(ISC)2 SecureLondon 2009, London, United Kingdom. This information is not intended, and should not be construed, as an offer to sell, or as a solicitation of an offer to purchase, any securities.
Presentation transcript:

Ten Practical Steps to Reducing Software-based Threats
Dr Serdar Cabuk, CISSP, Security Specialist, VISA Europe

Ten Practical Steps to Reducing Software-based Threats | 28 July 2009

Outline
Motivation and scope
Methodology
–Plan (2)
–Do (5)
–Check (2)
–Act (1)
The way forward

Motivation
Fact
–You have an SDLC in place
Reality
–You don’t have a secure SDLC
Strategic v Tactical Drivers
–Budget
–Time to market
–Top down v Bottom up

Scope
What it isn’t
–Strategic
–Certified / Methodical
–Framework based
–Long term
What it is
–Tactical
–Customised / Hands on
–Process based
–Short term

Methodology (diagram labels): PMM, SALC, SDLC, SDLC+

PLAN : Preparation
Goal : Ensure readiness and support prior to process improvement
Prerequisites
–Security policy
–Management buy in

PLAN : Preparation
1. Segregate software assurance and development functions (diagram: Assurance | Development)

PLAN : Preparation
2. Engage with all functions including
Information security
–Compliance specialists and security architects
Architecture
–Solutions or technical architects
Development
–Analysts and lead developers
Engineering
–Infrastructure and network specialists
Service owner and key stakeholders
Project and programme management

DO : Transition
Goal : Improve software development by introducing targeted additions to the lifecycle
Prerequisites
–Buy in from all teams involved

DO : Transition
3. Perform initial threat assessment to drive the high level design
Input: Requirements
Output: Improved high level design
Tasks and roles (role codes per column: Security, Architect, PM)
–Information gathering: RCA
–Security requirements analysis: RACI
–High level secure design: SRAI
–Reporting and communication: RIA

DO : Transition
4. Perform application threat modelling to identify software-based threats
Input: Requirements and initial design
Output: Application threat model
Tasks and roles (role codes per column: Security, Architect, Developer, PM)
–Information gathering and planning: RCCA
–Application decomposition: CRSAI
–Application threat analysis: RASCI
–Scoring and countermeasures: RSAII
–Reporting and communication: RCIA

DO : Transition
5. Perform secure design reviews to ensure secure software architecture
Input: High level design and application threat model
Output: Application level design
Tasks and roles (role codes per column: Security, Architect, PM)
–Information gathering: RCA
–Security requirements revisited: RSAI
–Deployment and infrastructure analysis: RSAI
–Application component analysis: RSAI
–Reporting and communication: RCA

DO : Transition
6. Perform source code analysis (SCA) to identify and address code level vulnerabilities
Input: Application software and SCA tool
Output: Improved application software
Tasks and roles (role codes per column: Security, Developer, PM)
–Information gathering: RCA
–Source code analysis: RACI
–Review and scoring: RASI
–Code improvement: SRAI
–Reporting and communication: RCA

DO : Transition
7. Employ secure coding principles to reduce software-based threats and improve code quality
Input: Coding standards
Output: Improved application software
Tasks and roles (role codes per column: Security, Developer)
–Information gathering: RC
–Standards establishment: RA
–Standards application: AR

CHECK : Embedding
Goal : Ensure process implementation and establish security standard
Prerequisites
–Documented process and templates

CHECK : Embedding
8. Ensure process embedding through SDLC workshops and documentation
9. Establish security standards and raise awareness through security events and training

ACT : Alignment
Goal : Continuous capability maturity improvement using an industry standard framework
10. Introduce an industry standard ISMS framework and align it with the secure SDLC

Summary
1. Segregate software assurance and development functions
2. Engage with all functions including information security, architecture, development, engineering and project management
3. Perform initial threat assessment to drive the high level design
4. Perform application threat modelling to identify software-based threats
5. Perform secure design reviews to ensure secure software architecture

Summary
6. Perform source code analysis (SCA) to identify and address code level vulnerabilities
7. Employ secure coding principles to reduce software-based threats and improve code quality
8. Ensure process embedding through SDLC workshops and documentation
9. Establish security standards and raise awareness through security events and training
10. Introduce an industry standard process framework and align it with the secure SDLC

Thank you