17
Secure Software Development Dr. Asankhaya Sharma SIT

Secure Software Development

Embed Size (px)

Citation preview

Page 1: Secure Software Development

Secure Software Development

Dr. Asankhaya SharmaSIT

Page 2: Secure Software Development

May 1, 2023 2

Page 3: Secure Software Development

May 1, 2023 3

Secure Software Development

• Consider security throughout the software development lifecycle– Requirements– Design– Implementation– Testing– Deployment

Page 4: Secure Software Development

May 1, 2023 4

Requirements

• Identify sensitive data and resources• Define security requirements for them– Confidentiality– Integrity– Availability

• Consider threats and abuse cases that violate these requirements

Page 5: Secure Software Development

May 1, 2023 5

Application Specific• Abuse/Misuse

Cases• Threat Models• Attacks• Assets

Generic• Common Best

Practices• Legal• IT• Development

Architectural Risk Analysis• Underlying

Framework• Ambiguity Analysis• Fundamental

Weakness

Attack Patterns• Historical Risks• Vulnerabilities

Page 6: Secure Software Development

May 1, 2023 6

Design

• Apply principles for secure software design– Prevent, mitigate and detect possible attacks

• Security principles– Favor Simplicity– Trust with Reluctance– Defend in Depth

Page 7: Secure Software Development

May 1, 2023 7

Page 8: Secure Software Development

May 1, 2023 8

Implementation

• Apply coding rules that implement secure design

• Use automated code review techniques to find potential vulnerabilities components– Static Analysis– Symbolic execution

Page 9: Secure Software Development

May 1, 2023 9

Page 10: Secure Software Development

May 1, 2023 10

Testing

• Penetration Testing to find potential flaws in the real system– Fuzz testing• Employ attack patterns

Page 11: Secure Software Development

May 1, 2023 11

Different methodologies

• BSIMM (Building Security In – Maturity Model)– http://bsimm.com

• Microsoft Security Development Lifecycle– https://www.microsoft.com/en-us/sdl/

• OpenSAMM Software Assurance Maturity Model– http://opensamm.org

http://bsimm.com/
https://www.microsoft.com/en-us/sdl/
https://www.microsoft.com/en-us/sdl/
http://opensamm.org/
Page 12: Secure Software Development

May 1, 2023 12

Page 13: Secure Software Development

May 1, 2023 13

Continuous Delivery of Software

Page 14: Secure Software Development

May 1, 2023 14

Page 15: Secure Software Development

May 1, 2023 15

Continuous Security

• Requires security automation• Integrate into CD environment and tools– Source code management systems• GitHub, Bitbucket etc.

– Build systems• Travis CI, Jenkins etc.

• Audit third party component and open-source library usage

Page 16: Secure Software Development

May 1, 2023 16

Takeaways

• Security practices should be built in during the software development process

• Continuous delivery needs continuous security

Page 17: Secure Software Development

May 1, 2023 17

Thanks!

• Questions?• Contact– @asankhaya

https://twitter.com/asankhaya

CSCE 548 Secure Software Development Risk-Based Security Testing

CSCE 548 Secure Software Development Risk-Based Security Testing

Documents
Fundamental Practices for Secure Software Development

Fundamental Practices for Secure Software Development

Documents
Secure Software Development for the Cloud - IARIA Software Development for the Cloud Developing Secure Distributed Algorithms & Architectures Aspen Olmsted. Cybersecurity/Software

Secure Software Development for the Cloud - IARIA Software Development for the Cloud Developing Secure Distributed Algorithms & Architectures Aspen Olmsted. Cybersecurity/Software

Documents
Secure Software Development Life Cycle Processes: A Technology

Secure Software Development Life Cycle Processes: A Technology

Documents
ASFWS 2011 - Secure software development for mobile devices

ASFWS 2011 - Secure software development for mobile devices

Technology
Training on Secure Software Development asics and Models

Training on Secure Software Development asics and Models

Documents
CSCE 548 Secure Software Development Test 1 Review

CSCE 548 Secure Software Development Test 1 Review

Documents
CSCE 548 Secure Software Development Test 1 Review

CSCE 548 Secure Software Development Test 1 Review

Documents
Secure Software Development Life Cycle Processes - Defense

Secure Software Development Life Cycle Processes - Defense

Documents
Secure software development presentation

Secure software development presentation

Education
The Application of a New Secure Software Development Life

The Application of a New Secure Software Development Life

Documents
Secure Software Development Chris Herrick 01/29/2007

Secure Software Development Chris Herrick 01/29/2007

Documents
CSCE 548 Secure Software Development Web Application Security

CSCE 548 Secure Software Development Web Application Security

Documents
Secure Software DevelopmentTDDC90/literature/slides/TDDC90_Swsec_201… · Secure Software Development Anna Vapen, IDA/ADIT TDDC90 Software Security 2013-11-08 2 Agenda Software security

Secure Software DevelopmentTDDC90/literature/slides/TDDC90_Swsec_201… · Secure Software Development Anna Vapen, IDA/ADIT TDDC90 Software Security 2013-11-08 2 Agenda Software security

Documents
Secure Software Development Lifecycle

Secure Software Development Lifecycle

Software
Secure Software Workforce Development: Panel Discussion · Secure Software Workforce Development Panel Discussion March 20–23, 2017 Software Solutions Symposium 2017 CICESS Value

Secure Software Workforce Development: Panel Discussion · Secure Software Workforce Development Panel Discussion March 20–23, 2017 Software Solutions Symposium 2017 CICESS Value

Documents
Industrial Challenges of Secure Software Development

Industrial Challenges of Secure Software Development

Software
CSCE 522 Secure Software Development Best Practices

CSCE 522 Secure Software Development Best Practices

Documents
Secure Software Development with 3rd Party Dependencies

Secure Software Development with 3rd Party Dependencies

Software
Basics of Secure Design, Development, and Test Secure software made easier

Basics of Secure Design, Development, and Test Secure software made easier

Documents
Security Management April 8, 2008 Managing Secure System/Software Development Models/Methods Managing Secure System/Software Development Models/Methods

Security Management April 8, 2008 Managing Secure System/Software Development Models/Methods Managing Secure System/Software Development Models/Methods

Documents
Secure by design and secure software development

Secure by design and secure software development

Technology
CSCE 548 Secure Software Development Security Use Cases

CSCE 548 Secure Software Development Security Use Cases

Documents
Managing Business Processes for Secure Software Development

Managing Business Processes for Secure Software Development

Documents
Secure Software Development Models/Methods …IS 2620: Developing Secure Systems Secure Software Development Models/Methods Lecture 1 Sept 6, 2018 James Joshi Professor School of Computing

Secure Software Development Models/Methods …IS 2620: Developing Secure Systems Secure Software Development Models/Methods Lecture 1 Sept 6, 2018 James Joshi Professor School of Computing

Documents
Secure Software Development Life Cycle Processes: A Technology

Secure Software Development Life Cycle Processes: A Technology

Documents
Secure software development presentación de servicios

Secure software development presentación de servicios

Technology
A Systematic Literature Review on Secure Software Development

A Systematic Literature Review on Secure Software Development

Documents
Fundamental Practices for Secure Software Development: A Guide

Fundamental Practices for Secure Software Development: A Guide

Documents
Secure Software Development - Sonntag · 2009. 8. 13. · © Michael Sonntag 2009 Secure Software Development Security and Privacy Budapest 2009 Institute for Information Processing

Secure Software Development - Sonntag · 2009. 8. 13. · © Michael Sonntag 2009 Secure Software Development Security and Privacy Budapest 2009 Institute for Information Processing

Documents