3. Today's Agenda
Development and Security are looking for a better way to identify, verify, prioritize and fix software vulnerabilities.
• What are the challenges?
• What's the best approach?
• What process can I apply for better/repeatable results?
• How do I select my applications? My tools?
• Visual Studio/TeamMentor/CAT.NET demonstration
4. Who We Are
Application Security Experts
• 10+ years vulnerability research
• Security Testing Methodology adopted by SAP, Microsoft, Symantec
• Authors of 8+ books
Products and Services
• Standards - Best Practices
• Education - CBT & Instructor-Led
• Assessment - Software and SDLC
Reducing Application Security Risk
• Critical Vulnerability Discovery
• Secure SDLC Rollout
• Internal Competency Development
5. Our Approach
• Standards: Create security policies, align dev activities with standards and compliance requirements, fix vulnerabilities.
• Education: Create internal expertise through eLearning, instructor-led and virtual classroom training.
• Assessment: Audit software apps against policies and compliance requirements and recommend remediation techniques.
6. Life is a Breach
Companies who suffered 1-10 breaches over the past 2 years as a result of a software app being compromised.
7. A Process is Lacking
State they either have no process (like an SDLC) at all, or an inefficient ad-hoc process for building security into their applications.
8. What Motivates Action?
State that there is no formal mandate in place to remediate vulnerable application code.
9. Common Use Cases
1. Development teams don't know where to go for best practices guidance on software vulnerabilities.
2. There's a need to communicate and share intelligence around specific vulnerabilities with your team.
3. Teams need to fix vulnerabilities and map to internal policies.
4. There's a market need for making more sense of static analysis results to get to full-circle
10. Where can developers go?
Use Case I - Security Team
• A software vulnerability has been identified.
• You need to verify it and need more information about it.
• What do you do, and where do you go for guidance?
11. How can you share the information?
Use Case II - Security Team
• You've verified a software vulnerability.
• You need to communicate the details of that vulnerability or set of vulnerabilities to your team.
• How is this accomplished most effectively?
12. Integrating with what you already have
Use Case III - Development Team
• You've verified a given vulnerability, and can now prioritize it.
• You have knowledge internally, or security policies you need to map to.
• How can I do this in a streamlined way?
13. Doing more with test results
Use Case IV - Development Team with Tools
• The tool reports findings.
• You need to make more sense of the results.
• The findings point to guidance specific to the findings.
• Fix what you've found. Re-scan.
14. Determine your risk tolerance first. Determine your apps second.
Understand your level of risk
• Take an inventory of your high-risk applications.
• Determine the business criticality of those applications.
• What's your attack probability and how do you define your attack surface?
• Consider the overall business impact, security threats and compliance mandates.
• Rank your applications accordingly.
• Start thinking about the most effective set of testing tools.
15. Define data and applications
Classify sensitive data. Then, prioritize your applications.
• How sensitive is your data in a given application(s)?
• Does that data pertain to internal mandates or federal regulations?
• Threat modeling can determine threats, attacks, and the frequency and severity they are executed with.
• Rank and prioritize your applications accordingly.
• Compile the most effective set of testing tools.
16. Prioritize your applications
Rank your applications using a formulaic approach to measuring risk.

Application Criteria

Threat Rating | Sensitive Data | Lifespan | Compliance Stringency | Customer-Facing
Tier 1        | Restricted     | Long     | High                  | Yes
Tier 2        | Private        | Mid      | Medium                | Yes
Tier 3        | Public         | Short    | N/A                   | No
17. Map activity to your criteria
Implement your security testing strategy.

Depth, Breadth, Frequency (each cell reads Complete/Frequency)

Threat Rating | Static Analysis             | Dynamic Analysis            | Manual Pen Test        | Threat Modeling
Tier 1        | Required/Major code changes | Required/Major code changes | Required/Per Milestone | Required/Per Release
Tier 2        | Suggested/Monthly           | Required/Quarterly          | Required/Per Release   | Suggested/Per Release
Tier 3        | Optional/Quarterly          | Required/Annually           | Optional/As Needed     | Optional/As Needed
18. Select your tools
Selecting your tool(s) should be the final step before you start testing.
• Apply your rankings to your tools selection.
• Determine your combination of automated vs manual tools.
  - Consider how many applications, how much code and time-to-result.
  - Do you need them to run on their own, or are they better used for a singular, manual purpose?
  - Assume that automated tools cannot target business logic attacks.
• Interpret your scan results with remediation in mind.
19. Secure Development Guidance
A Real-Time In-Practice Companion Containing 4500+ Articles of Prescriptive Guidance and Code
20. Take the TeamMentor Challenge!
Sign up for a TeamMentor account:
• Go to: https://tm-msft.azurewebites.net/
• This is the web version – a 2-week trial.
• Solve the challenge question and submit.
The winner will receive a new Microsoft Surface RT tablet.
TeamMentor for the individual, enterprise or partners:
• Full guidance library contains 4,500+ articles
• Prescriptive guidance across technologies (.NET, Java, iOS, Android)
• Single user, cloud instance, business unit, enterprise-wide licensing
• Partner organization licensing available also.
• Contact us: getsecure@securityinnovation.com