Application Security Kung-Fu · 2020. 1. 17. · Kung Fu 2: Due Diligence | Information Security...
![Page 1: Application Security Kung-Fu · 2020. 1. 17. · Kung Fu 2: Due Diligence | Information Security Security becoming increasingly relevant in competitive situations Clients want solution](https://reader035.fdocuments.in/reader035/viewer/2022071302/60affa16528a90150c75052e/html5/thumbnails/1.jpg)
| Information Security
Application Security Kung-Fu: Competitive Advantage from Threat Modeling
Akshay Aggarwal, Practice Manager (North America & LATAM)
Akshaya AT Microsoft Dot com, ACE Team
Microsoft Information Security
Agenda
Background
Information Security (InfoSec) challenges
Driving security into development
Threat Modeling
Bringing it all together
Conclusion
Trend of Security Breaches
WHAT ASSETS DOES YOUR ORG CARE ABOUT?
Scenario
Business as Usual
InfoSec Challenges – Where’s the Data
In Transit
In databases
In spreadsheets
On a network share
On my Phone
On my Laptop
Through Web applications
Outsourced 3rd-party data
Process Complexities
Data Classification
Industry Regulation
Shadow Process / Apps
Risk Management
InfoSec Priority
Valuable data must be protected
The business must remain enabled
Global regulations must be followed
IS THERE A PROCESS DRIVING APPLICATION SECURITY?
Driving Security Into Development
Software Development Lifecycle phases: Envision, Design, Develop, Test, Release
Security activities across the lifecycle:
• App Entry / Risk Assessment
• Threat Modeling
• Internal Review
• Pre-Production Assessment
• Post-Production Assessment
Tools: TAM Enterprise, SPIDER, Stingray, CAT.NET
IT Security Development Lifecycle:
• Catalog & Classify
• Identify Controls
• Implement Controls
• Verify Controls
• Monitor Controls
DO YOU ANALYZE YOUR THREATS? HOW?
ACE Security
http://go.microsoft.com/fwlink?linkid=77002
Key Control: Threat Modeling
• The process of proactive identification and enumeration of threats to an application
Primary Actor
• Business Owners
• Security Experts
Key Entry Criteria
• Software Requirements
• Business Requirements
• Non-Functional Security Requirements
Key Exit Criteria
• Threat Model
• Functional Security Requirements
• GAP Analysis Report
Roles
• Business Owners
• System Architects
• Developers
• Security Experts
• Testers
Lifecycle phases: Envision, Design, Develop, Test, Release
Activities and Role Participation
Security Design Requirements
This activity primarily focuses on creating the security architecture of the system.
• System Architects 100%
Threat Modeling
Threat modeling allows system security personnel to communicate the potential damage of security flaws and prioritize remediation efforts.
• Business Owners 10%
• System Architects 30%
• Developers 30%
• Security Experts 20%
• Testers 10%
Security Design Review
A security design review aims to find any gaps in the design of an application from a secure-by-design perspective.
• Security Experts 100%
Kung Fu 1: Proactive Security
Purpose: Proactive approaches save $$ & time
Reason / Advantages of TM:
• Design flaws identified early in lifecycle
• Focus on business rules rather than technical implementation
• Build security into plan rather than being reactive
Example: Evaluating feature set at ISV
Kung Fu 2: Due Diligence
Purpose: Compliance is among top CSO/CIO priorities
Reason / Advantages of TM:
• Corporate security spend maps to compliance concerns
• No one wants to set the precedent for non-compliance
• Most tangibly quantifiable downside
• Documented security plan
• Ahead of the curve
Example: Hospital CISO demonstrated due diligence to board after attack
Kung Fu 3: Competitive Differentiator
Purpose: Security becoming increasingly relevant in competitive situations
Reason / Advantages of TM:
• Clients want solution secure by design
• Reduce risk profile from app portfolio
• Demonstrate sophistication of approach
• Clearly documented roadmap & standards
Example: Utility RFP process re-engineered to evaluate vendor security maturity
Kung Fu 4: Security Process Agility
Purpose: Security comes from incremental changes
Reason / Advantages of TM:
• Most organizations struggle with setting a security mindset
• Culture change is difficult
• Standards and best practices keep changing
• Education is difficult and has lag
• Changes to best practice can percolate down
• Teams have just-in-time info
Example: Microsoft IT Business Units use TM to drive change
ACE Services
http://blogs.msdn.com/ace_team
http://buildsecurityin.uscert.gov/daisy/bsi/resources/published/articles/932.html
Lessons Learned
http://en.wikipedia.org/wiki/Image:The_Thinker_close.jpg
Microsoft Solution Offerings: Consulting offerings
• Application Security
– Security Code Reviews
– Enterprise Threat Modeling
– Security Guidance Development
– Application Security Program development
– Security Training – Threat Modeling/ Secure Application Dev
• Infrastructure Services
– Technical Compliance Management using TCM tool
– PKI, ISA, RMS security architecture/deployments
• Performance Services
– Application Performance Testing
– Building Performance Test Frameworks
– Active Performance Monitoring
Conclusion: What did we talk about?
• Proactive Security
• Due Diligence
• Security Process Agility
• Competitive Differentiator
Contact: How do I find out more?
• Contact info for Microsoft ACE [email protected]
• Talk to your Microsoft Technical Account Manager or Services Executive
• Akshay blogs at: http://blogs.msdn.com/akshay_aggarwal
http://noFUD.org
© 2008 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.