Presentation is loading. Please wait.

Presentation is loading. Please wait.

MANAGING APPLICATION SECURITY

Published byMerry Reynolds Modified over 6 years ago

Similar presentations

Presentation on theme: "MANAGING APPLICATION SECURITY"— Presentation transcript:

1 MANAGING APPLICATION SECURITY
2017 Application Security Survey by Security Compass Altaz Valani Director of Research LI: linkedin.com/in/altazvalani APRIL 27, 2017 PRESENTED AT:

2 PERSONAL BIO Director of Research at Security Compass ( responsible for managing the overall research vision and team. Previously: Senior Research Director, Application Development at Info-Tech Research Group Senior Manager, KPMG Started a software development company Interests: Secure software development Teaching and learning Research and collaboration MANAGING APPLICATION SECURITY

3 SURVEY DEMOGRAPHIC (BY ANNUAL EARNINGS)
ABOUT THE SURVEY PURPOSE To discover how large, complex organizations manage application security: the drivers, programs, and successes. WHO Most respondents were large multinational companies earning >$1 billion USD. THE RESULT Aggregated insights, industry trends, and best practices that illuminate how large corporations manage application security. SURVEY DEMOGRAPHIC (BY ANNUAL EARNINGS) Security Compass (n=28) MANAGING APPLICATION SECURITY

4 KEY RESEARCH FINDINGS

5 BUSINESS PRESSURE IS NOT GOING AWAY
INCREASING SPEED OF BUSINESS INCREASING SOPHISTICATION OF RISK MANAGEMENT INCREASING PRESSURE ON COST CONTROL MANAGING APPLICATION SECURITY

6 WHAT IS DRIVING APPLICATION SECURITY?
79% of respondents stated that general risk management was the key driver for their organization's application security. Security Compass (n=28) MANAGING APPLICATION SECURITY

7 SOFTWARE PROJECT PROGRESS
CONCLUSION: WE NEED A SYSTEMATIC WAY OF MANAGING APPLICATION SECURITY RISK IDENTIFY CONTROL IMPLEMENT CONTROL VALIDATE CONTROL 79% of respondents stated that general risk management was the key driver for their organization's application security. RISK SOFTWARE PROJECT PROGRESS MANAGING APPLICATION SECURITY

8 HOW IMPORTANT IS APPLICATION SECURITY?
73% of respondents stated that application security is a high or critical priority within their organization. Security Compass (n=26) MANAGING APPLICATION SECURITY

9 ORGANIZATIONAL SUPPORT FOR APPLICATION SECURITY (BY INDUSTRY)
1 = NO SUPPORT 5 = SUPPORT ACROSS THE BOARD Security Compass (n=21) MANAGING APPLICATION SECURITY

10 ADOPTION OF SECURITY AWARENESS TRAINING BY DEVELOPERS
There is resistance to adoption of security awareness training. Many see this as extra work, getting in the way of releasing software. 1 = NO TRAINING 5 = ALL DEVELOPERS ARE TRAINED Security Compass (n=22) MANAGING APPLICATION SECURITY

11 TRACKING THE EFFECTIVENESS OF AN APPLICATION SECURITY PROGRAM
75% of respondents stated that the number of vulnerabilities found was a key metric used to track the effectiveness of their application security program. ONLY 4% of respondents stated that they used the amount of money spent on remediating vulnerabilities as a key metric to track the effectiveness of their application security program. Security Compass (n=28) MANAGING APPLICATION SECURITY

12 KEY SECURITY ACTIVITIES PERFORMED
Shift-Left Activities Testing Activities Security Compass (n=28) MANAGING APPLICATION SECURITY

13 46% OF APPLICATION-LEVEL RISKS ARE NOT COVERED BY SAST & DAST TOOLS
Source Code SAST & DAST 54% of risks found* 54% remediation rate* 30% of total risks found & fixed average time to remediation = 316 days* Remediation 24% of risks found, not fixed 46% of risks are not found 70% of risks unaddressed *Adapted from: National Institute of Standards and Technology. “Report on the Static Analysis Tool Exposition IV”. Gartner for Technical Professionals. “Application Security Think Big and Start with What Matters”. Veracode. “State of Software Security”, 2016. WhiteHat Security. “Web Applications Security Statistics Report”. MANAGING APPLICATION SECURITY

14 46% OF APPLICATION-LEVEL RISKS ARE NOT COVERED BY SAST & DAST TOOLS
Source Code SAST & DAST 54% of risks found* 54% remediation rate* 30% of total risks found & fixed average time to remediation = 316 days* Remediation 24% of risks found, not fixed 46% of risks are not found Forthcoming SC whitepaper Intent Pointer Reference Manipulation Compiler Optimization Application Boundary Scanner Optimization Side Effects Runtime Class Creation Halting Problem CERT Non-Automation 70% of risks unaddressed *Adapted from: National Institute of Standards and Technology. “Report on the Static Analysis Tool Exposition IV”. Gartner for Technical Professionals. “Application Security Think Big and Start with What Matters”. Veracode. “State of Software Security”, 2016. WhiteHat Security. “Web Applications Security Statistics Report”. MANAGING APPLICATION SECURITY

15 KEY SECURITY ACTIVITIES PERFORMED
Requirements Management CODE REVIEW (SAST) PEN TESTING (DAST) Software Development Lifecycle MANAGING APPLICATION SECURITY

16 TRACKING THE EFFECTIVENESS OF AN APPLICATION SECURITY PROGRAM
We have jumped straight to validation without identifying the root cause and implementing the appropriate controls to reduce application security risk. RISK SOFTWARE PROJECT PROGRESS IDENTIFY CONTROL IMPLEMENT CONTROL VALIDATE CONTROL Security Compass (n=28) MANAGING APPLICATION SECURITY

17 DO YOU PRIMARILY BUILD IN-HOUSE OR BUY THIRD-PARTY SOFTWARE?
(ROUGHLY) EQUAL MIX OF IN-HOUSE, COTS, AND OUTSOURCED BUY & CONFIGURE COTS (ROUGHLY) EQUAL MIX OF IN-HOUSE & COTS Security Compass (n=26) MANAGING APPLICATION SECURITY

18 ENSURING THE SECURITY OF THIRD-PARTY VENDORS
MANAGING APPLICATION SECURITY

19 KEY TAKEAWAYS SOFTWARE SECURITY REQUIREMENTS MANAGEMENT
THREAT MODELING REQUIREMENTS GENERATION ALM INTEGRATION TESTING INTEGRATION AND AGGREGATION Bottom line: Develop secure applications to minimize the many risks that arise from exploiting vulnerabilities MANAGING APPLICATION SECURITY

20 KEY TAKEAWAYS Adopt the correct metrics to drive your program. Strive for objective, quantified metrics that measure risk beyond vulnerabilities (e.g. “How to Measure Anything in Cyber Security Risk”). Stop tracking your app sec program by the number of vulnerabilities detected by scanners alone. Use a software security requirements management platform, (e.g. SD Elements, OWASP Knowledge framework) and/or tool-assisted threat modelling (e.g. Microsoft threat modelling tool). Traceable requirements coupled with test cases are more forward looking and comprehensive. Require your vendors to have a higher standard for secure SDLC (e.g. ISO or vBSIMM or Microsoft's SDL). MANAGING APPLICATION SECURITY

21 THANK YOU FOR A COPY OF THE FULL REPORT, PLEASE VISIT: OR US AT:

Download ppt "MANAGING APPLICATION SECURITY"

Similar presentations

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
© AberdeenGroup 2009 Energy Management: Driving Value in the Industrial Environments Mehul Shah Research Analyst Matthew Littlefield Sr. Research Analyst.

© AberdeenGroup 2009 Energy Management: Driving Value in the Industrial Environments Mehul Shah Research Analyst Matthew Littlefield Sr. Research Analyst.
Building an Effective SDLC Program: Case Study Guy Bejerano, CSO, LivePerson Ofer Maor, CTO, Seeker Security.

Building an Effective SDLC Program: Case Study Guy Bejerano, CSO, LivePerson Ofer Maor, CTO, Seeker Security.
© 2008 All Right Reserved Fortify Software Inc. Hybrid 2.0 – In search of the holy grail… A Talk for OWASP BeNeLux by Roger Thornton Founder/CTO Fortify.

© 2008 All Right Reserved Fortify Software Inc. Hybrid 2.0 – In search of the holy grail… A Talk for OWASP BeNeLux by Roger Thornton Founder/CTO Fortify.
Planning and Managing Information Security Randall Sutton, President Elytra Enterprises Inc. April 4, 2006.

Planning and Managing Information Security Randall Sutton, President Elytra Enterprises Inc. April 4, 2006.
© 2013 IBM Corporation Information Management Discovering the Value of IBM InfoSphere Information Analyzer IBM Software Group 1Discovering the Value of.

© 2013 IBM Corporation Information Management Discovering the Value of IBM InfoSphere Information Analyzer IBM Software Group 1Discovering the Value of.
The Difficult Road To Cybersecurity Steve Katz, CISSP Security Risk Solutions 631-692-5175 Steve Katz, CISSP Security.

The Difficult Road To Cybersecurity Steve Katz, CISSP Security Risk Solutions Steve Katz, CISSP Security.
Lean and (Prepared for) Mean: Application Security Program Essentials Philip J. Beyer - Texas Education Agency John B. Dickson.

Lean and (Prepared for) Mean: Application Security Program Essentials Philip J. Beyer - Texas Education Agency John B. Dickson.
Copyright © 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Don Von Dollen Senior Program Manager, Data Integration & Communications Grid Interop December 4, 2012 A Utility Standards and Technology Adoption Framework.

Don Von Dollen Senior Program Manager, Data Integration & Communications Grid Interop December 4, 2012 A Utility Standards and Technology Adoption Framework.
Microsoft Security Development Lifecycle

Microsoft Security Development Lifecycle
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © 2011 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Implementing an Effective Global Anti-Bribery Program Implementing an Effective Global Anti-Bribery Program Elaine Murphy, MBA Director Health Care Compliance.

Implementing an Effective Global Anti-Bribery Program Implementing an Effective Global Anti-Bribery Program Elaine Murphy, MBA Director Health Care Compliance.
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
FROM CONTINUOUS INTEGRATION TO VIRTUAL PATCHING BUILDING APPSEC ALL ALONG THE WEB APPLICATION LIFECYCLE.

FROM CONTINUOUS INTEGRATION TO VIRTUAL PATCHING BUILDING APPSEC ALL ALONG THE WEB APPLICATION LIFECYCLE.
Software Engineering Process - II 7.1 Unit 7: Quality Management Software Engineering Process - II.

Software Engineering Process - II 7.1 Unit 7: Quality Management Software Engineering Process - II.
Information Security in Laurier Grant Li Wilfrid Laurier University.

Information Security in Laurier Grant Li Wilfrid Laurier University.
Integrated ALM with Cross-Tool Reporting Kovair Marketing Kovair Software Copyright ©

Integrated ALM with Cross-Tool Reporting Kovair Marketing Kovair Software Copyright ©

Similar presentations

Ads by Google