ISSA Cyber Security Conference 4 2016 Intel Public 1
How Not To Build A Trojan Horse
Harold Toomey, Intel
8 October 2016
Worst Case Scenario
Your job is to …
1. Protect the brand
2. Be your customer’s trusted security advisors
3. Build secure software
Table of Contents
• Worst case scenario
• Building secure software
1. Team
2. Agile Secure Development Lifecycle (SDL)
3. Product Security Maturity Model (PSMM)
4. Product Security Incident Response Team (PSIRT)
• Challenges
• Experience
Building Secure Software
Executive support
Engineering support
• Development
• IT
Product security program
Product Security Program
1. Team
2. Agile SDL – Proactive
3. PSMM
4. PSIRT – Reactive
1. Who? – Team
1.1 Product Security Architects (PSAs)
1.2 Product Security Champions (PSCs)
1.3 Others
1.1 Product Security Architects (PSAs)
Mentor
Technical activities
Operational activities
Mentor
Security training
Bi-weekly technical roundtables
Empower PSC leads
Technical
16 technical SDL activities: security architecture reviews, threat modeling, tools
1. Security Requirements Plan / DoD
2. Security Architecture Review
3. Security Design Review
4. Threat Modeling
5. Security Testing
6. Static Analysis
7. Dynamic Analysis (Web Apps)
8. Fuzz Testing
9. Vulnerability Scan
10. Penetration Testing
11. Manual Code Review
12. Secure Coding Standards
13. Open Source and 3rd Party Libraries
14. License and Vendor Management
15. Privacy
16. Operating Environment
Operational
9 operational SDL activities; manage the satellite team
1. Program
2. SDL
3. PSIRT
4. Tools and Services
5. Resources
6. Policy and Compliance
7. Process
8. Training
9. Metrics
1.2 Product Security Champions (PSCs)
1 per Product, Product Group, Solution, and GEO
Qualifications
Responsibilities
[Figure: org tree of a Solution made up of Product Groups, each containing several Products, with a PSC at every node.]
PSC Qualifications
Enthusiastic
4+ years experience
20% time commitment
VP Engineering approval
PSC Responsibilities
Agile SDL activities
Incident response (PSIRT)
Attend meetings and training
Co-located in the engineering teams
1.3 Other Team Contributors
Product Security Evangelists (PSEs)
Privacy
Extended team
• Public Relations (PR)
• Technical Support
• IT Security
• Learning
• Legal
2. Agile SDL Activities (What?)
Three groups of activities: Mandatory, Conditional, Execution
[Figure: the Agile release flow with security checkpoints. Investment Themes and Epics (Viability, Feasibility, Desirability) feed the Plan of Intent and the Program Backlog; Release Planning turns these into Team Backlog Stories; Sprint Planning, Development & Test with a Daily Scrum, and Sprint Review & Retrospective run in 1-4 week sprints; each Release Quality Increment (PSI) becomes a Finished Product that is Released to Customer. Motto: "Develop on a Cadence, Release on Demand". A security checkpoint sits at every gate: Plan-Of-Intent Checkpoint, Release Planning Checkpoint, Sprint Planning Checkpoint, Sprint / Release Readiness Checkpoint, Release Launch Checkpoint.]
2.1 Mandatory SDL Activities
1. Static Analysis
• Dynamic Analysis TBD
2. Privacy Review
3. Security Definition of Done
• Agile storyboard
4. 7 Key Questions
2.2 Conditional SDL Activities
7 Key Questions
1. Release Scope
– Major, Minor, Patch, Hotfix
2. Architecture
– No change, Some change, Redesign, Greenfield
3. Using 3rd Party / Open Source Software
4. Hosting
– By us, By partner (SaaS)
5. Privacy
– Collecting customer data (PII)
6. Interfaces
– Web, Web Services, Non-Web
7. Releasing with an Operating System
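The seven answers decide which of the 16 technical activities land on a release's security Definition of Done. The following is an added example, not the deck's or Intel's own templates: the activity codes and names and the mandatory set (slide 2.1) are the deck's, while the conditional rules are an assumed mapping chosen for illustration, and the type and function names are hypothetical.

```python
from dataclasses import dataclass

# The deck's 16 technical SDL activities (T01-T16).
ACTIVITIES = {
    "T01": "Security Requirements Plan / DoD",
    "T02": "Security Architecture Review",
    "T03": "Security Design Review",
    "T04": "Threat Modeling",
    "T05": "Security Testing",
    "T06": "Static Analysis",
    "T07": "Dynamic Analysis (Web Apps)",
    "T08": "Fuzz Testing",
    "T09": "Vulnerability Scan",
    "T10": "Penetration Testing",
    "T11": "Manual Code Review",
    "T12": "Secure Coding Standards",
    "T13": "Open Source and 3rd Party Libraries",
    "T14": "License and Vendor Management",
    "T15": "Privacy",
    "T16": "Operating Environment",
}

# Slide 2.1: static analysis, privacy review and the security Definition of Done
# (T01 on the technical list) are mandatory for every release.
MANDATORY = ("T01", "T06", "T15")


@dataclass(frozen=True)
class KeyQuestions:
    """Answers to the deck's 7 key questions; allowed values are the slide's options."""
    release_scope: str        # "major" | "minor" | "patch" | "hotfix"
    architecture: str         # "none" | "some" | "redesign" | "greenfield"
    third_party: bool         # using 3rd party / open source software
    hosting: str              # "none" | "us" | "partner"  (partner = SaaS)
    collects_pii: bool        # collecting customer data (PII)
    interfaces: frozenset     # any of "web", "web-services", "non-web"
    ships_with_os: bool       # releasing with an operating system


def select_activities(q: KeyQuestions) -> dict:
    """Return {code: (name, [reasons])} for the activities this release must run.
    The conditional rules are an assumed mapping for illustration, not the
    program's real templates; replace them with your own policy."""
    reasons = {}

    def need(codes, why):
        for code in codes:
            reasons.setdefault(code, []).append(why)

    need(MANDATORY, "mandatory for every release")
    if q.release_scope != "hotfix":
        need(["T05"], f"{q.release_scope} release gets a security test pass")
    if q.release_scope == "major":
        need(["T10", "T11", "T12"], "major release: pen test, manual review, coding-standard audit")
    if q.architecture != "none":
        need(["T04"], f"architecture '{q.architecture}': revisit the threat model")
    if q.architecture in ("redesign", "greenfield"):
        need(["T02", "T03"], "new architecture: architecture and design reviews")
    if q.third_party:
        need(["T13", "T14"], "3rd party / OSS in use: blacklist and license checks")
    if q.hosting != "none":
        need(["T09", "T16"], f"hosted by {q.hosting}: scan and harden the operating environment")
    if q.collects_pii:
        need(["T04"], "PII collected: threat model the data flows")
    if q.interfaces & {"web", "web-services"}:
        need(["T07"], "web-facing interface: dynamic analysis")
    if q.interfaces:
        need(["T08"], "externally reachable inputs: fuzz them")
    if q.ships_with_os:
        need(["T09", "T16"], "ships with an OS: scan and harden the image")
    return {code: (ACTIVITIES[code], reasons[code]) for code in sorted(reasons)}


def definition_of_done(q: KeyQuestions) -> list:
    """One storyboard line per selected activity, ready for the sprint's security DoD."""
    return [f"{code} {name}: " + "; ".join(why)
            for code, (name, why) in select_activities(q).items()]


if __name__ == "__main__":
    release = KeyQuestions("major", "greenfield", True, "us", True,
                           frozenset({"web", "web-services"}), False)
    print("\n".join(definition_of_done(release)))
```

A hotfix with no architecture change and no external inputs yields only the three mandatory activities; a greenfield, hosted, web-facing major release that pulls in open source selects all 16. Keeping the reason alongside each activity is what lets a PSC defend an exception later: the storyboard shows why the activity was required, not just that it was.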
2.3 Execution
How?
• Templates
– Tasks
– Tools
– Resident experts
– Resources
When?
Why?
When? Technical Activities
[Figure: the technical activities placed by code state on one axis and by "mostly manual or automatic?" (machine vs. human) on the other; T16 Operating Environment is not placed on this slide.]
❶ Project Started (mostly human): T01 Security Requirements Plan / DoD; T02 Security Architecture Review; T03 Security Design Review; T04 Threat Modeling; T12 Secure Coding Standards; T13 Open Source Licensing; T14 3rd Party Libraries (Blacklist); T15 Privacy Review
❷ Have Code: T06 Static Analysis (machine); T11 Manual Code Review (human)
❸ Have Executables: T07 Dynamic Analysis (Web inputs), T08 Fuzz Testing (All inputs, anomaly-based) and T09 Vulnerability Scan (Signature-based) (machine); T05 Security Testing and T10 Penetration Testing (human)
Why? VM Flowchart
3. Product Security Maturity Model (PSMM)
None, Minimal, Good, Better, Best
• Maturity levels
0. None
1. Basic
2. Initial
3. Acceptable
4. Mature
• Math
Set a team goal for each SDL activity
Measure 2x a year and report
(9 + 16) × 4 = 100: nine operational plus sixteen technical activities, each scored at a level from 0 to 4, so a fully mature program scores 100
4. PSIRT (Reactive)
Product Security Incident Response Team
Verify vulnerabilities
Patch within CVSS SLA
Publish security bulletin
4.1 Verify Vulnerabilities
False alarms (Apache/Tomcat)
Real vulnerabilities
Cutely named vulnerabilities
• Heartbleed (OpenSSL)
4.2 Patch Within CVSS SLA
Common Vulnerability Scoring System v3 (CVSS)
Service Level Agreement (SLA)
Low, Medium, High, Critical severity

Severity        CVSS Score   Max. Fix Time   Notification
P1 - Critical   8.5-10.0     1-2 days        ALERT
P2 - High       7.0-8.4      1 week          Notice
P3 - Medium     4.0-6.9      1 month         Notice
P4 - Low        0.0-3.9      1-3 quarters    Optional
P5 - Info       NA           NA              NA

Note that these bands are the program's own SLA thresholds, not the CVSS v3 qualitative scale: the specification starts Critical at 9.0, so an 8.5-8.9 issue that NVD labels High is handled here as P1 Critical.
4.3 Publish Security Bulletin
SB – Security Bulletin
KB – KnowledgeBase article
SS – Sustaining Statement
NN – Not Needed or Release Notes

CVSS score         Severity   Publication
CVSS = 0           –          NN
0 < CVSS < 4       Low        SS (KB if the issue gets lots of attention)
4 ≤ CVSS < 7       Medium     KB
7 ≤ CVSS ≤ 10      High       SB + TXT Notice; SB + TXT Alert for P1 Critical (8.5 and above)
Challenges
Waterfall → Agile → Continuous
Tools
Skill levels
Legacy architectures
Technical debt
Getting to PSMM 4-Mature
PSIRT exponential growth
Experience - People
Identify the experts
– No one person can do it all
Trust the Product Security Champions (PSCs)
– They are smart and want to do what is right
– They balance security with their time, expertise, resources and schedule
Collaborate often
– Meet as PSCs weekly (business and technical)
– Use email PDLs
Don’t just train…mentor!
– Have an open door policy and help them to mature and grow
Experience - Process
Keep it flexible
– Don’t micro-manage
– Don’t default to “all activities are mandatory”
We don’t need to write a 200-page book on each SDL activity
– Instead point engineers to the best material & BKMs (best known methods)
Some requirements are simply mandatory
– Filing exceptions for incomplete SDL activities or for shipping with high severity vulnerabilities
– Blacklist for 3rd party components
– Security and privacy governance (SDL-Gov) audits
The Agile SDL and PSMM go hand-in-hand
Experience - Technology
Purchase tools as one company
– Volume discounts, flexible license terms
Human vs. Machine
– Some activities require much more human interaction than others
– Where possible, automate: “Make the computer do the work”
– Automation is required for successful continuous delivery
Bring the tools to the engineers
– Version One / JIRA Software vs. SharePoint
– Provide customized templates and real-world examples
Good tools can minimize exceptions
– It is hard to do fuzz testing without an easy to use tool with good content
Questions?
Harold Toomey
Sr. Product Security Architect &
PSIRT Manager
Product Security Group
Intel Security (McAfee)
Harold.A.Toomey@Intel.com
W: (972) 963-7754
M: (801) 830-9987

Ntxissacsc5 gold 1--mimecast email resiliency- erez-haimowiczNtxissacsc5 gold 1--mimecast email resiliency- erez-haimowicz
Ntxissacsc5 gold 1--mimecast email resiliency- erez-haimowiczNorth Texas Chapter of the ISSA
 
Ntxissacsc5 blue 7-zerotrust more effective approach to security-ed higgins
Ntxissacsc5 blue 7-zerotrust more effective approach to security-ed higginsNtxissacsc5 blue 7-zerotrust more effective approach to security-ed higgins
Ntxissacsc5 blue 7-zerotrust more effective approach to security-ed higginsNorth Texas Chapter of the ISSA
 
Ntxissacsc5 blue 6-securityawareness-laurianna_callaghan
Ntxissacsc5 blue 6-securityawareness-laurianna_callaghanNtxissacsc5 blue 6-securityawareness-laurianna_callaghan
Ntxissacsc5 blue 6-securityawareness-laurianna_callaghanNorth Texas Chapter of the ISSA
 
Ntxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeq
Ntxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeqNtxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeq
Ntxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeqNorth Texas Chapter of the ISSA
 
Ntxissacsc5 blue 3-shifting from incident to continuous response bill white
Ntxissacsc5 blue 3-shifting from  incident to continuous response bill whiteNtxissacsc5 blue 3-shifting from  incident to continuous response bill white
Ntxissacsc5 blue 3-shifting from incident to continuous response bill whiteNorth Texas Chapter of the ISSA
 
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomey
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomeyNtxissacsc5 blue 2-herding cats and security tools-harold_toomey
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomeyNorth Texas Chapter of the ISSA
 
Ntxissacsc5 blue 1-nine cybersecurity habits-george_finney
Ntxissacsc5 blue 1-nine cybersecurity habits-george_finneyNtxissacsc5 blue 1-nine cybersecurity habits-george_finney
Ntxissacsc5 blue 1-nine cybersecurity habits-george_finneyNorth Texas Chapter of the ISSA
 

Más de North Texas Chapter of the ISSA (20)

Ntxissacsc5 yellow 7 protecting the cloud with cep
Ntxissacsc5 yellow 7 protecting the cloud with cepNtxissacsc5 yellow 7 protecting the cloud with cep
Ntxissacsc5 yellow 7 protecting the cloud with cep
 
Ntxissacsc5 gold 4 beyond detection and prevension remediation
Ntxissacsc5 gold 4 beyond detection and prevension   remediationNtxissacsc5 gold 4 beyond detection and prevension   remediation
Ntxissacsc5 gold 4 beyond detection and prevension remediation
 
Ntxissacsc5 gold 1 mimecast e mail resiliency
Ntxissacsc5  gold 1 mimecast e mail resiliencyNtxissacsc5  gold 1 mimecast e mail resiliency
Ntxissacsc5 gold 1 mimecast e mail resiliency
 
Ntxissacsc5 yellow 6-abusing protocols for dynamic addressing in space-jacenr...
Ntxissacsc5 yellow 6-abusing protocols for dynamic addressing in space-jacenr...Ntxissacsc5 yellow 6-abusing protocols for dynamic addressing in space-jacenr...
Ntxissacsc5 yellow 6-abusing protocols for dynamic addressing in space-jacenr...
 
Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1
Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1
Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1
 
Ntxissacsc5 yellow 1-beginnerslinux bill-petersen
Ntxissacsc5 yellow 1-beginnerslinux bill-petersenNtxissacsc5 yellow 1-beginnerslinux bill-petersen
Ntxissacsc5 yellow 1-beginnerslinux bill-petersen
 
Ntxissacsc5 red 6-diy-pentest-lab dustin-dykes
Ntxissacsc5 red 6-diy-pentest-lab dustin-dykesNtxissacsc5 red 6-diy-pentest-lab dustin-dykes
Ntxissacsc5 red 6-diy-pentest-lab dustin-dykes
 
Ntxissacsc5 red 1 &amp; 2 basic hacking tools ncc group
Ntxissacsc5 red 1 &amp; 2   basic hacking tools ncc groupNtxissacsc5 red 1 &amp; 2   basic hacking tools ncc group
Ntxissacsc5 red 1 &amp; 2 basic hacking tools ncc group
 
Ntxissacsc5 purple 5-insider threat-_andy_thompson
Ntxissacsc5 purple 5-insider threat-_andy_thompsonNtxissacsc5 purple 5-insider threat-_andy_thompson
Ntxissacsc5 purple 5-insider threat-_andy_thompson
 
Ntxissacsc5 purple 4-threat detection using machine learning-markszewczul
Ntxissacsc5 purple 4-threat detection using machine learning-markszewczulNtxissacsc5 purple 4-threat detection using machine learning-markszewczul
Ntxissacsc5 purple 4-threat detection using machine learning-markszewczul
 
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptx
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptxNtxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptx
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptx
 
Ntxissacsc5 purple 1-eu-gdpr_patrick_florer
Ntxissacsc5 purple 1-eu-gdpr_patrick_florerNtxissacsc5 purple 1-eu-gdpr_patrick_florer
Ntxissacsc5 purple 1-eu-gdpr_patrick_florer
 
Ntxissacsc5 gold 1--mimecast email resiliency- erez-haimowicz
Ntxissacsc5 gold 1--mimecast email resiliency- erez-haimowiczNtxissacsc5 gold 1--mimecast email resiliency- erez-haimowicz
Ntxissacsc5 gold 1--mimecast email resiliency- erez-haimowicz
 
Ntxissacsc5 blue 7-zerotrust more effective approach to security-ed higgins
Ntxissacsc5 blue 7-zerotrust more effective approach to security-ed higginsNtxissacsc5 blue 7-zerotrust more effective approach to security-ed higgins
Ntxissacsc5 blue 7-zerotrust more effective approach to security-ed higgins
 
Ntxissacsc5 blue 6-securityawareness-laurianna_callaghan
Ntxissacsc5 blue 6-securityawareness-laurianna_callaghanNtxissacsc5 blue 6-securityawareness-laurianna_callaghan
Ntxissacsc5 blue 6-securityawareness-laurianna_callaghan
 
Ntxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeq
Ntxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeqNtxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeq
Ntxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeq
 
Ntxissacsc5 blue 3-shifting from incident to continuous response bill white
Ntxissacsc5 blue 3-shifting from  incident to continuous response bill whiteNtxissacsc5 blue 3-shifting from  incident to continuous response bill white
Ntxissacsc5 blue 3-shifting from incident to continuous response bill white
 
Ntxissacsc5 blue 4-the-attack_life_cycle_erich_mueller
Ntxissacsc5 blue 4-the-attack_life_cycle_erich_muellerNtxissacsc5 blue 4-the-attack_life_cycle_erich_mueller
Ntxissacsc5 blue 4-the-attack_life_cycle_erich_mueller
 
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomey
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomeyNtxissacsc5 blue 2-herding cats and security tools-harold_toomey
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomey
 
Ntxissacsc5 blue 1-nine cybersecurity habits-george_finney
Ntxissacsc5 blue 1-nine cybersecurity habits-george_finneyNtxissacsc5 blue 1-nine cybersecurity habits-george_finney
Ntxissacsc5 blue 1-nine cybersecurity habits-george_finney
 

Último

Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Paul Calvano
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一z xss
 
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Lucknow
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhimiss dipika
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationLinaWolf1
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Sonam Pathan
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Sonam Pathan
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)Christopher H Felton
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Excelmac1
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作ys8omjxb
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一Fs
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Dana Luther
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa494f574xmv
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012rehmti665
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一Fs
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMartaLoveguard
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxDyna Gilbert
 

Último (20)

Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
 
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhi
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in  Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in  Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 Documentation
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa
 
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptx
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
 

NTXISSACSC4 - How Not to Build a Trojan Horse

  • 10. Operational – 9 operational SDL activities; manage the satellite team
    1. Program
    2. SDL
    3. PSIRT
    4. Tools and Services
    5. Resources
    6. Policy and Compliance
    7. Process
    8. Training
    9. Metrics
  • 11. 1.2 Product Security Champions (PSCs) – 1 per Product, Product Group, Solution, and GEO; Qualifications; Responsibilities. [Figure: org tree of Solutions → Product Groups → Products, with one PSC at each level]
  • 12. PSC Qualifications – Enthusiastic; 4+ years experience; 20% time commitment; VP Engineering approval
  • 13. PSC Responsibilities – Agile SDL activities; incident response (PSIRT); attend meetings and training; collocated in engineering teams
  • 14. 1.3 Other Team Contributors – Product Security Evangelists (PSEs); Privacy; Extended team: Public Relations (PR), Technical Support, IT Security, Learning, Legal
  • 15. 2. Agile SDL Activities (What?) – Mandatory; Conditional; Execution. [Figure: agile release flow – Investment Themes, Epics (Viability, Feasibility, Desirability) → Plan of Intent → Program Backlog → Release Planning → Team Backlog → Sprint Planning → Stories → Development & Test (1-4 week sprints, Daily Scrum) → Sprint Review & Retrospective → Release Quality Increment (PSI) → Finished Product → Release to Customer, with security checkpoints at Plan-Of-Intent, Release Planning, Sprint Planning, Sprint / Release Readiness and Release Launch. "Develop on a Cadence, Release on Demand"]
  • 16. 2.1 Mandatory SDL Activities
    1. Static Analysis (Dynamic Analysis TBD)
    2. Privacy Review
    3. Security Definition of Done (on the Agile storyboard)
    4. 7 Key questions
  • 17. 2.2 Conditional SDL Activities – 7 Key Questions
    1. Release Scope – Major, Minor, Patch, Hotfix
    2. Architecture – No change, Some change, Redesign, Greenfield
    3. Using 3rd Party / Open Source Software
    4. Hosting – By us, By partner (SaaS)
    5. Privacy – Collecting customer data (PII)
    6. Interfaces – Web, Web Services, Non-Web
    7. Releasing with an Operating System
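The seven questions above decide which conditional activities a release picks up on top of the mandatory set. The deck names the questions and the sixteen technical activities but does not publish which answer triggers which activity, so the following is an added example, not code from the deck or from Intel: the ReleaseProfile field names and every trigger rule below the mandatory set are this example's own assumptions, written to show how a team can encode its policy once so the per-release checklist is generated instead of negotiated sprint by sprint.

```python
"""Turn the deck's "7 key questions" into a per-release SDL checklist.

Added example, not code from the deck or from Intel. The question set
(slide 17), the mandatory activities (slide 16) and the T01-T16 activity
names (slide 9) are the deck's; the trigger rules in required_activities()
are assumptions made for this example and should be replaced by a team's
real policy.
"""
from dataclasses import dataclass

# Technical SDL activities, numbered as on slide 9.
ACTIVITIES = {
    "T01": "Security Requirements Plan / DoD",
    "T02": "Security Architecture Review",
    "T03": "Security Design Review",
    "T04": "Threat Modeling",
    "T05": "Security Testing",
    "T06": "Static Analysis",
    "T07": "Dynamic Analysis (Web Apps)",
    "T08": "Fuzz Testing",
    "T09": "Vulnerability Scan",
    "T10": "Penetration Testing",
    "T11": "Manual Code Review",
    "T12": "Secure Coding Standards",
    "T13": "Open Source and 3rd Party Libraries",
    "T14": "License and Vendor Management",
    "T15": "Privacy",
    "T16": "Operating Environment",
}

# Slide 16: static analysis, privacy review and the security Definition of
# Done apply to every release.
MANDATORY = frozenset({"T01", "T06", "T15"})


@dataclass(frozen=True)
class ReleaseProfile:
    """Answers to the 7 key questions for one release (field names assumed)."""
    release_scope: str        # "major" | "minor" | "patch" | "hotfix"
    architecture: str         # "no_change" | "some_change" | "redesign" | "greenfield"
    third_party_code: bool    # using 3rd party / open source software
    hosting: str              # "us" | "partner"
    collects_pii: bool        # collecting customer data
    interfaces: frozenset     # subset of {"web", "web_services", "non_web"}
    ships_with_os: bool       # releasing with an operating system

    def __post_init__(self):
        # Reject free-text answers early; a typo must not silently drop an activity.
        if self.release_scope not in {"major", "minor", "patch", "hotfix"}:
            raise ValueError(f"bad release_scope {self.release_scope!r}")
        if self.architecture not in {"no_change", "some_change", "redesign", "greenfield"}:
            raise ValueError(f"bad architecture {self.architecture!r}")
        if self.hosting not in {"us", "partner"}:
            raise ValueError(f"bad hosting {self.hosting!r}")
        unknown = set(self.interfaces) - {"web", "web_services", "non_web"}
        if unknown:
            raise ValueError(f"unknown interfaces {sorted(unknown)}")


def required_activities(p: ReleaseProfile) -> dict:
    """Return {activity id: reason} for everything this release must do.

    Every rule after the mandatory line is an assumed policy, not the deck's.
    The first rule that requires an activity supplies its recorded reason.
    """
    required = {a: "mandatory (slide 16)" for a in MANDATORY}

    def need(ids, reason):
        for a in ids:
            required.setdefault(a, reason)

    # Q2 architecture: new or redesigned architecture gets the design-time trio.
    if p.architecture in {"redesign", "greenfield"}:
        need(("T02", "T03", "T04"), f"architecture={p.architecture}")
    elif p.architecture == "some_change":
        need(("T03", "T04"), "architecture=some_change")
    # Q3 third-party code: component review plus license / vendor check.
    if p.third_party_code:
        need(("T13", "T14"), "uses 3rd party / open source software")
    # Q4 hosting: anything a partner hosts (SaaS) is scanned and pen tested.
    if p.hosting == "partner":
        need(("T09", "T10"), "hosted by partner (SaaS)")
    # Q5 PII: the privacy review is already mandatory; also threat model the data flows.
    if p.collects_pii:
        need(("T04",), "collects customer data (PII)")
    # Q6 interfaces: web-facing input gets dynamic analysis, non-web parsers get fuzzed.
    if p.interfaces & {"web", "web_services"}:
        need(("T07",), "web interface")
    if "non_web" in p.interfaces:
        need(("T08",), "non-web input parser")
    # Q7 shipping an OS: the operating-environment activity applies.
    if p.ships_with_os:
        need(("T16",), "releases with an operating system")
    # Q1 release scope: majors also get pen test, manual review and coding-standard
    # checks; hotfixes get a targeted security test on top of the mandatory set.
    if p.release_scope == "major":
        need(("T10", "T11", "T12"), "major release")
    if p.release_scope == "hotfix":
        need(("T05",), "hotfix regression check")
    return required


def checklist(p: ReleaseProfile) -> list:
    """Sorted (id, name, reason) rows, ready to drop onto a backlog."""
    req = required_activities(p)
    return [(a, ACTIVITIES[a], req[a]) for a in sorted(req)]


if __name__ == "__main__":
    # Constructed sample: greenfield, partner-hosted web app using open source.
    profile = ReleaseProfile("major", "greenfield", True, "partner", True,
                             frozenset({"web", "web_services"}), False)
    for row in checklist(profile):
        print("%s  %-40s %s" % row)
```

Because the reason for each activity is recorded, an exception request ("we skipped T10") can be checked against why it was required in the first place, which is the audit trail the SDL-Gov audits on slide 28 need.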
  • 18. 2.3 Execution – How? (Templates: tasks, tools, resident experts, resources); When?; Why?
  • 19. When? – Technical activities grouped by code state and by whether the work is mostly human or mostly machine. [Figure, reconstructed from the flowchart:]
    ❶ Project Started (human): T01 Security Requirements Plan / DoD; T02 Security Architecture Review; T03 Security Design Review; T04 Threat Modeling; T12 Secure Coding Standards; T13 Open Source Licensing; T14 3rd Party Libraries (Blacklist); T15 Privacy Review
    ❷ Have Code – machine: T06 Static Analysis; human: T11 Manual Code Review
    ❸ Have Executables – machine: T07 Dynamic Analysis (Web inputs), T08 Fuzz Testing (All inputs, anomaly-based), T09 Vulnerability Scan (Signature-based); human: T05 Security Testing, T10 Penetration Testing
  • 20. Why? – VM Flowchart [figure not reproduced in the transcript]
  • 21. 3. Product Security Maturity Model (PSMM) – None, Minimal, Good, Better, Best
    Maturity levels: 0. None; 1. Basic; 2. Initial; 3. Acceptable; 4. Mature
    Math: set a team goal for each SDL activity; measure 2x a year and report. (9 + 16) × 4 = 100, i.e. 9 operational plus 16 technical activities, each scored 0-4, for a maximum of 100 points.
  • 22. 4. PSIRT (Reactive) – Product Security Incident Response Team: verify vulnerabilities; patch within CVSS SLA; publish security bulletin
  • 23. 4.1 Verify Vulnerabilities – False alarms (apache/tomcat); Real vulnerabilities; Cutely named vulnerabilities, e.g. Heartbleed (OpenSSL)
  • 24. 4.2 Patch Within CVSS SLA – Common Vulnerability Scoring System v3 (CVSS); Service Level Agreement (SLA); Low, Medium, High, Critical severity
    Severity       CVSS Score   Max. Fix Time   Notification
    P1 - Critical  8.5-10.0     1-2 Days        ALERT
    P2 - High      7.0-8.4      1 Week          Notice
    P3 - Medium    4.0-6.9      1 Month         Notice
    P4 - Low       0.0-3.9      1-3 Quarters    Optional
    P5 - Info      NA           NA              NA
  • 25. 4.3 Publish Security Bulletin – SB – Security Bulletin; KB – KnowledgeBase article; SS – Sustaining Statement; NN – Not Needed or Release Notes
    Severity bands: CVSS = 0; 0 < CVSS < 4 Low; 4 ≤ CVSS < 7 Medium; 7 ≤ CVSS ≤ 10 High
    Response, from least to most severe as laid out on the slide: NN; SS; KB (if lots of attention); KB; SB + TXT Notice; SB + TXT Alert
  • 26. Challenges – Waterfall → Agile → Continuous; Tools; Skill levels; Legacy architectures; Technical debt; Getting to PSMM 4-Mature; PSIRT exponential growth
  • 27. Experience - People
    Identify the experts – No one person can do it all
    Trust the Product Security Champions (PSCs) – They are smart and want to do what is right – They balance security with their time, expertise, resources and schedule
    Collaborate often – Meet as PSCs weekly (business and technical) – Use email PDLs
    Don’t just train…mentor! – Have an open door policy and help them to mature and grow
  • 28. Experience - Process
    Keep it flexible – Don’t micromanage – Don’t default to “all activities are mandatory”
    We don’t need to write a 200 page book on each SDL activity – Instead point engineers to the best material & BKMs
    Some requirements are simply mandatory – Filing exceptions for incomplete SDL activities or shipping with high severity vulnerabilities – Blacklist for 3rd party components – Security and privacy governance (SDL-Gov) audits
    The Agile SDL and PSMM go hand-in-hand
  • 29. Experience - Technology
    Purchase tools as one company – Volume discounts, flexible license terms
    Human vs. Machine – Some activities require much more human interaction than others – Where possible, automate: “Make the computer do the work” – Automation is required for successful continuous delivery
    Bring the tools to the engineers – Version One / JIRA Software vs. SharePoint – Provide customized templates and real-world examples
    Good tools can minimize exceptions – It is hard to do fuzz testing without an easy to use tool with good content
  • 30. Questions? – Harold Toomey, Sr. Product Security Architect & PSIRT Manager, Product Security Group, Intel Security (McAfee). Harold.A.Toomey@Intel.com, W: (972) 963-7754, M: (801) 830-9987