Best Practices for a Mature Application Security Program
About the Presenter
Ed Adams, CEO of Security Innovation
• Ponemon Institute Distinguished Research Fellow
• Privacy by Design Ambassador
• CEO by trade; engineer by heart
• In younger days, built non-lethal weapons systems for the Federal Government
About Security Innovation
Specialization
• 15 years research on software vulnerabilities
• Security testing methodology adopted by SAP, Symantec, Microsoft, and McAfee
• Authors of 19 books; 10 co-authored with Microsoft
Products & Services
• STANDARDS: best practices adoption
• TRAINING: eLearning & instructor-led
• ASSESSMENT: software and SDLC
Reducing Application Security Risk
• Uncover critical vulnerabilities
• Roll out a secure, repeatable SDLC
• Build internal competency
Agenda
• Industry Research & Insight: Where do Companies Struggle?
• Understanding Threats and Attacks to Software Applications as well as Various Platforms and Languages
• Optimizing your Software Development Lifecycle (SDLC)
Understanding Root Cause of Vulnerabilities
• Failure to set requirements and standards
• Not enough training and education
• Lack of process
• Vulnerabilities are unintended functionality
Disconnect Between Security and Software Teams
Ponemon Application Security Research Study (chart: percentage of Developer vs. Security respondents agreeing with each statement, 0% to 70% scale; the values shown range from 31% to 58%):
o There are ample resources to ensure all IT security requirements are accomplished
o IT security can hire and retain knowledgeable and experienced security practitioners
o The IT security leader is a member of the executive team
o IT security responds quickly to new challenges and issues
o The IT security function is able to prevent serious cyber attacks such as advanced persistent threats
o Appropriate steps are taken to comply with the leading IT security standards
o IT security strategy is fully aligned with the business strategy
o Security & data protection policies are well-defined and fully understood by employees
o Security technologies are adequate in protecting our information assets and IT infrastructure
o Application security is a top priority in my organization
Cisco report indicates that Applications (32.6%) and Infrastructure (41.9%) were the top categories exploited.*
*Cisco 2015 Annual Security Report
The Organizational Disconnect
IT/GRC/InfoSec historically focused on network/endpoint security
• Developers and SDLC are now “in scope”
Tools are a typical first step
• Both have different perspective on what policies and procedures are in place
How did we handle performance, reliability?
• Security needs to be a standard part of the process
Implications: Aligning Management & Staff
Developers don’t always understand policies
o “Ensure applications are coded so as not to be susceptible to OWASP Top 10”: what does this mean to an Objective-C iOS developer?
Lack of policy enforcement renders mandate invisible
Management, security and engineers all speak different languages
o “Confidential data must be protected”
  o Protected from what?
  o How do I protect it?
    • Architecture guidance?
    • Coding standards?
    • Remediation specifics once vulnerabilities are found?
    • e.g., user input sanitization… how do I do that in ASP.NET 3.5?
Organizations Don’t Have a Defined SDLC
SDLC Still Lacking
o Tools aren’t integrated into the SDLC
o Security automation often used after deployment (too late?)
o Policies and standards are still rare
Forrester
“Organizations implementing an SDLC showed better ROI than the overall population”
Aberdeen
Adopting a formal SDLC process increases security and reduces the severity and cost of vulnerability incidents, while generating a 4x ROI compared with other application security approaches
There are well-known and widely adopted secure SDLC practices – it’s a matter of pulling it all together
Building Security In
Department of Homeland Security
“Regardless of which statistic is used, there is a substantial cost savings for fixing security flaws during requirements gathering than deployment*”
Gartner
“Finding bugs at operations time costs you up to 100 percent effort”
Source: National Institute of Standards & Technology (NIST)
*DHS: Estimating Benefits from Investing in Secure Development
Relative cost of fixing security flaws during the different development phases (chart: cost vs. time, Design phase = 1):
o Design: 1
o Implementation: 6.5
o Testing: 15
o Post Release: 60
Comprehensive & Specialized Skills
Mature organizations have application security training programs in place for their developers to focus on:
o Specific role-based responsibilities
o Offensive and defensive tactics
o Applications security policies
o Areas of vulnerability
o Best practices for standards to be followed
o Various platforms and languages
“19% of developers believe their organization’s training program is up-to-date” - Ponemon Institute
“An effective training program can reduce vulnerabilities by 25%” - Forrester
Does Application Security Pay?
Companies reported substantial efficiency gains and risk reduction even BEFORE implementing a formal SDLC program:
o Cut vulnerability fix times from 1 to 2 weeks to about 1 to 2 days
o Observed that repeat vulnerabilities dropped from 80% to 0%
o Operational improvements led to expense benefits valued at more than $2 million per team over the course of 2 years
Source: Mainstay Partners/HP – Does Application Security Pay?
Agenda
• Industry Research & Insight: Where do Companies Struggle?
• Understanding Threats and Attacks to Software Applications as well as Various Platforms and Languages
• Optimizing your Software Development Lifecycle (SDLC)
The Connected World
Connected homes, medical equipment, transportation are ALL vulnerable to software attacks
Language, Platform & Framework Nuances
Each language has unique idiosyncrasies and syntax issues
• C++ developers need to worry about memory-usage vulnerabilities
• Java and .NET have different security architectures and libraries
• Scripting languages such as Python can be difficult to secure
Each platform is unique
• Mobile – rogue client/server issues; data caching on device
• Cloud/Web – Authorization issues; web services particularly vulnerable
• Embedded – breach hardware root of trust and game over
Security policies are not enough
• Follow through with architecture and development standards
• Must explain “how” and “why,” not just “what”
• Must tie to specific roles and technologies
All software-born exploits
Network boundary plays key role in “defense-in-depth”, but….
o Misses the majority of security vulnerabilities
o Ineffective when applications are internet facing
o Attackers can/will break through
With Internet, applications become the perimeter
We still invest exponentially more in network defenses
Security is Ultimately a Software Problem
70-92% of vulnerabilities exist in the application, not the network layer*
* source: Gartner and NIST
…. and a Human Problem
Vulnerabilities are frequently the result of a failure in the engineering process
Developers have an implicit trust in the user
o Often think of functionality rather than security
o Not common to consider abuse cases
Education tailored to each environment is required
o Particularly in requirements and design phase where few tools available
o Wide range of technologies and platforms is overwhelming
Agenda
• Industry Research & Insight: Where do Companies Struggle?
• Understanding Threats and Attacks to Software Applications as well as Various Platforms and Languages
• Optimizing your Software Development Lifecycle (SDLC)
Typical Maturity Progression
Tools are an important part of an AppSec program
Tools SUPPORT a solid FOUNDATION of people and process
Investment in people and process yields the most leverage
The Pitfalls of Automation
First instinct is “what tool can we buy”?
Tools can do a lot of heavy lifting faster than humans, but they:
o Only find KNOWN vulnerabilities/patterns and can miss important issues
o Don't teach you how to fix vulnerabilities or prevent them in the future
o Useful as part of an assessment program, but shouldn’t be your sole solution
Analyzing results is time consuming and requires skill
Results:
o Tools often become shelf-ware
o Dev team pushes back against vulnerability management in the SDLC
Secure at the Source (Skills Development)
  o InfoSec Standards
  o Secure Coding Standards
  o Key activities
  o Know-how
Find & Fix (Skills and Tools)
  o Vulnerability Scanning
  o Penetration Testing
  o Manual or Automated
  o Code or in Production
Protect in Play (Tools for Defense in Depth)
  o Web Application Firewalls
  o Application Whitelisting
  o RASP
  o DLP
Securing at the Source Cannot be Driven by Technology
Reducing Application Security Risk at the Source
Standards & Policies: set goals and be explicit
o Create security requirements for your teams (insource or outsource)
o Align development activities with policies, compliance mandates, and requirements
Education: equip teams to make good decisions
o Technical and awareness training
o By roles, technology, and platform
o Training drives effective assessments and helps meet standards
Assessment: understand the gaps
o Audit your team against standards and policies
o Results drive policy, standards, education and tools usage improvements
Rolling Out a Secure SDLC
A mature SDLC has formal requirements, designs, implementations and testing procedures in place
View security as yet another aspect of software quality
You Don’t Have to Change Your Process
Simply augment it with a set of high-impact security activities and the knowledge to execute
Activities Work Together
Design review
Sets the team up for success and finds problems before they propagate into difficult and expensive problems
Threat Modeling
Ensures key threats are considered during design, coding and testing
Code Review
One of the highest impact activities, but doesn’t consider as-deployed state
Manual penetration testing
Requires deep knowledge of application and technologies in the environment
Scanning tools
Provides broad coverage quickly to augment these activities
Secure, Repeatable Development Works
Major Challenges
• Needed to roll out the Microsoft Security Development Lifecycle (SDL) to hundreds of dev teams
• Internal instructor-led training was effective, but not scalable and couldn’t be repurposed for new employees
• Needed a way to train vendors to ensure software was built with security in mind
Security Innovation Solution
• Customized 14 eLearning courses specific to the Microsoft SDL
Within 2 years, Microsoft was able to go from having 30% of its product teams trained on the SDL to 70% (over 3,000 users)
Investing in Your SDLC Works!
Consistent application of sound security practices during all phases of development will facilitate compliance and result in fewer vulnerabilities
Secure Software Development Principles
Executives & Managers
• The importance of building secure applications from the start
• Equip dev teams with the necessary tools, training and resources
Architects
• Threat modeling, architecture risk analysis and attack surface reduction
Developers
• How to code securely, avoid vulnerabilities and find and fix security defects in code
Testers
• Vulnerability classes, attack techniques and secure coding principles
In Summary
Application security know-how is the foundation of a mature AppSec program
o You can’t operate tools or conduct key activities effectively otherwise
Vulnerabilities are a human created problem
o Fill the skills gap and you fill the vulnerabilities gap
Remember the 3 Pillars of Success for secure development
o Standards & Process
o Education
o Assessments
Let tools, technology & humans do what they do best
Questions?
Thank You!
Ed Adams, eadams@securityinnovation.com
Additional educational webinars:
https://www.securityinnovation.com/knowledge-center/webinars
Free reports and guides:
https://www.securityinnovation.com/knowledge-center/reports-guides

CSE June 2016: Best Practices for a Mature Appsec Program

  • 1. Best Practices for a Mature Application Security Program
  • 2. About the Presenter Ed Adams, CEO of Security Innovation • Ponemon Institute Distinguished Research Fellow • Privacy by Design Ambassador • CEO by trade; engineer by heart • In younger days, built non-lethal weapons systems for Federal Government
  • 3. About Security Innovation Specialization • 15 years research on software vulnerabilities • Security testing methodology adopted by SAP, Symantec, Microsoft, and McAfee • Authors of 19 books; 10 co-authored with Microsoft Products & Services • STANDARDS: best practices adoption • TRAINING: eLearning & instructor-led • ASSESSMENT: software and SDLC Reducing Application Security Risk • Uncover critical vulnerabilities • Roll out a secure, repeatable SDLC • Build internal competency
  • 4. Agenda • Industry Research & Insight: Where do Companies Struggle? • Understanding Threats and Attacks to Software Applications as well as Various Platforms and Languages • Optimizing your Software Development Lifecycle (SDLC)
  • 5. Understanding Root Cause of Vulnerabilities
      • Failure to set requirements and standards
      • Not enough training and education
      • Lack of process
      • Vulnerabilities are unintended functionality
  • 6. Disconnect Between Security and Software Teams
    Ponemon Application Security Research Study: bar chart comparing the percentage of developer respondents and of security respondents who agree with each of the following statements (two series, labelled "Developers" and "Security"; axis 0% to 70%):
      • There are ample resources to ensure all IT security requirements are accomplished
      • IT security can hire and retain knowledgeable and experienced security practitioners
      • The IT security leader is a member of the executive team
      • IT security responds quickly to new challenges and issues
      • The IT security function is able to prevent serious cyber attacks such as advanced persistent threats
      • Appropriate steps are taken to comply with the leading IT security standards
      • IT security strategy is fully aligned with the business strategy
      • Security & data protection policies are well-defined and fully understood by employees
      • Security technologies are adequate in protecting our information assets and IT infrastructure
      • Application security is a top priority in my organization
    The two series' values, in chart order: 36%, 40%, 41%, 42%, 46%, 48%, 50%, 53%, 54%, 58% and 34%, 35%, 35%, 31%, 33%, 41%, 39%, 37%, 44%, 38%.
    Cisco report indicates that Applications (32.6%) and Infrastructure (41.9%) were the top categories exploited.*
    *Cisco 2015 Annual Security Report
  • 7. The Organizational Disconnect
    IT/GRC/InfoSec historically focused on network/endpoint security
      • Developers and SDLC are now “in scope”
    Tools are a typical first step
      • Both have different perspectives on what policies and procedures are in place
    How did we handle performance, reliability?
      • Security needs to be a standard part of the process
  • 8. Implications: Aligning Management & Staff
    Developers don’t always understand policies
      o “Ensure applications are coded so as not to be susceptible to OWASP Top 10”: what does this mean to an Objective-C iOS developer?
    Lack of policy enforcement renders the mandate invisible
    Management, security and engineers all speak different languages
      o “Confidential data must be protected”
          Protected from what?
          How do I protect it?
            • Architecture guidance?
            • Coding standards?
            • Remediation specifics once vulnerabilities are found?
            • e.g., user input sanitization… how do I do that in ASP.NET 3.5?
  • 9. Organizations Don’t Have a Defined SDLC
    SDLC Still Lacking
      o Tools aren’t integrated into the SDLC
      o Security automation often used after deployment (too late?)
      o Policies and standards are still rare
    Forrester: “Organizations implementing an SDLC showed better ROI than the overall population”
    Aberdeen: Adopting a formal SDLC process increases security and reduces the severity and cost of vulnerability incidents while generating 4x the ROI of other application security approaches
    There are well-known and widely adopted secure SDLC practices; it’s a matter of pulling it all together
  • 10. Building Security In
    Department of Homeland Security: “Regardless of which statistic is used, there is a substantial cost savings for fixing security flaws during requirements gathering than deployment*”
    Gartner: “Finding bugs at operations time costs you up to 100 percent effort”
    Relative cost of fixing security flaws during the different development phases (bar chart, x-axis Time, y-axis Cost; source: National Institute of Standards & Technology (NIST)):
      Design: 1
      Implementation: 6.5
      Testing: 15
      Post Release: 60
    *DHS: Estimating Benefits from Investing in Secure Development
  • 11. Comprehensive & Specialized Skills
    Mature organizations have application security training programs in place for their developers to focus on:
      o Specific role-based responsibilities
      o Offensive and defensive tactics
      o Application security policies
      o Areas of vulnerability
      o Best practices for standards to be followed
      o Various platforms and languages
    19% of developers believe their organization’s training program is up-to-date - Ponemon Institute
    An effective training program can reduce vulnerabilities by 25% - Forrester
  • 12. Does Application Security Pay?
    Companies reported substantial efficiency gains and risk reduction even BEFORE implementing a formal SDLC program:
      o Cut vulnerability fix times from 1 to 2 weeks to about 1 to 2 days
      o Observed that repeat vulnerabilities dropped from 80% to 0%
      o Operational improvements led to expense benefits valued at more than $2 million per team over the course of 2 years
    Source: Mainstay Partners/HP – Does Application Security Pay?
  • 13. Agenda
      • Industry Research & Insight: Where do Companies Struggle?
      • Understanding Threats and Attacks to Software Applications as well as Various Platforms and Languages
      • Optimizing your Software Development Lifecycle (SDLC)
  • 14. The Connected World
    Connected homes, medical equipment, transportation are ALL vulnerable to software attacks
  • 15. Language, Platform & Framework Nuances
    Each language has unique idiosyncrasies and syntax issues
      • C++ developers need to worry about memory-usage vulnerabilities
      • Java and .NET have different security architectures and libraries
      • Scripting languages such as Python can be difficult to secure
    Each platform is unique
      • Mobile – rogue client/server issues; data caching on device
      • Cloud/Web – authorization issues; web services particularly vulnerable
      • Embedded – breach hardware root of trust and game over
    Security policies are not enough
      • Follow through with architecture and development standards
      • Must explain “how” and “why,” not just “what”
      • Must tie to specific roles and technologies
    All software-borne exploits
  • 16. Security is Ultimately a Software Problem
    Network boundary plays a key role in “defense-in-depth”, but…
      o Misses the majority of security vulnerabilities
      o Ineffective when applications are internet facing
      o Attackers can/will break through
    With the Internet, applications become the perimeter
    We still invest exponentially more in network defenses
    70-92% of vulnerabilities exist in the application, not the network layer*
    * source: Gartner and NIST
  • 17. … and a Human Problem
    Vulnerabilities are frequently the result of a failure in the engineering process
    Developers have an implicit trust in the user
      o Often think of functionality rather than security
      o Not common to consider abuse cases
    Education tailored to each environment is required
      o Particularly in the requirements and design phases, where few tools are available
      o Wide range of technologies and platforms is overwhelming
  • 18. Agenda
      • Industry Research & Insight: Where do Companies Struggle?
      • Understanding Threats and Attacks to Software Applications as well as Various Platforms and Languages
      • Optimizing your Software Development Lifecycle (SDLC)
  • 19. Typical Maturity Progression
    Tools are an important part of an AppSec program
    Tools SUPPORT a solid FOUNDATION of people and process
    Investment in people and process yields the most leverage
  • 20. The Pitfalls of Automation
    First instinct is “what tool can we buy”?
    Tools can do a lot of heavy lifting faster than humans, but they…
      o Only find KNOWN vulnerabilities/patterns and can miss important issues
      o Don't teach you how to fix vulnerabilities or prevent them in the future
      o Useful as part of an assessment program, but shouldn’t be your sole solution
    Analyzing results is time consuming and requires skill
    Results:
      o Tools often become shelf-ware
      o Dev team pushes back against vulnerability management in the SDLC
  • 21. Securing at the Source Cannot be Driven by Technology
    Secure at the Source (Skills Development)
      • InfoSec Standards
      • Secure Coding Standards
      • Key activities
      • Know-how
    Find & Fix (Skills and Tools)
      • Vulnerability Scanning
      • Penetration Testing
      • Manual or Automated
      • Code or in Production
    Protect in Play (Tools for Defense in Depth)
      • Web Application Firewalls
      • Application Whitelisting
      • RASP
      • DLP
  • 22. Reducing Application Security Risk at the Source
    Standards & Policies: set goals and be explicit
      o Create security requirements for your teams (insource or outsource)
      o Align development activities with policies, compliance mandates, and requirements
    Education: equip teams to make good decisions
      o Technical and awareness training
      o By roles, technology, and platform
      o Training drives effective assessments and helps meet standards
    Assessment: understand the gaps
      o Audit your team against standards and policies
      o Results drive policy, standards, education and tools usage improvements
  • 23. Rolling Out a Secure SDLC
    A mature SDLC has formal requirements, designs, implementations and testing procedures in place
    View security as yet another aspect of software quality
  • 24. You Don’t Have to Change Your Process
    Simply augment it with a set of high-impact security activities and the knowledge to execute
  • 25. Activities Work Together
    Design review: sets the team up for success and finds problems before they propagate into difficult and expensive problems
    Threat Modeling: ensures key threats are considered during design, coding and testing
    Code Review: one of the highest impact activities, but doesn’t consider the as-deployed state
    Manual penetration testing: requires deep knowledge of the application and technologies in the environment
    Scanning tools: provide broad coverage quickly to augment these activities
  • 26. Secure, Repeatable Development Works
    Major Challenges
      • Needed to roll out the Microsoft Security Development Lifecycle (SDL) to hundreds of dev teams
      • Internal instructor-led training was effective, but not scalable and couldn’t be repurposed for new employees
      • Needed a way to train vendors to ensure software was built with security in mind
    Security Innovation Solution
      • Customized 14 eLearning courses specific to the Microsoft SDL
    Within 2 years, Microsoft was able to go from having 30% of its product teams trained on the SDL to 70% (over 3,000 users)
  • 27. Investing in Your SDLC Works!
    Consistent application of sound security practices during all phases of development will facilitate compliance and result in fewer vulnerabilities
  • 28. Secure Software Development Principles
    Executives & Managers
      • The importance of building secure applications from the start
      • Equip dev teams with the necessary tools, training and resources
    Architects
      • Threat modeling, architecture risk analysis and attack surface reduction
    Developers
      • How to code securely, avoid vulnerabilities and find and fix security defects in code
    Testers
      • Vulnerability classes, attack techniques and secure coding principles
  • 29. In Summary
    Application security know-how is the foundation of a mature AppSec program
      o You can’t operate tools or conduct key activities effectively otherwise
    Vulnerabilities are a human-created problem
      o Fill the skills gap and you fill the vulnerabilities gap
    Remember the 3 Pillars of Success for secure development
      o Standards & Process
      o Education
      o Assessments
    Let tools, technology & humans do what they do best
  • 31. Thank You!
    Ed Adams, eadams@securityinnovation.com
    Additional educational webinars: https://www.securityinnovation.com/knowledge-center/webinars
    Free reports and guides: https://www.securityinnovation.com/knowledge-center/reports-guides

Editor's Notes

  1. Failure to set requirements and standards
       How can you be secure if you don't know what you're aiming for?
     Not enough training and education
       Without security knowledge developers will continue to make coding errors that result in vulnerabilities
       Understanding tool output is difficult
       Fixing found vulnerabilities is risky and hard to get right
     Lack of process
       Most organizations do not adopt SDLC “best practices” to reduce risk
       Majority of attacks exploit known vulnerabilities or un-patched software: avoidable issues
       Lack of assessment means you don't know what risk you are living with
     Vulnerabilities are unintended functionality
       How do you look for and prevent something that you don’t know exists?
  2. IT/GRC/InfoSec historically focused on network/endpoint security
       Developers and SDLC are now “in scope”
     Tools are a typical first step
       Security teams conduct scanning; send problems to developers to fix
       Security teams don’t typically have a development background
       Developers often don’t know how to properly address problems
       Both have different perspectives on what policies and procedures are in place
     How did we handle performance, reliability?
       Dedicated champion/group, but within the development team
       Over time, activities got absorbed by the rest of the development team
       Security needs to be a standard part of the process
  3. Developers don’t always understand InfoSec and security policies
       “Ensure applications are coded so as not to be susceptible to OWASP Top 10”: what does this mean to an Objective-C iOS developer?
       Policy may be “in place”, but lack of enforcement renders the mandate invisible
     Management, security, engineers speak different languages
       “Confidential data must be protected”: protected from what? How do I protect it?
         Architecture guidance?
         Coding standards?
         Remediation specifics once vulnerabilities are found? e.g., user input sanitization… how do I do that in ASP.NET 3.5?
  4. Ponemon research: 19% of developers believe their organizations keep training programs up to date for development teams
     Mature organizations have application security training programs in place for their developers that focus on:
       Specific role-based responsibilities
       Offensive and defensive tactics
       Application security policies
       Areas of vulnerability
       Best practices and standards to be followed
       Various platforms and languages they are developing in/on
     Forrester: “Effective developer education program can reduce vulnerabilities by ~25%”
  5. Even before companies adopted a formal SDLC program, and had only rolled out a few key activities, they witnessed a reduction in vulnerability remediation time from 1 to 2 weeks to 1 to 2 days. After companies rolled out a more formal program, they saw a reduction in average remediation time from 1 to 2 weeks to 1 to 2 hours.
  6. Each language has unique idiosyncrasies and syntax issues:
       C++ developers need to worry about memory-usage vulnerabilities
       Java and .NET have different security architectures and libraries
       Scripting languages such as Python can be difficult to secure
     Each platform is unique:
       Mobile – rogue client/server issues; data caching on device
       Cloud & Web – authorization issues; web services particularly vulnerable
       Embedded – breach hardware root of trust and game over
     Security policies are not enough:
       Follow through with architecture and development standards
       Must explain “how” and “why,” not just “what”
       Must tie to specific roles and technologies
  7. Network boundary plays a key role in “defense-in-depth”, but…
       Misses the majority of security vulnerabilities
       Ineffective when applications are internet facing
       Attackers can/will break through
     With the Internet, applications become the perimeter
       70-92% of vulnerabilities exist in the application, not the network layer*
       Attackers target applications because they are easy pickings
       Network insecurities usually result from flaws in applications running on the system or poor configurations
     We still invest exponentially more in network defenses
       “Easier” to automate or roll out a technology; less expertise required
  8. Vulnerabilities are frequently the result of a failure in the engineering process
       While usually not intentional, vulnerabilities are often people or process flaws
     Developers have an implicit trust in the user
       Often think of functionality (practical) rather than security
       Not common to consider abuse cases
     Education that is tailored to each environment is required
       Particularly in the requirements and design phases, where few tools are available
       Wide range of technologies and platforms is overwhelming
  9. First instinct is “what tool can we buy”?
       Often bought prior to asking “do we know how to use it properly?”
       Typically operated by the security team, and not integrated into the SDLC
     Tools can do a lot of heavy lifting faster than humans, but they…
       Only find KNOWN vulnerabilities/patterns and can miss important issues
       Don't teach you how to fix vulnerabilities or prevent them in the future
       Useful as part of an assessment program, but shouldn’t be your sole solution
     Analyzing results is time consuming and requires skill
       Team still needs knowledge to determine if it’s an actual vulnerability and remediate
     Result
       Tools often become shelf-ware
       Dev team pushes back against vulnerability management in the SDLC
  10. We’ve seen three major approaches to application security:
      At one end of the continuum you have “Find and Fix.” This is where a lot of organizations are. Here it’s all about scanning, identifying security holes in the application, and fixing them. This doesn’t help you get any better or improve your maturity. It’s more like “Whack-A-Mole.” You run a scan (often done by a central security team that isn’t part of software development), throw the results back to the developers, and hope they fix the problems (and don’t introduce new ones) by the time you get the app back and run the next scan.
      In the middle, you have “Protect in Play (Production).” This is where you have a vulnerable app and you’re trying to put _some_ kind of defense in place while you work to fix the root cause problems, i.e., re-write the code so it’s secure. This is often a band-aid and doesn’t address the core issues.
      At the other end of the continuum we have “Secure at the Source.” This is where you’re actually trying to fix the core issue of insecure code. This is the most challenging to get right and it requires all three pillars of a successful program, including standards, education/training and assessments, to make progress.
      ---
      SECURE AT THE SOURCE
      - the integration of secure application development tools and practices into the software development lifecycle
      - increases the elimination of security vulnerabilities before applications are deployed
      - focuses on fixing process and vulnerabilities (different than FIND & FIX)
      - absorbs FIND & FIX into the SDLC
      - the only technique that can PREVENT vulnerabilities
      PROTECT IN PLAY
      - enhancing the security of applications currently in production through the use of web application firewalls, application whitelisting or application-level proxies
      - reduces or defers the need for security vulnerabilities to be addressed by the developers
      - can be used as a compensating control for security vulnerabilities and anti-virus
      FIND & FIX
      - the use of application vulnerability scanning and penetration testing solutions to identify the security vulnerabilities in the applications currently in production, to be addressed subsequently by the application developers
      - most common technique… easy to adopt as tools and techniques are readily available
      - focusing on fixing vulnerabilities
  11. Standards & Policies: show me the gaps
        Create security requirements for your team (insource or outsource)
        Align development activities with policies, compliance mandates, requirements
      Education: enable me to make the right decisions
        Technical and awareness training for your various roles, technologies and platforms
        Skills help drive effective assessments and meet standards
        The more skilled your team is, the less explicit you need to be with policies
      Assessment: set goals and make it easy
        Audit your team against standards and policies
        Results drive policy, standards, education and tools usage improvements
  12. A mature SDLC has formal requirements, designs, implementation and testing procedures in place
        Mature organizations also have security procedures defined at each phase
        Organizations are not adequately emphasizing process, let alone security, during development
      View security as yet another aspect of software quality
        Treat vulnerabilities as bugs… just a different kind
        Integrate security bugs with your defect triage and management process
        This also helps align the nomenclature between Security and Development teams, e.g., vulns = bugs
  13. Security Engineering Doesn’t Require Changing Your Process This diagram does a good job of showing how the security engineering activities can be layered into a normal software development process. Whether you use waterfall or agile, you probably already perform many of the core activities shown in this diagram. To add security engineering you simply add security activities at the appropriate times. For instance when you would normally determine your functional requirements you would also determine your security objectives. When you would normally apply design best practices you now apply security design best practices as well. Security engineering does not require that you change your existing process, just augment it with a set of high-impact security activities.
  14. When your application is ready for a penetration test, be sure to use your Threat Model to improve your test planning. One of the goals of the threat model is to enumerate and classify risks to your application – this is a perfect starting place for a penetration test. You can use the threat model to determine attack vectors as well as the conditions under which your attacks may be successful. Test each of these vectors and attack conditions and you will have already achieved good coverage of your application.
  15. Major Challenges:
        Needed to roll out the Microsoft Security Development Lifecycle (SDL) to hundreds of development teams
        Internal instructor-led training was effective, but not scalable and couldn’t be re-purposed for new employees
        Needed a way to train vendors on the Microsoft SDL to ensure software consumed by Microsoft had security considered
      Security Innovation Solution: customized 14 eLearning courses specific to the Microsoft SDL
        Same content base as current courses in our eLearning library
      In 24 months, Microsoft was able to go from having 30% of its product teams trained on the SDL to 70% (over 3,000 users)
  16. Microsoft SDL = Microsoft Security Development Lifecycle
        Industry-leading software assurance development process
        All development team members are required to take 14 courses on the Microsoft SDL (which we built for Microsoft)
        12 months after the Microsoft SDL was rolled out internally to all Microsoft development teams, there was a 45% reduction in vulnerabilities in Windows
        36 months after the SDL was rolled out, there was a 91% reduction in vulnerabilities in SQL Server
      Consistent application of sound security practices during all phases of development will facilitate compliance and result in fewer vulnerabilities
  17. Executives & Managers need to understand the importance of building secure applications from the start and equip their development teams with the necessary tools, training, and resources to ensure this
      Architects need to understand topics like threat modeling, architecture risk analysis, and attack surface reduction so they can develop blueprints that set the rest of the team up for success
      Developers need to understand how to code securely to avoid vulnerabilities and how to find and fix security defects in their code
      Testers need to understand vulnerability classes, attack techniques and secure coding principles so they can successfully exploit vulnerabilities and provide useful feedback on vulnerabilities
      We recognized that the recommendations could not be successful without training. In order to enable the recommended changes, we outlined a training program that would improve the security knowledge and expertise of each member of the development team.
  18. Application security know-how is the foundation of a mature AppSec program
        You can’t operate tools or conduct key activities effectively otherwise
      Vulnerabilities are a human-created problem
        Fill the skills gap, fill the vulnerabilities gap
      Make sure you focus on all 3 “pillars of success” for secure development:
        Standards
        Education
        Assessments
      Let tools, technology and humans do what they each do best
        Tools are great at automating non-critical activities, flagging potential issues, and getting broad coverage fast
        Technology can provide another layer of defense for deployed applications, but can’t be the only defense
        Humans can build security in, create a repeatable secure SDLC, and find problems tools can’t
  19. We would like to thank you again for attending today's session. Everyone will receive the recording and presentation via email. We will also be posting today's session, along with our other on-demand webcasts here: https://www.securityinnovation.com/knowledge-center/webinars/ If you have any questions or would like to be informed of future Security Innovation webinars, please contact us at marketing@securityinnovation.com. Thanks again and have a great day!