Presentation is loading. Please wait.

Presentation is loading. Please wait.

Using the Cloud and SaaS to Secure the SDLC. About Me Andy Earle HP/Fortify – Security Solutions Architect / Presales Engineer – Sell, deliver solutions.

Similar presentations


Presentation on theme: "Using the Cloud and SaaS to Secure the SDLC. About Me Andy Earle HP/Fortify – Security Solutions Architect / Presales Engineer – Sell, deliver solutions."— Presentation transcript:

1 Using the Cloud and SaaS to Secure the SDLC

2 About Me Andy Earle HP/Fortify – Security Solutions Architect / Presales Engineer – Sell, deliver solutions to commercial and US Fed Past – PM for High Assurance computer system at BAE – Mobile and App Security, multiple jobs – Software Engineer, multiple jobs

3 Agenda Terms and Background Application Security (AppSec) Deployment Models – SaaS / Cloud (On Demand) – On-Premise AppSec Industry Evolution – Relevant Trends – Case for “Hybrid” Implementation Hybrid On-Premise / cloud delivery of S-SDLC

4 Terms and Background Terms – SaaS : Software as a Service – SDLC : Software Development Lifecycle – SSA : Software Security Assurance Background – Focus is static analysis…but many concepts applicable to dynamic – SaaS and (public) cloud somewhat interchangeable, for this session – Caveats: Lots of variety of offerings amongst vendors; many of my statements are necessarily generalities

5 APPSEC DEPLOYMENT MODELS

6 What is SaaS? Software as a Service (SaaS) …or Security as a Service, in the AppSec world SaaS is a delivery model where software, data and services are hosted in the cloud and delivered on demand Application Security SaaS offerings include – Static, dynamic, and manual analyses – Expert review and prioritization of results – Various delivery offerings (web interface, reports, artifacts that integrate with onsite infrastructure)

7 AppSec via SaaS SaaS Web Portal Dev Org Stakeholders AppSec SME - review & triage 1 Analysis SaaS Process, On-Demand 1)Deliver code or bytes 2)Analysis as a Service 3)Expert Review 4)Results made available 2 3 4

8 What is an SDLC? Software Development Lifecycle (SDLC) …or Secure Development Lifecycle …or Secure Software Dev Lifecycle (S-SDLC) S-SDLC incorporates security across all phases of the development lifecycle. Security is built into applications from the start. Result: Software Security Assurance (SSA)

9 Sample Secure SDLC Developers Auditor / Security PM / Tech Lead Build Machine Possibly Continuous Integration Code Repository Bug Tracking Check in Code Check-out, Build and Scan Auditor Reviews Results Submit Findings to Bug Tracker IDE Plug-in Repeat as Necessary Vulnerability Scan On Premise Deployment Developer Fixes Bug / Security Finding

10 Building Security into an SDLC Build Security in: Activities & Tasks Developer & staff training Vulnerability analysis technologies Technology integrations and automation AppSec processes, procedures and metrics Governance, enforcement of the above …Basically, process reengineering …This is SSA

11 SSA Challenges Challenges to implementing an SSA program Tools “wanted by security, need to be used by development” Developers not security trained. Security doesn’t understand source code Seamless integration of security requires big upfront commitment Expertise is scarce (and expensive in time or $$$) And more…

12 SaaS vs. On-Premise SaaSOn Premise No deployment, no hardware, no training Easy Deployment Involved Requires local installation and supporting hardware Scans executed, results triaged by experts and delivered in easy to read reports Little Expertise Required Significant Requires expertise to set filters and triage results Days, sometimes weeks per scan Days Time to Results Hours Hours per scan Standardized process Less Control More 100% control - instant access to all capabilities at any time Primary results are in report, but can be sent to bug tracking systems and IDEs Less Integration More Tight integration with build systems, bug tracking, revision control, test automation Reports, web sites, web services challenging for use in fixing found issues Less Actionable Results Very Results in-house, consumable & usable in IDEs, development and security infrastructure

13 The Strengths of SaaS and On-Premise Pure SaaS Deployment Easy and cost effective to get started Little to no expertise required Findings make case for future appsec investments Meet compliance and reporting obligations Pure On-Premise Deployment Better model for “The Fix” Addresses the systemic problem Integration and automation maximize efficiency

14 A Solid Plan for SSA Phase 1: Pure SaaS Assess Critical Apps Prioritize and secure funding for Phase 2 Train and/or hire resources Fix critical vulnerabilities, low hanging fruit Phase 2: Pure On-Premise Bring technology and expertise in-house Solve the systemic problem – reduce repeat vulnerabilities Integration and automation maximize efficiency Mature SSA program This could include putting SaaS onsite (private cloud)

15 HOW THINGS ARE EVOLVING

16 Relevant AppSec Trends People Developers are increasingly security trained and aware AppSec SMEs more prevalent, many in the solution providers and security firms Product Applications increasingly complex – Hardware and time to analyze steepening – Increased expertise required to scan accurately SaaS increasingly integrate-able with onsite systems Process Compliance obligations mandating S-SDLC

17 S-SDLC Baseline Deployment Developers Auditor / Security Build Machine Possibly Continuous Integration Code Repository Bug Tracking Check in Code Check-out, Build and Scan Auditor Reviews Results Submit Findings to Bug Tracker Developer Fixes Bug / Security Finding Repeat as Necessary Vulnerability Scan Basic, On Premise

18 S-SDLC Needs Developers Auditor / Security Vulnerability Scan Analysis Needs: Power, processing, memory Multiple servers Expertise to scan accurately Development Needs: Security, vulnerability training IDE integration of results Low impact to current processes Auditor Needs: Deep appsec knowledge Expertise with scanning tool Knowledge of app deployment = SaaS = On Premise

19 SaaS Integration Points Developers Auditor / Security Build Machine or Continuous Integration Code Repository Bug Tracking Check in Code Check-out, Build and Scan Auditor Reviews Results Submit Findings to Bug Tracker Developer Fixes Bug / Security Finding Repeat as Necessary Vulnerability Scan On Premise Infrastructure

20 SaaS Integration Points Developers Auditor / Security PM / Tech Lead Code Repository Bug Tracking On Premise Infrastructure SaaS Point & click Automated Web-based Build Machine or Continuous Integration

21 Bringing it all Together Key Concepts in a Hybrid S-SDLC Deployment – Expertise available via SaaS is typically superior to that found on-premise (they are the experts) – Some tasks require on-site activity (like fixing bugs) – Disruptions to existing processes can slow adoption; start small and build slowly – Integration points can blur the on-premise / on- demand separation, facilitating adoption

22 Hybrid Delivered Secure SDLC Developers Continuous Integration Code Repository Bug Tracking Check in Code Triggered Check-out Download, Prioritize Results Submit Findings to Bug Tracker IDE Plug-in Hybrid Deployment Developer views bugs & findings SaaS Triggered send for Analysis Analyze/Scan Expert Review Auditor / PM Dev loads issues in IDE Plug-in

23 Integration Points Development and Security Technology Deliver Source View/Pull Results Developer IDEYY Continuous Integration ServerYY Code Repository / Version ControlY Web InterfaceYY Web Services / Custom IntegrationsYY Lots of opportunity for customization and fitting the deployment model to the customer environment

24 Plan for SSA, Revisited Phase 1: Pure SaaS Assess Critical Apps Prioritize and secure funding for Phase 2 Phase 2: On-Premise Pilot and SaaS Continue SaaS regime Deploy on-premise technology, design and test long term processes Train and/or hire resources Fix critical vulnerabilities, low hanging fruit Phase 3: Hybrid On-Premise and SaaS Deployment Deploy more technology and expertise in-house Difficult apps (for example) are still analyzed, triaged via SaaS Integration and automation max efficiency across deployments Mature SSA program

25 Final Thoughts  Take advantage of expertise where it resides, potentially buying time to bring it in-house  The general maturity curve is still on-demand --> on-premise  Automated or easy integrations are vital to successful hybrid deployment  Plan! Think long term.  Sometimes a pure on-premise or on-demand deployment is still the best answer. The important thing is to fit the solution to the problem and need.

26 Resources …and check out the next session on this track …Many, many others…


Download ppt "Using the Cloud and SaaS to Secure the SDLC. About Me Andy Earle HP/Fortify – Security Solutions Architect / Presales Engineer – Sell, deliver solutions."

Similar presentations


Ads by Google