
Intro to Security in SDLC


Page 1: Intro to Security in SDLC

Secure SDLC

Page 2: Intro to Security in SDLC

Because the question is not IF. The question is WHEN.

Page 3: Intro to Security in SDLC

Protecting software is much easier if the software is built with security in mind

Page 4: Intro to Security in SDLC

GENERIC APPROACH FOR SECURITY

Design: security requirements / risk and threat analysis

Build: coding guidelines / code reviews / static analysis

Test: security testing / dynamic analysis

Production: vulnerability scanning / WAF

Reactive Approach / Proactive Approach

Secure SDLC

Page 5: Intro to Security in SDLC

SECURE SDLC

Requirements: Security Requirements, Compliance Analysis, Governance Definition

Design: Risk Assessment, Secure Architecture

Implementation: Code Reviews, Code Analysis

Verification: Security Testing, Risk Assessment Review, Penetration Testing

Release: Security Review, Incident Response Plan

Response: Incident Forensics, Security Monitoring

Security Awareness Trainings

Ensure the Best Practices are integral to the development program and applied over the lifecycle of the Application

Page 6: Intro to Security in SDLC

SOFTWARE SECURITY IS EVERYONE’S JOB

Page 7: Intro to Security in SDLC

PRIMARY BENEFITS

Minimize the costs of security-related issues

Avoid repetitive security issues

Avoid inconsistent levels of security

Determine the activities that pay back faster at the current state of the project

Page 8: Intro to Security in SDLC

ORGANIZATION CHALLENGES

An organization’s behavior changes slowly over time

• Changes must be iterative while working toward long-term goals

There is no single recipe that works for all organizations

• A solution must enable risk-based choices tailored to the organization

Guidance related to security activities must be prescriptive

• A solution must provide enough details for non-security-people

Overall, must be simple, well-defined, and measurable

• Understandable measurement can be used

Page 9: Intro to Security in SDLC

IMPLEMENTATION CHALLENGES

Team Pushback

Security Ownership

The “Security is Special” problem

“Official/Actual Adoption Dilemma”

Benefits Measurement

Page 10: Intro to Security in SDLC

Typical Engagement Models

Page 11: Intro to Security in SDLC

AUTOMATED CODE ANALYSIS

Page 12: Intro to Security in SDLC

LINEAR INTEGRATION APPROACH

Page 13: Intro to Security in SDLC

ITERATION BASED TEST ONLY APPROACH

• After the backlog of security related items has been reviewed and evaluated by Development Management, a 2-week Development cycle (iteration) will address the highest ranked items

• Upon delivery of completed code, security testing is performed both manually and using automated testing tools

• Results from manual and automated scans end up in the same backlog repository, to be reviewed and prioritized by Development Management

Page 14: Intro to Security in SDLC

HOW TO GET STARTED

Analyze Current Practices

Define Goals

Define Roadmap

Execute / Oversee / Adjust

Discovery

Page 15: Intro to Security in SDLC

Case Study

Page 16: Intro to Security in SDLC

BUSINESS ISSUE

Drivers: Customer Request, Potential Issues

Requestor: Security Department

Client knows they have issues and requested a team to address them

Page 17: Intro to Security in SDLC

SOLUTION

• Tactical Goals: address existing local findings (tool generated)

• Strategic Goals: address security design flaws, prevent issues from reappearing in the future

Issues Root Cause Analysis

• Team structured into Addressing and Remediation teams, achieving Tactical and Strategic Goals respectively

• Prioritized roadmap for the Remediation Team

• Security Risk Assessment

• Security Architecture Analysis

• Security Awareness Trainings for the Team

• Roadmap for the Secure SDLC practices adoption

Solution for the Strategic Goals

Page 18: Intro to Security in SDLC

SOLUTION

Requirements: Security Requirements, Compliance Analysis, Governance Definition

Design: Risk Assessment, Secure Architecture

Implementation: Code Reviews, Code Analysis

Verification: Security Testing, Risk Assessment Review, Penetration Testing

Release: Security Review, Incident Response Plan

Response: Incident Forensics, Security Monitoring

Security Awareness Trainings

Phase 1: 1 – 2 Months

Team: FTE Security Analyst

Page 19: Intro to Security in SDLC

SOLUTION

Requirements: Security Requirements, Compliance Analysis, Governance Definition

Design: Risk Assessment, Secure Architecture

Implementation: Code Reviews, Code Analysis

Verification: Security Testing, Risk Assessment Review, Penetration Testing

Release: Security Review, Incident Response Plan

Response: Incident Forensics, Security Monitoring

Security Awareness Trainings

Phase 2: 2 – 3 Months

Team: Part Time Security Analyst

Page 20: Intro to Security in SDLC

VALUE

An approach addressing both Tactical and Strategic Goals

Decrease the number of security issues on the project

Minimize potential security issues that might be introduced in the future

Improve security expertise and practices for the current team

Experience sharing with the client's security program

POC remediation approach for other products in the client's portfolio

Page 21: Intro to Security in SDLC

Thank You

Questions?