Security for Modern Engineering Information Security & Risk Management



Download 132.18 Kb.
Page4/7
Date31.07.2017
Size132.18 Kb.
#25172
1   2   3   4   5   6   7

5Our approach


Our approach to the challenges is itself an agile one in which we are evolving the solution through incremental feedback and updates. We are on this journey to evolve and to enhance how we integrate security with modern engineering and how we enable our engineering teams to succeed. The following are the four core tenets around which we are building our solution:


Figure Four core Tenets

5.1Knowledge management


Having a sound knowledge management process is one of the key aspects of any effective security solution. Underneath any SDL process are the requirements, which we call Technical Control Procedures (TCPs). Defining clear technical requirements for engineering teams is the foundation of an SDL program, and over the years our Control Assessment Library and Methodology (CALM) board has continuously refined our requirements.

5.1.1CALM board


A successful knowledge management solution ensures that there is a governance process to constantly refine and refresh the requirement set. We do this by keeping our TCPs up-to-date through our CALM board. Subject matter experts (SMEs) from across the security teams sit on this board. The CALM board meets monthly and makes updates to specific TCPs so that engineers have the most up-to-date controls. They continuously evolve the library, and they make sure controls are relevant with the changing security landscape.

5.1.2Technical Control Procedures


TCPs are the actionable security controls that engineering teams must implement during the development of applications. TCPs are the minimum bar for security standards that all LOB applications must meet. TCPs are technical or process-oriented and are defined to be agnostic of technology. The following are a few examples of areas these requirements cover:


Figure Areas of Coverage for TCPs
TCPs are built around positive instead of negative attributes and are focused towards engineering teams. We identify what the known positive controls are that a system should implement to be secure. In our taxonomy of a TCP, we define (among other attributes):

  • How to implement Implement the control or safeguard in an application.

  • How to verify Verify the technical control procedure to measure if it is correctly implemented or needs improvement.

  • Why to implement Align to company security standard(s) and policy for compliance measurements.

The following are few example categories from the TCP library and their underlying procedures:



Table TCP Categories

TCPs are the backbone of everything we drive with the engineering teams. The following are areas of the SDL to which TCPs are integral:



  • Core guidance to our development engineers

TCPs are the avenue by which we deliver core guidance to our engineers about how controls must be implemented and about their applicability. TCPs are the super set of security controls, and we hold our engineering teams accountable to them through the SDL process.

  • Security control assessment criteria

When an application is selected for a security assessment, all the applicable TCPs based on the context of the application are tested and verified for correct implementation. Any identified failures result in risk findings for the engineering teams to fix.

  • Tool evaluation

Security tools evaluations are fundamentally focused around which TCPs the tools will help automate (either for detection, correction, or both). This mapping to TCPs not only allows us to optimize our manual process, but also helps reveal where we have adequate tool coverage.

  • Compliance alignment to company security policy

TCPs must be aligned to the company’s standards and security policy. This provides the rationale behind “Why.” Alignment helps business and risk stakeholders determine the risk in omitting the implementation of TCPs. The alignment function’s biggest payoff is simplifying the engineering team’s interaction with standards. For example, multiple standards may have a requirement for encryption, and the TCPs allow us to combine each of those requirements into a single actionable control for the engineering team.


Figure Alignment to company policy

5.1.2.1TCP maintenance


As described earlier, TCPs are maintained by our CALM board and are authored in a technology agnostic fashion. We review our full set at least quarterly – and also the methodology by which the assessment occurs – and if we have carefully defined them, there should be few changes. For example, TCPs that define requirements for input validation should rarely change. However, when it comes to implementation details that are technology-specific, such as implementing security controls in Azure, we update the implementation guidance that supports the given TCP more often. Because this implementation guidance can change more often, we needed to find a method to address areas in which engineers have frequent questions. The need is also amplified by the fact that development platforms such as .NET and Azure are updating more frequently. To keep up with such a pace, we are experimenting with the concept of a “guidance factory.”

5.1.3Guidance factory


To keep pace with modern engineering, the old form of "guidance documents" just aren't as efficient. We don't have the luxury to spend several months (or even weeks) to publish an essay about "Writing secure code for [fill in your platform here]." TCPs are the next step and provide an excellent minimum bar, but sometimes, engineers need bite-sized snacks of guidance. We created a guidance factory where we could take requests on demand and turn them around into bite-sized chunks in a timely fashion.

We started piloting a guidance factory approach in 2015. In this pilot, an analyst posts quick guidance in response to questions from the engineering team to a SharePoint site. We leveraged that site as a key input to our TCP maintenance process and continue to evolve them over time. With this agile approach, engineers receive up-to-date guidance that delves deeper than our currently published TCPs in a timely fashion, and in the long term we leverage the guidance produced into the TCPs.




Download 132.18 Kb.

Share with your friends:
1   2   3   4   5   6   7




The database is protected by copyright ©ininet.org 2024
send message

    Main page