OpenSAMM in the Real World: Pitfalls Discovered and Treasure Collected Along the Way
Philip J. Beyer - Texas Education Agency
philip.beyer@tea.state.tx.us   @pjbeyer
Scott Stevens - Denim Group
sstevens@denimgroup.com

Copyright 2011 by Texas Education Agency. All rights reserved.   LASCON 2011   http://lanyrd.com/shgmf   1
Overview
• Background
• The Manual
• The Premise
• Treasures and Pitfalls
• Game Over




About
• Phil Beyer
  – Information Security Officer
  – Consulting background
• Scott Stevens
  – Project Manager
  – Application development background
• TEA
  – ~700 employees
  – ~1200 school districts
  – ~5 million students

Where Did TEA Start?
• Application Security Program already established
  – Some policies & procedures
  – Initial training & exposure to concepts
  – Historically siloed approach
• Outsourcing for subject matter expertise



Where Do You Start?
• Establish your Application Security Program
• Be the Champion (or find one)
• Make sure your Team Gets It
• Have a Roadmap to Maturity




The Manual
Business Functions




The Manual
Security Practices




The Manual
Phases
1. The Early Levels
2. Racking Up Some Points
3. Hitting Your Stride
4. Bigger Treasures, Deeper Pits
The End Game

The Premise
• It has already started
• Shortcuts don’t exist
  – No cheat codes
  – No invincibility
  – No God mode
• There are Pitfalls
• There are Treasures

The Early Levels (Phase 1)
Treasures
• A Map
  – Not necessarily THE Map, but something to get started
  – An organizational roadmap is a powerful thing
• Some Running Room
  – Awareness in the organization is increasing


The Early Levels (Phase 1)
Pitfalls
• The Log
  – You can’t stand still
  – Move through Phase 1 so you don’t get rolled over
• Inertia
  – Getting started is just plain hard
  – Determining who should play is also hard

Racking Up Some Points (Phase 2)
Treasures
• Silver Bars
  – Development teams begin to appreciate the security problem
• The Ladder
  – More of the team is involved in practicing security
  – You’ve found a new way around the alligator-infested pond
Racking Up Some Points (Phase 2)
Pitfalls
• The Alligator
  – There’s a dangerous thing there on the screen
  – Threats are real, and now they see some of them too
• More Players
  – Other people are going to play your game
  – They may not play as { nice | carefully | safely } as you
Hitting Your Stride (Phase 3)
Treasures
• Gold Bars
  – Better visibility instills confidence in Management
• The Compass
  – The Program has direction
  – From requirements to maintenance, a formal process starts to emerge


Hitting Your Stride (Phase 3)
Pitfalls
• The Scorpion
  – Better informed Management may sting
• The Wall
  – A different kind of obstacle will block your path
  – Developers and Operators may not enjoy working together more closely
Bigger Treasures, Deeper Pits (Phase 4)
Treasures
• The Bridge
  – Get rid of that Rope and jeer at the Alligators as you walk across
  – The whole Program is working together to build securely and verify aggressively




Bigger Treasures, Deeper Pits (Phase 4)
Pitfalls
• The Hole
  – Compliance is not Security
  – Don’t let Management fall into the trap at this stage of the game… It can be a pretty deep pit




The End Game (Phases 5 & 6)
Treasures
• Shangri-La
  – You’ve reached the mystical, harmonious valley; a permanently happy land isolated from the outside world
  – I’d tell you how it feels, but we haven’t gotten there yet



It’s Time to Play
• Build a Mature Software Assurance Program
• Measure and Report Your Progress
• Have Fun!




Resources
• OWASP – Open Web Application Security Project
  – http://www.owasp.org/
• OpenSAMM – Software Assurance Maturity Model
  – http://www.opensamm.org/

• Attribution
  – All OpenSAMM images are licensed under the Creative Commons Attribution-Share Alike 3.0 License.


