
Building an AppSec Practice in a Fast-moving Environment: The Power of On-premises and as a Service (PowerPoint presentation, #MicroFocusCyberSummit). Panel facilitator: Stan Wisseman. Panelists: Troy Bowen, Verizon; Steve Pettit, Verizon; Michael Gutsche, Micro Focus.


  1. Title slide: Building an AppSec Practice in a Fast-moving Environment: The Power of On-premises and as a Service

  2. A Reactive Approach to AppSec is Inefficient and Expensive. The reactive loop: somebody builds insecure software. Either QA finds vulnerabilities in the software and we convince and pay the developer to fix it, thereby delaying the release; or IT deploys the insecure software, we are breached or pay to have someone tell us our code is bad, and we convince and pay the developer to fix it. Cost to remediate by SDLC phase (NIST Study, 2002): Requirements; Design/Architecture; Coding: 7X; Testing: 15X; Deployment/Maintenance: 30X.

  3. Goals and Benefits of an Application Security Program. "The mitigation of application security risks is not a one time exercise; rather it is an ongoing activity that requires paying close attention to emerging threats and planning ahead for the deployment of new security measures to mitigate these new threats. This includes the planning for the adoption of new application security activities, processes, controls and training." Source: “Application Security Guide for CISOs,” OWASP, 2013. A successful application security program needs to:
   Map security priorities to business priorities
   Assess the current state and target state using a security program maturity model
   Seamlessly integrate into development processes

  4. Building an AppSec Program – Major Milestones (source: Fortify Professional Services, 2018). Phases, left to right: Assess / Design; Development; Implementation; Mature / Operate; Operate / Transition. Milestones: Project Planning, Solution Roadmap, SOC Process & Procedures, Initial Monitoring Capability, AppSec Operations go-live, AppSec Maturation. Activities on the roadmap:
   Maturity assessment across business, operational, technical and analytical dimensions: interviews, workshop, baseline assessment, requirements, roadmap
   Architecture design; staff planning and role definition
   Workflow creation; processes and procedures; data onboarding and data readiness; toolset deployment and toolset integration; hiring
   Activate development and SDL; rollout of processes and procedures (documentation and training); hiring + training; deliver KPIs and metrics; analyst development plan
   Business process integration; enhancements, monitoring and system tuning, process and technology adjustments; update roadmap; advanced analysis; ML / analytics; integrated hunt operations; ODS

  5. Companies are Adopting DevOps for Rapid Development … but security is often outside of the process. Release flow shown: Business Demand → App Release Planning → App Development → App Testing → App release decision → Deployed App, with Security sitting outside the flow (marked “?”). What is needed: Increase Automation, Reduce Latency, Increase Visibility. Source: Micro Focus 2017 Application Security Research Update
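One way to put the security check inside the release decision the slide draws, as an added example that is not part of the deck or of any Micro Focus or Fortify product: a release gate that reads the SARIF 2.1.0 report a SAST scanner writes, counts the findings that were not triaged away, and fails the pipeline when findings at or above a chosen severity exceed a budget. The sample SARIF document, the rule identifiers (EX001 to EX003), the file paths and the policy knobs `block_at` and `max_allowed` are constructed for illustration.

```python
"""Release gate over SAST output in SARIF 2.1.0 format.

Added example (not from the deck or any scanner vendor): reads the SARIF
report a static analysis tool writes, counts unsuppressed findings by
severity level, and returns the release decision the pipeline should take.
"""
import json
from collections import Counter

# SARIF severity levels, ordered. A result without a "level" inherits the
# rule's defaultConfiguration.level; if that is absent too, the spec says "warning".
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed sample report for illustration; a real pipeline would read the
# file the scanner wrote (for example results.sarif). Rule IDs are made up.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "EX001", "shortDescription": {"text": "SQL injection"},
             "defaultConfiguration": {"level": "error"}},
            {"id": "EX002", "shortDescription": {"text": "Reflected XSS"},
             "defaultConfiguration": {"level": "error"}},
            {"id": "EX003", "shortDescription": {"text": "Hard-coded credential"},
             "defaultConfiguration": {"level": "warning"}},
        ]}},
        "results": [
            {"ruleId": "EX001", "level": "error",
             "message": {"text": "Query built from request parameter"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/orders.py"},
                 "region": {"startLine": 42}}}]},
            # No explicit level: inherits "error" from the rule definition.
            {"ruleId": "EX002",
             "message": {"text": "Untrusted input written to response"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/views.py"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "EX003", "level": "warning",
             "message": {"text": "Password literal in source"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/config.py"},
                 "region": {"startLine": 3}}}]},
            # Reviewed and suppressed in the tool: must not block the release.
            {"ruleId": "EX003", "level": "warning",
             "message": {"text": "Password literal in test fixture"},
             "suppressions": [{"kind": "inSource"}],
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "tests/fixtures.py"},
                 "region": {"startLine": 9}}}]},
        ],
    }],
})


def effective_level(result, rules_by_id):
    """Resolve a result's severity the way SARIF defines it."""
    if "level" in result:
        return result["level"]
    rule = rules_by_id.get(result.get("ruleId"), {})
    return rule.get("defaultConfiguration", {}).get("level", "warning")


def count_findings(sarif_text):
    """Count unsuppressed findings per level across all runs in the report."""
    doc = json.loads(sarif_text)
    counts = Counter()
    for run in doc.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        rules_by_id = {r["id"]: r for r in rules if "id" in r}
        for result in run.get("results", []):
            if result.get("suppressions"):
                continue  # accepted risk or false positive, already triaged
            counts[effective_level(result, rules_by_id)] += 1
    return counts


def release_decision(counts, block_at="error", max_allowed=0):
    """Return (ok, reason). Block when findings at block_at or above exceed the budget.

    The policy knobs are assumptions for this example; a program would set
    them per application tier and tighten them as the program matures.
    """
    threshold = LEVEL_RANK[block_at]
    blocking = sum(n for level, n in counts.items()
                   if LEVEL_RANK.get(level, LEVEL_RANK["warning"]) >= threshold)
    if blocking > max_allowed:
        return False, f"{blocking} finding(s) at level '{block_at}' or above, budget is {max_allowed}"
    return True, f"{blocking} blocking finding(s), within budget of {max_allowed}"


def visibility_line(counts):
    """One-line summary for the pipeline log, highest severity first."""
    ordered = sorted(counts.items(), key=lambda kv: -LEVEL_RANK.get(kv[0], 2))
    return ", ".join(f"{level}={n}" for level, n in ordered) or "no findings"


if __name__ == "__main__":
    findings = count_findings(SAMPLE_SARIF)
    ok, reason = release_decision(findings)
    print(f"SAST summary: {visibility_line(findings)}")
    print(f"release gate: {'PASS' if ok else 'BLOCK'} ({reason})")
    raise SystemExit(0 if ok else 1)
```

Run as a pipeline step, the non-zero exit status is what turns the “?” on the slide into an automated release decision: the scan runs on every build (automation), the verdict comes back in the same job rather than from a later review (latency), and the per-level summary is written to the build log (visibility). Honouring SARIF `suppressions` matters in practice; without it, triaged findings keep blocking every build and developers stop trusting the gate.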

  6. DevOps Teams Starting to Recognize the Importance of Integrating Security. Collaborating with security ranked as the most important strategy for DevOps in regulated industries. But security teams can’t keep up, as development teams are growing at an 80:1 ratio. Source: “10 Things to Get Right for Successful DevSecOps,” Gartner, Inc., 2017

  7. Modern Application Security Programs Need to Adapt. Drivers shown: new languages; mobile apps; software supply chain; Internet of Things; open source software components; skills; agility; bimodal IT; microservices and containers; continuous integration; cloud; automation; DevOps; more robust and dynamic apps; continuous development.

  8. Panel

  9. Thank You.
