"Adapt what is useful, reject what is useless, and add what is specifically your own." -Bruce Lee
Full transcript is here, https://www.linkedin.com/pulse/warriors-journey-building-global-appsec-program-owasp-brian-levine
This talk covers critical foundations for building a scalable Application Security Program.
Drawing on warrior-tested strategies and assurance frameworks such as OWASP SAMM and BSIMM, this session gives actionable guidance on building and advancing a global application security program.
Whether you are starting a fledgling security journey or managing a mature SSDLC, these foundational elements are core for achieving continuous security at scale.
Brian Levine is Senior Director of Product Security for Axway, an enterprise software company, delivering product solutions and cloud services to global Fortune 500 enterprises and government customers.
If you were tasked with building a security program, imagine it's day 1 in your new role as an application security manager, which playbook would you use? There’s an Alphabet Soup of standards to choose from, you have ISO, SOC2, OWASP, NIST, BSIMM, PCI, CSA, and on and on.
Is there a script you could follow? And which set of frameworks would you use to get started in the right direction?
My talk today is going to draw on this quote and the wisdoms of the martial arts master and philosopher Bruce Lee. Adapt what is useful, reject what is useless, and add what is specifically your own. So, in that spirit I’m going to draw on my own experience with some of these frameworks and guidelines and cover the core foundational components that I feel have led to my success and I hope will help you get started.
What I’m hoping you’ll get out of this talk are some strategies and tactics that you can use to develop and improve your program.
[Slide 6] What we’re going to cover in these three core areas. We’ll focus on establishing a security Culture, we’ll look at developing and scaling security Processes and we’ll look at Governance for ensuring visibility and executive accountability
2. A Warrior's Journey: Building a Global AppSec Program
"Adapt what is useful, reject what is useless, and add what is specifically your own." -Bruce
Lee
This talk covers critical foundations for building a scalable Application Security Program.
Drawing on warrior-tested strategies and assurance frameworks such as OWASP SAMM and
BSIMM, this session gives actionable guidance on building and advancing a global
application security program.
Whether you are starting a fledgling security journey or managing a mature SSDLC, these
foundational elements are core for achieving continuous security at scale.
Brian Levine is Senior Director of Product Security for Axway, an enterprise software
company, delivering product solutions and cloud services to global Fortune 500 enterprises
and government customers.
3. About Brian Levine
Senior Director Product & Cloud Security
Axway Software
Former Stuff:
• Industrial Engineer, Purdue University
• Systems Engineer, EMC & other places
• Product Manager Security, Syncplicity
8. OWASP SAMM – “Secure Software Center of Excellence (SSCE)”
BSIMM – “Software Security Group (SSG)”
Axway – “Product Security Group (PSG)”
Others – “Product Security Office (PSO)” ...
Centralized Application Security Group
a Rose by any other name...
10. “According to our observations, the first step of a Software Security Initiative (SSI) is to form an SSG.”
“without an SSG, success ... is very unlikely.”
BSIMM – Software Security Group (SSG)
Source: BSIMM11
11. GETTING STARTED
• Secure Executive Sponsorship
• Establish and Publicize the Charter and
Scope
• Define SSDLC goals & product objectives
• Align with PM, Development, and
Operations
• Internal Evangelism
• Selecting security tools, procedures, and
driving adoption
SOFTWARE SECURITY CENTER OF EXCELLENCE (SSCE)
LEVELING UP
• Stay Focused on the Customer (R&D)
• Publish SSDLC Standards, Procedures, and
Best Practices
• Identify promising security champions to
join the SSCE
• External evangelism
• DevSecOps automation, enabling self-
service & continuous security
• Data-driven program management
12. • 42% (55/130) of the firms in BSIMM11 study have a security champions program.
• 65% of the firms that have been assessed more than once have a security champions program.
SECURITY CHAMPIONS
OWASP SAMM
BSIMM
13. BUILDING
• Identify individuals with
interest/passion for security
• 1 champion per development
project
• Provide formal training, workshops,
and sponsorship for conferences,
certifications, etc.
• Executes SSDLC procedures (and
scans)
• Triages findings into product
backlog
• Work with SSG on Threat modeling
and secure architecture
• Reward and Recognize Publicly
SECURITY CHAMPIONS PROGRAM
SCALING
• Multiple full-time champions
per project
• SPOCs push the curve
identifying improvements, new
security tools and procedures
• Performs secure architecture
design and threat models
• Interested SPOCs rotate into
the SSG
“SPOC”
Security Point
of Contact
14. ANTI-PATTERNS
• SPOC is the only member of
the team responsible for
security. All security tasks and
questions assigned to SPOC
• SPOC is responsible to
prioritize security in the
product development cycle
(bottom-up)
• Adversarial or subordinate
relationship to the SSG
SECURITY CHAMPIONS PROGRAM - GOTCHAS
COURSE CORRECTIONS
• All devs are responsible for fixing
security defects. SPOC works with
devops, build managers, etc. to
automate security testing
• Execs, Product Managers,
Engineering Managers are
responsible to prioritize security
(top-down).
• SSG exists to support R&D
success. SSG and SPOC learn from
each other to improve in a
blameless culture.
15.
16. Mandatory Developer
Security Training
EDUCATION & AWARENESS
Structured Training Programs Security Events Recognition & Rewards
Advanced, role-specific
and platform-specific
training, more hands-on
Behavioral achievements
& certifications
•Security Days
•Tournaments & Challenges
•Capture the flag (CTF)
OWASP Security Shepherd
•Security Stars Program
•Public Praise
•SWAG
•Brand your AppSec program
(T-Shirts)
•Hit-up your Vendors
(Hoodies, Stickers, etc.)
19. BSIMM SM1.4,
“defining checks in the process first and enforcing them later is extremely helpful in moving development
toward security without major pain.
Socializing the conditions and then verifying them once most projects already know how to succeed is a
gradual approach that can motivate good behavior without requiring it.”
SECURITY GATES (PRO-TIP)
Merge security into the existing development cycles. First, identify
the gates & collect the results. But don’t enforce them (yet).
“Be shapeless, formless, like water. Water can flow
or water can crash. Be water.” –Bruce Lee
20. Third-party software component analysis
• For Initial Security Review (ISR) and Final Security Review (FSR) the project is scanned using
approved SCA tool(s).
• All results are reviewed by the development team
• All critical, high, and medium issues are resolved prior to release. (*with enforcement at FSR)
EXAMPLE Security Gate / Security Bar
Other Security Bars (gates) to define:
• Threat modeling / Secure design review
• Static Application Security Test (SAST)
• Container Vulnerability Analysis
• Attack surface analysis
• Dynamic Application Security Test (DAST)
21. “I fear not who has practiced
10,000 kicks once, but I fear who
has practiced one kick 10,000
times.”
– Bruce Lee
22. CONTINUOUS SECURITY & DevSecOps
• Initial Security Review (ISR)
• Security Requirements
• Threat Model
• Training
• Dynamic Analysis (DAST)
• Attack Surface Analysis
• Red Team Pentest
• Container Scanning
• Secure Code Review
• Static Analysis (SAST)
• 3rd-party Component Analysis
• Incident/Intrusion Detection
• Incident Response
• Vulnerability Scanning
• Hardening/Config Management
• Infra Vulnerability Scanning
• Verification
• 3rd party pentesting
• Access Control
• Audits
• Change Control
• Vulnerability Management
• Application Security Bar
• Cloud Security Bar
• Final Security Review (FSR)
• Continuous Security Review (CSR)
DEV OPS
24. Dev’s want fast build times and immediate feedback
• Problem: Some security tests cannot be done on every build
• Solution: CI pipeline runs security tests inline in the build (where applicable) and for longer running
tests or manual security tasks (e.g., threat model), it fetches the latest results via API.
Security in CICD
26. • Aggregate security
metrics to communicate
overall risk level.
• Share at the executive
level to show trends and
current security posture.
• Share across all of R&D
so every team can see
how they’re doing
relative to the business
KPI Metrics & Dashboards
27. Released Software (with
security) is our goal.
Conditional Pass Requires:
1. Mitigation Plan
2. Executive Risk Approval
Captured in Ticketing System
and enforced by automation
and orchestration.
SECURITY EXCEPTIONS & RISK APPROVAL