Using the Cloud and SaaS to Secure the SDLC
About Me
Andy Earle
• HP/Fortify
• Security Solutions Architect / Presales Engineer
• Sell, deliver solutions to commercial and US Fed
• Past
• PM for High Assurance computer system at BAE
• Mobile and App Security, multiple jobs
• Software Engineer, multiple jobs
Agenda
• Terms and Background
• Application Security (AppSec) Deployment Models
• SaaS / Cloud (On Demand)
• On-Premise
• AppSec Industry Evolution
• Relevant Trends
• Case for “Hybrid” Implementation
• Hybrid On-Premise / cloud delivery of S-SDLC
Terms and Background
• Terms
• SaaS: Software as a Service
• SDLC: Software Development Lifecycle
• SSA: Software Security Assurance
• Background
• Focus is static analysis…but many concepts are applicable to dynamic analysis
• SaaS and (public) cloud are treated as somewhat interchangeable for this session
• Caveats: there is a lot of variety in offerings amongst vendors; many of my statements are necessarily generalities
What is SaaS?
Software as a Service (SaaS) …or Security as a Service, in the AppSec world
• SaaS is a delivery model where software, data and services are hosted in the cloud and delivered on demand
• Application Security SaaS offerings include
• Static, dynamic, and manual analyses
• Expert review and prioritization of results
• Various delivery offerings (web interface, reports, artifacts that integrate with onsite infrastructure)
AppSec via SaaS (SaaS process, on demand)
1. Dev Org delivers code or bytes to the SaaS Web Portal
2. Analysis as a Service
3. Expert Review: AppSec SME reviews and triages
4. Results made available to Stakeholders
What is an SDLC?
Software Development Lifecycle (SDLC) …or Secure Development Lifecycle …or Secure Software Development Lifecycle (S-SDLC)
S-SDLC incorporates security across all phases of the development lifecycle. Security is built into applications from the start.
Result: Software Security Assurance (SSA)
Sample Secure SDLC (On Premise Deployment)
• Developers check in code (IDE Plug-in) → Code Repository
• Build Machine: check-out, build and scan (possibly Continuous Integration)
• Vulnerability Scan → submit findings to Bug Tracking
• Auditor / Security / PM / Tech Lead: auditor reviews results
• Developer fixes bug / security finding
• Repeat as necessary
Building Security into an SDLC
Build Security in: Activities & Tasks
• Developer & staff training
• Vulnerability analysis technologies
• Technology integrations and automation
• AppSec processes, procedures and metrics
• Governance, enforcement of the above
…Basically, process reengineering
…This is SSA
SSA Challenges
Challenges to implementing an SSA program
• Tools “wanted by security, need to be used by development”
• Developers are not security trained; security doesn’t understand source code
• Seamless integration of security requires a big upfront commitment
• Expertise is scarce (and expensive in time or $$$)
• And more…
The Strengths of SaaS and On-Premise
Pure SaaS Deployment
• Easy and cost effective to get started
• Little to no expertise required
• Findings make the case for future appsec investments
• Meet compliance and reporting obligations
Pure On-Premise Deployment
• Better model for “The Fix”
• Addresses the systemic problem
• Integration and automation maximize efficiency
A Solid Plan for SSA
Phase 1: Pure SaaS
• Assess critical apps
• Prioritize and secure funding for Phase 2
• Train and/or hire resources
• Fix critical vulnerabilities, low hanging fruit
Phase 2: Pure On-Premise
• Bring technology and expertise in-house
• Solve the systemic problem – reduce repeat vulnerabilities
• Integration and automation maximize efficiency
• Mature SSA program
• This could include putting SaaS onsite (private cloud)
Relevant AppSec Trends
People
• Developers are increasingly security trained and aware
• AppSec SMEs are more prevalent, many in the solution providers and security firms
Product
• Applications are increasingly complex
• Hardware and time required to analyze are steepening
• Increased expertise required to scan accurately
• SaaS is increasingly integrable with onsite systems
Process
• Compliance obligations mandating S-SDLC
S-SDLC Baseline Deployment (Basic, On Premise)
• Developers check in code → Code Repository
• Build Machine: check-out, build and scan (possibly Continuous Integration)
• Vulnerability Scan → submit findings to Bug Tracking
• Auditor / Security: auditor reviews results
• Developer fixes bug / security finding
• Repeat as necessary
S-SDLC Needs
• Analysis Needs (Vulnerability Scan):
• Power, processing, memory
• Multiple servers
• Expertise to scan accurately
• Development Needs (Developers):
• Security, vulnerability training
• IDE integration of results
• Low impact to current processes
• Auditor Needs (Auditor / Security):
• Deep appsec knowledge
• Expertise with scanning tool
• Knowledge of app deployment
Legend: each need is marked on the slide as either SaaS or On Premise
SaaS Integration Points (On Premise Infrastructure)
• Developers check in code → Code Repository
• Build Machine or Continuous Integration: check-out, build and scan
• Vulnerability Scan → submit findings to Bug Tracking
• Auditor / Security: auditor reviews results
• Developer fixes bug / security finding
• Repeat as necessary
SaaS Integration Points
On Premise Infrastructure: Developers, Code Repository, Build Machine or Continuous Integration, Bug Tracking, Auditor / Security / PM / Tech Lead
SaaS integration options:
• Point & click
• Automated
• Web-based
Bringing it all Together
Key Concepts in a Hybrid S-SDLC Deployment
• Expertise available via SaaS is typically superior to that found on-premise (they are the experts)
• Some tasks require on-site activity (like fixing bugs)
• Disruptions to existing processes can slow adoption; start small and build slowly
• Integration points can blur the on-premise / on-demand separation, facilitating adoption
Hybrid Delivered Secure SDLC (Hybrid Deployment)
• Developers check in code (IDE Plug-in) → Code Repository
• Continuous Integration: triggered check-out, then triggered send for analysis
• SaaS: Analyze/Scan, Expert Review
• Auditor / PM: download, prioritize results → submit findings to Bug Tracking
• Developer views bugs & findings; dev loads issues in IDE Plug-in
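As an added illustration that is not part of the presentation, here is the glue a CI job could run at the "download, prioritize results → submit findings to bug tracker" step of the hybrid flow: it takes a constructed SaaS results export after expert review, keeps confirmed findings above a severity cutoff, fingerprints them so a re-scan does not open duplicate tickets, and drafts bug-tracker entries. The export format, its field names and the `existing_fps` set are assumptions, not any vendor's API.

```python
import hashlib
import json

# Constructed sample of a SaaS analysis export after expert review
# (field names are assumptions, not any vendor's real format).
SAAS_RESULTS = json.loads("""
[
 {"id": "F-1", "category": "SQL Injection", "severity": "Critical",
  "file": "src/dao/UserDao.java", "line": 88, "sink": "executeQuery",
  "review": "confirmed"},
 {"id": "F-2", "category": "Path Manipulation", "severity": "High",
  "file": "src/web/Download.java", "line": 41, "sink": "FileInputStream",
  "review": "confirmed"},
 {"id": "F-3", "category": "Dead Code", "severity": "Low",
  "file": "src/util/Old.java", "line": 10, "sink": "",
  "review": "confirmed"},
 {"id": "F-4", "category": "SQL Injection", "severity": "Critical",
  "file": "src/dao/OrderDao.java", "line": 120, "sink": "executeQuery",
  "review": "not_an_issue"}
]
""")

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def fingerprint(finding):
    """Stable key for a finding across re-scans: the same flaw at the same
    file and sink gives the same key even if the SaaS id or line number moves."""
    key = f"{finding['category']}|{finding['file']}|{finding['sink']}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def triage(findings, existing_fps, min_severity="High"):
    """Return bug-tracker drafts for confirmed findings at or above
    min_severity whose fingerprint has no ticket yet, worst severity first."""
    cutoff = SEVERITY_RANK[min_severity]
    drafts = []
    for f in findings:
        if f["review"] != "confirmed":          # expert review rejected it
            continue
        if SEVERITY_RANK.get(f["severity"], 99) > cutoff:
            continue                             # below the cutoff
        fp = fingerprint(f)
        if fp in existing_fps:                   # already tracked on-premise
            continue
        drafts.append({"fingerprint": fp, "severity": f["severity"],
                       "source": f"saas:{f['id']}",
                       "title": f"[{f['severity']}] {f['category']} in "
                                f"{f['file']}:{f['line']}"})
    drafts.sort(key=lambda d: SEVERITY_RANK[d["severity"]])
    return drafts
```

Feeding `triage()` the set of fingerprints already stored on open tickets is what keeps the on-premise bug tracker from filling with duplicates each time the SaaS side re-analyzes the same build.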
Integration Points
Lots of opportunity for customization and for fitting the deployment model to the customer environment
Plan for SSA, Revisited
Phase 1: Pure SaaS
• Assess critical apps
• Prioritize and secure funding for Phase 2
Phase 2: On-Premise Pilot and SaaS
• Continue SaaS regime
• Deploy on-premise technology, design and test long term processes
• Train and/or hire resources
• Fix critical vulnerabilities, low hanging fruit
Phase 3: Hybrid On-Premise and SaaS Deployment
• Deploy more technology and expertise in-house
• Difficult apps (for example) are still analyzed and triaged via SaaS
• Integration and automation maximize efficiency across deployments
• Mature SSA program
Final Thoughts
• Take advantage of expertise where it resides, potentially buying time to bring it in-house
• The general maturity curve is still on-demand --> on-premise
• Automated or easy integrations are vital to a successful hybrid deployment
• Plan! Think long term.
• Sometimes a pure on-premise or on-demand deployment is still the best answer. The important thing is to fit the solution to the problem and need.
Resources
• http://www.owasp.org
• http://www.opensamm.org/ …and check out the next session on this track
• http://bsimm.com/
• http://buildsecurityin.us-cert.gov/bsi/
…Many, many others…