Meeting the Demands of Break Neck Speed Secure Software ... App Sec... · Jeff Sauntry [email protected] Managing Principal, Synopsys Member of Tampa ISACA Chapter Certified Information

Jeff Sauntry

[email protected] Principal, Synopsys

Member of Tampa ISACA Chapter

Certified Information Systems Security Professional (CISSP)

Certified Information Security Manager (CISM)

Payment Card Industry Professional (PCIP)

Certified Computer Forensics Examiner (CCFE)

Certified Fraud Examiner (CFE)

Certifying BSIMM Assessor

NA PCI – Special Interest Group - eCommerce

Meeting the Demands of Break Neck Speed

Secure Software Development

Tricia Rupp – Sales Director

[email protected]

Andrew Thompson – Sr

Consultant

[email protected]

mailto:[email protected]

mailto:[email protected]

Cloud Adoption

Migration to Continuous Integration Continuous Delivery (CI\CD)

Vendor Management in the Cyber Supply Chain

Maturity Action Plans

Practice Like You Play – Professional Dev for the Software Security Group

New Kids on the Block – Integrating newly acquired business

Accelerants and Catalyst

© 2017 Synopsys, Inc. 3 Confidential

The Evolving Landscape of Software Security

Evolving development

environments require

new approaches

Changing

deployment

landscapes change

testing demands

Embedded devices

Cloud (private,

hybrid, public)

Languages and

frameworks

New tech stacks

and attack surfaces

Agile

DevOps

CI/CD

Open Source

New development

philosophies

and approaches


I love the waterfall SDLC

Plenty of time for testing

Plenty of time for fixing defects

My world is wonderful

IT Security Spokesman

FY 2016


Dear developer:

Good luck getting

through my security

gates your not even

tall enough to reach

the latch.

TTYL

IT Security Team


The App Sec

Defect Marshal

is NOT a

happy camper!


Agile application

development catches

on like wild fire

Waterfall testing

procedures, SLAs

and lead times are

viewed as

impractical

impediments


Information Security

Representative

Application Developers coming up with a

Game of Thrones plot to lock out Info Sec

from the New World Order


Dev Ops and CI\CD

accelerate the pace

and frequency of

applications release

schedules Software

Security

Groups that

don’t adapt

and integrate

with the new

paradigms

often lost their

seat at the

governance

table


Continuous Delivery \Continuous Integration

•Many teams are taking this challenge head on in 2017

•One size SDLC doesn’t fit all, so stop insisting on a single

one

•Establish core requirements & capability that each team

must demonstrate

•Consider accrediting processes for dev teams

•Rethink the way, how and when you test

•Not everything fits into a two week sprint

•Leverage ‘out of band’ task to solve the hardest problems

Page 10 10


High Level Workflow



Observations on Current State


Secure CI/CD2 Stack

Consider Training Impact- Look for trends that suggest additional

training or SSG guidance is required

- Mandatory micro courses for High & Critical

defects


Out-of Band Activities


Security continues to be

the most commonly cited

reason for avoiding the use

of the public cloud.

Source:

Hype Cycle for Cloud Security, 2015

Published: 17 July 2015


Cloud adoption is accelerating which represents AppSec

and CloudSec opportunity

50% of the applications running in public cloud environments will be considered mission-critical by the organizations that use them.

By 2018 Over 30% of the 100

largest vendors' new software investments will have shifted from cloud-first to cloud-only.

By 2019

A corporate "no-cloud" policy will be as rare as a "no-Internet" policy is today.

By 2020 95% of cloud security

failures will be the customer's fault.

Thru 2020

Source:

Predicts 2016: Cloud Computing to Drive Digital Business

08 December 2015 G00292047


History is repeating itself

Developers lacking AppSec and CloudSec experience as they create applications causes SSG

owners pain.

DevelopersMobile

5 yrs. ago

The time to

engage SSG

owners is now,

during early

stages of projects.

Copyright © 2016, Cigital

Cloud

now

Web

10 yrs. ago


Ice Breakers and Cocktail Party Topics

Does your organization have a cloud adoption strategy/roadmap? If so, how does security factor into this roadmap?

What portion of your application portfolio is currently in the cloud?

What portion of your application portfolio is planned to migrate to the cloud?

What cloud risks are you most concerned about?

What cloudSec topics are you interested in training your people on? Which audiences are interested in which topics?


Key cloud characteristics deliver efficiency and flexibility

CloudOn-

demand service

Measured service

Rapid elasticity

Broad network access

Resource Pooling


Cloud service models represent ways a cloud-based

service is consumed and utilized

Cloud

Infrastructure as-a-Service

(IaaS)

Platform as-a-Service (PaaS)

Software as-a-Service (SaaS)


Cloud deployment models

22

Cloud

Public

Hybrid

Private


Security is a shared responsibility

People

IaaS

Data

Applications

Runtime

Middleware

Operating system

Virtual networks

Hypervisors

Servers

Storage

Physical networks

People

PaaS

Data

Applications

Runtime

Middleware

Operating system

Virtual networks

Hypervisors

Servers

Storage

Physical networks

People

SaaS

Data

Applications

Runtime

Middleware

Operating system

Virtual networks

Hypervisors

Servers

Storage

Physical networks

People

Hosted/ On-prem

Data

Applications

Runtime

Middleware

Operating system

Virtual networks

Hypervisors

Servers

Storage

Physical networks

Customer responsibility CSP responsibility

Customers and CSPs share control of applications and resources, and hence

security responsibilities.


Different cloud scenarios impact security posture

“Lift-and-shift”

• Move an existing application within the cloud as-is.

• Commonly uses IaaS.

• Relatively little reliance on CSP platform-layer controls.

Hybrid

• Update an existing application to take advantage of cloud services.

• Commonly uses PaaS/SaaS CSP services, but a significant portion of the

application is on-prem or IaaS.

• Some reliance on CSP platform-layer controls.

“Cloud-native”

• Develop new applications built specifically for the cloud.

• Commonly uses PaaS, SaaS.

• Heavy reliance on CSP platform-layer controls.


Leveraging cloud services may introduce risk

Cloud context = provide visibility into which cloud services are

leveraged and the potential introduction of security risks.

APIs

• Mechanism to process data, share data, across modules/applications; cross

application/module communication.

• CSPs expose APIs for the management plane to the public internet.

• CSPs continually release new and updated services accessible via APIs

Software/Hardware supply chain security

• Use of open-source components, containers and infrastructure-as-code sourced

from public repositories


Leveraging cloud services may introduce risk

Shared tenancy

• Isolating cloud service users (CSUs) from one another

• Isolating SaaS application users from one another

Infrastructure as code

• Code is written to rapidly provision, configure and release virtualized resources;

the ways in which this code is written significantly impacts the security posture of a

cloud computing environment.


Deliver solution to enable Cloud migration

Encourage your organizations to “build security in” with a mix of services for both CSPs

and CSUs such as:

Integrate security into all phases of the SDLC without impeding development's

ability to meet its deliverables.

CategoriesExisting services with cloud

specialization

System design

analysis

• Architectural risk analysis

• Threat modeling

Vulnerability

assessment

• Penetration testing

• Source code review (Cloud Context)

DevOps / Agile• Software delivery (CI/CD)

Training

• Amazon Web Services DevOps

Workshop

Cloud Service Users

CategoriesExisting services with cloud

specialization

System design

analysis

Architectural review of cloud service

components

1. Architectural risk analysis

2. Threat modeling

Vulnerability

assessment

Advanced penetration testing:

1. Penetration testing of software

found within cloud stack ( Physical

networks, hypervisor reviews

Applications, APIs etc.)

2. Source code review

Cloud Service Provider


Deliver design-level analysis

Apply sound security practices

• Eliminate up to 50% of the vulnerabilities at the source.

• Identify missing or weak security controls, understand secure design best practices, and

mitigate security flaws that increase your risk of a breach through…

– Threat Modeling

– Architecture Risk Analysis

• Provide architectural review

– Cloud applications for cloud service

users

– Cloud service components for cloud

service providers


Provide security penetration testing at scale

• Provide the right level of penetration testing of cloud applications

• Test adjacent technologies.

• Provide assessments without compromising human/manual involvement.

• Gain access to the top Cloud security experts.


Tying it all together

Deployment Models & Security Implications

Challenge: as organizations

embrace DevOps culture and

technologies, increasing usage of

cloud services often goes hand-in-

hand. The nature of cloud services

brings novel risks.

Different combinations of

isolation, service, and

deployment models imply

different types of risk.

Source:

http://blogs.msdn.com/b/johnalioto/archive/2010/08/16/10050822.aspx

BSIMM BASICS

We Hold These Truths to Be Self-Evident

• Software security is more than a set of security functions.– Not magic crypto fairy dust

– Not silver-bullet security mechanisms

• Non-functional aspects of design are essential.

• Bugs and flaws are 50/50.

• Security is an emergent property of the entire system (just like quality).

• To end up with secure software, deep integration with the SDLC is necessary.

Building BSIMM (2008)• BIG idea: Build a maturity model from actual data gathered from 9

well-known large-scale software security initiatives.

– Create a software security framework.

– Interview 9 firms in-person.

– Discover 110 activities through observation (1 removed, 4 added later).

– Organize the activities in 3 levels.

– Build a scorecard.

• The model has been validated with datafrom 129 firms (95 in BSIMM7).

• There is no special snowflake.

BSIMM7 MEASUREMENTS

95 Firms in BSIMM7 Community

Example Activity – Focus on Activity Description

[AA1.2] Perform design review for high-risk applications.

The organization learns about the benefits of architecture analysis by seeing real results for a few high-risk, high-profile applications. The reviewers must have some experience performing detailed design review and breaking the architecture being considered, especially for new platforms or environments. In all cases, design review produces a set of architecture flaws and a plan to mitigate them. If the SSG is not yet equipped to perform an in-depth architecture analysis, it uses consultants to do this work. Ad hoc review paradigms that rely heavily on expertise can be used here, though in the long run they do not scale. A review focused only on whether a software project has performed the right process steps will not generate expected results.

A Software Security Framework

See informIT article on BSIMM website http://bsimm.com

4 Domains 12 Practices

The Twelve Most Common BSIMM ActivitiesThese twelve activities were observed in 64% of measured firms:

1. Identify Gate locations; gather necessary artifacts2. Identify PII obligations3. Provide awareness training on software security4. Create data classification scheme and inventory5. Build and publish security features6. Create security standards7. Perform security feature review8. Use automated tools along with manual code review9. Drive tests with security requirements and security features10. Use external penetration testers to find problems11. Ensure host and network security basics are in place12. Identify software bugs found in operations monitoring and feed

them back to development

38

BSIMM7 AS A MEASURING STICK

BSIMM7 as a Measuring Stick

Top 12 activities– purple = good?

– red = bad?

“Blue shift” = practices to emphasize

The objective is to spark a conversation that leads to a business decision related to software security priorities

COMPARING GROUPS OF FIRMS

We Are a Special Snowflake (NOT)

BSIMM Longitudinal: Improvement Over Time

• 30 firms measured twice (an average of 25 months apart)

• We know how firms improve– An average of 34.6% activity increase

VBSIMM – QUALITY ASSURANCE AS PART OF THE SOFTWARE/CYBER SUPPLY CHAIN

The Vendor BSIMM (vBSIMM)• Measure the software security capability of third-party

vendors• Five practice areas, fifteen activities (subset of BSIMM)

• Adopted as a control by the FS-ISAC Third Party Software Security Working Group (*M&A Cover Reference)

BSIMM practice Identification & Response Process Integration Process Automation

Arch. Analysis AA1.4 critical apps AA1.1 sec features AA1.2 ARA for high

Code Review CR1.1 top bugs CR1.2 ad hoc SSG CR1.4 tool

Security Testing ST1.1 boundary/edge ST1.3 sec req tests ST2.1 tool

Pen Testing PT1.1 externals PT1.2 mitigate loop PT1.3 internal tool

Config Mgmt. & Vuln Mgmt

CMVM1.1 incident CMVM1.2 sec à dev CMVM2.2 track defects

MATURITY ACTION PLAN (MAP)

What is a BSIMM MAP?• The BSIMM MAP adds a process level dimension to the program

level view provided by the BSIMM

• The BSIMM answers the “what do I do” and the BSIMM MAP answers the “what else should I be doing” and “how can I improve the things I am doing”

• The BSIMM MAP is the catalyst to the implementation to mature or establish a software security program

• Without the BSIMM MAP organizations struggle or procrastinate with SSG implementations

So what are the benefits of the BSIMM MAP?

• Gives management a detailed assessment on how to mature a software

security program

• Helps management prioritize and plan the rollout of its software security

program

• Allows effective use of budget by performing high-impact activities earlier in the

implementation phase

• Allows organizations to leverage our experience and knowledge of

implementing components of software security programs

• Allows management to evaluate the dependencies and impacts of other related

initiatives in the organization (i.e., GRC, SEIM, metrics, etc.)

Implementation Plan Description Timeline

SDLC TOUCHPOINTS – Security Architecture ReviewEnhance the Security Architecture Review Process (SARP)

Q1 Q2 Q3 Q4 Q5 Q6 Q7 Q8

Key Activities Key Considerations Dimensions

Preparation for Threat Modeling (TM) and Architecture Risk Analysis (ARA)

Work with Dave and Buster to identify architects and possible consultants interested in and able to perform advanced SARs using TM and ARA techniques to detect design flaws in applications.

Identify two to three high risk applications to be put through the advanced SARP pilots.

Identify criteria for using TM and ARA in the existing SARP process.

TM and ARA Training

Conduct instructor led training (ILT) on TM and ARA for selected personnel.

TM and ARA Pilot Execution

Conduct TM and ARA against the designs of the selected applications. This can be part of a normal SARC process or stand-alone for the pilot efforts.

Submit findings to defect tracking system.

Help application teams redesign the applications to remediate findings.

Share the findings and success stories with the development community.

Use external consultants to lead early pilot efforts. Allow internal personnel to shadow and gain experience under their guidance.

Integrate TM and ARA Into Regular SARC Process

Integrate TM and ARA in the an enterprise-wide SARP process.

HR: Internal or external resources with security architecture skills. Outsourcing may be a solution to consider.

Technical: Integrate TM and ARA findings into defect tracking system.

Business: To familiarize with this SSDLC activity. Determine resources, time and cost to successfully complete this activity.

Operations: Adopt the expanded SARC methodology; build and publish run book on the SARC process to include the new capabilities.

Key Dependencies Drivers

Application risk ranking methodology to identify correct pilot applications to take through the TR and ARA process

Consider integrating with existing defect tracking systems.

Availability of developer and architect resources to participate in the review processes.

Implementation Risks Expected Improvement

Internal resources may not be able to take on these type of assessments due to time required to develop and maintain the required skillset.

Allocation of inappropriate resources for the implementation can affect quality of output and duration to complete specific artifacts/deliverables.

Lack of buy-in from application owners and developer mangers will make it difficult to have appropriate time with the teams to conduct the reviews.

Initial Cost Driver Analysis Key Stakeholders

Cost Category Internal External Ongoing Assumptions SSG leads the activity with purpose of identifying and tracking defects.

Application Owners and development managers provide the application designs and appropriate personnel to discuss the designs.

Resources

Pilot program will involve several internal and external resources during training and pilot efforts. Once established the process will become a routine task as part of the existing SARP and not require dedicated personnel.

Expenditure

Training and the use of external consultants to enable internal staff to shadow some of the pilot programs will require funding.

Governance

SDLC Touchpoints

Developer Enablement

< 100K

Internal

External

Activity milestone using external providers

Activity Progress

Ongoing Refinement

Activity milestone using internal resourcesFull-time resource

Pre

p

51

IL

T

Pilot

Reviews

IL

T

Pilot Review

Quarter 1 Quarter 2 Quarter 3 Quarter 4 Quarter 5 Quarter 6 Quarter 7 Quarter 8

Year 1 Year 2

il

Create the SSG

Create Relationships

Purchase and Pilot

SAST Tool

Identify Goals and

Dev Team for SM&L

ID Required Metrics Gather and refine metrics

Pilot Satellite ProgramDefine roles for

satellites and Identify

Candidates

Use the SAST toolDeploy SAST Tool

Identify candidates

for ARA and TM

reviews

ILT for ARA & TM

and ShadowingARA and TM Piloting

Design

QA NFR

& Fuzz

Testing

Operationalize NFR Verification and Fuzz TestingPilot

NFR and

Fuzz

Testing

Design, implement and Test SM&L

Create Standards

Review Board for Code

Level Standards

Define Incident Response and Development

Information Feed and Response Process

Resolve Existing WAF Management Issues

Secure Development

Training of SM&L

Team

52

Train

Satellite

sTrain Developers on SAST Tool Use the SAST Tool as Desktop As-You-Develop Secure Development Training

Define Feeding Pen

Test Results to

Defect Tracking

Systems

Pilot Feeding Pen

Test Results to

Defect Tracking

Systems

GO

VE

RN

AN

CE

SS

DL

C T

OU

CH

PO

INT

SD

ep

loym

en

tIn

tellig

en

ce

Socialize a Program Roadmap - Example

09 10 11 12 01 02 03 04 05 06

2017

Static Analysis

Dynamic Analysis

Threat Modeling

Training

Complete all

curriculum

courses

10 Security

Champions

Complete

Foundations

CBTConduct

SecureAssist

pilot – 12 apps

Launch self-

service satellite

SecureAssist

training

program

75%

application

portfolio

coverage

Require

SecureAssist as

part of SDLC

Launch new

dynamic

scanning

capability

Scale dynamic

scanning

during QA

Launch threat-

driven capability

SSG mentors

architects as

part of high

risk SDLC

projects

Conduct ILT

Ethical Hacking

Practice Like You Play

Evolution of Software Security Group

Professional Development

54

55

Page ‹#› 56

Page ‹#› 57

Page ‹#› 58

If Great Whites

had to report to

executives……

this might be the

only KPI or

metric that really

matters

How we train SSG needs to evolve• Role based training for all members of the Software Security Group

(SSG)– Developers, QA Engineers, Architects, Business Analyst, Project Mgrs

• Global teams that are geographically dispersed

• On-demand solutions so staff can learn when it is convenient– Micro courses, searchable knowledge bases

– Pre-approved components to improve efficiency (e.g. libraries and open source)

– Integrate training aids into the developers IDE

• Practical hands on exercises via virtual classrooms

• Continual reinforcement while teams are developing code

• Examples of best practices and suggested code snippetsPage 59 59

Vulnerability Cost Impact - Time of Detect vs. Time of Fix

% Bugs introduced in this phase

% Bugs found in this phase

$ Cost to repair bug in this phase

$16,000

$1,000

$100

$250

$25

85%

Perc

en

tag

e o

f Bu

gs a

nd

Fla

ws

Code Build Test Release

Plan PenTest Everyone wants to create more

secure software, but:

developers aren’t security experts and

security teams find flaws too late in

the SDLC

Secure Code Reviewhelps developers find and fix software

security defects

early in the SDLC

SCR

• Integrating corrective action

into the developers native

environment is key (today)

• Real world example in the

language they are coding in is

the BEST… fixing it for them is

coming

Training for Every Role – eLearning (CBT)

Building the Business Case – Training vs Coding

• Establish baselines of key applications• Track the hygiene of the code base • Establish a control group & fully train an comparable team• Metrics to capture

– Defect Density– Defect frequency– Time to resolve defects

• Well trained teams will – Introduced fewer defects into the code base– They are often 50% faster at resolving defects

• Consider formalizing into a ‘Satellite’ or ‘Security Maven’ program

Page 62 62

Expand Team with Satellites & Maven Programs

Yellow Belt

eLearning (CBT)

Activity

1. Foundations of

Software Security

2. OWASP Top 10

Advanced Training (ILT)

Static Analysis• Application On-

Boarding (1 app)

Advanced Practices

Green Belt

4. Defensive

Programming (for

relevant language)

5. Software Security

Requirements

6. Attack & Defense

7. Threat Modeling

8. Security Testing

• Defensive Programming

ILT

• Threat Modeling ILT

Brown Belt

• Contribute to Threat

Models

Black Belt

• Serve on standards

review board

• Build re-usable IP

to prevent risk

• Teach and

influence peers

Certification Level Progression

• Implement static

analysis coverage

enhancements

Combining CBT, ILT, and practice adoption within a progressive program is an effective implementation strategy


Complete Support Across Your Secure SDLC

REQUIREMENTS

& DESIGN

Architecture Risk

Analysis

Security Code

Design Analysis

Threat Modeling

TRAINING

Core Security

Training

Secure Coding

Training

eLearning

SAST (IDE)

SAST (Build)

SCA (Source)

IAST

IMPLEMENTATION

SAST (Managed)

Fuzz Testing

SCA (Binary)

Mobile Testing

VERIFICATION

DAST (Managed)

Pen Testing

Network Pen Testing

RELEASE

COMPREHENSIVE SOFTWARE INTEGRITY PORTFOLIO


Our Portfolio: The Best Stuff and The Right Stuff

Program Design and Development

+27

Products

• Static Code Analysis

• Software Composition

Analysis

• Intelligent Fuzz Testing

• Interactive Application

Security Testing (IAST)

• eLearning

+27

Managed Services

• Web Application Testing

• Mobile Application Testing

• Network Penetration Testing

• Source Code Review

+27

Professional Services

• Architecture and Design

• CI/CD & Cloud Enablement

• Embedded Software Testing

• Insider Threat Detection

• Red Teaming

• Thick Client Testing

• Building Security In

Maturity Model (BSIMM)

• Maturity Action Plan

• Metrics Development

• Software Security Initiative

In-a-Box

Q&A

© 2017 Synopsys, Inc. 67 ConfidentialConfidential

1 Microsoft

2 Oracle

3 SAP

4 Symantec

5 VMware

6 Salesforce

7 Intuit

8 CA Technologies

9 Adobe

10 Teradata

11 Amdocs

12 Cerner

13 Citrix

14 Autodesk

15 Sage Group

16 Synopsys

17 Akamai Technologies

18 Nuance

19 Open Text

20 F5 Networks

Top 20 Global

Software Companies

Financial Snapshot

2016 Revenue:

$2.42B3-Yr Backlog:

$3.6B

Engineering Culture

Total Employees: ~11,000

Engineers: 50%

Software Integrity Group: ~1,000

Global Reach


SIG History at a Glance

2014

BIRTH

OF SIG

SAST

Test Optimization

Seeker

IAST

Composition Analysis

SAST Rules

Consulting

Training

Fuzzing

20162015


Mobile / Consumer

Devices

Enterprise Networking

and Software

High Reliability

SystemsFinancial Services

Synopsys works with 1,500 industry-leading companies across all sectors…

and has deep experience in software testing for many industries

Thank You

Documents

Meeting the Demands of Break Neck Speed Secure Software ... App Sec... · Jeff Sauntry [email protected] Managing Principal, Synopsys Member of Tampa ISACA Chapter Certified Information