SlideShare une entreprise Scribd logo

Software Security Initiative And Capability Maturity Models

Marco Morana
Marco Morana
Technologie
1  sur  37
Télécharger pour lire hors ligne
How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP Italy Day 2, 2008 March 31th, 2008 Marco.Morana@OWASP.ORG OWASP Copyright © 2008 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License. The OWASP Foundation http://www.owasp.org
Agenda 1. Software Security Awareness 2. Tactical Responses 3. Software Security Strategy 4. Software Security Initiative 5. Questions & Answers OWASP 2
Software Security Awareness : Threats On-line fraud overtakes viruses as the greatest source of financial loss (Symantec) 93.8% of all phishing attacks in 2007 are targeting financial institutions (Anti- Phishing Group) Phishing attacks soar in 2007 (Gartner) 3.6 Million victims, $ 3.2 Billion Loss (2007) 2.3 Million victims, $ 0.5 Billion Loss (2006) OWASP 3
Software Security Awareness : Threats OWASP 4
Software Security Awareness: Software Security Vs. Application Security Security built Security applied into each phase of by catch and the SDLC patches Look at root Look at problem external causes symptoms Proactive, Reactive, Threat Analysis, Incident Response, Risk Management Compliance OWASP 5
Agenda Update 1. Security Awareness 2. Tactical Responses 3. Software Security Strategy 4. Software Security Initiative 5. Questions & Answers OWASP 6
Tactical Responses: Initial Security Assessment The symptoms: are the clues that lead to potential vulnerabilities and exploits The root causes: security design flaws, security bugs (coding errors), insecure- configuration The risk factors: how much damage can be done, how easy is to reproduce the exploits, how many users are exposed and how easy is to discover the vulnerabilities OWASP 7
Tactical Responses: Finding Vulnerabilities Manual Manual Penetration Code Testing Review Automated Automated Vulnerability Static Code Scanning Analysis OWASP 8
Tactical Responses: Risk Analysis Risk terminology: Threat (e.g. the cause) Vulnerability (e.g. the application weakness) Impact (e.g. the loss of data) Risk (e.g. The rating, likelihood x exposure) Risk models: STRIDE/DREAD Threat X Vulnerability X Impact (OWASP) ALE = SLE X ARO OWASP 9
Agenda Update 1. Security Awareness 2. Tactical Responses 3. Software Security Strategy 4. Software Security Initiative 5. Questions & Answers OWASP 10
Software Security Strategy: First Approaches Be Realistic Organization is not yet ready (e.g. mature) Engineers are not trained in software security There are no tools available Make up strategy Based upon your company strenghts With stakeholders buy in (CIOs, ISOs, PM, Developers, Architects) With achieveable goals: reduce 30% of vulnerabilities found through ethical hacking via source code analysys OWASP 11
Software Security Strategy: Initial Business Cases Not fixing security bugs early is expensive: $9,000 per defect after system tests (90X factor @ 100 dollars / hour x 1 hour= 9000 dollars) (NIST, Economic Impact of In- secure Testing) $100,000 per security bulletin (M. Howard and D. LeBlanc in Writing Secure Software book) OWASP 12
Software Security Strategy: Create a Roadmap 1. Assess software maturity of the organization software security development processes, people and tools 2. Document the software security process: security enhanced SDLCs and checkpoints 3. Implement a framework: software engineering and risk management processes 4. Create business cases and set objectives 5. Collect metrics and measurements 6. Gain stakeholders commitments OWASP 13
Agenda Update 1. Security Awareness 2. Tactical Responses 3. Software Security Strategy 4. Software Security Initiative 5. Questions & Answers OWASP 14
Software Security Initiative: People, Process, Technology People: Who manages software security risks Process: What where and how security can be build in the SDLC Tools: How processes can be automated Security = Commitment *(People+Tools +Process^2) OWASP 15
Software Security Initiative :Maturity Levels OWASP 16
Software Security Initiative: Maturity Levels Maturity Innocence (CMM 0-1) No formal security requirements Issues addressed with penetration testing and incidents Penetrate and patch and reactive approach Maturity Awareness (CMM 2-3) All applications have penetration tests done before going into production Secure coding standards are adopted as well as source code reviews OWASP 17
Software Security Initiative: Maturity Levels Maturity Enlightenment (CCM 4-5) Threat analysis in each phase of the SDLC Risk metrics and vulnerability measurements are used for security activity decision making (money for the bang) OWASP 18
Software Security Initiative: Maturity Adoption Curve (OWASP-CLASP) OWASP 19
Software Security Initiative: People What not to look for: Ethical hackers that cannot tell how to build applications securely Security engineers with no experience in software engineering, design, coding Information security professionals that only know how security auditing What to look for: Security professionals that understand both coding and security Software security consultants OWASP 20
Software Security Initiative: Frameworks OWASP 21
Software Security Initiative: SDLC Metrics OWASP 22
Software Security Initiative: Trailing Metrics OWASP 23
Software Security Initiative: Defending the case Fight common misconceptions that software security impacts: performance costs/budget development Make the case for each role Developers that are tired to rebuild software Project managers that worry about missing deadlines Information Security Officers worry about compliance CIOs worry about budget,ROSI OWASP 24
Software Security Initiative: Commitment Top Down Two months freeze on development Every developer on training SDL delivered across projects Bottom up Project Managers commit resources to training and demand secure code reviews Architects and engineering leads test and address security issues as early as are found in the source code and the application CISO address compliance with information security policies as well secure coding standards OWASP 25
Concluding Remarks Remember Rome was not build in a day! You need time to mature you processes, train your employees and implement the right process, tools and technologies OWASP 26
Agenda Update 1. Security Awareness 2. Tactical Responses 3. Software Security Strategy 4. Software Security Initiative 5. Questions & Answers……..? OWASP 27
Thanks for listening, further references Symantec threat report http://www.symantec.com/business/theme.jsp?th emeid=threatreport ) Gartner study on phising: http://www.gartner.com/it/page.jsp?id=565125) UC Berkeley Center for Law and Technology on identity theft http://repositories.cdlib.org/cgi/viewcontent.cgi?a rticle=1045&context=bclt OWASP 28
Appendix: Cost of Defects, NIST Study OWASP 29
Appendix: Location of Defects OWASP 30
Appendix: Location of Defects OWASP 31
Appendix: Insecure Shopping Cart http://www.coolcart.com/jewelrystore.html The price charged for the “Two Stone Feather Ring” is now 99 cents OWASP 32
Appendix: XFS Vulnerabilities OWASP 33
Appendix: Reactive Approach Go Fix Security Bugs! ? ? OWASP 34
Appendix: Tie Attacks To Vulnerabilities Phishing A1, A4, A7, A10 Privacy violations A2, A4, A6, A7, A10 Identity theft A3, A7, A8, A9, A10 System compromise, data alteration or data destruction A2, A3 Financial loss A4, A5, A7, A10 Reputation loss A1, A2, A3, A4, A5, A6 ,A7, A8, A9, A10 OWASP 35
Appendix: The Motto “If your software security practices are not yet mature be pragmatic and start making software security a responsibility for who builds software in your organization OWASP 36
Appendix: About Me Graduated from University of Padua, Italy in 1987 (Dr. Ing, Laurea Ingegneria Meccanica) Worked as Aerospace engineer in Italy between 1990-1994 Got a Master in Computer System Engineering from Northwestern Polytechnic University in 1996 Worked as Software Eng. in silicon valley between 1996-1998 While working at NASA as Sterling Software contractor, developed the first e-mail S/MIME and got a patent in 1997 Founded CerbTech LLC in 2003 and I worked at a security project for VISA Developed commercial security tools/products for ISS (Safesuite Decisions) and Sybase (Security Manager) (1998-2004) As Sr. Security Consultant with Foundstone/McAfee (2004-2006) and consulted for major banks and telco in USA Joined Citigroup in 2006 as Technology Information Security Officer (Sr. Director/VP) Founded the OWASP Cincinnati USA chapter in 2007 OWASP 37

Recommandé

Software Security Engineering
Software Security EngineeringSoftware Security Engineering
Software Security EngineeringMarco Morana
 
Cyber Defense - How to be prepared to APT
Cyber Defense - How to be prepared to APTCyber Defense - How to be prepared to APT
Cyber Defense - How to be prepared to APTSimone Onofri
 
Software Security Frameworks
Software Security FrameworksSoftware Security Frameworks
Software Security FrameworksMarco Morana
 
Practical Secure Coding Workshop - {DECIPHER} Hackathon
Practical Secure Coding Workshop - {DECIPHER} HackathonPractical Secure Coding Workshop - {DECIPHER} Hackathon
Practical Secure Coding Workshop - {DECIPHER} HackathonStefan Streichsbier
 
TUD CS4105 | 2015 | Lecture 1
TUD CS4105 | 2015 | Lecture 1TUD CS4105 | 2015 | Lecture 1
TUD CS4105 | 2015 | Lecture 1Eelco Visser
 
From Code to Customer: How to Make Software Products Secure
From Code to Customer: How to Make Software Products SecureFrom Code to Customer: How to Make Software Products Secure
From Code to Customer: How to Make Software Products SecureKaspersky
 
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...GoQA
 
Software Development Life Cycle – Managing Risk and Measuring Security
Software Development Life Cycle – Managing Risk and Measuring SecuritySoftware Development Life Cycle – Managing Risk and Measuring Security
Software Development Life Cycle – Managing Risk and Measuring SecurityThomas Malmberg
 

Recommandé

Software Security Engineering
Software Security EngineeringSoftware Security Engineering
Software Security EngineeringMarco Morana
 
Cyber Defense - How to be prepared to APT
Cyber Defense - How to be prepared to APTCyber Defense - How to be prepared to APT
Cyber Defense - How to be prepared to APTSimone Onofri
 
Software Security Frameworks
Software Security FrameworksSoftware Security Frameworks
Software Security FrameworksMarco Morana
 
Practical Secure Coding Workshop - {DECIPHER} Hackathon
Practical Secure Coding Workshop - {DECIPHER} HackathonPractical Secure Coding Workshop - {DECIPHER} Hackathon
Practical Secure Coding Workshop - {DECIPHER} HackathonStefan Streichsbier
 
TUD CS4105 | 2015 | Lecture 1
TUD CS4105 | 2015 | Lecture 1TUD CS4105 | 2015 | Lecture 1
TUD CS4105 | 2015 | Lecture 1Eelco Visser
 
From Code to Customer: How to Make Software Products Secure
From Code to Customer: How to Make Software Products SecureFrom Code to Customer: How to Make Software Products Secure
From Code to Customer: How to Make Software Products SecureKaspersky
 
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...GoQA
 
Software Development Life Cycle – Managing Risk and Measuring Security
Software Development Life Cycle – Managing Risk and Measuring SecuritySoftware Development Life Cycle – Managing Risk and Measuring Security
Software Development Life Cycle – Managing Risk and Measuring SecurityThomas Malmberg
 
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Achim D. Brucker
 
App Sec Eu08 Sec Frm Not In Code
App Sec Eu08 Sec Frm Not In CodeApp Sec Eu08 Sec Frm Not In Code
App Sec Eu08 Sec Frm Not In CodeSamuele Reghenzi
 
Why AppSec Matters
Why AppSec MattersWhy AppSec Matters
Why AppSec MattersInnoTech
 
Managing Application Security Risk in Enterprises - Thoughts and recommendations
Managing Application Security Risk in Enterprises - Thoughts and recommendationsManaging Application Security Risk in Enterprises - Thoughts and recommendations
Managing Application Security Risk in Enterprises - Thoughts and recommendationsThierry Zoller
 
A Framework for Developing and Operationalizing Security Use Cases
A Framework for Developing and Operationalizing Security Use CasesA Framework for Developing and Operationalizing Security Use Cases
A Framework for Developing and Operationalizing Security Use CasesRyan Faircloth
 
Security & DevOps - What We Have Here Is a Failure to Communicate!
Security & DevOps - What We Have Here Is a Failure to Communicate!Security & DevOps - What We Have Here Is a Failure to Communicate!
Security & DevOps - What We Have Here Is a Failure to Communicate!DevOps.com
 
Software security engineering
Software security engineeringSoftware security engineering
Software security engineeringAHM Pervej Kabir
 
Software Security Initiatives
Software Security InitiativesSoftware Security Initiatives
Software Security InitiativesMarco Morana
 
Streamlining AppSec Policy Definition.pptx
Streamlining AppSec Policy Definition.pptxStreamlining AppSec Policy Definition.pptx
Streamlining AppSec Policy Definition.pptxtmbainjr131
 
5 things about os sharon webinar final
5 things about os sharon webinar final5 things about os sharon webinar final
5 things about os sharon webinar finalDevOps.com
 
Secure Design: Threat Modeling
Secure Design: Threat ModelingSecure Design: Threat Modeling
Secure Design: Threat ModelingCigital
 
[CB16] Keynote: How much security is too much? by Karsten Nohl
[CB16] Keynote: How much security is too much? by Karsten Nohl[CB16] Keynote: How much security is too much? by Karsten Nohl
[CB16] Keynote: How much security is too much? by Karsten NohlCODE BLUE
 
Owasp top 10-2017
Owasp top 10-2017Owasp top 10-2017
Owasp top 10-2017malvvv
 
Chaos engineering for cloud native security
Chaos engineering for cloud native securityChaos engineering for cloud native security
Chaos engineering for cloud native securityKennedy
 
Security's DevOps Transformation
Security's DevOps TransformationSecurity's DevOps Transformation
Security's DevOps TransformationMichele Chubirka
 
White Paper: Leveraging The OWASP Top Ten to Simplify application security a...
White Paper: Leveraging The OWASP Top Ten to Simplify application security a...White Paper: Leveraging The OWASP Top Ten to Simplify application security a...
White Paper: Leveraging The OWASP Top Ten to Simplify application security a...Security Innovation
 
Vulnerability Assesment
Vulnerability AssesmentVulnerability Assesment
Vulnerability AssesmentDedi Dwianto
 
Collaborative security : Securing open source software
Collaborative security : Securing open source softwareCollaborative security : Securing open source software
Collaborative security : Securing open source softwarePriyanka Aash
 
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...Denim Group
 
Securing your web apps before they hurt the organization
Securing your web apps before they hurt the organizationSecuring your web apps before they hurt the organization
Securing your web apps before they hurt the organizationAntonio Fontes
 
Web Applications Security Assessment In The Portuguese World Wide Web Panorama
Web Applications Security Assessment In The Portuguese World Wide Web PanoramaWeb Applications Security Assessment In The Portuguese World Wide Web Panorama
Web Applications Security Assessment In The Portuguese World Wide Web Panoramanfteodoro
 
DSS ITSEC 2013 Conference 07.11.2013 - Security in High Risk Environment
DSS ITSEC 2013 Conference 07.11.2013 - Security in High Risk EnvironmentDSS ITSEC 2013 Conference 07.11.2013 - Security in High Risk Environment
DSS ITSEC 2013 Conference 07.11.2013 - Security in High Risk EnvironmentAndris Soroka
 

Contenu connexe

Tendances

Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Achim D. Brucker
 
App Sec Eu08 Sec Frm Not In Code
App Sec Eu08 Sec Frm Not In CodeApp Sec Eu08 Sec Frm Not In Code
App Sec Eu08 Sec Frm Not In CodeSamuele Reghenzi
 
Why AppSec Matters
Why AppSec MattersWhy AppSec Matters
Why AppSec MattersInnoTech
 
Managing Application Security Risk in Enterprises - Thoughts and recommendations
Managing Application Security Risk in Enterprises - Thoughts and recommendationsManaging Application Security Risk in Enterprises - Thoughts and recommendations
Managing Application Security Risk in Enterprises - Thoughts and recommendationsThierry Zoller
 
A Framework for Developing and Operationalizing Security Use Cases
A Framework for Developing and Operationalizing Security Use CasesA Framework for Developing and Operationalizing Security Use Cases
A Framework for Developing and Operationalizing Security Use CasesRyan Faircloth
 
Security & DevOps - What We Have Here Is a Failure to Communicate!
Security & DevOps - What We Have Here Is a Failure to Communicate!Security & DevOps - What We Have Here Is a Failure to Communicate!
Security & DevOps - What We Have Here Is a Failure to Communicate!DevOps.com
 
Software security engineering
Software security engineeringSoftware security engineering
Software security engineeringAHM Pervej Kabir
 
Software Security Initiatives
Software Security InitiativesSoftware Security Initiatives
Software Security InitiativesMarco Morana
 
Streamlining AppSec Policy Definition.pptx
Streamlining AppSec Policy Definition.pptxStreamlining AppSec Policy Definition.pptx
Streamlining AppSec Policy Definition.pptxtmbainjr131
 
5 things about os sharon webinar final
5 things about os sharon webinar final5 things about os sharon webinar final
5 things about os sharon webinar finalDevOps.com
 
Secure Design: Threat Modeling
Secure Design: Threat ModelingSecure Design: Threat Modeling
Secure Design: Threat ModelingCigital
 
[CB16] Keynote: How much security is too much? by Karsten Nohl
[CB16] Keynote: How much security is too much? by Karsten Nohl[CB16] Keynote: How much security is too much? by Karsten Nohl
[CB16] Keynote: How much security is too much? by Karsten NohlCODE BLUE
 
Owasp top 10-2017
Owasp top 10-2017Owasp top 10-2017
Owasp top 10-2017malvvv
 
Chaos engineering for cloud native security
Chaos engineering for cloud native securityChaos engineering for cloud native security
Chaos engineering for cloud native securityKennedy
 
Security's DevOps Transformation
Security's DevOps TransformationSecurity's DevOps Transformation
Security's DevOps TransformationMichele Chubirka
 
White Paper: Leveraging The OWASP Top Ten to Simplify application security a...
White Paper: Leveraging The OWASP Top Ten to Simplify application security a...White Paper: Leveraging The OWASP Top Ten to Simplify application security a...
White Paper: Leveraging The OWASP Top Ten to Simplify application security a...Security Innovation
 
Vulnerability Assesment
Vulnerability AssesmentVulnerability Assesment
Vulnerability AssesmentDedi Dwianto
 
Collaborative security : Securing open source software
Collaborative security : Securing open source softwareCollaborative security : Securing open source software
Collaborative security : Securing open source softwarePriyanka Aash
 

Tendances (18)

Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
 
App Sec Eu08 Sec Frm Not In Code
App Sec Eu08 Sec Frm Not In CodeApp Sec Eu08 Sec Frm Not In Code
App Sec Eu08 Sec Frm Not In Code
 
Why AppSec Matters
Why AppSec MattersWhy AppSec Matters
Why AppSec Matters
 
Managing Application Security Risk in Enterprises - Thoughts and recommendations
Managing Application Security Risk in Enterprises - Thoughts and recommendationsManaging Application Security Risk in Enterprises - Thoughts and recommendations
Managing Application Security Risk in Enterprises - Thoughts and recommendations
 
A Framework for Developing and Operationalizing Security Use Cases
A Framework for Developing and Operationalizing Security Use CasesA Framework for Developing and Operationalizing Security Use Cases
A Framework for Developing and Operationalizing Security Use Cases
 
Security & DevOps - What We Have Here Is a Failure to Communicate!
Security & DevOps - What We Have Here Is a Failure to Communicate!Security & DevOps - What We Have Here Is a Failure to Communicate!
Security & DevOps - What We Have Here Is a Failure to Communicate!
 
Software security engineering
Software security engineeringSoftware security engineering
Software security engineering
 
Software Security Initiatives
Software Security InitiativesSoftware Security Initiatives
Software Security Initiatives
 
Streamlining AppSec Policy Definition.pptx
Streamlining AppSec Policy Definition.pptxStreamlining AppSec Policy Definition.pptx
Streamlining AppSec Policy Definition.pptx
 
5 things about os sharon webinar final
5 things about os sharon webinar final5 things about os sharon webinar final
5 things about os sharon webinar final
 
Secure Design: Threat Modeling
Secure Design: Threat ModelingSecure Design: Threat Modeling
Secure Design: Threat Modeling
 
[CB16] Keynote: How much security is too much? by Karsten Nohl
[CB16] Keynote: How much security is too much? by Karsten Nohl[CB16] Keynote: How much security is too much? by Karsten Nohl
[CB16] Keynote: How much security is too much? by Karsten Nohl
 
Owasp top 10-2017
Owasp top 10-2017Owasp top 10-2017
Owasp top 10-2017
 
Chaos engineering for cloud native security
Chaos engineering for cloud native securityChaos engineering for cloud native security
Chaos engineering for cloud native security
 
Security's DevOps Transformation
Security's DevOps TransformationSecurity's DevOps Transformation
Security's DevOps Transformation
 
White Paper: Leveraging The OWASP Top Ten to Simplify application security a...
White Paper: Leveraging The OWASP Top Ten to Simplify application security a...White Paper: Leveraging The OWASP Top Ten to Simplify application security a...
White Paper: Leveraging The OWASP Top Ten to Simplify application security a...
 
Vulnerability Assesment
Vulnerability AssesmentVulnerability Assesment
Vulnerability Assesment
 
Collaborative security : Securing open source software
Collaborative security : Securing open source softwareCollaborative security : Securing open source software
Collaborative security : Securing open source software
 

En vedette

Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...Denim Group
 
Securing your web apps before they hurt the organization
Securing your web apps before they hurt the organizationSecuring your web apps before they hurt the organization
Securing your web apps before they hurt the organizationAntonio Fontes
 
Web Applications Security Assessment In The Portuguese World Wide Web Panorama
Web Applications Security Assessment In The Portuguese World Wide Web PanoramaWeb Applications Security Assessment In The Portuguese World Wide Web Panorama
Web Applications Security Assessment In The Portuguese World Wide Web Panoramanfteodoro
 
DSS ITSEC 2013 Conference 07.11.2013 - Security in High Risk Environment
DSS ITSEC 2013 Conference 07.11.2013 - Security in High Risk EnvironmentDSS ITSEC 2013 Conference 07.11.2013 - Security in High Risk Environment
DSS ITSEC 2013 Conference 07.11.2013 - Security in High Risk EnvironmentAndris Soroka
 
Owasp atlanta-ciso-guidevs1
Owasp atlanta-ciso-guidevs1Owasp atlanta-ciso-guidevs1
Owasp atlanta-ciso-guidevs1Marco Morana
 
BSIMM and Security Initiative Improvement @OWASPNoVA 02/06/2014
BSIMM and Security Initiative Improvement @OWASPNoVA 02/06/2014BSIMM and Security Initiative Improvement @OWASPNoVA 02/06/2014
BSIMM and Security Initiative Improvement @OWASPNoVA 02/06/2014m1splacedsoul
 
SDLC Transformation-Point of View
SDLC Transformation-Point of ViewSDLC Transformation-Point of View
SDLC Transformation-Point of ViewBob Sanders
 
Washington Mutual Bank's Collapse Under An Audit Perspective
Washington Mutual Bank's Collapse Under An Audit Perspective Washington Mutual Bank's Collapse Under An Audit Perspective
Washington Mutual Bank's Collapse Under An Audit Perspectivehong_nona
 
UoF - HITRUST & Risk Analysis v1
UoF - HITRUST & Risk Analysis v1UoF - HITRUST & Risk Analysis v1
UoF - HITRUST & Risk Analysis v1Bryan Cline, Ph.D.
 
KSA Business Intelligence Qualifications
KSA Business Intelligence QualificationsKSA Business Intelligence Qualifications
KSA Business Intelligence QualificationsJDOLIV
 
Test Process Maturity Measurement and Related Measurements
Test Process Maturity Measurement and Related MeasurementsTest Process Maturity Measurement and Related Measurements
Test Process Maturity Measurement and Related MeasurementsSTAG Software Private Limited
 
Ensure Software Security already during development
Ensure Software Security already during developmentEnsure Software Security already during development
Ensure Software Security already during developmentIT Weekend
 
DSS ITSEC 2013 Conference 07.11.2013 - IBM Security Strategy
DSS ITSEC 2013 Conference 07.11.2013 - IBM Security StrategyDSS ITSEC 2013 Conference 07.11.2013 - IBM Security Strategy
DSS ITSEC 2013 Conference 07.11.2013 - IBM Security StrategyAndris Soroka
 
CSC AWS re:Invent Enterprise DevOps session
CSC AWS re:Invent Enterprise DevOps sessionCSC AWS re:Invent Enterprise DevOps session
CSC AWS re:Invent Enterprise DevOps sessionTom Laszewski
 
Third Party Risk Due Diligence - Feb 2012
Third Party Risk Due Diligence - Feb 2012Third Party Risk Due Diligence - Feb 2012
Third Party Risk Due Diligence - Feb 2012aj22dms
 
Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...
Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...
Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...Marco Morana
 
DevOps and Cloud Tips and Techniques to Revolutionize Your SDLC
DevOps and Cloud Tips and Techniques to Revolutionize Your SDLCDevOps and Cloud Tips and Techniques to Revolutionize Your SDLC
DevOps and Cloud Tips and Techniques to Revolutionize Your SDLCCA Technologies
 
NG BB 49 Risk Assessment
NG BB 49 Risk AssessmentNG BB 49 Risk Assessment
NG BB 49 Risk AssessmentLeanleaders.org
 

En vedette (20)

Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
 
Securing your web apps before they hurt the organization
Securing your web apps before they hurt the organizationSecuring your web apps before they hurt the organization
Securing your web apps before they hurt the organization
 
Web Applications Security Assessment In The Portuguese World Wide Web Panorama
Web Applications Security Assessment In The Portuguese World Wide Web PanoramaWeb Applications Security Assessment In The Portuguese World Wide Web Panorama
Web Applications Security Assessment In The Portuguese World Wide Web Panorama
 
DSS ITSEC 2013 Conference 07.11.2013 - Security in High Risk Environment
DSS ITSEC 2013 Conference 07.11.2013 - Security in High Risk EnvironmentDSS ITSEC 2013 Conference 07.11.2013 - Security in High Risk Environment
DSS ITSEC 2013 Conference 07.11.2013 - Security in High Risk Environment
 
Owasp atlanta-ciso-guidevs1
Owasp atlanta-ciso-guidevs1Owasp atlanta-ciso-guidevs1
Owasp atlanta-ciso-guidevs1
 
BSIMM and Security Initiative Improvement @OWASPNoVA 02/06/2014
BSIMM and Security Initiative Improvement @OWASPNoVA 02/06/2014BSIMM and Security Initiative Improvement @OWASPNoVA 02/06/2014
BSIMM and Security Initiative Improvement @OWASPNoVA 02/06/2014
 
SDLC Transformation-Point of View
SDLC Transformation-Point of ViewSDLC Transformation-Point of View
SDLC Transformation-Point of View
 
Washington Mutual Bank's Collapse Under An Audit Perspective
Washington Mutual Bank's Collapse Under An Audit Perspective Washington Mutual Bank's Collapse Under An Audit Perspective
Washington Mutual Bank's Collapse Under An Audit Perspective
 
UoF - HITRUST & Risk Analysis v1
UoF - HITRUST & Risk Analysis v1UoF - HITRUST & Risk Analysis v1
UoF - HITRUST & Risk Analysis v1
 
Lan & Wan
Lan & WanLan & Wan
Lan & Wan
 
KSA Business Intelligence Qualifications
KSA Business Intelligence QualificationsKSA Business Intelligence Qualifications
KSA Business Intelligence Qualifications
 
Test Process Maturity Measurement and Related Measurements
Test Process Maturity Measurement and Related MeasurementsTest Process Maturity Measurement and Related Measurements
Test Process Maturity Measurement and Related Measurements
 
Ensure Software Security already during development
Ensure Software Security already during developmentEnsure Software Security already during development
Ensure Software Security already during development
 
DSS ITSEC 2013 Conference 07.11.2013 - IBM Security Strategy
DSS ITSEC 2013 Conference 07.11.2013 - IBM Security StrategyDSS ITSEC 2013 Conference 07.11.2013 - IBM Security Strategy
DSS ITSEC 2013 Conference 07.11.2013 - IBM Security Strategy
 
Application of Quality Risk Management in Commissioning & Qualifcation
Application of Quality Risk Management in Commissioning & QualifcationApplication of Quality Risk Management in Commissioning & Qualifcation
Application of Quality Risk Management in Commissioning & Qualifcation
 
CSC AWS re:Invent Enterprise DevOps session
CSC AWS re:Invent Enterprise DevOps sessionCSC AWS re:Invent Enterprise DevOps session
CSC AWS re:Invent Enterprise DevOps session
 
Third Party Risk Due Diligence - Feb 2012
Third Party Risk Due Diligence - Feb 2012Third Party Risk Due Diligence - Feb 2012
Third Party Risk Due Diligence - Feb 2012
 
Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...
Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...
Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...
 
DevOps and Cloud Tips and Techniques to Revolutionize Your SDLC
DevOps and Cloud Tips and Techniques to Revolutionize Your SDLCDevOps and Cloud Tips and Techniques to Revolutionize Your SDLC
DevOps and Cloud Tips and Techniques to Revolutionize Your SDLC
 
NG BB 49 Risk Assessment
NG BB 49 Risk AssessmentNG BB 49 Risk Assessment
NG BB 49 Risk Assessment
 

Similaire à Software Security Initiative And Capability Maturity Models

Vulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCVulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCDenim Group
 
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015Minded Security
 
OWASP - Building Secure Web Applications
OWASP - Building Secure Web ApplicationsOWASP - Building Secure Web Applications
OWASP - Building Secure Web Applicationsalexbe
 
Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Sigma Software
 
OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012DefCamp
 
Software security engineering
Software security engineeringSoftware security engineering
Software security engineeringAHM Pervej Kabir
 
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLooking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLudovic Petit
 
Matteo Meucci - Security Summit 12th March 2019
Matteo Meucci - Security Summit 12th March 2019Matteo Meucci - Security Summit 12th March 2019
Matteo Meucci - Security Summit 12th March 2019Minded Security
 
Secure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliverySecure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliveryTim Mackey
 
Secure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliverySecure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliveryBlack Duck by Synopsys
 
Secure Software Development Lifecycle
Secure Software Development LifecycleSecure Software Development Lifecycle
Secure Software Development Lifecycle1&1
 
六合彩香港-六合彩
六合彩香港-六合彩六合彩香港-六合彩
六合彩香港-六合彩baoyin
 
SFSCON23 - Carlo Falciola - Opensource to help increase organizations Cyberse...
SFSCON23 - Carlo Falciola - Opensource to help increase organizations Cyberse...SFSCON23 - Carlo Falciola - Opensource to help increase organizations Cyberse...
SFSCON23 - Carlo Falciola - Opensource to help increase organizations Cyberse...South Tyrol Free Software Conference
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare ☁
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare ☁
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare ☁
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Mykhailo Antonishyn
 
Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization Rogue Wave Software
 
Matteo meucci Software Security - Napoli 10112016
Matteo meucci Software Security - Napoli 10112016Matteo meucci Software Security - Napoli 10112016
Matteo meucci Software Security - Napoli 10112016Minded Security
 
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...EC-Council
 

Similaire à Software Security Initiative And Capability Maturity Models (20)

Vulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCVulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDC
 
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015
 
OWASP - Building Secure Web Applications
OWASP - Building Secure Web ApplicationsOWASP - Building Secure Web Applications
OWASP - Building Secure Web Applications
 
Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"
 
OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012
 
Software security engineering
Software security engineeringSoftware security engineering
Software security engineering
 
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLooking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
 
Matteo Meucci - Security Summit 12th March 2019
Matteo Meucci - Security Summit 12th March 2019Matteo Meucci - Security Summit 12th March 2019
Matteo Meucci - Security Summit 12th March 2019
 
Secure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliverySecure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous delivery
 
Secure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliverySecure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous delivery
 
Secure Software Development Lifecycle
Secure Software Development LifecycleSecure Software Development Lifecycle
Secure Software Development Lifecycle
 
六合彩香港-六合彩
六合彩香港-六合彩六合彩香港-六合彩
六合彩香港-六合彩
 
SFSCON23 - Carlo Falciola - Opensource to help increase organizations Cyberse...
SFSCON23 - Carlo Falciola - Opensource to help increase organizations Cyberse...SFSCON23 - Carlo Falciola - Opensource to help increase organizations Cyberse...
SFSCON23 - Carlo Falciola - Opensource to help increase organizations Cyberse...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.
 
Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization
 
Matteo meucci Software Security - Napoli 10112016
Matteo meucci Software Security - Napoli 10112016Matteo meucci Software Security - Napoli 10112016
Matteo meucci Software Security - Napoli 10112016
 
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...
 

Plus de Marco Morana

Is talent shortage ws marco morana
Is talent shortage ws marco moranaIs talent shortage ws marco morana
Is talent shortage ws marco moranaMarco Morana
 
Isaca conference threat_modeling_marco_morana_short.pdf
Isaca conference threat_modeling_marco_morana_short.pdfIsaca conference threat_modeling_marco_morana_short.pdf
Isaca conference threat_modeling_marco_morana_short.pdfMarco Morana
 
Owasp e crime-london-2012-final
Owasp e crime-london-2012-finalOwasp e crime-london-2012-final
Owasp e crime-london-2012-finalMarco Morana
 
Security And Privacy Cagliari 2012
Security And Privacy Cagliari 2012Security And Privacy Cagliari 2012
Security And Privacy Cagliari 2012Marco Morana
 
Presentation sso design_security
Presentation sso design_securityPresentation sso design_security
Presentation sso design_securityMarco Morana
 
Owasp security summit_2012_milanovs_final
Owasp security summit_2012_milanovs_finalOwasp security summit_2012_milanovs_final
Owasp security summit_2012_milanovs_finalMarco Morana
 
Security Summit Rome 2011
Security Summit Rome 2011Security Summit Rome 2011
Security Summit Rome 2011Marco Morana
 
Risk Analysis Of Banking Malware Attacks
Risk Analysis Of Banking Malware AttacksRisk Analysis Of Banking Malware Attacks
Risk Analysis Of Banking Malware AttacksMarco Morana
 
Security Exploit of Business Logic Flaws, Business Logic Attacks
Security Exploit of Business Logic Flaws, Business Logic AttacksSecurity Exploit of Business Logic Flaws, Business Logic Attacks
Security Exploit of Business Logic Flaws, Business Logic AttacksMarco Morana
 
Business cases for software security
Business cases for software securityBusiness cases for software security
Business cases for software securityMarco Morana
 
Security Compliance Web Application Risk Management
Security Compliance Web Application Risk ManagementSecurity Compliance Web Application Risk Management
Security Compliance Web Application Risk ManagementMarco Morana
 
Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security TestingMarco Morana
 
Owasp Forum Web Services Security
Owasp Forum Web Services SecurityOwasp Forum Web Services Security
Owasp Forum Web Services SecurityMarco Morana
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesMarco Morana
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesMarco Morana
 
Software Open Source, Proprierio, Interoperabilita'
Software Open Source, Proprierio, Interoperabilita'Software Open Source, Proprierio, Interoperabilita'
Software Open Source, Proprierio, Interoperabilita'Marco Morana
 
Progetti Open Source Per La Sicurezza Delle Web Applications
Progetti Open Source Per La Sicurezza Delle Web ApplicationsProgetti Open Source Per La Sicurezza Delle Web Applications
Progetti Open Source Per La Sicurezza Delle Web ApplicationsMarco Morana
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASPMarco Morana
 
Cross Site Request Forgery Vulnerabilities
Cross Site Request Forgery VulnerabilitiesCross Site Request Forgery Vulnerabilities
Cross Site Request Forgery VulnerabilitiesMarco Morana
 
Secure Code Reviews
Secure Code ReviewsSecure Code Reviews
Secure Code ReviewsMarco Morana
 

Plus de Marco Morana (20)

Is talent shortage ws marco morana
Is talent shortage ws marco moranaIs talent shortage ws marco morana
Is talent shortage ws marco morana
 
Isaca conference threat_modeling_marco_morana_short.pdf
Isaca conference threat_modeling_marco_morana_short.pdfIsaca conference threat_modeling_marco_morana_short.pdf
Isaca conference threat_modeling_marco_morana_short.pdf
 
Owasp e crime-london-2012-final
Owasp e crime-london-2012-finalOwasp e crime-london-2012-final
Owasp e crime-london-2012-final
 
Security And Privacy Cagliari 2012
Security And Privacy Cagliari 2012Security And Privacy Cagliari 2012
Security And Privacy Cagliari 2012
 
Presentation sso design_security
Presentation sso design_securityPresentation sso design_security
Presentation sso design_security
 
Owasp security summit_2012_milanovs_final
Owasp security summit_2012_milanovs_finalOwasp security summit_2012_milanovs_final
Owasp security summit_2012_milanovs_final
 
Security Summit Rome 2011
Security Summit Rome 2011Security Summit Rome 2011
Security Summit Rome 2011
 
Risk Analysis Of Banking Malware Attacks
Risk Analysis Of Banking Malware AttacksRisk Analysis Of Banking Malware Attacks
Risk Analysis Of Banking Malware Attacks
 
Security Exploit of Business Logic Flaws, Business Logic Attacks
Security Exploit of Business Logic Flaws, Business Logic AttacksSecurity Exploit of Business Logic Flaws, Business Logic Attacks
Security Exploit of Business Logic Flaws, Business Logic Attacks
 
Business cases for software security
Business cases for software securityBusiness cases for software security
Business cases for software security
 
Security Compliance Web Application Risk Management
Security Compliance Web Application Risk ManagementSecurity Compliance Web Application Risk Management
Security Compliance Web Application Risk Management
 
Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security Testing
 
Owasp Forum Web Services Security
Owasp Forum Web Services SecurityOwasp Forum Web Services Security
Owasp Forum Web Services Security
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root Causes
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root Causes
 
Software Open Source, Proprierio, Interoperabilita'
Software Open Source, Proprierio, Interoperabilita'Software Open Source, Proprierio, Interoperabilita'
Software Open Source, Proprierio, Interoperabilita'
 
Progetti Open Source Per La Sicurezza Delle Web Applications
Progetti Open Source Per La Sicurezza Delle Web ApplicationsProgetti Open Source Per La Sicurezza Delle Web Applications
Progetti Open Source Per La Sicurezza Delle Web Applications
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASP
 
Cross Site Request Forgery Vulnerabilities
Cross Site Request Forgery VulnerabilitiesCross Site Request Forgery Vulnerabilities
Cross Site Request Forgery Vulnerabilities
 
Secure Code Reviews
Secure Code ReviewsSecure Code Reviews
Secure Code Reviews
 

Dernier

Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 

Dernier (20)

Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 

Software Security Initiative And Capability Maturity Models

  • 1. How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP Italy Day 2, 2008 March 31th, 2008 Marco.Morana@OWASP.ORG OWASP Copyright © 2008 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License. The OWASP Foundation http://www.owasp.org
  • 2. Agenda 1. Software Security Awareness 2. Tactical Responses 3. Software Security Strategy 4. Software Security Initiative 5. Questions & Answers OWASP 2
  • 3. Software Security Awareness : Threats On-line fraud overtakes viruses as the greatest source of financial loss (Symantec) 93.8% of all phishing attacks in 2007 are targeting financial institutions (Anti- Phishing Group) Phishing attacks soar in 2007 (Gartner) 3.6 Million victims, $ 3.2 Billion Loss (2007) 2.3 Million victims, $ 0.5 Billion Loss (2006) OWASP 3
  • 4. Software Security Awareness : Threats OWASP 4
  • 5. Software Security Awareness: Software Security Vs. Application Security Security built Security applied into each phase of by catch and the SDLC patches Look at root Look at problem external causes symptoms Proactive, Reactive, Threat Analysis, Incident Response, Risk Management Compliance OWASP 5
  • 6. Agenda Update 1. Security Awareness 2. Tactical Responses 3. Software Security Strategy 4. Software Security Initiative 5. Questions & Answers OWASP 6
  • 7. Tactical Responses: Initial Security Assessment The symptoms: are the clues that lead to potential vulnerabilities and exploits The root causes: security design flaws, security bugs (coding errors), insecure- configuration The risk factors: how much damage can be done, how easy is to reproduce the exploits, how many users are exposed and how easy is to discover the vulnerabilities OWASP 7
  • 8. Tactical Responses: Finding Vulnerabilities Manual Manual Penetration Code Testing Review Automated Automated Vulnerability Static Code Scanning Analysis OWASP 8
  • 9. Tactical Responses: Risk Analysis Risk terminology: Threat (e.g. the cause) Vulnerability (e.g. the application weakness) Impact (e.g. the loss of data) Risk (e.g. The rating, likelihood x exposure) Risk models: STRIDE/DREAD Threat X Vulnerability X Impact (OWASP) ALE = SLE X ARO OWASP 9
  • 10. Agenda Update 1. Security Awareness 2. Tactical Responses 3. Software Security Strategy 4. Software Security Initiative 5. Questions & Answers OWASP 10
  • 11. Software Security Strategy: First Approaches Be Realistic Organization is not yet ready (e.g. mature) Engineers are not trained in software security There are no tools available Make up strategy Based upon your company strenghts With stakeholders buy in (CIOs, ISOs, PM, Developers, Architects) With achieveable goals: reduce 30% of vulnerabilities found through ethical hacking via source code analysys OWASP 11
  • 12. Software Security Strategy: Initial Business Cases Not fixing security bugs early is expensive: $9,000 per defect after system tests (90X factor @ 100 dollars / hour x 1 hour= 9000 dollars) (NIST, Economic Impact of In- secure Testing) $100,000 per security bulletin (M. Howard and D. LeBlanc in Writing Secure Software book) OWASP 12
  • 13. Software Security Strategy: Create a Roadmap 1. Assess software maturity of the organization software security development processes, people and tools 2. Document the software security process: security enhanced SDLCs and checkpoints 3. Implement a framework: software engineering and risk management processes 4. Create business cases and set objectives 5. Collect metrics and measurements 6. Gain stakeholders commitments OWASP 13
  • 14. Agenda Update 1. Security Awareness 2. Tactical Responses 3. Software Security Strategy 4. Software Security Initiative 5. Questions & Answers OWASP 14
  • 15. Software Security Initiative: People, Process, Technology People: Who manages software security risks Process: What where and how security can be build in the SDLC Tools: How processes can be automated Security = Commitment *(People+Tools +Process^2) OWASP 15
  • 16. Software Security Initiative :Maturity Levels OWASP 16
  • 17. Software Security Initiative: Maturity Levels Maturity Innocence (CMM 0-1) No formal security requirements Issues addressed with penetration testing and incidents Penetrate and patch and reactive approach Maturity Awareness (CMM 2-3) All applications have penetration tests done before going into production Secure coding standards are adopted as well as source code reviews OWASP 17
  • 18. Software Security Initiative: Maturity Levels Maturity Enlightenment (CCM 4-5) Threat analysis in each phase of the SDLC Risk metrics and vulnerability measurements are used for security activity decision making (money for the bang) OWASP 18
  • 19. Software Security Initiative: Maturity Adoption Curve (OWASP-CLASP) OWASP 19
  • 20. Software Security Initiative: People What not to look for: Ethical hackers that cannot tell how to build applications securely Security engineers with no experience in software engineering, design, coding Information security professionals that only know how security auditing What to look for: Security professionals that understand both coding and security Software security consultants OWASP 20
  • 21. Software Security Initiative: Frameworks OWASP 21
  • 22. Software Security Initiative: SDLC Metrics OWASP 22
  • 23. Software Security Initiative: Trailing Metrics OWASP 23
  • 24. Software Security Initiative: Defending the case Fight common misconceptions that software security impacts: performance costs/budget development Make the case for each role Developers that are tired to rebuild software Project managers that worry about missing deadlines Information Security Officers worry about compliance CIOs worry about budget,ROSI OWASP 24
  • 25. Software Security Initiative: Commitment Top Down Two months freeze on development Every developer on training SDL delivered across projects Bottom up Project Managers commit resources to training and demand secure code reviews Architects and engineering leads test and address security issues as early as are found in the source code and the application CISO address compliance with information security policies as well secure coding standards OWASP 25
  • 26. Concluding Remarks Remember Rome was not build in a day! You need time to mature you processes, train your employees and implement the right process, tools and technologies OWASP 26
  • 27. Agenda Update 1. Security Awareness 2. Tactical Responses 3. Software Security Strategy 4. Software Security Initiative 5. Questions & Answers……..? OWASP 27
  • 28. Thanks for listening, further references Symantec threat report http://www.symantec.com/business/theme.jsp?th emeid=threatreport ) Gartner study on phising: http://www.gartner.com/it/page.jsp?id=565125) UC Berkeley Center for Law and Technology on identity theft http://repositories.cdlib.org/cgi/viewcontent.cgi?a rticle=1045&context=bclt OWASP 28
  • 29. Appendix: Cost of Defects, NIST Study OWASP 29
  • 30. Appendix: Location of Defects OWASP 30
  • 31. Appendix: Location of Defects OWASP 31
  • 32. Appendix: Insecure Shopping Cart http://www.coolcart.com/jewelrystore.html The price charged for the “Two Stone Feather Ring” is now 99 cents OWASP 32
  • 34. Appendix: Reactive Approach Go Fix Security Bugs! ? ? OWASP 34
  • 35. Appendix: Tie Attacks To Vulnerabilities Phishing A1, A4, A7, A10 Privacy violations A2, A4, A6, A7, A10 Identity theft A3, A7, A8, A9, A10 System compromise, data alteration or data destruction A2, A3 Financial loss A4, A5, A7, A10 Reputation loss A1, A2, A3, A4, A5, A6 ,A7, A8, A9, A10 OWASP 35
  • 36. Appendix: The Motto “If your software security practices are not yet mature be pragmatic and start making software security a responsibility for who builds software in your organization OWASP 36
  • 37. Appendix: About Me Graduated from University of Padua, Italy in 1987 (Dr. Ing, Laurea Ingegneria Meccanica) Worked as Aerospace engineer in Italy between 1990-1994 Got a Master in Computer System Engineering from Northwestern Polytechnic University in 1996 Worked as Software Eng. in silicon valley between 1996-1998 While working at NASA as Sterling Software contractor, developed the first e-mail S/MIME and got a patent in 1997 Founded CerbTech LLC in 2003 and I worked at a security project for VISA Developed commercial security tools/products for ISS (Safesuite Decisions) and Sybase (Security Manager) (1998-2004) As Sr. Security Consultant with Foundstone/McAfee (2004-2006) and consulted for major banks and telco in USA Joined Citigroup in 2006 as Technology Information Security Officer (Sr. Director/VP) Founded the OWASP Cincinnati USA chapter in 2007 OWASP 37