achieving visible security at scale with the nist cybersecurity framework
TRANSCRIPT
Aspect Security | 9175 Guilford Road, Suite 300 | Columbia, MD 21046 | www.aspectsecurity.com
Achieving Visible Security at Scale with the NIST Cybersecurity Framework
SRCE Workshop Atlanta, GA Nov 17, 2015
Application security that just works
ABOUT US
KEVIN FEALEY Principal Consultant & Practice Lead
Automation & Integration Services 7 years Cybersec experience, @secfealz
©2015 Aspect Security. All Rights Reserved 2
TONY MILLER Principal Consultant & Practice Lead
Application Program Services 10 years Cybersec experience, @tjmmgd
Application security that just works
ABOUT YOU
Government, Private Sector? AppSec Team, Risk Managers? Used Cybersecurity Framework?
©2015 Aspect Security. All Rights Reserved 3
Application security that just works
APPLICATION SECURITY VS. NETWORK SECURITY
©2015 Aspect Security. All Rights Reserved 4
Application Layer – Attacker sends attacks inside
valid HTTP requests. – Custom code is tricked into
doing something it should not. – Security requires software
development expertise, not signatures.
Network Layer – Firewall, hardening, patching,
IDS, and SSL/TLS cannot detect or stop attacks inside HTTP requests.
– Security relies on signature databases.
Fire
wal
l
Fire
wal
l
Dat
abas
es
Lega
cy S
yste
ms
Web
Ser
vice
s D
irect
orie
s H
uman
Res
rcs
Bill
ing
Custom Code
APPLICATION ATTACK
Net
wor
k La
yer
Appl
icat
ion
Laye
r
Acco
unts
Fi
nanc
e Ad
min
istr
atio
n Tr
ansa
ctio
ns
Com
mun
icat
ion
Kno
wle
dge
Mgm
t E-
Com
mer
ce
Bus
. Fun
ctio
ns
Hardened OS
Web Server
App Server
Application security that just works
OWASP TOP TEN: COMMON VULNERABILITIES
©2015 Aspect Security. All Rights Reserved 5
1. Injection Flaws 2. Broken Account and
Session Management 3. Cross-Site Scripting Flaws 4. Direct Object References 5. Web/Application Server
Misconfigurations
6. Sensitive Data Exposure 7. Broken Access Control 8. Cross-Site Request Forgery 9. Using Components with
Known Vulnerabilities 10. Unvalidated Redirects and
Forwards
Application security that just works
STANDARD SDLC
Requirements
Design
Develop Test
Maintain
©2015 Aspect Security. All Rights Reserved 6
Security Testing
Application security that just works
CURRENT PIPELINE
©2015 Aspect Security. All Rights Reserved 7
Development Pipeline Security Pipeline Production Pipeline
Manual Security Activities
1-2 week duration
Prone to human error
Late in the SDLC
Application security that just works
MANUAL SECURITY REVIEWS
©2015 Aspect Security. All Rights Reserved 8
Development
Security Testing
Production
Business Stakeholders
Risks
Application security that just works
FUTURE PIPELINE (IE. WHAT IS APPSEC AUTOMATION?)
Automate:
©2015 Aspect Security. All Rights Reserved 9
Development Pipeline Security Pipeline Production Pipeline
Tasks that do not require security intelligence Verification of security policies/requirements Vulnerability testing Correlation and reporting
Development, Security, and Operations collaborate early and often
Application security that just works
APPSEC AUTOMATION PROGRAM DEPENDENCIES
•What are our assets? Application Inventory
•When is automated detection insufficient? Identify Risk Thresholds
•What do we expect from our assets? Standard Security Requirements
•How can we maximize our automation capabilities and mitigate risk?
Common Security Controls
•How will we support our developers? Developer Training and Support
•How will we prioritize and fix issues we identify? Vulnerability Management Program
•How will feedback be generated and integrated back? Continuous Improvement Process
©2015 Aspect Security. All Rights Reserved 10
Application security that just works
APPSEC AUTOMATION PROGRAM DEPENDENCIES
•What are our assets? Application Inventory
•When is automated detection insufficient? Identify Risk Thresholds
•What do we expect from our assets? Standard Security Requirements
•How can we maximize our automation capabilities and mitigate risk?
Common Security Controls
•How will we support our developers? Developer Training and Support
•How will we prioritize and fix issues we identify? Vulnerability Management Program
•How will feedback be generated and integrated back? Continuous Improvement Process
©2015 Aspect Security. All Rights Reserved 11
• How can we effectively scale our security program to achieve business goals at a more rapid pace?
AppSec Automation
Program
Application security that just works
CYBERSECURITY FRAMEWORK 3.2
Software Security Program Review
©2015 Aspect Security. All Rights Reserved 12
Define the Scope
Analyze Threats
Current Capability
Assess Risks and Gaps
Capability Goals
Improvement Initiatives
Execute Initiatives
1 2
3 4 5
6 7
Application security that just works
TRADITIONAL SDLC
Requirements
Design
Develop Test
Maintain
©2015 Aspect Security. All Rights Reserved 13
Dynamic Application
Testing
Threat Modeling
Architecture/Design Reviews
Static Code Reviews
Periodic Retesting
Application security that just works
CHALLENGES OF DEV-OPS/AGILE
Requirements & Design Phases Hardly accommodated Development to Deployment Highly compressed timeframes Traditional Testing Cycles Can’t accommodate stunning speed
So, how do we integrate security?
©2015 Aspect Security. All Rights Reserved 14
Application security that just works
SECURE DEV-OPS/AGILE MODEL
Proactive Lifecycle Continuous Monitoring
Developer Training Local Security SME Program
Operational Security Team
Secure Code & Architecture Standards
Targeted Security Activities (small scope)
Risk-Based Security Assurance Model
Standardized Security Controls Components
Self-Service Model Utilizing Automation
Feedback Loop Via Stories/Features
©2015 Aspect Security. All Rights Reserved 15
Thank you!
©2015 Aspect Security. All Rights Reserved
Kevin Fealey & Tony Miller [email protected] [email protected]