Secure Software Development

Dr. Asankhaya SharmaSIT

May 1, 2023 2

May 1, 2023 3

• Consider security throughout the software development lifecycle– Requirements– Design– Implementation– Testing– Deployment

May 1, 2023 4

Requirements

• Identify sensitive data and resources• Define security requirements for them– Confidentiality– Integrity– Availability

• Consider threats and abuse cases that violate these requirements

May 1, 2023 5

Application Specific• Abuse/Misuse

Cases• Threat Models• Attacks• Assets

Generic• Common Best

Practices• Legal• IT• Development

Architectural Risk Analysis• Underlying

Framework• Ambiguity Analysis• Fundamental

Weakness

Attack Patterns• Historical Risks• Vulnerabilities

May 1, 2023 6

Design

• Apply principles for secure software design– Prevent, mitigate and detect possible attacks

• Security principles– Favor Simplicity– Trust with Reluctance– Defend in Depth

May 1, 2023 7

May 1, 2023 8

Implementation

• Apply coding rules that implement secure design

• Use automated code review techniques to find potential vulnerabilities components– Static Analysis– Symbolic execution

May 1, 2023 9

May 1, 2023 10

Testing

• Penetration Testing to find potential flaws in the real system– Fuzz testing• Employ attack patterns

May 1, 2023 11

Different methodologies

• BSIMM (Building Security In – Maturity Model)– http://bsimm.com

• Microsoft Security Development Lifecycle– https://www.microsoft.com/en-us/sdl/

• OpenSAMM Software Assurance Maturity Model– http://opensamm.org

May 1, 2023 12

May 1, 2023 13

Continuous Delivery of Software

May 1, 2023 14

May 1, 2023 15

Continuous Security

• Requires security automation• Integrate into CD environment and tools– Source code management systems• GitHub, Bitbucket etc.

– Build systems• Travis CI, Jenkins etc.

• Audit third party component and open-source library usage

May 1, 2023 16

Takeaways

• Security practices should be built in during the software development process

• Continuous delivery needs continuous security

May 1, 2023 17

Thanks!

• Questions?• Contact– @asankhaya

Secure Software Development

Software

A Model for Integrating Information Security into the …SD3: Secure by Design, Secure by Default, Secure by Deployment SDLC: Software Development Life Cycle SecSDM: Secure Software

CSCE 201 Secure Software Development Best Practices

A Systematic Literature Review on Secure Software Development

Secure Software Development Life Cycle Processes - Defense

Secure Software Development

Secure Software Development Life Cycle Processes: A ... · processes, standards, life cycle models, frameworks, and methodologies that support or could support secure software development

Security Management April 8, 2008 Managing Secure System/Software Development Models/Methods Managing Secure System/Software Development Models/Methods

The Application of a New Secure Software Development Life

Secure Software Development Life Cycle Processes: A Technology

Secure Software Development Models/Methods …IS 2620: Developing Secure Systems Secure Software Development Models/Methods Lecture 1 Sept 6, 2018 James Joshi Professor School of Computing

CSCE 548 Secure Software Development Security Use Cases

Fundamental Practices for Secure Software Development: A Guide

Secure Software Development Framework (SSDF) Version 1.1

Secure Software Development Chris Herrick 01/29/2007

Secure software development strategy essentials...Secure software development strategy essentials — 5 Education and training regarding the dangers of public networks, as well as

Secure Software DevelopmentSecure Software Development ...Secure Software DevelopmentSecure Software Development Models/Methods Lecture 1 Aug 27, 2014 ... Leveraging software engineering

Secure Software Workforce Development: Panel Discussion · Secure Software Workforce Development Panel Discussion March 20–23, 2017 Software Solutions Symposium 2017 CICESS Value

CSCE 548 Secure Software Development Test 1 Review

Secure Software Development - Sonntag · 2009. 8. 13. · © Michael Sonntag 2009 Secure Software Development Security and Privacy Budapest 2009 Institute for Information Processing

CSCE 522 Secure Software Development Best Practices