Presentation is loading. Please wait.

Presentation is loading. Please wait.

Using the Cloud and SaaS to Secure the SDLC. About Me Andy Earle HP/Fortify – Security Solutions Architect / Presales Engineer – Sell, deliver solutions.

Published byMark Jolles Modified over 9 years ago

Similar presentations

Presentation on theme: "Using the Cloud and SaaS to Secure the SDLC. About Me Andy Earle HP/Fortify – Security Solutions Architect / Presales Engineer – Sell, deliver solutions."— Presentation transcript:

1 Using the Cloud and SaaS to Secure the SDLC

2 About Me Andy Earle HP/Fortify – Security Solutions Architect / Presales Engineer – Sell, deliver solutions to commercial and US Fed Past – PM for High Assurance computer system at BAE – Mobile and App Security, multiple jobs – Software Engineer, multiple jobs

3 Agenda Terms and Background Application Security (AppSec) Deployment Models – SaaS / Cloud (On Demand) – On-Premise AppSec Industry Evolution – Relevant Trends – Case for “Hybrid” Implementation Hybrid On-Premise / cloud delivery of S-SDLC

4 Terms and Background Terms – SaaS : Software as a Service – SDLC : Software Development Lifecycle – SSA : Software Security Assurance Background – Focus is static analysis…but many concepts applicable to dynamic – SaaS and (public) cloud somewhat interchangeable, for this session – Caveats: Lots of variety of offerings amongst vendors; many of my statements are necessarily generalities

5 APPSEC DEPLOYMENT MODELS

6 What is SaaS? Software as a Service (SaaS) …or Security as a Service, in the AppSec world SaaS is a delivery model where software, data and services are hosted in the cloud and delivered on demand Application Security SaaS offerings include – Static, dynamic, and manual analyses – Expert review and prioritization of results – Various delivery offerings (web interface, reports, artifacts that integrate with onsite infrastructure)

7 AppSec via SaaS SaaS Web Portal Dev Org Stakeholders AppSec SME - review & triage 1 Analysis SaaS Process, On-Demand 1)Deliver code or bytes 2)Analysis as a Service 3)Expert Review 4)Results made available 2 3 4

8 What is an SDLC? Software Development Lifecycle (SDLC) …or Secure Development Lifecycle …or Secure Software Dev Lifecycle (S-SDLC) S-SDLC incorporates security across all phases of the development lifecycle. Security is built into applications from the start. Result: Software Security Assurance (SSA)

9 Sample Secure SDLC Developers Auditor / Security PM / Tech Lead Build Machine Possibly Continuous Integration Code Repository Bug Tracking Check in Code Check-out, Build and Scan Auditor Reviews Results Submit Findings to Bug Tracker IDE Plug-in Repeat as Necessary Vulnerability Scan On Premise Deployment Developer Fixes Bug / Security Finding

10 Building Security into an SDLC Build Security in: Activities & Tasks Developer & staff training Vulnerability analysis technologies Technology integrations and automation AppSec processes, procedures and metrics Governance, enforcement of the above …Basically, process reengineering …This is SSA

11 SSA Challenges Challenges to implementing an SSA program Tools “wanted by security, need to be used by development” Developers not security trained. Security doesn’t understand source code Seamless integration of security requires big upfront commitment Expertise is scarce (and expensive in time or $$$) And more…

12 SaaS vs. On-Premise SaaSOn Premise No deployment, no hardware, no training Easy Deployment Involved Requires local installation and supporting hardware Scans executed, results triaged by experts and delivered in easy to read reports Little Expertise Required Significant Requires expertise to set filters and triage results Days, sometimes weeks per scan Days Time to Results Hours Hours per scan Standardized process Less Control More 100% control - instant access to all capabilities at any time Primary results are in report, but can be sent to bug tracking systems and IDEs Less Integration More Tight integration with build systems, bug tracking, revision control, test automation Reports, web sites, web services challenging for use in fixing found issues Less Actionable Results Very Results in-house, consumable & usable in IDEs, development and security infrastructure

13 The Strengths of SaaS and On-Premise Pure SaaS Deployment Easy and cost effective to get started Little to no expertise required Findings make case for future appsec investments Meet compliance and reporting obligations Pure On-Premise Deployment Better model for “The Fix” Addresses the systemic problem Integration and automation maximize efficiency

14 A Solid Plan for SSA Phase 1: Pure SaaS Assess Critical Apps Prioritize and secure funding for Phase 2 Train and/or hire resources Fix critical vulnerabilities, low hanging fruit Phase 2: Pure On-Premise Bring technology and expertise in-house Solve the systemic problem – reduce repeat vulnerabilities Integration and automation maximize efficiency Mature SSA program This could include putting SaaS onsite (private cloud)

15 HOW THINGS ARE EVOLVING

16 Relevant AppSec Trends People Developers are increasingly security trained and aware AppSec SMEs more prevalent, many in the solution providers and security firms Product Applications increasingly complex – Hardware and time to analyze steepening – Increased expertise required to scan accurately SaaS increasingly integrate-able with onsite systems Process Compliance obligations mandating S-SDLC

17 S-SDLC Baseline Deployment Developers Auditor / Security Build Machine Possibly Continuous Integration Code Repository Bug Tracking Check in Code Check-out, Build and Scan Auditor Reviews Results Submit Findings to Bug Tracker Developer Fixes Bug / Security Finding Repeat as Necessary Vulnerability Scan Basic, On Premise

18 S-SDLC Needs Developers Auditor / Security Vulnerability Scan Analysis Needs: Power, processing, memory Multiple servers Expertise to scan accurately Development Needs: Security, vulnerability training IDE integration of results Low impact to current processes Auditor Needs: Deep appsec knowledge Expertise with scanning tool Knowledge of app deployment = SaaS = On Premise

19 SaaS Integration Points Developers Auditor / Security Build Machine or Continuous Integration Code Repository Bug Tracking Check in Code Check-out, Build and Scan Auditor Reviews Results Submit Findings to Bug Tracker Developer Fixes Bug / Security Finding Repeat as Necessary Vulnerability Scan On Premise Infrastructure

20 SaaS Integration Points Developers Auditor / Security PM / Tech Lead Code Repository Bug Tracking On Premise Infrastructure SaaS Point & click Automated Web-based Build Machine or Continuous Integration

21 Bringing it all Together Key Concepts in a Hybrid S-SDLC Deployment – Expertise available via SaaS is typically superior to that found on-premise (they are the experts) – Some tasks require on-site activity (like fixing bugs) – Disruptions to existing processes can slow adoption; start small and build slowly – Integration points can blur the on-premise / on- demand separation, facilitating adoption

22 Hybrid Delivered Secure SDLC Developers Continuous Integration Code Repository Bug Tracking Check in Code Triggered Check-out Download, Prioritize Results Submit Findings to Bug Tracker IDE Plug-in Hybrid Deployment Developer views bugs & findings SaaS Triggered send for Analysis Analyze/Scan Expert Review Auditor / PM Dev loads issues in IDE Plug-in

23 Integration Points Development and Security Technology Deliver Source View/Pull Results Developer IDEYY Continuous Integration ServerYY Code Repository / Version ControlY Web InterfaceYY Web Services / Custom IntegrationsYY Lots of opportunity for customization and fitting the deployment model to the customer environment

24 Plan for SSA, Revisited Phase 1: Pure SaaS Assess Critical Apps Prioritize and secure funding for Phase 2 Phase 2: On-Premise Pilot and SaaS Continue SaaS regime Deploy on-premise technology, design and test long term processes Train and/or hire resources Fix critical vulnerabilities, low hanging fruit Phase 3: Hybrid On-Premise and SaaS Deployment Deploy more technology and expertise in-house Difficult apps (for example) are still analyzed, triaged via SaaS Integration and automation max efficiency across deployments Mature SSA program

25 Final Thoughts  Take advantage of expertise where it resides, potentially buying time to bring it in-house  The general maturity curve is still on-demand --> on-premise  Automated or easy integrations are vital to successful hybrid deployment  Plan! Think long term.  Sometimes a pure on-premise or on-demand deployment is still the best answer. The important thing is to fit the solution to the problem and need.

26 Resources http://www.owasp.org http://www.opensamm.org/ …and check out the next session on this track http://bsimm.com/ http://buildsecurityin.us-cert.gov/bsi/ …Many, many others…

Download ppt "Using the Cloud and SaaS to Secure the SDLC. About Me Andy Earle HP/Fortify – Security Solutions Architect / Presales Engineer – Sell, deliver solutions."

Similar presentations

Life Science Services and Solutions

Life Science Services and Solutions
Course: e-Governance Project Lifecycle Day 1

Course: e-Governance Project Lifecycle Day 1
System Center 2012 R2 Overview

System Center 2012 R2 Overview
© 2008 All Right Reserved Fortify Software Inc. Hybrid 2.0 – In search of the holy grail… A Talk for OWASP BeNeLux by Roger Thornton Founder/CTO Fortify.

© 2008 All Right Reserved Fortify Software Inc. Hybrid 2.0 – In search of the holy grail… A Talk for OWASP BeNeLux by Roger Thornton Founder/CTO Fortify.
© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. HP Security Services Svetlana.

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. HP Security Services Svetlana.
Enterprise Web Content Management Path to developing a Competency Center Presented To: Presented By: Gilbane ConferenceBrian VanDeventer IT Manager, Web.

Enterprise Web Content Management Path to developing a Competency Center Presented To: Presented By: Gilbane ConferenceBrian VanDeventer IT Manager, Web.
SDLC. Information Systems Development Terms SDLC - the development method used by most organizations today for large, complex systems Systems Analysts.

SDLC. Information Systems Development Terms SDLC - the development method used by most organizations today for large, complex systems Systems Analysts.
Chapter 8: Development of Business Intelligence

Chapter 8: Development of Business Intelligence
Presented by Sujit Tilak. Evolution of Client/Server Architecture Clients & Server on different computer systems Local Area Network for Server and Client.

Presented by Sujit Tilak. Evolution of Client/Server Architecture Clients & Server on different computer systems Local Area Network for Server and Client.
BI in the Cloud – Sky is the limit Vishal Agrawal Product Technical Architect Infosys Tech Ltd Anand Govindarajan Principal Technology Architect Infosys.

BI in the Cloud – Sky is the limit Vishal Agrawal Product Technical Architect Infosys Tech Ltd Anand Govindarajan Principal Technology Architect Infosys.
M.A.Doman 2011. Model for enabling the delivery of computing as a SERVICE.

M.A.Doman Model for enabling the delivery of computing as a SERVICE.
Greg Pierce| Concerto Cloud Services Which Cloud is Right for Microsoft CRM?

Greg Pierce| Concerto Cloud Services Which Cloud is Right for Microsoft CRM?
Microsoft Premier Support for Partners Capitalize on cloud potential Receive and deliver end-to-end cloud support Ease customers’ transition to the cloud.

Microsoft Premier Support for Partners Capitalize on cloud potential Receive and deliver end-to-end cloud support Ease customers’ transition to the cloud.
Internet GIS. A vast network connecting computers throughout the world Computers on the Internet are physically connected Computers on the Internet use.

Internet GIS. A vast network connecting computers throughout the world Computers on the Internet are physically connected Computers on the Internet use.
Cloud Computing. 2 A division of Konica Minolta Business Solutions USA Inc. What is Cloud Computing? A model for enabling convenient, on-demand network.

Cloud Computing. 2 A division of Konica Minolta Business Solutions USA Inc. What is Cloud Computing? A model for enabling convenient, on-demand network.
Effectively Explaining the Cloud to Your Colleagues.

Effectively Explaining the Cloud to Your Colleagues.
Application Lifecycle Management and the cloud

Application Lifecycle Management and the cloud
DYNAMICS CRM AS AN xRM DEVELOPMENT PLATFORM Jim Novak Solution Architect Celedon Partners, LLC

DYNAMICS CRM AS AN xRM DEVELOPMENT PLATFORM Jim Novak Solution Architect Celedon Partners, LLC
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Lean and (Prepared for) Mean: Application Security Program Essentials Philip J. Beyer - Texas Education Agency John B. Dickson.

Lean and (Prepared for) Mean: Application Security Program Essentials Philip J. Beyer - Texas Education Agency John B. Dickson.

Similar presentations

Ads by Google