Playbook Round Tables across 3 major cities to collaborate and measure security programs against 2018 application attacks

1. (Notes) Playbook Round Table –
Measuring Your Security Program
Against 2018’s Application Attacks
Mumbai, Bangalore, Delhi
Technology Partner

2. Common Challenges
• Tackling legacy application
• Measuring security through automation
• Reducing turn around time in secure SDLC
• Testing Agile / Fast releases
• Handling insecure APIs & newer technologies like Notejs etc.
• Handling hybrid applications
• Layer 3 to 7 protections
• How to make business more aware and responsible?

3. Common Challenges
• OSS and 3rd party risks
• Shadow IT: Online applications which are unknown (1st + 3rd party)
• Resource augmentation (Internal + external)
• Serialization in Appsec
• Handling privacy
• Secure architecture

4. Application Security Metrics
• Key Metrics:
• # Vulnerability / Defects by Criticality (SAST/DAST)
• MTD/MTR (Mean Time to Detect / Remediate )
• Repeated vulnerability findings
• Defects ageing & Escaped defects
• Coverage by Stage (Stages covered/Total stages*100)
• Application Risk Profile (OWASP) map it to security requirement
• % people trained (measuring awareness)
• % projects with security champions
• Problem: Too many metrics

5. Frameworks To Measure Appsec Maturity
• Open SAMM / OWASP SAMM
• BSIMM
• NIST CSF
• Other related frameworks
• OWASP
• FFIEC
• BIAN A2A (Banking architecture)
• OSSTMM

6. Creating An Appsec Program Architecture

7. OWASP SAMM (AppSec)
1.48
0.90
1.05
1.10
1.55
1.45
1.85
1.05
1.12
1.93
1.70 0.95
0.00
0.50
1.00
1.50
2.00
2.50
3.00
Strategy &
Metrics
Policy &
Compliance
Education &
Guidance
Threat
Assessment
Security
Requirements
Secure
Architecture
Design Analysis
Implementation
Review
Security Testing
Issue
Management
Environment
Hardening
Operational
Enablement

8. CDM Mapping
Credit: Sounil Yu

9. FireCompass Security Portfolio Score
Identify Protect Detect Respond Recover
Endpoints 3 5 1 1 1
Applications 2 3 1 1 2
Networks 4 5 3 1 1
Data 1 3 1 1
Users 3 3 1

10. Creating Appsec Program Architecture
• Identify
• SAST/DAST/IAST
• SCA
• API Testing
• Architecture Review
• Threat Intel
• Threat Modeling
• Application grouping and risk category
• Scoreboard

11. Creating Appsec Program Architecture
• Protect
• RASP
• Secure Software Development, Patching/Fixing
• Infra hardening
• WAF
• PCI DSS, Live system/cannot patch easily, WAF feedback to developers, Integration with
DAST, Integrate with SIEM & SSL offloading
• Application layer DDOS
• Behavior based analytics, Device and User fingerprinting, Multi stage verification (WAF)
& Captcha farm identification

12. Creating Appsec Program Architecture
• Detect
• WAF
• Layer 7 DDOS protection
• SIEM
• UBA
• Deception
• Sinkholes
• Bot Security

13. Creating Appsec Program Architecture
• Respond/Recovery
• WAF, DDOS, Deception/Honeypots, Bot
• Hot/Backups/Physical
• RASP
• Logging for forensics
• Communication playbook (internal and external)
• Maintaining chain of custody from legal perspectives
• Response playbooks
• BCM/DR
• Deception/Honeypot

14. Critical Capabilities of WAF & DDOS
• WAF Critical Capabilities
• TI integration
• Behavior analytics/fingerprinting
• Bot mitigation
• Handling legacy applications
• Quick response team
• Self learning
• Training with non production
• Application layer DDOS
• Architecture (E.g. Logged in users can access expensive DB queries, horizontal scaling
through dockers)
• SSL Offloading
• Handling latency

15. Technology Partner
THANK YOU !
Priyanka, CISO Platform
Mail: priyanka@cisoplatform.com
Call: +91 89718 75069