are good! Status reports must be balanced Neither too Green nor Red

Measuring Effectiveness! Year Over Year Overall Application Security Maturity rank increases Decreased number of security vulnerability reporting per X (you to define) lines of code Engineers will always make mistakes Use 3 rd parties to assess it

Scaling Out Team s Capabilities Security Questionnaire For Engaging An App Sec Architect 10 Yes/No Questions 36

Scaling Out Team s Capabilities Security Questionnaire For Engaging An App Sec Architect Is Data Classified? 10 Yes/No Questions Do You Follow The S- Security Automation SDLC? Handle Sensitive Data Related To PII/PCI? Integrated Into Pipeline? Data Encryption? Consumer-Facing Mobile App? 37

Scaling Out Team s Capabilities Security Questionnaire For Engaging An App Sec Architect Workflow 10 Yes/No Questions Best Collaboration Page Better File Good 38

Scaling Up Security Application Security Must Fit Into Any Pipeline DEV OPS Plan Code Build Test Release Deploy Operate Continuous Delivery Continuous Integration Agile Development 39

Scaling Up Security Using Release Automation Static App Sec Testing Interactive App Sec Testing (IAST) Binary Signing Code Obfuscation Dynamic App Sec Testing (DAST) Vulnerability Scanning Runtime App Self Protection (RASP) Dynamic App Sec Testing (DAST) Vulnerability Scanning Runtime App Self Protection (RASP) 40

Scaling Up Security When Lacking Automation Identify Quick Wins Code Obfuscation Dynamic App Sec Testing (DAST) Static App Sec Testing Binary Signing Penetration Tests Manual Code Review Vulnerability Scanning Even A Long-Term Plan Is A Viable Plan

Finding The Partnerships Use Cases Customer Needs Industry Trends Regulations Partnerships Security

Additional Tips Securing 100 products takes years. Start by investing 80% of the resources in 20% of the products. Reflect your success! Trending charts of app sec metrics Integration of tools into the build process Share product certifications completion Speak at Black Hat J

44

Apply What You Have Learned Today Next week you should: Generate security engagement questionnaire (10 Yes/No Qs) Identify security tool implementation quick wins In the first three months following this presentation you should: Establish an application security maturity program Develop a product security strategy based on Company s strategy Development methodologies & pipelining tools Product Types Within six months you should: Hopefully map all products & owners J Start executing the strategy

THANK YOU Nir Valtman @ValtmaNir

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback