DEVELOPING SECURE SOFTWARE


DEVELOPING SECURE SOFTWARE
A FOUNDATION FOR CLOUD AND IOT SECURITY
Eric Baize (@ericbaize)
Senior Director, Product Security Office, EMC Corporation
Chairman of SAFECode
CSA EMEA Congress, November 2015

ABOUT SAFECODE
The Software Assurance Forum for Excellence in Code (SAFECode) is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services.
Howard A. Schmidt, Executive Director
Associate Members: Autodesk; Boeing; Cigital; Codenomicon; Huawei; NetApp; SonaType; Telecommunications Systems, Inc.; VeraCode; VMware

SOFTWARE RUNS ON NEW TYPES OF HARDWARE...

...SAME SOFTWARE SECURITY PROBLEMS
Law of Software Assurance: All software has errors and a small subset of these errors result in software vulnerabilities

STRONGEST SECURITY TECHNOLOGIES DO NOT SUSTAIN INSECURE SOFTWARE
[Figure labels: Insecure Software; Secure Communications]

SECURE SOFTWARE IS A FOUNDATION FOR CLOUD AND IOT SECURITY ARCHITECTURES
Cloud: New consumption model; New deployment model; New trust boundaries
Internet of Things: New physical boundaries; New device management model; New privacy challenges
Same Fundamental Practices for Secure Software Development: Comprehensive and holistic; Adapt to new threats and new models

SOFTWARE ASSURANCE STAKEHOLDERS
Software Professional: Create the software directly or indirectly for the technology developer
Technology Developer: Leverage software to deliver products, applications or services to customers
Technology Consumer: Buy or use the products / services delivered by the technology developer

THE SOFTWARE PROFESSIONAL
CREATE THE SOFTWARE FOR THE TECHNOLOGY DEVELOPER
  Rapidly growing population
  48% of software developers never received a degree in computer science (*)
  Graduates from colleges receive little to no security training
SAFECode Principle: Awareness of software assurance is fundamental to software engineering proficiency.
(*) Source: Stack Overflow 2015 Developer Survey

SAFECODE TRAINING RESOURCES & ACTION PLAN
All: Technical training modules available online for free https://training.safecode.org/
Colleges & Universities: Include software assurance awareness in any software engineering curriculum
Employers: Include requirements for software assurance skills in software engineering job postings
Modules:
  Introduction to Cryptography
  Secure Memory Handling in C 101
  Threat Modeling 101
  Secure Java Programming 101
  Cross Site Scripting (XSS) 101
  Product Penetration Testing 101
  Auth 101: A Passwords Backgrounder for Everyone
  DOH: Default, Obscure and Hidden Content for Everyone
  An Introduction to Windows Access Controls
  File Permissions 101: Linux and OS X
  Injections 101: SQL and Beyond
  CSRF 101: Cross Site Request Forgery for Everyone

THE TECHNOLOGY DEVELOPER
LEVERAGE SOFTWARE TO DELIVER PRODUCTS OR SERVICES TO CUSTOMERS
  Subject to non-realistic software assurance expectations
  Required to adapt their software engineering processes and train their workforce
  Increasingly leverage open source software
SAFECode Principle: Secure software development is an organizational commitment and a holistic process

FUNDAMENTAL PRACTICES FOR SECURE SOFTWARE DEVELOPMENT
SAFECode Fundamental Practices for Secure Development
Experts have converged on a core set of secure development practices that can be applied across diverse development environments to improve software security:
  Threat Modeling
  Use Least Privilege
  Implement Sandboxing
  Minimize Use of Unsafe String and Buffer Functions
  Validate Input and Output to Mitigate Common Vulnerabilities
  Use Robust Integer Operations for Dynamic Memory Allocations and Array Offsets
  Use Anti-Cross Site Scripting (XSS) Libraries
  Use Canonical Data Formats
  Avoid String Concatenation for Dynamic SQL Statements
  Eliminate Weak Cryptography
  Use Logging and Tracing
  Determine Attack Surface
  Use Appropriate Testing Tools
  Perform Fuzz / Robustness Testing
  Perform Penetration Testing
  Use a Current Compiler Toolset
  Use Static Analysis Tools

THE TECHNOLOGY CONSUMERS / BUYERS
CONSUMES PRODUCTS OR SERVICES DELIVERED BY THE TECHNOLOGY DEVELOPER
  Need to manage technology risk
  Lack of broadly adopted standards to assess security of procured software
  Often use ad hoc and ineffective assessment methods
SAFECode Principle: Developers should work towards providing more transparency in software assurance processes and practices to help customers and other key stakeholders manage risk effectively.

SOFTWARE ASSURANCE ASSESSMENT TODAY
TOO MANY AD HOC AND INEFFECTIVE APPROACHES
Ineffective assessment methods require suppliers to:
  Attest that no vulnerabilities exist in code
  Share product source code
  Share known vulnerabilities
  Adopt specific tools or coding standards
Challenges for suppliers:
  Ad hoc assessments are not scalable across customers
  Divert expert resources from more critical tasks
  Misalignment with real-world secure development practices

SUPPLIER ASSESSMENT FRAMEWORK
TO BE RELEASED: END OF NOVEMBER 2015
[Diagram axes: Supplier Software Assurance Maturity (Low to High); Timeline for broad adoption (Now to Future)]
Vendor Process Review:
  1. Secure development practices
  2. Product security governance
  3. Vulnerability response process
International Standards:
  IEC/ISA-62443 (industrial automation and control products)
  ISO/IEC 27034-1:2011 (Application security)
Software Testing: Penetration testing or, Binary code analysis or, Network scanning
International standards focused on the IT industry lack maturity or are not broadly adopted.

SOFTWARE ASSURANCE: TAKE ACTION NOW
Software Professional:
  All: Leverage online training available
  Academia: Teach software assurance to all software engineering students
Technology Developer: Adopt a holistic proven software assurance process as a foundation to any security architecture
Technology Consumer: Use standard-based framework to assess suppliers' software assurance process

www.safecode.org
Twitter: @safecodeforum
Blog: http://blog.safecode.org
Eric Baize (@ericbaize)