Moving from “Bolt-on” to “Build-in” Security Controls

Presentation transcript:

Secure SDLC: Moving from “Bolt-on” to “Build-in” Security Controls
Nitin Kotwal, CEO @ Hack2Secure

“Insecure Software”: Easiest Path for Attackers

Case Study: Heartland Payment System (HPS) Data Security Breach: Quick Facts
- “Malware” was injected via SQL injection (SQLi) on the bank’s website
- It bypassed the network security controls
- It moved towards the (PCI compliant) payment network
- Internally placed processing server
- Account details were stolen for 4 months
- Active & passive loss: stock dipped by 78%, 5,000 merchants lost, delisted by Visa & MasterCard

Case Study: Heartland Payment System (HPS) Data Security Breach: Lessons
- “Insecure Application” as the easy entry point
- ‘Ensuring’ compliance vs ‘Effective’ implementation
- INTRANET security

“Insecure Design”: Easy Attack Surface

Case Study: Facebook Incorrectly Implemented ‘Download Your Information’ Toolbox: Impact
- User privacy leak
- Undetected for a year
- Public apology
- Privacy lawsuits

Case Study: Facebook Incorrectly Implemented ‘Download Your Information’ Toolbox: Lessons
- Secure feature design
- Security in “Requirement Gathering”
- Compliance & standard alignment
- “Security Feature” vs “Secure Implementation”

Software Security: Current Challenges
- Lack of awareness & skills
- Partially integrated practices
- Inadequate resources [documentation, process, practices]
- One plan won’t fit all

So, what can be done? To optimize software security needs:
- Ensure in-built security
- Attack resiliency

Secure SDLC: Integrate Security Controls Across SDLC Phases
- Security Awareness
- Security Requirements
- Secure by Design
- Secure Implementation
- Security Testing
- Security Review & Response
- Secure Deployment
- Security Maintenance

Secure SDLC: Benefits
- Early identification & mitigation of security vulnerabilities
- Reduced security control implementation cost

Secure SDLC: Benefits
- “The earlier you detect, the lower the cost of fixing it”
- (Chart) “Relative” cost of addressing a security defect at different SDLC stages

Secure SDLC: Benefits
- Informed security decision making
- Comprehensive risk management
- Awareness of potential engineering challenges

Secure SDLC: Benefits: Security Strategies across Development Models
- Waterfall Model
- V Model
- Incremental Model
- RAD Model
- Agile Model
- Iterative Model
- Spiral Model

Secure SDLC: Benefits
- Easy compliance adoption

Security “Awareness”
“There is only one way to keep your product plans safe and that is by having a Trained, Aware and a Conscientious workforce” (Kevin Mitnick, ‘The Art of Deception’)

Define Security ‘Requirements’
Without system requirements, the system will fail. Without secure system requirements, the organization will.
- Security compliance & standard needs
- Security checklists & gates
- Measurable risk definition
- Assurance methodologies

Building Secure “Design”
Treat security as an integral part of the overall system design (NIST SP 800-27: “Engineering Principles for Information Technology Security”).
- Define, Design, Measure
- Attack Surface Analysis
- Threat Modeling
Threats are NOT vulnerabilities. Threats live forever; they are the attacker’s goals.
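
The slide separates threats (an attacker's goals against each part of the design, which exist whether or not a defect is present) from vulnerabilities (a specific weakness). The following is an added example, not from the deck or from Hack2Secure, of how that distinction is used in a design gate: it enumerates threats per element of a small data-flow diagram with the STRIDE-per-element mapping, lists the entry points that cross a trust boundary as a simplified attack surface, and reports every threat the design records no safeguard for. The element kinds, the STRIDE applicability table, and the sample DFD (loosely shaped like the HPS story: a web application in front of an internal payment store) are my assumptions.

```python
"""Added example (not the deck's code): STRIDE-per-element threat enumeration
over a constructed data-flow diagram, with a design-gate check for threats
that have no recorded safeguard."""
from dataclasses import dataclass, field

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Assumed STRIDE-per-element applicability: which categories are considered
# for each kind of DFD element. "R" is kept for data stores on the usual
# grounds that a store may hold audit logs.
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}


@dataclass
class Element:
    """One DFD element; safeguards maps a STRIDE letter to the design's mitigation."""
    name: str
    kind: str
    crosses_trust_boundary: bool = False
    safeguards: dict = field(default_factory=dict)


def enumerate_threats(elements):
    """Threats exist per element regardless of any vulnerability: return
    (element name, STRIDE letter) for every applicable category."""
    threats = []
    for el in elements:
        if el.kind not in APPLICABLE:
            raise ValueError(f"unknown element kind: {el.kind}")
        for letter in APPLICABLE[el.kind]:
            threats.append((el.name, letter))
    return threats


def unmitigated(elements):
    """Design gate: enumerated threats for which the design records no safeguard."""
    by_name = {el.name: el for el in elements}
    return [
        (name, STRIDE[letter])
        for name, letter in enumerate_threats(elements)
        if letter not in by_name[name].safeguards
    ]


def attack_surface(elements):
    """Simplified attack surface analysis: elements that data reaches across a trust boundary."""
    return [el.name for el in elements if el.crosses_trust_boundary]


def demo_dfd():
    """Constructed sample DFD (hypothetical names and mitigations)."""
    return [
        Element("Browser", "external_entity", crosses_trust_boundary=True,
                safeguards={"S": "TLS + session tokens"}),
        Element("Web App", "process", crosses_trust_boundary=True,
                safeguards={"S": "authentication",
                            "T": "input validation, parameterized SQL",
                            "I": "TLS",
                            "E": "least-privilege DB account"}),
        Element("Payment DB", "data_store",
                safeguards={"T": "integrity logging", "I": "encryption at rest"}),
        Element("App -> DB", "data_flow",
                safeguards={"I": "TLS on the internal link"}),
    ]


if __name__ == "__main__":
    dfd = demo_dfd()
    print("attack surface:", attack_surface(dfd))
    for name, threat in unmitigated(dfd):
        print(f"UNMITIGATED  {name:12s} {threat}")
```

Running it prints the two boundary-crossing entry points and seven threats the sample design leaves open (repudiation and denial of service almost everywhere, plus tampering on the internal link). The point for the design phase is that the threat list does not shrink when a safeguard is added; only the unmitigated list does, so it can be re-run unchanged after every design revision.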

Secure “Implementation”
- Secure coding practices
- Code (security) review
- Safeguards and countermeasures

Security “Testing”
“Security Testing” is different from “Functional Security Testing”
- Grey box assessment
- Risk based analysis
- Security test plan best practices: security requirements, identified threats, implemented safeguards
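
To connect the “Secure Implementation” and “Security Testing” phases above, here is an added example that is not from the deck or from Hack2Secure. It puts the bolt-on style of database lookup (untrusted input concatenated into SQL, the class of defect behind the HPS entry point) beside its built-in form (a parameterized query), and wraps both in a security test that follows the slide's test-plan triple: the requirement (one merchant id returns only that merchant's accounts), the identified threat (SQL injection), and the safeguard under test. The schema, the in-memory SQLite data, and the probe string are constructed for the example.

```python
"""Added example (not the deck's code): vulnerable lookup beside its hardened
form, with a security test driven by a requirement/threat/safeguard entry
from a security test plan."""
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a merchant account store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (merchant_id TEXT, account_no TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("m-100", "4111-xxxx-0001"),
         ("m-200", "4111-xxxx-0002"),
         ("m-300", "4111-xxxx-0003")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, merchant_id: str) -> list:
    """Bolt-on era code: the caller's input becomes part of the SQL text."""
    query = ("SELECT account_no FROM accounts WHERE merchant_id = '"
             + merchant_id + "'")
    return [row[0] for row in conn.execute(query)]


def lookup_hardened(conn: sqlite3.Connection, merchant_id: str) -> list:
    """Built-in safeguard: a parameterized query; input is bound as data, never parsed as SQL."""
    query = "SELECT account_no FROM accounts WHERE merchant_id = ?"
    return [row[0] for row in conn.execute(query, (merchant_id,))]


# Security test plan entry (constructed): the requirement is that a lookup for
# one merchant returns only that merchant's rows; the threat is SQL injection;
# the safeguard under test is parameterization. The probe is a constructed
# test input that would widen the WHERE clause if it were parsed as SQL.
INJECTION_PROBE = "m-100' OR '1'='1"


def security_test(lookup) -> dict:
    """Run the plan entry against one implementation and return evidence for the report."""
    conn = build_demo_db()
    normal = lookup(conn, "m-100")
    try:
        probed = lookup(conn, INJECTION_PROBE)
    except sqlite3.Error as exc:            # a syntax error is also a failed safeguard
        probed = ["error: " + str(exc)]
    return {
        "normal_rows": len(normal),
        "probe_rows": len(probed),
        # Pass only if the legitimate query works and the probe matches nothing.
        "passed": normal == ["4111-xxxx-0001"] and probed == [],
    }


if __name__ == "__main__":
    for impl in (lookup_vulnerable, lookup_hardened):
        print(f"{impl.__name__:18s} {security_test(impl)}")
```

The vulnerable implementation passes the functional check (one merchant, one row) and fails the security check (the probe returns every account), which is exactly the gap the slide draws between functional security testing and security testing; the hardened one passes both. Because the test is keyed to a threat from the design phase rather than to a feature, it belongs in the regular test suite and keeps guarding the safeguard through the maintenance phase.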

Security “Review” & “Response”
- Final security review
- Audit & compliance review
- Deployment & procurement risk
- Vulnerability assessment
- Penetration testing
- Incident handling

Security in “Maintenance” Phase
- Patch management
- 3rd party libraries
- Disposal policy

Secure SDLC as a Process: How to Integrate
- Awareness: skills according to role
- Explore: framework, practices and resources
- Customize: adopt and integrate controls
- Align: standards & case studies

Case Study: CISCO adoption of Secure SDLC
- Aligned with ISO 27034 guidelines
- Adapted for Agile and Waterfall models
- Enable global sale
Ref: http://www.cisco.com/c/en/us/about/security-center/security-programs/secure-development-lifecycle.html

Case Study: MICROSOFT and VMware adoption
Ref: https://www.microsoft.com/en-us/sdl/
Ref: https://www.vmware.com/security/sdl.html

Thank You
www.hack2secure.com
E: info@hack2secure.com