
UISGCON11 December 4 th 2015 Svavar Ingi Hermannsson CISSP, CISA, CISM THE JOURNEY TO A SECURE SOFTWARE DEVELOPMENT LIFE CYCLE.

Presentation transcript:

2 OVERVIEW
- $whoami
- Useful standards
- Building blocks
- Adding more security

3 WHO AM I? Svavar has specialized in IT security and software development for the last 18 years and has held various roles in programming and IT security consulting, with extensive experience in penetration testing, vulnerability assessment, code auditing and information security management, including ISO/IEC 27001, PCI DSS and PA-DSS. These roles include a manager position at KPMG as well as a CISO position at DH samskipti. Svavar has taught computer security classes at the University of Iceland and Reykjavik University. He was chairman of the information security focus group at the Icelandic Computer Society from 2007 to 2012. He has given talks at multiple events in Iceland, the UK, Germany and the US, including OWASP, BSides and Hacker Halted Europe. Svavar holds various certifications, including CISSP, CISA and CISM.

4 USEFUL STANDARDS: Why do we standardize?

5 USEFUL STANDARDS
- Security policy, access control, backups, BCP (and more)
- ISO/IEC 27034 -- Information technology -- Security techniques -- Application security

6 USEFUL STANDARDS
- OpenSAMM (Software Assurance Maturity Model, courtesy of OWASP)

7 BUILDING BLOCKS: How to build a strong foundation?

8 BUILDING BLOCKS
- Expected implementation time for an SME: 2 to 3 years

9 BUILDING BLOCKS
- Decide on a software development methodology
  - Agile / Scrum?
  - Formalize
  - Digitize
- Source control system
  - Pick one
  - Decide how to use it
  - Branching?
  - Release versioning
- Connect the two

10 BUILDING BLOCKS
- Separate development / testing / production
- Separation of duties

11 ADDING MORE SECURITY
- Adding security to the SDLC
- Start differentiating between bugs and security bugs
- Secure coding training
- Secure coding practices
- Add a design + design review step (with assistance from security architects)
- Add threat modeling (STRIDE)
- Code auditing with a focus on IT security
- Security testing prior to release

12 ADDING MORE SECURITY
- CISO
- Security notifications
- Security portal / vulnerability management
- Incident response
- Bug bounties
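The slide only names STRIDE as the threat-modeling step. As an added example (not from the talk or the speaker), the block below shows the mechanical core of STRIDE-per-element: describe the system as a data-flow diagram (external entities, processes, data stores, and the flows between them, each placed in a trust boundary), then derive the candidate threats from the element type using the standard STRIDE-per-element table (external entities: S and R; processes: all six; data stores: T, R, I, D; data flows: T, I, D). Flows that cross a trust boundary are flagged, since those are where review effort usually goes first. The element names, boundaries and the sample diagram are constructed for illustration, not taken from the page.

```python
"""STRIDE-per-element threat enumeration over a small data-flow diagram.

Added example, not part of the original slides. The category-per-element
table is the standard STRIDE-per-element mapping; the sample diagram
(browser -> web app -> database) is constructed here for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Standard STRIDE-per-element table: which categories apply to each DFD element type.
PER_ELEMENT = {
    "external": "SR",      # external entity (user, third-party system)
    "process": "STRIDE",   # anything that runs code
    "store": "TRID",       # database, file, queue, log
    "flow": "TID",         # data in transit between two elements
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str       # "external", "process" or "store"
    boundary: str   # trust boundary the element lives in (hypothetical labels)


@dataclass(frozen=True)
class Flow:
    name: str
    src: str        # Element.name
    dst: str        # Element.name


@dataclass(frozen=True)
class Threat:
    element: str
    category: str
    crosses_boundary: bool = False


def enumerate_threats(elements: List[Element], flows: List[Flow]) -> List[Threat]:
    """Derive candidate threats from element type; flag flows that cross a trust boundary."""
    by_name = {e.name: e for e in elements}
    threats: List[Threat] = []
    for e in elements:
        if e.kind not in PER_ELEMENT or e.kind == "flow":
            raise ValueError(f"unknown element kind: {e.kind!r}")
        threats.extend(Threat(e.name, STRIDE[c]) for c in PER_ELEMENT[e.kind])
    for f in flows:
        src, dst = by_name[f.src], by_name[f.dst]   # KeyError if a flow names an unknown element
        crosses = src.boundary != dst.boundary
        threats.extend(Threat(f.name, STRIDE[c], crosses) for c in PER_ELEMENT["flow"])
    return threats


def summarize(threats: List[Threat]) -> Dict[str, List[str]]:
    """Map each element/flow name to the list of STRIDE categories raised against it."""
    out: Dict[str, List[str]] = {}
    for t in threats:
        out.setdefault(t.element, []).append(t.category)
    return out


def boundary_crossing_flows(threats: List[Threat]) -> List[str]:
    """Names of flows whose threats were flagged as crossing a trust boundary."""
    return sorted({t.element for t in threats if t.crosses_boundary})


# Constructed sample diagram (hypothetical names and boundaries).
SAMPLE_ELEMENTS = [
    Element("Browser", "external", "internet"),
    Element("Web app", "process", "dmz"),
    Element("Database", "store", "internal"),
]
SAMPLE_FLOWS = [
    Flow("HTTP request", "Browser", "Web app"),
    Flow("SQL query", "Web app", "Database"),
]

if __name__ == "__main__":
    found = enumerate_threats(SAMPLE_ELEMENTS, SAMPLE_FLOWS)
    for name, cats in summarize(found).items():
        print(f"{name}: {', '.join(cats)}")
    print("review first (cross a trust boundary):", boundary_crossing_flows(found))
```

The output is a checklist, not a finished threat model: each entry still needs a mitigation, a "not applicable" justification, or a ticket, which is where the design-review step on the same slide comes in.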

13 THANK YOU! Any questions? svavar@security.is http://www.xkcd.com/

