Theory vs Practice in
implementing Software
Security related activities
Simon Blanchet, CISSP, PMP
Head of Application Security /
{Undisclosed} Private Bank

Application Security Forum - 2012
Western Switzerland

7-8 November 2012 - Y-Parc / Yverdon-les-Bains
https://www.appsec-forum.ch
2




Agenda
 Application Security? / Software Security?
 The actors, the stage, the script, …
 The theory or “the sky is blue”
 The practice or “let’s take the red pill”
 The challenges & how to overcome them
 Conclusion
3




Bio
 I’m Simon Blanchet, CISSP, PMP
 Head of Application Security in a Private Bank
 Where am I coming from?
 – Computer Science
 – Security Software Designer
 12+ years of Information System Security
 7+ years in Private Banking
4




Bio
 I’m managing an “AppSec” team responsible for
 – Security Eng. / Risk Assessment / Security Testing
 I love Cryptography, Software (In)Security, …
 Fun facts
 – Own (too) many books…
 – Foodie, Beer, Urban Traveler, Bachata, …
 I did this and that
 – ASF-WS 2011 “Harmonizing Identity & Privacy…”
 – BSIMM Europe Community Conference 2012
5




Agenda – transition milestone…
   Application Security? / Software Security?
   The actors, the stage, the script, …
   The theory or “the sky is blue”
   The practice or “let’s take the red pill”
   The challenges & how to overcome them
   Conclusion
6




Application Security? - Semantics
 Application Security – a process?
  “protects an organization’s critical data from external threats by
  ensuring the security of all of the software used to run the
  business. AppSec is the operational solution to the problem of
  software risk. AppSec helps identify, fix and prevent security
  vulnerabilities in any kind of software application…”i
 Software Security – an attribute?
  “the ability of software to resist, tolerate, and recover from
  events that intentionally threaten its dependability. The main
  objective of software security is to build more-robust, higher-quality,
  defect-free software that continues to function correctly
  under malicious attack”ii
7




Application Security? - Semantics
 Pushing the definitions to the extreme (for fun) ;-)
  – AppSec: integrating external software and protecting it
    from external threats
  – SoftSec: building software internally and protecting it…
 My own take on it / personal definition
  –   Building “secure” Software
  –   Securing existing Applications
  –   Acquiring & Integrating “securely” 3rd party Software
  –   Evolving “securely” existing Applications
8




IT Security → InfoSec → AppSec
 Once upon a time … ITSec: looking back in 95-05*

 Perimeter security: Firewalls
  – Erecting fences to keep them (bad guys) out
  – ITSec essentially meant protecting the network (networks
    segregation, IDS, monitor, alert, …) or installing AV and
    keeping them updated…

 IT Security Practitioners?
  – Telecom background: Network guys
  – Operating System background: Admin guys
9




InfoSec → Application Security
 Obvious fact: attacks are climbing up the OSI stack
 (Figure: layered stack, top to bottom: Software, Data, App, Host, Network)
10




Agenda – transition milestone
   Application Security? / Software Security?
   The actors, the stage, the script, …
   The theory or “the sky is blue”
   The practice or “let’s take the red pill”
   The challenges & how to overcome them
   Conclusion
11




The Actors
 Software Manufacturing aka “The Builders”
 – Architects (Functional, Software, IT)
 – Designers & Developers
 Project Management
 Security Specialist
 – Security Consultants / Engineers / Architects
 – Security Testers
12




Actors – Designers & Developers
 Have to deal with 3 trends “Trinity of Trouble”iii
 making the software security problem bigger
 – Connectivity
 – Extensibility
 – Complexity
 (Figure: triangle Connectivity / Extensibility / Complexity)
13




Actors – Project Managers
 Project Constraint Model (3 key constraints)
 – Cost
 – Time
 – Scope
 (Figure: triangle Cost / Time / Scope)
14




Actors – Security Specialists
 Protect the CIA attributes of the Information
 System and its underlying applications & data
  – Confidentiality
  – Integrity
  – Availability
 (Figure: triangle Confidentiality / Integrity / Availability)
15




The Stage (1/4)
 (Figure: the three actors’ triangles, Software Manufacturing (C / X / C), Project Managers (C / Q / T / S) and Security Specialists (C / I / A), meeting on “Impact” in the middle)
16




The Stage (2/4) – PM style
 (Figure: PM process groups: Initiating, Planning, Executing, Controlling, Closing)
17




The Stage (3/4) – Soft Dev style
18




The Stage (4/4) – AppSec style
19




The Scripts
 Software Manufacturing / Project Management
 see Security Specialists as:
  – Tax to pay
  – Threat to Project (impact on time, cost, scope)
  – Police officers: control & block
  – “Inspecteur des travaux finis”: someone not helping
    but criticizing other people's work after it is done
20




The Scripts
 Security Specialists see:
  – Software Manufacturing (Architects & Developers)
     • Security vulnerabilities (flaws / defects) introducers
     • Privileging features over overall security / integrity
     • Business slave or End-user pleaser
  – Project Management
     • “Don’t impact my Scope / Time / Cost”
     • (Original Scope, Time & Cost estimate) >> Quality + Scope’
     • Business slave or End-user pleaser
21




Agenda – transition milestone
   Application Security? / Software Security?
   The actors, the stage, the script, …
   The theory or “the sky is blue”
   The practice or “let’s take the red pill”
   The challenges & how to overcome them
   Conclusion
22




Theory – ISV vs Others
 Independent Software Vendor (ISV)
 –   1st activity = Software Development
 –   Revenue ($) = Software
 –   Methodology = SDLC
 –   Software is your business
 Others (Financial / Banking / …)
 –   1st activity != developing software
 –   Revenue ($) doesn’t come from SW
 –   Methodology = Project Management
 –   Software supports your business processes
23




Theory – ISV (start AppSec)
 Step 1 – Take your existing SDLC methodology
 Step 2 – Embed security “touchpoints” into it
  – Increase the number of them
  – Increase the depth of them
 (Figure: SDLC phases with touchpoints T1, T2, T3 embedded)
24




Theory – Others (start AppSec) 1
 Step 1 - ???
 Now it gets tricky…
 Developing software isn’t your 1st activity
 Most likely software supports business processes
 Most likely software is being
 – Developed, Acquired, Integrated & Modified
 … through Projects
 Most likely you work on Projects
25




Theory – Others (start AppSec) 2
 Let’s try this again…
 Naïve approach (in theory)
 (Figure: Project → “Touch Software?” → Sec SDLC)
 What can go wrong??
26




Theory vs Practice
 In Theory … In the “Best World”
 – Unlimited resources (time, money, people, …)
 – PM, Soft Dev & AppSec resources work “hand in
   hand” together toward the same objectives (bonus)
 – Covering all the applications
 – All projects systematically engage AppSec
 Are you ready to take the red pill?
 You wanna see how deep the rabbit-hole goes?
27




Agenda – transition milestone
   Application Security? / Software Security?
   The actors, the stage, the script, …
   The theory or “the sky is blue”
   The practice or “let’s take the red pill”
   The challenges & how to overcome them
   Conclusion
28




Practice – Reality = Constraints!
 Real world
 Limited resources
 Must get the most for our bucks (ROI)
 People are selfish (no kidding?!)
 $$$ is everything
  – “If we build this feature in the app we’ll get $$ more”
 Time to Market (feature, service, product, …)
 People with different skills speak different languages
29




Practice – Sounds familiar to you?
 (Cartoon: three characters talking past each other)
 Mr. “Pain in the …” / Ms. “Not in my Scope” / Mr. “I’m smart”
 Speech bubbles:
  – CSRF, Reflected XSS, Privilege Escalation, Buffer Overflow, blah, blah, blah…
  – Cross-something, Scope Creep, blah, blah, …
  – Not in my scope, Scope Creep, Re-Baseline, Earned Value, blah, blah, …
  – Deployment Descriptor, APIs, Library, blah, blah, …
  – It works, you’re not supposed to do that! WTF! Blah, blah, …
30




Practice – How to “crash” Theory
 – Too many projects touching “software”
    • How to keep track of these projects?
 – Too many applications to keep track of
    • How to keep track of your applications (inventory)?
 – Reluctance of PM / SoftDev to engage the AppSec team
 – How can you perform an ARA or Detailed Risk
   Assessment if the input artefacts don’t exist?
 – What about late engagement?
 – What about Software Acquisition?
31




Practice – (New?) Needs
 Need to track & enforce AppSec engagements
 – Who? / Where?
 Need to prioritize
 – What? & How?
 Need to evaluate risk while acquiring software
 – How?
32




Practice – Let’s step back a lil’ bit
 What is the primary objective of your AppSec
 team?
 Making sure that your organization is
  – Building Secure Software
  – Integrating secure COTS software securely
  – Modifying legacy Software without impacting the
    Security of the whole Information System
 Protecting the information assets of the org
33




Practice – Security 101 (data)
 Back to the basics… CIA triad
 CIA is about Data / Information
 We need an Information Classification Scheme!
  – Hope you have one…
  – Hope you have a process to deal with new “data”
     • Own Information Asset Owner
     • Classify Repository
 Is Information Classification enough??
34




Practice – Security 101 (system)
 What about System Classification Scheme?
 How to classify systems?
  – Based on their priority in terms of supporting a
    business process owned by the business…
 We need
  – Business Process owner
  – Product / Service owner
35




Practice – System & Business
 We need to assess Impact on their business
 process(es) if this particular software fails
 – Not available
 – Data is disclosed
 – Data / System is being tampered with
 Need for criteria
 – if we want to prioritize, we need a methodology…
36




Practice – Toward solution
 We need to prioritize AppSec engagement
 – Criteria
    • Information Classification
    • Business Impact if System CIA compromised
 We need a project inventory
 We need an application inventory
 We need to enforce & monitor engagement for
 the projects / applications falling under our scope
37




Agenda – transition milestone
   Application Security? / Software Security?
   The actors, the stage, the script, …
   The theory or “the sky is blue”
   The practice or “let’s take the red pill”
   The challenges & how to overcome them
   Conclusion
38




Challenges - Inventory
 Prioritize, Enforce & Monitor Engagements
 Know your Applications
 Know their “importance” in the eyes of the Business
 Owner & underlying Business Processes
 Have Incentives for PM & Soft Dev to Engage your
 AppSec team & “be friend” with them
 Perform ARA when input material isn’t available
 Software acquisition (pen testing vs making sure the
 ISV has a well-defined SSF)
39




Challenges – Elements of solution
 Prioritizing Engagements
 – Know the project portfolio
 – Define Engagement criteria with thresholds based on
    • Information Classification
    • Business Impact Assessment

 Enforcing & Monitoring Engagements
 – Define tollgates in the Project Management methodology
 – Make sure someone is empowered to enforce these tollgates
   and escalate
40




Challenges – Elements of solution
 Knowing your Applications
 – Have an Application Inventory
 – Keep the relevant information in it
 – Maintain it (have a process to update it)
 Knowing their “importance” in the eyes of the Business
 Owner & Business Processes they support
 – Assess your existing legacy applications by performing some kind of
   Business Impact Analysis
 – Know and understand the business process they support
 – Update your Application Inventory accordingly
41




A Picture is worth a 1000 words
 (Figure: Project Portfolio (Project 1 … Project 4) → Engagement criteria (IC, BI) → App Inventory (Application 1 … Application 3, each carrying a Business Impact rating))
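The prioritisation scheme of the last few slides (engagement criteria with thresholds on Information Classification and Business Impact, a project portfolio, an application inventory, and tollgates someone is empowered to enforce), worked through as an added example. This is not code from the talk; the classification levels, impact scale, thresholds, activity names and the sample inventory are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum

# Information classification scheme and business-impact scale (assumed levels).
InfoClass = IntEnum("InfoClass", "PUBLIC INTERNAL CONFIDENTIAL SECRET", start=0)
Impact = IntEnum("Impact", "LOW MEDIUM HIGH CRITICAL")


@dataclass
class Application:
    """Application inventory entry: what the AppSec team must know about each app."""
    name: str
    owner: str                 # product / service owner
    business_process: str      # business process the application supports
    info_class: InfoClass      # highest classification of the data it handles
    impact: dict               # {"C": Impact, "I": Impact, "A": Impact} if compromised

    def bi_rating(self):
        """Business Impact rating = worst case across the CIA attributes."""
        return max(self.impact.values())


@dataclass
class Project:
    name: str
    kind: str                  # "develop" | "acquire" | "integrate" | "modify"
    applications: list         # inventory names the project touches
    done: set = field(default_factory=set)   # AppSec activities already performed


# Engagement criteria with thresholds (assumed values; tune to your organisation).
ARA_IC_THRESHOLD, ARA_BI_THRESHOLD = InfoClass.CONFIDENTIAL, Impact.HIGH
REVIEW_IC_THRESHOLD, REVIEW_BI_THRESHOLD = InfoClass.INTERNAL, Impact.MEDIUM


def required_activities(project, inventory):
    """Map a project onto the AppSec activities the engagement criteria demand."""
    required = set()
    worst_ic, worst_bi = InfoClass.PUBLIC, Impact.LOW
    for app_name in project.applications:
        app = inventory.get(app_name)
        if app is None:
            # Fail safe: an app missing from the inventory cannot be rated, so
            # assume the worst case and demand that it be registered first.
            required.add("inventory-registration")
            worst_ic, worst_bi = InfoClass.SECRET, Impact.CRITICAL
            continue
        worst_ic = max(worst_ic, app.info_class)
        worst_bi = max(worst_bi, app.bi_rating())

    if worst_ic >= ARA_IC_THRESHOLD or worst_bi >= ARA_BI_THRESHOLD:
        required |= {"architecture-risk-analysis", "security-testing"}
    elif worst_ic >= REVIEW_IC_THRESHOLD or worst_bi >= REVIEW_BI_THRESHOLD:
        required.add("security-review")

    # Third-party software: assess the vendor's software security framework
    # as well, rather than relying on pen testing of the delivered product alone.
    if project.kind in ("acquire", "integrate") and required:
        required.add("vendor-ssf-assessment")
    return required


def tollgate(project, inventory):
    """Tollgate check -> (passed, missing activities); the person empowered to
    enforce the tollgate blocks phase closure while anything is missing."""
    missing = required_activities(project, inventory) - project.done
    return (not missing, missing)


# Constructed sample inventory and project portfolio (not from the slides).
INVENTORY = {a.name: a for a in [
    Application("CoreBanking", "Ops", "payments", InfoClass.SECRET,
                {"C": Impact.CRITICAL, "I": Impact.CRITICAL, "A": Impact.HIGH}),
    Application("Intranet", "Comms", "internal comms", InfoClass.INTERNAL,
                {"C": Impact.LOW, "I": Impact.MEDIUM, "A": Impact.LOW}),
    Application("PublicSite", "Marketing", "marketing", InfoClass.PUBLIC,
                {"C": Impact.LOW, "I": Impact.LOW, "A": Impact.LOW}),
]}
PORTFOLIO = [
    Project("P1 new payment channel", "develop", ["CoreBanking"],
            done={"architecture-risk-analysis"}),
    Project("P2 intranet facelift", "modify", ["Intranet"], done={"security-review"}),
    Project("P3 brochure refresh", "modify", ["PublicSite"]),
    Project("P4 buy CRM", "acquire", ["CRM"]),   # CRM is not yet in the inventory
]


def triage(portfolio=PORTFOLIO, inventory=INVENTORY):
    """Return {project name: (passed, sorted missing activities)} for the portfolio."""
    result = {}
    for p in portfolio:
        passed, missing = tollgate(p, inventory)
        result[p.name] = (passed, sorted(missing))
    return result


if __name__ == "__main__":
    for name, (ok, missing) in triage().items():
        print(f"{'PASS' if ok else 'BLOCK':5} {name}: missing={missing}")
```

The unregistered CRM in P4 shows the inventory gap the slides warn about: without an inventory entry there is no rating to apply criteria to, so the tollgate assumes the worst and blocks until the application is registered.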
42




Challenges – Elements of solution
 Have Incentives for PM & Soft Dev to Engage your
 AppSec team & “be friend” with them
 – Have management support to provide feedback on
   PM / Soft Dev performance
 – Identify the talented (trusted) individuals and teach
   them more about Application Security (offensive
   security & defensive programming) to create a “satellite”
43




Practice – How about this instead?
 (Cartoon: the three actors, with speech bubbles)
 Mr. “Security Specialist” / Ms. “Project Manager” / Mr. “Developer”
 Speech bubbles:
  – Risk, Mitigation, Control, Change Request, Business Lost
  – Engage with our Security Specialist
  – I’ll add it to my Risk Register, I’ll initiate a Change Request
  – Obviously, now I know, I’ve put these mitigations in place.
  – Oh I get it, wow! Look at this, you can use this API. I’ve seen something similar there, I’ll fix it.
44




Agenda – transition milestone
   Application Security? / Software Security?
   The actors, the stage, the script, …
   The theory or “the sky is blue”
   The practice or “let’s take the red pill”
   The challenges & how to overcome them
   Conclusion
45




Conclusion
 Learn about the other actors’ languages & skills
 Know & understand the business you’re working in
 Risk-based approach for AppSec practices
 Building bridges between them (PM & Soft Dev)
 and you (AppSec)
 – Gain their respect: show your skills
 – Empower them: use tools
46




Final Thought – Quoting BSIMM
“If you must create software security types from
scratch, start with developers and teach them
about security and (project management). Do not
attempt to start with network security people and
teach them about software, compilers, SDLCs, bug
tracking, and everything else in the software
universe. No amount of traditional security
knowledge can overcome software cluelessness.”viii
47




Questions?
48




Merci / Thank you!
Contact:

  Simon Blanchet
   simon.blanchet@gmail.com
   http://www.linkedin.com/in/sblanchet

   Slides:
       http://slideshare.net/ASF-WS/presentations
49




About the author
Simon Blanchet, CISSP, PMP

Simon Blanchet is an Associate Director and Head of Application Security for a Private Bank. He is responsible, with the help of
his team of application security specialists, for ensuring the security of internally developed applications as well as the secure
integration of commercial off-the-shelf applications within the banking information systems. Simon’s team provides internal
security-consulting expertise to project management, business and development staff. He and his team are responsible for all
aspects of application security including risk assessment, application security risk analysis, threat modeling, security testing and
raising awareness about application security best practices.

Simon Blanchet has been professionally working in the fields of Information Systems Security and Security Software Design &
Development for the past 12 years. Simon wrote his first lines of code in GW-BASIC on a TRS-80 at the age of 6 and spent
most of his teenage years hooked on North American BBSes when he became fascinated with the so-called “underground
hacking scene”. He started his professional career as a Software Developer and Development Team Leader (cryptographic &
security related software) in Montreal, Canada. Prior to moving into the Swiss Private Banking industry, Simon had the
opportunity to contribute to the first version of the SDK implementing Stefan Brands’ Digital Credentials, on which
Microsoft U-Prove is now built. Simon’s career progressively evolved from being a seasoned security software developer to managing
software security, combining a software developer background with a true passion for application security architecture,
software security and software exploitation techniques. Simon likes to solve security related problems at the crossroads of
software development and IT Security.

Simon holds a B.Sc. in Computer Science from Laval University in Canada. He is a Certified Information Systems Security
Professional (CISSP) and a Project Management Professional (PMP).
50




References
i.      A CISO's Guide To Application Security - Part 1: Defining AppSec
ii.     Software Security: Building Security In, Gary McGraw, 2006
iii.    Software Security: The Trinity of Trouble, Gary McGraw, 2006
iv.     Software Security Engineering: A Guide for Project Managers
v.      Application Security (Wikipedia entry)
vi.     CISM Review Manual 2012
vii.    Project Management Body of Knowledge (PMBOK Guide)
viii.   Build Security In Maturity Model (BSIMM3), p.5 - The Software Security Group (SSG)

 
O'Reilly SACon 2019 - (Continuous) Threat Modeling - What works?
O'Reilly SACon 2019 - (Continuous) Threat Modeling - What works?O'Reilly SACon 2019 - (Continuous) Threat Modeling - What works?
O'Reilly SACon 2019 - (Continuous) Threat Modeling - What works?
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Security in the age of open source - Myths and misperceptions
Security in the age of open source - Myths and misperceptionsSecurity in the age of open source - Myths and misperceptions
Security in the age of open source - Myths and misperceptions
 

Más de Cyber Security Alliance

Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?Cyber Security Alliance
 
iOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itiOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itCyber Security Alliance
 
Why huntung IoC fails at protecting against targeted attacks
Why huntung IoC fails at protecting against targeted attacksWhy huntung IoC fails at protecting against targeted attacks
Why huntung IoC fails at protecting against targeted attacksCyber Security Alliance
 
Corporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCorporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCyber Security Alliance
 
Introducing Man in the Contacts attack to trick encrypted messaging apps
Introducing Man in the Contacts attack to trick encrypted messaging appsIntroducing Man in the Contacts attack to trick encrypted messaging apps
Introducing Man in the Contacts attack to trick encrypted messaging appsCyber Security Alliance
 
Understanding the fundamentals of attacks
Understanding the fundamentals of attacksUnderstanding the fundamentals of attacks
Understanding the fundamentals of attacksCyber Security Alliance
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemCyber Security Alliance
 
Easy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 fEasy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 fCyber Security Alliance
 
Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100Cyber Security Alliance
 
Offline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setupOffline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setupCyber Security Alliance
 
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...Cyber Security Alliance
 
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptWarning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptCyber Security Alliance
 
Killing any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureKilling any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureCyber Security Alliance
 

Más de Cyber Security Alliance (20)

Bug Bounty @ Swisscom
Bug Bounty @ SwisscomBug Bounty @ Swisscom
Bug Bounty @ Swisscom
 
Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?
 
iOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itiOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce it
 
Why huntung IoC fails at protecting against targeted attacks
Why huntung IoC fails at protecting against targeted attacksWhy huntung IoC fails at protecting against targeted attacks
Why huntung IoC fails at protecting against targeted attacks
 
Corporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCorporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomware
 
Blockchain for Beginners
Blockchain for Beginners Blockchain for Beginners
Blockchain for Beginners
 
Le pentest pour les nuls #cybsec16
Le pentest pour les nuls #cybsec16Le pentest pour les nuls #cybsec16
Le pentest pour les nuls #cybsec16
 
Introducing Man in the Contacts attack to trick encrypted messaging apps
Introducing Man in the Contacts attack to trick encrypted messaging appsIntroducing Man in the Contacts attack to trick encrypted messaging apps
Introducing Man in the Contacts attack to trick encrypted messaging apps
 
Understanding the fundamentals of attacks
Understanding the fundamentals of attacksUnderstanding the fundamentals of attacks
Understanding the fundamentals of attacks
 
Rump : iOS patch diffing
Rump : iOS patch diffingRump : iOS patch diffing
Rump : iOS patch diffing
 
An easy way into your sap systems v3.0
An easy way into your sap systems v3.0An easy way into your sap systems v3.0
An easy way into your sap systems v3.0
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande Modem
 
Easy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 fEasy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 f
 
Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100
 
Offline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setupOffline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setup
 
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
 
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptWarning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
 
Killing any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureKilling any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented feature
 
Rump attaque usb_caralinda_fabrice
Rump attaque usb_caralinda_fabriceRump attaque usb_caralinda_fabrice
Rump attaque usb_caralinda_fabrice
 
Operation emmental appsec
Operation emmental appsecOperation emmental appsec
Operation emmental appsec
 

Último

New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 

Último (20)

New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 

ASFWS 2012 - Theory vs Practice in implementing Software Security related activities par Simon Blanchet

  • 1. Theory vs Practice in implementing Software Security related activities
    Simon Blanchet, CISSP, PMP
    Head of Application Security / {Undisclosed} Private Bank
    Application Security Forum - 2012, Western Switzerland
    7-8 November 2012 - Y-Parc / Yverdon-les-Bains
    https://www.appsec-forum.ch
  • 2. Agenda
    Application Security? / Software Security?
    The actors, the stage, the script, …
    The theory or “the sky is blue”
    The practice or “let’s take the red pill”
    The challenges & how to overcome them
    Conclusion
  • 3. Bio
    I’m Simon Blanchet, CISSP, PMP
    Head of Application Security in a Private Bank
    Where am I coming from?
    – Computer Science
    – Security Software Designer
    12+ years of Information System Security
    7+ years in Private Banking
  • 4. Bio
    I’m managing an “AppSec” team responsible for
    – Security Eng. / Risk Assessment / Security Testing
    I love Cryptography, Software (In)Security, …
    Fun facts
    – Own (too) many books…
    – Foodie, Beer, Urban Traveler, Bachata, …
    I did this and that
    – ASF-WS 2011 “Harmonizing Identity & Privacy…”
    – BSIMM Europe Community Conference 2012
  • 5. Agenda – transition milestone…
    Application Security? / Software Security?
    The actors, the stage, the script, …
    The theory or “the sky is blue”
    The practice or “let’s take the red pill”
    The challenges & how to overcome them
    Conclusion
  • 6. Application Security? - Semantics
    Application Security – a process?
    “protects an organization’s critical data from external threats by ensuring the security of all of the software used to run the business. AppSec is the operational solution to the problem of software risk. AppSec helps identify, fix and prevent security vulnerabilities in any kind of software application…”i
    Software Security – an attribute?
    “the ability of software to resist, tolerate, and recover from events that intentionally threaten its dependability. The main objective of software security is to build more-robust, higher-quality, defect-free software that continues to function correctly under malicious attack”ii
  • 7. Application Security? - Semantics
    Pushing the definitions to the extreme (for fun) ;-)
    – AppSec: Integrating External Software, Protecting them from External Threats
    – SoftSec: Building Software Internally, Protecting them…
    My own take on it / personal definition
    – Building “secure” Software
    – Securing existing Applications
    – Acquiring & Integrating “securely” 3rd party Software
    – Evolving “securely” existing Applications
  • 8. Once upon a time … ITSec: looking back in 95-05*
    [diagram: nested circles IT Security > InfoSec > AppSec]
    Perimeter security: Firewalls
    – Erecting fences to keep them (bad guys) out
    – ITSec essentially meant protecting the network (network segregation, IDS, monitor, alert, …) or installing AV and keeping it updated…
    IT Security Practitioners?
    – Telecom background: Network guys
    – Operating System background: Admin guys
  • 9. InfoSec / Application Security
    Obvious fact: attacks are climbing up the OSI stack
    [diagram: layers Network, Host, App, Data, Software]
  • 10. Agenda – transition milestone
    Application Security? / Software Security?
    The actors, the stage, the script, …
    The theory or “the sky is blue”
    The practice or “let’s take the red pill”
    The challenges & how to overcome them
    Conclusion
  • 11. The Actors
    Software Manufacturing aka “The Builders”
    – Architects (Functional, Software, IT)
    – Designers & Developers
    Project Management
    Security Specialist
    – Security Consultants / Engineers / Architects
    – Security Testers
  • 12. Actors – Designers & Developers
    Have to deal with 3 trends, the “Trinity of Trouble”iii, making the software security problem bigger
    – Connectivity
    – Extensibility
    – Complexity
  • 13. Actors – Project Managers
    Project Constraint Model (3 key constraints)
    – Cost
    – Time
    – Scope
  • 14. Actors – Security Specialists
    Protect the CIA attributes of the Information System and its underlying applications & data
    – Confidentiality
    – Integrity
    – Availability
  • 15. The Stage (1/4)
    [diagram: the three actors and their respective triads – Software Manufacturing (Connectivity, Extensibility, Complexity), Project Managers (Cost, Time, Scope), Security Specialists (Confidentiality, Integrity, Availability) – with their impact on each other]
  • 16. The Stage (2/4) – PM style
    Initiating → Planning → Executing → Controlling → Closing
  • 17. The Stage (3/4) – Soft Dev style
  • 18. The Stage (4/4) – AppSec style
  • 19. The Scripts
    Software Manufacturing / Project Management see Security Specialists as:
    – Tax to pay
    – Threat to Project (impact on time, cost, scope)
    – Police officers: control & block
    – “Inspecteur des travaux finis”: someone not helping but criticizing other people's work after it is done
  • 20. The Scripts
    Security Specialists see:
    – Software Manufacturing (Architects & Developers)
      • Security vulnerabilities (flaws / defects) introducers
      • Privileging features over overall security / integrity
      • Business slave or End-user pleaser
    – Project Management
      • “Don’t impact my Scope / Time / Cost”
      • (Original Scope, Time & Cost estimate) >> Quality + Scope’
      • Business slave or End-user pleaser
  • 21. Agenda – transition milestone
    Application Security? / Software Security?
    The actors, the stage, the script, …
    The theory or “the sky is blue”
    The practice or “let’s take the red pill”
    The challenges & how to overcome them
    Conclusion
  • 22. Theory – ISV vs Others
    Independent Software Vendor (ISV)
    – 1st activity = Software Development
    – Revenue ($) = Software
    – Methodology = SDLC
    – Software is your business
    Others (Financial / Banking / …)
    – 1st activity != developing software
    – Revenue ($) doesn’t come from SW
    – Methodology = Project Management
    – Software supports your business processes
  • 23. Theory – ISV (start AppSec)
    Step 1 – Take your existing SDLC methodology
    Step 2 – Embed security “touchpoints” into it
    – Increase the number of them [diagram: touchpoints T1, T2, T3 along the SDLC]
    – Increase the depth of them
  • 24. Theory – Others (start AppSec) 1
    Step 1 - ???
    Now it gets tricky…
    Developing software isn’t your 1st activity
    Most likely software supports business processes
    Most likely software is being
    – Developed, Acquired, Integrated & Modified … through Projects
    Most likely you work on Projects
  • 25. Theory – Others (start AppSec) 2
    Let’s try this again…
    Naïve approach (in theory)
    [diagram: Project → Touch Software? → Sec SDLC]
    What can go wrong??
  • 26. Theory vs Practice
    In Theory … In the “Best World”
    – Unlimited resources (time, money, people, …)
    – PM, Soft Dev & AppSec resources work “hand in hand” together toward the same objectives (bonus)
    – Covering all the applications
    – All projects systematically engage AppSec
    Are you ready to take the red pill? You wanna see how deep the rabbit-hole goes?
  • 27. Agenda – transition milestone
    Application Security? / Software Security?
    The actors, the stage, the script, …
    The theory or “the sky is blue”
    The practice or “let’s take the red pill”
    The challenges & how to overcome them
    Conclusion
  • 28. Practice – Reality = Constraints!
    Real world
    Limited resources
    Must get the most for our bucks (ROI)
    People are selfish (no kidding?!)
    $$$ is everything
    – “If we build this feature in the app we’ll get $$ more”
    Time to Market (feature, service, product, …)
    People with different skills speak different languages
  • 29. Practice – Sounds familiar to you?
    [cartoon: three characters talking past each other]
    – Mr. “Pain in the …”: CSRF, Reflected XSS, Cross-something, Privilege Escalation, Buffer Overflow, Blah, blah, …
    – Ms. “Not in my Scope”: Scope Creep, Not in my scope, Re-Baseline, Earned Value, Blah, blah, blah…
    – Mr. “I’m smart”: Deployment Descriptor, APIs, Library, It works, you’re not supposed to do that! WTF! Blah, Blah, …
  • 30. Practice – How to “crash” Theory
    – Too many projects touching “software”
      • How to keep track of these projects?
      • Too many applications to keep track of
      • How to keep track of your applications (inventory)?
    – Reluctance of PM / SoftDev to engage the AppSec team
    – How can you perform an ARA or a Detailed Risk Assessment if the input artefacts don’t exist?
    – What about late engagement?
    – What about Software Acquisition?
  • 31. Practice – (New?) Needs
    Need to track & enforce AppSec engagements
    – Who? / Where?
    Need to prioritize
    – What? & How?
    Need to evaluate risk while acquiring software
    – How?
  • 32. Practice – Let’s step back a lil’ bit
    What is the primary objective of your AppSec team?
    Making sure that your organization is
    – Building Secure Software
    – Integrating securely COTS Software that is Secure
    – Modifying legacy Software without impacting the Security of the whole Information System
    Protecting the information assets of the org
  • 33. Practice – Security 101 (data)
    Back to the basics… CIA triad
    CIA is about Data / Information
    We need an Information Classification Scheme!
    – Hope you got one…
    – Hope you have a process to deal with new “data”
      • Own it (Information Asset Owner)
      • Classify it (Repository)
    Is Information Classification enough??
  • 34. Practice – Security 101 (system)
    What about a System Classification Scheme?
    How to classify systems?
    – Based on their priority in terms of supporting a business process owned by the business….
    We need
    – Business Process owner
    – Product / Service owner
  • 35. Practice – System & Business
    We need to assess the impact on their business process(es) if this particular software fails
    – Not available
    – Data is disclosed
    – Data / System is being tampered with
    Need for criteria – if we want to prioritize, we need a methodology…
  • 36. Practice – Toward solution
    We need to prioritize AppSec engagement
    – Criteria
      • Information Classification
      • Business Impact if System CIA compromised
    We need a project inventory
    We need an application inventory
    We need to enforce & monitor engagement for the projects / applications falling under our scope
  • 37. 37 Agenda – transition milestone Application Security? / Software Security? The actors, the stage, the script, … The theory or “the sky is blue” The practice or “let’s take the red pill” The challenges & how to overcome them Conclusion
  • 38. 38 Challenges - Inventory Prioritize, Enforce & Monitor Engagements Know your Applications Know their “importance” in the eyes of the Business Owner & underlying Business Processes Have Incentives for PM & Soft Dev to Engage your AppSec team & “be friend” with them Perform ARA when input material isn't available Software acquisition (pen testing vs making sure the ISV have a well defined SSF)
  • 39. 39 Challenges – Elements of solution Prioritizing Engagements – Know the project portfolio – Define Engagement criteria with thresholds based on • Information Classification • Business Impact Assessment Enforcing & Monitoring Engagements – Define tollgates in the Project Management methodology – Make sure someone is empowered to enforce these tollgates and escalade
  • 40. 40 Challenges – Elements of solution Knowing your Applications – Have an Application Inventory – Keep the relevant information in it – Maintain it (have a process to update it) Knowing their “importance” in the eyes of the Business Owner & Business Processes they support – Assess your existing legacy applications by performing some kind of Business Impact Analysis – Know and understand the business process they support – Update your Application Inventory accordingly
  • 41. 41 A Picture is worth a 1000 of words Project Portfolio App Inventory Project 1 Application 1 BI • Business Impact rating IC Project 2 Application 2 criteria • Business impact rating Project 3 Engagement Application 3 Project 4 • Business impact rating
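The engagement model of slides 36, 39 and 41 (Information Classification plus Business Impact rating per application, thresholds deciding the engagement level, tollgates in the PM phases) as an added, runnable example; it is not code from the talk. The classification levels, impact scale, thresholds, PM phases and the sample portfolio are assumptions constructed for illustration.

```python
"""Prioritising AppSec engagements over a project portfolio and an application inventory.

Added example, not from the original slides. Levels, thresholds and sample data are
assumptions; adapt them to your own classification scheme and PM methodology.
"""
from __future__ import annotations
from dataclasses import dataclass
from enum import IntEnum


class InfoClass(IntEnum):
    """Assumed four-level Information Classification scheme."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


class Impact(IntEnum):
    """Assumed Business Impact scale if the system's C, I or A is compromised."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class Application:
    name: str
    owner: str                      # business process / product owner
    info_class: InfoClass           # highest classification of data it handles
    impact_availability: Impact     # impact if not available
    impact_confidentiality: Impact  # impact if data is disclosed
    impact_integrity: Impact        # impact if data / system is tampered with

    def business_impact(self) -> Impact:
        """Overall Business Impact rating kept in the App Inventory (worst of the three)."""
        return max(self.impact_availability, self.impact_confidentiality, self.impact_integrity)


@dataclass
class Project:
    name: str
    applications: list[str]   # names of the applications the project touches
    phase: str                # Initiating / Planning / Executing / Controlling / Closing
    appsec_engaged: bool = False


FULL, LIGHT, NONE = "full", "light", "none"   # ARA + testing / review only / no engagement
ORDER = {NONE: 0, LIGHT: 1, FULL: 2}


def engagement_level(app: Application) -> str:
    """Assumed thresholds: SECRET data or HIGH impact -> full; CONFIDENTIAL or MEDIUM -> light."""
    if app.info_class >= InfoClass.SECRET or app.business_impact() >= Impact.HIGH:
        return FULL
    if app.info_class >= InfoClass.CONFIDENTIAL or app.business_impact() >= Impact.MEDIUM:
        return LIGHT
    return NONE


def project_engagement(project: Project, inventory: dict[str, Application]) -> str:
    """A project inherits the strictest level of the applications it touches.
    An application absent from the inventory is unknown risk, so it is rated FULL
    (this is the software-acquisition case: a new COTS product nobody has classified yet)."""
    level = NONE
    for name in project.applications:
        app = inventory.get(name)
        candidate = FULL if app is None else engagement_level(app)
        if ORDER[candidate] > ORDER[level]:
            level = candidate
    return level


def prioritised_portfolio(portfolio: list[Project], inventory: dict[str, Application]) -> list[tuple[str, str]]:
    """(level, project name) pairs, strictest engagement first: the AppSec team's backlog."""
    pairs = [(project_engagement(p, inventory), p.name) for p in portfolio]
    return sorted(pairs, key=lambda t: (-ORDER[t[0]], t[1]))


# Assumed tollgate: AppSec must have been engaged before the project leaves Planning.
TOLLGATE_PASSED = {"Executing", "Controlling", "Closing"}


def tollgate_violations(portfolio: list[Project], inventory: dict[str, Application]) -> list[str]:
    """Projects past the tollgate that need an engagement but never engaged AppSec: escalate these."""
    return sorted(p.name for p in portfolio
                  if p.phase in TOLLGATE_PASSED
                  and project_engagement(p, inventory) != NONE
                  and not p.appsec_engaged)


# Constructed sample inventory and portfolio (not real systems).
INVENTORY = {a.name: a for a in [
    Application("e-banking portal", "Retail Banking", InfoClass.SECRET, Impact.HIGH, Impact.HIGH, Impact.HIGH),
    Application("HR timesheet", "Human Resources", InfoClass.INTERNAL, Impact.LOW, Impact.MEDIUM, Impact.LOW),
    Application("cafeteria menu", "Facilities", InfoClass.PUBLIC, Impact.LOW, Impact.LOW, Impact.LOW),
]}
PORTFOLIO = [
    Project("P1 new mobile channel", ["e-banking portal"], "Executing", appsec_engaged=True),
    Project("P2 timesheet upgrade", ["HR timesheet"], "Executing"),
    Project("P3 menu redesign", ["cafeteria menu"], "Closing"),
    Project("P4 acquired COTS CRM", ["crm suite"], "Planning"),   # not yet in the inventory
]

if __name__ == "__main__":
    for level, name in prioritised_portfolio(PORTFOLIO, INVENTORY):
        print(f"{level:5s}  {name}")
    print("tollgate violations:", tollgate_violations(PORTFOLIO, INVENTORY))
```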
42

Challenges – Elements of solution
 Have Incentives for PM & Soft Dev to Engage your AppSec team & “be friends” with them
 – Have management support to provide feedback on PM / Soft Dev performance
 – Identify the talented (trusted) individuals and teach them more about Application Security (offensive security & defensive programming) to create a satellite
43

Practice – How about this instead?
 Mr. “Security Specialist”: Risk, Mitigation, Control, Business Lost
 Ms. “Project Manager”: Engage with our Security Specialist, Change Request. I’ll add it to my Risk Register. I’ll initiate a Change Request. I’ve put these mitigations in place.
 Mr. “Developer”: Obviously, now I know. Oh I get it, wow! Look at this, you can use this API. I’ve seen something similar there, I’ll fix it.
44

Agenda – transition milestone
 Application Security? / Software Security?
 The actors, the stage, the script, …
 The theory or “the sky is blue”
 The practice or “let’s take the red pill”
 The challenges & how to overcome them
 Conclusion
45

Conclusion
 Learn about the other actors’ languages & skills
 Know & understand the business you’re working in
 Take a risk-based approach to AppSec practices
 Build bridges between them (PM & Soft Dev) and you (AppSec)
 – Gain their respect: show your skills
 – Empower them
 Use tools
46

Final Thought – Quoting BSIMM
 “If you must create software security types from scratch, start with developers and teach them about security and (project management). Do not attempt to start with network security people and teach them about software, compilers, SDLCs, bug tracking, and everything else in the software universe. No amount of traditional security knowledge can overcome software cluelessness.”viii
48

Merci / Thank you!
 Contact: Simon Blanchet
 simon.blanchet@gmail.com
 http://www.linkedin.com/in/sblanchet
 Slides: http://slideshare.net/ASF-WS/presentations
49

About the author
Simon Blanchet, CISSP, PMP

Simon Blanchet is an Associate Director and Head of Application Security for a Private Bank. He is responsible, with the help of his team of application security specialists, for ensuring the security of internally developed applications as well as the secure integration of commercial off-the-shelf applications within the banking information systems. Simon’s team provides internal security-consulting expertise to project management, business and development staff. He and his team are responsible for all aspects of application security, including risk assessment, application security risk analysis, threat modeling, security testing and raising awareness about application security best practices.

Simon Blanchet has been working professionally in the fields of Information Systems Security and Security Software Design & Development for the past 12 years. Simon wrote his first lines of code in GW-BASIC on a TRS-80 at the age of 6 and spent most of his teenage years hooked on North American BBSes, where he became fascinated with the so-called “underground hacking scene”. He started his professional career as a Software Developer and Development Team Leader (cryptographic & security-related software) in Montreal, Canada. Prior to moving into the Swiss Private Banking industry, Simon had the opportunity to contribute to the first version of the SDK implementing Stefan Brands’ Digital Credentials, upon which Microsoft U-Prove is now built. Simon’s career progressively evolved from being a seasoned security software developer to managing software security, combining a software developer background with a true passion for application security architecture, software security and software exploitation techniques. Simon likes to solve security-related problems at the crossroads of software development and IT Security.

Simon holds a B.Sc. in Computer Science from Laval University in Canada. He is a Certified Information Systems Security Professional (CISSP) and a Project Management Professional (PMP).
50

References
 i. A CISO’s Guide To Application Security – Part 1: Defining AppSec
 ii. Software Security: Building Security In, Gary McGraw, 2006
 iii. Software Security: The Trinity of Trouble, Gary McGraw, 2006
 iv. Software Security Engineering: A Guide for Project Managers
 v. Application Security (Wikipedia entry)
 vi. CISM Review Manual 2012
 vii. Project Management Body of Knowledge (PMBOK Guide)
 viii. Build Security In Maturity Model (BSIMM3), p. 5 – The Software Security Group (SSG)