Seeking security ROI: Secure application development
Agenda
1. The current state of Information Security
2. Realizing the value of producing secure code
3. Addressing the issues programmatically
4. How infoedge can help capture this value
© 2015
Cost of Cyber security – 2014
- $71 Billion: 2014 IT security spending globally (7.9% increase over 2013)
- 65% of US population: the sum of just 3 of the major breaches (e.g. JP Morgan Chase, Target, and Home Depot) is sufficient to cover over 65% of the US population
- $8.6 Million: average annual cost of cyber attacks on U.S. retailers
- $12.7 Million: average annual cost of successful cyber attacks on the communications sector
- $14.5 Million: average annual cost of successful attacks on the technology sector
- $20.8 Million: average annual cost of successful attacks on financial services
- $2 Billion: spent by American firms on cyberliability insurance coverage (65% increase over the $1.3 Billion spent in 2013)
U.S. Corporate IT Security Spending
- Worldwide spending on security infrastructure, including software, services and network security appliances used to secure enterprise and consumer IT equipment, will reach $86 billion in 2016
- 46% of organizations expect to increase budget for network security from 2013 to 2014
Source: Gartner Report 2012
IBM X-Force Report – 2012 Security Incidents / Breaches / Attacks
[Chart of incident types: SQL injection, Spear Phishing, DDoS, Physical Access, Trojan Software, XSS, Unknown; size of circle estimates relative impact of incident in terms of cost to business]

Attack and vulnerability classes listed:
- Deprecated API Manipulation
- Session hijacking
- Zero day
- LDAP injection
- Buffer overflow
- XML injection
- Cross-site scripting
- SQL injection
- Command injection
- Header manipulation
- Directory traversal
Sony Data Breach Grows by 25 Million – $1 Billion Price Tag
Sony just admitted this week that their Sony Online Entertainment (SOE) division, which they thought was not affected by the recent breach, has also been compromised.
By John Sileo, sileo.com

Target Puts Data Breach Costs at $148 Million, and Forecasts Profit Drop
Target said in a security filing on Tuesday that costs associated with the episode reached $148 million in the second quarter.
By Rachel Abrams, The New York Times, Aug. 5, 2014

Anthem now says 78.8M were affected by breach
The Anthem data breach may have exposed 78.8 million records… Anthem is still investigating exactly how many records hackers extracted from a database.
By Jeremy Kirk, IDG News Service, Feb 24, 2015

Why $250M did not protect JP Morgan from hackers
JPM CEO Jamie Dimon said the U.S. bank will probably double its $250M annual security budget in the next 5 years

Nationwide mutual hack affected 1.1 million Americans
Over a million U.S. citizens, according to new data
By Charlie Osborne, ZDNet, December 6, 2012

Home Depot facing dozens of data breach lawsuits
Home Depot is facing at least 44 lawsuits related to a data breach at the home-improvement retailer that involved the theft of payment card information and customer e-mail addresses.
By John Kell, Fortune.com, Nov. 25, 2014

Why 40M credit cards hacked
Breach at third party payment processor affects 22 million Visa cards and 14 million MasterCards.
By Jeanne Sahadi, CNN/Money senior writer, June 20, 2005, 3:18 PM EDT
Significant growth in reported breaches attributed to Cyber-espionage (46%) and Web Application attacks (66%)

[Chart: share of breaches by incident classification pattern, 2013 vs 2014: POS Intrusions, Web App Attacks, Insider Misuse, Physical Theft/Loss, Miscellaneous Errors, Crimeware, Card Skimmers, DoS Attacks, Cyber-espionage, Everything else]

[Chart: Number of selected incident classification patterns over time, 2009 to 2013: POS Intrusions, Web App Attacks, Cyber-espionage, Insider Misuse, Card Skimmers, DoS Attacks, Everything else]

Source: Verizon Data Breach Investigations Report 2014
Move security decisioning forward to minimize development rework costs
- Low-Medium Risk Industry: >$30K per defect in the post-release phase (NIST)
- Medium Risk Industry: >$250K per defect in the post-release phase (Microsoft)
- High Risk Industry: >$350K per defect in the post-release phase (Military)
Source: Applied Software Measurement, Capers Jones
And avoid the significant business impact of a delayed product
- Product annually achieving $30M gross revenue with annual development costs of $7.5M
- Weekly revenue ~$580K; weekly development costs ~$140K
- A week's delay equates to ~$720K** in lost revenue

** Excluding other considerations, e.g. first-mover advantage, regulatory mandates, marketing and sales campaigns, etc.
“Secure software development, more than any other discipline, is where the largest gap between risk and response attention by the information security profession exists” (The 2013 (ISC)² Global Information Security Workforce Study)

[Diagram: security activities across the development lifecycle: Security Requirements, Code Review (tools), Risk Analysis, Abuse Cases, Penetration Testing, Risk-Based Security Tests, Risk Analysis, Security Operation]

“What’s needed is more secure software, NOT more security software.” (WhiteHat Website Security Statistics Report, May 2013)
Apply extensible frameworks that are tried & proven

Microsoft SDL phases and practices:

Education
- Training: Core Security Training

Process
- Requirements: Establish Security Requirements; Create Quality Gates/Bug Bars; Security & Privacy Risk Assessment
- Design: Establish Design Requirements; Analyze Attack Surface; Threat Modeling
- Implementation: Use Approved Tools; Deprecate Unsafe Functions; Static Analysis
- Verification: Dynamic Analysis; Fuzz Testing; Attack Surface Review
- Release: Incident Response Plan; Final Security Review; Release Archive

Accountability
- Response: Execute Incident Response Plan
Application security is a shared responsibility, not solely the obligation of the security organization

Smart Governance
- Support
- Shared Learning
- Guidance
- Adoption
- Change Management
- Policies
- Standards
- Controls
- Processes
- Metrics
- Roadmaps

Executive Sponsorship and Commitment

Stakeholders:
- Clients
- Partners
- Business units
- CTO organization
- Development shops
- Developers
- IT policy
- Legal & procurement
- Human resources
- Project management & PMO
- Process & Quality management
- Security, architecture, ops
- Governance, risk, compliance
Change organizational behaviors

Current State
- Reactive “Find & Fix” approach to security defects
- Security issues identified late in the SDLC and fixes are “Bolted On”
- Risks often remediated post-production, increasing risk
- Security activities commonly perceived as a roadblock to release
- Security is the responsibility of the “security team”

Future State
- Mindset: Proactive “Build-Security-In” approach across SDLC phases
- Timeliness: Security issues identified earlier in the SDLC or avoided entirely
- Remediation: Risks avoided altogether or remediated pre-production
- Business Focus: Security planned for throughout the release cycle, supporting time-to-market
- Risk Culture: Secure development mindset woven into culture
SDL practices by phase:
- Training: Core Security Training
- Requirements: Establish Security Requirements; Create Quality Gates/Bug Bars
- Design: Establish Design Requirements; Perform Threat Modeling
- Implementation: Use Approved Tools; Perform Static Analysis
- Verification
- Release: Develop an Incident Response Plan; Perform a Final Security Review
- Response: Execute Incident Response Plan
Information Governance, Risk and Compliance (iGRC): Securely managing information risk, ensuring stable governance processes and aligning with regulatory mandates

Assessment
- Identify S-SDLC value proposition
- Assess S-SDLC maturity
- Overcome secure software lifecycle impediments

Advisory
- Develop S-SDLC roadmap
- Prepare S-SDLC investment business case
- Create new S-SDLC organizational capabilities, services, and offerings

Operationalization
- Drive broad organizational and program change
- Orchestrate effective socialization and awareness campaigns
- Accelerate S-SDLC program, capability, and/or service implementation

Assurance
- Embed smart governance to proactively monitor and manage program effectiveness
- Manage S-SDLC risk by leveraging key leading indicators and customized reporting
Infoedge works with our clients to understand their existing capabilities across the S-SDLC and identify opportunities for focused improvement and capability development. Applying industry best practices, including the Microsoft SDL framework, our consultants perform the following types of assessment activities:

Assessment
- Identify the S-SDLC value proposition across the organization
- Discover secure software lifecycle impediments
- Assess organizational S-SDLC maturity
- Analyze S-SDLC domain capabilities
- Review application security policies, standards, and controls
- Investigate S-SDLC process flows and review release / development methodologies (e.g. Agile, Waterfall)
- Validate the effectiveness of existing application security activities (e.g. threat modeling, penetration, static or dynamic testing)
Our consultants perform the following types of advisory activities:

Advisory
- Develop multi-year S-SDLC roadmap and implementation strategy
- Identify program mission, vision, goals and objectives
- Define S-SDLC control objectives, controls, and standards
- Develop RACI-based S-SDLC control processes and procedures
- Recommend organizational functional and staffing plans
- Conduct stakeholder analysis and obtain near real-time feedback through Voice of the Customer (VoC) sessions
- Determine the operating model to engage business units, partners, and other key stakeholders
- Co-create new S-SDLC organizational services and offerings supported by a service hierarchy, catalog(s), and playbook(s)
Our consultants perform the following types of operationalization activities:

Operationalization
- Provide initial and on-going project management support to influence and drive organizational and program change
- Orchestrate and deliver broad awareness campaigns through effective communication of the value of the S-SDLC services
- Provide integrated executive, senior management, line of business and other stakeholder communications
- Develop RACI-based S-SDLC capability implementation guidance and deliver S-SDLC capability training programs
- Engage with key business units, partners and stakeholders to realize new service implementation at all levels
- Co-evolve S-SDLC service delivery capabilities over time
Our consultants perform the following types of assurance activities:

Assurance
- Identify critical business drivers supported by the S-SDLC program and determine leading KPIs and KRIs of interest
- Attach clear business outcomes to S-SDLC risk measures (e.g. % of incidents where customer data was at risk due to non-compliance of specific application development vendors)
- Develop a robust reporting framework by understanding the information needs of key stakeholder groups and individuals
- Develop an operational approach to collecting and “rolling-up” key metrics across the S-SDLC program
- Design and implement an approach for sourcing, confirming, and articulating key leading metrics and embedding smart S-SDLC program governance into existing approaches