{"id":62,"date":"2014-11-06T18:44:34","date_gmt":"2014-11-06T18:44:34","guid":{"rendered":"https:\/\/softwaresecurityconsulting.com\/?p=62"},"modified":"2014-11-07T17:53:46","modified_gmt":"2014-11-07T17:53:46","slug":"adventures-code","status":"publish","type":"post","link":"https:\/\/softwaresecurityconsulting.com\/?p=62","title":{"rendered":"Adventures in Code"},"content":{"rendered":"<p><a href=\"https:\/\/softwaresecurityconsulting.com\/wp-content\/uploads\/2014\/11\/SanFrancisco.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-full wp-image-63\" src=\"https:\/\/softwaresecurityconsulting.com\/wp-content\/uploads\/2014\/11\/SanFrancisco.png\" alt=\"SanFrancisco\" width=\"1560\" height=\"296\" srcset=\"https:\/\/softwaresecurityconsulting.com\/wp-content\/uploads\/2014\/11\/SanFrancisco.png 1560w, https:\/\/softwaresecurityconsulting.com\/wp-content\/uploads\/2014\/11\/SanFrancisco-300x56.png 300w, https:\/\/softwaresecurityconsulting.com\/wp-content\/uploads\/2014\/11\/SanFrancisco-1024x194.png 1024w, https:\/\/softwaresecurityconsulting.com\/wp-content\/uploads\/2014\/11\/SanFrancisco-624x118.png 624w\" sizes=\"auto, (max-width: 1560px) 100vw, 1560px\" \/><\/a><\/p>\n<p style=\"text-align: center;\"><strong>Adventures in Code<\/strong><\/p>\n<p>As cyber-professionals we are tasked with being the protectors of software and infrastructure on the Internet. We protect ourselves from unknown adversaries. We place devices and services to monitor and filter our experience and to protect us.<\/p>\n<p>Our continued effort has strengthened the armor of our networks, but we also need to observe our software. We need insight into the level of security practice observed in our software development lifecycles &#8211; right where the software is made. A root-cause security issue can often start with the code.<\/p>\n<p>Code tells our machines what to do. It runs our social, our public, our business, and our private lives. 
We display our social lives through Facebook, Twitter, and Instagram. Life in general produces so many public documents that they are just a click away, and our private and business lives are absorbed into activities on the Web, Mobile, and Cloud.<\/p>\n<p>Our software runs in hostile environments. The introduction of Mobile and Cloud architectural changes over the last few years has reinforced the need for software to be protected at its source. Countless studies have shown that it is a strong strategic move to address the security gaps found at this point of the software lifecycle.<\/p>\n<p style=\"text-align: center;\"><strong>So, we always Move Left.<\/strong><\/p>\n<p>So the rule is: \u201cWe need to protect our software at its source and move left.&#8221;<\/p>\n<p><strong>Move Left<\/strong> is a movement to protect software holistically along the lifecycle by addressing security practices and managing risk. All areas are reviewed, and domains and security practices are matured, even down to where the code is composed, by moving left. The long-term strategy is to mature practices by tactically refreshing SDLC security practices along the lifecycle.<\/p>\n<p>A non-standard SDLC is not necessarily bad, but it will need to be reviewed on its merits for its security practices.<\/p>\n<p>Education, architecture, code, data in flow and at rest, and testing all have structure and can be understood.<\/p>\n<p>The practical point to observe here is that a well-rounded software security program helps protect the software.<\/p>\n<p>Metrics give you the ability to compare and contrast, measuring your efforts against yourself, against other organizations, and against your industry and sector (ISV, Retail, ...). 
This provides insight into the gaps in your software security initiative.<\/p>\n<p style=\"text-align: center;\"><strong>Security minimums<\/strong><\/p>\n<p>Security minimums (training, architectural analysis, code review, penetration testing, and privacy) are the standard starting point for any effort: [T1.1] [AA1.1] [CR1.4] [PT1.1] [CP1.2]<\/p>\n<p style=\"text-align: center;\">Review: http:\/\/bsimm.com\/download\/BSIMM-V.pdf<\/p>\n<p>The unsettling reality is that a lot of attacks are carried out as a &#8216;matter of convenience&#8217;. Absent security practices leave holes in software. Convenience attacks are simple attacks that allow entry into the privacy, data, and systems of others.<\/p>\n<p>There is a set of common key areas that are practiced throughout the industry. Not all SDLCs and programs will look exactly alike, but a good security program is baked throughout the SDLC with a Move-Left mindset by maturing the security practices iteratively.<\/p>\n<p>Simply put, good security is baked into the environment. Solid software security practices are observed and incorporated into the level and skill of the team. Adopted security practices will mature the team and their lifecycle by reducing a root-cause issue: the code.<\/p>\n<p style=\"text-align: center;\"><strong>Industry Common Areas:<\/strong><\/p>\n<p>[SM1.4] &#8211; What SDLC is being used and what gates are enforced?<br \/>\n[AM1.2] &#8211; Create a data classification scheme and inventory. 
Prioritize applications by data consumed and data manipulated.<br \/>\n[AA1.1] &#8211; Perform a security feature review and get started with Architectural Analysis.<br \/>\n[PT1.1] &#8211; Use penetration testers to find problems.<br \/>\n[CP1.2] &#8211; Identify PII obligations and promote privacy.<br \/>\n[SFD1.1] &#8211; Build and track a common library of security features for re-use.<br \/>\n[CR1.4] &#8211; Use manual code review alongside automation. Use automated tools to drive efficiency and consistency.<br \/>\n[SE1.2] &#8211; Host and network security basics are in place.<br \/>\n[T1.1] &#8211; Provide security awareness training. Promote a culture of security throughout the organization.<br \/>\n[SR1.1] &#8211; Create security standards.<br \/>\n[ST1.3] &#8211; Drive tests with security requirements and security features.<br \/>\n[CMVM1.2] &#8211; Use operations data to change development behavior.<\/p>\n<p style=\"text-align: center;\">Review: http:\/\/bsimm.com\/download\/BSIMM-V.pdf<\/p>\n","protected":false},"excerpt":{"rendered":"<p>&nbsp; &nbsp;Adventures in Code As a cyber-professional we are tasked with being protectors of software and infrastructure on the Internet. We protect ourselves from unknown adversaries. We place devices and services to monitor and filter our experience and to protect us. 
Our continued effort has strengthened the armor of our networks but we need to [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":63,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"image","meta":{"footnotes":""},"categories":[7],"tags":[],"class_list":["post-62","post","type-post","status-publish","format-image","has-post-thumbnail","hentry","category-security-lab","post_format-post-format-image"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v19.7.1 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Adventures in Code - Software Security Consulting<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/softwaresecurityconsulting.com\/?p=62\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Adventures in Code - Software Security Consulting\" \/>\n<meta property=\"og:description\" content=\"&nbsp; &nbsp;Adventures in Code As a cyber-professional we are tasked with being protectors of software and infrastructure on the Internet. We protect ourselves from unknown adversaries. We place devices and services to monitor and filter our experience and to protect us. 
Our continued effort has strengthened the armor of our networks but we need to [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/softwaresecurityconsulting.com\/?p=62\" \/>\n<meta property=\"og:site_name\" content=\"Software Security Consulting\" \/>\n<meta property=\"article:published_time\" content=\"2014-11-06T18:44:34+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2014-11-07T17:53:46+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/softwaresecurityconsulting.com\/wp-content\/uploads\/2014\/11\/SanFrancisco.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1560\" \/>\n\t<meta property=\"og:image:height\" content=\"296\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"lucidmonk\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"lucidmonk\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/softwaresecurityconsulting.com\/?p=62\",\"url\":\"https:\/\/softwaresecurityconsulting.com\/?p=62\",\"name\":\"Adventures in Code - Software Security 
Consulting\",\"isPartOf\":{\"@id\":\"https:\/\/softwaresecurityconsulting.com\/#website\"},\"datePublished\":\"2014-11-06T18:44:34+00:00\",\"dateModified\":\"2014-11-07T17:53:46+00:00\",\"author\":{\"@id\":\"https:\/\/softwaresecurityconsulting.com\/#\/schema\/person\/0dfdc11a3e348fb376fa2e2c5d0f10b9\"},\"breadcrumb\":{\"@id\":\"https:\/\/softwaresecurityconsulting.com\/?p=62#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/softwaresecurityconsulting.com\/?p=62\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/softwaresecurityconsulting.com\/?p=62#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/softwaresecurityconsulting.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Adventures in Code\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/softwaresecurityconsulting.com\/#website\",\"url\":\"https:\/\/softwaresecurityconsulting.com\/\",\"name\":\"Software Security Consulting\",\"description\":\"It&#039;s better to learn wisdom late, than never learn it at all.\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/softwaresecurityconsulting.com\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/softwaresecurityconsulting.com\/#\/schema\/person\/0dfdc11a3e348fb376fa2e2c5d0f10b9\",\"name\":\"lucidmonk\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/softwaresecurityconsulting.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/1d28454298361d57be31f2e919e9bd3c21f8686aa0651cefb33fbdcd403ff177?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/1d28454298361d57be31f2e919e9bd3c21f8686aa0651cefb33fbdcd403ff177?s=96&d=mm&r=g\",\"caption\":\"lucidmonk\"},\"url\":\"https:\/\/softwaresecurityconsulting.com\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->"}