An overview of the Secure Software Development Life Cycle (SSDLC) process, along with some simple tools and techniques that can help with application hardening and data protection.
Every week there are new stories about data breaches, service disruptions caused by hackers, ransomware extortion, government spying, and sabotage by disgruntled employees.
And yet most start-up software and mobile applications are rushed to market using the "Code, Release, and Hope" approach, which unfortunately leaves them vulnerable to malicious attackers and to legal action resulting from inadequate protection of personal, financial, and health information.
This session will provide an overview of the Secure Software Development Life Cycle (SSDLC) process, along with some simple tools and techniques that can help improve application hardening and data protection.
Bio
From Fortune 100 to start-up companies, Robert Grupe is an international professional with practitioner, leader, and consultant experience in information security, market strategy, development, and support for global leaders in the information technology, health care, and high-tech industries.
Robert is a registered Certified Information Systems Security Professional (CISSP), Certified Secure Software Lifecycle Professional (CSSLP), and Project Management Professional (PMP).
2013 Cost of Data Breach Study: Global Analysis, Ponemon Institute
Source: Verizon 2013 Data Breach Investigations Report
Praetorian study of attacks, 2016-08-22
- http://www.theregister.co.uk/2016/08/22/hacker_playbook/
NIST 2002 study - http://www.abeacha.com/NIST_press_release_bugs_cost.htm
Source: IBM Global Business Services industry standards
Broken Auth and Session Management moved up, we believe, because more consulting organizations were included in this data set, and they can find this better than automated tools can. We don't believe the actual prevalence of this issue increased, just the measured prevalence.
CSRF dropped we believe because organizations are getting a handle on this new issue that was first added to the Top 10 in 2007. The awareness the Top 10 raised has helped reduce the prevalence of this issue (we believe).
Policy (objectives)
Principles to guide decisions and achieve acceptable outcomes.
Minimizing profit loss (government fines, customer trust, etc.)
SSDLC (Secure Software Development Life Cycle)
Protocol/procedure for implementing policy
Standards (ways of doing things)
Governments, industry organizations
Requirements (acceptance criteria: what and why)
Compliance with policy and standards
Training (how, what, why)
Checklists (reminders)
Auditor
Government (HIPAA)
Industry (PCI)
Customer (DoD)
Legal (lawsuit discovery)
Internal (Quality Improvement)
https://en.wikipedia.org/wiki/DevOps
https://en.wikipedia.org/wiki/DevOps_toolchain
Plan Tools: Atlassian (JIRA/Confluence), CA Technologies, iRise and Jama Software
Create Tools: Bitbucket, GitLab, GitHub, Electric Cloud, and CFEngine
Verify Tools:
- Test automation (ThoughtWorks, IBM, HP)
- Static analysis (Parasoft, Microsoft, SonarSource)
- Test Lab (Skytap, Microsoft, Delphix)
- Security (HP, IBM, Trustwave, FlawCheck)
Packaging Tools: JFrog's Artifactory, Sonatype Nexus repository, and Inedo's ProGet.
Release Tools: Automic, Inedo, VMware, and XebiaLabs
- application release automation
- deployment automation
- release management
Configure Tools: Ansible, Chef, Puppet, Otter, and Salt
- continuous configuration automation
- configuration management
- infrastructure as code tools
Monitoring Tools: BigPanda, Ganglia, New Relic, Wireshark
http://www.microsoft.com/en-us/sdl/default.aspx
ENISA (European Network and Information Security Agency), Risk Management: Implementation principles and Inventories for Risk Management/Risk Assessment methods and tools, June 2006, sec. 3.1.1