Embed Size (px)
DESCRIPTION
How we implement and apply security on our development projects.
Citation preview
Secure SDLC. Approach and realization
by Nazar Tymoshyk, Ph.D., CEH
Even best applicationsget challenges
Big applications get bigger challenges
Security is important factor for your app
Consequences
PenaltiesReputation loss Data loss
IP Theft
Modify Victims website to deploy
MALWARE to website visitors
Breaching organizational
perimeters
Taking over high-value accounts
Threats
Previously, attackers used application vulnerabilities to cause embarrassment and disruption. But now these attackers are exploiting vulnerabilities to steal data and much more
Hackers motives
Web application firewall
Microsoft IIS Apache Nginx
CYA (cover your apps)
Time-to-Fix vs. Time-to-Hack
Automated Temporary Patches
• Effective design of protected code requires a change in the mindset of the participants involved.
• Existing training resources impose on their study of the causes and consequences of resistance consequences instead of eliminating the causes.
• Following the conventional approach, the designer must be qualified penetration tester to start writing secure code.
• It DOES NOT WORK!
Why
• Effective design of protected code requires a change in the mindset of the participants involved.
• Existing training resources impose on their study of the causes and consequences of resistance consequences instead of eliminating the causes.
WHY
• Following the conventional approach, the designer must be qualified penetration tester to start writing secure code.
It DOES NOT WORK!
• Focus on functional requirements• Know about:
– OWASP Top 10– 1 threat (DEADLINE fail)
• Concentrated on risks
«I know when I’m writing code I’m not thinking about evil, I’m just trying to think about functionality» (с) Scott Hanselman
Developer
Security Officer
• Focused on requirement to security
• Known difference between vulnerability and attack
• Focused on vulnerabilities
Risks are for managers, not developers
Typical Security Report delivered by security firm
Typical Security Report delivered by other auditor
How security is linked to development
Than start process of re-Coding, re-Building, re-Testing, re-Auditing
3rd party or internal audit
Tone of security defects
BACK to re-Coding, re-Building, re-Testing, re-Auditing
How much time you need to fix security issues in app?
How it should look
With proper Security Program number of security defects should decrease
from phase to phase
Automated security
Tests
CIintegrated
Manualsecurity
Tests
OWASP methodology
Secure
Codingtrainings
RegularVulnerability
Scans
Minimize the costs of the Security related issues
Avoid repetitive security issues
Avoid inconsistent level of the security
Determine activities that pay back faster during current state of the project
Primary Benefits
SecureDevelopment Lifecycle
Mapping SDL to Agile•Every-Sprint practices: Essential security practices that should be performed in every release.
•Bucket practices: Important security practices that must be completed on a regular basis but can be spread across multiple sprints during the project lifetime.
•One-Time practices: Foundational security practices that must be established once at the start of every new Agile project.
Microsoft SDL
PRE SDL TRAINING:• Introduction to Microsoft SDL• Essential Software Security Training f
or the Microsoft SDL
• Basics of Secure Design, Development and Test
• Introduction to Microsoft SDL Threat Modeling
• SDL Quick Security References• SDL Developer Starter Kit
Training
• SDL Practice #2: Establish Security and Privacy Requirements (one time practice)
• SDL Practice #3: Create Quality Gates/Bug Bars
• SDL Practice #4: Perform Security and Privacy Risk Assessments (one time practice)
Requirements Phase
• Establish Design Requirements (one time practice)
• Attack Surface Analysis/Reduction (one time practice)
• Use Threat Modeling• Mitigation of threats• Secure Design • Formulating security guidelines• Security Design Review
Design
• SDL Practice #8: Use Approved Tools• SDL Practice #9: Deprecate Unsafe
Functions• SDL Practice #10: Perform Static
Analysis
Implementation
Bucket practices:
• SDL Practice #11: Perform Dynamic Analysis
• SDL Practice #12: Fuzz Testing• SDL Practice #13: Attack Surface
Review
Verification Phase
• SDL Practice #14: Create an Incident Response Plan (one time practice)
• SDL Practice #15: Conduct Final Security Review
• SDL Practice #16: Certify Release and Archive
Release Phase
• SDL Practice #17: Execute Incident Response Plan– Analysis vulnerability information– Risk calculation– Patch release– Clients notification– Information publishing
Response Phase
Value20-40% time for testing/re-testing decrease
Catch problems as soon as possible
Avoid repetitive security issues
Improve Security Expertise/Practices for current Team
Automation, Integration, Continuously
Proactive Security Reporting
Full coverage
CI SECURITY
Typical CI Workflow
Continuous Integration Delivery Deployment
High level vision
Dynamic Security testingStatic Code Analysis
CI tools
Deploying application
Security Reports
Pull source code
CI Security process
Build• Build code
with special debug options
Deploy• Pack build
and code• Deploy app
to VM for test
Test Security• Run code
test• Run Test
dynamic web application from VM with security tools
Analyze• Collect and
format results
• Verify results• Filter false
positive / negative
• Tune scanning engine
• Fix defects
CI Workflow
A1-InjectionA2-Broken Authentication and Session ManagementA3-Cross-Site Scripting (XSS)A4-Insecure Direct Object ReferencesA5-Security MisconfigurationA6-Sensitive Data ExposureA7-Missing Function Level Access ControlA8-Cross-Site Request Forgery (CSRF)A9-Using Components with Known VulnerabilitiesA10-Unvalidated Redirects and Forwards
Dynamic tests with Security scanner
OWASP Top 10 Risk coverage
Tools for Secure SDLC
• IBM AppScan Sources• Burp Suite• Sonar• OWASP ZAP• HP Fortify• Netsparcer• Coverify• Veracode
Supported Languages
• Java• .NET (C#,
ASP.NET, and VB.NET)
• JSP• Client-side
JavaScript• Cold Fusion
• C/C++• Classic ASP (both
JavaScript/VBScript)
• PHP, Perl• Visual Basic 6• COBOL• T-SQL, PL/SQL
Analysis of App Security Statistic
Sonar – for code quality coverage
Code Security Analysis
We are able to detect line of bugged code
Filtering false positive
It really works!
Applications Secured -Business Protected
