Security Tsunami SDL Fundamentals and Where to Start

  • Slides: 12
Download presentation
Security Tsunami! SDL Fundamentals and Where to Start Safecode. org Tania Skinner 1

Security Tsunami! SDL Fundamentals and Where to Start Safecode. org Tania Skinner 1

About SAFECode The Software Assurance Forum for Excellence in Code (SAFECode) is a global,

About SAFECode The Software Assurance Forum for Excellence in Code (SAFECode) is a global, industry‐led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. STEVE LIPNER Executive Director 2

SAFECode Principles SAFECode members have a shared commitment to the organization’s Principles: • Work

SAFECode Principles SAFECode members have a shared commitment to the organization’s Principles: • Work together to advance software security practice • Share our experience and insights with developer community and with policymakers 3

Goals of Secure Development Initiative Transform Culture Seamlessly Integrate Grow & Evolve 4

Goals of Secure Development Initiative Transform Culture Seamlessly Integrate Grow & Evolve 4

Security Development Lifecycle Themes Know what you need to protect and protect it Use

Security Development Lifecycle Themes Know what you need to protect and protect it Use secure code & components Validate protections Manage issues Continuously Improve 5

Know what you need to protect, and protect it What assets do you have

Know what you need to protect, and protect it What assets do you have to protect? Who/what should have access? Threat Modeling Who/what should NOT? How should you protect it? Go to SAFECode. org for fabulous free Threat Modeling training and a paper 6

Use secure code and components Use Secure Code Policy SW BOM Coding Standards SAFE

Use secure code and components Use Secure Code Policy SW BOM Coding Standards SAFE Functions Selection criteria Update requirements Current tools & defenses enabled Automation Dependencies 3 rd Party/Open Source Components Go to SAFECode. org for fabulous paper on Managing Security Risks Inherent in the Use of Third-party Components 7

Validate that protections are successful Security Validation Threat Model Toolbox Static Code Analysis Dynamic

Validate that protections are successful Security Validation Threat Model Toolbox Static Code Analysis Dynamic Analysis Pen Testing Fuzzing Security/Privacy Validation Planning Secure Code Review 8

Manage issues Security defects in Policy development Security defects in shipped/shipping product Severity Impact

Manage issues Security defects in Policy development Security defects in shipped/shipping product Severity Impact Risk Assessment Likelihood Impact PSIRT Comms/ Marketing Risk Acceptance Legal Ability to patch Criteria Authority Remediation https: //www. first. org/education/FIRST_PSIRT_Service_Framework_v 1. 0 9

Continuously improve Requirements Finding What do we need to do differently? Release Architecture/Design Finding

Continuously improve Requirements Finding What do we need to do differently? Release Architecture/Design Finding Validation Development 10

How to plan/roll out secure development Knowledge you need Development process Set of practices

How to plan/roll out secure development Knowledge you need Development process Set of practices Skills Needed & toolchain Organization culture Set of teams Training Scope deployment Skills Mentoring Expertise available Set of projects Champions Past Escapes Go to SAFECode. org for fabulous free training 11

Summary Transform Culture Questions? Seamlessly Integrate Grow & Evolve Join the conversation! SAFECode. org

Summary Transform Culture Questions? Seamlessly Integrate Grow & Evolve Join the conversation! SAFECode. org 12