Upload
doanbao
View
215
Download
2
Embed Size (px)
Citation preview
Jeff Sauntry
[email protected] Principal, Synopsys
Member of Tampa ISACA Chapter
Certified Information Systems Security Professional (CISSP)
Certified Information Security Manager (CISM)
Payment Card Industry Professional (PCIP)
Certified Computer Forensics Examiner (CCFE)
Certified Fraud Examiner (CFE)
Certifying BSIMM Assessor
NA PCI – Special Interest Group - eCommerce
Meeting the Demands of Break Neck Speed
Secure Software Development
Tricia Rupp – Sales Director
Andrew Thompson – Sr
Consultant
Cloud Adoption
Migration to Continuous Integration Continuous Delivery (CI\CD)
Vendor Management in the Cyber Supply Chain
Maturity Action Plans
Practice Like You Play – Professional Dev for the Software Security Group
New Kids on the Block – Integrating newly acquired business
Accelerants and Catalyst
© 2017 Synopsys, Inc. 3 Confidential
The Evolving Landscape of Software Security
Evolving development
environments require
new approaches
Changing
deployment
landscapes change
testing demands
Embedded devices
Cloud (private,
hybrid, public)
Languages and
frameworks
New tech stacks
and attack surfaces
Agile
DevOps
CI/CD
Open Source
New development
philosophies
and approaches
© 2017 Synopsys, Inc. 4 Confidential
I love the waterfall SDLC
Plenty of time for testing
Plenty of time for fixing defects
My world is wonderful
IT Security Spokesman
FY 2016
© 2017 Synopsys, Inc. 5 Confidential
Dear developer:
Good luck getting
through my security
gates your not even
tall enough to reach
the latch.
TTYL
IT Security Team
© 2017 Synopsys, Inc. 7 Confidential
Agile application
development catches
on like wild fire
Waterfall testing
procedures, SLAs
and lead times are
viewed as
impractical
impediments
© 2017 Synopsys, Inc. 8 Confidential
Information Security
Representative
Application Developers coming up with a
Game of Thrones plot to lock out Info Sec
from the New World Order
© 2017 Synopsys, Inc. 9 Confidential
Dev Ops and CI\CD
accelerate the pace
and frequency of
applications release
schedules Software
Security
Groups that
don’t adapt
and integrate
with the new
paradigms
often lost their
seat at the
governance
table
© 2017 Synopsys, Inc. 10 Confidential
Continuous Delivery \Continuous Integration
•Many teams are taking this challenge head on in 2017
•One size SDLC doesn’t fit all, so stop insisting on a single
one
•Establish core requirements & capability that each team
must demonstrate
•Consider accrediting processes for dev teams
•Rethink the way, how and when you test
•Not everything fits into a two week sprint
•Leverage ‘out of band’ task to solve the hardest problems
Page 10 10
© 2017 Synopsys, Inc. 14 Confidential
Secure CI/CD2 Stack
Consider Training Impact- Look for trends that suggest additional
training or SSG guidance is required
- Mandatory micro courses for High & Critical
defects
© 2017 Synopsys, Inc. 16 Confidential
Security continues to be
the most commonly cited
reason for avoiding the use
of the public cloud.
Source:
Hype Cycle for Cloud Security, 2015
Published: 17 July 2015
© 2017 Synopsys, Inc. 17 Confidential
Cloud adoption is accelerating which represents AppSec
and CloudSec opportunity
50% of the applications running in public cloud environments will be considered mission-critical by the organizations that use them.
By 2018 Over 30% of the 100
largest vendors' new software investments will have shifted from cloud-first to cloud-only.
By 2019
A corporate "no-cloud" policy will be as rare as a "no-Internet" policy is today.
By 2020 95% of cloud security
failures will be the customer's fault.
Thru 2020
Source:
Predicts 2016: Cloud Computing to Drive Digital Business
08 December 2015 G00292047
© 2017 Synopsys, Inc. 18 Confidential
History is repeating itself
Developers lacking AppSec and CloudSec experience as they create applications causes SSG
owners pain.
DevelopersMobile
5 yrs. ago
The time to
engage SSG
owners is now,
during early
stages of projects.
Copyright © 2016, Cigital
Cloud
now
Web
10 yrs. ago
© 2017 Synopsys, Inc. 19 Confidential
Ice Breakers and Cocktail Party Topics
Does your organization have a cloud adoption strategy/roadmap? If so, how does security factor into this roadmap?
What portion of your application portfolio is currently in the cloud?
What portion of your application portfolio is planned to migrate to the cloud?
What cloud risks are you most concerned about?
What cloudSec topics are you interested in training your people on? Which audiences are interested in which topics?
© 2017 Synopsys, Inc. 20 Confidential
Key cloud characteristics deliver efficiency and flexibility
CloudOn-
demand service
Measured service
Rapid elasticity
Broad network access
Resource Pooling
© 2017 Synopsys, Inc. 21 Confidential
Cloud service models represent ways a cloud-based
service is consumed and utilized
Cloud
Infrastructure as-a-Service
(IaaS)
Platform as-a-Service (PaaS)
Software as-a-Service (SaaS)
© 2017 Synopsys, Inc. 23 Confidential
Security is a shared responsibility
People
IaaS
Data
Applications
Runtime
Middleware
Operating system
Virtual networks
Hypervisors
Servers
Storage
Physical networks
People
PaaS
Data
Applications
Runtime
Middleware
Operating system
Virtual networks
Hypervisors
Servers
Storage
Physical networks
People
SaaS
Data
Applications
Runtime
Middleware
Operating system
Virtual networks
Hypervisors
Servers
Storage
Physical networks
People
Hosted/ On-prem
Data
Applications
Runtime
Middleware
Operating system
Virtual networks
Hypervisors
Servers
Storage
Physical networks
Customer responsibility CSP responsibility
Customers and CSPs share control of applications and resources, and hence
security responsibilities.
© 2017 Synopsys, Inc. 24 Confidential
Different cloud scenarios impact security posture
“Lift-and-shift”
• Move an existing application within the cloud as-is.
• Commonly uses IaaS.
• Relatively little reliance on CSP platform-layer controls.
Hybrid
• Update an existing application to take advantage of cloud services.
• Commonly uses PaaS/SaaS CSP services, but a significant portion of the
application is on-prem or IaaS.
• Some reliance on CSP platform-layer controls.
“Cloud-native”
• Develop new applications built specifically for the cloud.
• Commonly uses PaaS, SaaS.
• Heavy reliance on CSP platform-layer controls.
© 2017 Synopsys, Inc. 25 Confidential
Leveraging cloud services may introduce risk
Cloud context = provide visibility into which cloud services are
leveraged and the potential introduction of security risks.
APIs
• Mechanism to process data, share data, across modules/applications; cross
application/module communication.
• CSPs expose APIs for the management plane to the public internet.
• CSPs continually release new and updated services accessible via APIs
Software/Hardware supply chain security
• Use of open-source components, containers and infrastructure-as-code sourced
from public repositories
© 2017 Synopsys, Inc. 26 Confidential
Leveraging cloud services may introduce risk
Shared tenancy
• Isolating cloud service users (CSUs) from one another
• Isolating SaaS application users from one another
Infrastructure as code
• Code is written to rapidly provision, configure and release virtualized resources;
the ways in which this code is written significantly impacts the security posture of a
cloud computing environment.
© 2017 Synopsys, Inc. 27 Confidential
Deliver solution to enable Cloud migration
Encourage your organizations to “build security in” with a mix of services for both CSPs
and CSUs such as:
Integrate security into all phases of the SDLC without impeding development's
ability to meet its deliverables.
CategoriesExisting services with cloud
specialization
System design
analysis
• Architectural risk analysis
• Threat modeling
Vulnerability
assessment
• Penetration testing
• Source code review (Cloud Context)
DevOps / Agile• Software delivery (CI/CD)
Training
• Amazon Web Services DevOps
Workshop
Cloud Service Users
CategoriesExisting services with cloud
specialization
System design
analysis
Architectural review of cloud service
components
1. Architectural risk analysis
2. Threat modeling
Vulnerability
assessment
Advanced penetration testing:
1. Penetration testing of software
found within cloud stack ( Physical
networks, hypervisor reviews
Applications, APIs etc.)
2. Source code review
Cloud Service Provider
© 2017 Synopsys, Inc. 28 Confidential
Deliver design-level analysis
Apply sound security practices
• Eliminate up to 50% of the vulnerabilities at the source.
• Identify missing or weak security controls, understand secure design best practices, and
mitigate security flaws that increase your risk of a breach through…
– Threat Modeling
– Architecture Risk Analysis
• Provide architectural review
– Cloud applications for cloud service
users
– Cloud service components for cloud
service providers
© 2017 Synopsys, Inc. 29 Confidential
Provide security penetration testing at scale
• Provide the right level of penetration testing of cloud applications
• Test adjacent technologies.
• Provide assessments without compromising human/manual involvement.
• Gain access to the top Cloud security experts.
© 2017 Synopsys, Inc. 30 Confidential
Tying it all together
Deployment Models & Security Implications
Challenge: as organizations
embrace DevOps culture and
technologies, increasing usage of
cloud services often goes hand-in-
hand. The nature of cloud services
brings novel risks.
Different combinations of
isolation, service, and
deployment models imply
different types of risk.
Source:
http://blogs.msdn.com/b/johnalioto/archive/2010/08/16/10050822.aspx
We Hold These Truths to Be Self-Evident
• Software security is more than a set of security functions.– Not magic crypto fairy dust
– Not silver-bullet security mechanisms
• Non-functional aspects of design are essential.
• Bugs and flaws are 50/50.
• Security is an emergent property of the entire system (just like quality).
• To end up with secure software, deep integration with the SDLC is necessary.
Building BSIMM (2008)• BIG idea: Build a maturity model from actual data gathered from 9
well-known large-scale software security initiatives.
– Create a software security framework.
– Interview 9 firms in-person.
– Discover 110 activities through observation (1 removed, 4 added later).
– Organize the activities in 3 levels.
– Build a scorecard.
• The model has been validated with datafrom 129 firms (95 in BSIMM7).
• There is no special snowflake.
Example Activity – Focus on Activity Description
[AA1.2] Perform design review for high-risk applications.
The organization learns about the benefits of architecture analysis by seeing real results for a few high-risk, high-profile applications. The reviewers must have some experience performing detailed design review and breaking the architecture being considered, especially for new platforms or environments. In all cases, design review produces a set of architecture flaws and a plan to mitigate them. If the SSG is not yet equipped to perform an in-depth architecture analysis, it uses consultants to do this work. Ad hoc review paradigms that rely heavily on expertise can be used here, though in the long run they do not scale. A review focused only on whether a software project has performed the right process steps will not generate expected results.
A Software Security Framework
See informIT article on BSIMM website http://bsimm.com
4 Domains 12 Practices
The Twelve Most Common BSIMM ActivitiesThese twelve activities were observed in 64% of measured firms:
1. Identify Gate locations; gather necessary artifacts2. Identify PII obligations3. Provide awareness training on software security4. Create data classification scheme and inventory5. Build and publish security features6. Create security standards7. Perform security feature review8. Use automated tools along with manual code review9. Drive tests with security requirements and security features10. Use external penetration testers to find problems11. Ensure host and network security basics are in place12. Identify software bugs found in operations monitoring and feed
them back to development
38
Top 12 activities– purple = good?
– red = bad?
“Blue shift” = practices to emphasize
The objective is to spark a conversation that leads to a business decision related to software security priorities
BSIMM Longitudinal: Improvement Over Time
• 30 firms measured twice (an average of 25 months apart)
• We know how firms improve– An average of 34.6% activity increase
The Vendor BSIMM (vBSIMM)• Measure the software security capability of third-party
vendors• Five practice areas, fifteen activities (subset of BSIMM)
• Adopted as a control by the FS-ISAC Third Party Software Security Working Group (*M&A Cover Reference)
BSIMM practice Identification & Response Process Integration Process Automation
Arch. Analysis AA1.4 critical apps AA1.1 sec features AA1.2 ARA for high
Code Review CR1.1 top bugs CR1.2 ad hoc SSG CR1.4 tool
Security Testing ST1.1 boundary/edge ST1.3 sec req tests ST2.1 tool
Pen Testing PT1.1 externals PT1.2 mitigate loop PT1.3 internal tool
Config Mgmt. & Vuln Mgmt
CMVM1.1 incident CMVM1.2 sec à dev CMVM2.2 track defects
What is a BSIMM MAP?• The BSIMM MAP adds a process level dimension to the program
level view provided by the BSIMM
• The BSIMM answers the “what do I do” and the BSIMM MAP answers the “what else should I be doing” and “how can I improve the things I am doing”
• The BSIMM MAP is the catalyst to the implementation to mature or establish a software security program
• Without the BSIMM MAP organizations struggle or procrastinate with SSG implementations
So what are the benefits of the BSIMM MAP?
• Gives management a detailed assessment on how to mature a software
security program
• Helps management prioritize and plan the rollout of its software security
program
• Allows effective use of budget by performing high-impact activities earlier in the
implementation phase
• Allows organizations to leverage our experience and knowledge of
implementing components of software security programs
• Allows management to evaluate the dependencies and impacts of other related
initiatives in the organization (i.e., GRC, SEIM, metrics, etc.)
Implementation Plan Description Timeline
SDLC TOUCHPOINTS – Security Architecture ReviewEnhance the Security Architecture Review Process (SARP)
Q1 Q2 Q3 Q4 Q5 Q6 Q7 Q8
Key Activities Key Considerations Dimensions
Preparation for Threat Modeling (TM) and Architecture Risk Analysis (ARA)
Work with Dave and Buster to identify architects and possible consultants interested in and able to perform advanced SARs using TM and ARA techniques to detect design flaws in applications.
Identify two to three high risk applications to be put through the advanced SARP pilots.
Identify criteria for using TM and ARA in the existing SARP process.
TM and ARA Training
Conduct instructor led training (ILT) on TM and ARA for selected personnel.
TM and ARA Pilot Execution
Conduct TM and ARA against the designs of the selected applications. This can be part of a normal SARC process or stand-alone for the pilot efforts.
Submit findings to defect tracking system.
Help application teams redesign the applications to remediate findings.
Share the findings and success stories with the development community.
Use external consultants to lead early pilot efforts. Allow internal personnel to shadow and gain experience under their guidance.
Integrate TM and ARA Into Regular SARC Process
Integrate TM and ARA in the an enterprise-wide SARP process.
HR: Internal or external resources with security architecture skills. Outsourcing may be a solution to consider.
Technical: Integrate TM and ARA findings into defect tracking system.
Business: To familiarize with this SSDLC activity. Determine resources, time and cost to successfully complete this activity.
Operations: Adopt the expanded SARC methodology; build and publish run book on the SARC process to include the new capabilities.
Key Dependencies Drivers
Application risk ranking methodology to identify correct pilot applications to take through the TR and ARA process
Consider integrating with existing defect tracking systems.
Availability of developer and architect resources to participate in the review processes.
Implementation Risks Expected Improvement
Internal resources may not be able to take on these type of assessments due to time required to develop and maintain the required skillset.
Allocation of inappropriate resources for the implementation can affect quality of output and duration to complete specific artifacts/deliverables.
Lack of buy-in from application owners and developer mangers will make it difficult to have appropriate time with the teams to conduct the reviews.
Initial Cost Driver Analysis Key Stakeholders
Cost Category Internal External Ongoing Assumptions SSG leads the activity with purpose of identifying and tracking defects.
Application Owners and development managers provide the application designs and appropriate personnel to discuss the designs.
Resources
Pilot program will involve several internal and external resources during training and pilot efforts. Once established the process will become a routine task as part of the existing SARP and not require dedicated personnel.
Expenditure
Training and the use of external consultants to enable internal staff to shadow some of the pilot programs will require funding.
Governance
SDLC Touchpoints
Developer Enablement
< 100K
Internal
External
Activity milestone using external providers
Activity Progress
Ongoing Refinement
Activity milestone using internal resourcesFull-time resource
Pre
p
51
IL
T
Pilot
Reviews
IL
T
Pilot Review
Quarter 1 Quarter 2 Quarter 3 Quarter 4 Quarter 5 Quarter 6 Quarter 7 Quarter 8
Year 1 Year 2
il
Create the SSG
Create Relationships
Purchase and Pilot
SAST Tool
Identify Goals and
Dev Team for SM&L
ID Required Metrics Gather and refine metrics
Pilot Satellite ProgramDefine roles for
satellites and Identify
Candidates
Use the SAST toolDeploy SAST Tool
Identify candidates
for ARA and TM
reviews
ILT for ARA & TM
and ShadowingARA and TM Piloting
Design
QA NFR
& Fuzz
Testing
Operationalize NFR Verification and Fuzz TestingPilot
NFR and
Fuzz
Testing
Design, implement and Test SM&L
Create Standards
Review Board for Code
Level Standards
Define Incident Response and Development
Information Feed and Response Process
Resolve Existing WAF Management Issues
Secure Development
Training of SM&L
Team
52
Train
Satellite
sTrain Developers on SAST Tool Use the SAST Tool as Desktop As-You-Develop Secure Development Training
Define Feeding Pen
Test Results to
Defect Tracking
Systems
Pilot Feeding Pen
Test Results to
Defect Tracking
Systems
GO
VE
RN
AN
CE
SS
DL
C T
OU
CH
PO
INT
SD
ep
loym
en
tIn
tellig
en
ce
Socialize a Program Roadmap - Example
09 10 11 12 01 02 03 04 05 06
2017
Static Analysis
Dynamic Analysis
Threat Modeling
Training
Complete all
curriculum
courses
10 Security
Champions
Complete
Foundations
CBTConduct
SecureAssist
pilot – 12 apps
Launch self-
service satellite
SecureAssist
training
program
75%
application
portfolio
coverage
Require
SecureAssist as
part of SDLC
Launch new
dynamic
scanning
capability
Scale dynamic
scanning
during QA
Launch threat-
driven capability
SSG mentors
architects as
part of high
risk SDLC
projects
Conduct ILT
Ethical Hacking
Page ‹#› 58
If Great Whites
had to report to
executives……
this might be the
only KPI or
metric that really
matters
How we train SSG needs to evolve• Role based training for all members of the Software Security Group
(SSG)– Developers, QA Engineers, Architects, Business Analyst, Project Mgrs
• Global teams that are geographically dispersed
• On-demand solutions so staff can learn when it is convenient– Micro courses, searchable knowledge bases
– Pre-approved components to improve efficiency (e.g. libraries and open source)
– Integrate training aids into the developers IDE
• Practical hands on exercises via virtual classrooms
• Continual reinforcement while teams are developing code
• Examples of best practices and suggested code snippetsPage 59 59
Vulnerability Cost Impact - Time of Detect vs. Time of Fix
% Bugs introduced in this phase
% Bugs found in this phase
$ Cost to repair bug in this phase
$16,000
$1,000
$100
$250
$25
85%
Perc
en
tag
e o
f Bu
gs a
nd
Fla
ws
Code Build Test Release
Plan PenTest Everyone wants to create more
secure software, but:
developers aren’t security experts and
security teams find flaws too late in
the SDLC
Secure Code Reviewhelps developers find and fix software
security defects
early in the SDLC
SCR
• Integrating corrective action
into the developers native
environment is key (today)
• Real world example in the
language they are coding in is
the BEST… fixing it for them is
coming
Building the Business Case – Training vs Coding
• Establish baselines of key applications• Track the hygiene of the code base • Establish a control group & fully train an comparable team• Metrics to capture
– Defect Density– Defect frequency– Time to resolve defects
• Well trained teams will – Introduced fewer defects into the code base– They are often 50% faster at resolving defects
• Consider formalizing into a ‘Satellite’ or ‘Security Maven’ program
Page 62 62
Expand Team with Satellites & Maven Programs
Yellow Belt
eLearning (CBT)
Activity
1. Foundations of
Software Security
2. OWASP Top 10
Advanced Training (ILT)
Static Analysis• Application On-
Boarding (1 app)
Advanced Practices
Green Belt
4. Defensive
Programming (for
relevant language)
5. Software Security
Requirements
6. Attack & Defense
7. Threat Modeling
8. Security Testing
• Defensive Programming
ILT
• Threat Modeling ILT
Brown Belt
• Contribute to Threat
Models
Black Belt
• Serve on standards
review board
• Build re-usable IP
to prevent risk
• Teach and
influence peers
Certification Level Progression
• Implement static
analysis coverage
enhancements
Combining CBT, ILT, and practice adoption within a progressive program is an effective implementation strategy
© 2017 Synopsys, Inc. 64 Confidential
Complete Support Across Your Secure SDLC
REQUIREMENTS
& DESIGN
Architecture Risk
Analysis
Security Code
Design Analysis
Threat Modeling
TRAINING
Core Security
Training
Secure Coding
Training
eLearning
SAST (IDE)
SAST (Build)
SCA (Source)
IAST
IMPLEMENTATION
SAST (Managed)
Fuzz Testing
SCA (Binary)
Mobile Testing
VERIFICATION
DAST (Managed)
Pen Testing
Network Pen Testing
RELEASE
COMPREHENSIVE SOFTWARE INTEGRITY PORTFOLIO
© 2017 Synopsys, Inc. 65 Confidential
Our Portfolio: The Best Stuff and The Right Stuff
Program Design and Development
+27
Products
• Static Code Analysis
• Software Composition
Analysis
• Intelligent Fuzz Testing
• Interactive Application
Security Testing (IAST)
• eLearning
+27
Managed Services
• Web Application Testing
• Mobile Application Testing
• Network Penetration Testing
• Source Code Review
+27
Professional Services
• Architecture and Design
• CI/CD & Cloud Enablement
• Embedded Software Testing
• Insider Threat Detection
• Red Teaming
• Thick Client Testing
• Building Security In
Maturity Model (BSIMM)
• Maturity Action Plan
• Metrics Development
• Software Security Initiative
In-a-Box
© 2017 Synopsys, Inc. 67 ConfidentialConfidential
1 Microsoft
2 Oracle
3 SAP
4 Symantec
5 VMware
6 Salesforce
7 Intuit
8 CA Technologies
9 Adobe
10 Teradata
11 Amdocs
12 Cerner
13 Citrix
14 Autodesk
15 Sage Group
16 Synopsys
17 Akamai Technologies
18 Nuance
19 Open Text
20 F5 Networks
Top 20 Global
Software Companies
Financial Snapshot
2016 Revenue:
$2.42B3-Yr Backlog:
$3.6B
Engineering Culture
Total Employees: ~11,000
Engineers: 50%
Software Integrity Group: ~1,000
Global Reach
© 2017 Synopsys, Inc. 68 Confidential
SIG History at a Glance
2014
BIRTH
OF SIG
SAST
Test Optimization
Seeker
IAST
Composition Analysis
SAST Rules
Consulting
Training
Fuzzing
20162015
© 2017 Synopsys, Inc. 69 Confidential
Mobile / Consumer
Devices
Enterprise Networking
and Software
High Reliability
SystemsFinancial Services
Synopsys works with 1,500 industry-leading companies across all sectors…
and has deep experience in software testing for many industries