s ecurity and r isk m anagement
play

S ECURITY AND R ISK M ANAGEMENT IN A GILE S OFTWARE D EVELOPMENT - PowerPoint PPT Presentation

Sep 03, 2022 •171 likes •505 views

S ECURITY AND R ISK M ANAGEMENT IN A GILE S OFTWARE D EVELOPMENT SATURN 2012 Conference (#SATURN2012) Srini Penchikala (@srinip) 05.10.12 # WHOAMI Security Architect @ Financial Services Organization Location: Austin, TX Certified

  1. S ECURITY AND R ISK M ANAGEMENT IN A GILE S OFTWARE D EVELOPMENT SATURN 2012 Conference (#SATURN2012) Srini Penchikala (@srinip) 05.10.12

  2. # WHOAMI  Security Architect @ Financial Services Organization  Location: Austin, TX  Certified Scrum Master  TOGAF 9 Certified Architect  Co- Author: “Spring Roo in Action” Book  Editor (InfoQ.com) 2

  3. A GENDA  Security Architecture Program  Architecture Strategy and Framework  Development Process Changes  Security and Risk Assessments  Architecture Centers of Excellence  Training and Awareness  Lessons Learned  Conclusions 3

  4. A GENDA  Security Architecture Program  Architecture Strategy and Framework  Development Process Changes  Security and Risk Assessments  Architecture Centers of Excellence  Training and Awareness  Lessons Learned  Conclusions 4

  5. P ROGRAM  Goals:  Security & Risk Management at Enterprise level  Build Security In  Sustainable Compliance  Risk based Security Architecture Strategy  Architecture Framework  Process 5

  6. O RGANIZATIONAL A GILITY  Vertical:  Strategy  Portfolio  Project  Release  Iteration/Sprint  Daily Sprints  Horizontal:  Process  People  Tools/Technologies 6 Source: VersionOne

  7. S ECURITY ARCHITECTURE P ROGRAM Strategy Communication Initiatives / Framework Process Plan / Metrics Engagements Stakeholder Disciplines Projects Matrix CoE Team Components R&D 7 Activities

  8. A GENDA  Security Architecture Program  Architecture Strategy and Framework  Development Process Changes  Security and Risk Assessments  Architecture Centers of Excellence  Training and Awareness  Lessons Learned  Conclusions 8

  9. F RAMEWORK  Defines “Structure” and “Lifecycle” of the Architecture Strategy  Structure: Framework Components  Structure:  Disciplines  Components  Activities  Lifecycle: Process Activities  Components’ mapping with Process Activities 9

  10. R EFERENCE F RAMEWORKS NIST 800-53 FISMA TOGAF 9 Microsoft Secure Development BSIMM SAFECode Lifecycle (SDL) OWASP Standards 10

  11. D ISCIPLINES Identity and Security Security Access Assessment & Architecture & Management Authorization Design (IAM) System & Systems & Information Communications SIEM Integrity Protection Technologies Governance and Tools 11

  12. C OMPONENTS Identification Risk Threat and Assessment Modeling Authentication Application Technologies Data Security Security and Tools Standards and R&D Best Practices 12

  13. D ISCIPLINES V . C OMPONENTS Security Assessment • Risk Assessment & Authorization • Regulatory Compliance • Threat Modeling Architecture and • Reference Architecture and RI Design • Model Driven Security • Identification and Authentication Identity and Access • Access Control Management • ESSO • Data Security System and • Encryption Information Integrity • Application Security • Standards and Best Practices Governance • Reviews (Architecture, Design and Code) 13 • R&D

  14. S TANDARDS  Standards at all levels of product development  Architecture  Design & Coding (based on OWASP Standards)  Technologies & Tools  Standards Enforcement  Automatic scans  Manual Reviews  Lifecycle:  Identify exceptions/waivers at beginning of project  Continuous feedback to refine standards (via Agile retrospectives) 14

  15. A GENDA  Security Architecture Program  Architecture Strategy and Framework  Development Process Changes  Security and Risk Assessments  Architecture Centers of Excellence  Training and Awareness  Lessons Learned  Conclusions 15

  16. A RCHITECTURE L IFECYCLE P ROCESS  Integrate security risk assessment and management into all phases of product development  Security touch-points with PMLC & SDLC processes  Reviews to ensure architecture compliance  Reviews v. Sign-offs 16

  17. P RODUCT LIFECYCLE (PMLC) Product Vision Support & Inception Maintenan ce Implemen Architectu tation re Design & Testing Developme 17 nt

  18. PMLC W/ S ECURITY TOUCHPOINTS Product Vision Support Risk & Assessme Maintena nt nce Inceptio Security Sign-off n Security Architect Impleme ure ntation Assessme nt Security Architect Architect ure ure Review Design & 18 Developm ent

  19. A GENDA  Security Architecture Program  Architecture Strategy and Framework  Development Process Changes  Security and Risk Assessments  Architecture Centers of Excellence  Training and Awareness  Lessons Learned  Conclusions 19

  20. A SSESSMENTS AND R EVIEWS Product Vision Risk Assessment Initial Check Privacy/ Info Security Initial Check Product Initiation Assessment Security Architecture Architecture Design & Development Review Design & Development Security Code Review Functional Testing Security Architecture Functional Testing Performance Testing Impl Review Final Security Review Performance Testing Implementation and Sign-off 20

  21. A GENDA  Security Architecture Program  Architecture Strategy and Framework  Development Process Changes  Security and Risk Assessments  Architecture Centers of Excellence  Training and Awareness  Lessons Learned  Conclusions 21

  22. C ENTERS OF E XCELLENCE  Cross-team Security Architecture and Risk Management group  Champion the management and governance of all aspects of security architecture program  Core and Extended Teams  Application, Security and Data  Business and Technology 22

  23. C O E C HARTER  Risk Assessments  Security Architecture and Design Consulting  Communicate architecture decisions & guidelines to project teams  Review & present security architecture related proposals to ARB  Escalate critical security issues  Awareness & Education (via Newsletters, Wiki, Brown Bag sessions)  Security Training  Security Reviews (Architecture, Design, and Development)  Threat Modeling (Future)  Guidance on Code Scans, Pre-deployment Scans & Penetration Testing  Assist in product development and product acquisition 23

  24. E NGAGEMENTS  Collaboration between team members  Communication at the right places in the process  Security requirements & test cases during Sprint Planning  Security architecture walk-throughs  Architecture retrospectives (end of sprint)  Projects, Initiatives, Ad-Hoc Consulting  Governance Model  Research Labs (for R&D) 24

  25. A GENDA  Security Architecture Program  Architecture Strategy and Framework  Development Process Changes  Security and Risk Assessments  Architecture Centers of Excellence  Training and Awareness  Lessons Learned  Conclusions 25

  26. T RAINING AND A WARENESS  Education focused - Learning v. Teaching  Stakeholder specific  Business Analyst, Product / Project Manager  QA Testing Engineer  Technical Lead, Developer  DBA, Network Admin  Topic/Module Specific  Requirements Management  Testing and Validation  Development: User Interface, Services, Data, SQL Injection, XSS  Internal & External; Online & Classroom based 26

  27. A GENDA  Security Architecture Program  Architecture Strategy and Framework  Development Process Changes  Security and Risk Assessments  Architecture Centers of Excellence  Training and Awareness  Lessons Learned  Conclusions 27

  28. L ESSONS L EARNED  Manual architecture, design and code reviews  Solution: Automated Static & Dynamic Code Analysis Tool  Skill set challenges  Solution: Enhancements to training program  Assessments overhead  Solution: Refinements based on project experience 28

  29. R OADMAP  Current State: 2+ yrs since the start (3 yrs effort at the previous organization)  Threat Modeling (Agile Version)  Security & risk management aspects in:  Social Computing *  Mobile Development *  Cloud Computing  NoSQL Databases 29 * In progress

  30. A GENDA  Security Architecture Program  Architecture Strategy and Framework  Development Process Changes  Security and Risk Assessments  Architecture Centers of Excellence  Training and Awareness  Lessons Learned  Conclusions 30

  31. C ONCLUSIONS  Get commitment from Senior Mgmt. team  Get involved in the strategic planning process  Process and Standards are critical  Automate the process as much as possible  Agile governance model  Community of best practices (CoE)  “Agile or Security” v. “Agile and Security”  “One Size Fits All” fits nothing 31

  32. R ESOURCES  Agile Threat Modeling (http://www.infoq.com/articles/threat-modeling-express)  TOGAF  SABSA  The Building Security In Maturity Model (BSIMM) (http://bsimm.com)  Software Security: Building Security In by Gary McGraw  Secure Programming with Static Analysis by Brian Chess and Jacob West  Security Metrics (http://www.securitymetrics.org/content/Wiki.jsp) 32

  33. T HANK Y OU  Contact Information  http://www.infoq.com/author/Srini-Penchikala  srinipenchikala@gmail.com  @srinip  http://srinip2007.blogspot.com  Spring Roo in Action Book  Questions? 33

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

1 Clean Stream What is Stormwater? M anagement Stormwater is water runoff after a rain storm

1 Clean Stream What is Stormwater? M anagement Stormwater is water runoff after a rain storm

Agenda Camp Hill 1) Introductions Borough 2) Role of Stormwater M anagement Stormwater 101 History of Stormwater M anagement Common Stormwater Problems / Best Stormw ater Utility Implementation M anagement Practices (BM

451 views • 9 slides
I NTRODUCTION TO W EB S ECURITY by Fabrizio dAmore Department of Computer, Control, and

I NTRODUCTION TO W EB S ECURITY by Fabrizio dAmore Department of Computer, Control, and

I NTRODUCTION TO W EB S ECURITY by Fabrizio dAmore Department of Computer, Control, and Management Engineering Antonio Ruberti Sapienza University of Rome WHY W EB S ECURITY April 2013 recent studies conform a trend that has been

958 views • 62 slides
R esearching esearching I I Pv6 Pv6 S S ecurity ecurity R C apabilities apabilities C ( RISC

R esearching esearching I I Pv6 Pv6 S S ecurity ecurity R C apabilities apabilities C ( RISC

R esearching esearching I I Pv6 Pv6 S S ecurity ecurity R C apabilities apabilities C ( RISC RISC ) ) ( Bio: Bio: Antonios Atlasis Antonios Atlasis An IT engineer for more than 20 years, developer and instructor in several Computer

1.3k views • 80 slides
Investment Arbitration Investors enforce treaty rights directly against host States

Investment Arbitration Investors enforce treaty rights directly against host States

E FFECTIVE M ANAGEMENT OF I NVESTMENT D ISPUTES R AHUL D ONDE S ENIOR A SSOCIATE , L VY K AUFMANN -K OHLER G ENEVA , S WITZERLAND 1 I NTRODUCTION I. I NTRODUCTION TO ISDS II. R EASONS FOR E FFECTIVE M ANAGEMENT OF ISDS III. IV. M ANAGEMENT T

414 views • 30 slides
S eeking Truth Exploring Mental Health in Information S ecurity Philippe Dorman @

S eeking Truth Exploring Mental Health in Information S ecurity Philippe Dorman @

S eeking Truth Exploring Mental Health in Information S ecurity Philippe Dorman @ philippedorman Obj ectives Define S ubj ect Environment Information S ecurity The Individual Existing Resources Who am I? ~10 years

521 views • 23 slides
T HE S TATE : M ILITARISM , N ATIONAL S ECURITY , I MPERIALISM 1 N ATION AND S TATE UNDER S

T HE S TATE : M ILITARISM , N ATIONAL S ECURITY , I MPERIALISM 1 N ATION AND S TATE UNDER S

S ESSION 9 T HE S TATE : M ILITARISM , N ATIONAL S ECURITY , I MPERIALISM 1 N ATION AND S TATE UNDER S ECURITY war-making & national security increasing state power The State of Siege Karl Marx, the state of siege Vesting

258 views • 8 slides
S ECURITY & P RIVACY IN 3G/4G/ 5G NETWORKS : T HE AKA P ROTOCOL W ITH S.A LT , P.-A. F OUQUE ,

S ECURITY & P RIVACY IN 3G/4G/ 5G NETWORKS : T HE AKA P ROTOCOL W ITH S.A LT , P.-A. F OUQUE ,

S ECURITY & P RIVACY IN 3G/4G/ 5G NETWORKS : T HE AKA P ROTOCOL W ITH S.A LT , P.-A. F OUQUE , G. M ACARIO -R AT , B. R ICHARD M E , MYSELF , AND EMSEC BSc. & MSc. Mathematics, TU Eindhoven Master thesis on multiparty

748 views • 53 slides
Coordinated Key ey To Tool ols s fo for r Moder dern n Bo Bord rder er Man anagement

Coordinated Key ey To Tool ols s fo for r Moder dern n Bo Bord rder er Man anagement

Coor ordi dinated nated Bo Bord rder er Man anagement agement Coordinated Key ey To Tool ols s fo for r Moder dern n Bo Bord rder er Man anagement agement Border Management 4 October 2013 Theo Hesselink Toshihiko Osawa

349 views • 11 slides
Attribute-Based Signatures [Maji et al. 2008]: Users have attributes (Manager, Finance

Attribute-Based Signatures [Maji et al. 2008]: Users have attributes (Manager, Finance

S TRONGER S ECURITY N OTIONS FOR D ECENTRALIZED T RACEABLE A TTRIBUTE -B ASED S IGNATURES AND M ORE E FFICIENT C ONSTRUCTIONS Essam Ghadafi University College London e.ghadafi@ucl.ac.uk CT-RSA 2015 S TRONGER S ECURITY N OTIONS FOR D ECENTRALIZED

535 views • 34 slides
M ANAGEMENT P ROCESS C ENTERS FOR M EDICARE AND M EDICAID S ERVICES (CMS) J UNE 19, 2015 P RESENTED

M ANAGEMENT P ROCESS C ENTERS FOR M EDICARE AND M EDICAID S ERVICES (CMS) J UNE 19, 2015 P RESENTED

T HE F EDERAL G RANTS M ANAGEMENT P ROCESS C ENTERS FOR M EDICARE AND M EDICAID S ERVICES (CMS) J UNE 19, 2015 P RESENTED BY M ONICA A NDERSON O FFICE OF A CQUISITIONS & G RANTS M ANAGEMENT A GENDA Overview of the Center for Medicare &

543 views • 16 slides
W HAT IS DAA? 1 S ECURITY M ODEL OF DAA 2 A B LUEPRINT FOR DAA 3 ROM I NSTANTIATIONS 4 S

W HAT IS DAA? 1 S ECURITY M ODEL OF DAA 2 A B LUEPRINT FOR DAA 3 ROM I NSTANTIATIONS 4 S

D IRECT A NONYMOUS A TTESTATION Essam Ghadafi ghadafi@cs.bris.ac.uk Department of Computer Science, University of Bristol Brown Univeristy 14 th March - 2013 D IRECT A NONYMOUS A TTESTATION O UTLINE W HAT IS DAA? 1 S ECURITY M ODEL OF DAA

1.06k views • 71 slides
Y ES , G-CAN! E NDORSING F OOD S ECURITY W ITH G ENDER - R ESPONSIVE AND C LIMATE -R ESILIENT A

Y ES , G-CAN! E NDORSING F OOD S ECURITY W ITH G ENDER - R ESPONSIVE AND C LIMATE -R ESILIENT A

Y ES , G-CAN! E NDORSING F OOD S ECURITY W ITH G ENDER - R ESPONSIVE AND C LIMATE -R ESILIENT A GRICULTURE P RESENTATION A UDIO T RANSCRIPT N OVEMBER 10, 2016 P RESENTERS Claudia Ringler, International Food Policy Research Institute (IFPRI)

384 views • 19 slides
Higher ( S ecurity) Social disruptions International relations Land rights 1

Higher ( S ecurity) Social disruptions International relations Land rights 1

Willingness to 1.4 billion people lack utilize political safe water access collateral 2.4 billion people lack adequate sanitation 80% of diseases Lower ( s ecurity) carried by water killing 5-7 million people annually

482 views • 29 slides
Emergency Management in Montgomery County, MD M ONTGOMERY C OUNTY O FFICE OF E MERGENCY M

Emergency Management in Montgomery County, MD M ONTGOMERY C OUNTY O FFICE OF E MERGENCY M

Emergency Management in Montgomery County, MD M ONTGOMERY C OUNTY O FFICE OF E MERGENCY M ANAGEMENT & H OMELAND S ECURITY Montgomery County Office of Emergency Management & Homeland Security 1 1 http://www.montgomerycountymd.gov/OEMHS/

731 views • 35 slides
E MERGENCY P REPAREDNESS / E MERGENCY M ANAGEMENT N OVEMBER 13, 2019 W HAT IS E MERGENCY P

E MERGENCY P REPAREDNESS / E MERGENCY M ANAGEMENT N OVEMBER 13, 2019 W HAT IS E MERGENCY P

E MERGENCY P REPAREDNESS / E MERGENCY M ANAGEMENT N OVEMBER 13, 2019 W HAT IS E MERGENCY P REPAREDNESS ? W HAT IS E MERGENCY M ANAGEMENT ? E MERGENCY P REPAREDNESS U PDATE AND WRITE PLANS FOR C ITIES AND C OUNTIES W RITE , COORDINATE , AND P

459 views • 12 slides
USER SIGNER E FFICIENT T WO -M OVE B LIND S IGNATURES . . . 1 / 18 B LIND S IGNATURES S ECURITY M

USER SIGNER E FFICIENT T WO -M OVE B LIND S IGNATURES . . . 1 / 18 B LIND S IGNATURES S ECURITY M

B LIND S IGNATURES S ECURITY M ODEL R ELATED W ORK O UR C ONSTRUCTION E FFICIENCY C OMPARISON O PEN P ROBLEMS E FFICIENT T WO -M OVE B LIND S IGNATURES IN THE C OMMON R EFERENCE S TRING M ODEL E. Ghadafi N.P. Smart Department of Computer Science,

1.17k views • 32 slides
Cyber Security Resources For County Government September 21, 2017 September 21, 2017 2 NIST

Cyber Security Resources For County Government September 21, 2017 September 21, 2017 2 NIST

Cyber Security Resources For County Government September 21, 2017 September 21, 2017 2 NIST Cybersecurity Framework September 21, 2017 3 Resources Available to NYS Counties Funding (State Homeland Security and UASI Grants) Free

231 views • 22 slides
CAREER AND COLLEGE READINESS & CTE IN BETHEL Ron Mayberry, Director Michelle Chaney,

CAREER AND COLLEGE READINESS & CTE IN BETHEL Ron Mayberry, Director Michelle Chaney,

CAREER AND COLLEGE READINESS & CTE IN BETHEL Ron Mayberry, Director Michelle Chaney, Assistant Director https://www.facebook.com/BethelCTE/ CTE in BSD: The Facts Approx. 1,146 AAFTE for 2018-19 HS 866, MS 238, CHS 42 69 CTE

164 views • 15 slides
Using Data Science to deliver Workforce & Labour Market Insights Gary Gan Co-Founder,

Using Data Science to deliver Workforce & Labour Market Insights Gary Gan Co-Founder,

Using Data Science to deliver Workforce & Labour Market Insights Gary Gan Co-Founder, JobKred Colle llectio ion of of D Data Online Sources AI-powered Career Development Platform Skills, Education, Experience Labour Market

379 views • 17 slides
Standard Deviations of the Average System Administrator Alva L. Couch Tufts

Standard Deviations of the Average System Administrator Alva L. Couch Tufts

Standard Deviations of the Average System Administrator Alva L. Couch Tufts University USENIX Board couch@cs.tufts.edu alva@usenix.org Goals of this talk Challenge mores of the profession. Make established

693 views • 21 slides
Larry Clinton President & CEO Internet Security Alliance lclinton@isalliance.org

Larry Clinton President & CEO Internet Security Alliance lclinton@isalliance.org

Larry Clinton President & CEO Internet Security Alliance lclinton@isalliance.org 703-907-7028 202-236-0001 www.isalliance.org Are we thinking about this all wrong? Breaches and perimeter defense Hackers and kids in basements

565 views • 30 slides
EU CYBERSECURITY PUBLIC-PRIVATE PARTNERSHIP and ECSO (European Cyber Security Organisation)

EU CYBERSECURITY PUBLIC-PRIVATE PARTNERSHIP and ECSO (European Cyber Security Organisation)

EU CYBERSECURITY PUBLIC-PRIVATE PARTNERSHIP and ECSO (European Cyber Security Organisation) Laurent Manteau - Gemalto, Chair SWG1.1 ECSO AIOTI / ARMOUR workshop, ETSI Sophia-Antipolis, September 2017 ABOUT THE EUROPEAN CYBERSECURITY PPP A

406 views • 22 slides
Video Games Attack of the Microtransaction Lets get on the same page. Microtransaction:

Video Games Attack of the Microtransaction Lets get on the same page. Microtransaction:

Video Games Attack of the Microtransaction Lets get on the same page. Microtransaction: Purchase of virtual content in a video game using real money. Loot Box: A random assortment of in game items, often offered for purchase through

352 views • 21 slides
Ethical MicrotranSaction plan Fea turing Jake Merle Giovanna Passos Novello Haidar Hage

Ethical MicrotranSaction plan Fea turing Jake Merle Giovanna Passos Novello Haidar Hage

Ethical MicrotranSaction plan Fea turing Jake Merle Giovanna Passos Novello Haidar Hage Marcial Roman Andre Cambell Why now ? Audience Action Role-Playing TPS Gamer Starter Pack 18 - 28 years old North American male middle to upper

181 views • 17 slides

More recommend