Posted on 03-Aug-2020


© 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

Secure Product Lifecycle (SPLC) In Practice

Mohit Kalra | Senior Manager, Secure Software Engineering (Adobe)


Introduction

Senior Manager @ Adobe’s Secure Software Engineering Team (ASSET). I lead the proactive security efforts.

@adobesecurity / @mohitkalra


Adobe’s Strategy

- Advancing state of the art for content
- Harnessing the power of data
- Driving digital transformation of industries


Adobe Cloud Platform (diagram labels): Adobe Document Cloud, Adobe Creative Cloud, Adobe Marketing Cloud; content and data; core technologies; Adobe.io; private, public or hybrid cloud.


Secure Product Lifecycle

Credit: http://www.cisco.com/c/en/us/about/security-center/security-programs/secure-development-lifecycle.html and https://technet.microsoft.com/en-us/security/gg622918.aspx


Does a diagram capture everything?

Secure Product Lifecycle (SPLC) is a set of processes designed to help product teams engineer secure software.


For our team, the approach to security is much more complex


Security is all about making choices


… and balance


Implementing security is about providing high ROI and business alignment


… while trying to fix the weak links


The challenges in this complex world.


A central security team’s challenge #1: scaling the security work with a small team.

- Hiring skilled security professionals is difficult.
- Team needs to learn continuously.
- Time spent => high premium $$$.


A central security team’s challenge #2

A growing and diverse company product portfolio.


A central security team’s challenge #3

The business critical products vs the legacy applications.


The challenges for a security team: the security team’s bandwidth, diverse technology, varying business criticality.


How can a security team overcome these challenges?


The challenges for a security team: the security team’s bandwidth, diverse technology, varying business criticality.


Security teams @ Adobe

- ASSET (Adobe Secure Software Engineering Team): engineering, champions, researchers & PMs
- Product teams, each owning its products


Establish the minimum bar

- Create a SPLC standard that the product teams need to follow
- Standardize the tool chain

SPLC baseline tasks for every team:

- Training
- Static analysis of code
- Security testing
- 3rd party component tracking
- Code reviews
- Security requirements review
- Threat modelling
- Review of high risk findings and sign-off


Security is a shared responsibility


Split and share responsibilities

Spend premium security skill mindshare where it matters.

Each SPLC task is assigned either to product team ownership or to the central security team:

- Training
- Static analysis of code
- Security testing
- 3rd party component tracking
- Code reviews
- Security requirements review
- Threat modelling
- Review of high risk findings and sign-off


Set up product teams for security success with their security practices

Onboard team -> Review product / gather intel -> Automation onboarding -> Train team -> Routine SPLC tasks


The challenges for a security team: the security team’s bandwidth, diverse technology, business criticality.


Implementing Security Measures for a wide technology spectrum


A product may be offered on one or many platforms.


Extend the baseline SPLC requirements

The baseline SPLC is extended per platform:

- Services SPLC
- Mobile SPLC
- Desktop SPLC


Extend the baseline SPLC requirements (web)


Extend the baseline SPLC requirements (mobile)


Extend the baseline SPLC requirements (desktop)


The challenges for a security team: the security team’s bandwidth, diverse technology, business criticality.


Tune for business criticality


Factor in business criticality for a security engagement
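The deck names the baseline tasks, the split between product-team triage and central-team sign-off for high-risk findings, and the idea of tuning the engagement to business criticality, but never shows what the resulting rule looks like when it is enforced. The release gate below is an added example (not Adobe's tooling or policy) that ties those three slides together: the criticality tiers, the severity thresholds and the sample findings are all assumptions made for illustration.

```python
"""
Release gate that turns the SPLC baseline into an enforceable rule.

Findings from the baseline tasks (static analysis, 3rd party component
tracking, security testing) are triaged by the product team, but a
high-risk finding can only be waived with the central security team's
sign-off, and the severity that blocks a release depends on the product's
business criticality.

Added example: the tiers, thresholds and findings are assumptions, not
Adobe's actual policy, tooling or scan output.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional


class Severity(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


@dataclass
class Finding:
    id: str
    source: str                     # "sast", "third_party", "pentest", ...
    severity: Severity
    product_triaged: bool = False   # product team reviewed it (fixed, unreachable or accepted)
    central_signoff: bool = False   # central security team accepted the residual risk


@dataclass
class ReleaseDecision:
    tier: str
    allowed: bool
    blocking: List[str] = field(default_factory=list)   # ids of blocking findings
    reasons: List[str] = field(default_factory=list)


# Assumed policy: minimum severity that blocks a release at each
# business-criticality tier. Legacy products get a looser bar so that
# central-team bandwidth goes to the business-critical products.
BLOCKING_THRESHOLD: Dict[str, Severity] = {
    "critical": Severity.MEDIUM,
    "standard": Severity.HIGH,
    "legacy": Severity.CRITICAL,
}

# Assumed policy: at or above this severity a product-team triage is not
# enough, the central team must sign off ("review of high risk findings
# and sign-off" in the baseline).
SIGNOFF_THRESHOLD = Severity.HIGH


def why_blocking(f: Finding, tier: str) -> Optional[str]:
    """Reason this finding blocks release at the tier, or None if it does not."""
    if f.severity < BLOCKING_THRESHOLD[tier]:
        return None                               # tracked, but below the tier's bar
    if f.severity >= SIGNOFF_THRESHOLD:
        if f.central_signoff:
            return None                           # residual risk accepted centrally
        return "high-risk finding needs central security team sign-off"
    if f.product_triaged:
        return None                               # product team owns triage below the bar
    return "finding not yet triaged by the product team"


def evaluate_release(tier: str, findings: List[Finding]) -> ReleaseDecision:
    """Apply the gate to every finding and collect the blockers."""
    if tier not in BLOCKING_THRESHOLD:
        raise ValueError(f"unknown criticality tier: {tier}")
    decision = ReleaseDecision(tier=tier, allowed=True)
    for f in findings:
        reason = why_blocking(f, tier)
        if reason is None:
            continue
        decision.allowed = False
        decision.blocking.append(f.id)
        decision.reasons.append(f"{f.id} [{f.source}, {f.severity.name}]: {reason}")
    return decision


# Constructed sample findings, not real scan output.
SAMPLE_FINDINGS = [
    Finding("F1", "sast", Severity.HIGH, product_triaged=True),           # "unreachable" per product team, no central sign-off
    Finding("F2", "third_party", Severity.MEDIUM, product_triaged=True),  # outdated component, accepted by product team
    Finding("F3", "pentest", Severity.CRITICAL, product_triaged=True, central_signoff=True),  # risk formally accepted
    Finding("F4", "sast", Severity.MEDIUM),                               # nobody has looked at it yet
    Finding("F5", "sast", Severity.LOW),                                  # below every tier's bar
]


if __name__ == "__main__":
    for tier in BLOCKING_THRESHOLD:
        d = evaluate_release(tier, SAMPLE_FINDINGS)
        print(f"{tier:9} release {'ALLOWED' if d.allowed else 'BLOCKED'}")
        for r in d.reasons:
            print("   ", r)
```

Running it shows the tuning in action: the same five findings block a business-critical product twice (the untriaged medium and the high without central sign-off), block a standard product once, and let a legacy product ship, because only the critical finding reaches its bar and that one carries a central sign-off.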


Summary

We presented you with the real world experiences of running a SPLC program at Adobe.

At a minimum, a product should get access to a baseline SPLC guidance.

A SPLC program:

- Scales premium security bandwidth through shared responsibility.
- Evolves continuously as the company evolves and innovates.
- Is flexible and adapts to the business needs of an organization.
