Posted on 03-Aug-2020
© 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.
Secure Product Lifecycle (SPLC) In Practice
Mohit Kalra | Senior Manager, Secure Software Engineering (Adobe)
Introduction
Senior Manager @ Adobe’s Secure Software Engineering Team (ASSET). I lead the proactive security efforts. @adobesecurity / @mohitkalra
Adobe’s Strategy
- ADVANCING STATE OF THE ART FOR CONTENT
- HARNESSING THE POWER OF DATA
- DRIVING DIGITAL TRANSFORMATION OF INDUSTRIES
ADOBE CLOUD PLATFORM (diagram)
- Adobe Document Cloud | Adobe Creative Cloud | Adobe Marketing Cloud
- ADOBE.IO
- CONTENT | DATA
- CORE TECHNOLOGIES
- PRIVATE, PUBLIC OR HYBRID CLOUD
Secure Product Lifecycle
Credit:
http://www.cisco.com/c/en/us/about/security-center/security-programs/secure-development-lifecycle.html
https://technet.microsoft.com/en-us/security/gg622918.aspx
Does a diagram capture everything?
Secure Product Lifecycle (SPLC) is a set of processes designed to help product teams engineer secure software.
For our team, the approach to security is much more complex
Security is all about making choices
… and balance
Implementing security is about providing high ROI and business alignment
… while trying to fix the weak links
The challenges in this complex world.
A central security team’s challenge #1
Scaling the security work with a small team.
- Hiring skilled security professionals is difficult.
- Team needs to learn continuously.
- Time spent => high premium $$$.
A central security team’s challenge #2
A growing and diverse company product portfolio.
A central security team’s challenge #3
Business-critical products vs. legacy applications.
The challenges for a security team
- Security team’s bandwidth
- Diverse technology
- Varying business criticality
How can a security team overcome these challenges?
The challenges for a security team
- Security team’s bandwidth
- Diverse technology
- Varying business criticality
Security teams @ Adobe (diagram)
- ASSET (Adobe Secure Software Engineering Team): Researchers
- Product Teams: Champions, Engineering & PMs
- Products
Establish the minimum bar
- Create a SPLC standard that the product teams need to follow
- Standardize the tool chain

SPLC Baseline Tasks for every team:
- Training
- Static analysis of code
- Security testing
- 3rd party component tracking
- Code reviews
- Security requirements review
- Threat modelling
- Review of high risk findings and sign-off
Security is a shared responsibility
Split and share responsibilities
Spend premium security skill mindshare where it matters.
SPLC tasks, each assigned to one owner: product team ownership, or central security team driven.
- Training
- Static analysis of code
- Security testing
- 3rd party component tracking
- Code reviews
- Security requirements review
- Threat modelling
- Review of high risk findings and sign-off
Set up product teams for security success with their security practices
Onboarding flow for a product team:
Onboard team -> Review product, gather intel -> Automation onboarding -> Train team -> Routine SPLC tasks
The challenges for a security team
- Security team’s bandwidth
- Diverse technology
- Business criticality
Implementing Security Measures for a wide technology spectrum
A product may be offered on one or many platforms.
Extend the baseline SPLC requirements
- Baseline SPLC
- Services SPLC
- Mobile SPLC
- Desktop SPLC
Extend the baseline SPLC requirements (web)
Extend the baseline SPLC requirements (mobile)
Extend the baseline SPLC requirements (desktop)
The challenges for a security team
- Security team’s bandwidth
- Diverse technology
- Business criticality
Tune for business criticality
Factor in business criticality for a security engagement
Summary
We presented the real-world experience of running a SPLC program at Adobe.
At a minimum, every product should have access to baseline SPLC guidance.
A SPLC program:
- Scales premium security bandwidth through shared responsibility.
- Evolves continuously as the company evolves and innovates.
- Is flexible and adapts to the business needs of the organization.