Slides - owasp

Using the Cloud and SaaS to Secure the SDLC
About Me
Andy Earle
• HP/Fortify
– Security Solutions Architect / Presales Engineer
– Sell, deliver solutions to commercial and US Fed
• Past
– PM for High Assurance computer system at BAE
– Mobile and App Security, multiple jobs
– Software Engineer, multiple jobs
Agenda
• Terms and Background
• Application Security (AppSec) Deployment Models
– SaaS / Cloud (On Demand)
– On-Premise
• AppSec Industry Evolution
– Relevant Trends
– Case for “Hybrid” Implementation
• Hybrid On-Premise / cloud delivery of S-SDLC
Terms and Background
• Terms
– SaaS : Software as a Service
– SDLC : Software Development Lifecycle
– SSA : Software Security Assurance
• Background
– Focus is static analysis…but many concepts applicable to dynamic
– SaaS and (public) cloud somewhat interchangeable, for this session
– Caveats: Lots of variety of offerings amongst vendors; many of my statements are necessarily generalities
APPSEC DEPLOYMENT MODELS
What is SaaS?
Software as a Service (SaaS)
…or Security as a Service, in the AppSec world
• SaaS is a delivery model where software, data and services are hosted in the cloud and delivered on demand
• Application Security SaaS offerings include
– Static, dynamic, and manual analyses
– Expert review and prioritization of results
– Various delivery offerings (web interface, reports, artifacts that integrate with onsite infrastructure)
AppSec via SaaS
SaaS Process, On-Demand (diagram: Dev Org --> Analysis --> AppSec SME --> SaaS Web Portal --> Stakeholders)
1) Dev Org delivers code or bytes
2) Analysis as a Service
3) Expert Review (AppSec SME - review & triage)
4) Results made available to Stakeholders via the SaaS Web Portal
What is an SDLC?
Software Development Lifecycle (SDLC)
…or Secure Development Lifecycle
…or Secure Software Dev Lifecycle (S-SDLC)
S-SDLC incorporates security across all phases of
the development lifecycle. Security is built into
applications from the start.
Result: Software Security Assurance (SSA)
Sample Secure SDLC
Diagram: On Premise Deployment
Developers (IDE Plug-in) --> Check in Code --> Code Repository
Build Machine (Possibly Continuous Integration): Check-out, Build and Scan --> Vulnerability Scan
Auditor Reviews Results --> Submit Findings to Bug Tracker --> Bug Tracking
Developer Fixes Bug / Security Finding --> Repeat as Necessary
Roles shown: Developers, Auditor / Security, PM / Tech Lead
Building Security into an SDLC
Build Security in: Activities & Tasks
• Developer & staff training
• Vulnerability analysis technologies
• Technology integrations and automation
• AppSec processes, procedures and metrics
• Governance, enforcement of the above
…Basically, process reengineering
…This is SSA
SSA Challenges
Challenges to implementing an SSA program
• Tools “wanted by security, need to be used by development”
• Developers not security trained. Security doesn’t understand source code
• Seamless integration of security requires big upfront commitment
• Expertise is scarce (and expensive in time or $$$)
• And more…
SaaS vs. On-Premise
• Deployment
– SaaS: Easy. No deployment, no hardware, no training
– On Premise: Involved. Requires local installation and supporting hardware
• Expertise Required
– SaaS: Little. Scans executed, results triaged by experts and delivered in easy to read reports
– On Premise: Significant. Requires expertise to set filters and triage results
• Time to Results
– SaaS: Days (sometimes weeks) per scan
– On Premise: Hours per scan
• Control
– SaaS: Less. Standardized process
– On Premise: More. 100% control - instant access to all capabilities at any time
• Integration
– SaaS: Less. Primary results are in report, but can be sent to bug tracking systems and IDEs
– On Premise: More. Tight integration with build systems, bug tracking, revision control, test automation
• Actionable Results
– SaaS: Less. Reports, web sites, web services challenging for use in fixing found issues
– On Premise: Very. Results in-house, consumable & usable in IDEs, development and security infrastructure
The Strengths of
SaaS and On-Premise
Pure SaaS Deployment
• Easy and cost effective to get started
• Little to no expertise required
• Findings make case for future appsec investments
• Meet compliance and reporting obligations
Pure On-Premise Deployment
• Better model for “The Fix”
• Addresses the systemic problem
• Integration and automation maximize efficiency
A Solid Plan for SSA
Phase 1: Pure SaaS
• Assess Critical Apps
• Prioritize and secure funding for Phase 2
• Train and/or hire resources
• Fix critical vulnerabilities, low hanging fruit
Phase 2: Pure On-Premise
• Bring technology and expertise in-house
• Solve the systemic problem – reduce repeat vulnerabilities
• Integration and automation maximize efficiency
• Mature SSA program
• This could include putting SaaS onsite (private cloud)
HOW THINGS ARE EVOLVING
Relevant AppSec Trends
People
• Developers are increasingly security trained and aware
• AppSec SMEs more prevalent, many in the solution providers and security firms
Product
• Applications increasingly complex
– Hardware and time to analyze steepening
– Increased expertise required to scan accurately
• SaaS increasingly integrate-able with onsite systems
Process
• Compliance obligations mandating S-SDLC
S-SDLC Baseline Deployment
Diagram: Basic, On Premise
Developers --> Check in Code --> Code Repository
Build Machine (Possibly Continuous Integration): Check-out, Build and Scan --> Vulnerability Scan
Auditor Reviews Results --> Submit Findings to Bug Tracker --> Bug Tracking
Developer Fixes Bug / Security Finding --> Repeat as Necessary
Roles shown: Developers, Auditor / Security
S-SDLC Needs
Analysis Needs (Vulnerability Scan):
• Power, processing, memory
• Multiple servers
• Expertise to scan accurately
Development Needs (Developers):
• Security, vulnerability training
• IDE integration of results
• Low impact to current processes
Auditor Needs (Auditor / Security):
• Deep appsec knowledge
• Expertise with scanning tool
• Knowledge of app deployment
Legend (colour-coded in the original slide): = SaaS, = On Premise
SaaS Integration Points
Diagram: On Premise Infrastructure
Developers --> Check in Code --> Code Repository
Build Machine or Continuous Integration: Check-out, Build and Scan --> Vulnerability Scan
Auditor Reviews Results --> Submit Findings to Bug Tracker --> Bug Tracking
Developer Fixes Bug / Security Finding --> Repeat as Necessary
Roles shown: Developers, Auditor / Security
SaaS Integration Points
Diagram: On Premise Infrastructure (Code Repository, Developers, Build Machine or Continuous Integration, Bug Tracking) with SaaS in place of the on-site scan
Roles shown: Developers, Auditor / Security, PM / Tech Lead
• Point & click
• Automated
• Web-based
Bringing it all Together
• Key Concepts in a Hybrid S-SDLC Deployment
– Expertise available via SaaS is typically superior to that found on-premise (they are the experts)
– Some tasks require on-site activity (like fixing bugs)
– Disruptions to existing processes can slow adoption; start small and build slowly
– Integration points can blur the on-premise / on-demand separation, facilitating adoption
Hybrid Delivered Secure SDLC
Diagram: Hybrid Deployment
Developers (IDE Plug-in) --> Check in Code --> Code Repository
Continuous Integration: Triggered Check-out --> Triggered send for Analysis --> SaaS (Analyze/Scan, Expert Review)
Auditor / PM: Download, Prioritize Results --> Submit Findings to Bug Tracker --> Bug Tracking
Developer views bugs & findings; Dev loads issues in IDE Plug-in
Integration Points
Development and Security Technology | Deliver Source | View/Pull Results
Developer IDE | Y | Y
Continuous Integration Server | Y | Y
Code Repository / Version Control | Y | 
Web Interface | Y | Y
Web Services / Custom Integrations | Y | Y
Lots of opportunity for customization and fitting the deployment model to the customer environment
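The hybrid flow ends with an auditor or PM downloading results from the SaaS, prioritizing them and submitting findings to the bug tracker. The following is an added example, not code from the slides or from any vendor's product, of how that step can be automated so a triggered scan does not re-file findings developers already have. The results export format, the "reviewed" flag, the severity names and the ticket shape are assumptions for illustration, and the findings are constructed sample data.

```python
"""Added example: automate the 'Download, Prioritize Results / Submit Findings
to Bug Tracker' integration point of a hybrid S-SDLC.

Assumptions (not from the slides or any vendor): the analysis service exports
JSON with a 'findings' list, each finding carries a 'reviewed' flag set by the
SaaS expert review, and the bug tracker accepts simple dict payloads."""
import hashlib
import json

# Constructed sample results export, as it might look after expert review.
SAMPLE_RESULTS_JSON = json.dumps({
    "application": "payments-web",
    "scan_id": "scan-0001",
    "findings": [
        {"rule": "SQL Injection", "severity": "Critical",
         "file": "src/db/orders.py", "line": 88, "reviewed": True},
        {"rule": "Cross-Site Scripting", "severity": "High",
         "file": "src/web/views.py", "line": 41, "reviewed": True},
        {"rule": "Unused Variable", "severity": "Low",
         "file": "src/util/fmt.py", "line": 12, "reviewed": True},
        {"rule": "Hardcoded Password", "severity": "High",
         "file": "src/config.py", "line": 7, "reviewed": False},
    ],
})

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
MIN_SEVERITY_TO_FILE = "High"   # policy knob, assumed; set per SSA program


def fingerprint(app, finding):
    """Stable id for a finding so a re-scan does not re-file the same bug.
    Built from rule and file, not line number, which shifts on unrelated edits."""
    key = f"{app}|{finding['rule']}|{finding['file']}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def prioritize(results_json, min_severity=MIN_SEVERITY_TO_FILE):
    """Parse a results export, keep only expert-reviewed findings at or above
    min_severity, and order them most severe first.
    Returns (application, scan_id, findings)."""
    data = json.loads(results_json)
    cutoff = SEVERITY_RANK[min_severity]
    kept = [f for f in data["findings"]
            if f.get("reviewed")
            and SEVERITY_RANK.get(f["severity"], 99) <= cutoff]
    kept.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["file"], f["line"]))
    return data["application"], data["scan_id"], kept


def to_tickets(results_json, existing_fingerprints, min_severity=MIN_SEVERITY_TO_FILE):
    """Turn prioritized findings into bug-tracker ticket payloads, skipping any
    finding whose fingerprint is already tracked. Returns (tickets, skipped)."""
    app, scan_id, findings = prioritize(results_json, min_severity)
    tickets, skipped = [], 0
    for f in findings:
        fp = fingerprint(app, f)
        if fp in existing_fingerprints:
            skipped += 1
            continue
        tickets.append({
            "title": f"[{f['severity']}] {f['rule']} in {f['file']}",
            "labels": ["security", f"sev:{f['severity'].lower()}"],
            "fingerprint": fp,   # stored on the ticket for future dedup
            "body": f"Found at {f['file']}:{f['line']} by scan {scan_id}",
        })
    return tickets, skipped


if __name__ == "__main__":
    # First triggered scan: nothing tracked yet, both reviewed High+ findings are filed.
    first, _ = to_tickets(SAMPLE_RESULTS_JSON, existing_fingerprints=set())
    print(json.dumps(first, indent=2))
    # Re-scan: the tracker already holds those fingerprints, so nothing is re-filed.
    tracked = {t["fingerprint"] for t in first}
    second, skipped = to_tickets(SAMPLE_RESULTS_JSON, existing_fingerprints=tracked)
    print(f"re-scan filed {len(second)} new, skipped {skipped} already tracked")
```

The unreviewed High finding is deliberately held back: in the hybrid model the expert review on the SaaS side is what gives the auditor confidence to push a finding into the developers' queue, and the severity threshold is the "start small" knob from the key concepts above.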
Plan for SSA, Revisited
Phase 1: Pure SaaS
• Assess Critical Apps
• Prioritize and secure funding for Phase 2
Phase 2: On-Premise Pilot and SaaS
• Continue SaaS regime
• Deploy on-premise technology, design and test long term processes
• Train and/or hire resources
• Fix critical vulnerabilities, low hanging fruit
Phase 3: Hybrid On-Premise and SaaS Deployment
• Deploy more technology and expertise in-house
• Difficult apps (for example) are still analyzed, triaged via SaaS
• Integration and automation max efficiency across deployments
• Mature SSA program
Final Thoughts
• Take advantage of expertise where it resides, potentially buying time to bring it in-house
• The general maturity curve is still on-demand --> on-premise
• Automated or easy integrations are vital to successful hybrid deployment
• Plan! Think long term.
• Sometimes a pure on-premise or on-demand deployment is still the best answer. The important thing is to fit the solution to the problem and need.
Resources
http://www.owasp.org
http://www.opensamm.org/
…and check out the next session on this track
http://bsimm.com/
http://buildsecurityin.us-cert.gov/bsi/
…Many, many others…