Moving from “Bolt-on” to “Build-in” Security Controls


1 Moving from “Bolt-on” to “Build-in” Security Controls
Secure SDLC
Nitin Kotwal, Hack2Secure

2 “Insecure Software”: the Easiest Path for Attackers

3 Case Study: Heartland Payment Systems (HPS) Data Security Breach
Quick facts:
Malware was planted through an SQL injection (SQLi) flaw in a web application.
The attack bypassed the network security controls.
It then moved laterally into the (PCI-compliant) payment network and onto an internally placed processing server.
Account details were stolen for about four months.
Active and passive losses: the stock dipped by 78%, around 5,000 merchants were lost, and HPS was delisted by Visa and MasterCard.

4 Case Study: Heartland Payment Systems (HPS) Data Security Breach
Lessons:
An insecure application is an easy entry point.
“Ensuring” compliance is not the same as “effective” implementation.
Intranet security matters: controls must not stop at the perimeter.

5 “Insecure Design”: an Easy Attack Surface

6 Case Study: Facebook Incorrectly Implemented the ‘Download Your Information’ Tool
Impact:
User privacy leak
Undetected for a year
Public apology
Privacy lawsuits

7 Case Study: Facebook Incorrectly Implemented the ‘Download Your Information’ Tool
Lessons:
Secure feature design
Security in “requirement gathering”
Compliance and standards alignment
A “security feature” is not the same as a “secure implementation”

8 Software Security: Current Challenges
Lack of awareness and skills
Partially integrated practices
Inadequate resources (documentation, process, practices)
One plan will not fit all

9 So, What Can Be Done to Meet Software Security Needs?
Ensure built-in security and attack resiliency.

10 Secure SDLC: Integrate Security Controls Across SDLC Phases
Security Awareness
Security Requirements
Secure by Design
Secure Implementation
Security Testing
Security Review & Response
Secure Deployment
Security Maintenance

11 Secure SDLC Benefits: Early Identification and Mitigation of Security Vulnerabilities
Reduced cost of implementing security controls

12 Secure SDLC Benefits: “The earlier you detect a defect, the lower the cost of fixing it”
[Chart: relative cost of addressing a security defect at different SDLC stages]

13 Secure SDLC Benefits: Informed Security Decision Making
Comprehensive risk management
Awareness of potential engineering challenges

14 Secure SDLC Benefits: Security Strategies Across Development Models
The same security strategy can be mapped onto the Waterfall, V, Incremental, RAD, Agile, Iterative and Spiral models.

15 Secure SDLC Benefits: Easier Compliance Adoption

16 Security “Awareness”
“There is only one way to keep your product plans safe and that is by having a trained, aware and conscientious workforce.” Kevin Mitnick, ‘The Art of Deception’

17 Define Security “Requirements”
Without system requirements, the system will fail. Without secure system requirements, the organization will.
Security compliance and standards needs
Security checklists and gates
Measurable risk definitions
Assurance methodologies

18 Building a Secure “Design”
Treat security as an integral part of overall system design (NIST SP “Engineering Principles for Information Technology Security”).
Define design measures: attack surface analysis and threat modeling.
Threats are not vulnerabilities. A threat is the attacker's goal and never goes away; a vulnerability is a specific weakness that can be fixed.

19 Secure “Implementation”
Secure coding practices
Code (security) review
Safeguards and countermeasures

20 “Security Testing” Is Different From “Functional Security Testing”
Functional security testing confirms that a security feature works for legitimate use; security testing confirms that the feature cannot be abused.
Grey-box assessment
Risk-based analysis
Security test plan, built from: security requirements, identified threats, implemented safeguards, best practices
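The two slides above, on secure implementation and on the difference between functional and security testing, are illustrated here with one added example that is not part of the original presentation and is not Heartland's or Hack2Secure's code. It shows an account lookup written the "bolt-on" way (SQL built by string formatting, the class of flaw behind the Heartland case) beside its "build-in" form (a bound parameter), and a test that exercises the abuse case from the threat model rather than the happy path. The table, rows, payload and function names are constructed for illustration.

```python
"""Injectable lookup vs parameterized lookup, with a functional test and a
security test. Constructed example; the schema, rows, payload and names
are assumptions made for illustration, not code from the slides."""
import sqlite3
from typing import Dict, List, Tuple

# Constructed sample data: a minimal merchant-account table.
ROWS = [
    ("M-1001", "Acme Coffee", "4111111111111111"),
    ("M-1002", "Bolt Hardware", "5500000000000004"),
    ("M-1003", "Cyan Books", "340000000000009"),
]


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (merchant_id TEXT, name TEXT, pan TEXT)")
    con.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ROWS)
    return con


def lookup_vulnerable(con: sqlite3.Connection, merchant_id: str) -> List[Tuple[str, str]]:
    # Bolt-on thinking: trust the caller and splice the value into SQL text.
    sql = f"SELECT merchant_id, name FROM accounts WHERE merchant_id = '{merchant_id}'"
    return con.execute(sql).fetchall()


def lookup_hardened(con: sqlite3.Connection, merchant_id: str) -> List[Tuple[str, str]]:
    # Built-in control: the value travels as a bound parameter and is never parsed as SQL.
    sql = "SELECT merchant_id, name FROM accounts WHERE merchant_id = ?"
    return con.execute(sql, (merchant_id,)).fetchall()


# Abuse case taken from the threat model: "attacker controls merchant_id".
INJECTION = "' OR '1'='1"


def functional_test() -> Dict[str, bool]:
    """Functional security test: a legitimate lookup returns exactly its own row.
    Both implementations pass, which is why this test alone proves nothing."""
    con = make_db()
    expected = [("M-1002", "Bolt Hardware")]
    return {
        "vulnerable_ok": lookup_vulnerable(con, "M-1002") == expected,
        "hardened_ok": lookup_hardened(con, "M-1002") == expected,
    }


def security_test() -> Dict[str, int]:
    """Security test: replay the injection payload and count rows that leak."""
    con = make_db()
    return {
        # The WHERE clause becomes merchant_id = '' OR '1'='1', so the whole table (3 rows) leaks.
        "vulnerable_rows": len(lookup_vulnerable(con, INJECTION)),
        # The payload is compared as a literal string and matches nothing (0 rows).
        "hardened_rows": len(lookup_hardened(con, INJECTION)),
    }


if __name__ == "__main__":
    print("functional:", functional_test())
    print("security:  ", security_test())
```

The functional test is what most teams already run; only the security test, derived from an identified threat, distinguishes the two implementations, which is the gap the slide is pointing at.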

21 Security “Review” & “Response”
Final security review
Audit and compliance review
Deployment and procurement risk
Vulnerability assessment
Penetration testing
Incident handling

22 Security in the “Maintenance” Phase
Patch management
Third-party libraries
Disposal policy
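As an added example for the third-party library point above (not from the presentation and not any vendor's tool), the following script is the kind of maintenance-phase gate that compares pinned dependencies against known-vulnerable version ranges before a release ships. The requirements excerpt, package names and advisory entries are constructed for illustration and do not describe real packages or real advisories.

```python
"""Pinned-dependency audit against an advisory list. Constructed example:
the lockfile, package names and advisory identifiers are assumptions
made for illustration, not real advisories."""
from typing import Dict, List, Tuple

# Constructed lockfile excerpt; every dependency must be pinned with ==.
REQUIREMENTS = """\
# constructed example, not a real project
webframework==2.3.1
jsonparse==1.0.9
tlsclient==4.2.0
imagelib==0.9
"""

# Constructed advisory feed: a package is affected when
# affected_from <= pinned version < fixed_in.
ADVISORIES: List[Dict[str, str]] = [
    {"package": "jsonparse", "affected_from": "1.0.0", "fixed_in": "1.1.0", "id": "EXAMPLE-2023-0001"},
    {"package": "tlsclient", "affected_from": "4.0.0", "fixed_in": "4.2.0", "id": "EXAMPLE-2023-0002"},
    {"package": "imagelib", "affected_from": "0.0", "fixed_in": "1.0", "id": "EXAMPLE-2024-0003"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric dotted versions only, padded to three parts so 0.9 < 1.0 and 1.0 == 1.0.0."""
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (3 - len(parts))


def parse_requirements(text: str) -> List[Tuple[str, str]]:
    """Return (name, version) pins; refuse unpinned lines, which cannot be audited."""
    pins = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" not in line:
            raise ValueError(f"unpinned dependency, cannot audit: {line}")
        name, ver = line.split("==", 1)
        pins.append((name.strip().lower(), ver.strip()))
    return pins


def find_vulnerable(text: str = REQUIREMENTS,
                    advisories: List[Dict[str, str]] = ADVISORIES) -> List[Tuple[str, str, str]]:
    """Return (package, pinned_version, advisory_id) for every pin inside an affected range."""
    findings = []
    for name, ver in parse_requirements(text):
        pinned = parse_version(ver)
        for adv in advisories:
            if adv["package"] != name:
                continue
            if parse_version(adv["affected_from"]) <= pinned < parse_version(adv["fixed_in"]):
                findings.append((name, ver, adv["id"]))
    return findings


if __name__ == "__main__":
    for pkg, ver, adv_id in find_vulnerable():
        print(f"{pkg}=={ver} is affected by {adv_id}; upgrade before release")
```

In this constructed data `tlsclient` is pinned exactly at its fixed version and is not flagged, while `jsonparse` and `imagelib` are; a real gate would pull the advisory feed from a vulnerability database and fail the build on any finding.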

23 Secure SDLC as a Process: How to Integrate
Awareness: build skills according to role
Explore: frameworks, practices and resources
Customize: adopt and integrate controls
Align: with standards and case studies

24 Case Study: Cisco's Adoption of a Secure SDLC
Aligned with ISO guidelines
Adapted for Agile and Waterfall models
Enables global sales

25 Case Study: Microsoft and VMware Adoption

26 Thank You
E: info@hack2secure.com

