Upgrade to Pro — share decks privately, control downloads, hide ads and more …

CISQ Quality Standard Overview and Integrating Security into your Systems Development Lifecycle (SDLC)

CISQ Quality Standard Overview and Integrating Security into your Systems Development Lifecycle (SDLC)

Security cannot be bolted on at the end of a project; instead, it must be considered throughout the process. It’s better, faster, and cheaper to integrate security into your system development lifecycle. All the tools and approaches you need are readily available, most for free.

Key takeaways:

* Security is an emergent property of the overall quality of a system. CISQ, led by OMG, does a great job of explaining how security and quality are tightly integrated.

* Security must be fully integrated in to the SDLC. Microsoft’s SDL is a great approach to doing so but you can roll your own approach as well.

Shahid N. Shah

February 24, 2015
Tweet

More Decks by Shahid N. Shah

Other Decks in Technology

Transcript

  1. CISQ Quality Standard Overview
    and Integrating Security into SDLC
    By Shahid N. Shah

    View full-size slide

  2. NETSPECTIVE
    www.netspective.com 3
    Who is Shahid?
    • 25+ years of software engineering and
    multi-discipline complex IT
    implementations (Gov., defense, health,
    finance, insurance)
    • 12+ years of high-security, regulated IT
    and safety-critical medical devices
    experience (blog at
    http://healthcareguy.com)
    • 15+ years of technology management
    experience (government, non-profit,
    commercial)

    View full-size slide

  3. NETSPECTIVE
    www.netspective.com 4
    What’s this talk about?
    Theme
    Security cannot be bolted on
    at the end of the system
    development lifecycle (SDLC)
    Key Takeaways
    • Security is an emergent
    property of the overall quality
    of a system. The Consortium
    for IT Software Quality (CISQ),
    led by Object Management
    Group (OMG), does a great job
    of explaining how security and
    quality are tightly integrated.
    • Security must be fully
    integrated in to the SDLC.
    Microsoft’s SDL is a great
    approach to doing so.

    View full-size slide

  4. NETSPECTIVE
    www.netspective.com 5
    What is SDL?
    • Security Development Lifecycle (SDL) is a
    system development process introduced by
    Microsoft in 2004 for improving Security in
    their products
    • Can be used with any software development
    model

    View full-size slide

  5. NETSPECTIVE
    www.netspective.com 6
    What is CISQ, where does SDL fit?
    Consortium for IT Software
    Quality produces
    computable metrics
    standards for software
    quality and focuses on
    establishing standards for
    • Software Quality
    • Functional Sizing
    Software quality
    characteristics selection
    include:
    • Reliability
    • Performance Efficiency
    • Security
    • Maintainability
    More info: http://it-cisq.org/standards-page/

    View full-size slide

  6. NETSPECTIVE
    www.netspective.com 7
    CISQ Quality Characteristics
    SDL
    Software Product Quality Characteristics from ISO/IEC 25010.

    View full-size slide

  7. NETSPECTIVE
    www.netspective.com 13
    SDL and Regulatory Compliance
    Security & compliance
    contribute significantly to
    an enterprise's reputation.
    Risk management is the
    approach an organization
    uses to remove or reduce
    harm to its assets and
    personnel.
    • FISMA
    • FedRAMP (FISMA for
    Cloud)
    • HIPAA & Omnibus
    • PCI
    • FDA Regulations
    • etc…

    View full-size slide

  8. NETSPECTIVE
    www.netspective.com 14
    Injecting a security lifecycle into any SDLC
    Source: Microsoft

    View full-size slide

  9. www.netspective.com 15

    View full-size slide

  10. NETSPECTIVE
    www.netspective.com 16
    SDL into SDLC benefit: Security
    • Microsoft SQL Server: 91% Fewer
    Vulnerabilities in SQL Server
    2005
    • Removal of 50% of Security
    Vulnerabilities during
    development would reduce
    Configuration Management,
    Support costs by 75% each –
    Gartner Research
    • Fixing security post development
    costs roughly 3 times more than
    the cost of built-in security

    View full-size slide

  11. NETSPECTIVE
    www.netspective.com 17
    SDL into SDLC benefit: Compliance
    • Improves compliance with a holistic,
    multidisciplinary approach.
    • Enables organizations to take a
    proactive vs. reactive stance.
    • Eliminates redundancies and
    coordinates processes.

    View full-size slide

  12. NETSPECTIVE
    www.netspective.com 18
    SDL into SDLC benefit: Lower Costs
    • NIST: code fixes after release
    can result in 30 times the cost of
    fixes performed during design
    phase.
    • The Forrester Consulting State
    of Application Security study
    reported that organizations
    implementing an SDL process
    showed better ROI results than
    the overall surveyed population.
    • Aberdeen Group demonstrated
    adopting an SDL process
    generates a stronger return on
    investment (four-times higher).

    View full-size slide

  13. NETSPECTIVE
    www.netspective.com 19
    SDLC methodology is no excuse
    Security and compliance
    can be injected into any
    type of development
    methodology

    View full-size slide

  14. NETSPECTIVE
    www.netspective.com 21
    Creating your own “Secure SDLC”
    Requirements
    Security
    Requirements
    Privacy
    Requirements
    Design
    Threat
    Modelling
    Security
    Design
    Review
    Development
    Static Code
    Analysis
    Peer Code
    Review
    Testing
    Security Test
    Plan
    Security Test
    Cases
    Deployment
    Final Security
    Review
    Security
    Monitoring,
    POA&Ms

    View full-size slide

  15. NETSPECTIVE
    www.netspective.com 22
    Injecting Security into Requirements
    • Key phase
    • Establish Security requirements
    • Establish Security Quality requirements
    • Establish Security Code review process
    requirements
    • Establish Privacy and Compliance
    requirements

    View full-size slide

  16. NETSPECTIVE
    www.netspective.com 23
    Injecting Security into Design
    • Prepare Security Design requirements
    – Like Cryptographic, validate design with
    requirements
    • Identify attack surfaces and design system
    • Identify data flows
    • Perform Threat Modelling using Tools like MS
    Threat Modelling Tool
    – MS Tool

    View full-size slide

  17. www.netspective.com 24

    View full-size slide

  18. NETSPECTIVE
    www.netspective.com 25
    Injecting Security into Implementation
    • Use approved tools and compiler and linker settings
    • Deprecate un-safe functions
    • Remove dead code
    • Perform static code analysis
    • Integrate security scanners in to continuous
    integration (CI) tools such as Jenkins, Cruise Control
    • Provide reports of the tool runs, including unit tests,
    integration test results visibly to stake holders

    View full-size slide

  19. NETSPECTIVE
    www.netspective.com 26
    Injecting Security into Testing
    • Run Dynamic Security Scanners
    – App Scan, Skipfish, Veracode etc…
    – CSX Tool, MS Starter Kit
    • Perform Fuzz Testing
    – OWASP Fuzz Testing guide
    • Perform Attack Surface Vector review
    – MS Attack Surface Analyzer

    View full-size slide

  20. NETSPECTIVE
    www.netspective.com 27
    Injecting Security into Deployment
    • Create an Incident Response Plan
    • Perform Continuous Monitoring of the
    Security Controls
    • Conduct Final Security Review
    • Certify Release and Archive

    View full-size slide

  21. NETSPECTIVE
    www.netspective.com 28
    Who’s responsible for all this?
    • Follow the practices recommended in the NIST’s RMF Framework for better effective integration of security in to SDLC
    • Follow the guidelines in the NIST SP 800-53 for Security Controls to get an overview on security requirements
    Phase Primary Participants
    Requirements/Initiation • AO (Authorizing Official)/Business Owner
    • CIO, Requirements Manager, Configuration Management Manager
    • Product and Program Management Team
    • Operations Team, Information System Security Officer
    • Enterprise Architect
    Design • System Architect
    • Developers
    Development • Director of Development
    • Developers
    Testing • Test Director
    • Testers
    Deployment • Operations Head
    • DevOps

    View full-size slide

  22. NETSPECTIVE
    www.netspective.com 29
    Our experience
    • Difficult to start, easier to adopt if
    management buys off, training is done, right
    roles are incorporate, and project estimation
    includes all the required work.
    • If you don’t get more time, at least start with
    OWASP Top 10 security flaws and
    recommendations to address them.

    View full-size slide

  23. NETSPECTIVE
    www.netspective.com 30
    What do we do at Netspective?
    • Institute Security in to SDLC using NUP (Netspective
    Unified Process)
    • Identify Security Controls (NIST SP 800-53) and assess
    them as the changes occur in system assets with tools
    such as Netspective Opsfolio
    • Track compliance as the changes occur to assets
    using Netspective Opsfolio
    • Monitor the system reliability with tools such as
    Netspective Watchtower

    View full-size slide

  24. NETSPECTIVE
    www.netspective.com 31
    Tools
    • OWASP ESAPI
    (https://www.owasp.org/index.php/Category:OWASP_Java_Project)
    • Microsoft SDL Tool (http://www.microsoft.com/en-
    us/download/details.aspx?id=42518)
    • Server scanning tools (Nessus)
    • Application scanning tools ( IBM App Scan, OWASP ZAP Proxy,
    Veracode, Skipfish etc…)
    • Network scanning tools (IDS, Intrusion detection)
    • Pen testing tools
    • Netspective NUP
    • Netspective Opsfolio
    • Netspective Watchtower

    View full-size slide

  25. NETSPECTIVE
    www.netspective.com 32
    Summary
    Major lesson
    It’s better, faster, and cheaper
    to integrate security into your
    system development lifecycle.
    All the tools and approaches
    you need are readily available,
    most for free.
    Key Takeaways
    • Security is an emergent
    property of the overall quality
    of a system. CISQ, led by OMG,
    does a great job of explaining
    how security and quality are
    tightly integrated.
    • Security must be fully
    integrated in to the SDLC.
    Microsoft’s SDL is a great
    approach to doing so but you
    can roll your own approach as
    well.

    View full-size slide

  26. Thank You
    Visit
    http://www.netspective.com
    http://www.healthcareguy.com
    E-mail [email protected]
    Follow @ShahidNShah
    Call 202-713-5409

    View full-size slide