A successful application security program - Envision build and scale
1 like849 views
The document summarizes a learning lab on building a successful application security program, highlighting key challenges such as aligning organizational measures and integrating security within the software development lifecycle (SDLC). It emphasizes the importance of a strategic roadmap, leadership involvement, and team empowerment to enhance application security. Participants gained insights to improve their security programs and overall enterprise security posture during the RSA Conference 2017.
A successful application security program - Envision build and scale
- 4. A successful application security program: Envision, build and scale Lab Summary Key Takeaways HERE ARE THE TOP 3 CHALLENGES WE HAVE COME ACROSS 1. Alignment of organization measures and incentives – how do lessen the gap of grief between the business and IT Security risk? 2. Typically, within organizations, we have a Build Culture vs Measure Culture. Software development teams have a build culture. They focus on features, functionality and timelines. Security has a measure culture to ensure secure services are being deployed. How do you bridge this gap? 3. Integration of security across SDLC – think of security up front and make it inherent and not an afterthought. THE SOLUTION IS TO INTEGRATE SECURITY WITHIN SDLC: Top five maxims for a successful application security program: 1. Program roadmap 2. Leadership mandate 3. Team empowerment 4. Secure SDLC 5. Governance For a detailed explanation, please review the presentation at the Learning Lab.
- 10. SESSION ID:SESSION ID: #RSAC Jyothi Charyulu A Successful Application Security Program: Envision, Build and Scale LAB3-R12 Sr. Principal application security architect Sabre @sg02411 Jaya Chilakamarri Director, Enterprise governance Sabre @JayChil4
- 11. #RSAC Agenda
- 12. #RSAC 40% of attacks via public facing web apps Point-of-sale attacks continue Insider threat remains strong Malware automation Hacking, malware distribution, phishing, with social engineering attacks Ransomware on the riseTargeting credential theft Source: 2016 Verizon data breach report summary 89% of breaches had a financial or espionage motive SIGNIFICANT RISK Why application security?
- 13. #RSAC Web applications – front door of corporations1 Apps are top attack vector2 Breaches are VERY expensive3 Why application security?
- 14. #RSAC Application security program – top 3 questions to ask 5 What is your current status? What is your application security strategy? What is your proactive security program?
- 15. #RSAC Application security – current state 6 • Have ‘maturing’ app sec programs38% • Have partially integrated app sec into overall security67% • Have documented practices for 3rd party vendors40 % • Report that applications are the source of breaches, attacks and sensitive data leak23% • Name public facing web applications as leading cause of breaches41 % Source: Veracode.com
- 16. #RSAC How do you solve the top 3 challenges in security? 7 Alignment of organizational measures and incentives Prioritization of competitive landscape versus secure services Integration of security across SDLC/PLC
- 17. #RSAC By integrating security across organization… Portfolio management Security checkpoints in product lifecycle from ideation to retirement Operations Concept definition and validation Market and business strategy Operations and support Architecture, design and elaboration Development and testing Release and deployment (DevOps) Retirement Security checkpoints across development, quality assurance, metrics, reporting, training Security Integration Plan Launch Enterprise portfolio management and governance • Integration training • Security awareness • Capture and scope security requirements • Risk assessment IT service management • Ongoing security monitoring and support • Manual penetration checks • Continuous training
- 18. #RSAC Application security program – top five maxims 9 Maxim 1: Application security program roadmap
- 19. #RSAC Application security program – top five maxims 10 Maxim 2: Leadership mandate
- 20. #RSAC Application security program – top five maxims 11 Maxim 3: Team empowerment
- 21. #RSAC Application security program – top five maxims 12 Maxim 4: Secure SDLC
- 22. #RSAC Application security program – top five maxims 13 Maxim 5: Governance
- 23. #RSAC Application security program – top five maxims 14 Program roadmap Leadership mandate Team empowerment Secure SDLC Governance Envision . . . Build . . . Scale
- 24. #RSAC Application security program roadmap 15 Application security program roadmap
- 25. #RSAC Envision your P E R F E C T application security program Application security program components Things to consider when creating your vision What problem are you trying to solve? What applications? What components – third party/open source/vendors? Product lines? Extent of impact? Which people? Other constraints?
- 26. #RSAC Application security program - activity 17 In & out of the frame exercise Define YOUR security program definition in 140 characters (Tweet it!) • Roles: • Facilitator: • Ensures all participate • Promote discussion • Provide feedback at the end of the exercise • Timekeeper: • Monitors time • Draw a large rectangle on your whiteboard • Each member can individually brainstorm on sticky notes – one idea per note that you consider ‘in’ scope for the application security program.
- 27. #RSAC Application security program definition Help teams create secure code and reduce the number of vulnerabilities by building sustainable proactive security practices embedded within our PLC and SDLC 134 characters!
- 28. #RSAC Application security program vision SDLC integration Security integrated in design/architecture phase Threat modeled and risk ranked applications Application security inventory: Applications — Web applications (tier 1) / Client Server (tier 2, tier 3, tierN) — Mobile applications / Cloud deployment Components — 3rd party — Vendor — Open source
- 29. #RSAC Application security program vision Multiple testing techniques: Static Testing (SAST) Dynamic Testing (DAST) Manual Penetration Testing (MPT) Risk-based policies Training and security awareness Remediation
- 30. #RSAC Envision Application security program roadmap Know what you need to protect – define scope Strategic roadmap - aligned with organizational goals Application risk ranking Execution - people, process and technology SAST, DAST, WAF, OSS and penetration testing Governance – policies, guidelines, standards SAST: Static Application Security Testing DAST: Dynamic Application Security Testing WAF: Web Application Firewalls OSS: Open Source Software
- 31. #RSAC Application security program – leadership mandate 22 Leadership mandate
- 32. #RSAC Leadership mandate Find innovators and early adopters Start small – pilot groups Establish success in pilots
- 33. #RSAC Leadership mandate Top down + bottom up collaboration Technical + cultural strategy + leadership 15-word program definition
- 34. #RSAC Application security program - activity 25 Why app sec? Payoff matrix Low/High High/High Low/Low High/Low Cost Benefit
- 35. #RSAC Leadership mandate Techies Pragmatists Conservatives Skeptics Early majority Late majority Adapted from The adoption life cycle by Geoffrey A. Moore in ‘Crossing the Chasm’
- 36. #RSAC Crossing the Chasm Leadership mandate Between early adopters and early majority – there is a large chasm Most innovation fails to cross the chasm So how do you cross the chasm?
- 37. #RSAC How do you cross the chasm? Team empowerment Secure SDLC Governance
- 39. #RSAC Build Value Proposition Team empowerment Build matrix of champions Change culture not just technology Empower development teams Define E2E process pipeline Drive ownership, accountability Continuous training tied with performance measures ‘Little fish learn to be big fish in little ponds’ – Peter Drucker
- 40. #RSAC Security is everyone’s job Empowerment Culture Collaboration – generalists, no specialists Autonomous teams and leader boards Build Security in day to day job – not just for the app sec team
- 42. #RSAC Application security program - activity 33 Roles and responsibilities Role play Upon successful implementation: Behaviors: More of/Less of • More of: • What will we hear and see more? • Less of: • What will we hear and see less?
- 43. #RSAC SSDLC – Secure Software Development Lifecycle 34 Secure SDLC
- 44. #RSAC Security that is I N V I S I B L E Secure SDLC Security checklists at SDLC gates Architecture and code reviews Automate security + build Integrate with release management Automate security + bug tracking Continuous communication with metrics
- 45. #RSAC Secure SDLC Key Takeaways Security, operations and development teams share accountability Create a comprehensive set of governance rules and uniform policies Conduct assessments throughout the SDLC Automate testing Integrate remediation of vulnerabilities into the development process
- 46. #RSAC Security that is I N V I S I B L E Secure SDLC – recommendations Download and read OWASP ASVS Standard Utilize security checks to test applications against OWASP top 10 flaws PCI DSS vulnerabilities Complete a OpenSAMM maturity assessment to identify program improvement areas Look up games: OWASP cornucopia Elevation of privilege (Microsoft)
- 48. #RSAC You are what you measure Governance Implement Governance Framework Policy definition Education Metrics Feedback Set clear expectations and ground rules to cross-functional teams
- 49. #RSAC Governance Create standards and policies based on Cross-functional requirements Industry Standards: OWASP Top 10/PCI/SANS 25/HIPAA Weigh remediation versus mitigation Measure results Dashboards, leaderboards, reports and audits/assessments Update polices as needed Continuous training and awareness
- 50. #RSAC Grow to new heights of success Secure Applications
- 51. #RSAC Application security program - activity 42 Socialize YOUR app sec program: What is your program about? Why is it important? What does success look like? What do we need from you?
- 52. #RSAC S E C U R I T Y t h a t i s I N V I S I B L E Apply the maxims Short term goals: 15-word project definition Collaborate with leadership and build enablement strategy Mid term goals: Risk-rank applications Build a roadmap for enterprise application security program Long term goals: Pilot a small subset of applications Integrate with SDLC – toll gates, metrics, portal and communication
- 53. #RSAC Parting wisdom 44 “Change is hardest at the beginning, messiest in the middle and best at the end“ - Robin Sharma No idea works until YOU do the work See problems as opportunities for growth Caliber of your practice = quality of your performance Now – go and conquer your app sec world!
- 54. #RSAC Thank you! Questions? Jyothi Charyulu: [email protected] Jaya Chilakamarri: [email protected]
- 55. #RSAC Secure design principles Plan the application architecture, technology stack, and investigate requirements including: External dependencies: Interfaces, libraries, frameworks, hardware, and software that the application is dependent upon Entry Points: The services through which an attacker can interact with the application or supply it with data Assets: Physical and abstract data and information Trust levels: The level of access/permissions granted by the application to external entities
- 56. #RSAC Secure design principles Plan security requirements based on: Authentication and session management Access control Input validation and output encoding Cryptography and data protection Error handling and logging Communication and HTTP Security Files and resources
- 57. #RSAC NIST 500-269 For more information, visit https://samate.nist.gov/docs/webapp_scanner_spec_sp500-269.pdf
- 58. #RSAC Additional resources for secure code 49 PCI SSC (Payment Card Industry Security Standards Council) OWASP (Open Web Application Security Project) OWASP ASVS: Application Security Verification Standard 3.0.1 OWASPGuidelines: Top 10 2013 A1 - Injection OWASP Guidelines – cheat sheet on SQL Injection Prevention OWASP Code Review Guide: Reviewing code for OS Injection OWASP Development Guide: Buffer Overflows OWASP Cryptographic Storage Cheat Sheet OWASP Guide to Cryptography OWASP Transport Layer Protection Cheat Sheet
- 59. #RSAC Additional resources for secure code 50 OpenSAMM WASC (Web Application Security Consortium) SANS institute CWE/SANS top 25 most dangerous software errors The Security Content Automation Protocol (SCAP) iOS mobile development guidelines Android mobile development guidelines Heartbleed bug ShellShock bug