Software Confidence. Achieved.

Deployment of a Code Analysis Methodology
Critical Discussion Towards a Roadmap for Success

John Steven, Software Security Principal
Technical Director
Office of the CTO
Cigital Inc.
© 2006 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
Motivation - Common Goals & Challenges

Initial Goals
- Introduce lightweight code analysis to SDLC
- Inexpensively purchase security expertise
- Consistently apply expertise

Subsequent Desires
- Scale 'whitebox' code analysis
- Automate checking against corporate security coding standards
- Enable developers to test powerfully

Non-starters
- Unwieldy build integration
- Overwhelming false positive reduction
- Inappropriate division of labor: filtering findings, writing rules

Stumbling Blocks
- Unclear process/tool ownership, inability to shepherd the tool
- Overcoming objections to accuracy, alternatives
Initial Adoption, Pilot Deployment
Pilot Inception
Goal: Introduce lightweight code analysis to SDLC

Define Secure SDLC
- Palatable to development management
- Sufficient to exercise software security

Stand up App. Sec. Roles
- Assure proper support level for roll out
- Avoid inadequate skills for tool support
- Appropriately assign adoption tasks

Classify Portfolio's Risk
- Apply tools where they count first

Software Security Training
- Begin to set expectations
Pilot Requirements

Define Tool Pilot
- Decide who will pilot the tool

Secure Coding Awareness
- Set expectations about the tool's capabilities
- Show the tool alongside other software security activities
- Differentiate the tool's success criteria from other developer feedback proactively
Elaboration: Phase I Pilot
Potential Challenges: Unwieldy build integration; Overwhelming false positive reduction

Tool Deployment Handbook
- Face & overcome issues before development sees the tool:
  - Integration problems
  - Unnecessary 'on by default' rules

Tune, customize rules
- High-confidence, accurate rules for desktop
- Stage rule packs (over time)
- Leave rules whose findings require savvy for security personnel
Subsequent Roll out, Widespread Adoption
Key to avoiding pushback
Implementation

Baseline all applications
- Face integration issues all over again
- Agreement on the rule pack is essential to measurement

Deploy Incentives Program
- Measurement is essential to incentives
- Enforce adoption as a quality gate
On-going Maintenance

Goals:
- Scale 'whitebox' code analysis
- Automate checking against corporate security coding standards
- Enable developers to test powerfully
Roles and Responsibilities

Essential Roles (by priority)
1. Tool Shepherd: 1 FTE, 1+ over time
2. Deployment Manager: 1/2 FTE
3. Rules Maven: 1 FTE, later

- All report into the Application Security Group
- Appoint Tool Shepherds in B.U.s if:
  - Build environment differs dramatically
  - B.U. remains very autonomous
- Rules Maven: a longer-term, lower-priority hire
Tool Shepherd
- Allows self-sufficiency without a Fortify Sales Engineer
- Tackles the 'other 20%' of integration issues in teams
- Finishes elaboration and drives implementation

1st year tasks:
- Integration handbook (HOWTO)
- F.A.Q. for build failures
- Results interpretation heuristics: "Blacklist", other
- Cull results, participate in determining rule pack constituency
Deployment Manager
- Delegates the Shepherd's time into teams
- Brokers decisions about rule pack configurations

Rule pack configurations:

                Security Analyst (kitchen sink build)   Desktop
  New Dev       Accurate kitchen sink                   Accurate, very fast, reduced pack
  Maintenance   Reduced rule pack                       Very accurate, very fast, very reduced

Measurement & Progress
- Deployment coverage
- Rule accuracy
- Findings rates (density)
- Remediation (rate, LoE, etc.)
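The rule-pack staging described under "Tune, customize rules" and the metrics listed under "Measurement & Progress", worked through as an added Python example (not code from the deck, from Cigital or from any Fortify tooling): triaged findings are turned into per-rule accuracy, the accurate rules are promoted to the desktop packs while everything stays in the analyst's kitchen sink, and findings density and remediation rate are computed for the incentives program. The triage records, the KLOC figure and the accuracy thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed triage records, one per finding: (rule, confirmed true positive, remediated).
# A real deployment would export these from the analysis tool's audit workbench.
TRIAGE = [
    ("sql_injection", True, True), ("sql_injection", True, False),
    ("sql_injection", True, True), ("sql_injection", False, False),
    ("hardcoded_password", True, True), ("hardcoded_password", True, True),
    ("hardcoded_password", True, True), ("hardcoded_password", True, False),
    ("weak_random", True, False), ("weak_random", False, False), ("weak_random", False, False),
    ("unchecked_return", False, False), ("unchecked_return", False, False),
    ("unchecked_return", True, False), ("unchecked_return", False, False),
]
KLOC = 40.0  # constructed size of the scanned application, thousand lines of code


def rule_accuracy(triage):
    """Per-rule accuracy: confirmed findings divided by all findings the rule raised."""
    raised, confirmed = defaultdict(int), defaultdict(int)
    for rule, is_tp, _ in triage:
        raised[rule] += 1
        confirmed[rule] += int(is_tp)
    return {rule: confirmed[rule] / raised[rule] for rule in raised}


def stage_rule_packs(accuracy, desktop_min=0.75, maintenance_min=0.95):
    """Analysts keep every rule; only high-confidence rules reach developer desktops.
    The two thresholds are assumed values, not figures from the deck."""
    return {
        "analyst_kitchen_sink": sorted(accuracy),
        "desktop_new_dev": sorted(r for r, a in accuracy.items() if a >= desktop_min),
        "desktop_maintenance": sorted(r for r, a in accuracy.items() if a >= maintenance_min),
    }


def findings_density(triage, kloc):
    """Confirmed findings per thousand lines of code."""
    return sum(1 for _, is_tp, _ in triage if is_tp) / kloc


def remediation_rate(triage):
    """Share of confirmed findings that have already been fixed."""
    fixed_flags = [fixed for _, is_tp, fixed in triage if is_tp]
    return sum(fixed_flags) / len(fixed_flags) if fixed_flags else 0.0


if __name__ == "__main__":
    acc = rule_accuracy(TRIAGE)
    for pack, rules in stage_rule_packs(acc).items():
        print(f"{pack}: {rules}")
    print(f"density {findings_density(TRIAGE, KLOC):.3f}/KLOC, remediated {remediation_rate(TRIAGE):.0%}")
```

Low-accuracy rules such as the constructed weak_random and unchecked_return stay with security personnel, which is exactly the split the deck asks for between the kitchen sink build and the desktop packs.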