Lean and (Prepared for) Mean: Application Security Program Essentials
Transcript of Lean and (Prepared for) Mean: Application Security Program Essentials
TASSCC 2011 Annual Conference
Lean and (Prepared for) Mean: Application Security Program Essentials
Philip J. Beyer - Texas Education Agency - [email protected]
John B. Dickson - Denim Group - [email protected]
Copyright 2011 by Texas Education Agency. All rights reserved.
Overview
• Background
• Trends
• Essentials
• Roadmap
About
• Phil Beyer
  – Information Security Officer
  – Consulting background
• John Dickson
  – Application security industry leader
• TEA
  – ~700 employees
  – ~1200 school districts
  – ~5 million students
Application Security – What? Why?
• In Brief
  – Web applications can be attacked
  – Attacks are different from network- or OS-level attacks
  – Becoming a significant attack vector
• Impact
  – Attackers bypass traditional infrastructure security controls
  – Users are a target as well as data
Trends
• At TEA
  – Applications are created regularly and retired slowly
  – Ability to outsource remediation decreased due to funding limitations
• In the Industry
  – Attacks are increasingly sophisticated and automated
  – Remediation costs increase in later phases of the development cycle
Essentials: Where Did TEA Start
• Application Security Program established
  – Some policy and procedure
  – Initial training and exposure to concepts
  – Historically siloed approach
• Outsourcing for subject matter expertise
  – Veracode
  – Denim Group
Essentials: The Premise
• Some things you Don't Need
• Some things you Do Need
• Some things you Just Don't Need Yet
Essentials: What You Don't Need
• An Expensive Scanner
  – A Security Process for scanning is more important
  – Simple (free) scanners will get you started
  – Buy the software later
Essentials: What You Don't Need
• A Complicated Scoring/Tracking Tool
  – A Security Process for profiling is more important
  – Risk ranking doesn't have to be hard
  – Keeping track of your applications can be simple
  – Buy the software later
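An added example (not from the slides) of what "simple" can mean for the two preceding points, a scanning process and an application profile: the inventory is a list of plain records, the risk score is additive, the tier follows from the score, and the retest cadence follows from the tier. The weights, the retest intervals and the sample inventory are assumptions chosen for illustration; a real program tunes them to its own business risk profile.

```python
"""Application inventory with a simple risk ranking and scan cadence.

Added example, not TEA's or Denim Group's tooling. Weights, intervals and the
sample inventory are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Illustrative weights: how much each attribute contributes to the score.
EXPOSURE_WEIGHT = {"internet": 3, "partner": 2, "internal": 1}
DATA_WEIGHT = {"pii": 3, "confidential": 2, "public": 0}

# Illustrative cadence: how often an application in each tier is retested.
RETEST_INTERVAL = {
    "high": timedelta(days=90),
    "medium": timedelta(days=180),
    "low": timedelta(days=365),
}


@dataclass
class App:
    name: str
    exposure: str                  # internet | partner | internal
    data: str                      # pii | confidential | public
    users: int                     # approximate user population
    handles_money: bool = False
    last_tested: Optional[date] = None   # None means never tested


def risk_score(app: App) -> int:
    """Additive score from exposure, data classification, user base, money."""
    score = EXPOSURE_WEIGHT[app.exposure] + DATA_WEIGHT[app.data]
    if app.users >= 100_000:
        score += 3
    elif app.users >= 1_000:
        score += 2
    elif app.users > 0:
        score += 1
    if app.handles_money:
        score += 2
    return score


def risk_tier(score: int) -> str:
    """Collapse the score into three tiers the business can reason about."""
    if score >= 8:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def rank_inventory(apps: List[App]) -> List[App]:
    """Highest risk first; ties broken by name so the order is stable."""
    return sorted(apps, key=lambda a: (-risk_score(a), a.name))


def scan_due(app: App, today: date) -> bool:
    """An application is due if never tested or past its tier's interval."""
    if app.last_tested is None:
        return True
    return today - app.last_tested >= RETEST_INTERVAL[risk_tier(risk_score(app))]


def due_for_scan(apps: List[App], today: date) -> List[str]:
    """Names of applications to scan next, in priority order."""
    return [a.name for a in rank_inventory(apps) if scan_due(a, today)]


# Constructed sample inventory (not TEA's real application list).
SAMPLE_INVENTORY = [
    App("Student Records Portal", "internet", "pii", 5_000_000),
    App("Grant Payments", "partner", "confidential", 1_200,
        handles_money=True, last_tested=date(2011, 3, 1)),
    App("Intranet Phone Book", "internal", "public", 700,
        last_tested=date(2011, 1, 15)),
]

if __name__ == "__main__":
    today = date(2011, 8, 1)
    for app in rank_inventory(SAMPLE_INVENTORY):
        s = risk_score(app)
        flag = "DUE" if scan_due(app, today) else "ok"
        print(f"{s:2d} {risk_tier(s):6s} {flag:3s} {app.name}")
```

The point of the design is that every column is something the application owner can answer in a meeting; nothing requires a scanner or a product. Replace the in-memory list with a spreadsheet export once the questions are settled.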
Essentials: What You Don't Need
• A Dedicated Application Security Team
  – A Security Process for testing is more important
  – Leverage your existing QA and Testing team
  – Simple security testing will get you started
  – Build and train your testing capability gradually
Essentials: What You Don't Need
• A Perfect SDLC
  – Get started with what you have now
  – Update your policies and procedures as you go
  – Don't try to drop in "The Secure SDLC" all at once
Essentials: What You Do Need
• A Champion – That's You!
  – Understand the problem
  – Communicate the risk
  – Work with the business
Essentials: What You Do Need
• A Team that Gets It
  – Managers
  – Developers
  – Testers
  – Security
Essentials: What You Do Need
• Good Training
  – Resources exist, some are free
  – The trainer is important
  – Attacks evolve, so should your training
Essentials: What You Do Need
• Expert Help
  – Technical questions will arise
  – Some vendors will dispute vulnerabilities
  – Be sure your team can consult with experts
Essentials: What You Do Need
• A Roadmap to Maturity
  – Use an established maturity model
    • OpenSAMM
    • BSIMM
  – Design a roadmap to get to maturity
  – Don't try to do it all at once
Roadmap: Use a Maturity Model
• OpenSAMM - Software Assurance Maturity Model
  – Four maturity levels, 0 through 3 (the number after each practice below is its target maturity level)
  – Governance
    • Strategy & Metrics (2), Policy & Compliance (3), Education & Guidance (3)
  – Construction
    • Threat Assessment (3), Security Requirements (3), Secure Architecture (3)
  – Verification
    • Design Review (2), Code Review (2), Security Testing (3)
  – Deployment
    • Vulnerability Management (3), Environment Hardening (3), Operational Enablement (3)
Roadmap – Phase 1: Governance
• Estimate overall business risk profile
• Build and maintain an application security program roadmap
• Build and maintain compliance guidelines
• Conduct technical security awareness training
• Build and maintain technical guidelines
Roadmap – Phase 1: Construction
• Derive security requirements based on business functionality
• Evaluate security and compliance guidance for requirements
Roadmap – Phase 1: Verification
• Derive test cases from known security requirements
• Conduct penetration testing on software releases
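An added example, not from the slides, of deriving test cases from written security requirements in a form an existing QA team can run alongside its functional tests (the "leverage your existing QA and Testing team" point under What You Don't Need). The two requirements, the tiny request handler and its session table are assumptions standing in for a real application. The same cases are run against a deliberately weakened handler so that the reader can see the derived test catching a missing control rather than merely passing.

```python
"""Security test cases derived from two written requirements.

Added example, not TEA's or Denim Group's code. Assumed requirements:
  R1: Administrative functions require an authenticated administrator.
  R2: User-supplied input is HTML-encoded before it is written to a page.
The handler and session table below are stand-ins for a real application.
"""
import html
from typing import Callable, Dict, Tuple

Response = Tuple[int, str]
Handler = Callable[[str, Dict[str, str], Dict[str, str]], Response]

# Constructed session store: session token -> role.
SESSIONS = {"tok-admin": "admin", "tok-user": "user"}


def make_handler(encode_output: bool = True) -> Handler:
    """Build a minimal handler; encode_output=False simulates a missing control."""

    def handle(path: str, params: Dict[str, str], cookies: Dict[str, str]) -> Response:
        role = SESSIONS.get(cookies.get("session", ""))
        if path == "/admin/users":
            if role is None:                 # R1: not logged in at all
                return 401, "login required"
            if role != "admin":              # R1: logged in, wrong role
                return 403, "forbidden"
            return 200, "<h1>User administration</h1>"
        if path == "/search":
            q = params.get("q", "")
            shown = html.escape(q) if encode_output else q   # R2 control
            return 200, f"<p>Results for: {shown}</p>"
        return 404, "not found"

    return handle


# Each case names the requirement it was derived from and returns pass/fail.
def case_r1_anonymous_denied(h: Handler) -> bool:
    return h("/admin/users", {}, {})[0] == 401


def case_r1_forged_session_denied(h: Handler) -> bool:
    # A token the server never issued must be treated as no session.
    return h("/admin/users", {}, {"session": "tok-forged"})[0] == 401


def case_r1_non_admin_denied(h: Handler) -> bool:
    return h("/admin/users", {}, {"session": "tok-user"})[0] == 403


def case_r1_admin_allowed(h: Handler) -> bool:
    return h("/admin/users", {}, {"session": "tok-admin"})[0] == 200


def case_r2_search_encodes_input(h: Handler) -> bool:
    payload = "<script>alert(1)</script>"
    status, body = h("/search", {"q": payload}, {})
    # Pass only if the raw markup is absent and its encoded form is present.
    return status == 200 and payload not in body and "&lt;script&gt;" in body


CASES = {
    "R1 anonymous denied": case_r1_anonymous_denied,
    "R1 forged session denied": case_r1_forged_session_denied,
    "R1 non-admin denied": case_r1_non_admin_denied,
    "R1 admin allowed": case_r1_admin_allowed,
    "R2 search encodes input": case_r2_search_encodes_input,
}


def run_cases(h: Handler) -> Dict[str, bool]:
    """Run every derived case against a handler; name -> passed."""
    return {name: fn(h) for name, fn in CASES.items()}


if __name__ == "__main__":
    for label, handler in (("secure", make_handler()),
                           ("weak", make_handler(encode_output=False))):
        for name, ok in run_cases(handler).items():
            print(f"{label:6s} {'PASS' if ok else 'FAIL'}  {name}")
```

Two details matter more than the framework: each case carries the requirement identifier in its name, so a failure points back to the requirement and not just to a line of code, and the negative cases (anonymous, forged token, wrong role) outnumber the positive one, because requirements of the form "X requires Y" are mostly violated by the paths that skip Y.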
Roadmap – Phase 1: Deployment
• Identify point of contact for security issues
• Create informal security response team(s)
Resources
• OWASP – Open Web Application Security Project
  – http://www.owasp.org/
• OpenSAMM - Software Assurance Maturity Model
  – http://www.opensamm.org/
• Denim Group – Remediation Resource Center
  – http://www.denimgroup.com/remediation/
Questions?