Delivering Secure Projects
Internal Presentation, July 2013
Phil Huggins

Slide 2

• I have led large delivery programmes:
  • Multiple projects
  • Challenging stakeholders
  • Large, complex systems
  • Multi-year delivery
  • 100+ people customer delivery teams
  • 200+ people supplier delivery teams
  • Need to know
  • High threat
Slide 3

• By the end of this session you should:
  • Be able to identify delivery projects where security is a critical attribute
  • Understand the potential issues in secure project delivery
  • Suggest possible ways of preventing or handling issues

Company Confidential
Slide 4 (diagram): delivery activities

• Governance
• Risk Management
• Compliance
• Requirements Management
• Security Architecture
• Threat Analysis
• Risk Assessment
• Supplier Selection
• Procurement
• Stakeholder Management
• Design Trade-Offs
• Build
• Supply Chain Management
• Testing
• Transition to Operation
• Legacy Estate Management
• Release Management
Slide 5: Requirements Management, Stakeholder Management, Legacy Estate Management

• These are the activities that mean there are no surprises during the project. Everyone knows what is happening and when it is happening.
• ‘Bringing stakeholders on the journey’
• Identify security red flag holders.
• Legacy estates always include problems to solve to meet current requirements.
• Understand and document the As-Is environments.
• Establish a fixed requirements review cycle and agree an SLA with stakeholders for response.
• Use the reference architecture to assure requirements coverage.
• Establish a Security Working Group early.
  • Include suppliers, security decision makers, operational management and specialists.
Slide 6: Governance, Risk Management, Compliance

• Clear sponsorship for security from the project sponsor or his boss.
• Who ‘owns’ the security?
• Do they control project budgets?
• Established escalation paths.
• What ‘red lines’ can’t be crossed?
• Establish the format for security cases to request risk acceptance.
• This is the ‘air cover’ needed for unpopular security decisions.
Slide 7: Security Architecture, Threat Analysis, Risk Assessment

• This is the core security content of what you are doing.
• This is how you measure and plan the security delivery.
• This is the basic justification for the security requirements; if this is wrong you will lose credibility in every other activity.
• Establish a security documentation framework at project initiation and fill it in as you go.
• Build a reference architecture.
• Run a ‘dry-run’ risk assessment against it.
Slide 8

• The security principles or maxims
  and
• The security model of the system
  and
• The security requirements
  and
• The security-relevant design decisions
  and
• The security controls as actually implemented
Slide 9: Supplier Selection, Procurement, Supply Chain Management

• This is your opportunity to identify a partner you can work with.
• If you don’t give suppliers explicit security requirements and expectations in procurement you will be fighting them all through the project.
• Make sure they ‘get’ security.
• Understand who their subcontractors are, where they are buying their hardware, how they expect to ramp up their team and when they expect to start delivering physical kit.
• Share explicit security requirements and the reference architecture with suppliers.
• Write your testing strategy into the procurement!
• Establish a deliverable assurance process with your chosen supplier immediately following contract award.
Slide 10 (diagram): Supplier Maturity against Customer Maturity

                                        Supplier Maturity
                                 Needs fulfilled     Needs not fulfilled
Customer    Needs specified      Delivery            Under-delivery
Maturity    Needs not specified  Over-delivery       No-delivery
Slide 11: Design Trade-Offs, Release Management

• Work hand-in-glove with the suppliers.
• Every time they go away and design in isolation you risk rework and delay.
• Document design decisions clearly.
• Follow your formal deliverable assurance approach. These will start coming thick and fast; they won’t wait for you for long.
• Identify the impact of design decisions and trade-offs on the requirements.

Local Hero Phenomenon
• Lack of requirements
• Lack of standards
• Reliance on expertise
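A traceability check tying together the chain on slide 8 (requirements to design decisions to controls as implemented), the requirements-coverage point on slide 5, the delivery matrix on slide 10 and the trade-off impact question on slide 11, as an added example that is not part of the original presentation. All identifiers (SR-1, DD-1, C-1 and so on), the sample requirements and the test results are constructed.

```python
# Added example (not from the slides): a small requirements traceability
# model. Requirements -> design decisions -> controls as implemented, with
# acceptance-test evidence per control. The report maps each requirement
# and control onto the slide 10 delivery matrix, and a second function
# answers the slide 11 question: which requirements lose all coverage if
# a design decision is traded away. All data below is constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Trace:
    """Traceability model; keys are identifiers, values are links."""
    requirements: Dict[str, str]          # requirement id -> text
    decisions: Dict[str, Set[str]]        # decision id -> requirement ids it satisfies
    controls: Dict[str, Set[str]]         # control id -> decision ids it realises
    # control id -> True if its acceptance test passed, False if it failed;
    # a control absent from the dict has not been tested yet.
    test_results: Dict[str, bool] = field(default_factory=dict)


def controls_for_requirement(trace: Trace, rid: str) -> Set[str]:
    """Follow requirement -> decision -> control and return the control ids."""
    decisions = {d for d, reqs in trace.decisions.items() if rid in reqs}
    return {c for c, decs in trace.controls.items() if decs & decisions}


def classify(trace: Trace) -> Dict[str, List[str]]:
    """Map the project state onto the delivery matrix.

    delivery       requirement specified and fulfilled: a control with a
                   passing test traces back to it
    under-delivery requirement specified but no control traces to it, or
                   no tracing control has a passing test
    over-delivery  a control traces to no specified requirement (local hero
                   work: no requirement, no standard, just expertise)
    No-delivery (needs neither specified nor fulfilled) is invisible to a
    traceability check by definition; finding it is what the dry-run risk
    assessment against the reference architecture is for.
    """
    result: Dict[str, List[str]] = {
        "delivery": [], "under-delivery": [], "over-delivery": []}
    for rid in trace.requirements:
        ctrls = controls_for_requirement(trace, rid)
        if any(trace.test_results.get(c) for c in ctrls):
            result["delivery"].append(rid)
        else:
            result["under-delivery"].append(rid)
    specified = set(trace.requirements)
    for cid, decs in trace.controls.items():
        reqs = set().union(*(trace.decisions.get(d, set()) for d in decs))
        if not reqs & specified:
            result["over-delivery"].append(cid)
    return result


def impact_of_dropping(trace: Trace, did: str) -> List[str]:
    """Requirements left with no implementing control if decision `did`
    were traded away. Requirements still reached through another decision
    are not reported."""
    affected = sorted(trace.decisions.get(did, set()))
    remaining = Trace(
        trace.requirements,
        {d: r for d, r in trace.decisions.items() if d != did},
        {c: decs - {did} for c, decs in trace.controls.items()},
        trace.test_results,
    )
    return [r for r in affected if not controls_for_requirement(remaining, r)]


# Constructed sample project state.
SAMPLE = Trace(
    requirements={
        "SR-1": "Administrative access requires two-factor authentication",
        "SR-2": "Audit events are forwarded to the central log platform",
        "SR-3": "Data at rest on removable media is encrypted",
    },
    decisions={
        "DD-1": {"SR-1"},  # reuse the enterprise 2FA service
        "DD-2": {"SR-2"},  # syslog forwarding from every host
        "DD-3": {"SR-1"},  # all admin sessions go through a bastion host
    },
    controls={
        "C-1": {"DD-1"},   # 2FA enforced on bastion logins
        "C-2": {"DD-2"},   # log forwarding configured
        "C-3": {"DD-3"},   # bastion host deployed
        "C-4": set(),      # host firewall rules the supplier added unasked
    },
    test_results={"C-1": True, "C-2": False, "C-3": True},
)

if __name__ == "__main__":
    for bucket, ids in classify(SAMPLE).items():
        print(f"{bucket:15s} {', '.join(ids) or '-'}")
    for did in ("DD-1", "DD-2"):
        print(f"dropping {did} strands: {impact_of_dropping(SAMPLE, did) or 'nothing'}")
```

On the sample, SR-1 is delivered, SR-2 (failed test) and SR-3 (no design decision at all) are under-delivery, and C-4 is over-delivery; dropping DD-1 strands nothing because DD-3 still covers SR-1, while dropping DD-2 strands SR-2.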
Slide 12

• Functional Requirement
  • What a system must do.
  • Interaction between a component and the environment.
  • Testable.
• Non-Functional Requirement
  • How the system will do it.
  • Restricts the manner of operation of the system.
  • General in scope and concerning the whole system.
• Security Requirement
  • A manifestation of a high-level security policy into the detailed requirements.
Slide 13 (diagram): Stakeholder; Business Goals; Use Cases; Functional Requirements; Non-Functional Requirements; Design; External Constraints; Design Decisions; Trade-Offs
Slide 14: Build

• This is where your agreements with your supplier will start to fall apart.
• Some designs won’t work in practice.
• Mistakes in implementation will be made.
• Some will take longer than expected.
• Some requirements will change.
• Standing up the development team is a major cost to the supplier.
• Physical delivery of kit is expensive to reverse.
• Be flexible and be prepared to make decisions quickly.
• Don’t let suppliers disappear off down the V model with the words ‘See you in test’.
Slide 15: Testing

• Security Test Strategy
  • What is being tested
  • When in the project it must happen (early testing reduces defect rates)
• Security Test Plans
  • What sort of tests
  • What standards or requirements are being tested?
  • Acceptance criteria
• Types of tests to consider:
  • Automated static code analysis
  • Manual source code analysis
  • Risk-based targeted penetration tests
  • Internal penetration tests
  • Independent full-scope penetration tests
Slide 16: Transition to Operation

• Ensure the operations team sit on the Security Working Group.
• Make sure the operations team have been properly introduced to the key stakeholders.
• Make sure the operations team establish communications channels with key stakeholders.
• Give them visibility of design, build and test phase artefacts and risks.
• Plan to hang around for a few weeks or months following handover.
Slide 17

• Get to know your key stakeholders very well; they can be your strongest supporters.
• If you don’t document it, no-one else will.
• If you don’t tell anyone, they won’t do anything.
• If you’re not paying for it, it probably won’t happen.
• Be aware of the time / cost implications of your decisions.
• Work in partnership with suppliers but make sure you have the documentation to win a fight.
• Don’t become irreplaceable!
Slide 18

http://blog.blackswansecurity.com

Delivering Secure Projects

Editor's Notes

  1. Over-delivery and local heroes tend to result in domain-specific requirements being missed.
  2. Domain-specific security requirements are hard; suppliers are much less likely to have expertise in these up front.