Re: [SC-L] Darkreading: Getting Started

2008-01-10 Thread Gary McGraw
Hi Andy,

Good point about 4 (tool first).  Sometimes security feature rollout can 
provide a good impetus.  We saw that too, focused around crypto for PCI with 
one of our major customers.

The only real danger with following that path is that you tend to emphasize 
that security is a feature (and only a feature), which as we all know is a big 
misunderstanding among dev people.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com


-Original Message-
From: Andy Steingruebl [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 09, 2008 10:59 PM
To: Secure Coding Mailing List (SC-L@securecoding.org)
Cc: Gary McGraw
Subject: Re: [SC-L] Darkreading: Getting Started

On Jan 9, 2008 4:48 PM, Gary McGraw <[EMAIL PROTECTED]> wrote:
> hi sc-l,
>
> One of the biggest hurdles facing software security is the problem of how to 
> get started, especially when faced with an enterprise-level challenge.  My 
> first darkreading column for 2008 is about how to get started in software 
> security.  In the article, I describe four approaches:
> 1. the top-down framework;
> 2. portfolio risk;
> 3. training first; and
> 4. leading with a tool.

Gary,

I had success with #4, but not using the tools we usually think of for 
bootstrapping a program, namely static analysis or testing tools.
When I took the position they had already settled on using Netegrity's 
Siteminder product for a common authentication and authorization scheme across 
all of the applications.  I managed to get them to settle on doing a quasi-RBAC 
with Siteminder, using it almost as an identity service as well.

Settling on one common high-quality authentication and authorization 
tool/framework had three effects:

 1. It removed these services from the realm of development. They just had to 
integrate with it, but didn't have to figure out all of the corner cases to 
password changes, etc. that so often crop up, and people mess up in homegrown 
approaches.

 2. It convinced developers to build clean interfaces in their code for things 
like authorization to call out externally and/or have the data provided to them 
in a standard fashion.  By settling on RBAC it also helped a lot with role and 
permission modeling that did need to happen in the app.

 3. In a shop that usually wanted to do everything itself, it broke that cycle 
and people got used to not having to write everything from scratch.

It was a bit of a non-standard way to use a tool to bootstrap a security 
program.  They essentially got sold Netegrity originally for the wrong reasons, 
but they picked it and in implementing it correctly did themselves a huge 
service.

Just one data point on leading with a tool that focused more on architecture 
and design than it did on finding defects.

--
Andy Steingruebl
[EMAIL PROTECTED]

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] Darkreading: Getting Started

2008-01-10 Thread Gary McGraw
Hi Jim,

Good question.  Often a coordinated/distributed approach will work.  However, 
to make things simple, I tried to untangle the threads.  We have actual 
customers who have followed each of the 4 paths (with other interesting twists 
of course), so it made sense to carve things out that way to me.

I agree with you on 4 (tool first), but the reality of the situation is that 
many enterprises were sold tools as a just-add-water solution and they've been 
looking around for the water ever since.  That is one way to get started and it 
does work.  Reality sucks, huh?

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jim Manico
Sent: Thursday, January 10, 2008 12:50 AM
Cc: Secure Coding Mailing List (SC-L@securecoding.org)
Subject: Re: [SC-L] Darkreading: Getting Started

Gary,

Interesting article. May I ask, why get started with only one of these 
approaches? Since 1-3 affect different parts of the organization (portfolio 
risk seems like a biz-management approach, top-down framework seems to affect 
software development management, and training affects developers, primarily) - 
why not *start* an initiative on all levels? In fact, doesn't it really take 
all of the above to truly effect permanent change in an organization?

4) Makes me nervous. I worry if you just toss a very expensive static code 
analysis or app scanning tool at development staff, you only provide a false 
sense of security since the coverage of even the best application security 
tools is very limited. Doesn't it take rather in-depth developer training and 
awareness for a tool to be truly useful?

- Jim
> hi sc-l,
>
> One of the biggest hurdles facing software security is the problem of how to 
> get started, especially when faced with an enterprise-level challenge.  My 
> first darkreading column for 2008 is about how to get started in software 
> security.  In the article, I describe four approaches:
> 1. the top-down framework;
> 2. portfolio risk;
> 3. training first; and
> 4. leading with a tool.

--

Best Regards,
Jim Manico
[EMAIL PROTECTED]
808.652.3805 (c)




Re: [SC-L] Darkreading: Getting Started

2008-01-10 Thread Gary McGraw
hi gp,

Yup.  I count that as 1 (top-down framework) because that approach often leads 
with the creation of a special ops execution team that becomes the software 
security group.  By far, this is the most impressive approach in terms of 
results and the one that is the most effective in well-run enterprises.

Please do note that getting started does not mean you have to stick with only 
one of the ways.  Any mature approach to software security requires aspects of 
each of the getting started ways.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

-Original Message-
From: Gunnar Peterson [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 09, 2008 10:00 PM
To: Gary McGraw; Secure Mailing List
Subject: Re: [SC-L] Darkreading: Getting Started

Another approach is decentralized specialized teams, centers of excellence in 
current managementspeak, with a specific agenda and expertise on an area deemed 
strategic. This approach is probably best paired with 2, 3, or 4 from your list. 
For example, a roving specialized threat modeling team that works with many 
groups to help develop threat models, attack patterns, tests, and so on. Or a 
roving team that focuses on building secure web apps and cuts across groups for 
specialized tasks for secure web app dev, say, how do I use CardSpace in my web 
app?

Once you figure out what your strategic goals are for security (threat 
modeling, CardSpace, static analysis, secure web app dev, etc.), you can use 
#2 to focus them on the right stuff, or use #3 as roving advisers (like the CIA 
in the Cold War), or in #4 arm them with a tool or technology like an XML Security 
gateway or static analysis tools to make a small band more effective in a large 
organization.

-gp


On 1/9/08 6:48 PM, "Gary McGraw" <[EMAIL PROTECTED]> wrote:

> hi sc-l,
>
> One of the biggest hurdles facing software security is the problem of
> how to get started, especially when faced with an enterprise-level
> challenge.  My first darkreading column for 2008 is about how to get
> started in software security.  In the article, I describe four approaches:
> 1. the top-down framework;
> 2. portfolio risk;
> 3. training first; and
> 4. leading with a tool.





Re: [SC-L] Darkreading: Getting Started

2008-01-10 Thread Jim Manico
Gary,

Interesting article. May I ask, why get started with only one of these 
approaches? Since 1-3 affect different parts of the organization 
(portfolio risk seems like a biz-management approach, top-down framework 
seems to affect software development management, and training affects 
developers, primarily) - why not *start* an initiative on all levels? In 
fact, doesn't it really take all of the above to truly effect permanent 
change in an organization?

4) Makes me nervous. I worry if you just toss a very expensive static 
code analysis or app scanning tool at development staff, you only 
provide a false sense of security since the coverage of even the best 
application security tools is very limited. Doesn't it take rather 
in-depth developer training and awareness for a tool to be truly useful?

- Jim
> hi sc-l,
>
> One of the biggest hurdles facing software security is the problem of how to 
> get started, especially when faced with an enterprise-level challenge.  My 
> first darkreading column for 2008 is about how to get started in software 
> security.  In the article, I describe four approaches:
> 1. the top-down framework;
> 2. portfolio risk;
> 3. training first; and
> 4. leading with a tool.

-- 

Best Regards,
Jim Manico
[EMAIL PROTECTED]
808.652.3805 (c)




Re: [SC-L] Darkreading: Getting Started

2008-01-10 Thread Andy Steingruebl
On Jan 9, 2008 4:48 PM, Gary McGraw <[EMAIL PROTECTED]> wrote:
> hi sc-l,
>
> One of the biggest hurdles facing software security is the problem of how to 
> get started, especially when faced with an enterprise-level challenge.  My 
> first darkreading column for 2008 is about how to get started in software 
> security.  In the article, I describe four approaches:
> 1. the top-down framework;
> 2. portfolio risk;
> 3. training first; and
> 4. leading with a tool.

Gary,

I had success with #4, but not using the tools we usually think of for
bootstrapping a program, namely static analysis or testing tools.
When I took the position they had already settled on using Netegrity's
Siteminder product for a common authentication and authorization
scheme across all of the applications.  I managed to get them to
settle on doing a quasi-RBAC with Siteminder, using it almost as an
identity service as well.

Settling on one common high-quality authentication and authorization
tool/framework had three effects:

 1. It removed these services from the realm of development. They just
had to integrate with it, but didn't have to figure out all of the
corner cases to password changes, etc. that so often crop up, and
people mess up in homegrown approaches.

 2. It convinced developers to build clean interfaces in their code
for things like authorization to call out externally and/or have the
data provided to them in a standard fashion.  By settling on RBAC it
also helped a lot with role and permission modeling that did need to
happen in the app.

 3. In a shop that usually wanted to do everything itself, it broke
that cycle and people got used to not having to write everything from
scratch.

It was a bit of a non-standard way to use a tool to bootstrap a
security program.  They essentially got sold Netegrity originally for
the wrong reasons, but they picked it and in implementing it correctly
did themselves a huge service.

Just one data point on leading with a tool that focused more on
architecture and design than it did on finding defects.

-- 
Andy Steingruebl
[EMAIL PROTECTED]


Re: [SC-L] Darkreading: Getting Started

2008-01-10 Thread Gunnar Peterson
Another approach is decentralized specialized teams, centers of excellence
in current managementspeak, with a specific agenda and expertise on an area
deemed strategic. This approach is probably best paired with 2, 3, or 4 from
your list. For example, a roving specialized threat modeling team that works
with many groups to help develop threat models, attack patterns, tests, and
so on. Or a roving team that focuses on building secure web apps and cuts
across groups for specialized tasks for secure web app dev, say, how do I use
CardSpace in my web app?

Once you figure out what your strategic goals are for security (threat
modeling, CardSpace, static analysis, secure web app dev, etc.), you can use
#2 to focus them on the right stuff, or use #3 as roving advisers (like the
CIA in the Cold War), or in #4 arm them with a tool or technology like an XML
Security gateway or static analysis tools to make a small band more
effective in a large organization.

-gp


On 1/9/08 6:48 PM, "Gary McGraw" <[EMAIL PROTECTED]> wrote:

> hi sc-l,
> 
> One of the biggest hurdles facing software security is the problem of how to
> get started, especially when faced with an enterprise-level challenge.  My
> first darkreading column for 2008 is about how to get started in software
> security.  In the article, I describe four approaches:
> 1. the top-down framework;
> 2. portfolio risk;
> 3. training first; and
> 4. leading with a tool.




[SC-L] Darkreading: Getting Started

2008-01-09 Thread Gary McGraw
hi sc-l,

One of the biggest hurdles facing software security is the problem of how to 
get started, especially when faced with an enterprise-level challenge.  My 
first darkreading column for 2008 is about how to get started in software 
security.  In the article, I describe four approaches:
1. the top-down framework;
2. portfolio risk;
3. training first; and
4. leading with a tool.

We've tried them all with some success at different Cigital customers.

Are there other ways to get started that have worked for you?

By the way, I can use your help.  Darkreading is beginning to track reaction to 
topics more carefully than in the past.  You can help make software security 
more prominent by reading the article and passing the URL on to others you may 
find interested.  Another thing that helps is posting to the message boards.  
Thanks in advance.

Here's to even more widespread software security in 2008!

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
