Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Published byCarlos Sweeney Modified over 10 years ago

Similar presentations

Presentation on theme: "Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP."— Presentation transcript:

1 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP http://www.owasp.org Maturing Beyond Application Security David Harper EMEA Services Director Fortify Software

2 OWASP Outline Why are we here? Network Security is not enough Application Security Initiatives have come of age Security is being embedded in the development life- cycle Securing in-house developments is only part of the solution Systematic prevention of all software risk

3 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP http://www.owasp.org Why are we here?

4 OWASP We Spend a Lot of Money on Information Security ($288B) 1 Encryption Firewall Anti Virus Access Control DB Security End Point Security Application Security Data Loss Prevention 1 Gartner Symposium/ITxpo, October 10, 2007

5 OWASP We Would Like to See info-sec spending Business impact (# of incidents & exploits)

6 OWASP We Are Faced With info-sec spending Business impact (# of incidents & exploits)

7 OWASP Applications are the New Frontier Increasingly Accessible Results are Profitable Application Vulnerabilities are the New Entry Point Easy to exploit Opportunities are plentiful Network-Based Security Solutions are ineffective for todays threat Pen Testing confirms the problem but does not provide a solution 7

8 OWASP An Inconvenient Truth Business LogicFlaws SecurityErrors Code Flaws Two weeks of ethical hacking 10 Person-years of development

9 OWASP Another Inconvenient Truth…

10 OWASP Security in the Development Lifecycle

11 OWASP Secure Development Life-Cycle See www.opensamm.orgwww.opensamm.org InitiateDefineImplementDesignDevelopTestOperate Governance Construction Deployment Verification Strategy & Metrics Policy & Compliance Education & Guidance Threat Assessment Security Requirements Secure Architecture Design Review Code Review Security Testing Vulnerability Management Environment Hardening Operational Enablement

12 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP http://www.owasp.org Application Security Initiatives have come of age

13 OWASP SDL Adoption Curve How can we learn from the early adopters?

14 OWASP OWASP CLASP – Best Practices Institute Awareness Program Perform Application Assessments Capture Security Requirements Implement Secure Development Practices Build Vulnerability Remediation Procedures Define and Monitor Metrics Publish Operational Security Guidelines 14

15 OWASP Fortify SSA - Best Practices Rapid identification and remediation of critical vulnerabilities Dont forget to fix or boil the ocean Prevent introduction of new vulnerabilities Integrate into existing SDLC with minimal process changes Provide flexibility to integrate with new Provide support for the developers Training in the context of their own code base Mentoring as required Monitor and control Automate gathering of statistics and publish Enforcement via security gate Continuous Improvement 15

16 OWASP What has actually been implemented? Building Security In Maturity Model Benchmark based on 9 leading application security initiatives Financial Services ISVs Technology Vendors Produced by security experts Brian Chess Gary McGraw Sammy Migues See www.bsi-mm.com for more detailswww.bsi-mm.com

17 OWASP Key Findings - Roles Executive Sponsorship Critical Drive Cross-Functional Program Accountability and Empowerment Software Security Group (SSG) Enforcement and Mentoring Seed with Software Security Experts Cross-train software people on security not the other way round Size 1-2% of development group Satellite Group Project level security leads

18 OWASP Key Findings - Governance Build Support throughout the organization SSG plays an evangelism role Meet regulatory or internal needs with a unified approach SSG creates a single policy Promote culture of security throughout the organization Provide awareness training See yourself in the problem Create/use material specific to company history

19 OWASP Key Findings - Construction Create proactive security guidance around security features SSG provides reference implementation of security features Understand the organizations history Collect and publish attack stories Meet demand for security features Create security standards

20 OWASP Key Findings – Verification Build internal capability on security architecture Have SSG lead review efforts Drive efficiency/consistency with code review automation Use automated tools along with manual review Use encapsulated attacker perspective Integrate black box security tools into the QA process (including protocol fuzzing)

21 OWASP Key Findings - Deployment Demonstrate that your organization is vulnerable Use external pen testers to find problems Provide a solid host/network foundation for software Ensure host/network security basics in place Use operational data to change developer behaviour Identify software bugs found in operational monitoring and feed back to development

22 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP http://www.owasp.org The Next Step

23 OWASP The Four Pillars of Software The software you build The software you commission others to build The software you buy (and the services you run) The open source software used in your business

24 OWASP Software Security Assurance (SSA) A risk management strategy for all sources of software risk Remediate Vulnerabilities found in software Remediate Vulnerabilities found in software Assess Software for security vulnerabilities Assess Software for security vulnerabilities Prevent Software security vulnerabilities Prevent Software security vulnerabilities

25 OWASP Outsourced Code Approach Leverage vendors SDL or implement an extended SDL Key Pointers Make SDL part of the contract, preferably before you sign Agree roles and responsibilities for all SDL activities Verification activities cannot be done by out-sourcer Demand access to metrics during development to demonstrate Assess – Remediate - Prevent

26 OWASP COTS Code Approach Manage the Supply Chain Implement Software Vendor Management Key Pointers Start with enterprise wide baseline audit of existing COTS apps and assess risk Establish security standards for the approval of new COTS apps as part of the procurement process Approach to addressing security vulnerabilities is key Require access to security audit results

27 OWASP Open Source Software Approach Select In-house, out-sourced or COTS strategy on a per application basis Key Pointers Kill the myth that Open Source Software is inherently secure Maintain inventory of all Open Source components Specify application security approach Assign accountability Contribute security fixes back to the community Utilize Fortify's Open Review Project http://opensource.fortify.com

28 OWASP Software Security Assurance 28 Software Security Assurance Measureable Reduction of Risk Preventing Introduction of New Risks Compliance with Application Security Mandates Risk in Development Lifecycle Risk in Existing Legacy Applications

29 OWASP Summary Why are we here? Network Security is not enough Application Security Initiatives have come of age Security embedded in the development life-cycle Securing in-house developments is only part of the solution Systematic prevention of all software risk

30 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP http://www.owasp.org Q&A David Harper dharper@fortify.com +44 118 983 2055

Download ppt "Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP."

Similar presentations

OWASP CLASP Overview.

OWASP CLASP Overview.
Software Assurance Maturity Model

Software Assurance Maturity Model
IBM Corporate Environmental Affairs and Product Safety

IBM Corporate Environmental Affairs and Product Safety
OWASP Secure Coding Practices Quick Reference Guide

OWASP Secure Coding Practices Quick Reference Guide
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © 2005 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.
Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, 2007. This work is the intellectual property rights of the author.

Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, This work is the intellectual property rights of the author.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
© 2008 All Right Reserved Fortify Software Inc. Hybrid 2.0 – In search of the holy grail… A Talk for OWASP BeNeLux by Roger Thornton Founder/CTO Fortify.

© 2008 All Right Reserved Fortify Software Inc. Hybrid 2.0 – In search of the holy grail… A Talk for OWASP BeNeLux by Roger Thornton Founder/CTO Fortify.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
August 9, 2005 UCCSC -- 2005 IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.
Achieving our mission Presented to Line Staff. INTERNAL CONTROLS What are they?

Achieving our mission Presented to Line Staff. INTERNAL CONTROLS What are they?
Enterprise Architecture

Enterprise Architecture
Control environment and control activities. Day II Session III and IV.

Control environment and control activities. Day II Session III and IV.
Website Hardening HUIT IT Security | Sep 30 2011.

Website Hardening HUIT IT Security | Sep
Information Technology Audit

Information Technology Audit
Resiliency Rules: 7 Steps for Critical Infrastructure Protection.

Resiliency Rules: 7 Steps for Critical Infrastructure Protection.

Similar presentations

Ads by Google