Delivering Secure Projects
Internal Presentation, July 2013
Phil Huggins
Slide 2: About me
• I have led large delivery programmes:
  • Multiple projects
  • Challenging stakeholders
  • Large, complex systems
  • Multi-year delivery
  • 100+ person customer delivery teams
  • 200+ person supplier delivery teams
  • Need to know
  • High threat
Slide 3: Objectives
• By the end of this session you should:
  • Be able to identify delivery projects where security is a critical attribute
  • Understand the potential issues in secure project delivery
  • Be able to suggest possible ways of preventing or handling those issues
Company Confidential
Slide 4: Secure delivery activities (framework overview)
• Governance
• Risk Management
• Compliance
• Requirements Management
• Security Architecture
• Threat Analysis
• Risk Assessment
• Supplier Selection
• Procurement
• Stakeholder Management
• Design Trade-Offs
• Build
• Supply Chain Management
• Testing
• Transition to Operation
• Legacy Estate Management
• Release Management
Slide 5: Requirements Management / Stakeholder Management / Legacy Estate Management
• These are the activities that mean there are no surprises during the project: everyone knows what is happening and when it is happening.
• 'Bringing stakeholders on the journey'.
• Identify the security red flag holders.
• Legacy estates always include problems that must be solved to meet current requirements.
• Understand and document the as-is environments.
• Establish a fixed requirements review cycle and agree an SLA with stakeholders for response times.
• Use the reference architecture to assure requirements coverage.
• Establish a Security Working Group early; include suppliers, security decision makers, operational management and specialists.
Slide 6: Governance / Risk Management / Compliance
• Clear sponsorship for security from the project sponsor or their boss.
• Who 'owns' the security? Do they control project budgets?
• Established escalation paths.
• What 'red lines' can't be crossed?
• Establish the format for the security cases used to request risk acceptance.
• This is the 'air cover' needed for unpopular security decisions.
Slide 7: Security Architecture / Threat Analysis / Risk Assessment
• This is the core security content of what you are doing.
• This is how you measure and plan the security delivery.
• This is the basic justification for the security requirements; if this is wrong you will lose credibility in every other activity.
• Establish a security documentation framework at project initiation and fill it in as you go.
• Build a reference architecture.
• Run a 'dry-run' risk assessment against it.
Slide 8: What the security architecture consists of
The security architecture is the combination of all of the following:
• The security principles or maxims, and
• The security model of the system, and
• The security requirements, and
• The security-relevant design decisions, and
• The security controls as actually implemented.
Slide 9: Supplier Selection / Procurement / Supply Chain Management
• This is your opportunity to identify a partner you can work with.
• If you don't give suppliers explicit security requirements and expectations in procurement, you will be fighting them all through the project.
• Make sure they 'get' security.
• Understand who their subcontractors are, where they are buying their hardware, how they expect to ramp up their team and when they expect to start delivering physical kit.
• Share the explicit security requirements and the reference architecture with suppliers.
• Write your testing strategy into the procurement!
• Establish a deliverable assurance process with your chosen supplier immediately following contract award.
Slide 10: Supplier maturity versus customer maturity
The slide is a two-by-two matrix: the customer maturity axis determines whether security needs are specified, the supplier maturity axis whether they are fulfilled.

                         Needs fulfilled      Needs not fulfilled
  Needs specified        Delivery             Under-delivery
  Needs not specified    Over-delivery        No-delivery
Slide 11: Design Trade-Offs / Release Management
• Work hand-in-glove with the suppliers.
• Every time they go away and design in isolation you risk rework and delay.
• Document design decisions clearly.
• Follow your formal deliverable assurance approach. Deliverables will start coming thick and fast, and they won't wait for you for long.
• Identify the impact of design decisions and trade-offs on the requirements.
Slide 12: Requirements
The 'Local Hero' phenomenon:
• Lack of requirements
• Lack of standards
• Reliance on expertise

• Functional requirement
  • What a system must do.
  • An interaction between a component and the environment.
  • Testable.
• Non-functional requirement
  • How the system will do it.
  • Restricts the manner of operation of the system.
  • General in scope; concerns the whole system.
• Security requirement
  • A manifestation of a high-level security policy in the detailed requirements.
Slide 13 (diagram): From stakeholder to design
The slide's diagram chains these, in order: Stakeholder, Business Goals, Use Cases, Functional Requirements, Non-Functional Requirements, Design, with External Constraints alongside. The design stage yields:
• Design Decisions
• Trade-Offs
Slide 14: Build
• This is where your agreements with your supplier will start to fall apart:
  • Some designs won't work in practice.
  • Mistakes in implementation will be made.
  • Some things will take longer than expected.
  • Some requirements will change.
• Standing up the development team is a major cost to the supplier.
• Physical delivery of kit is expensive to reverse.
• Be flexible and be prepared to make decisions quickly.
• Don't let suppliers disappear off down the V-model with the words 'See you in test'.
Slide 15: Testing
• Security test strategy
  • What is being tested
  • When in the project it must happen (early testing reduces defect rates)
• Security test plans
  • What sort of tests
  • What standards or requirements are being tested?
  • Acceptance criteria
• Types of tests to consider:
  • Automated static code analysis
  • Manual source code analysis
  • Risk-based targeted penetration tests
  • Internal penetration tests
  • Independent full-scope penetration tests
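The requirements-coverage point on the Requirements Management slide and the test-plan points on the Testing slide (which requirement or standard each test evidences, an agreed acceptance criterion, and scheduling tests early) can be checked mechanically. The following is an added example, not code from the deck or from the author: a small traceability check that takes a list of security requirements and a list of planned tests, each tagged with the requirement ids it covers, and reports requirements with no test, tests with no acceptance criterion, tests that reference requirements nobody wrote, and requirements whose only evidence arrives in the formal test phase. The phase names, requirement ids, test ids and the sample requirements and tests are all constructed for illustration.

```python
from dataclasses import dataclass

# Assumed project phases, in delivery order; "test" is the formal test phase
# at the bottom of the V-model.
PHASE_ORDER = ("design", "build", "test", "transition")


@dataclass(frozen=True)
class Requirement:
    req_id: str
    text: str
    source: str  # the policy or standard the requirement is derived from


@dataclass(frozen=True)
class TestCase:
    test_id: str
    kind: str        # e.g. "sast", "code-review", "pentest-targeted"
    covers: tuple    # ids of the requirements this test gives evidence for
    acceptance: str  # agreed pass/fail criterion; empty string means none agreed
    phase: str       # project phase in which the test is scheduled


def _is_early(test: TestCase) -> bool:
    """True if the test runs before the formal test phase."""
    return (test.phase in PHASE_ORDER
            and PHASE_ORDER.index(test.phase) < PHASE_ORDER.index("test"))


def trace(requirements, tests):
    """Build the traceability report: evidence per requirement plus the gaps."""
    coverage = {r.req_id: [] for r in requirements}
    problems = []
    for t in tests:
        if not t.acceptance.strip():
            problems.append(f"{t.test_id}: no acceptance criterion agreed")
        if not t.covers:
            problems.append(f"{t.test_id}: not traced to any requirement")
        if t.phase not in PHASE_ORDER:
            problems.append(f"{t.test_id}: unknown phase {t.phase!r}")
        for rid in t.covers:
            if rid in coverage:
                coverage[rid].append(t.test_id)
            else:
                problems.append(f"{t.test_id}: references unknown requirement {rid}")
    by_id = {t.test_id: t for t in tests}
    uncovered = [rid for rid, tids in coverage.items() if not tids]
    # Requirements whose only evidence comes from the formal test phase or later:
    # defects found there are the expensive ones, so flag them for an earlier check.
    late_only = [rid for rid, tids in coverage.items()
                 if tids and not any(_is_early(by_id[tid]) for tid in tids)]
    return {"coverage": coverage, "uncovered": uncovered,
            "late_only": late_only, "problems": problems}


def report_lines(report):
    """Render the report as plain text lines for a Security Working Group pack."""
    lines = []
    for rid, tids in report["coverage"].items():
        lines.append(f"{rid}: {', '.join(tids) if tids else 'NO TEST'}")
    lines += [f"UNCOVERED: {rid}" for rid in report["uncovered"]]
    lines += [f"LATE ONLY: {rid}" for rid in report["late_only"]]
    lines += [f"PROBLEM: {p}" for p in report["problems"]]
    return lines


# Constructed sample data for illustration only.
REQUIREMENTS = [
    Requirement("SR-01", "Administrative access requires two-factor authentication",
                "Access control policy"),
    Requirement("SR-02", "Customer data at rest is encrypted", "Data protection standard"),
    Requirement("SR-03", "Security events reach the central SIEM within 60 seconds",
                "Monitoring standard"),
    Requirement("SR-04", "No component ships with vendor default credentials",
                "Hardening baseline"),
]

TESTS = [
    TestCase("T-01", "sast", ("SR-01",), "No high or critical findings in the auth module", "build"),
    TestCase("T-02", "code-review", ("SR-01", "SR-02"), "Reviewer sign-off recorded", "build"),
    TestCase("T-03", "pentest-targeted", ("SR-01",), "No 2FA bypass found", "test"),
    TestCase("T-04", "pentest-full", ("SR-02",), "", "test"),           # no acceptance criterion
    TestCase("T-05", "pentest-internal", ("SR-04", "SR-09"),             # SR-09 does not exist
             "Default-credential scan returns zero hits", "test"),
]

if __name__ == "__main__":
    print("\n".join(report_lines(trace(REQUIREMENTS, TESTS))))
```

On the sample data the report flags SR-03 as having no test at all, SR-04 as evidenced only in the test phase, T-04 as lacking an acceptance criterion and T-05 as pointing at a requirement that was never written. Run against the real requirements catalogue and test plan, the same four lists are the agenda items for the working group before the supplier disappears into test.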
Slide 16: Transition to Operation
• Ensure the operations team sit on the Security Working Group.
• Make sure the operations team have been properly introduced to the key stakeholders.
• Make sure the operations team establish communication channels with key stakeholders.
• Give them visibility of design, build and test phase artefacts and risks.
• Plan to hang around for a few weeks or months following handover.
Slide 17: Summary
• Get to know your key stakeholders very well; they can be your strongest supporters.
• If you don't document it, no-one else will.
• If you don't tell anyone, they won't do anything.
• If you're not paying for it, it probably won't happen.
• Be aware of the time and cost implications of your decisions.
• Work in partnership with suppliers, but make sure you have the documentation to win a fight.
• Don't become irreplaceable!
Slide 18: http://blog.blackswansecurity.com
trending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdftrending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdf
trending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdf
 
Technical Leaders - Working with the Management Team
Technical Leaders - Working with the Management TeamTechnical Leaders - Working with the Management Team
Technical Leaders - Working with the Management Team
 
How To Simplify Your Scheduling with AI Calendarfly The Hassle-Free Online Bo...
How To Simplify Your Scheduling with AI Calendarfly The Hassle-Free Online Bo...How To Simplify Your Scheduling with AI Calendarfly The Hassle-Free Online Bo...
How To Simplify Your Scheduling with AI Calendarfly The Hassle-Free Online Bo...
 
Intermediate Accounting, Volume 2, 13th Canadian Edition by Donald E. Kieso t...
Intermediate Accounting, Volume 2, 13th Canadian Edition by Donald E. Kieso t...Intermediate Accounting, Volume 2, 13th Canadian Edition by Donald E. Kieso t...
Intermediate Accounting, Volume 2, 13th Canadian Edition by Donald E. Kieso t...
 
EUDR Info Meeting Ethiopian coffee exporters
EUDR Info Meeting Ethiopian coffee exportersEUDR Info Meeting Ethiopian coffee exporters
EUDR Info Meeting Ethiopian coffee exporters
 
Kenya Coconut Production Presentation by Dr. Lalith Perera
Kenya Coconut Production Presentation by Dr. Lalith PereraKenya Coconut Production Presentation by Dr. Lalith Perera
Kenya Coconut Production Presentation by Dr. Lalith Perera
 
Cybersecurity Awareness Training Presentation v2024.03
Cybersecurity Awareness Training Presentation v2024.03Cybersecurity Awareness Training Presentation v2024.03
Cybersecurity Awareness Training Presentation v2024.03
 
APRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfAPRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdf
 
Corporate Profile 47Billion Information Technology
Corporate Profile 47Billion Information TechnologyCorporate Profile 47Billion Information Technology
Corporate Profile 47Billion Information Technology
 
Japan IT Week 2024 Brochure by 47Billion (English)
Japan IT Week 2024 Brochure by 47Billion (English)Japan IT Week 2024 Brochure by 47Billion (English)
Japan IT Week 2024 Brochure by 47Billion (English)
 
Darshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdfDarshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdf
 
Driving Business Impact for PMs with Jon Harmer
Driving Business Impact for PMs with Jon HarmerDriving Business Impact for PMs with Jon Harmer
Driving Business Impact for PMs with Jon Harmer
 
The Bizz Quiz-E-Summit-E-Cell-IITPatna.pptx
The Bizz Quiz-E-Summit-E-Cell-IITPatna.pptxThe Bizz Quiz-E-Summit-E-Cell-IITPatna.pptx
The Bizz Quiz-E-Summit-E-Cell-IITPatna.pptx
 
Entrepreneurship lessons in Philippines
Entrepreneurship lessons in  PhilippinesEntrepreneurship lessons in  Philippines
Entrepreneurship lessons in Philippines
 
Innovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdfInnovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdf
 
20200128 Ethical by Design - Whitepaper.pdf
20200128 Ethical by Design - Whitepaper.pdf20200128 Ethical by Design - Whitepaper.pdf
20200128 Ethical by Design - Whitepaper.pdf
 
Onemonitar Android Spy App Features: Explore Advanced Monitoring Capabilities
Onemonitar Android Spy App Features: Explore Advanced Monitoring CapabilitiesOnemonitar Android Spy App Features: Explore Advanced Monitoring Capabilities
Onemonitar Android Spy App Features: Explore Advanced Monitoring Capabilities
 
Traction part 2 - EOS Model JAX Bridges.
Traction part 2 - EOS Model JAX Bridges.Traction part 2 - EOS Model JAX Bridges.
Traction part 2 - EOS Model JAX Bridges.
 
Salesforce Education Cloud - A Complete Guide.pdf
Salesforce Education Cloud - A Complete Guide.pdfSalesforce Education Cloud - A Complete Guide.pdf
Salesforce Education Cloud - A Complete Guide.pdf
 

Delivering Secure Projects

  • 1. Internal Presentation, July 2013. Phil Huggins
  • 2. I have led large delivery programmes:
    - Multiple projects
    - Challenging stakeholders
    - Large, complex systems
    - Multi-year delivery
    - 100+ people customer delivery teams
    - 200+ people supplier delivery teams
    - Need to know
    - High threat
  • 3. By the end of this session you should:
    - Be able to identify delivery projects where security is a critical attribute
    - Understand the potential issues in secure project delivery
    - Suggest possible ways of preventing or handling issues
  • 5. Requirements Management, Stakeholder Management, Legacy Estate Management
    - These are the activities that mean there are no surprises during the project. Everyone knows what is happening and when it is happening.
    - ‘Bringing stakeholders on the journey’
    - Identify security red flag holders.
    - Legacy estates always include problems to solve to meet current requirements.
    - Understand and document the As-Is environments.
    - Establish a fixed requirements review cycle; agree an SLA with stakeholders for response.
    - Use the reference architecture to assure requirements coverage.
    - Establish a Security Working Group early.
    - Include suppliers, security decision makers, operational management and specialists.
  • 6. Governance, Risk Management, Compliance
    - Clear sponsorship for security from the project sponsor or his boss.
    - Who ‘owns’ the security?
    - Do they control project budgets?
    - Established escalation paths.
    - What ‘red lines’ can’t be crossed?
    - Establish the format for security cases to request risk acceptance.
    - This is the ‘air cover’ needed for unpopular security decisions.
  • 7. Security Architecture, Threat Analysis, Risk Assessment
    - This is the core security content of what you are doing.
    - This is how you measure and plan the security delivery.
    - This is the basic justification for the security requirements; if this is wrong you will lose credibility in every other activity.
    - Establish a security documentation framework at project initiation and fill it in as you go.
    - Build a reference architecture.
    - Run a ‘dry-run’ risk assessment against it.
  • 8. The security principles or maxims, and
    - the security model of the system, and
    - the security requirements, and
    - the security relevant design decisions, and
    - the security controls as actually implemented.
  • 9. Supplier Selection, Procurement, Supply Chain Management
    - This is your opportunity to identify a partner you can work with.
    - If you don’t give suppliers explicit security requirements and expectations in procurement you will be fighting them all through the project.
    - Make sure they ‘get’ security.
    - Understand who their subcontractors are, where they are buying their hardware, how they expect to ramp up their team and when they expect to start delivering physical kit.
    - Share explicit security requirements and the reference architecture with suppliers.
    - Write your testing strategy into the procurement!
    - Establish a deliverable assurance process with your chosen supplier immediately following contract award.
  • 10. Supplier Maturity / Customer Maturity matrix:
    - Needs specified and fulfilled: Delivery
    - Needs specified but not fulfilled: Under-delivery
    - Needs not specified but fulfilled: Over-delivery
    - Needs not specified and not fulfilled: No-delivery
  • 11. Design Trade-Offs, Release Management
    - Work hand-in-glove with the suppliers.
    - Every time they go away and design in isolation you risk rework and delay.
    - Document design decisions clearly.
    - Follow your formal deliverable assurance approach. These will start coming thick and fast; they won’t wait for you for long.
    - Identify the impact of design decisions and trade-offs on the requirements.
    - Local Hero Phenomenon: lack of requirements, lack of standards, reliance on expertise.
  • 12. Requirement types:
    - Functional Requirement: what a system must do; an interaction between a component and the environment; testable.
    - Non-Functional Requirement: how the system will do it; restricts the manner of operation of the system; general in scope and concerns the whole system.
    - Security Requirement: a manifestation of a high-level security policy into the detailed requirements.
  • 14. Build
    - This is where your agreements with your supplier will start to fall apart.
    - Some designs won’t work in practice.
    - Mistakes in implementation will be made.
    - Some will take longer than expected.
    - Some requirements will change.
    - Standing up the development team is a major cost to the supplier.
    - Physical delivery of kit is expensive to reverse.
    - Be flexible and be prepared to make decisions quickly.
    - Don’t let suppliers disappear off down the V model with the words ‘See you in test’.
  • 15. Testing
    - Security Test Strategy: what is being tested; when in the project it must happen (early testing reduces defect rates).
    - Security Test Plans: what sort of tests; what standards or requirements are being tested; acceptance criteria.
    - Types of tests to consider: automated static code analysis, manual source code analysis, risk-based targeted penetration tests, internal penetration tests, independent full-scope penetration tests.
  • 16. Transition to Operation
    - Ensure the operations team sit on the Security Working Group.
    - Make sure the operations team have been properly introduced to the key stakeholders.
    - Make sure the operations team establish communications channels with key stakeholders.
    - Give them visibility of design, build and test phase artefacts and risks.
    - Plan to hang around for a few weeks or months following handover.
  • 17. Get to know your key stakeholders very well; they can be your strongest supporters.
    - If you don’t document it, no-one else will.
    - If you don’t tell anyone, they won’t do anything.
    - If you’re not paying for it, it probably won’t happen.
    - Be aware of the time / cost implications of your decisions.
    - Work in partnership with suppliers but make sure you have the documentation to win a fight.
    - Don’t become irreplaceable!
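The chain of artefacts on slide 8 (principles, model, requirements, design decisions, controls as implemented), the "identify impact of design decisions and trade-offs on the requirements" point on slide 11 and the test-plan question on slide 15 (what standards or requirements are being tested?) all come down to traceability. The following is an added example written for this page, not code from the presentation or from Phil Huggins. It assumes a hypothetical in-memory model with constructed sample requirements, controls and tests, and reports which requirements have no implemented control, which implemented controls no test verifies, and which requirements a proposed trade-off would leave uncovered.

```python
"""Requirements traceability check for a security documentation framework.

Added example, not code from the presentation. It assumes a simple in-memory
model (constructed sample data below) in which each security requirement is
traced up to the principle it derives from and down to the controls that
implement it and the tests that verify those controls, so that a Security
Working Group can see coverage gaps before they reach test.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    rid: str
    text: str
    principle: str                # the security principle / maxim it manifests


@dataclass(frozen=True)
class Control:
    cid: str
    implements: tuple[str, ...]   # requirement ids this control satisfies
    implemented: bool = True      # False if a design trade-off dropped it


@dataclass(frozen=True)
class SecurityTest:
    tid: str
    kind: str                     # e.g. "static analysis", "pentest"
    verifies: tuple[str, ...]     # control ids this test exercises


# Constructed sample data for a hypothetical project, not from the slides.
REQUIREMENTS = (
    Requirement("R1", "Administrative access requires MFA", "P1 least privilege"),
    Requirement("R2", "Audit events are retained for 12 months", "P2 accountability"),
    Requirement("R3", "Customer data is encrypted at rest", "P3 confidentiality"),
)
CONTROLS = (
    Control("C1", implements=("R1",)),
    Control("C2", implements=("R2",)),
    Control("C3", implements=("R3",), implemented=False),  # dropped in a trade-off
)
TESTS = (
    SecurityTest("T1", "pentest", verifies=("C1",)),
)


def uncovered_requirements(reqs, controls):
    """Requirement ids with no implemented control tracing to them."""
    covered = {rid for c in controls if c.implemented for rid in c.implements}
    return sorted(r.rid for r in reqs if r.rid not in covered)


def untested_controls(controls, tests):
    """Implemented control ids that no test in the plan verifies."""
    verified = {cid for t in tests for cid in t.verifies}
    return sorted(c.cid for c in controls if c.implemented and c.cid not in verified)


def impact_of_dropping(control_id, reqs, controls):
    """Requirement ids that would lose their last implemented control.

    Use this when a design trade-off proposes removing a control, so its
    effect on the requirements (and the principle behind them) is explicit.
    """
    remaining = [c for c in controls if c.cid != control_id]
    before = set(uncovered_requirements(reqs, controls))
    after = set(uncovered_requirements(reqs, remaining))
    return sorted(after - before)


def traceability_report(reqs, controls, tests):
    """Summarise the gaps a security case would need to explain."""
    by_id = {r.rid: r for r in reqs}
    return {
        "uncovered_requirements": [
            f"{rid} ({by_id[rid].principle})"
            for rid in uncovered_requirements(reqs, controls)
        ],
        "untested_controls": untested_controls(controls, tests),
    }


if __name__ == "__main__":
    for key, items in traceability_report(REQUIREMENTS, CONTROLS, TESTS).items():
        print(f"{key}: {items or 'none'}")
    print("dropping C1 would uncover:", impact_of_dropping("C1", REQUIREMENTS, CONTROLS))
```

The point of keeping the principle on each requirement is that a gap report names the maxim a trade-off is really giving up, which is what a security case for risk acceptance has to argue. Dropping a control that was never implemented (C3 in the sample) changes nothing, while dropping C1 exposes R1.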

Editor's notes

  1. Over-delivery and local heroes tend to result in domain-specific requirements being missed.
  2. Domain-specific security requirements are hard; suppliers are much less likely to have expertise in these up front.