s ecurity and r isk m anagement
play

S ECURITY AND R ISK M ANAGEMENT IN A GILE S OFTWARE D EVELOPMENT - PowerPoint PPT Presentation

Sep 03, 2022 •171 likes •505 views

S ECURITY AND R ISK M ANAGEMENT IN A GILE S OFTWARE D EVELOPMENT SATURN 2012 Conference (#SATURN2012) Srini Penchikala (@srinip) 05.10.12 # WHOAMI Security Architect @ Financial Services Organization Location: Austin, TX Certified

  1. S ECURITY AND R ISK M ANAGEMENT IN A GILE S OFTWARE D EVELOPMENT SATURN 2012 Conference (#SATURN2012) Srini Penchikala (@srinip) 05.10.12

  2. # WHOAMI  Security Architect @ Financial Services Organization  Location: Austin, TX  Certified Scrum Master  TOGAF 9 Certified Architect  Co- Author: “Spring Roo in Action” Book  Editor (InfoQ.com) 2

  3. A GENDA  Security Architecture Program  Architecture Strategy and Framework  Development Process Changes  Security and Risk Assessments  Architecture Centers of Excellence  Training and Awareness  Lessons Learned  Conclusions 3

  4. A GENDA  Security Architecture Program  Architecture Strategy and Framework  Development Process Changes  Security and Risk Assessments  Architecture Centers of Excellence  Training and Awareness  Lessons Learned  Conclusions 4

  5. P ROGRAM  Goals:  Security & Risk Management at Enterprise level  Build Security In  Sustainable Compliance  Risk based Security Architecture Strategy  Architecture Framework  Process 5

  6. O RGANIZATIONAL A GILITY  Vertical:  Strategy  Portfolio  Project  Release  Iteration/Sprint  Daily Sprints  Horizontal:  Process  People  Tools/Technologies 6 Source: VersionOne

  7. S ECURITY ARCHITECTURE P ROGRAM Strategy Communication Initiatives / Framework Process Plan / Metrics Engagements Stakeholder Disciplines Projects Matrix CoE Team Components R&D 7 Activities

  8. A GENDA  Security Architecture Program  Architecture Strategy and Framework  Development Process Changes  Security and Risk Assessments  Architecture Centers of Excellence  Training and Awareness  Lessons Learned  Conclusions 8

  9. F RAMEWORK  Defines “Structure” and “Lifecycle” of the Architecture Strategy  Structure: Framework Components  Structure:  Disciplines  Components  Activities  Lifecycle: Process Activities  Components’ mapping with Process Activities 9

  10. R EFERENCE F RAMEWORKS NIST 800-53 FISMA TOGAF 9 Microsoft Secure Development BSIMM SAFECode Lifecycle (SDL) OWASP Standards 10

  11. D ISCIPLINES Identity and Security Security Access Assessment & Architecture & Management Authorization Design (IAM) System & Systems & Information Communications SIEM Integrity Protection Technologies Governance and Tools 11

  12. C OMPONENTS Identification Risk Threat and Assessment Modeling Authentication Application Technologies Data Security Security and Tools Standards and R&D Best Practices 12

  13. D ISCIPLINES V . C OMPONENTS Security Assessment • Risk Assessment & Authorization • Regulatory Compliance • Threat Modeling Architecture and • Reference Architecture and RI Design • Model Driven Security • Identification and Authentication Identity and Access • Access Control Management • ESSO • Data Security System and • Encryption Information Integrity • Application Security • Standards and Best Practices Governance • Reviews (Architecture, Design and Code) 13 • R&D

  14. S TANDARDS  Standards at all levels of product development  Architecture  Design & Coding (based on OWASP Standards)  Technologies & Tools  Standards Enforcement  Automatic scans  Manual Reviews  Lifecycle:  Identify exceptions/waivers at beginning of project  Continuous feedback to refine standards (via Agile retrospectives) 14

  15. A GENDA  Security Architecture Program  Architecture Strategy and Framework  Development Process Changes  Security and Risk Assessments  Architecture Centers of Excellence  Training and Awareness  Lessons Learned  Conclusions 15

  16. A RCHITECTURE L IFECYCLE P ROCESS  Integrate security risk assessment and management into all phases of product development  Security touch-points with PMLC & SDLC processes  Reviews to ensure architecture compliance  Reviews v. Sign-offs 16

  17. P RODUCT LIFECYCLE (PMLC) Product Vision Support & Inception Maintenan ce Implemen Architectu tation re Design & Testing Developme 17 nt

  18. PMLC W/ S ECURITY TOUCHPOINTS Product Vision Support Risk & Assessme Maintena nt nce Inceptio Security Sign-off n Security Architect Impleme ure ntation Assessme nt Security Architect Architect ure ure Review Design & 18 Developm ent

  19. A GENDA  Security Architecture Program  Architecture Strategy and Framework  Development Process Changes  Security and Risk Assessments  Architecture Centers of Excellence  Training and Awareness  Lessons Learned  Conclusions 19

  20. A SSESSMENTS AND R EVIEWS Product Vision Risk Assessment Initial Check Privacy/ Info Security Initial Check Product Initiation Assessment Security Architecture Architecture Design & Development Review Design & Development Security Code Review Functional Testing Security Architecture Functional Testing Performance Testing Impl Review Final Security Review Performance Testing Implementation and Sign-off 20

  21. A GENDA  Security Architecture Program  Architecture Strategy and Framework  Development Process Changes  Security and Risk Assessments  Architecture Centers of Excellence  Training and Awareness  Lessons Learned  Conclusions 21

  22. C ENTERS OF E XCELLENCE  Cross-team Security Architecture and Risk Management group  Champion the management and governance of all aspects of security architecture program  Core and Extended Teams  Application, Security and Data  Business and Technology 22

  23. C O E C HARTER  Risk Assessments  Security Architecture and Design Consulting  Communicate architecture decisions & guidelines to project teams  Review & present security architecture related proposals to ARB  Escalate critical security issues  Awareness & Education (via Newsletters, Wiki, Brown Bag sessions)  Security Training  Security Reviews (Architecture, Design, and Development)  Threat Modeling (Future)  Guidance on Code Scans, Pre-deployment Scans & Penetration Testing  Assist in product development and product acquisition 23

  24. E NGAGEMENTS  Collaboration between team members  Communication at the right places in the process  Security requirements & test cases during Sprint Planning  Security architecture walk-throughs  Architecture retrospectives (end of sprint)  Projects, Initiatives, Ad-Hoc Consulting  Governance Model  Research Labs (for R&D) 24

  25. A GENDA  Security Architecture Program  Architecture Strategy and Framework  Development Process Changes  Security and Risk Assessments  Architecture Centers of Excellence  Training and Awareness  Lessons Learned  Conclusions 25

  26. T RAINING AND A WARENESS  Education focused - Learning v. Teaching  Stakeholder specific  Business Analyst, Product / Project Manager  QA Testing Engineer  Technical Lead, Developer  DBA, Network Admin  Topic/Module Specific  Requirements Management  Testing and Validation  Development: User Interface, Services, Data, SQL Injection, XSS  Internal & External; Online & Classroom based 26

  27. A GENDA  Security Architecture Program  Architecture Strategy and Framework  Development Process Changes  Security and Risk Assessments  Architecture Centers of Excellence  Training and Awareness  Lessons Learned  Conclusions 27

  28. L ESSONS L EARNED  Manual architecture, design and code reviews  Solution: Automated Static & Dynamic Code Analysis Tool  Skill set challenges  Solution: Enhancements to training program  Assessments overhead  Solution: Refinements based on project experience 28

  29. R OADMAP  Current State: 2+ yrs since the start (3 yrs effort at the previous organization)  Threat Modeling (Agile Version)  Security & risk management aspects in:  Social Computing *  Mobile Development *  Cloud Computing  NoSQL Databases 29 * In progress

  30. A GENDA  Security Architecture Program  Architecture Strategy and Framework  Development Process Changes  Security and Risk Assessments  Architecture Centers of Excellence  Training and Awareness  Lessons Learned  Conclusions 30

  31. C ONCLUSIONS  Get commitment from Senior Mgmt. team  Get involved in the strategic planning process  Process and Standards are critical  Automate the process as much as possible  Agile governance model  Community of best practices (CoE)  “Agile or Security” v. “Agile and Security”  “One Size Fits All” fits nothing 31

  32. R ESOURCES  Agile Threat Modeling (http://www.infoq.com/articles/threat-modeling-express)  TOGAF  SABSA  The Building Security In Maturity Model (BSIMM) (http://bsimm.com)  Software Security: Building Security In by Gary McGraw  Secure Programming with Static Analysis by Brian Chess and Jacob West  Security Metrics (http://www.securitymetrics.org/content/Wiki.jsp) 32

  33. T HANK Y OU  Contact Information  http://www.infoq.com/author/Srini-Penchikala  srinipenchikala@gmail.com  @srinip  http://srinip2007.blogspot.com  Spring Roo in Action Book  Questions? 33

Recommend

1 Clean Stream What is Stormwater? M anagement Stormwater is water runoff after a rain storm

1 Clean Stream What is Stormwater? M anagement Stormwater is water runoff after a rain storm

Agenda Camp Hill 1) Introductions Borough 2) Role of Stormwater M anagement Stormwater 101 History of Stormwater M anagement Common Stormwater Problems / Best Stormw ater Utility Implementation M anagement Practices (BM

451 views • 9 slides
I NTRODUCTION TO W EB S ECURITY by Fabrizio dAmore Department of Computer, Control, and

I NTRODUCTION TO W EB S ECURITY by Fabrizio dAmore Department of Computer, Control, and

I NTRODUCTION TO W EB S ECURITY by Fabrizio dAmore Department of Computer, Control, and Management Engineering Antonio Ruberti Sapienza University of Rome WHY W EB S ECURITY April 2013 recent studies conform a trend that has been

958 views • 62 slides
R esearching esearching I I Pv6 Pv6 S S ecurity ecurity R C apabilities apabilities C ( RISC

R esearching esearching I I Pv6 Pv6 S S ecurity ecurity R C apabilities apabilities C ( RISC

R esearching esearching I I Pv6 Pv6 S S ecurity ecurity R C apabilities apabilities C ( RISC RISC ) ) ( Bio: Bio: Antonios Atlasis Antonios Atlasis An IT engineer for more than 20 years, developer and instructor in several Computer

1.3k views • 80 slides
Investment Arbitration Investors enforce treaty rights directly against host States

Investment Arbitration Investors enforce treaty rights directly against host States

E FFECTIVE M ANAGEMENT OF I NVESTMENT D ISPUTES R AHUL D ONDE S ENIOR A SSOCIATE , L VY K AUFMANN -K OHLER G ENEVA , S WITZERLAND 1 I NTRODUCTION I. I NTRODUCTION TO ISDS II. R EASONS FOR E FFECTIVE M ANAGEMENT OF ISDS III. IV. M ANAGEMENT T

414 views • 30 slides
S eeking Truth Exploring Mental Health in Information S ecurity Philippe Dorman @

S eeking Truth Exploring Mental Health in Information S ecurity Philippe Dorman @

S eeking Truth Exploring Mental Health in Information S ecurity Philippe Dorman @ philippedorman Obj ectives Define S ubj ect Environment Information S ecurity The Individual Existing Resources Who am I? ~10 years

521 views • 23 slides
T HE S TATE : M ILITARISM , N ATIONAL S ECURITY , I MPERIALISM 1 N ATION AND S TATE UNDER S

T HE S TATE : M ILITARISM , N ATIONAL S ECURITY , I MPERIALISM 1 N ATION AND S TATE UNDER S

S ESSION 9 T HE S TATE : M ILITARISM , N ATIONAL S ECURITY , I MPERIALISM 1 N ATION AND S TATE UNDER S ECURITY war-making & national security increasing state power The State of Siege Karl Marx, the state of siege Vesting

258 views • 8 slides
S ECURITY & P RIVACY IN 3G/4G/ 5G NETWORKS : T HE AKA P ROTOCOL W ITH S.A LT , P.-A. F OUQUE ,

S ECURITY & P RIVACY IN 3G/4G/ 5G NETWORKS : T HE AKA P ROTOCOL W ITH S.A LT , P.-A. F OUQUE ,

S ECURITY & P RIVACY IN 3G/4G/ 5G NETWORKS : T HE AKA P ROTOCOL W ITH S.A LT , P.-A. F OUQUE , G. M ACARIO -R AT , B. R ICHARD M E , MYSELF , AND EMSEC BSc. & MSc. Mathematics, TU Eindhoven Master thesis on multiparty

748 views • 53 slides
Coordinated Key ey To Tool ols s fo for r Moder dern n Bo Bord rder er Man anagement

Coordinated Key ey To Tool ols s fo for r Moder dern n Bo Bord rder er Man anagement

Coor ordi dinated nated Bo Bord rder er Man anagement agement Coordinated Key ey To Tool ols s fo for r Moder dern n Bo Bord rder er Man anagement agement Border Management 4 October 2013 Theo Hesselink Toshihiko Osawa

349 views • 11 slides
Attribute-Based Signatures [Maji et al. 2008]: Users have attributes (Manager, Finance

Attribute-Based Signatures [Maji et al. 2008]: Users have attributes (Manager, Finance

S TRONGER S ECURITY N OTIONS FOR D ECENTRALIZED T RACEABLE A TTRIBUTE -B ASED S IGNATURES AND M ORE E FFICIENT C ONSTRUCTIONS Essam Ghadafi University College London e.ghadafi@ucl.ac.uk CT-RSA 2015 S TRONGER S ECURITY N OTIONS FOR D ECENTRALIZED

535 views • 34 slides
M ANAGEMENT P ROCESS C ENTERS FOR M EDICARE AND M EDICAID S ERVICES (CMS) J UNE 19, 2015 P RESENTED

M ANAGEMENT P ROCESS C ENTERS FOR M EDICARE AND M EDICAID S ERVICES (CMS) J UNE 19, 2015 P RESENTED

T HE F EDERAL G RANTS M ANAGEMENT P ROCESS C ENTERS FOR M EDICARE AND M EDICAID S ERVICES (CMS) J UNE 19, 2015 P RESENTED BY M ONICA A NDERSON O FFICE OF A CQUISITIONS & G RANTS M ANAGEMENT A GENDA Overview of the Center for Medicare &

543 views • 16 slides
W HAT IS DAA? 1 S ECURITY M ODEL OF DAA 2 A B LUEPRINT FOR DAA 3 ROM I NSTANTIATIONS 4 S

W HAT IS DAA? 1 S ECURITY M ODEL OF DAA 2 A B LUEPRINT FOR DAA 3 ROM I NSTANTIATIONS 4 S

D IRECT A NONYMOUS A TTESTATION Essam Ghadafi ghadafi@cs.bris.ac.uk Department of Computer Science, University of Bristol Brown Univeristy 14 th March - 2013 D IRECT A NONYMOUS A TTESTATION O UTLINE W HAT IS DAA? 1 S ECURITY M ODEL OF DAA

1.06k views • 71 slides
Y ES , G-CAN! E NDORSING F OOD S ECURITY W ITH G ENDER - R ESPONSIVE AND C LIMATE -R ESILIENT A

Y ES , G-CAN! E NDORSING F OOD S ECURITY W ITH G ENDER - R ESPONSIVE AND C LIMATE -R ESILIENT A

Y ES , G-CAN! E NDORSING F OOD S ECURITY W ITH G ENDER - R ESPONSIVE AND C LIMATE -R ESILIENT A GRICULTURE P RESENTATION A UDIO T RANSCRIPT N OVEMBER 10, 2016 P RESENTERS Claudia Ringler, International Food Policy Research Institute (IFPRI)

384 views • 19 slides
Higher ( S ecurity) Social disruptions International relations Land rights 1

Higher ( S ecurity) Social disruptions International relations Land rights 1

Willingness to 1.4 billion people lack utilize political safe water access collateral 2.4 billion people lack adequate sanitation 80% of diseases Lower ( s ecurity) carried by water killing 5-7 million people annually

482 views • 29 slides
Emergency Management in Montgomery County, MD M ONTGOMERY C OUNTY O FFICE OF E MERGENCY M

Emergency Management in Montgomery County, MD M ONTGOMERY C OUNTY O FFICE OF E MERGENCY M

Emergency Management in Montgomery County, MD M ONTGOMERY C OUNTY O FFICE OF E MERGENCY M ANAGEMENT & H OMELAND S ECURITY Montgomery County Office of Emergency Management & Homeland Security 1 1 http://www.montgomerycountymd.gov/OEMHS/

731 views • 35 slides
E MERGENCY P REPAREDNESS / E MERGENCY M ANAGEMENT N OVEMBER 13, 2019 W HAT IS E MERGENCY P

E MERGENCY P REPAREDNESS / E MERGENCY M ANAGEMENT N OVEMBER 13, 2019 W HAT IS E MERGENCY P

E MERGENCY P REPAREDNESS / E MERGENCY M ANAGEMENT N OVEMBER 13, 2019 W HAT IS E MERGENCY P REPAREDNESS ? W HAT IS E MERGENCY M ANAGEMENT ? E MERGENCY P REPAREDNESS U PDATE AND WRITE PLANS FOR C ITIES AND C OUNTIES W RITE , COORDINATE , AND P

459 views • 12 slides
USER SIGNER E FFICIENT T WO -M OVE B LIND S IGNATURES . . . 1 / 18 B LIND S IGNATURES S ECURITY M

USER SIGNER E FFICIENT T WO -M OVE B LIND S IGNATURES . . . 1 / 18 B LIND S IGNATURES S ECURITY M

B LIND S IGNATURES S ECURITY M ODEL R ELATED W ORK O UR C ONSTRUCTION E FFICIENCY C OMPARISON O PEN P ROBLEMS E FFICIENT T WO -M OVE B LIND S IGNATURES IN THE C OMMON R EFERENCE S TRING M ODEL E. Ghadafi N.P. Smart Department of Computer Science,

1.17k views • 32 slides
2 CFR P ART 200 AND 24 CFR P ART 570: F INANCIAL M ANAGEMENT Key Point To effectively and

2 CFR P ART 200 AND 24 CFR P ART 570: F INANCIAL M ANAGEMENT Key Point To effectively and

2 CFR P ART 200 AND 24 CFR P ART 570: F INANCIAL M ANAGEMENT Key Point To effectively and compliantly administer CDBG-DR awards, subrecipients must maintain an accurate, appropriate, effective, timely Additional Financial Management and Grant

521 views • 6 slides
S ecurity A ssured C yberinfrastructure in P ennsylvani a June 14-15, 2018 Pittsburgh This

S ecurity A ssured C yberinfrastructure in P ennsylvani a June 14-15, 2018 Pittsburgh This

S ecurity A ssured C yberinfrastructure in P ennsylvani a June 14-15, 2018 Pittsburgh This workshop is part of the following project funded by the National Science Foundation (NSF) NSF Award #1642117: CICI: Regional: SAC-PA: Towards Security

163 views • 14 slides
Service Quality M anagement in Fira Barcelona Introduction Complaints are directly related

Service Quality M anagement in Fira Barcelona Introduction Complaints are directly related

Service Quality M anagement in Fira Barcelona Introduction Complaints are directly related to Exhibitor services sales From To Complaint M anagement Elimination Objectives eliminate 80% of the improve Exhibitor complaints Satisfaction

289 views • 26 slides
COLUMN DEFINITIONS T REE D EFINITIONS C ATALOG IS NOW R EPORT DEFINITIONS R EPORT W IZARD S

COLUMN DEFINITIONS T REE D EFINITIONS C ATALOG IS NOW R EPORT DEFINITIONS R EPORT W IZARD S

M ANAGEMENT R EPORTER Susan Conrod Senior Implementation Specialist suer@calszone.com W HAT IS M ANAGEMENT R EPORTER What does it look like? Whats Changed? New Security Upgrading from FRx to MR Things to look forward to in MR

764 views • 19 slides
M ICRO - AND N ANO -S ENSOR FOR I O T S ECURITY US-K OREA F ORUM ON N ANOTECHNOLOGY @ N ANO K OREA

M ICRO - AND N ANO -S ENSOR FOR I O T S ECURITY US-K OREA F ORUM ON N ANOTECHNOLOGY @ N ANO K OREA

Y OUNGHYUN K IM U NIVERSITY OF W ISCONSIN M ADISON M ICRO - AND N ANO -S ENSOR FOR I O T S ECURITY US-K OREA F ORUM ON N ANOTECHNOLOGY @ N ANO K OREA , J ULY 13, 2018, I LSAN , K OREA V ARIATIONS IN S EMICONDUCTOR M ANUFACTURING 2 Fast Slow

325 views • 8 slides
I S NSTITUTE FOR ECURITY FOR T ECHNOLOGY S TUDIES T ECHNOLOGY S TUDIES Cyber Security and

I S NSTITUTE FOR ECURITY FOR T ECHNOLOGY S TUDIES T ECHNOLOGY S TUDIES Cyber Security and

Traps, Events, Emulation and Enforcement: the Yin and Yang of virtualization-based security Sergey Bratus, Michael E. Locasto, Ashwin Ramaswamy, Sean W. Smith Dartmouth College Dartmouth College I NSTITUTE S ECURITY I S NSTITUTE FOR

540 views • 31 slides
Authentication and Transaction S ecurity in E-Business AXSionics AG, BFH S pin-off Park, S

Authentication and Transaction S ecurity in E-Business AXSionics AG, BFH S pin-off Park, S

next generation of access control Authentication and Transaction S ecurity in E-Business AXSionics AG, BFH S pin-off Park, S eevorstadt 103b, CH-2501 Biel-Bienne Lorenz Mller Mobile: + 41 79 341 03 26 Lorenz.mueller@axsionics.ch 1 next

1.21k views • 60 slides
T14 Thursday, May 18, 2006 1:30PM S ECURITY T ESTING : A RE Y OU A D EER IN THE H EADLIGHTS ? Ryan

T14 Thursday, May 18, 2006 1:30PM S ECURITY T ESTING : A RE Y OU A D EER IN THE H EADLIGHTS ? Ryan

BIO PRESENTATION T14 Thursday, May 18, 2006 1:30PM S ECURITY T ESTING : A RE Y OU A D EER IN THE H EADLIGHTS ? Ryan English SPI Dynamics Inc International Conference On Software Testing Analysis and Review May 15-19, 2006 Orlando, Florida USA

578 views • 41 slides

More recommend