Information Security In Pakistan
& Software Security As A Quality Aspect
Nahil Mahmood, Chairman,
Pakistan Cyber Security Association (PCSA)
Software Quality
[Includes Security]
LET'S OWN SECURITY!
Agenda
What is the global extent of the cybercrime market?
Where does Pakistan stand?
Information & Software Security – Challenges in PK
The Solution – Software Security Transformation
Software Security Benchmarks & Standards
Extent of Cybercrime &
Cybercrime As A Service
Research-as-a-service
Crimeware-as-a-service
Cybercrime-infrastructure-as-a-service
Hacking-as-a-service
Where does Pakistan stand?
Legal
Technical
Organizational
Capacity building
Cooperation
Global Cybersecurity Index & Wellness Profile
Asia Pacific Region
South Asia Comparison
As per Microsoft report:
https://info.microsoft.com/rs/157-GQE-382/images/EN-MSFT-SCRTY-CNTNT-eBook-cybersecurity.pdf
Global Infection Heatmap
https://info.microsoft.com/rs/157-GQE-382/images/EN-MSFT-SCRTY-CNTNT-eBook-cybersecurity.pdf
Information & Software Security Challenges in Pakistan
Cyber Security Survey Results (10 respondents; each row counts Yes and No answers)

Survey Question | Yes | No
Formal information security policy signed off by Board/Steering Committee? | 7 | 3
Separate department for Information Security with a Head of InfoSec / CISO? | 6 | 4
Internal vulnerability management (VM) program and appropriate tools for VM? | 3 | 7
Independent security assessment by a 3rd party in the last 6 months? | 1 | 9
Penetration testing by a 3rd party in the last 6 months? | 3 | 7
Security hardening benchmark such as CIS/DISA/OWASP for IT asset hardening? | 1 | 9
Security awareness program and testing mechanism for IT staff? | 2 | 8
Implemented global security framework such as ISO 27001:2013 or PCI? | 1 | 9
Cooperative culture among departments such as IT/Risk/InfoSec/Audit/Compliance? | 1 | 9
Process-oriented culture for IT and Information Security? | 2 | 8
Formal process for the InfoSec team to conduct security accreditation? | 4 | 6
For in-house software development, is security well embedded in the SDLC? | 2 | 8
Organization demonstrates management commitment? | 2 | 8
InfoSec staff is at least 15-20% of IT staff? | 1 | 9
Formal incident management and change management process? | 2 | 8

AVERAGE SCORE = 2.5/10
Information Security: Ground Realities
IT
InfoSec
Compliance
Risk
Audit
IT Challenges Summary
IT is complex and difficult to manage
IT under pressure from business groups
Lack of sufficient (competent) resources
Lack of process culture
IT IS CLEARLY NOT ALIGNED TO PERFORM DILIGENT SECURITY WORK
Information Security Challenges
Silos and lack of coherent Information Security ownership
Lot of time and energy wasted in traversing departmental boundaries
Information Security is tough work – enabling environment missing
Fundamental security hardening of IT assets (including software) “in the trenches” is glaringly absent
Industry Characteristics
Wavering management commitment
“Superficial dressing” security
Reactive to regulator, audit/compliance, or international customer mandate
Security hardening remains largely “untouched”
Industry in denial
Security
Network
Systems (OS)
DB
Application
Physical
Mobile
The Solution – Software Security Transformation
Building-In Security Into The SDLC
Design Flaws
1. Educate personnel on software security
Source: https://www.synopsys.com/blogs/software-security/infuse-security-into-your-software-development-life-cycle/
SDLC Phase: Requirements Gathering
TRAINING
2. Formally assign responsibility for software security
SDLC Phase: Requirements Gathering
SOFTWARE SECURITY GROUP (SSG)
3. Perform security-focused requirements gathering
SDLC Phase: Requirements Gathering
-ABUSE CASES
-INITIAL RISK ANALYSIS
Abuse Cases
4. Establish comprehensive risk management process
SDLC Phase: Requirements Gathering
-IDENTIFY MAJOR RISKS & EXECUTE A MITIGATION PLAN
-ENSURE PROPER SECURITY DESIGN
5. Perform architecture reviews & threat modelling
SDLC Phase: Design
ARCHITECTURE RISK ANALYSIS
1. Analyzing fundamental design principles
2. Assessing the attack surface
3. Enumerating various threat agents
4. Identifying weaknesses and gaps in security controls
6. Carry out code reviews during implementation
SDLC Phase: Implementation
-ABUSE & MISUSE CASES
-INITIAL RISK ANALYSIS
7. Execute test plans and perform penetration tests
SDLC Phase: Verification
-Malformed input handling
-Business logic flaws
-Authentication/authorization bypass attempts
-Overall security posture
8. Deploy software product
SDLC Phase: Deployment/Maintenance
-Deployment plan
-Change management plan
-Roll-back plan
-DR & IR plans
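The eight steps above read as a process, but the point where they become concrete for a developer is steps 3 and 7: the abuse cases recorded during requirements gathering turn into automated checks that run in verification alongside the functional tests, which is also the "QA+Security quality gate" the conclusion asks for. The following Python module is an added illustration, not code from this deck or from Synopsys. The Ledger service, its accounts and the abuse cases are all constructed for the example; each abuse case names the malformed input, business-logic or authorization-bypass attempt it represents and the rejection the hardened handler must produce, and the gate fails if any abuse is not rejected or leaves a balance changed.

```python
"""Abuse cases as an automated security quality gate (added example).

The service, accounts and abuse cases below are constructed for
illustration; nothing here comes from the deck or from Synopsys.
"""
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation


class TransferError(Exception):
    """Raised when a transfer is rejected; the message is safe to show a user."""


@dataclass
class Ledger:
    # Constructed sample data: account id -> [owner, balance]
    accounts: dict = field(default_factory=lambda: {
        "acc-1": ["alice", Decimal("100.00")],
        "acc-2": ["bob", Decimal("50.00")],
    })

    def transfer(self, actor: str, src: str, dst: str, amount) -> Decimal:
        """Move money between accounts and return the new source balance.

        Hardened handler: each check corresponds to one recorded abuse case.
        """
        # Malformed input: amount must parse as a positive value with at most 2 decimals
        try:
            amt = Decimal(str(amount))
        except (InvalidOperation, ValueError):
            raise TransferError("invalid amount")
        if amt <= 0 or amt != amt.quantize(Decimal("0.01")):
            raise TransferError("invalid amount")
        # Unknown accounts are rejected before any ownership check
        if src not in self.accounts or dst not in self.accounts:
            raise TransferError("unknown account")
        # Authorization: the actor must own the source account
        if self.accounts[src][0] != actor:
            raise TransferError("not authorized")
        # Business logic: self-transfers and overdrafts are rejected
        if src == dst:
            raise TransferError("source and destination must differ")
        if self.accounts[src][1] < amt:
            raise TransferError("insufficient funds")
        self.accounts[src][1] -= amt
        self.accounts[dst][1] += amt
        return self.accounts[src][1]


# Constructed abuse cases, in the form the requirements phase would record them:
# id, description, the call a misuser would make, the rejection expected.
ABUSE_CASES = [
    ("AC-01", "negative amount reverses the transfer direction",
     ("alice", "acc-1", "acc-2", "-10"), "invalid amount"),
    ("AC-02", "non-numeric amount reaches the arithmetic",
     ("alice", "acc-1", "acc-2", "10; drop"), "invalid amount"),
    ("AC-03", "sub-cent amount exploits rounding",
     ("alice", "acc-1", "acc-2", "0.001"), "invalid amount"),
    ("AC-04", "actor moves money out of an account they do not own",
     ("mallory", "acc-1", "acc-2", "10"), "not authorized"),
    ("AC-05", "overdraft beyond the balance",
     ("alice", "acc-1", "acc-2", "1000"), "insufficient funds"),
    ("AC-06", "transfer to self to inflate the balance",
     ("alice", "acc-1", "acc-1", "10"), "source and destination must differ"),
]


def run_quality_gate(cases=ABUSE_CASES):
    """Run every abuse case against a fresh ledger.

    Returns (passed, failures): failures lists the ids of cases whose abuse
    was not rejected with the expected message, or that changed a balance.
    A False result should fail the build exactly like a failing functional test.
    """
    failures = []
    for case_id, _desc, args, expected in cases:
        ledger = Ledger()
        before = {k: v[1] for k, v in ledger.accounts.items()}
        try:
            ledger.transfer(*args)
            failures.append(case_id)  # the abuse succeeded: gate fails
            continue
        except TransferError as exc:
            if str(exc) != expected:
                failures.append(case_id)
        # A rejected abuse must leave every balance untouched
        if {k: v[1] for k, v in ledger.accounts.items()} != before:
            failures.append(case_id)
    return (not failures, failures)


if __name__ == "__main__":
    ok, failed = run_quality_gate()
    print("quality gate", "PASSED" if ok else f"FAILED: {failed}")
```

Keeping the abuse cases as data rather than scattered test bodies means the list written in requirements gathering is the same artifact the verification phase executes, and a reviewer in the code-review step can check that every recorded case has a matching guard in the handler.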
Software Security Benchmarks & Standards
OWASP Source Code Flaws – Top 10
OWASP PROJECTS
32 WORKING GROUPS
SECURITY, TRUST & ASSURANCE REGISTRY (STAR)
CSA STAR is the industry’s most powerful program for security assurance in the cloud. STAR encompasses key principles of transparency, rigorous auditing and harmonization of standards, with continuous monitoring also available in late 2015. STAR certification provides multiple benefits, including indications of best practices and validation of the security posture of cloud offerings.
CLOUD CONTROLS MATRIX (CCM)
Other Security Benchmarks & Standards
Conclusion
Security implementation is generally weak in Pakistan’s IT sector
Security is hard work, and requires cooperation from all stakeholders
Security should be linked with annual performance appraisals for best results
For software security, build security into all phases of the secure SDLC
QA departments must offer an integrated QA+Security quality gate for developers
The software security ecosystem must be addressed by improving software security awareness and training in universities and industry
Role of Pakistan Cyber Security Association (PCSA)
Software Quality
[Includes Security]
LET'S OWN SECURITY!