Onboard security in software companies (软件企业的安全之道)
Wenjun Wang (王文君), Hewlett Packard Enterprise software security lead

Self introduction
- Hewlett Packard Enterprise software security lead, responsible for BU security with $1B revenue
- 10+ years in enterprise software, then security
- CSSLP & CISSP
- Co-author of "Web应用安全威胁与防治"

Vulnerabilities
- (The vulnerability examples on this slide are taken from WooYun, 乌云网)

The current state (slide titles)
- Adhoc solution
- What should be done
- The fact
- Cost to fix these issues
- RnD's voice to security: revenue driven; legacy; "I'm a developer"; security scanner
- RnD's impression of security guys
- RnD's expectation of security guys
- Security guys' challenge: product team vs. security architect

Security as a quick start

1. Create a security bug type
   Security bug fields: severity; impact; released version
   Risk rating by DREAD: damage, reproducibility, exploitability, affected users, discoverability
   Verify success: the bug meets the release criteria; a mitigation is provided

2. Security user story
   User story: agile; attacker view
   Verify success: in the backlog; test cases exist
   "As an [operator], I want to [do something] so that I can [derive a benefit]"
   "As an [attacker], I want to [do something] so that I can [damage the system]"

3. Security dashboard
   Dashboard: aggregation; drill down
   Verify success: stakeholders are aware; business decisions are made on it

So evolve: from adhoc solution, to low hanging fruit, to an onboard security program

Security awareness training
- Diversity of audience: management; dev; QA
- Options: instructor based; web based; event

Security release criteria
- Risk rating: DREAD; CVSS3
- Criteria: threshold; business balance

Threat modeling and security design review
- Threat: threat list; refresh the list
- Review: security pattern; security user story

Security assessment
- Automatic: static; dynamic
- Manual: check list; pen test

Risk response
- Pre-event: 3rd party lib scan; subscription (to vulnerability feeds)
- Post-event: action plan; risk tracker

Apply what you learnt today: 3 days, 3 weeks, 3 months
- Know the security methodology in this document
- Handle the low hanging fruit in your company
- Start onboarding a security program
2016 - Onboard security in software companies (软件企业的安全之道)
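The three "quick start" items (a security bug type with DREAD fields, a threshold-based release criterion, and a dashboard that aggregates and drills down) fit together as one small workflow. The following Python is an added example written for this page, not code from the talk or from Hewlett Packard Enterprise; the severity bands, the 6.0 threshold, and the SEC-1xx sample bugs are assumptions constructed for illustration.

```python
"""Worked example: a security bug type with DREAD fields, a release gate
driven by a risk threshold, and a dashboard that aggregates and drills down.
All sample bugs below are constructed for illustration."""
from collections import Counter
from dataclasses import dataclass

# The five DREAD dimensions from the slides, each scored 1..10.
DREAD_DIMENSIONS = ("damage", "reproducibility", "exploitability",
                    "affected_users", "discoverability")

# Severity bands are an assumption for this example, not from the slides.
SEVERITY_BANDS = ((8.0, "critical"), (6.0, "high"), (4.0, "medium"), (0.0, "low"))


@dataclass
class SecurityBug:
    bug_id: str
    title: str
    released_version: str      # shipped version the bug affects
    dread: dict                # dimension -> score 1..10
    mitigated: bool = False    # True once a mitigation is provided

    def dread_score(self) -> float:
        """Average of the five DREAD dimensions; rejects missing or out-of-range scores."""
        total = 0
        for dim in DREAD_DIMENSIONS:
            value = self.dread.get(dim)
            if not isinstance(value, int) or not 1 <= value <= 10:
                raise ValueError(f"{self.bug_id}: {dim} must be an int in 1..10")
            total += value
        return total / len(DREAD_DIMENSIONS)

    def severity(self) -> str:
        """Map the DREAD score onto the (assumed) severity bands."""
        score = self.dread_score()
        for floor, label in SEVERITY_BANDS:
            if score >= floor:
                return label
        return "low"


def release_gate(bugs, threshold=6.0):
    """Release criteria: a bug at or above the risk threshold blocks the
    release unless a mitigation is provided. Returns (ok, blockers)."""
    blockers = [b for b in bugs if b.dread_score() >= threshold and not b.mitigated]
    return len(blockers) == 0, blockers


def dashboard(bugs):
    """Aggregation for stakeholders (counts per severity) plus drill-down
    (bug ids per released version, and open unmitigated ids)."""
    by_version = {}
    for b in bugs:
        by_version.setdefault(b.released_version, []).append(b.bug_id)
    return {
        "by_severity": dict(Counter(b.severity() for b in bugs)),
        "by_version": by_version,
        "open_unmitigated": [b.bug_id for b in bugs if not b.mitigated],
    }


# Constructed sample backlog: ids, titles, versions and scores are made up.
SAMPLE_BUGS = [
    SecurityBug("SEC-101", "SQL injection in login form", "2.3",
                dict(damage=9, reproducibility=10, exploitability=8,
                     affected_users=9, discoverability=9)),
    SecurityBug("SEC-102", "Stack trace leaked in error page", "2.3",
                dict(damage=3, reproducibility=8, exploitability=5,
                     affected_users=4, discoverability=7)),
    SecurityBug("SEC-103", "Session id not rotated after login", "2.2",
                dict(damage=7, reproducibility=6, exploitability=6,
                     affected_users=7, discoverability=5), mitigated=True),
]

if __name__ == "__main__":
    ok, blockers = release_gate(SAMPLE_BUGS)
    print("release ok:", ok, "blockers:", [b.bug_id for b in blockers])
    print(dashboard(SAMPLE_BUGS))
```

With the sample backlog, SEC-101 (score 9.0) is the only blocker because SEC-103 sits above the threshold but already carries a mitigation; the dashboard gives stakeholders the per-severity counts for the business decision and the per-version ids for drill-down. The threshold and bands are where the "business balance" from the release-criteria slide is negotiated.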