you can’t boil the ocean - Home | Lantech · Agile Secure lifecycle management 1. Because we have...


Page 1: you can’t boil the ocean - Home | Lantech · Agile Secure lifecycle management 1. Because we have to! 2. Developers meets hacker 3. Agile beats structure 4. Software Security Fundamentals

And then you are the security boss: you can’t boil the ocean

Your speaker: Dr. Barry Derksen

Page 2:

© BITTI BV. 2011

Dr.lec. Barry Derksen MSc MMC CISA CGEIT

Page 3:


Being the security boss is….

Page 4:

source: Nancy Rademaker

[Chart: 70% = 93%; 20% = 7%; 110% = 0%]

Primary attention of the board

Page 5:

source: Nancy Rademaker

However, looking at what they actually do

Page 6:


The security boss and the near future..

[Figure: drivers of the near future: Search, Social, Smart Cities, Robotics, Singularity, Wearables, Quantified self, Smart systems, 3D printing. Physical elements are next!]

[Chart: level of digitalization (high to low) across three phases:
1995-2005, 1st phase: Internet
2005-2015, 2nd phase: Internet
2015-2030, 3rd phase: IoT
Media / information: 15% of the economy. Digitalizing the physical environment (production, healthcare, homes, cities, ….): 85% of the economy]

Page 7:


Let’s get to work, then…

1. Do we know all URLs & are those OWASP proof?

2. Abuse cases created?

3. Are our big data analysts screened?

4. Is your test data scrambled?

5. How many systems are pentested?

6. Prioritized risk backlog? For software?

7. ISO 27001? By obligation or by heart?

8. When was your last physical security test?

9. Analysis? GDPR compliant? Security laws?

10. How many data leakages reported?

11. Developer staff trained in security practices?

12. How good is our SOC compared to peers?

1. Take a picture
2. Set goals
3. Implement
4. Monitor progress
5. Evaluate

Page 8:

❏ Fix a few big problems

❏ Focus on operations (monitoring & incident)

❏ Pull the plugs (switch things off)

Don’t boil the ocean

Page 9:

Build trust

❏ Touch the soul of the company

❏ Find your peers

❏ Risk based, CIA… what really matters?

Page 10:


Agile = AIRgile

Go for the cherries

Sensation

IAM, Sec. Dashboard, DMARC…

Page 11:

Learning = publishing

Agile Secure lifecycle management

1. Because we have to!

2. Developers meets hacker

3. Agile beats structure

4. Software Security Fundamentals

5. Introducing Agile secure Software Development

6. Agile Secure Software Framework

7. Maturing Agile Secure Software Life Cycle

Sprints:

Page 12:

❏ Example #1 "As a hacker, I can send bad data in URLs, so I can access data and functions for which I'm not authorized"

❏ Example #2 "As a hacker, I can send bad data in the content of requests, so I can access data and functions for which I'm not authorized"

❏ Example #3 "As a hacker, I can read and even modify all data that is input and output by your application"

Learn: EVIL user stories
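The three evil user stories above only pay off once they are executable: each story becomes an abuse test that a build fails until the story no longer "comes true". The block below is an added example, not code from the slides or from the book they summarize. It constructs a tiny in-process request handler in its vulnerable "before" form (authorization decided on an owner the client names in the URL or body) next to a hardened form (authorization decided on the session identity, plaintext transport refused), and runs every story against both. The records, session tokens, URL layout and the 426 response are assumptions made for the illustration.

```python
"""Evil user stories as executable abuse tests.

Added example, not from the original slides: each evil user story on the
slide becomes an abuse test that is run against a tiny in-process request
handler. The handler, the sessions and the records are constructed here
for illustration; nothing talks to a network.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Constructed sample data: two users, each owning one record.
RECORDS = {
    "r-100": {"owner": "alice", "secret": "alice payroll export"},
    "r-200": {"owner": "bob", "secret": "bob payroll export"},
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class Request:
    method: str
    url: str                      # path plus query, e.g. "/records/r-200?owner=bob"
    headers: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)
    scheme: str = "https"         # what the client actually connected with


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def _session_user(req):
    """Map a bearer token to the user the server knows; None if unauthenticated."""
    auth = req.headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    return SESSIONS.get(token)


def _route(req):
    """Return (record, action) for /records/<id> and /records/<id>/export."""
    segs = urlsplit(req.url).path.strip("/").split("/")
    if len(segs) < 2 or segs[0] != "records":
        return None, None
    action = segs[2] if len(segs) > 2 else "read"
    return RECORDS.get(segs[1]), action


def vulnerable_app(req: Request) -> Response:
    """The 'before' handler: authenticates, then trusts the owner the client names."""
    if _session_user(req) is None:
        return Response(401)
    record, action = _route(req)
    if record is None:
        return Response(404)
    if req.method == "GET" and action == "read":
        claimed = parse_qs(urlsplit(req.url).query).get("owner", [None])[0]
    elif req.method == "POST" and action == "export":
        claimed = req.body.get("owner")
    else:
        return Response(405)
    # Bug: the authorization decision is made on attacker-controlled input.
    if claimed == record["owner"]:
        return Response(200, {"secret": record["secret"]})
    return Response(403)


def hardened_app(req: Request) -> Response:
    """The 'after' handler: authorization uses the session identity only."""
    if req.scheme != "https":
        # Story #3: never serve application data over plaintext transport.
        return Response(426, {"error": "TLS required"})
    user = _session_user(req)
    if user is None:
        return Response(401)
    record, action = _route(req)
    if record is None:
        return Response(404)
    if not ((req.method == "GET" and action == "read")
            or (req.method == "POST" and action == "export")):
        return Response(405)
    # Ownership is compared against who the server knows the caller to be;
    # any "owner" the client puts in the URL or body is ignored.
    if record["owner"] != user:
        return Response(403)
    return Response(200, {"secret": record["secret"]})


# Each evil user story paired with the request a hacker would send.
ATTACKER = {"Authorization": "Bearer tok-alice"}   # alice goes after bob's record
EVIL_STORIES = [
    ("bad data in URLs",
     Request("GET", "/records/r-200?owner=bob", ATTACKER)),
    ("bad data in request content",
     Request("POST", "/records/r-200/export", ATTACKER, {"owner": "bob"})),
    ("read and modify data in transit",
     Request("GET", "/records/r-100?owner=alice", ATTACKER, scheme="http")),
]


def run_abuse_tests(app):
    """Run every evil user story against `app`; True means the abuse was blocked."""
    results = {}
    for name, req in EVIL_STORIES:
        resp = app(req)
        leaked = resp.status == 200 and "secret" in resp.body
        results[name] = not leaked
    return results


if __name__ == "__main__":
    for name, app in (("vulnerable", vulnerable_app), ("hardened", hardened_app)):
        print(name, run_abuse_tests(app))
```

Run stand-alone, the file prints which stories still come true for each handler; all three succeed against the vulnerable handler and none against the hardened one. In a sprint the security story is done only when `run_abuse_tests` reports every story blocked, and the test stays in the pipeline so a later refactor cannot quietly reintroduce the owner-from-input check. Story #3 is really a transport requirement, so what the application can assert is only that it refuses plaintext; the TLS configuration itself is verified outside the code.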

Page 13:


Call for Agile:

❏ Social media
❏ Mobile living
❏ Analytics & Big Data
❏ Cloud
❏ IoT
❏ Chain trends
❏ Risks change

Accept: Agile beats structure

Page 14:

Know: Software Security Fundamentals

Security measures in the SDLC. Source: Gary McGraw, Software Security: Building Security In, 2006

Page 15:


Apply: Agile Secure Software Development

❏ Stakeholders are part of the risk assessment

❏ Stakeholder security tests during product review

❏ Acceptance criteria for security user stories

❏ Use Agile retrospectives

❏ Group to minimize security damage

Risk in Waterfall and Agile software development, Source: Cirdam Group


Page 16:

Implement: Adopting security-focused stories

❏ Develop security user stories

❏ Prioritize based on risk

❏ Decrease the risk acceptance level over time

❏ (you’re never finished)

Figure 15: Security Focused story, Source: Safecode.org

Page 17:

Full circle: Agile SECURE IT

CONTEXT
● Functions & environment
● Application assets
● Security requirements
● Security assumptions

THREATS
● Functional threats
● Architectural threats
  ○ architecture inventory
  ○ threat library
● Mitigations

IMPLEMENTATION
● Secure coding principles
● Secure coding standards
● Code audit

VERIFICATION
● Verification method
  ○ code review
  ○ penetration test
  ○ vulnerability scan
  ○ fuzzing
  ○ abuse tests
● Verification process

Page 18:

& the day after tomorrow…

Page 19:

© BITTI BV. 2019

Dr. Barry Derksen

I’m In Control

www.i-inc.nl

[email protected]

Page 20:

SECURE PERSONAL DISTINCTIVE

Program – De Toekomst is Nu (The Future is Now)

Morning:
10:45 – 11:00 Break
11:05 – 11:35 Keynote Fred Streefland – Cloud Security is an opportunity! Seize that opportunity!!!
11:40 – 12:55 Opportunity to visit the new Militair Museum, and lunch break

Afternoon (rooms: Auditorium, Workshop, Klas van ‘45):
13:00 CRH - Peter Middel / Cisco – Christopher van der Made / Dell - Erik Zandboer
13:35 Lantech - Hans Willem Verwoerd / Amaris Zorggroep - Geert-Jan Schroot / Proofpoint - Jim Cox
14:25 Lantech - Solutions engineer / Extreme Networks - Mathew Edwards
15:00 – 16:00 Keynote – Richard van Hooijdonk - Trends 2030
16:00 – 17:00 Closing by the day chair and networking drinks