Presentation is loading. Please wait.

Presentation is loading. Please wait.

Achieving (and Maintaining) Compliance With Secure Software Development Compliance Requirements (ISC)² SecureSDLC May 17, 2012.

Published byEverett Bradley Modified over 9 years ago

Similar presentations

Presentation on theme: "Achieving (and Maintaining) Compliance With Secure Software Development Compliance Requirements (ISC)² SecureSDLC May 17, 2012."— Presentation transcript:

1 Achieving (and Maintaining) Compliance With Secure Software Development Compliance Requirements (ISC)² SecureSDLC May 17, 2012

2 Thank you for attending this presentation. My name is Mike, I’m a software assurance professional. This enterprise software developer-focused presentation is about working on secure software development compliance requirements. Welcome!

3 A little bit about software security What “software security” means, in practice:

4 What are software security requirements? Software security requirements: Software security compliance requirements: Technical requirements, Process requirements Things you owe Not things you hope or assume got done or exist

5 “Things you owe” Software security requirements can usually be sorted into three categories: 1.Source code 2.Documentation (of secure software development-related activities) 3.Organization responsibility (for security-related infrastructure services)

6 “Things you owe” continued Usually software security requirements have severities or penalties associated with not meeting them: – E.g., severities: high/medium/low – E.g., penalties: monetary penalties

7 Requirement examples Here is a notional example of a technical requirement: – “[The application shall not contain] Injection flaws, such as SQL, OS, and LDAP injection, [...].” (OWASP Top Ten 2010, A1-Injection) Here is a notional example of a process requirement: – “[The application lifescycle shall] Establish release gates for code review.” (OWASP OpenSAMM, CR3B)

8 What compliance means Achieving and maintaining software security compliance must necessarily be owned by software development teams (i.e. not by information assurance or information security teams).

9 Take compliance seriously Impacts of not taking compliance seriously are not limited to your application’s users. Impacts to your business or organization potentially may include: – Litigation resulting from e.g. breach of contract – Very costly repairs to your application – Very costly repairs to interconnected applications – Damage to your business or organization’s reputation, perhaps mission, etc.

10 Getting started, carefully Looking at compliance from certain different perspectives can help make working on compliance easier. – “Easier” means getting requirements to the point where they can be worked with the same ease and speed as requirements for business functions.

11 Achieving & maintaining compliance Plan work Track progress Enforce secure coding guidelines Report status Track bugs Looking at compliance from three different perspectives, in particular:

12 Roles & responsbilities Tracking progress Enforcing secure coding guidelines Planning work Owner: software development manager. Owner: lead developer & security buddy Owner: software development manager & security buddy

13 Tracking progress Getting started: 1.Establish a compliance target 2.Define compliance requirements based on your compliance target 3.Map requirements to things owed 4.Perform an initial assessment to determine your current compliance posture

14 Example The application shall not have OWASP Top Ten vulnerabilities (these are the notional targeted technical requirements) OWASP OpenSAMM maturity level 3 activities shall be performed before the application is released (these are the notional targeted process requirements) Establish target Define requirements Map requirements Initial assessment Tracking progress

15 Example: T10.A1-Injection SAMM.CR3B Shall perform user input validation. Shall perform safe datbase queries. Shall perform milestone code review before the application is released. Establish target Define requirements Map requirements Initial assessment

16 Establish target Define requirements Map requirements Initial assessment Tracking progress Example: Shall perform user input validation. Shall perform safe datbase queries. Shall perform milestone code review before the application is released. User input validation mechanism Parameterized queries Code review report

17 Establish target Define requirements Map requirements Initial assessment Tracking progress Example: IDSeverityTypeGroupTitleStatusMaturityNotes T10.A1.1HighSource code Input validation (users) Validate all input Potential items to address 50%... Thing owed (i.e. deliverable) Spreadsheet

18 A few words about performing an initial assessment It is strongly advised to perform threat modeling to some extent and then review sampled code, in order to make sure that all security requirements and the overall architecture are considered. Example: – Decompose your system into components, analyze each component for dependencies, then data flows, – Next establish boundaries and determine applicable security controls based on your requirements.

19 Enforcing secure coding guidelines Getting started: 1.Establish security controls 2.Establish security control usage 3.Use and retrofit security controls 4.Repeat steps 1 – 3 as needed.

20 Enforcing secure coding guidelines Rules of thumb: – Don’t build your own controls! – Do work with your security buddy to ensure security control mechanisms are implemented and work according to industry best practices, and meet your technical compliance requirements. Establish security controls Establish security control usage Use and retrofit security controls

21 Enforcing secure coding guidelines Example: Project Secure Coding Cheat Sheet Safe database queries: //TODO put description of SQL injection here Here is an example of how to safely query the database: //TODO put code snippet here Notes: //TODO usage notes, links, regular expressions to use to search for queries to review, etc.... Establish security controls Establish security control usage Use and retrofit security controls Wiki

22 Enforcing secure coding guidelines Rules of thumb: – Do publish secure coding guidelines to your development wiki and provide training as needed – Don’t forget to plan retrofit development cycles for new or changed security controls. – Do automate secure coding guidelines enforcement to the extent practical. Establish security controls Establish security control usage Use and retrofit security controls

23 A little bit more on enforcing secure coding guidelines Enforcing secure coding guidelines doesn’t have to be expensive or hard. Example:

24 Planning work Getting started: 1.Visualize 2.Limit work 3.Manage flow 4.Set policies 5.Improve iteratively

25 Visualize Limit work Manage flow Set policies Improve iteratively Planning work Example: Security Mechansim To doIn development In verificationVerified Input validation mechanisms Threat model document Task board

26 Planning work Rules of thumb: – Do use your task board to make assignments for related work – Do assign compliance security tasks using your existing bug tracking system – Do perform incremental code reviews in between milestone reviews to the extent practical Visualize Limit work Manage flow Set policies Improve iteratively

27 Planning work Rules of thumb: – Do what preparations you can as early as you can to avoid “development team death” (i.e. to avoid development cycles dedicated entirely to retrofitting new or changed security controls). – Work with your security buddy to incrementally role out new or changed controls as needed. – Work with your security buddy to incrementally role out new or changed lifecycle activities. Visualize Limit work Manage flow Set policies Improve iteratively

28 Planning work Rules of thumb: – Do set policies around using security controls and enforcing secure coding standards – Do set policies around timing, depth, and breadth of verification activities – Do work with your security buddy to enhance and maintain common security control library functionality Visualize Limit work Manage flow Set policies Improve iteratively

29 Where to go from here OWASP resources that you may find helpful: – OWASP Contract Annex – OWASP Top Ten – OWASP OpenSAMM – OWASP ESAPI – OWASP ASVS

30 Questions About Me: – Mike Boberski – Booz Allen Software Assurance Team – boberski_michael@bah.com

Download ppt "Achieving (and Maintaining) Compliance With Secure Software Development Compliance Requirements (ISC)² SecureSDLC May 17, 2012."

Similar presentations

OWASP CLASP Overview.

OWASP CLASP Overview.
PROCESS FRAMEWORK Lecture - 3. Topics covered PROCESS FRAMEWORK PROCESS MODELS DIFFERENCE.

PROCESS FRAMEWORK Lecture - 3. Topics covered PROCESS FRAMEWORK PROCESS MODELS DIFFERENCE.
Test Automation Success: Choosing the Right People & Process

Test Automation Success: Choosing the Right People & Process
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Chapter 4 Quality Assurance in Context

Chapter 4 Quality Assurance in Context
Software Modeling SWE5441 Lecture 3 Eng. Mohammed Timraz

Software Modeling SWE5441 Lecture 3 Eng. Mohammed Timraz
Agile Project Management with Scrum

Agile Project Management with Scrum
Agile development By Sam Chamberlain. First a bit of history..

Agile development By Sam Chamberlain. First a bit of history..
Sixth Hour Lecture 10:30 – 11:20 am, September 9 Framework for a Software Management Process – Artifacts of the Process (Part II, Chapter 6 of Royce’ book)

Sixth Hour Lecture 10:30 – 11:20 am, September 9 Framework for a Software Management Process – Artifacts of the Process (Part II, Chapter 6 of Royce’ book)
Stepan Potiyenko ISS Sr.SW Developer.

Stepan Potiyenko ISS Sr.SW Developer.
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.
The Software Product Life Cycle. Views of the Software Product Life Cycle  Management  Software engineering  Engineering design  Architectural design.

The Software Product Life Cycle. Views of the Software Product Life Cycle  Management  Software engineering  Engineering design  Architectural design.
Instituting Controls in Systems Development Gurpreet Dhillon Virginia Commonwealth University.

Instituting Controls in Systems Development Gurpreet Dhillon Virginia Commonwealth University.
What Causes Software Vulnerabilities? _____________________ ___________ ____________ _______________   flaws in developers own code   flaws resulting.

What Causes Software Vulnerabilities? _____________________ ___________ ____________ _______________   flaws in developers own code   flaws resulting.
Chapter 7 Database Auditing Models

Chapter 7 Database Auditing Models
Configuration Management Process and Environment MACS Review 1 February 5th, 2010 Roland Moser PR-100205-a-RMO, February 5 th, 2010 R. Moser 1 R. Gutleber.

Configuration Management Process and Environment MACS Review 1 February 5th, 2010 Roland Moser PR a-RMO, February 5 th, 2010 R. Moser 1 R. Gutleber.
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.
Lean and (Prepared for) Mean: Application Security Program Essentials Philip J. Beyer - Texas Education Agency John B. Dickson.

Lean and (Prepared for) Mean: Application Security Program Essentials Philip J. Beyer - Texas Education Agency John B. Dickson.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.

Similar presentations

Ads by Google