Presentation is loading. Please wait.

Presentation is loading. Please wait.

The OWASP Foundation OWASP AppSec Washington DC 2009 The Secure SDLC Panel Real answers from real experience Moderated by: Pravir.

Published byDwight Perry Modified over 9 years ago

Similar presentations

Presentation on theme: "The OWASP Foundation OWASP AppSec Washington DC 2009 The Secure SDLC Panel Real answers from real experience Moderated by: Pravir."— Presentation transcript:

1 The OWASP Foundation http://www.owasp.org OWASP AppSec Washington DC 2009 The Secure SDLC Panel Real answers from real experience Moderated by: Pravir Chandra Director of Strategic Services, Fortify Software OpenSAMM Project Lead OWASP Global Projects Committee chandra@owasp.org

2 2 Panelists Dan Cornell - Denim Group Michael Craigue - Dell Computers Dennis Hurst - Hewlett Packard Joey Peloquin - FishNet Security Keith Turpin - The Boeing Company

3 3 Agenda Introducing the panelists Panelist positions Moderated question & answer Summary & conclusions

4 Introducing the Panelists

5 5 Dan Cornell Background: Principal / CTO of Denim Group Developer by background – J2EE,.NET, etc OWASP: San Antonio Chapter Lead Open Review Project Co-Lead Global Membership Committee Experience: Coder, architect, trainer, threat modeler, code reviewer, penetration tester Building SDLCs as both a consultant and a development organization

6 6 Michael Craigue At Dell since 1999 Lead for application security Emphasis on the e-commerce site SDL alignment with SDLC Prior to joining Dell’s information security team, spent over a decade building Web and database applications CISSP- and CSSLP-certified Taught Database Management and Business Intelligence/Knowledge Management at St. Edward’s University in their MBA and MS CIS programs Ph.D. from the University of Texas at Austin in Higher Education Administration and Finance

7 7 Dennis Hurst Dennis Hurst is a Senior Security Engineer for HP Software where he currently works with customers on Cloud Security and integrating security into Agile development processes. Prior to HP, Dennis was a Developer Security Evangelist for S.P.I. Dynamics, Inc.. He was the original developer of SPI Dynamics’ flagship web application vulnerability assessment product, WebInspect™, and now works with other development organizations evangelizing the need to integrate security into the Software Development Lifecycle (SDLC). Dennis is a founding member of the Cloud Security Alliance, and recently co-wrote the application security section of the “Security Guidance for Critical Areas of Focus in Cloud Computing.”. Dennis has over 20 years of development and IT experience and has been working with internet facing applications since the early 90’s.

8 8 Joey Peloquin Prior to becoming a consultant; Application Security Evangelist and Project Lead for Application Security Program at a Fortune 200 retailer Strategic Application Security Advisor for large software developer based in CA Strategic and tactical application security consulting for financial services, healthcare, and retail organizations Frequent speaker on “building security in”

9 9 Keith Turpin Keith leads Boeing’s application security assessment team and is a member of the Boeing enterprise red team. He also served two years as the lead IT security advisor for Boeing’s international operations. Keith currently represents Boeing on the International IT Standards Committee’s Cyber Security Technical Committee. Keith also served four years as the Director of Communication for the Puget Sound chapter of the Information Systems Security Association. Keith has a BA in Mechanical Engineering and MS in Computer Systems.

10 Panelist Positions

11 11 Variables What does an organization value? If people: training If process: SDLC checkpoints If technology: static or dynamic analysis More complicated than this, but understand how decisions are made Have they been burned? Top-down versus bottom-up How much is enough? Features > Performance > Security Dan Cornell on...

12 12 DOs and DON’Ts DO Identify champions (everyone can’t be a ninja, but some people want to – so use them) Use the technologies … but not exclusively Be iterative (Rome wasn’t built in a day, and neither was your scary portfolio of applications) DON’T Think everyone cares as much (or for the same reasons) as you Expect to “finish” anytime soon (improvement takes time and you are never really done) Dan Cornell on...

13 13 Key decision factors Build consensus among developers first; appeal to their love of writing high-quality software Take early success stories to executives Communicate to executives in terms of risk Create a variety of awareness and education programs Face-to-face seminars, celebrities welcome General courseware, manager courseware, 30-minute refresher courses Traditional versus Agile development Mike Craigue on...

14 14 Lessons learned We’re doing fundamentals, not cutting-edge security work Added ourselves into an existing SDLC; risk modeling tool was key touchpoint Partnered with other groups Developers—key allies Legal—contract templates, muscle Enterprise Architecture—tools, technology standardization; SOA Privacy—global background / EU representation Compliance—policies/standards Leveraged regulatory compliance for adoption Global staff, time zone / business segment alignment initially Acquisition challenges Threat modeling is time-consuming; use sparingly One step at a time, one org at a time, show metrics, build momentum Developer desktop standardization is ideal, but hard to attain Exception management process, executive escalation, roadmaps Mike Craigue on...

15 15 Key thoughts People want "security", whatever that is. The questions is are they willing to pay for it. The "level of effort" for security should be proportional to risk. Security must be INTEGRATED into the SDLC, not hammered in with policy, threats, etc Must require security at appropriate, quantifiable, attainable levels Motivate less risky behaviors Be introduced in stages and be financially appropriate at each stage. Creating a secure SDLC is a process that takes time and the process must be articulated, frequently in the form of a Maturity Model. People need to know where they are and where they are going. A Secure SDLC has LOTS of fringe benefits (Quality, repeatability, testability, etc) SELL THEM to get your SDLC!!!! Dennis Hurst on...

16 16 Decision factors Gartner’s prediction that 80% of companies experiencing a web-related breach by 2010 is well on its way to coming true Companies lucky enough to have not become a statistic virtually all have Secure SDLC projects on the books for 2010 Security Testing, Application Security Training, and Threat Modeling seen as “must haves” Getting started is the hardest part, but if you have buy-in from all levels, and take baby steps, you have a great chance of succeeding Joey Peloquin on...

17 17 Lessons Learned You need more than an executive champion Buying tools without clear direction and a proper plan leads to shelf-ware Threat Modeling, Risk Analysis… whatever you want to call it, pays huge dividends when done right When I ask if you have a Secure SDLC, AppSec Program, etc., your response should not be, “sure, we’re an Agile shop” It’s okay to call for help! Joey Peloquin on...

18 18 Decision Factors Determine how to risk model your applications. In a large environment you may have thousands of applications with various degrees of potential impact and differing threat agents. You may not be able to bring the wisdom of secure software development to the masses all at once, so figure out where to focus your efforts first. You must implement an effective training and communication program that will help developers, architects, project managers and management understand the nature of software security vulnerabilities, why they are important and how they can be mitigated during the development lifecycle. Like any initiative that is trying to change the practices of a large organization or company, implementing secure software development practices must be supported and sponsored by senior leadership. Keith Turpin on...

19 19 Lessons Learned Develop or adopt testing and remediation standards so that development teams, assessment teams and auditors are on the same page. Establish a formal risk acceptance process to address situations where vulnerabilities that can not be sufficiently remediated, but the business wants to move forward anyway. Ensure development teams have the tools they need to facilitate testing during development. In some cases this may require policy based guidelines around approved use of these tools, since some may also be used for malicious purposes, set off your IDS or anti- virus systems or cause unintended network disruption. Adopt a layer approach. Software firewalls can add an extra layer of defense, but this does not substitute for secure development. It is common practice for servers to be protected by network level firewalls even though the servers themselves are also expected to be hardened. Why treat software level security differently. Trust but verify the security of all commercial software supporting critical business functions. Keith Turpin on...

20 Moderated Question & Answer

21 21 Ground Rules Warm up with some prepared questions Panelists should limit responses to 2-3 mins Audience participation!!! Comments/questions/flames welcomed! I’ll try to keep things orderly...

22 What are the most significant organizational factors in determining if a secure SDLC integration will be successful? Top management mandate Metrics and dashboards Consistent development process Corporate culture Regulatory drivers ?? ?

23 Are there any big no-no's that stop a secure SDLC program dead in it’s tracks? If so, what are they? ?? ?

24 Rank the following in terms of priority for an organization that wants to do more security assessments in the SDLC: Code review (manual or static analysis) Security testing (dynamic analysis or ethical hack) Design review (inspection of security mechanisms) Threat modeling (assessment of what could go wrong) ?? ?

25 What's the best method for getting an organization's development, security/risk, and operations groups aligned to roll out a secure SDLC program? ?? ?

26 Carrot vs. Stick. Which should you pick when trying to change the process throughout an organization? In what situations might you decide to use the other? ?? ?

27 If someone approached you saying they had a little bit of budget for their software security program, but didn’t know what to do next, how would that conversation go? Specifically, where would you steer them? Hire consultants Get tools/technology License training content Internal head-count ?? ?

28 Rank the following in order of importance for a successful secure SDLC initiative People Process Technology ?? ?

29 We talk about the importance of measurement and metrics a lot, but does anyone actually use them? If so, what are the most popular ones? ?? ?

30 Do you think it is possible to demonstrate return on investment (ROI) for secure SDLC programs? If not, why? If so, how? ?? ?

31 How do you pronounce CISO? s-EE-so s-IH-so s-EYE-so ?? ?

32 Summary & Conclusions

Download ppt "The OWASP Foundation OWASP AppSec Washington DC 2009 The Secure SDLC Panel Real answers from real experience Moderated by: Pravir."

Similar presentations

A presentation for CIOs. What are the biggest challenges that face a modern CIO? (Lets list them…)

A presentation for CIOs. What are the biggest challenges that face a modern CIO? (Lets list them…)
Team 1: Aaron, Austin, Dan, Don, Glenn, Mike, Patrick.

Team 1: Aaron, Austin, Dan, Don, Glenn, Mike, Patrick.
12 August 2004 Strategic Alignment By Maria Rojas.

12 August 2004 Strategic Alignment By Maria Rojas.
Human Capital Management Checklist for Success. It’s All About People!

Human Capital Management Checklist for Success. It’s All About People!
Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, 2007. This work is the intellectual property rights of the author.

Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, This work is the intellectual property rights of the author.
© Clearwater Compliance LLC | All Rights Reserved Copyright Notice 1 Copyright Notice. All materials contained within this document are protected by United.

© Clearwater Compliance LLC | All Rights Reserved Copyright Notice 1 Copyright Notice. All materials contained within this document are protected by United.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
© 2008 All Right Reserved Fortify Software Inc. Hybrid 2.0 – In search of the holy grail… A Talk for OWASP BeNeLux by Roger Thornton Founder/CTO Fortify.

© 2008 All Right Reserved Fortify Software Inc. Hybrid 2.0 – In search of the holy grail… A Talk for OWASP BeNeLux by Roger Thornton Founder/CTO Fortify.
Enterprise Security A Framework For Tomorrow Christopher P. Buse, CPA, CISA, CISSP Chief Information Security Officer State of Minnesota.

Enterprise Security A Framework For Tomorrow Christopher P. Buse, CPA, CISA, CISSP Chief Information Security Officer State of Minnesota.
Building a SOA roadmap for your enterprise Presented by Sanjeev Batta Architect, Cayzen Technologies.

Building a SOA roadmap for your enterprise Presented by Sanjeev Batta Architect, Cayzen Technologies.
Executive Insight through Enhanced Enterprise Risk Management Leverage Value From Your Risk Management Investment.

Executive Insight through Enhanced Enterprise Risk Management Leverage Value From Your Risk Management Investment.
IT Governance Portfolio and Project Management in State Government Chris Cruz, Chief Information Officer, California Department of Food and Agriculture.

IT Governance Portfolio and Project Management in State Government Chris Cruz, Chief Information Officer, California Department of Food and Agriculture.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
IT Planning.

IT Planning.
Chapter 10 Information Systems Management. Agenda Information Systems Department Plan the Use of IT Manage Computing Infrastructure Manage Enterprise.

Chapter 10 Information Systems Management. Agenda Information Systems Department Plan the Use of IT Manage Computing Infrastructure Manage Enterprise.
Pertemuan 11-12 Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.

Pertemuan Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.
By Saurabh Sardesai www.starvaluemodel.com October 2014.

By Saurabh Sardesai October 2014.
July 8-9, 2014 | Ronald Reagan Building | Washington, DC Federal Cloud Computing Summit Dr. Barry C. West Cloud Tools and Integration.

July 8-9, 2014 | Ronald Reagan Building | Washington, DC Federal Cloud Computing Summit Dr. Barry C. West Cloud Tools and Integration.
Introduction to Systems Analysis and Design

Introduction to Systems Analysis and Design
IT Security Readings A summary of Management's Role in Information Security in a Cyber Economy and The Myth of Secure Computing.

IT Security Readings A summary of Management's Role in Information Security in a Cyber Economy and The Myth of Secure Computing.

Similar presentations

Ads by Google