Building an AppSec Program from Scratch. Chris Pfoutz, CISSP, GWAPT Manager Application Security

Similar documents
The Deloitte CFO Transition TM Lab

Deloitte Legal Department Health Review Approach to Strategic Planning

Barry Robinson. Forensic Accountant, Deloitte

Turn to Business Planning and Consolidation to Run Your Global Firm SAPPHIRE NOW

Audit quality Independent Audit

Making yourself irresistible for M&A 7 tips to get you ready to sell your business

The digital fund lifecycle

Corporate Governance Board Effectiveness Reviews

Digital era: technologies & strategy

Deloitte impact Recognition and Rewards

Deloitte Belgium 2017 Impact Report FY2017 Performance metrics

Digital Fluency Academy Do you speak Digital?

Implementing Analytics in Internal Audit. Jordan Lloyd Senior Manager Ravindra Singh Manager

Rich Mobile Content. by DigitalMIX. Dynamically publish content without changing a single line of code

Does Gen Y want the keys to the car? The changing nature of mobility

Everywhere Analytics Bringing Insights to Executive Officers 2016/05/19

Process Mining Invoice Process Rabobank NL Discovery & Optimization. Tijn van der Heijden, MSc.

Deloitte M&A Deal Corridor US/EU

Managing your career Faster, higher, stronger

Data Standards in Oil & Gas

Simplification of work: Knowledge management as a solution within the European Institutions

Audit committee performance evaluation

IFRS 16 Technologies 12 June 2018

Contents PROVIDING THE PERFECT TALENT FIT ENGAGING US HOW DO YOU BENEFIT? INTRODUCING FLEXIBLE RESOURCES MANAGEMENT CLIENTS MILLENNIALS

Investment management analytics The three-minute guide

Annual Financial Reporting Seminar The Winds of Change. Tuesday 21 October 2014 Convention Centre Dublin

Investment management analytics The three-minute guide

Headline Verdana Bold Build your own board potential What it means to be a board April 2018

EMEA TMC client conference Tax Operating Model defining your tax resourcing, governance and technology approach. The Crystal, London 9-10 June 2015

Global Manufacturing Industry Landscape

Funds in a Box Solutions Factsheets and on-line Fund Profiles. Funds in a Box Solutions Factsheets 2.0

Procure to Pay (P2P) Risk Analytics. Risk Advisory

Financial Reporting Advisory Advancing your growth

HR Metrics and Model for Modern Times

Deloitte Consolidation & Close Transform your financial consolidation and close.

Reimagine everything Accelerate digital enterprise transformation

Global Luxury Market The evolving consumer. Vladimir Biryukov, Partner 22 September 2015

IAB report on online ad-spend Affiliates results 2011

Managing FTI Data Compliance. Addressing Publication 1075

Independent Wealth Management in Luxembourg Perspective on a sector at crossroads 22 June 2018

Outsourcing Transparency Evolution: Creating Value Across the Third-Party Extended Enterprise

HR Benchmarks for Modern Times

It's your business Take control. Controlling services

Mid-market technology trends: Leveraging disruption to drive value The Dbriefs Private Companies series Anthony Stephan, Principal, Deloitte

Presentation to NERSA Work performed relating to Deloitte s review of Eskom s RCA application

Compliance As A Profession Aditi Taylor, Senior Manager, Deloitte & Touche LLP

Accounting & Auditing News IFRS 15 Revenue from Contracts with Customers: Part 3B Impact on Retail, Wholesale and Distribution Sector

How to build construction management processes

Credit management Because a sale is a gift until it is paid. Financial resources

Tasmanian Economic Update. David Rumbens Partner, Deloitte Access Economics 27 th May 2016

Online Risk and Digital Reputation Management. September Risk Advisory

Enabling the Digital Organization. Michael Gretczko, Principal, Deloitte Consulting LLP

Global Trade Advisory M&A Deloitte Tax LLP

High-Impact Succession Management The Performance Model: Key Drivers and Talent Outcomes Andrea Derler, Ph.D., Research Manager, Leadership &

Online Risk and Digital Reputation Management For private circulation only. Risk Advisory

CFO Insights Crossing the chasm: From operator to strategist. By Dr Ajit Kambil

Five Steps to Predictive Analytics

Time to take action IFRS 16 Leases

Top Management Reporting Survey Are you realizing the full potential of your management reporting?

Software Asset Management Reducing costs, mitigating risk, gaining control. Ninety years in the Middle East

The Robots Are Here! RPA Services in Greece

The 2016 Deloitte Millennial Survey. Australia - Country Report 17 January 2016

Federal Reserve Guidance on Supervisory Assessment of Capital Planning and Positions for Large Financial Institutions.

Beyond EDI Unlocking new value with transactions enabled by SAP Ariba and the Ariba Network

The 2016 Deloitte Millennial Survey. Switzerland - Country Report 17 January 2016

Talent Management in Growth Markets: India

Going beyond risk and compliance: Legal functions embracing digital

Governance in a multidimensional environment

Internal Business Review The Deloitte methodology. Deloitte Malta Risk Advisory - Banking

Everything You Always Wanted to Know About Benchmarking* (*But Were Afraid to Ask)

Day 2: Session 5 Invoice Management

DevSecOps Embedded Security Within the Hyper Agile Speed of DevOps

The people dimension of amalgamations. Machinery of government The people dimension of amalgamations. Three part series

The journey to successful business partnering

Securing Capabilities in the Cloud: Security and Privacy in the Evolution of Cloud Computing

Duty of Care: from must to accelerator?

Board Evaluation Is your Board ready for SREP governance reviews? Deloitte Malta Risk Advisory - Banking

The Role of the Board in Strategy & Risk. NACD National Conference Power Breakfast October 15, 2012

Shine a light on media accountability

Innovating the Audit to make a difference

Are you ready for Industry 4.0? FY2017 Stakeholder engagement summary

Create Experiences. Build Customers. Drive Sales.

Global trends for community services in Western Australia

Invloed technologische ontwikkleingen op kleine IAF s. 12 oktober 2017 WELKOM

So they tell me there s a talent crisis in the public sector? 2017 NASACT Emerging Leaders Conference Redefining Your Talent Strategies

Managing tax Balancing current challenge with future promise The EYE, Amsterdam, 30 November 1 December 2016

Diversity and inclusion: Why training isn't enough The HR Executive Dbriefs series

Becoming Digital May 2017

Revenue matters Is Australia ready for AASB 15?

ISACA San Francisco Chapter

Deloitte in Kazakhstan Sharing your aspirations of growth. Deloitte Kazakhstan, 2015

FSI Governance Board effectiveness Insights & (emerging) best practices. EcoDa 25 October 2017

A View from the C-Suite: The Value Proposition of Shared and Global Business Services The Conference Board 20th Annual Global Business and Shared

Digital finance The new superhero

Ready for takeoff? Overcoming the practical and legal difficulties in identifying and realizing the value of data. Self-assessment guide

Chemical industry Deloitte CIS Research Centre 2018

March IAB report on Programmatic Trading The Netherlands

Switched on to current trends and implications Middle East Energy and Resources Managing scarcity for the future

Enabling a Digital India. Rajarshi Sengupta Senior Director, Deloitte 26 June 2015

Business Succession Planning It s Never Too Soon. Kate Ahern Partner, Deloitte Private Wednesday 21 October 2015

Transcription:

Building an AppSec Program from Scratch Chris Pfoutz, CISSP, GWAPT Manager Application Security

Intro: Who s Who Chris Pfoutz Schooled as a developer 10 years Infosec - Consulting - Financial Services - Risk Assessments - AppSec Spent 2 years developing an application security program for a global financial technology company Spent the last year participating in an established 6 person team at Deloitte Touche Tohmatsu Limited. 1

Intro: Audience Survey Show of Hands General IT or aspiring into security Security General or other non-appsec AppSec Development 2

Content Section 1: Why AppSec Section 2: How Most Companies Do It Section 3: Steps to Build a Program Section 4: Assurance Components Section 5: Advice Along the Way 3

Section 1: Why AppSec?

Spend The State of Risk-based Security Management: US and UK; 2013. Ponemon Institute. Pp 40. 5

Vulnerabilities Microsoft Security Intelligence Report Vol. 15; 2013. Microsoft. Pp. 23. 6

Challenges Relative infancy of the profession Traditional network/infrastructure focus Lack of qualified talent Lack of leadership understanding 7

Section 2: How Most Companies Do It

How Most Companies Do Things Tell the network security person to buy an application scanner Scan everything Send pdfs to the developers Have your network pen testing company pen test apps where necessary Intended goal: Sexy program with immediate results 9

Why This Doesn t Work How do you know what to scan and when to scan it? Do you have enough manpower? Are your developers really going to pay attention to a pdf? How will you keep track of the remediation? Result: Frustration 10

Section 3: Steps to Build a Program

12

Step 1: Application Inventory Perfect for your GRC tool Sources DR Inventory Asset Inventory Validate with IT and Business Owners Include COTS, in house developed and bespoke developed software 13

Step 2: Business Impact Analysis (BIA) or Risk Scorecard Short, multiple choice questionnaire Fields to Collect Confidentiality Data Elements intellectual property, PII, employment records Integrity Financial transactions Branding Embedded systems Availability Recovery Time Objective (RTO) Brand Revenue 14

Step 3: Risk Ranking and Checklist Segregate applications into 3-5 groups Develop set of controls applicable to each tier of application Standards Risk Assessment Inject validation checks to ensure assurance levels are in place Low risk applications may get green light 15

Step 4: Build Secure SDLC with Change Control Gates Determine where checkpoints belong Have PMO add checkpoints to official SDLC Establish sign off gates Make an example Don t punish them for sins of the past 16

Section 4: SDLC Components

18

Vulnerability Assessments Dynamic Analysis Static Analysis Binary Analysis Source Code Analysis SaaS vs. In House Integration with build train Vendor Support Resources Cost What is the best tool? Penetration Testing Test, fix, retest Letter of attestation Design Reviews 19

Section 5: Advice Along the Way

Metrics Show increase of testing activity overlayed with number of flaws Warn team management before providing a count of flaws per team Break out 5-10 most important flaws at each reporting level Break out security flaws in issue tracking Drive for incremental improvement Remember: Many flaws are legacy 21

Don t Call Their Baby Ugly 22

Take a Developer s Perspective 23

Developer Training and Architecture/Coding Standards Breed Success 24

Don t Blindly Trust your Tools or Your Pen Testers 25

You Software Security Team and Consultants Need an Application Focus 26

Treat Security Issues as Bugs 27

Resources OWASP Software Assurance Maturity Model Software Security: Building Security In by Gary McGraw The Web Application Hacker s Handbook: Finding and Exploiting Security Flaws by Dafydd Stuttard and Marcus Pinto Contact Chris Pfoutz cpfoutz@deloitte.com 28

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte has in the region of 200,000 professionals, all committed to becoming the standard of excellence. Disclaimer This publication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively the Deloitte Network ) is, by means of this publication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this publication.

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback