Structuring and Scaling an Application Security Program
Transcript of Structuring and Scaling an Application Security Program
© 2015 Denim Group – All Rights Reserved
Structuring and Scaling an Application Security Program
Dan Cornell
@danielcornell
My Background
• Dan Cornell, founder and CTO of Denim Group
• Software developer by background (Java, .NET, etc)
• OWASP San Antonio
Denim Group Background
• Secure software services and products company
  • Builds secure software
  • Helps organizations assess and mitigate risk of in-house developed and third party software
  • Provides classroom training and e-Learning so clients can build software securely
• Software-centric view of application security
  • Application security experts are practicing developers
  • Development pedigree translates to rapport with development managers
  • Business impact: shorter time-to-fix application vulnerabilities
• Culture of application security innovation and contribution
  • Develops open source tools to help clients mature their software security programs
  • Remediation Resource Center, ThreadFix
  • OWASP national leaders & regular speakers at RSA, SANS, OWASP, ISSA, CSI
  • World class alliance partners accelerate innovation to solve client problems
So You Want To Roll Out a Software Security Program?
• Great!
• What a software security program ISN’T
  • Question: “What are you doing to address software security concerns?”
  • Answer: “We bought scanner XYZ”
• What a software security program IS
  • People, process, tools (naturally)
  • Set of activities intended to repeatedly produce appropriately-secure software
Challenges Rolling Out Software Security Programs
• Resources
  • Raw budget and cost issues
  • Level of effort issues
• Resistance: requires organizational change
  • Apparently people hate this
• Open source tools
  • Can help with raw budget issues
  • May exacerbate problems with level of effort
• View the rollout as a multi-stage process
  • Not one magical effort
  • Use short-term successes and gains to fuel further change
You can’t defend unknown attack surface
If everything is important then nothing is important
[Translation]
Find out what applications you have in your organization
Decide the relative importance of applications and treat them differently based on this
What Is Your Software Attack Surface?
Software You Currently Know About
• Why?
  • Lots of value flows through it
  • Auditors hassle you about it
  • Formal SLAs with customers mention it
  • Bad guys found it and caused an incident (oops)
• What?
  • Critical legacy systems
  • Notable web applications
What Is Your Software Attack Surface?
Add In the Rest of the Web Applications You Actually Develop and Maintain
• Why Did You Miss Them?
  • Forgot it was there
  • Line of business procured through non-standard channels
  • Picked it up through a merger / acquisition
• What?
  • Line of business applications
  • Event-specific applications
What Is Your Software Attack Surface?
Add In the Software You Bought from Somewhere
• Why Did You Miss Them?
  • Most scanners only really work on web applications, so no vendors pester you about your non-web applications
  • Assume the application vendor is handling security
• What?
  • More line of business applications
  • Support applications
  • Infrastructure applications
What Is Your Software Attack Surface?
MOBILE! THE CLOUD!
• Why Did You Miss Them?
  • Any jerk with a credit card and the ability to submit an expense report now runs their own private procurement office
• What?
  • Support for line of business functions
  • Marketing and promotion
Attack Surface: The Security Officer’s Journey
• Two Dimensions:
  • Perception of Software Attack Surface
  • Insight into Exposed Assets
[Figure: a chart with Perception on one axis and Insight on the other, built up over a series of slides; the application categories plotted are Web Applications, Client-Server Applications, Desktop Applications, Cloud Applications and Services, and Mobile Applications]
• As perception of the problem of attack surface widens, the scope of the problem increases (web applications, then client-server applications, desktop applications, cloud applications and services, mobile applications)
• Discovery activities increase insight
• Over time you end up with a progression
• When you reach this point it is called “enlightenment”
  • You won’t reach this point
Value and Risk Are Not Equally Distributed
• Some Applications Matter More Than Others
  • Value and character of data being managed
  • Value of the transactions being processed
  • Cost of downtime and breaches
• Therefore All Applications Should Not Be Treated the Same
  • Allocate different levels of resources to assurance
  • Select different assurance activities
  • Also must often address compliance and regulatory requirements
Do Not Treat All Applications the Same
• Allocate Different Levels of Resources to Assurance
• Select Different Assurance Activities
• Also Must Often Address Compliance and Regulatory Requirements
What Goes Into An Application Test?
[Figure: the test activities, broken down in successive slides]
• Dynamic Analysis
  • Automated Application Scanning
    • Unauthenticated Automated Scan
    • Authenticated Automated Scan
  • Manual Application Testing
    • Blind Penetration Testing
    • Informed Manual Testing
• Static Analysis
  • Automated Static Analysis
    • Automated Source Code Scanning
    • Automated Binary Analysis
  • Manual Static Analysis
    • Manual Source Code Review
    • Manual Binary Analysis
How To Allocate Scarce Resources?
• What Do You HAVE To Do?
  • What discretion do you have within these constraints?
• What Is Left Over?
• Strategies
  • Breadth-first
  • Depth-first
  • Hybrid
Breadth-First
• Do Base-level Security Testing of Everything
  • Well, everything you can find
  • And everything you can test with automation
• Automation is key
• Understand the limitations
  • Some applications cannot be effectively scanned
  • Often scans are unauthenticated
  • Whole classes of vulnerabilities are out of testing scope
Depth-First
• Do Deeper Testing of Critical Applications
• Typically Combination of Automation and Manual Testing
• Understand the Limitations
  • Some applications remain unexamined
  • And breaches to those applications put shared resources and infrastructure at risk
Hybrid
• Combination of Automation and Manual Testing Across Portfolio
• This is where most organizations end up
  • Often because of regulatory and compliance mandates
• Know Your Gaps
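The allocation strategies above (breadth-first, depth-first, hybrid) as an added example, not Denim Group's or ThreadFix's code: a small Python model that tiers a constructed application inventory by the value and risk factors named on the slides, assigns base-level or deeper assurance activities under each strategy, and reports the gaps each strategy leaves. The tier thresholds, activity names and sample applications are assumptions.

```python
"""Risk-tiered allocation of assurance activities across a portfolio.

Added example, not Denim Group's or ThreadFix's code. Tier rules,
activity names and the sample inventory are constructed assumptions
modelled on the slides' value/risk factors and test taxonomy.
"""
from dataclasses import dataclass


@dataclass
class App:
    name: str
    kind: str                  # web, client-server, desktop, cloud, mobile
    data_value: int            # 1 (public data) .. 5 (regulated / secrets)
    txn_value: int             # 1 .. 5, value of transactions processed
    downtime_cost: int         # 1 .. 5, cost of an outage or breach
    compliance: bool = False   # named in a regulatory or SLA mandate
    scannable: bool = True     # some apps cannot be effectively scanned


def tier(app: App) -> int:
    """Tier 1 = critical, 3 = low. A compliance mandate is a hard floor."""
    worst = max(app.data_value, app.txn_value, app.downtime_cost)
    if app.compliance or worst >= 5:
        return 1
    return 2 if worst >= 3 else 3


# Breadth: the base-level activity that automation can apply to everything.
BASE = ["unauthenticated automated scan"]
# Depth: deeper, partly manual activities; more of them for higher tiers.
DEPTH = {
    1: ["authenticated automated scan", "automated source code scanning",
        "informed manual testing", "manual source code review"],
    2: ["authenticated automated scan", "automated source code scanning"],
    3: [],
}


def plan(apps, strategy):
    """Return ({app name: [activities]}, [gap notes]) for one strategy."""
    assigned, gaps = {}, []
    for app in apps:
        acts = []
        if strategy in ("breadth", "hybrid"):
            if app.scannable:
                acts += BASE
            else:   # breadth limitation: the scanner cannot cover it
                gaps.append(f"{app.name}: cannot be scanned, no base coverage")
        if strategy in ("depth", "hybrid"):
            acts += DEPTH[tier(app)]
        if not acts:  # depth limitation: lower tiers stay unexamined
            gaps.append(f"{app.name}: tier {tier(app)} left unexamined")
        assigned[app.name] = acts
    return assigned, gaps


# Constructed sample inventory, one entry per attack-surface category.
PORTFOLIO = [
    App("customer-portal", "web", 5, 4, 4, compliance=True),
    App("branch-teller", "client-server", 4, 5, 3),
    App("expense-tool", "desktop", 2, 2, 1, scannable=False),
    App("marketing-site", "cloud", 1, 1, 2),
    App("field-app", "mobile", 3, 2, 2),
]

if __name__ == "__main__":
    for strategy in ("breadth", "depth", "hybrid"):
        print(strategy, *plan(PORTFOLIO, strategy), sep="\n  ")
```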
You can’t defend unknown attack surface
If everything is important then nothing is important
[Translation]
Find out what applications you have in your organization
Decide the relative importance of applications and treat them differently based on this
Software Assurance Maturity Model (OpenSAMM)
• Open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization
• Useful for:
  • Evaluating an organization’s existing software security practices
  • Building a balanced software security program in well-defined iterations
  • Demonstrating concrete improvements to a security assurance program
  • Defining and measuring security-related activities within an organization
• Main website: http://www.opensamm.org/
Using OpenSAMM You Can…
• Evaluate an organization’s existing software security practices
• Build a balanced software security assurance program in well-defined iterations
• Demonstrate concrete improvements to a security assurance program
• Define and measure security-related activities throughout an organization
[This slide content, and that of the SAMM slides that follow, © Pravir Chandra]
Review of Existing Secure SDLC Efforts
CLASP
• Comprehensive, Lightweight Application Security Process
• Centered around 7 AppSec Best Practices
• Cover the entire software lifecycle (not just development)
• Adaptable to any development process
• Defines roles across the SDLC
• 24 role-based process components
• Start small and dial-in to your needs
Microsoft SDL
• Built internally for MS software
• Extended and made public for others
• MS-only versions since public release
Touchpoints
• Gary McGraw’s and Cigital’s model
Lessons Learned
• Microsoft SDL
  • Heavyweight, good for large ISVs
• Touchpoints
  • High-level, not enough details to execute against
• CLASP
  • Large collection of activities, but no priority ordering
• ALL: Good for experts to use as a guide, but hard for non-security folks to use off the shelf
Drivers for a Maturity Model
• An organization’s behavior changes slowly over time
• Changes must be iterative while working toward long-term goals
• There is no single recipe that works for all organizations
• A solution must enable risk-based choices tailored to the organization
• Guidance related to security activities must be prescriptive
• A solution must provide enough details for non-security people
• Overall, must be simple, well-defined, and measurable
Therefore, a Viable Model Must...
• Define building blocks for an assurance program
• Delineate all functions within an organization that could be improved over time
• Define how building blocks should be combined
• Make creating change in iterations a no-brainer
• Define details for each building block clearly
• Clarify the security-relevant parts in a widely applicable way (for any org doing software dev)
Understanding the Model
SAMM Business Functions
• Start with the core activities tied to any organization performing software development
• Named generically, but should resonate with any developer or manager
SAMM Security Practices
• From each of the Business Functions, 3 Security Practices are defined
• The Security Practices cover all areas relevant to software security assurance
• Each one is a ‘silo’ for improvement
Under Each Security Practice
• Three successive Objectives under each Practice define how it can be improved over time
• This establishes a notion of a Level at which an organization fulfills a given Practice
• The three Levels for a Practice generally correspond to:
  • (0: Implicit starting point with the Practice unfulfilled)
  • 1: Initial understanding and ad hoc provision of the Practice
  • 2: Increase efficiency and/or effectiveness of the Practice
  • 3: Comprehensive mastery of the Practice at scale
Per Level, SAMM Defines...
• Objective
• Activities
• Results
• Success Metrics
• Costs
• Personnel
• Related Levels
Approach to Iterative Improvement
• Since the twelve Practices are each a maturity area, the successive Objectives represent the “building blocks” for any assurance program
• Simply put, improve an assurance program in phases by:
1. Select security Practices to improve in next phase of assurance program
2. Achieve the next Objective in each Practice by performing the corresponding Activities at the specified Success Metrics
Conducting Assessments
• SAMM includes assessment worksheets for each Security Practice
Assessment Process
• Supports both lightweight and detailed assessments
• Organizations may fall in between levels (+)
Creating Scorecards
• Gap analysis
  • Capturing scores from detailed assessments versus expected performance levels
• Demonstrating improvement
  • Capturing scores from before and after an iteration of assurance program build-out
• Ongoing measurement
  • Capturing scores over consistent time frames for an assurance program that is already in place
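The three scorecard uses above (gap analysis, demonstrating improvement, picking the next phase) as an added example, not OpenSAMM's own tooling: scores follow the slides' levels 0 to 3, with the "+" notation for an organization between levels taken here as half a level. The twelve Practice names are SAMM 1.0's and are not listed on these slides; the sample assessments and target levels are constructed.

```python
"""SAMM-style scorecards: gap analysis, improvement, next-phase selection.

Added example, not OpenSAMM's own tooling. Levels are 0..3 and a '+'
suffix marks an organization between levels (taken as half a level).
Practice names are SAMM 1.0's twelve; the scores below are constructed.
"""
PRACTICES = {
    "Governance": ["Strategy & Metrics", "Policy & Compliance",
                   "Education & Guidance"],
    "Construction": ["Security Requirements", "Threat Assessment",
                     "Secure Architecture"],
    "Verification": ["Design Review", "Code Review", "Security Testing"],
    "Deployment": ["Vulnerability Management", "Environment Hardening",
                   "Operational Enablement"],
}
ALL = [p for ps in PRACTICES.values() for p in ps]


def parse_level(text):
    """'1+' -> 1.5, '2' -> 2.0; anything outside levels 0..3 is rejected."""
    plus = text.endswith("+")
    level = int(text.rstrip("+"))
    if not 0 <= level <= 3 or (plus and level == 3):
        raise ValueError(f"invalid SAMM level: {text!r}")
    return level + (0.5 if plus else 0.0)


def fmt_level(value):
    """Inverse of parse_level, for printing a scorecard."""
    whole = int(value)
    return f"{whole}+" if value > whole else str(whole)


def gap_analysis(current, target):
    """Shortfall per Practice against the expected performance level."""
    return {p: parse_level(target[p]) - parse_level(current[p]) for p in ALL}


def improvement(before, after):
    """Score delta per Practice between two assessments of one program."""
    return {p: parse_level(after[p]) - parse_level(before[p]) for p in ALL}


def next_phase(current, target, n=3):
    """Practices to improve next: the n largest positive gaps."""
    gaps = gap_analysis(current, target)
    ranked = sorted((p for p in ALL if gaps[p] > 0),
                    key=lambda p: (-gaps[p], p))
    return ranked[:n]


def function_scores(scores):
    """Average level per Business Function, for a one-line summary."""
    return {f: sum(parse_level(scores[p]) for p in ps) / len(ps)
            for f, ps in PRACTICES.items()}


# Constructed assessments before and after one phase, plus target levels.
BEFORE = dict(zip(ALL, "1 0+ 1 0 0 1 0 1+ 2 1 2 0+".split()))
AFTER = {**BEFORE, "Policy & Compliance": "1+", "Design Review": "1",
         "Education & Guidance": "2"}
TARGET = dict(zip(ALL, "2 2 2 1 1 2 1 2 2 2 2 1".split()))

if __name__ == "__main__":
    for p in ALL:
        print(f"{p:26} {BEFORE[p]:>3} -> {AFTER[p]:>3}   remaining gap "
              f"{fmt_level(gap_analysis(AFTER, TARGET)[p])}")
    print("next phase:", next_phase(AFTER, TARGET))
```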
Roadmap Templates
• To make the “building blocks” usable, SAMM defines Roadmap templates for typical kinds of organizations
  • Independent Software Vendors
  • Online Service Providers
  • Financial Services Organizations
  • Government Organizations
• Organization types chosen because
  • They represent common use-cases
  • Each organization has variations in typical software-induced risk
  • Optimal creation of an assurance program is different for each
Building Assurance Programs
Case Studies
• A full walkthrough with prose explanations of decision-making as an organization improves
• Each Phase described in detail
  • Organizational constraints
  • Build/buy choices
• One case study exists today, several more in progress using industry partners
Exploring the Model’s Levels and Activities
SAMM and the Real World
SAMM History
• Beta released August 2008
• 1.0 released March 2009
• Originally funded by Fortify
  • Still actively involved and using this model
• Released under a Creative Commons Attribution Share-Alike license
• Donated to OWASP and is currently an OWASP project
Expert Contributions
• Built based on collected experiences with 100’s of organizations
• Including security experts, developers, architects, development managers, IT managers
Industry Support
• Several more case studies underway
The OpenSAMM Project
• http://www.opensamm.org
• Dedicated to defining, improving, and testing the SAMM framework
• Always vendor-neutral, but lots of industry participation
• Open and community driven
• Targeting new releases every 6-12 months
• Change management process
• SAMM Enhancement Proposals (SEP)
OpenSAMM Resources
• Nick Coblentz - SAMM Assessment Interview Template (xls/googledoc)
• Christian Frichot - SAMM Assessment Spreadsheet (xls)
• Colin Watson - Roadmap Chart Template (xls)
• Jim Weiler - MS Project Plan Template (mpp)
• Denim Group – ThreadFix (web application)
Quick Recap on Using SAMM
• Evaluate an organization’s existing software security practices
• Build a balanced software security assurance program in well-defined iterations
• Demonstrate concrete improvements to a security assurance program
• Define and measure security-related activities throughout an organization
The Problems of Scale
• Too many applications
• Too many developers
• Not enough security professionals
• Everything moves too fast:
  • Releases
  • New technologies (e.g. mobile, cloud)
Some Approaches to Scale
• Automate everything you possibly can
  • But realize you can’t automate everything
• Asymmetric warfare
  • Identify security champions on development teams and have them spread the word
• Track metrics
  • Learn what works and what does not
  • Put yourself in a position to better characterize application security risks alongside network/infrastructure security risks (and all the other risks in a scary and ever-changing world)
Questions / Contact Information
Dan Cornell
Principal and CTO
[email protected]
Twitter @danielcornell
(844) 572-4400
www.denimgroup.com
www.threadfix.org