1 / 20

Ten Practical Steps to Reducing Software-based Threats

Ten Practical Steps to Reducing Software-based Threats. Dr Serdar Cabuk , CISSP Security Specialist, VISA Europe. Outline. Motivation and scope Methodology Plan (2) Do (5) Check (2) Act (1) The way forward. Motivation. Fact You have an SDLC in place Reality

tamyra
Télécharger la présentation

Ten Practical Steps to Reducing Software-based Threats

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Ten Practical Steps to Reducing Software-based Threats Dr Serdar Cabuk, CISSP Security Specialist, VISA Europe (ISC)2 SecureLondon 2009, London, United Kingdom This information is not intended, and should not be construed, as an offer to sell, or as a solicitation of an offer to purchase, any securities

  2. Outline Motivation and scope Methodology Plan (2) Do (5) Check (2) Act (1) The way forward

  3. Motivation Fact You have an SDLC in place Reality You don’t have a secure SDLC Strategic v Tactical Drivers Budget Time to market Top down v Bottom up

  4. Scope What it isn’t Strategic Certified / Methodical Framework based Long term What it is Tactical Customised / Hands on Process based Short term

  5. Methodology PMM SALC SDLC SDLC+

  6. PLAN : Preparation Goal : Ensure readiness and support prior to process improvement Prerequisites Security policy Management buy in

  7. PLAN : Preparation Segregate software assurance and development functions Assurance Development

  8. PLAN : Preparation Engage with all functions including Information security Compliance specialists and security architects Architecture Solutions or technical architects Development Analysts and lead developers Engineering Infrastructure and network specialists Service owner and key stakeholders Project and programme management

  9. DO : Transition Goal : Improve software development by introducing targeted additions to the lifecycle Prerequisites Buy in from all teams involved

  10. DO : Transition Perform initial threat assessment to drive the high level design Input Requirements OutputImproved high level design

  11. DO : Transition Perform application threat modelling to identify software-based threats Input Requirements and initial design Output Application threat model

  12. DO : Transition Perform secure design reviews to ensure secure software architecture Input High level design and application threat model Output Application level design

  13. DO : Transition Perform source code analysis (SCA) to identify and address code level vulnerabilities Input Application software and SCA tool Output Improved application software

  14. DO : Transition Employ secure coding principles to reduce software based threats and improve code quality Input Coding standards Output Improved application software

  15. CHECK : Embedding Goal : Ensure process implementation and establish security standard Prerequisites Documented process and templates

  16. CHECK : Embedding Ensure process embedding through SDLC workshops and documentation Establish security standards and raise awareness through security events and training

  17. ACT : Alignment Goal : Continuous capability maturity improvement using an industry standard framework Introduce an industry standard ISMS framework and align it with the secure SDLC

  18. Summary Segregate software assurance and development functions Engage with all functions including information security, architecture, development, engineering and project management Perform initial threat assessment to drive the high level design Perform application threat modelling to identify software-based threats Perform secure design reviews to ensure secure software architecture

  19. Summary Perform source code analysis (SCA) to identify and address code level vulnerabilities Employ secure coding principles to reduce software based threats and improve code quality Ensure process embedding through SDLC workshops and documentation Establish security standards and raise awareness through security events and training Introduce an industry standard process framework and align it with the secure SDLC

  20. Thank you (ISC)2 SecureLondon 2009, London, United Kingdom This information is not intended, and should not be construed, as an offer to sell, or as a solicitation of an offer to purchase, any securities

More Related