intro to security in sdlc
![Page 1: Intro to Security in SDLC](https://reader034.vdocument.in/reader034/viewer/2022042502/54c265e64a795974748b45dc/html5/thumbnails/1.jpg)
Secure SDLC
![Page 2: Intro to Security in SDLC](https://reader034.vdocument.in/reader034/viewer/2022042502/54c265e64a795974748b45dc/html5/thumbnails/2.jpg)
Because the question is not IF. The question is WHEN.
![Page 3: Intro to Security in SDLC](https://reader034.vdocument.in/reader034/viewer/2022042502/54c265e64a795974748b45dc/html5/thumbnails/3.jpg)
Protecting software is much easier if the software is built with security in mind.
![Page 4: Intro to Security in SDLC](https://reader034.vdocument.in/reader034/viewer/2022042502/54c265e64a795974748b45dc/html5/thumbnails/4.jpg)
GENERIC APPROACH FOR SECURITY
Design: security requirements / risk and threat analysis
Build: coding guidelines / code reviews / static analysis
Test: security testing / dynamic analysis
Production: vulnerability scanning / WAF
Reactive Approach (security added in production) vs. Proactive Approach (security built in from design)
Secure SDLC
![Page 5: Intro to Security in SDLC](https://reader034.vdocument.in/reader034/viewer/2022042502/54c265e64a795974748b45dc/html5/thumbnails/5.jpg)
SECURE SDLC
Requirements: Security Requirements, Compliance Analysis, Governance Definition
Design: Risk Assessment, Secure Architecture
Implementation: Code Reviews, Code Analysis
Verification: Security Testing, Risk Assessment Review, Penetration Testing
Release: Security Review, Incident Response Plan
Response: Incident Forensics, Security Monitoring
Across all phases: Security Awareness Trainings
Ensure the best practices are integral to the development program and applied over the lifecycle of the application.
![Page 6: Intro to Security in SDLC](https://reader034.vdocument.in/reader034/viewer/2022042502/54c265e64a795974748b45dc/html5/thumbnails/6.jpg)
SOFTWARE SECURITY IS EVERYONE’S JOB
![Page 7: Intro to Security in SDLC](https://reader034.vdocument.in/reader034/viewer/2022042502/54c265e64a795974748b45dc/html5/thumbnails/7.jpg)
PRIMARY BENEFITS
Minimize the cost of security-related issues
Avoid repetitive security issues
Avoid an inconsistent level of security
Determine which activities pay back fastest in the current state of the project
![Page 8: Intro to Security in SDLC](https://reader034.vdocument.in/reader034/viewer/2022042502/54c265e64a795974748b45dc/html5/thumbnails/8.jpg)
ORGANIZATION CHALLENGES
An organization’s behavior changes slowly over time
• Changes must be iterative while working toward long-term goals
There is no single recipe that works for all organizations
• A solution must enable risk-based choices tailored to the organization
Guidance related to security activities must be prescriptive
• A solution must provide enough detail for non-security people
Overall, it must be simple, well-defined, and measurable
• Understandable measurements can be used
![Page 9: Intro to Security in SDLC](https://reader034.vdocument.in/reader034/viewer/2022042502/54c265e64a795974748b45dc/html5/thumbnails/9.jpg)
IMPLEMENTATION CHALLENGES
Team Pushback
Security Ownership
The “Security is Special” problem
“Official/Actual Adoption Dilemma”
Benefits Measurement
![Page 10: Intro to Security in SDLC](https://reader034.vdocument.in/reader034/viewer/2022042502/54c265e64a795974748b45dc/html5/thumbnails/10.jpg)
Typical Engagement Models
![Page 11: Intro to Security in SDLC](https://reader034.vdocument.in/reader034/viewer/2022042502/54c265e64a795974748b45dc/html5/thumbnails/11.jpg)
AUTOMATED CODE ANALYSIS
![Page 12: Intro to Security in SDLC](https://reader034.vdocument.in/reader034/viewer/2022042502/54c265e64a795974748b45dc/html5/thumbnails/12.jpg)
LINEAR INTEGRATION APPROACH
![Page 13: Intro to Security in SDLC](https://reader034.vdocument.in/reader034/viewer/2022042502/54c265e64a795974748b45dc/html5/thumbnails/13.jpg)
• After the backlog of security-related items has been reviewed and evaluated by Development Management, a 2-week development cycle (iteration) addresses the highest-ranked items
• Upon delivery of completed code, security testing is performed both manually and using automated testing tools
• Results from manual and automated scans end up in the same backlog repository, to be reviewed and prioritized by Development Management
ITERATION BASED TEST ONLY APPROACH
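The slide above says manual and automated scan results land in the same backlog repository, and an earlier slide lists "avoid repetitive security issues" as a primary benefit. The script below is an added example (not code from the original deck) of how that consolidation is typically done in practice: it ingests a SARIF 2.1.0 report as emitted by static-analysis tools, ingests manual review findings, gives each finding a stable fingerprint so a rescan or a second reporter does not create a duplicate backlog item, and orders the merged backlog by severity for the prioritization step. The tool name "ExampleSAST", the sample findings, and the backlog item field names are all constructed for illustration.

```python
"""Merge automated (SARIF) and manual security findings into one backlog.

Illustrative example: the SARIF document and the manual findings below are
constructed inline, and the backlog item shape is an assumption.
"""
import hashlib
import json

# Constructed SARIF 2.1.0 fragment, shaped like a static-analysis tool's output.
SARIF_SAMPLE = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "ExampleSAST"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "Unsanitized input reaches SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/db/users.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "weak-hash", "level": "warning",
             "message": {"text": "MD5 used for password hashing"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/auth/login.py"},
                 "region": {"startLine": 17}}}]},
            # Same hit reported again (e.g. a rescan); must collapse into one item.
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "Unsanitized input reaches SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/db/users.py"},
                 "region": {"startLine": 42}}}]},
        ],
    }],
})

# Constructed manual findings from code review / pentest.
MANUAL_SAMPLE = [
    {"rule": "missing-authz", "severity": "high",
     "summary": "Admin endpoint lacks role check",
     "file": "src/api/admin.py", "line": 88},
    # The reviewer independently found the same weak hash the tool did.
    {"rule": "weak-hash", "severity": "medium",
     "summary": "MD5 used for password hashing",
     "file": "src/auth/login.py", "line": 17},
]

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}
SARIF_LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium", "note": "low"}


def fingerprint(rule, path, line):
    """Stable ID: rule + location, so repeat reports map to one backlog item."""
    return hashlib.sha256(f"{rule}|{path}|{line}".encode()).hexdigest()[:12]


def from_sarif(sarif_text):
    """Normalize SARIF results into backlog items, one per reported location."""
    items = []
    for run in json.loads(sarif_text)["runs"]:
        tool = run["tool"]["driver"]["name"]
        for result in run.get("results", []):
            for loc in result.get("locations", []):
                phys = loc["physicalLocation"]
                path = phys["artifactLocation"]["uri"]
                line = phys.get("region", {}).get("startLine", 0)
                level = result.get("level", "warning")
                items.append({
                    "id": fingerprint(result["ruleId"], path, line),
                    "rule": result["ruleId"],
                    "severity": SARIF_LEVEL_TO_SEVERITY.get(level, "medium"),
                    "summary": result["message"]["text"],
                    "location": f"{path}:{line}",
                    "sources": {tool},
                })
    return items


def from_manual(findings):
    """Normalize manual findings into the same backlog item shape."""
    return [{
        "id": fingerprint(f["rule"], f["file"], f["line"]),
        "rule": f["rule"],
        "severity": f["severity"],
        "summary": f["summary"],
        "location": f"{f['file']}:{f['line']}",
        "sources": {"manual"},
    } for f in findings]


def merge_backlog(*item_lists):
    """Deduplicate by fingerprint, keep the worst severity, union the sources,
    and return the backlog ordered highest severity first."""
    backlog = {}
    for items in item_lists:
        for item in items:
            existing = backlog.get(item["id"])
            if existing is None:
                backlog[item["id"]] = dict(item, sources=set(item["sources"]))
                continue
            existing["sources"] |= item["sources"]
            if SEVERITY_RANK[item["severity"]] < SEVERITY_RANK[existing["severity"]]:
                existing["severity"] = item["severity"]
    return sorted(backlog.values(),
                  key=lambda i: (SEVERITY_RANK[i["severity"]], i["location"]))


if __name__ == "__main__":
    for item in merge_backlog(from_sarif(SARIF_SAMPLE), from_manual(MANUAL_SAMPLE)):
        print(item["severity"].upper(), item["id"], item["location"],
              item["rule"], sorted(item["sources"]))
```

On the sample input the merged backlog has three items rather than five: the repeated SAST hit collapses, and the weak-hash finding appears once with both the tool and the manual reviewer recorded as sources, which is the evidence Development Management needs when ranking it. The fingerprint deliberately excludes the message text, so a tool that rewords its message between versions still maps to the same backlog item; it does include the line number, so a refactor that moves code will open a fresh item and the old one should be closed out during the review.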
![Page 14: Intro to Security in SDLC](https://reader034.vdocument.in/reader034/viewer/2022042502/54c265e64a795974748b45dc/html5/thumbnails/14.jpg)
HOW TO GET STARTED
Discovery: Analyze Current Practices
Define Goals
Define Roadmap
Execute / Oversee / Adjust
![Page 15: Intro to Security in SDLC](https://reader034.vdocument.in/reader034/viewer/2022042502/54c265e64a795974748b45dc/html5/thumbnails/15.jpg)
Case Study
![Page 16: Intro to Security in SDLC](https://reader034.vdocument.in/reader034/viewer/2022042502/54c265e64a795974748b45dc/html5/thumbnails/16.jpg)
BUSINESS ISSUE
Drivers: Customer Request, Potential Issues
Requestor: Security Department
The client knows they have issues and requested a team to address them.
![Page 17: Intro to Security in SDLC](https://reader034.vdocument.in/reader034/viewer/2022042502/54c265e64a795974748b45dc/html5/thumbnails/17.jpg)
SOLUTION
• Tactical Goals: address existing local findings (tool generated)
• Strategic Goals: address security design flaws and prevent issues from reappearing in the future
Issues Root Cause Analysis
• Team structured into an Addressing team and a Remediation team, pursuing the Tactical and Strategic Goals respectively
• Prioritized roadmap for the Remediation Team
• Security Risk Assessment
• Security Architecture Analysis
• Security Awareness Trainings for the Team
• Roadmap for Secure SDLC practices adoption
Solution for the Strategic Goals
![Page 18: Intro to Security in SDLC](https://reader034.vdocument.in/reader034/viewer/2022042502/54c265e64a795974748b45dc/html5/thumbnails/18.jpg)
SOLUTION
Requirements: Security Requirements, Compliance Analysis, Governance Definition
Design: Risk Assessment, Secure Architecture
Implementation: Code Reviews, Code Analysis
Verification: Security Testing, Risk Assessment Review, Penetration Testing
Release: Security Review, Incident Response Plan
Response: Incident Forensics, Security Monitoring
Across all phases: Security Awareness Trainings
Phase 1: 1 – 2 months. Team: full-time (FTE) Security Analyst
![Page 19: Intro to Security in SDLC](https://reader034.vdocument.in/reader034/viewer/2022042502/54c265e64a795974748b45dc/html5/thumbnails/19.jpg)
SOLUTION
Requirements: Security Requirements, Compliance Analysis, Governance Definition
Design: Risk Assessment, Secure Architecture
Implementation: Code Reviews, Code Analysis
Verification: Security Testing, Risk Assessment Review, Penetration Testing
Release: Security Review, Incident Response Plan
Response: Incident Forensics, Security Monitoring
Across all phases: Security Awareness Trainings
Phase 2: 2 – 3 months. Team: part-time Security Analyst
![Page 20: Intro to Security in SDLC](https://reader034.vdocument.in/reader034/viewer/2022042502/54c265e64a795974748b45dc/html5/thumbnails/20.jpg)
VALUE
Approach addressing both Tactical and Strategic Goals
Decrease the number of security issues on the project
Minimize potential security issues that might be introduced in the future
Improve security expertise and practices of the current team
Experience sharing with the client’s security program
Proof-of-concept (POC) remediation approach for other products in the client’s portfolio
![Page 21: Intro to Security in SDLC](https://reader034.vdocument.in/reader034/viewer/2022042502/54c265e64a795974748b45dc/html5/thumbnails/21.jpg)
Thank You
Questions?