Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

Maturing Beyond Application Security
David Harper, EMEA Services Director, Fortify Software

Outline
- Why are we here?
- Network Security is not enough
- Application Security Initiatives have come of age
- Security is being embedded in the development life-cycle
- Securing in-house developments is only part of the solution
- Systematic prevention of all software risk
Why are we here?

We Spend a Lot of Money on Information Security ($288B) [1]
- Encryption
- Firewall
- Anti Virus
- Access Control
- DB Security
- End Point Security
- Application Security
- Data Loss Prevention
[1] Gartner Symposium/ITxpo, October 10, 2007

We Would Like to See
(chart: info-sec spending plotted against business impact, measured as number of incidents and exploits)

We Are Faced With
(chart: info-sec spending plotted against business impact, measured as number of incidents and exploits)

Applications are the New Frontier
- Increasingly Accessible
- Results are Profitable
- Application Vulnerabilities are the New Entry Point
  - Easy to exploit
  - Opportunities are plentiful
- Network-Based Security Solutions are ineffective for today's threat
- Pen Testing confirms the problem but does not provide a solution

An Inconvenient Truth
(chart: Business Logic Flaws, Security Errors and Code Flaws; two weeks of ethical hacking set against 10 person-years of development)

Another Inconvenient Truth…
Security in the Development Lifecycle

Secure Development Life-Cycle
See
Phases: Initiate, Define, Implement, Design, Develop, Test, Operate
- Governance: Strategy & Metrics; Policy & Compliance; Education & Guidance
- Construction: Threat Assessment; Security Requirements; Secure Architecture
- Verification: Design Review; Code Review; Security Testing
- Deployment: Vulnerability Management; Environment Hardening; Operational Enablement
Application Security Initiatives have come of age

SDL Adoption Curve
How can we learn from the early adopters?

OWASP CLASP – Best Practices
- Institute Awareness Program
- Perform Application Assessments
- Capture Security Requirements
- Implement Secure Development Practices
- Build Vulnerability Remediation Procedures
- Define and Monitor Metrics
- Publish Operational Security Guidelines

Fortify SSA – Best Practices
- Rapid identification and remediation of critical vulnerabilities
  - Don't forget to fix, or boil the ocean
- Prevent introduction of new vulnerabilities
  - Integrate into existing SDLC with minimal process changes
  - Provide flexibility to integrate with new
- Provide support for the developers
  - Training in the context of their own code base
  - Mentoring as required
- Monitor and control
  - Automate gathering of statistics and publish
  - Enforcement via security gate
- Continuous Improvement

What has actually been implemented?
Building Security In Maturity Model
- Benchmark based on 9 leading application security initiatives
  - Financial Services
  - ISVs
  - Technology Vendors
- Produced by security experts
  - Brian Chess
  - Gary McGraw
  - Sammy Migues
- See www.bsi-mm.com for more details
Key Findings – Roles
- Executive Sponsorship Critical
  - Drive Cross-Functional Program
  - Accountability and Empowerment
- Software Security Group (SSG)
  - Enforcement and Mentoring
  - Seed with Software Security Experts
  - Cross-train software people on security, not the other way round
  - Size 1–2% of development group
- Satellite Group
  - Project level security leads

Key Findings – Governance
- Build Support throughout the organization
  - SSG plays an evangelism role
- Meet regulatory or internal needs with a unified approach
  - SSG creates a single policy
- Promote culture of security throughout the organization
  - Provide awareness training
- See yourself in the problem
  - Create/use material specific to company history

Key Findings – Construction
- Create proactive security guidance around security features
  - SSG provides reference implementation of security features
- Understand the organization's history
  - Collect and publish attack stories
- Meet demand for security features
  - Create security standards

Key Findings – Verification
- Build internal capability on security architecture
  - Have SSG lead review efforts
- Drive efficiency/consistency with code review automation
  - Use automated tools along with manual review
- Use encapsulated attacker perspective
  - Integrate black box security tools into the QA process (including protocol fuzzing)

Key Findings – Deployment
- Demonstrate that your organization is vulnerable
  - Use external pen testers to find problems
- Provide a solid host/network foundation for software
  - Ensure host/network security basics in place
- Use operational data to change developer behaviour
  - Identify software bugs found in operational monitoring and feed back to development
The Next Step

The Four Pillars of Software
- The software you build
- The software you commission others to build
- The software you buy (and the services you run)
- The open source software used in your business

Software Security Assurance (SSA)
A risk management strategy for all sources of software risk
- Assess software for security vulnerabilities
- Remediate vulnerabilities found in software
- Prevent software security vulnerabilities

Outsourced Code
Approach
- Leverage the vendor's SDL or implement an extended SDL
Key Pointers
- Make SDL part of the contract, preferably before you sign
- Agree roles and responsibilities for all SDL activities
- Verification activities cannot be done by the out-sourcer
- Demand access to metrics during development to demonstrate Assess – Remediate – Prevent

COTS Code
Approach
- Manage the Supply Chain
- Implement Software Vendor Management
Key Pointers
- Start with an enterprise-wide baseline audit of existing COTS apps and assess risk
- Establish security standards for the approval of new COTS apps as part of the procurement process
- Approach to addressing security vulnerabilities is key
- Require access to security audit results

Open Source Software
Approach
- Select in-house, out-sourced or COTS strategy on a per-application basis
Key Pointers
- Kill the myth that Open Source Software is inherently secure
- Maintain an inventory of all Open Source components
- Specify application security approach
- Assign accountability
- Contribute security fixes back to the community
- Utilize Fortify's Open Review Project

Software Security Assurance
- Measurable Reduction of Risk
- Preventing Introduction of New Risks
- Compliance with Application Security Mandates
- Risk in Development Lifecycle
- Risk in Existing Legacy Applications

Summary
- Why are we here?
- Network Security is not enough
- Application Security Initiatives have come of age
- Security embedded in the development life-cycle
- Securing in-house developments is only part of the solution
- Systematic prevention of all software risk

Q&A
David Harper