Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lean and (Prepared for) Mean: Application Security Program Essentials Philip J. Beyer - Texas Education Agency John B. Dickson.

Published bySibyl Carr Modified over 9 years ago

Similar presentations

Presentation on theme: "Lean and (Prepared for) Mean: Application Security Program Essentials Philip J. Beyer - Texas Education Agency John B. Dickson."— Presentation transcript:

1 Lean and (Prepared for) Mean: Application Security Program Essentials Philip J. Beyer - Texas Education Agency philip.beyer@tea.state.tx.us John B. Dickson - Denim Group john@denimgroup.com 1TASSCC 2011 Annual Conference Copyright 2011 by Texas Education Agency. All rights reserved.

2 Overview Background Trends Essentials Roadmap TASSCC 2011 Annual Conference2 Copyright 2011 by Texas Education Agency. All rights reserved.

3 About Phil Beyer – Information Security Officer – Consulting background John Dickson – Application security industry leader TEA – ~700 employees – ~1200 school districts – ~5 million students TASSCC 2011 Annual Conference3 Copyright 2011 by Texas Education Agency. All rights reserved.

4 Application Security – What? Why? In Brief – Web applications can be attacked – Attacks are different from network or OS levels – Becoming a significant attack vector Impact – Attackers bypass traditional infrastructure security controls – Users are a target as well as data TASSCC 2011 Annual Conference4 Copyright 2011 by Texas Education Agency. All rights reserved.

5 Trends At TEA – Applications created regularly and retired slowly – Ability to outsource remediation decreased due to funding limitations In the Industry – Attacks are increasingly sophisticated and automated – Remediation costs increase in later phases of the development cycle TASSCC 2011 Annual Conference5 Copyright 2011 by Texas Education Agency. All rights reserved.

6 Essentials Where Did TEA Start Application Security Program established – Some policy and procedure – Initial training and exposure to concepts – Historically siloed approach Outsourcing for subject matter expertise – Veracode – Denim Group TASSCC 2011 Annual Conference6 Copyright 2011 by Texas Education Agency. All rights reserved.

7 Essentials The Premise Some things you Don’t Need Some things you Do Need Some things you Just Don’t Need Yet TASSCC 2011 Annual Conference7 Copyright 2011 by Texas Education Agency. All rights reserved.

8 Essentials What You Don’t Need An Expensive Scanner – A Security Process for scanning is more important – Simple (free) scanners will get you started – Buy the software later TASSCC 2011 Annual Conference8 Copyright 2011 by Texas Education Agency. All rights reserved.

9 Essentials What You Don’t Need A Complicated Scoring/Tracking Tool – A Security Process for profiling is more important – Risk ranking doesn’t have to be hard – Keeping track of your applications can be simple – Buy the software later TASSCC 2011 Annual Conference9 Copyright 2011 by Texas Education Agency. All rights reserved.

10 Essentials What You Don’t Need A Dedicated Application Security Team – A Security Process for testing is more important – Leverage your existing QA and Testing team – Simple security testing will get you started – Build and train your testing capability gradually TASSCC 2011 Annual Conference10 Copyright 2011 by Texas Education Agency. All rights reserved.

11 Essentials What You Don’t Need A Perfect SDLC – Get started with what you have now – Update your policies and procedures as you go – Don’t try to drop in “The Secure SDLC” all at once TASSCC 2011 Annual Conference11 Copyright 2011 by Texas Education Agency. All rights reserved.

12 Essentials What You Do Need A Champion – That’s You! – Understand the problem – Communicate the risk – Work with the business TASSCC 2011 Annual Conference12 Copyright 2011 by Texas Education Agency. All rights reserved.

13 Essentials What You Do Need A Team that Gets It – Managers – Developers – Testers – Security TASSCC 2011 Annual Conference13 Copyright 2011 by Texas Education Agency. All rights reserved.

14 Essentials What You Do Need Good Training – Resources exist, some are free – The trainer is important – Attacks evolve, so should your training TASSCC 2011 Annual Conference14 Copyright 2011 by Texas Education Agency. All rights reserved.

15 Essentials What You Do Need Expert Help – Technical questions will arise – Some vendors will dispute vulnerabilities – Be sure your team can consult with experts TASSCC 2011 Annual Conference15 Copyright 2011 by Texas Education Agency. All rights reserved.

16 Essentials What You Do Need A Roadmap to Maturity – Use an established maturity model OpenSAMM BSIMM – Design a roadmap to get to maturity – Don’t try to do it all at once TASSCC 2011 Annual Conference16 Copyright 2011 by Texas Education Agency. All rights reserved.

17 Roadmap Use a Maturity Model OpenSAMM - Software Assurance Maturity Model – Maturity levels 1 thru 4 – Governance Strategy & Metrics (2), Policy & Compliance (3), Education & Guidance (3) – Construction Threat Assessment (3), Security Requirements (3), Secure Architecture (3) – Verification Design Review (2), Code Review (2), Security Testing (3) – Deployment Vulnerability Management (3), Environment Hardening (3), Operational Enablement (3) TASSCC 2011 Annual Conference17 Copyright 2011 by Texas Education Agency. All rights reserved.

18 Roadmap – Phase 1 Governance Estimate overall business risk profile Build and maintain an application security program roadmap Build and maintain compliance guidelines Conduct technical security awareness training Build and maintain technical guidelines TASSCC 2011 Annual Conference18 Copyright 2011 by Texas Education Agency. All rights reserved.

19 Roadmap – Phase 1 Construction Derive security requirements based on business functionality Evaluate security and compliance guidance for requirements TASSCC 2011 Annual Conference19 Copyright 2011 by Texas Education Agency. All rights reserved.

20 Roadmap – Phase 1 Verification Derive test cases from known security requirements Conduct penetration testing on software releases TASSCC 2011 Annual Conference20 Copyright 2011 by Texas Education Agency. All rights reserved.

21 Roadmap – Phase 1 Deployment Identify point of contact for security issues Create informal security response team(s) TASSCC 2011 Annual Conference21 Copyright 2011 by Texas Education Agency. All rights reserved.

22 Resources OWASP – Open Web Application Security Project – http://www.owasp.org/ http://www.owasp.org/ OpenSAMM - Software Assurance Maturity Model – http://www.opensamm.org/ http://www.opensamm.org/ Denim Group – Remediation Resource Center – http://www.denimgroup.com/remediation/ http://www.denimgroup.com/remediation/ TASSCC 2011 Annual Conference22 Copyright 2011 by Texas Education Agency. All rights reserved.

23 Questions? TASSCC 2011 Annual Conference23 Copyright 2011 by Texas Education Agency. All rights reserved.

Download ppt "Lean and (Prepared for) Mean: Application Security Program Essentials Philip J. Beyer - Texas Education Agency John B. Dickson."

Similar presentations

Implementing a Behavior Based Safety Process at Rockwell Automation

Implementing a Behavior Based Safety Process at Rockwell Automation
OWASP CLASP Overview.

OWASP CLASP Overview.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Georgia State University 2003 A Ten Step Approach to Developing an Information Security Program Bill Paraska Director of University Computing.

Georgia State University 2003 A Ten Step Approach to Developing an Information Security Program Bill Paraska Director of University Computing.
Professional Services Overview

Professional Services Overview
TECH Project Company X Documentation Plan Champion/Define Phase

TECH Project Company X Documentation Plan Champion/Define Phase
Course: e-Governance Project Lifecycle Day 1

Course: e-Governance Project Lifecycle Day 1
Achieving (and Maintaining) Compliance With Secure Software Development Compliance Requirements (ISC)² SecureSDLC May 17, 2012.

Achieving (and Maintaining) Compliance With Secure Software Development Compliance Requirements (ISC)² SecureSDLC May 17, 2012.
© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. HP Security Services Svetlana.

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. HP Security Services Svetlana.
Getting to know IRMA ( Integration of Resource Management Applications) - Overview By: Margaret Beer, Brent Frakes, Alison Loar, Simon Kingston National.

Getting to know IRMA ( Integration of Resource Management Applications) - Overview By: Margaret Beer, Brent Frakes, Alison Loar, Simon Kingston National.
IS Management at Chase Holly David February 28 th, 2007.

IS Management at Chase Holly David February 28 th, 2007.
Prepared: October, 2005 1 Ann Garrett, State Chief Information Security Officer Statewide Security Update October 25, 2005 Information Technology Advisory.

Prepared: October, Ann Garrett, State Chief Information Security Officer Statewide Security Update October 25, 2005 Information Technology Advisory.
©2009 Gotham Digital Science, LLC Software Assurance with SAMM 21 Sept 2009, SOURCE Barcelona Matt Bartoldus

©2009 Gotham Digital Science, LLC Software Assurance with SAMM 21 Sept 2009, SOURCE Barcelona Matt Bartoldus
1 IS371 WEEK 8 Last and Final Assignment Application Development Alternatives to Application Development Instructor Online Evaluations.

1 IS371 WEEK 8 Last and Final Assignment Application Development Alternatives to Application Development Instructor Online Evaluations.
By: Ashwin Vignesh Madhu

By: Ashwin Vignesh Madhu
Center for Health Care Quality Licensing & Certification Program Evaluation 1 August 2014 rev.

Center for Health Care Quality Licensing & Certification Program Evaluation 1 August 2014 rev.
Measuring the effectiveness of government IT systems Current ANAO initiatives to enhance IT Audit integration and support in delivering Audit outcomes.

Measuring the effectiveness of government IT systems Current ANAO initiatives to enhance IT Audit integration and support in delivering Audit outcomes.
IS&T Project Management: Project Management 101 June, 2006.

IS&T Project Management: Project Management 101 June, 2006.
Overview 4Core Technology Group, Inc. is a woman/ veteran owned full-service IT and Cyber Security firm based in Historic Petersburg, Virginia. Founded.

Overview 4Core Technology Group, Inc. is a woman/ veteran owned full-service IT and Cyber Security firm based in Historic Petersburg, Virginia. Founded.
Security+ Guide to Network Security Fundamentals, Fourth Edition

Security+ Guide to Network Security Fundamentals, Fourth Edition

Similar presentations

Ads by Google