The proliferation and complexity of software-enabled systems have amplified risk for many organizations. Conventional approaches to software security don’t work, typically encompassing no more running vulnerability scanning. Executives need a better way to understand which products, systems, and teams are putting their enterprise at most risk – and deploy appropriate action plans. SToRM represents a new approach for enterprises to more effectively assess and protect software-dependent IT systems. Change your approach – evolve from a vulnerability-focused approach to risk-based one. Learn pragmatic steps to ensure you’re mitigating the most risk with limited resources, time, and budget. Topics include: • Why traditional approaches aren’t working • How to identify risks at the business workflow and IT system levels • Techniques to calibrate assessment and mitigation efforts

1. 1

2. 2
• Securing software in all the challenging places….
• ….while helping clients get smarter
Assessment: show me the gaps
Standards: set goals and make it easy
Education: help me make good decisions
Over
3 Million
Users
Authored
18
Books
Named
6x
Gartner MQ
About Security Innovation

3. 3
• CEO by day; engineer by trade (and heart)
• Mechanical Engineer, Software Engineer
• Ponemon Institute Fellow
• Privacy by Design Ambassador, Canada
• In younger days, built non-lethal weapons
systems for Federal Government
About Me

4. 4
Agenda
 Why Traditional Approaches Aren’t Working
 Identifying Business Workflow and IT System Level Risk
 Calibrating Assessment and Mitigation Efforts to Risk

5. 55
Why Traditional Approaches Aren’t Working

6. 6
Software Powers the World
• Consider all the software dependent security disciplines: physical,
data, infrastructure, networks, cloud
• Factor in all the different data flows and technologies
• Toss in software-borne exploits: Heartbleed, Shellshock, Stuxnet
• Compound the challenge with business requirements
• Regulatory, customer, legal obligations
• 3rd-party services and supply chain dependencies
• Intellectual property protection
• The dilemma: Leaders need to know which products, systems, and
teams are putting their business at most risk

7. 7
• As an industry, we are over reliant on:
• Scanning
• Miss certain vulnerabilities, false positives, non contextual ratings
• Fail to address code-, system-, business logic- and workflow- vulnerabilities
• Vulnerability hunting: amounts to whack-a-mole
• Network defenses: defense in depth is critical, but often bypassed
• Without a systemic & adaptive approach, the tail continues to wag the dog
Conventional Approaches to Software Risk
Management

8. 8
• SToRM prioritizes high risk software via
rapid, relative risk & threat analysis
• Assessment and controls are
commensurate with application/data risk
• Roadmap is contextual and weighted
• From security engineering activities, to policies
and tools usage, to training
New Approach to Software Security Risk Management

9. 9
Polling Question #1
• On a scale of 1-4, how much insight into the real risk of software do
you feel your organization has?
• 1 (no insight)
• 2
• 3
• 4 (full insight)

10. 1010
Identifying Business Workflow and IT System Level Risk

11. 11
The value of understanding
security risks is only realized
when you can decide where
(and whether) to dive deeper
into specific problems and
take appropriate risk
mitigation actions
SToRM Overview

12. 12
SToRM in Action: Application Asset Rating
• Applications rely heavily on their environment to operate
• These resources all provide input to the software, which can fail
• Step 1: Portfolio Analysis
• Document critical assets; should represent your full portfolio
• Step 2: Prioritize business applications
• Rate them on a relative scale that makes sense to you; ensure it’s used consistently
• You can also base asset rankings on:
• Business Impact Analysis (BIAs) that may have already been performed
• Sensitivity of data processed by assets, value to the business, or impact on operations

13. 13
Secure SDLC Gap Analysis
• Can be a simple questionnaire against best practices (e.g. PCI SSF) or more advanced
model like OpenSaMM
• Result should be gap report and creation of secure development policy
• Documenting a policy is not a guarantee that it’s being followed
• Use similar approach for 3rd-party providers for acceptance testing

14. 14
SToRM in Action: Risk Discovery & Assessment
• Review of application- or systems-level technical specs to understand how it’s
been designed and deployed
• To ensure implications are correctly assessed, construct a unified view of threats
and risks at business workflow and technical system levels
• Different threat modeling techniques can be used for a 360-degree view
• My favorite is STRIDE, however PASTA and others are great too
• Carnegie Mellon University’s Software Engineering Institute lists 12 modeling methods
https://insights.sei.cmu.edu/sei_blog/2018/12/threat-modeling-12-available-methods.html

15. 15
SToRM in Action: Risk Assessment
Includes review and/or development of:
• Asset and data classification schemas
• Security classification schema for applications which specifies
classification criterion, e.g.
• type of data processed, internal vs. external
• Tabletop exercises to discuss additional threat vectors
• Current secure SDLC security practices and controls
• Portfolio risk rating framework that considers impact, threats,
requirements, etc

16. 16
Examine Application and its Environment
• Generate a business-level threat model and as many deep
threat vectors as possible
• Identify and prioritize high-risk applications based on
business impact, security threats, compliance mandates
and operational risk
• Recommend security assessment activities based on
application & data security risk
• May range from a rapid fully- automated scan to a
deep manual inspection
• Create a risk rating framework that calibrates assessment
efforts to criticality

17. 17
Threat Analysis
• Threat modeling of the application workflow
• Couple with attack modeling and design/code review
• Trace all the ways users and admins might accidentally or intentionally exploit faulty
control logic or coding errors
• Insight should be used to determine next steps for your application’s lifecycle:
• Deeper or broader testing
• Rebuilding
• Replacing it with another application
• Accepting the risks as-is
• Deploying different/additional mitigation controls
• Taking it out of service completely

18. 18
Outcomes of Risk Discovery & Assessment
• Digital assets that are most at risk and require protection
• Most likely threats to those at-risk assets
• Specific malicious attacks that could be used to realize
those threats
• Design & deployment conditions under which attacks
would be successful
• Mitigations or additional testing that must be conducted
to reduce identified threats or prove/disprove their
existence

19. 19
SToRM in Action: Application Re-ordering
• After Threat Modeling, reassess application
risk rating
• Create tiers and place each application in
one based on criteria
• Data classification reflects level of impact
if data is compromised
• Attack exposure is an important
factor in relative risk
• Combination of data criticality and attack
exposure results in risk rating grouping

20. 20
Sample Risk Rating: Application #4 (of 9)
• Internal support help-desk application for support and ticketing
• Customer records are stored in a central database in an internal data center;
however, it is only customer name and email address
• Built in-house and the product it supports will be end-of-lifed soon

21. 21
• Operational e-commerce application
• Built by 3rd party
• Data is sensitive and once collected, is stored in an encrypted database
Sample Risk Rating: Application #7 (of 9)

22. 22
Grouping Software Applications
Oversimplified Example
• 5 basic categories and assign a 0, 1, 2, or 3 based on risk factors:

23. 23
Polling Question #2
Which Software Risk Management technique do you see as the most
important?
• Threat Modeling
• Application Risk Rating
• Data Classification
• SDLC Gap Analysis/Optimization

24. 2424
Calibrating Assessment and Mitigation Efforts

25. 25
Persistent Asset: Application Risk Rating/Grouping
• Teams have framework/blueprint to implement:
• Implement risk-based practice
• Make informed decisions
• Calibrate security assessment to business exposure
• Revisit when new applications are planned
• As you get more mature, add criteria, adjust ratings, etc

26. 26
SToRM in Action: Security Test Calibration
• You’ve considered criticality of data stored, transmitted/processed, and exposure
• There is no standard formula; risk tolerance and data mapping is contextual
• Goal is to have recommended testing frequency and depth for each tier

27. 27
Persistent Asset: SDLC Gap Analysis & Remediation
Roadmap
• Sequencing of new activities and tools should be considered carefully
• Don’t focus on one pillar (technology, people, process/standards)
• They are highly dependent on each other
• Consider skills development a critical success factor
• Introducing tools without training on objective & activity will have limited impact
• Consider each job function and technology stack
• Java developer needs different training than .NET developer, even though both build Web apps
• IT engineer that protects software in play will require different training than a software/DevOps
engineer focused on building security into the process

28. 28
Persistent Asset: Business Level Threat Model
• Needs to be living assets that can be revisited in the future
• Threats are not vulnerabilities – they live forever
• Considering a significant new feature? Read about a new attack?
• Return to the threat model and make necessary tweaks to understand impact
Courtesy:
Sean Gallagher

29. 29
2/21/2020
Vulnerable to
Heartbleed?
Threat #12
Compromise
App Password
1.1
Access “in-use”
password
1.2
Guess password
1.3
Access
Password in DB
1.1.1
Sniff network
1.1.2
Phishing attack
1.2.1
Password is
weak
1.2.2
Brute force
attack
1.3.1
Password is in
cleartext
1.3.2
Compromise
database
1.3.2.1
SQL injection
attack
1.3.2.2
Access database
directly
1.3.2.2.1
Port open
1.3.2.2.2
Weak db account
password(s)
Use TLS to encrypt
OpenSSL 1.0.1f
Require strong Password
8+ char, upper, lower,
number, special char
Use Prepared Statements
.NET parameterized queries
OleDbCommand() with
bind variables
Restrict Port Access
Firewall configuration

30. 30
Persistent Asset: Development & Procurement Policy
• Almost every organization has a combination of home-
grown, COTS, and outsourced/bespoke applications
• Each poses similar risks and should have cybersecurity
acceptance testing criteria based on your SDLC policy
• Documentation of security standards/checklists for dev
teams (regardless of where they reside organizationally)
is a byproduct of this exercise
• Be sure to enforce them and review them regularly

31. 31
Final Thoughts
• Organizations are too reliant on software to apply a one size fits all strategy
• If you don’t break the Find & Fix hamster wheel, you know what happens
• Eliminating risk is impossible; yielding high Mitigation on Investment (MoI) isn’t
• There are no standard formulas for managing software risk
• The by-products of SToRM activities ensure teams:
• Are judicious with their limited resources
• Understand where top priorities are
• Have proper context/vision to do their job
• Can make informed (aka risk based) decisions

32. 32
How Can We Help?
Secure SDLC Risk Review
• Fill compliance gaps with tools,
activities and skills
• Roadmap with optimal sequencing
Computer Based Training
• Covers all major technologies,
roles, frameworks
• Maps to PCI DSS, GDRP, OWASP,
ISO, NIST, NERC, CSSLP, CWE,
HIPAA
Cyber Range
• Authentic, turn-key, fun
• Reports map to specific
courses
• Identify champions

33. 33
Questions?

34. 34
www.securityinnovation.com
Thank You!