TRANSCRIPT
(ISC)2 SecureLondon 2009, London, United Kingdom
This information is not intended, and should not be
construed, as an offer to sell, or as a solicitation
of an offer to purchase, any securities
Ten Practical Steps to Reducing Software-based Threats
Dr Serdar Cabuk, CISSP
Security Specialist, VISA Europe
Presentation Identifier.2Information Classification as Needed 2 Ten Practical Steps to Reducing Software-based Threats | 28 July 2009
Outline
• Motivation and scope
• Methodology
– Plan (2)
– Do (5)
– Check (2)
– Act (1)
• The way forward
Motivation
• Fact
– You have an SDLC in place
• Reality
– You don’t have a secure SDLC
• Strategic v Tactical
• Drivers
– Budget
– Time to market
– Top down v Bottom up
Scope
• What it isn’t
– Strategic
– Certified / Methodical
– Framework based
– Long term
• What it is
– Tactical
– Customised / Hands on
– Process based
– Short term
Methodology
[Figure: layered methodology diagram with four bands labelled PMM, SALC, SDLC and SDLC+ Threat Assessment. Lifecycle phases shown across the bands: Planning, Requirements Analysis, Design and Development, Initiation, Analysis, Design, Implementation and Testing, Transition, Acceptance and Operation, Closure. Security activities in the SDLC+ band: Threat Modelling, Design Reviews, SCA, Secure Coding, Security Education and Standards.]
PLAN : Preparation
Goal : Ensure readiness and support prior to process improvement
Prerequisites
• Security policy
• Management buy-in
[Figure: Plan-Do-Check-Act process cycle (PLAN, DO, CHECK, ACT around PROCESS), PLAN highlighted.]
PLAN : Preparation
1. Segregate software assurance and development functions
[Figure: the methodology diagram from the previous slide, annotated with two function labels, Assurance and Development. Lifecycle phases shown: Planning, Requirements Analysis, Design and Development, Initiation, Analysis, Design, Implementation and Testing, Transition, Acceptance and Operation, Closure. Security activities shown: Threat Assessment, Threat Modelling, Design Reviews, SCA, Secure Coding, Security Education and Standards.]
PLAN : Preparation
2. Engage with all functions including
• Information security
– Compliance specialists and security architects
• Architecture
– Solutions or technical architects
• Development
– Analysts and lead developers
• Engineering
– Infrastructure and network specialists
• Service owner and key stakeholders
• Project and programme management
DO : Transition
Goal : Improve software development by introducing targeted additions to the lifecycle
Prerequisites
• Buy-in from all teams involved
[Figure: Plan-Do-Check-Act process cycle (PLAN, DO, CHECK, ACT around PROCESS), DO highlighted.]
DO : Transition
3. Perform initial threat assessment to drive the high level design
Input: Requirements
Output: Improved high level design

Tasks and Roles (RASCI: R = Responsible, A = Accountable, S = Supportive, C = Consulted, I = Informed; the same notation is used in the tables that follow)

Task                           | Security | Architect | PM
Information gathering          | R        | C         | A
Security requirements analysis | RA       | C         | I
High level secure design       | S        | RA        | I
Reporting and communication    | R        | I         | A
DO : Transition
4. Perform application threat modelling to identify software-based threats
Input: Requirements and initial design
Output: Application threat model

Tasks and Roles

Task                               | Security | Architect | Developer | PM
Information gathering and planning | R        | C         | C         | A
Application decomposition          | C        | R         | SA        | I
Application threat analysis        | RA       | S         | C         | I
Scoring and countermeasures        | R        | SA        | I         | I
Reporting and communication        | R        | C         | I         | A
DO : Transition
5. Perform secure design reviews to ensure secure software architecture
Input: High level design and application threat model
Output: Application level design

Tasks and Roles

Task                                   | Security | Architect | PM
Information gathering                  | R        | C         | A
Security requirements revisited        | R        | SA        | I
Deployment and infrastructure analysis | R        | SA        | I
Application component analysis         | R        | SA        | I
Reporting and communication            | R        | C         | A
DO : Transition
6. Perform source code analysis (SCA) to identify and address code level vulnerabilities
Input: Application software and SCA tool
Output: Improved application software

Tasks and Roles

Task                        | Security | Developer | PM
Information gathering       | R        | C         | A
Source code analysis        | RA       | C         | I
Review and scoring          | RA       | S         | I
Code improvement            | S        | RA        | I
Reporting and communication | R        | C         | A
DO : Transition
7. Employ secure coding principles to reduce software-based threats and improve code quality
Input: Coding standards
Output: Improved application software

Tasks and Roles

Task                    | Security | Developer
Information gathering   | R        | C
Standards establishment | R        | A
Standards application   | A        | R
CHECK : Embedding
Goal : Ensure process implementation and establish security standard
Prerequisites
• Documented process and templates
[Figure: Plan-Do-Check-Act process cycle (PLAN, DO, CHECK, ACT around PROCESS), CHECK highlighted.]
CHECK : Embedding
8. Ensure process embedding through SDLC workshops and documentation
9. Establish security standards and raise awareness through security events and training
ACT : Alignment
Goal : Continuous capability maturity improvement using an industry standard framework
10. Introduce an industry standard ISMS framework and align it with the secure SDLC
[Figure: Plan-Do-Check-Act process cycle (PLAN, DO, CHECK, ACT around PROCESS), ACT highlighted.]
Summary
1. Segregate software assurance and development functions
2. Engage with all functions including information security, architecture, development, engineering and project management
3. Perform initial threat assessment to drive the high level design
4. Perform application threat modelling to identify software-based threats
5. Perform secure design reviews to ensure secure software architecture
Summary
6. Perform source code analysis (SCA) to identify and address code level vulnerabilities
7. Employ secure coding principles to reduce software-based threats and improve code quality
8. Ensure process embedding through SDLC workshops and documentation
9. Establish security standards and raise awareness through security events and training
10. Introduce an industry standard process framework and align it with the secure SDLC