Addressing Security Across Vertical Market Segments

  1. Addressing Security Across Vertical Market Segments
     Danny Allan, Strategic Research Analyst, Watchfire Corporation

  2. Agenda
     • Security across Verticals
     • Differences & Commonalities
     • Regulatory Matrices
     • Enterprise Risk Management
       • People
       • Process
       • Technology
     • Sample ERM Model
     • Summary

  3. Security Across Verticals
     • Key differences
       • Regulatory bodies, regulations, standards & guidelines
       • Secure development lifecycle adoption
     • Commonalities across verticals
       • Security is expected and assumed by:
         • Consumers
         • Governing bodies
         • Executives

  4. The Myth: “Our Site Is Safe”
     • We have firewalls in place
     • We audit it once a quarter with pen testers
     • We use network vulnerability scanners

  5. The Reality: Security and Spending Are Unbalanced
     • 75% of all attacks on information security are directed to the web application layer
     • 2/3 of all web applications are vulnerable
     [Chart: % of attacks vs. % of security dollars, by layer. Web applications: 75% of attacks, 10% of dollars. Network/server: 25% of attacks, 90% of dollars.]
     Sources: Gartner, Watchfire

  6. Info Security Landscape: Our World
     [Diagram: security controls by layer]
     • Desktop: antivirus protection
     • Transport: encryption (SSL)
     • Network: firewalls / advanced routers
     • Web applications: web servers, application servers, databases, backend server firewall

  7. Security Spending Survey
     • Survey of 172 Fortune 1000 security executives
     • Top security projects for 2006
       • Web application security: 15% listed it as #1
     • Status of web application projects
       • 40% started
       • 35% near term
     • Change in spending from 2005 to 2006
       • 75% spend more
       • 20% spend the same
     * Source: InfoPro

  8. Wait a second …
     • Application deployments are “highly” time critical
     • Application deployments are often late
     • Application deployments are often over-budget
     • “Won’t this add time, cost and resources?”

  9. Basic Premise
     • Implementing security saves time, money and resources
     • What do the following have in common?
       • PDA
       • Mobile phone
       • Printer
       • Web server
     • Do you see a trend?
       • Today: web application
       • Tomorrow: web service
       • Next week: Web 2.0 AJAX
       • Next year: Web 10.0 NLGT

  10. Regulatory Matrix – Accessibility

  11. Regulatory Matrix – Anti-Money Laundering

  12. Regulatory Matrix – Privacy & Security

  13. Regulatory Matrix – Security

  14. Regulatory Matrix – Security International

  15. Regulatory Matrices – Summation
     • Understanding the regulations an organization falls under is a difficult (and moving) target
     • Some stakeholders will require compliance
     • All stakeholders will “expect” security
     • Let’s get started …
       • Implementation of a security program
       • Metrics & measurement
       • Mapping against regulations, standards & guidelines
         • Security category
         • Cause
         • Outcome

  16. Enterprise Risk Management: People, Process, Technology

  17. People
     • Developer training
       • Security features ≠ secure programming
       • Security principles
       • Application threat classification

  18. Security Principles
     • Use least privilege
     • Defense in depth
     • Don’t trust user input
     • Check at the gate
     • Fail securely
     • Secure the weakest link
     • Create secure defaults
     • Reduce your attack surface

  19. Application Threat Classification
     • Authentication
     • Authorization
     • Client-side attacks
     • Command execution
     • Information disclosure
     • Logical attacks

  20. Threat Modeling
     • Structured approach to identifying, quantifying and addressing threats
     • Allows security personnel to communicate potential risks and prioritize remediation efforts in a tangible form

  21. Threat Modeling Activities

  22. Enterprise Risk Mgmt Process
     • Structured approach to designing, building and delivering web applications
     • Allows an organization to measure and communicate trustworthy computing in a tangible form

  23. Definitions
     • Proc·ess: a series of actions directed toward a specific aim
     • Tan·gi·ble: capable of being given a physical existence

  24. Security as a Quality Vector
     • Maps well to the Software Development Lifecycle model

  25. Automated & Manual Testing
     • Automated testing
       • White box (static code analysis)
       • Black box (web app scanners)
       • Strengths: technical vulnerabilities; scale and cost
     • Manual testing
       • Strengths: logical vulnerabilities; human intelligence

  26. Phase: Requirements
     Entry criteria: business requirements/objectives; constraints & assumptions; project plans; high-level architecture
     Activities:
       • Engage security expert
       • Determine Predictive Threat Index
       • Determine if application is a candidate for SDL process
       • Identify key compliance objectives
       • Define secure integration with external systems
       • Define application security test process & deliverables
       • Adjust project plan to include security resources
       • Contract needed resources
       • Review test process/strategy
       • Review project plan & budget
     Deliverables:
       • Security expert/consultant assigned
       • Preliminary security requirements defined
       • Security test strategy
       • Security integrated into the development process
       • Predictive Threat Index (asset value, attack surface)
     Tools: security consultant; Design Review Checklist; Roles and Responsibilities Matrix; Predictive Threat Index calculator; Security Knowledge Portal
     Exit criteria: test strategy approved; project plan approved
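As an added example (not from the deck, and not Watchfire's Predictive Threat Index calculator), the following Python ties the threat classes of slide 19 to the Requirements-phase activities of slide 26: it scores each class from an application's asset value and attack surface, ranks them for remediation as slide 20 describes, and makes the "candidate for SDL process" decision. The 1..5 asset scale, the internet-facing weighting and the threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Threat classes from the deck's "Application Threat Classification" slide.
THREAT_CLASSES = (
    "authentication", "authorization", "client-side attacks",
    "command execution", "information disclosure", "logical attacks",
)

@dataclass(frozen=True)
class Application:
    name: str
    asset_value: int               # assumed 1..5 scale, 5 = business critical
    attack_surface: Dict[str, int]  # threat class -> exposed entry points (assumed)
    internet_facing: bool

def validate(app: Application) -> None:
    """Fail closed: inputs outside the model are rejected, not scored as zero."""
    if not 1 <= app.asset_value <= 5:
        raise ValueError(f"asset_value out of range: {app.asset_value}")
    for cls, count in app.attack_surface.items():
        if cls not in THREAT_CLASSES or count < 0:
            raise ValueError(f"bad attack surface entry: {cls}={count}")

def rank_threats(app: Application) -> List[Tuple[str, int]]:
    """Per-class score = asset value x entry points, doubled if internet-facing."""
    validate(app)
    exposure = 2 if app.internet_facing else 1
    scores = [(cls, app.asset_value * app.attack_surface.get(cls, 0) * exposure)
              for cls in THREAT_CLASSES]
    return sorted(scores, key=lambda s: (-s[1], s[0]))  # highest risk first

def threat_index(app: Application) -> int:
    """Predictive Threat Index for the application: the sum of per-class scores."""
    return sum(score for _, score in rank_threats(app))

def is_sdl_candidate(app: Application, threshold: int = 20) -> bool:
    """Slide 26 decision: does the application enter the SDL process? (threshold assumed)"""
    return threat_index(app) >= threshold

# Constructed sample applications, not from the deck.
PORTAL = Application("customer portal", 5,
                     {"authentication": 2, "authorization": 3, "command execution": 1}, True)
INTRANET = Application("lunch menu", 1, {"client-side attacks": 2}, False)

if __name__ == "__main__":
    for app in (PORTAL, INTRANET):
        print(f"{app.name}: index={threat_index(app)} sdl={is_sdl_candidate(app)}")
        for cls, score in rank_threats(app)[:3]:
            print(f"    {cls}: {score}")
```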

  27. Phase: Design
     Entry criteria: security requirements; functional requirements; use cases; project plan & budget
     Activities:
       • Identify components responsible for security functions
       • Identify secure design techniques
       • Document attack surface
       • Create threat model
       • Review/modify security requirements
       • Identify components for secure code review
       • Define security test requirements
       • Determine authorization requirements model
       • Update Security Master Test Plan
       • Update test schedule and budget
     Deliverables:
       • Minimized application attack surface
       • Application security test roles
       • Threat model
       • Security requirements in well-defined components
       • Application security test plans
       • Certified components identified
     Tools: Threat Model Checklist; threat model; platform-dependent coding checklist; certified components
     Exit criteria: baseline established for requirements, test schedule and test budget

  28. Phase: Implementation
     Entry criteria: threat model; master test plan; security test plans; use cases/roles
     Activities:
       • Code: certified components; security development/coding guidelines
       • Test / verify: security code review; static code analyzer
     Deliverables: working application
     Tools: static code analyzer; certified components; security development guidelines
     Exit criteria: code verified using code review; code verified using static code analysis tool

  29. Phase: Integrate / Release
     Entry criteria: build from source code repository; test documents; unit & integration test results (no severity 1 defects)
     Activities:
       • Integrate
       • Formal secure code review
       • Automated application assessment
       • Final security review:
         • Review of all bugs for possible security vulnerabilities
         • Review threat model for possible late-developing threats
         • Manual penetration testing
     Deliverables:
       • Problems, defects, enhancements logged
       • Detailed test results
       • Validated requirements
       • Updated test results in centralized location
       • Certification
     Tools: secure code review; automated security tool; manual penetration test; Final Review Checklist
     Exit criteria: no high severity security defects

  30. Summary
     • Security across the verticals requires:
       • Executive buy-in
       • A tangible SDLC process
       • Metrics & measurement
       • Security cooperation and guidance
       • Application developer buy-in

  31. Thanks. Questions?
     Danny Allan
     Office: 781.547.7833
     Dannya@watchfire.com
     www.watchfire.com/securityzone
