Software Confidence. Achieved. Deployment of a Code Analysis Methodology: Critical Discussion Towards a Roadmap for Success. John Steven, Software Security Principal, Technical Director, Office of the CTO, Cigital Inc.


Dec 18, 2015

Transcript
Page 1

Software Confidence. Achieved.

Deployment of a Code Analysis Methodology

Critical Discussion Towards a Roadmap for Success

John Steven, Software Security Principal

Technical Director

Office of the CTO

Cigital Inc.

Page 2

© 2006 Cigital Inc. All Rights Reserved. Proprietary and Confidential.

Motivation - Common Goals & Challenges

Initial Goals
- Introduce lightweight code analysis to the SDLC
- Inexpensively purchase security expertise
- Consistently apply that expertise

Subsequent Desires
- Scale 'whitebox' code analysis
- Automate checking against corporate security coding standards
- Enable developers to test powerfully

Non-starters
- Unwieldy build integration
- Overwhelming false positive reduction
- Inappropriate division of labor: filtering findings, writing rules

Stumbling Blocks
- Unclear process/tool ownership, inability to shepherd the tool
- Overcoming objections to accuracy, alternatives

Page 3


Initial Adoption, Pilot Deployment

Page 4


Pilot Inception

Goal: Introduce lightweight code analysis to the SDLC

Define Secure SDLC
- Palatable to development management
- Sufficient to exercise software security

Stand up App. Sec. Roles
- Assure proper support level for roll-out
- Avoid inadequate skills for tool support
- Appropriately assign adoption tasks

Classify Portfolio's Risk
- Apply tools where they count first

Software Security Training
- Begin to set expectations

Page 5


Pilot Requirements

Define Tool Pilot
- Decide who will pilot the tool

Secure Coding Awareness
- Set expectations about the tool's capabilities
- Show the tool alongside other software security activities
- Proactively differentiate the tool's success criteria from other developer feedback

Page 6


Elaboration: Phase I Pilot

Potential Challenges:
- Unwieldy build integration
- Overwhelming false positive reduction

Tool Deployment Handbook
- Face & overcome issues before development sees the tool:
  - Integration problems
  - Unnecessary 'on by default' rules

Tune, customize rules
- High-confidence, accurate rules for the desktop
- Stage rule packs (over time)
- Leave rules whose findings require savvy for security personnel

Page 7


Subsequent Roll-out, Widespread Adoption

Key to avoiding pushback

Page 8


Implementation

Baseline all applications
- Face integration issues all over again
- Agreement on the rule pack is essential to measurement

Deploy Incentives Program
- Measurement is essential to incentives
- Enforce adoption as a quality gate

Page 9


On-going Maintenance

Goals:
- Scale 'whitebox' code analysis
- Automate checking against corporate security coding standards
- Enable developers to test powerfully

Page 10


Roles and Responsibilities

Essential Roles (by priority)

1. Tool Shepherd: 1 FTE, 1+ over time
2. Deployment Manager: 1/2 FTE
3. Rules Maven: 1 FTE, later

All report into the Application Security Group.

Appoint Tool Shepherds in B.U.s if:
- Build environment differs dramatically
- B.U. remains very autonomous

Rules Maven: a longer-term, lower-priority hire

Page 11


Tool Shepherd
- Allows self-sufficiency w/o Fortify Sales Engineer
- Tackles the 'other 20%' of integration issues in teams
- Finishes elaboration and drives implementation

1st year tasks:
- Integration handbook (HOWTO)
- F.A.Q. for build failures
- Results interpretation heuristics: "blacklist", other
- Cull results, participate in determining rule pack constituency

Page 12


Deployment Manager
- Delegates the Shepherd's time into teams
- Brokers decisions about rule pack configurations

Security Analyst configuration - Kitchen Sink

Build
- New Dev - Accurate kitchen sink
- Maintenance - Reduced rule pack

Desktop
- New Dev - Accurate, very fast, reduced pack
- Maintenance - Very accurate, very fast, very reduced

Measurement & Progress
- Deployment coverage
- Rule accuracy
- Findings rates (density)
- Remediation (rate, LoE, etc.)
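The staged rule packs on this page (and the "tune, customize rules" guidance on Page 6) plus the measurement bullets can be expressed as a small model. The following is an added example, not code from the Cigital deck or from any Fortify configuration: it admits rules to the analyst, build and desktop packs by filtering on per-rule precision, run-time cost and whether a finding needs security expertise to interpret, then computes deployment coverage, rule accuracy, findings density, remediation rate and level of effort over a constructed portfolio baseline. All rule names, tier thresholds and numbers are assumptions built for the example.

```python
"""Rule-pack tiering and roll-out metrics for a static analysis deployment.
Added example (not from the Cigital slides). Every rule, threshold and
application figure below is constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    true_positives: int    # findings confirmed as real during triage
    false_positives: int   # findings closed as not-a-bug
    needs_expert: bool     # findings need security savvy to interpret
    cost_ms_per_kloc: int  # analysis time attributable to this rule

    @property
    def precision(self) -> float:
        total = self.true_positives + self.false_positives
        return self.true_positives / total if total else 0.0


# Constructed triage history for six hypothetical rules.
RULES = [
    Rule("sql-injection-taint", 40, 10, False, 150),
    Rule("hardcoded-password", 18, 2, False, 20),
    Rule("xss-reflected", 30, 30, False, 250),
    Rule("weak-crypto-mode", 12, 0, False, 40),
    Rule("race-condition-toctou", 5, 20, True, 150),
    Rule("trust-boundary-violation", 8, 8, True, 120),
]

# Assumed tier policies: the analyst keeps the kitchen sink; each step toward
# the developer desktop demands more precision and less run time, and drops
# rules whose findings are left to security personnel.
TIERS = {
    "analyst":        {"min_precision": 0.0,  "max_cost": None, "allow_expert": True},
    "build-newdev":   {"min_precision": 0.5,  "max_cost": None, "allow_expert": False},
    "build-maint":    {"min_precision": 0.7,  "max_cost": None, "allow_expert": False},
    "desktop-newdev": {"min_precision": 0.7,  "max_cost": 100,  "allow_expert": False},
    "desktop-maint":  {"min_precision": 0.95, "max_cost": 50,   "allow_expert": False},
}


def select_rules(rules, tier):
    """Names of the rules admitted to the given tier's pack."""
    p = TIERS[tier]
    pack = []
    for r in rules:
        if r.needs_expert and not p["allow_expert"]:
            continue
        if r.precision < p["min_precision"]:
            continue
        if p["max_cost"] is not None and r.cost_ms_per_kloc > p["max_cost"]:
            continue
        pack.append(r.name)
    return pack


def pack_accuracy(rules, pack):
    """Rule accuracy of a pack: confirmed findings over all findings it raised."""
    chosen = [r for r in rules if r.name in pack]
    tp = sum(r.true_positives for r in chosen)
    fp = sum(r.false_positives for r in chosen)
    return tp / (tp + fp) if tp + fp else 0.0


@dataclass(frozen=True)
class AppScan:
    app: str
    kloc: int
    scanned: bool               # has the agreed rule pack been run on it?
    findings: int = 0           # findings raised by the agreed pack
    confirmed: int = 0          # findings triaged as real
    remediated: int = 0         # confirmed findings fixed so far
    effort_hours: float = 0.0   # engineering time spent fixing them


# Constructed portfolio baseline (one application not yet integrated).
SCANS = [
    AppScan("payments", 120, True, findings=60, confirmed=45, remediated=30, effort_hours=90),
    AppScan("hr-portal", 40, True, findings=20, confirmed=15, remediated=15, effort_hours=30),
    AppScan("legacy-batch", 200, False),
    AppScan("mobile-api", 40, True, findings=20, confirmed=20, remediated=15, effort_hours=30),
]


def deployment_coverage(scans):
    return sum(1 for s in scans if s.scanned) / len(scans)


def findings_density(scans):
    """Findings per KLoC across the applications actually scanned."""
    done = [s for s in scans if s.scanned]
    return sum(s.findings for s in done) / sum(s.kloc for s in done)


def remediation_rate(scans):
    confirmed = sum(s.confirmed for s in scans)
    return sum(s.remediated for s in scans) / confirmed if confirmed else 0.0


def remediation_loe(scans):
    """Average engineering hours per remediated finding."""
    fixed = sum(s.remediated for s in scans)
    return sum(s.effort_hours for s in scans) / fixed if fixed else 0.0


def passes_quality_gate(scan, max_open_per_kloc=0.1):
    """Adoption gate (assumed threshold): the app must be scanned and its
    open confirmed findings per KLoC must not exceed the limit."""
    if not scan.scanned:
        return False
    return (scan.confirmed - scan.remediated) / scan.kloc <= max_open_per_kloc


if __name__ == "__main__":
    for tier in TIERS:
        pack = select_rules(RULES, tier)
        print(f"{tier:15} {len(pack)} rules, accuracy {pack_accuracy(RULES, pack):.2f}: {pack}")
    print("coverage", deployment_coverage(SCANS), "density", findings_density(SCANS), "/KLoC")
    print("remediation rate", remediation_rate(SCANS), "LoE", remediation_loe(SCANS), "h/finding")
    for s in SCANS:
        print(s.app, "gate:", "pass" if passes_quality_gate(s) else "fail")
```

With these constructed inputs the packs shrink monotonically from six rules for the analyst to a single rule on the maintenance desktop, which is the "very accurate, very fast, very reduced" profile the slide describes; the gate fails the unscanned application outright, so coverage and the quality gate reinforce each other as the deck's incentives program intends.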

Page 13


Rules Maven
- Does not exist, must be grown
- Can wait for a year to begin
- True Subject Matter Expert (SME)
- Creates vulnerability patterns from:
  - Incidence
  - Assurance work
  - Industry best practices
  - Threat model
- Generates rule test cases