Adopting Open SAMM for Developing Software Security Governance

Ministry of Communication and Informatics (Kementerian Komunikasi dan Informatika): SOFTWARE SECURITY GOVERNANCE

Uploaded by: directorate-of-information-security-ditjen-aptika

Posted on 29-Nov-2014


DESCRIPTION

Introduction to Open SAMM by Ivano Aviandi (CEO of Cybertech Solusindo, lecturer, information security practitioner), presented at the Public Discussion on Software Security Governance, Hotel Sahid Jaya, Jakarta, 7 November 2013

TRANSCRIPT

Page 1: Adopting Open SAMM for Developing Software Security Governance

Ministry of Communication and Informatics (Kementerian Komunikasi dan Informatika)

SOFTWARE SECURITY GOVERNANCE

Page 2

CONFIDENTIAL

Information Security

Page 3

Introduction

Page 4

Introduction

Page 5

Introduction

Page 6

Introduction

Security Guideline

Page 7

Open SAMM: Secure Software Development

Governance
• Strategy & Metrics
• Policy and Compliance
• Education and Guidance

Construction
• Threat Assessment
• Security Requirements
• Secure Architecture

Verification
• Design Review
• Code Review
• Security Testing

Deployment
• Vulnerability Management
• Environment Hardening
• Operational Enablement

Page 8

Information Security Institute

Requirement
• Security Requirement
• Setting up Phase Gates
• Risk Assessment

Design
• Identify Design Sec. Req.
• Arch and Design Review
• Threat Modeling

Coding
• Coding Best Practice
• Perform Static Analysis

Testing
• Vulnerability Assessment
• Fuzzing

Deployment
• Srv. Configuration Review
• Net. Configuration Review

Page 9

FoundStone - McAfee
• Requirement
• Design
• Implementation
• Verification
• Release
• Support and Services

SANS Institute
• Analysis and Design
• Develop
• Testing and Implementation
• Deployment

Page 10

How About? Secure Software Development

Governance
• Strategy & Metrics
• Policy and Compliance
• Education and Guidance

Construction
• Threat Assessment
• Security Requirements
• Secure Architecture

Verification
• Design Review
• Code Review
• Security Testing

Deployment
• Vulnerability Management
• Environment Hardening
• Operational Enablement

Implementation
• Coding w/ Best Practice Guidance

Page 11

Implementation

Account Security Mechanism
• Username & Password Quality
• Account and Password Ages Policy
• Lock Account Policy
• Lockout Duration
• Transmission Process

Session Management
• Session Termination
• Cookies Management
• Dynamic Token
• Multiple Session

Input & Output Based Handling
• Input Validation
• Display Error
• File Validation
• Meta Character Filtering

Page 12

Sample Case

Page 13

Man in the Middle Attack


Page 14

Man in the Middle Attack

Construction
• Threat Assessment
• Security Requirement
• Security Architecture

Implementation
• Account Security Mechanism
• Session Management

Page 15

Thank You

Q and A