
Page 1

The OWASP Foundation
http://www.owasp.org

OWASP AppSec Washington DC 2009
The Secure SDLC Panel
Real answers from real experience

Moderated by:

Pravir Chandra
Director of Strategic Services, Fortify Software
OpenSAMM Project Lead
OWASP Global Projects Committee
[email protected]

Page 2

Panelists

• Dan Cornell - Denim Group

• Michael Craigue - Dell Computers

• Dennis Hurst - Hewlett Packard

• Joey Peloquin - FishNet Security

• Keith Turpin - The Boeing Company

Page 3

Agenda

• Introducing the panelists

• Panelist positions

• Moderated question & answer

• Summary & conclusions

Page 4

Introducing the Panelists

Page 5

Dan Cornell

• Background:
  • Principal / CTO of Denim Group
  • Developer by background – J2EE, .NET, etc.

• OWASP:
  • San Antonio Chapter Lead
  • Open Review Project Co-Lead
  • Global Membership Committee

• Experience:
  • Coder, architect, trainer, threat modeler, code reviewer, penetration tester
  • Building SDLCs as both a consultant and a development organization

Page 6

Michael Craigue

• At Dell since 1999
  • Lead for application security
  • Emphasis on the e-commerce site
  • SDL alignment with SDLC

• Prior to joining Dell’s information security team, spent over a decade building Web and database applications

• CISSP- and CSSLP-certified

• Taught Database Management and Business Intelligence/Knowledge Management at St. Edward’s University in their MBA and MS CIS programs

• Ph.D. from the University of Texas at Austin in Higher Education Administration and Finance

Page 7

Dennis Hurst

• Dennis Hurst is a Senior Security Engineer for HP Software, where he currently works with customers on Cloud Security and integrating security into Agile development processes. Prior to HP, Dennis was a Developer Security Evangelist for S.P.I. Dynamics, Inc. He was the original developer of SPI Dynamics’ flagship web application vulnerability assessment product, WebInspect™, and now works with other development organizations evangelizing the need to integrate security into the Software Development Lifecycle (SDLC). Dennis is a founding member of the Cloud Security Alliance, and recently co-wrote the application security section of the “Security Guidance for Critical Areas of Focus in Cloud Computing.” Dennis has over 20 years of development and IT experience and has been working with internet-facing applications since the early ’90s.

Page 8

Joey Peloquin

• Prior to becoming a consultant: Application Security Evangelist and Project Lead for the Application Security Program at a Fortune 200 retailer

• Strategic Application Security Advisor for large software developer based in CA

• Strategic and tactical application security consulting for financial services, healthcare, and retail organizations

• Frequent speaker on “building security in”

Page 9

Keith Turpin

• Keith leads Boeing’s application security assessment team and is a member of the Boeing enterprise red team.

• He also served two years as the lead IT security advisor for Boeing’s international operations.

• Keith currently represents Boeing on the International IT Standards Committee’s Cyber Security Technical Committee. Keith also served four years as the Director of Communication for the Puget Sound chapter of the Information Systems Security Association.

• Keith has a BA in Mechanical Engineering and MS in Computer Systems.

Page 10

Panelist Positions

Page 11

Variables

Dan Cornell on...

• What does an organization value?
  • If people: training
  • If process: SDLC checkpoints
  • If technology: static or dynamic analysis
  • More complicated than this, but understand how decisions are made

• Have they been burned?

• Top-down versus bottom-up

• How much is enough?

• Features > Performance > Security

Page 12

DOs and DON’Ts

Dan Cornell on...

• DO
  • Identify champions (everyone can’t be a ninja, but some people want to – so use them)
  • Use the technologies … but not exclusively
  • Be iterative (Rome wasn’t built in a day, and neither was your scary portfolio of applications)

• DON’T
  • Think everyone cares as much (or for the same reasons) as you
  • Expect to “finish” anytime soon (improvement takes time and you are never really done)

Page 13

Key decision factors

Mike Craigue on...

• Build consensus among developers first; appeal to their love of writing high-quality software

• Take early success stories to executives

• Communicate to executives in terms of risk

• Create a variety of awareness and education programs
  • Face-to-face seminars, celebrities welcome
  • General courseware, manager courseware, 30-minute refresher courses

• Traditional versus Agile development

Page 14

Lessons learned

Mike Craigue on...

• We’re doing fundamentals, not cutting-edge security work

• Added ourselves into an existing SDLC; risk modeling tool was key touchpoint

• Partnered with other groups
  • Developers—key allies
  • Legal—contract templates, muscle
  • Enterprise Architecture—tools, technology standardization; SOA
  • Privacy—global background / EU representation
  • Compliance—policies/standards

• Leveraged regulatory compliance for adoption

• Global staff, time zone / business segment alignment initially

• Acquisition challenges

• Threat modeling is time-consuming; use sparingly

• One step at a time, one org at a time, show metrics, build momentum

• Developer desktop standardization is ideal, but hard to attain

• Exception management process, executive escalation, roadmaps

Page 15

Key thoughts

Dennis Hurst on...

• People want "security", whatever that is. The question is: are they willing to pay for it?

• The "level of effort" for security should be proportional to risk.

• Security must be INTEGRATED into the SDLC, not hammered in with policy, threats, etc.

• Must require security at appropriate, quantifiable, attainable levels

• Motivate less risky behaviors

• Be introduced in stages and be financially appropriate at each stage.

• Creating a secure SDLC is a process that takes time, and the process must be articulated, frequently in the form of a Maturity Model. People need to know where they are and where they are going.

• A Secure SDLC has LOTS of fringe benefits (quality, repeatability, testability, etc.). SELL THEM to get your SDLC!!!!

Page 16

Decision factors

Joey Peloquin on...

• Gartner’s prediction that 80% of companies would experience a web-related breach by 2010 is well on its way to coming true

• Companies lucky enough to have not become a statistic virtually all have Secure SDLC projects on the books for 2010

• Security Testing, Application Security Training, and Threat Modeling seen as “must haves”

• Getting started is the hardest part, but if you have buy-in from all levels, and take baby steps, you have a great chance of succeeding

Page 17

Lessons Learned

Joey Peloquin on...

• You need more than an executive champion

• Buying tools without clear direction and a proper plan leads to shelf-ware

• Threat Modeling, Risk Analysis… whatever you want to call it, pays huge dividends when done right

• When I ask if you have a Secure SDLC, AppSec Program, etc., your response should not be, “sure, we’re an Agile shop”

• It’s okay to call for help!

Page 18

Decision Factors

Keith Turpin on...

• Determine how to risk model your applications. In a large environment you may have thousands of applications with various degrees of potential impact and differing threat agents. You may not be able to bring the wisdom of secure software development to the masses all at once, so figure out where to focus your efforts first.

• You must implement an effective training and communication program that will help developers, architects, project managers and management understand the nature of software security vulnerabilities, why they are important and how they can be mitigated during the development lifecycle.

• Like any initiative that is trying to change the practices of a large organization or company, implementing secure software development practices must be supported and sponsored by senior leadership.
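The triage in the first point above, deciding where to focus first across thousands of applications with differing impact and threat agents, is something a small AppSec team typically scripts against its application inventory. The following is an added example and is not code from the panel, from Boeing, or from any panelist's organization: a portfolio risk-tiering pass in Python that scores each application from its exposure, data sensitivity, business criticality and most capable interested threat agent, ranks the portfolio, and maps each tier to a set of assessment activities. The factor categories, weights, tier thresholds, the activities per tier and the six-application inventory are all illustrative assumptions constructed for this example.

```python
"""Portfolio risk tiering: rank an application inventory so that scarce
assessment effort goes to the riskiest applications first.

Added example. The factors, weights, thresholds, per-tier activities and
the sample inventory are illustrative assumptions, not figures from the
panel or from any real portfolio.
"""

from dataclasses import dataclass

# Likelihood factors: who can reach the application and who is motivated
# and able to attack it. Weights are assumptions.
EXPOSURE = {"internet": 3, "partner": 2, "internal": 1}
THREAT_AGENT = {"organized_crime": 3, "insider": 2, "opportunistic": 1}

# Impact factor: the most sensitive class of data the application handles.
DATA_CLASS = {"regulated": 3, "confidential": 2, "public": 1}

# Assessment activities per tier (assumed mapping; tier 1 is highest risk).
ACTIVITIES = {
    1: ["threat model", "design review", "manual code review", "penetration test"],
    2: ["static analysis", "dynamic scan"],
    3: ["automated scan at release"],
}


@dataclass(frozen=True)
class App:
    name: str
    exposure: str          # key of EXPOSURE
    data_class: str        # key of DATA_CLASS
    threat_agent: str      # key of THREAT_AGENT
    business_critical: bool


def risk_score(app: App) -> int:
    """Impact times likelihood; with these weights the maximum is 30.

    Unknown category strings raise KeyError on purpose: an application
    with an incomplete risk profile should be flagged for follow-up, not
    silently scored low and pushed to the bottom of the list.
    """
    impact = DATA_CLASS[app.data_class] + (2 if app.business_critical else 0)
    likelihood = EXPOSURE[app.exposure] + THREAT_AGENT[app.threat_agent]
    return impact * likelihood


def tier(score: int) -> int:
    """Map a score to an assessment tier; thresholds are assumptions."""
    if score >= 18:
        return 1
    if score >= 8:
        return 2
    return 3


def prioritize(apps: list[App]) -> list[tuple[App, int, int]]:
    """(app, score, tier) triples, highest score first.

    Ties are broken by name so the ordering is stable between runs and
    two people looking at the same inventory get the same list.
    """
    ranked = sorted(apps, key=lambda a: (-risk_score(a), a.name))
    return [(a, risk_score(a), tier(risk_score(a))) for a in ranked]


def assessment_plan(apps: list[App]) -> dict[int, list[str]]:
    """Application names grouped by tier, in priority order within a tier."""
    plan: dict[int, list[str]] = {1: [], 2: [], 3: []}
    for app, _score, t in prioritize(apps):
        plan[t].append(app.name)
    return plan


# Constructed inventory for the example; not a real portfolio.
SAMPLE_INVENTORY = [
    App("storefront", "internet", "regulated", "organized_crime", True),
    App("partner-api", "partner", "confidential", "organized_crime", True),
    App("expense-app", "internal", "regulated", "insider", False),
    App("hr-portal", "internal", "confidential", "insider", False),
    App("marketing-site", "internet", "public", "opportunistic", False),
    App("internal-wiki", "internal", "confidential", "opportunistic", False),
]


if __name__ == "__main__":
    for app, score, t in prioritize(SAMPLE_INVENTORY):
        print(f"tier {t}  score {score:2d}  {app.name}")
    for t, names in assessment_plan(SAMPLE_INVENTORY).items():
        print(f"tier {t}: {', '.join(ACTIVITIES[t])} -> {names}")
```

On the constructed inventory the two customer- and partner-facing systems that handle sensitive data land in tier 1, the internal regulated-data application in tier 2, and the rest in tier 3. The point of the exercise is not the particular weights but that the ranking is explicit and reproducible, so it can be argued about with development management and revised as the portfolio changes, and that an application with a missing profile fails loudly rather than quietly disappearing from the list.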

Page 19

Lessons Learned

Keith Turpin on...

• Develop or adopt testing and remediation standards so that development teams, assessment teams and auditors are on the same page.

• Establish a formal risk acceptance process to address situations where vulnerabilities cannot be sufficiently remediated but the business wants to move forward anyway.

• Ensure development teams have the tools they need to facilitate testing during development. In some cases this may require policy-based guidelines around approved use of these tools, since some may also be used for malicious purposes, set off your IDS or anti-virus systems, or cause unintended network disruption.

• Adopt a layered approach. Software firewalls can add an extra layer of defense, but this does not substitute for secure development. It is common practice for servers to be protected by network-level firewalls even though the servers themselves are also expected to be hardened. Why treat software-level security differently?

• Trust but verify the security of all commercial software supporting critical business functions.

Page 20

Moderated Question & Answer

Page 21

Ground Rules

• Warm up with some prepared questions

• Panelists should limit responses to 2-3 mins

• Audience participation!!!

• Comments/questions/flames welcomed!

• I’ll try to keep things orderly...

Page 22

What are the most significant organizational factors in determining if a secure SDLC integration will be successful?

• Top management mandate

• Metrics and dashboards

• Consistent development process

• Corporate culture

• Regulatory drivers

• <Insert here>

Page 23

Are there any big no-no's that stop a secure SDLC program dead in its tracks? If so, what are they?

Page 24

Rank the following in terms of priority for an organization that wants to do more security assessments in the SDLC:

• Code review (manual or static analysis)

• Security testing (dynamic analysis or ethical hack)

• Design review (inspection of security mechanisms)

• Threat modeling (assessment of what could go wrong)

Page 25

What's the best method for getting an organization's development, security/risk, and operations groups aligned to roll out a secure SDLC program?

Page 26

Carrot vs. Stick. Which should you pick when trying to change the process throughout an organization? In what situations might you decide to use the other?

Page 27

If someone approached you saying they had a little bit of budget for their software security program, but didn’t know what to do next, how would that conversation go? Specifically, where would you steer them?

• Hire consultants

• Get tools/technology

• License training content

• Internal head-count

• <Insert here>

Page 28

Rank the following in order of importance for a successful secure SDLC initiative

• People

• Process

• Technology

Page 29

We talk about the importance of measurement and metrics a lot, but does anyone actually use them? If so, what are the most popular ones?

Page 30

Do you think it is possible to demonstrate return on investment (ROI) for secure SDLC programs? If not, why? If so, how?

Page 31

How do you pronounce CISO?

• s-EE-so

• s-IH-so

• s-EYE-so

Page 32

Summary & Conclusions