1. Building Secure Application
• Application Security Governance
• Application Security Framework
• Application Security Process & Procedure
• Application Security in All Layers of Computing
Environment
• Integrated Secure Coding Environment

2. Evolving Threats
Source : Cisco

3. Application Secure development
Development
Tools
Source
control
Bug tracking Test Manager Code
verification

4. Desktop Transport Network Web Applications
Antivirus
Protection
Encryption
(SSL)
Firewalls /
IDS / IPS
Firewall
Web Servers
Databases
Backend
Server
Application
Servers
Info Security Landscape
Application Security -
Understanding the Problem
Secure Infrastructure
Weakest link

5. Building Security Into the
Development Process
*Graphics from OWASP.com
• Test existing deployed apps
• Eliminate security exposure in
live applications
Production
• Test apps before going to production
• Deploy secure web applications
Deploy
• Test apps for security issues in QA
organization along with performance and
functional testing
• Reduce costs of security testing
Test
• Test apps for security issues in
Development identifying issues
at their earliest point
• Realize optimum security
testing efficiencies (cost
reduction)
Development• Security requirements, architecture,
threat modeling, etc
Define/Design

6. Application Security Adoption
Within the SDLC
Difficulty &
Cost of
Test
% Applications Tested
High
Low
Low High
Security
Team
Security Team
Security Team
QA Team
QA Team
Development Team
Phase 1 Phase 2 Phase 3
Criticality
& Risk of
App.
Development
Team

7. Educating Developers and Getting
“Buy in”
• Establish security accountability and stds for shipping
• Create a “security architect” role
• Create a security community of practice
• Create a secure development portal or wiki
• Conduct hacking demos to demonstrate risks
• Online & offline courses for secure coding
• Put developers through secure coding exams
• Security reviews of real applications
• Pay premiums for security architects

8. Security Framework
Security Governance, Risk Management
and Compliance
WorleyParsons Security Framework
External Representation
Network, Server, and End-point
Physical Infrastructure
People and Identity
Data and Information
Application and Process
Managed
Security
Services
Security
Hardware and
Software
Professional
Services
Physical Security Solutions
Security Governance, Risk & Compliance Solutions
Threat and Vulnerability Mgmt & Monitoring Solutions
Application Security Lifecycle Mgmt Solutions
Identity and Access Management Solutions
Information Security Solutions

9. Application Security
Process Framework
Verify In Production Applications
Design, Develop, Test, and Verify Secure Apps
Educate IT Professionals
Maintain and Publish Policies and Guidelines
Respond to Security Exposure Incidents
ApplyLessonsLearned

10. Application Management – Secure
Infrastructure
NETWORK HOST APPLICATION ACCOUNT TRUST
 Architecture
 Transport
 Network device
 Access control
list (ACL)
permission
settings
 Operating
system
 Services
 Internet
Information
Services (IIS)
 Simple Mail
Transfer
Protocol
(SMTP)
 File Transfer
Protocol (FTP)
 NetBIOS/Remo
te procedure
call (RPC)
 Terminal
Services
 Microsoft
SQL Server
 Input validation
 Clear text
protocol
 Authentication
 Authorization
 Cryptography
 Auditing and
logging
 Unused
accounts
 Weak or blank
passwords
 Shared
accounts
 Access
privileges
 Rogue trusts

11. Application Layer Requirements
• Input validation
• Session management
• Authentication and authorization
• Design and code review
• Application and server error handling
• Application auditing and logging
• Application backup and restore
• Private data encryption

12. Common Application Development
Issues
• User input validation
• Cookies, authentication, and access
• Passwords
• Access control lists
• COM+ application configuration
• Auditing and logging