OWASP Top 10 and ISO/IEC 27034 Application Security, by Luc Poulin and Jonathan Marcil

MAIN PRESENTERS: Luc Poulin and Jonathan Marcil

ABSTRACT: This new standard offers organizations of all sizes a model that makes it easier to integrate security throughout the application life cycle. ISO/IEC 27034 is intended for managers, development and operations teams, application customers and suppliers, and auditors who have to design, plan, implement, manage and verify application security. Conformity to the standard lowers risk by reducing application vulnerabilities. Following the previous presentation on the subject, this one introduces the official OWASP project that will produce Application Security Controls (ASCs) based on the OWASP Top 10, expressed in the format defined by the standard.

BIO: Mr. Poulin has more than thirty years of experience in IT, during which he has built solid expertise in systems technology and software engineering. He specializes in managing, implementing and evaluating the overall security of computer systems, within application development and operations environments. He is co-editor of the ISO/IEC 27034 standard on application security. Jonathan Marcil is a web application security consultant and leader of the OWASP Montréal chapter. He has more than ten years of experience in information technology and web development with a focus on security. He designs challenges for NorthSec, a technical computer security competition, and advises on the security track of the ConFoo web technologies conference in Montréal.

WHEN: December 2, 2013

WHERE: École de technologie supérieure, 1100 rue Notre-Dame ouest, Montréal, Room A-1150

WEBCAST: http://youtu.be/ZxrpIvUJ40g

OWASP Montréal

December 02, 2013

Transcript

  1. OWASP Project Start-Up Meeting: OWASP ISO/IEC 27034 Application Security Controls. Presented by Luc Poulin and Jonathan Marcil
  2. Agenda
     1. Welcome
     2. ISO/IEC 27034 ASCs review
     3. OWASP Top 10 Risks & related documents
     4. Top 10 conversion to ASC, an example
     5. Your opinion and interest
     6. Next meeting
  3. Meeting objectives
     • Define the strategy
       – SCRUM project management
       – Step-by-step approach
     • Start the project
       – Design, validate, develop and verify an ASC from one of the Top 10 risks
       – Targeted languages: English, Français, Español…
       – Build the project team (we will need your emails)
     (Slide tagline: Goals of application security – protect the information handled by applications)
  4. Agenda (repeated as a section divider)
  5. ISO/IEC 27034 Review – What 27034 does not do
     • ISO/IEC 27034 does not propose any:
       – Application Security Control
       – coding best practices
       – testing best practices
     • That is why OWASP and 27034 are a good match
  6. ISO/IEC 27034 Review – Needs from project and operation teams
     • Architects, analysts, programmers, testers, IT team, DBAs, admins, etc., who need to:
       – know what Application Security Controls should be applied, and when;
       – integrate Application Security Controls in their activities;
       – meet the requirements of the measurements associated with the Application Security Controls;
       – get access to tools and best practices;
       – facilitate peer review.
  7. ISO/IEC 27034 Review – Needs from auditors
     • Auditors, who need to:
       – know the scope and process of the verification measurements for the corresponding Application Security Controls;
       – make audit results repeatable;
       – identify a list of verification measurements that can generate supporting evidence to demonstrate that the application has reached the required level of trust authorized by management;
       – standardize application security verification.
  8. ISO/IEC 27034 Review – Key principles
     • Security is a requirement
     • Application security is context-dependent
     • Appropriate investment for application security
     • Application security must be demonstrated
  9. ISO/IEC 27034 Review – Requirements process
     • Requirements are used to define and choose a functionality/control implementation that will produce an expected result
     (Figure, not reproduced: a chain from Security Risk to Need, Security Requirement, Functionality and Expected Result, shown for the application, with the ASC alongside)
  10. ISO/IEC 27034 Review – The 4 intervention domains
     (Figure, not reproduced: Critical Information, and the four domains: Security Management (Governance); Applications / Information System (Development and Evolution); Technology (Acquisition, Maintenance and Contingency); Verification and Control (Conformity))
  11. ISO/IEC 27034 Review – Application Security Control (figure of an ASC, not reproduced)

  12. ISO/IEC 27034 Review – Application Security Control
     • ASCs may have a graph relationship
     (Figure, not reproduced: several ASC nodes linked to an "Online Payment" ASC)
  13. ISO/IEC 27034 Review – Application Security Life Cycle Reference Model
     (Figure, not reproduced; visible labels: Layers, Disposal)
  14. ISO/IEC 27034 Review – Build the OWASP ASC Library
     (Figure, not reproduced: the Organisation ASC Library mapped against the application levels of trust used by the organisation, numbered 0, 1, 2, 3 … 9, 10, with the sources of specifications and constraints feeding the specifications and constraints)
     • The chosen one: OWASP Top 10
  15. ISO/IEC 27034 Review – Implement ASCs on the application's elements
     (Figure, not reproduced; visible labels: Organization, Application, Technology)
  16. ISO/IEC 27034 Review – ASC management process
     • ASC creation and maintenance process
     • ONF and ASCs validation process
     (Figure, not reproduced: within the Organisation Normative Framework, domain experts create and update an ASC, and the verification team validates, verifies and controls it)
  17. Agenda (repeated as a section divider)
  18. OWASP Top 10 – Introduction
     • The most visible OWASP flagship project
     • A broad consensus about what the most critical web application security risks are
     • Educates developers, designers, architects, managers, and organizations
  19. OWASP Top 10 – Top 10 Application Security Risks 2013 (the list of risks is not reproduced in the transcript)

  20. OWASP Top 10 – Layout for each risk
     (Figure, not reproduced: the page for a risk A# shows the risk title, the risk rating and details, example attack scenarios, prevention methods and references; the slide annotates it with "Security control ?!" and "Vulnerability assessments")
  21. OWASP Top 10 – Risk layout and details
     (Figure, not reproduced; visible labels: Risk path, Risk rating)
  22. OWASP Top 10 – References
     • There is a lot more to OWASP than the Top 10
     • 145 active projects as of 2013-11-15
     • The Top 10 refers to them
     • Types:
       – Code
       – Tool
       – Documentation
  23. Agenda (repeated as a section divider)
  24. Conversion example to ASC – Conversion process
     • Select one of the OWASP Top 10 risks
     • Do an OWASP literature review on the subject
     • Define Security Requirements (SRs): who wants what, on which information, when, where
     • Define ASCs that address the SRs:
       – security activity
       – verification & measurement activity
  25. Conversion example to ASC – MindMap (figure, not reproduced)

  26. Agenda (repeated as a section divider)
  27. Conversion example to ASC – Your opinion and interest
     • Discussion…
       – What do you think about this project?
       – Who wants to come on board?
       – Which risk would be the most interesting to begin with?
       – Please leave us your email address
       – Next meeting
       – …
  28. Agenda (repeated as a section divider)
  29. Application security is more than security in application development
     • Thank you for your attention. Any questions?
     Jonathan Marcil, B.Ing., OWASP ISO/IEC 27034 ASCs Project Co-Leader, Jonathan.Marcil@owasp.org
     Luc Poulin, M.Sc., CISSP-ISSMP, CSSLP, CISA, CISM, OWASP ISO/IEC 27034 ASCs Project Co-Leader, principal editor of the ISO/IEC 27034 standard, Luc.Poulin@Cogentas.ca
     • Next meeting: ??? 2014