ISACA 2016 Application Security RGJ
![Page 1: ISACA 2016 Application Security RGJ](https://reader035.fdocuments.net/reader035/viewer/2022062306/58a2faac1a28ab5d1c8b6693/html5/thumbnails/1.jpg)
ENSURING INFORMATION SECURITY IN THE SYSTEM DEVELOPMENT LIFECYCLE PROCESS
RENE G. JASPE CISSP, CSSLP
![Page 2: ISACA 2016 Application Security RGJ](https://reader035.fdocuments.net/reader035/viewer/2022062306/58a2faac1a28ab5d1c8b6693/html5/thumbnails/2.jpg)
Rene Jaspe CISSP, CSSLP
• Sinag Solutions, Founder and CISO
• Phylasso Corp., Founder and Managing Director
• MobKard, Co-Founder and CTO
• 13 yrs with Telos Corp., a US Federal Gov’t Defense Contractor, servicing various US Defense and Intelligence Agencies as well as NATO allies.
• 10 years Software Development and 5 Years Application Security Background.
![Page 3: ISACA 2016 Application Security RGJ](https://reader035.fdocuments.net/reader035/viewer/2022062306/58a2faac1a28ab5d1c8b6693/html5/thumbnails/3.jpg)
2015: “We Take It Very Seriously”
IBM Xforce Threat Intelligence Report 2016
![Page 4: ISACA 2016 Application Security RGJ](https://reader035.fdocuments.net/reader035/viewer/2022062306/58a2faac1a28ab5d1c8b6693/html5/thumbnails/4.jpg)
HEALTHCARE, EDUCATION & FINANCIAL SERVICES LEAD GLOBALLY.
Source: Ponemon Institute Research Report 2016 Cost of Data Breach
![Page 5: ISACA 2016 Application Security RGJ](https://reader035.fdocuments.net/reader035/viewer/2022062306/58a2faac1a28ab5d1c8b6693/html5/thumbnails/5.jpg)
Incident Pattern By Industry
Verizon Data Breach Incident 2016 Report
![Page 6: ISACA 2016 Application Security RGJ](https://reader035.fdocuments.net/reader035/viewer/2022062306/58a2faac1a28ab5d1c8b6693/html5/thumbnails/6.jpg)
Market Drivers
• Regulatory & Standards Compliance
– eCommerce: PCI-DSS, PA-DSS
– Financial Services: GLBA
– Energy: NERC / FERC
– Government: FISMA
– PH: Data Privacy Act, BSP
• 81% of organizations subject to PCI had not been found compliant prior to the breach
![Page 7: ISACA 2016 Application Security RGJ](https://reader035.fdocuments.net/reader035/viewer/2022062306/58a2faac1a28ab5d1c8b6693/html5/thumbnails/7.jpg)
Application security challenges: the security-development disconnect fails to prevent vulnerabilities in production applications
• Developers Lack Security Insights (or Incentives to Address Security)
– Mandate to deliver functionality on-time and on-budget, but not to develop secure applications
– Developers rarely educated in secure code practices
– Product innovation drives development of increasingly complicated applications
• Security Team = SDLC Bottleneck
– Security tests executed just before launch, which adds time and cost to fix vulnerabilities late in the process
• Growing number of web applications but small security staff
– Most enterprises scan ~10% of all applications
• Continuous monitoring of production apps limited or non-existent
– Unidentified vulnerabilities & risk
![Page 8: ISACA 2016 Application Security RGJ](https://reader035.fdocuments.net/reader035/viewer/2022062306/58a2faac1a28ab5d1c8b6693/html5/thumbnails/8.jpg)
3 Great Frameworks For Implementing an Enterprise
Software Security Program (MOB)
![Page 9: ISACA 2016 Application Security RGJ](https://reader035.fdocuments.net/reader035/viewer/2022062306/58a2faac1a28ab5d1c8b6693/html5/thumbnails/9.jpg)
Application Security Pros Hold These Truths to Be Self-Evident
• Software Security is more than a set of security functions.
– Not magic crypto fairy dust
– Not silver bullet security mechanisms.
• Non-functional aspects of design are essential.
• Bugs and flaws are 50/50.
• Security is an emergent property of the entire system (just like quality).
• To end up with secure software, deep integration with the SDLC is necessary.
Source: Cigital on BSIMM VI
![Page 10: ISACA 2016 Application Security RGJ](https://reader035.fdocuments.net/reader035/viewer/2022062306/58a2faac1a28ab5d1c8b6693/html5/thumbnails/10.jpg)
Prescriptive vs. Descriptive Models
Prescriptive Models
• Prescriptive models describe what you should do.
• OpenSAMM
• Microsoft SDL
• Every company has a methodology they follow (often a hybrid).
• You need an SSDL.
Descriptive Models
• Descriptive models describe what is actually happening.
• The BSIMM is a descriptive model that can be used to measure any number of prescriptive SSDLs.
![Page 11: ISACA 2016 Application Security RGJ](https://reader035.fdocuments.net/reader035/viewer/2022062306/58a2faac1a28ab5d1c8b6693/html5/thumbnails/11.jpg)
Microsoft Security Development Lifecycle 5.2 (May 2012)
![Page 12: ISACA 2016 Application Security RGJ](https://reader035.fdocuments.net/reader035/viewer/2022062306/58a2faac1a28ab5d1c8b6693/html5/thumbnails/12.jpg)
SDL for Agile
[Figure: SDL practices sorted into Bucket and One-Time categories]
Bucket practices: Important security practices that must be completed on a regular basis but can be spread across multiple sprints during the project lifetime.
One-Time practices: Foundational security practices that must be established once at the start of every new Agile project.
![Page 13: ISACA 2016 Application Security RGJ](https://reader035.fdocuments.net/reader035/viewer/2022062306/58a2faac1a28ab5d1c8b6693/html5/thumbnails/13.jpg)
SDL Practice #7: USE THREAT MODELING
Applying a structured approach to threat scenarios during design helps a team identify security vulnerabilities more effectively and at lower cost, determine the risks from those threats, and establish appropriate mitigations.
![Page 14: ISACA 2016 Application Security RGJ](https://reader035.fdocuments.net/reader035/viewer/2022062306/58a2faac1a28ab5d1c8b6693/html5/thumbnails/14.jpg)
THREAT MODEL SAMPLE
• S – Spoofing
• T – Tampering
• R – Repudiation
• I – Information Disclosure
• D – Denial of Service
• E – Elevation of Privilege
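The deck lists the STRIDE categories but not how a team turns them into a concrete threat list. The following is an added example (not from the slides or from Microsoft) that enumerates threats the way the SDL's STRIDE-per-element chart does: each data-flow-diagram element kind is only subject to some of the six categories (external entities to S and R, processes to all six, data stores to T, R, I and D, data flows to T, I and D). The sample login-flow DFD, the trust-boundary flags and the mitigation wording are constructed for illustration.

```python
"""STRIDE-per-element threat enumeration over a small data-flow diagram (DFD).

Added example, not code from the presentation. The element-to-category chart
follows the Microsoft SDL STRIDE-per-element practice; the sample DFD and the
mitigation text are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List

# Full STRIDE category names keyed by letter.
STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information Disclosure",
    "D": "Denial of Service",
    "E": "Elevation of Privilege",
}

# STRIDE-per-element chart: which categories apply to each kind of DFD element.
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}

# Constructed mitigation families per category; starting points for a design review.
MITIGATION = {
    "S": "authentication (strong credentials, mutual TLS, signed tokens)",
    "T": "integrity protection (MACs or signatures, input validation)",
    "R": "audit logging with tamper-evident, signed records",
    "I": "encryption in transit and at rest, access control on reads",
    "D": "rate limiting, quotas and resource bounds",
    "E": "authorization checks, least privilege, sandboxing",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                  # one of the APPLICABLE keys
    trust_boundary: bool = False  # True if the element sits on or crosses a trust boundary


@dataclass(frozen=True)
class Threat:
    element: str
    category: str              # a single STRIDE letter
    mitigation: str


# Constructed sample DFD: a browser logging in to an auth service backed by a credential store.
SAMPLE_DFD = [
    Element("browser", "external_entity", trust_boundary=True),
    Element("login request (HTTPS)", "data_flow", trust_boundary=True),
    Element("auth service", "process"),
    Element("credential query", "data_flow"),
    Element("credential store", "data_store"),
]


def enumerate_threats(elements: List[Element]) -> List[Threat]:
    """Return one Threat per (element, applicable STRIDE category) pair."""
    threats: List[Threat] = []
    for el in elements:
        if el.kind not in APPLICABLE:
            raise ValueError(f"unknown DFD element kind: {el.kind}")
        for letter in APPLICABLE[el.kind]:
            threats.append(Threat(el.name, letter, MITIGATION[letter]))
    return threats


def boundary_threats(elements: List[Element], threats: List[Threat]) -> List[Threat]:
    """Threats on elements that touch a trust boundary; review these first."""
    on_boundary = {el.name for el in elements if el.trust_boundary}
    return [t for t in threats if t.element in on_boundary]


def summarize(threats: List[Threat]) -> Dict[str, int]:
    """Count threats per full STRIDE category name."""
    counts: Dict[str, int] = {name: 0 for name in STRIDE.values()}
    for t in threats:
        counts[STRIDE[t.category]] += 1
    return counts


if __name__ == "__main__":
    all_threats = enumerate_threats(SAMPLE_DFD)
    for t in boundary_threats(SAMPLE_DFD, all_threats):
        print(f"[boundary] {t.element}: {STRIDE[t.category]} -> {t.mitigation}")
    print(summarize(all_threats))
```

Running the block lists the five boundary-crossing threats first (the browser and the login request), which is where a review usually finds the defects worth fixing early; the summary shows how the per-element chart keeps the list proportionate instead of applying all six categories to every box.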
![Page 15: ISACA 2016 Application Security RGJ](https://reader035.fdocuments.net/reader035/viewer/2022062306/58a2faac1a28ab5d1c8b6693/html5/thumbnails/15.jpg)
OpenSAMM 1.1 (March 2016)
![Page 16: ISACA 2016 Application Security RGJ](https://reader035.fdocuments.net/reader035/viewer/2022062306/58a2faac1a28ab5d1c8b6693/html5/thumbnails/16.jpg)
OpenSAMM 1.1 (March 2016)
![Page 17: ISACA 2016 Application Security RGJ](https://reader035.fdocuments.net/reader035/viewer/2022062306/58a2faac1a28ab5d1c8b6693/html5/thumbnails/17.jpg)
![Page 18: ISACA 2016 Application Security RGJ](https://reader035.fdocuments.net/reader035/viewer/2022062306/58a2faac1a28ab5d1c8b6693/html5/thumbnails/18.jpg)
Sample: Construction
![Page 19: ISACA 2016 Application Security RGJ](https://reader035.fdocuments.net/reader035/viewer/2022062306/58a2faac1a28ab5d1c8b6693/html5/thumbnails/19.jpg)
FINANCIAL SERVICES ORGANIZATION
![Page 20: ISACA 2016 Application Security RGJ](https://reader035.fdocuments.net/reader035/viewer/2022062306/58a2faac1a28ab5d1c8b6693/html5/thumbnails/20.jpg)
FINANCIAL SERVICES ORGANIZATION
![Page 21: ISACA 2016 Application Security RGJ](https://reader035.fdocuments.net/reader035/viewer/2022062306/58a2faac1a28ab5d1c8b6693/html5/thumbnails/21.jpg)
Cost: Phase 1(Months 0 – 3) - Awareness & Planning
![Page 22: ISACA 2016 Application Security RGJ](https://reader035.fdocuments.net/reader035/viewer/2022062306/58a2faac1a28ab5d1c8b6693/html5/thumbnails/22.jpg)
BSIMM 7 (October 2016)
The BSIMM is a measuring stick for software security. The best way to use the BSIMM is to compare and contrast your own initiative with the data about what other organizations are doing contained in the model. You can then identify goals and objectives of your own and refer to the BSIMM to determine which additional activities make sense for you. The BSIMM data show that high maturity initiatives are well-rounded—carrying out numerous activities in all 12 of the practices described by the model. The model also describes how mature software security initiatives evolve, change, and improve over time.
![Page 23: ISACA 2016 Application Security RGJ](https://reader035.fdocuments.net/reader035/viewer/2022062306/58a2faac1a28ab5d1c8b6693/html5/thumbnails/23.jpg)
BSIMM 7
![Page 24: ISACA 2016 Application Security RGJ](https://reader035.fdocuments.net/reader035/viewer/2022062306/58a2faac1a28ab5d1c8b6693/html5/thumbnails/24.jpg)
Standards & Requirements
![Page 25: ISACA 2016 Application Security RGJ](https://reader035.fdocuments.net/reader035/viewer/2022062306/58a2faac1a28ab5d1c8b6693/html5/thumbnails/25.jpg)
“EVERYBODY” DOES IT
![Page 26: ISACA 2016 Application Security RGJ](https://reader035.fdocuments.net/reader035/viewer/2022062306/58a2faac1a28ab5d1c8b6693/html5/thumbnails/26.jpg)
SAMPLE SPIDER CHART
![Page 27: ISACA 2016 Application Security RGJ](https://reader035.fdocuments.net/reader035/viewer/2022062306/58a2faac1a28ab5d1c8b6693/html5/thumbnails/27.jpg)
VERTICAL COMPARISON
![Page 28: ISACA 2016 Application Security RGJ](https://reader035.fdocuments.net/reader035/viewer/2022062306/58a2faac1a28ab5d1c8b6693/html5/thumbnails/28.jpg)
![Page 29: ISACA 2016 Application Security RGJ](https://reader035.fdocuments.net/reader035/viewer/2022062306/58a2faac1a28ab5d1c8b6693/html5/thumbnails/29.jpg)
KEY TAKEAWAY (MOB)
• Microsoft Security Development Lifecycle: https://www.microsoft.com/en-us/sdl/
• OpenSAMM: http://www.opensamm.org/
• BSIMM: https://www.bsimm.com/
![Page 30: ISACA 2016 Application Security RGJ](https://reader035.fdocuments.net/reader035/viewer/2022062306/58a2faac1a28ab5d1c8b6693/html5/thumbnails/30.jpg)
“Today we were unlucky, but remember we only have to be lucky once. You will have to be lucky always.”
THANK YOU. QUESTIONS?
[email protected]
@renejaspe
https://ph.linkedin.com/in/renejaspe