Secure Development LifeCycles (SDLC)

Similar documents
Microsoft SDL: Agile Development

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

Secure Development Lifecycle. Eoin Keary & Jim Manico

Protect Your Organization With the Certification That Maps to a Master s-level Education in Software Assurance

SECURITY AND RISK MANAGEMENT

Development Processes (Lecture outline)

Secure Code Development

Software Development: The Next Security Frontier

Software Application Control and SDLC

Building & Measuring Security in Web Applications. Fabio Cerullo Cycubix Limited 30 May Belfast

Beyond ISO Intel's Product Security Maturity Model (PSMM)

The Security Development Lifecycle. OWASP 24 June The OWASP Foundation

Security Development Lifecycle for Agile Development

Building Security into the Software Life Cycle

Development. Resilient Software. Secure and. Mark S. Merkow Lakshmikanth Raghavan. CRC Press. Taylor& Francis Croup. Taylor St Francis Group,

The Security Development Lifecycle. Steven B. Lipner, CISSP Senior Director Security Engineering Strategy Microsoft Corp.

OpenSAMM Software Assurance Maturity Model

The Security Development Lifecycle

AGIL JA, ABER SICHER? , ANDREAS FALK, 34. SCRUM TISCH

Agile and Secure: Can We Be Both?

Agile and Secure Can We Be Both? Chicago OWASP. June 20 th, 2007

! Resident of Kauai, Hawaii

112 BSIMM Activities at a Glance

Starting your Software Security Assurance Program. May 21, 2015 ITARC, Stockholm, Sweden

Cloud Security Fails & How the SDLC could (not?) have prevented them

Comparison of Secure Development Frameworks for Korean e- Government Systems

Matt Bartoldus

Mean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP

Secure Programming Lecture 9: Secure Development

Transparency. Privacy. Compliance. Security. What does privacy at Microsoft mean? Are you using my data to build advertising products?

Ivan Medvedev Principal Security Development Lead Microsoft Corporation

In Building Security In, Gary McGraw proposes three pillars to use throughout the lifecycle: I: Applied Risk Management

Agile and Secure: OWASP AppSec Seattle Oct The OWASP Foundation

When is Agile the Best Project Management Method? Lana Tylka

LEARNING CURRICULUM SECURITY COMPASS TRAINING 2015 Q3. Copyright Security Compass. 1

HP Fortify Application Security Lucas v. Stockhausen PreSales Manager HP Fortify EMEA Enterprise Security

A Strategic Approach to Web Application Security The importance of a secure software development lifecycle

New Zealand Company Six full time technical staff Offices in Auckland and Wellington

Managing Web & Application Security with OWASP bringing it all together. Tobias Gondrom (OWASP Project Leader)

How to Build a Trusted Application. John Dickson, CISSP

Table of Contents. The Case for SharePoint. SharePoint with an Agile Execution. Typical LASER Project. Build the Right Solutions/ Solutions Right

Agile Security Successful Application Security Testing for Agile Development

Adobe Systems Incorporated

HP Application Security Center

Building Software in an Agile Manner

Effective Software Security Management

Web Application Security

IBM Innovate AppScan: Introducin g Security, a first. Bobby Walters Consultant, ATSC bwalters@atsc.com Application Security & Compliance

Enterprise Application Security Program

Integrating Application Security into the Mobile Software Development Lifecycle. WhiteHat Security Paper

Reducing Application Vulnerabilities by Security Engineering

How To Protect Your Data From Attack

Session 3: Security in a Software Project

Threat Modelling (Web)Apps Myths and Best Practices OWASP The OWASP Foundation Matthias Rohr

On the Secure Software Development Process: CLASP and SDL Compared

PI Server Security Best Practice Guide Bryan Owen Cyber Security Manager OSIsoft

ISSECO Syllabus Public Version v1.0

Scaling a Software Security Initiative: Lessons from the BSIMM

From Chaos to Clarity: Embedding Security into the SDLC

elearning for Secure Application Development

Product Stack and Corporate Overview

Entire contents 2011 Praetorian. All rights reserved. Information Security Provider and Research Center

Microsoft Services Premier Support. Security Services Catalogue

Security aspects of e-tailing. Chapter 7

Application Security Testing How to find software vulnerabilities before you ship or procure code

Tobias Gondrom (OWASP Global Board Member)

Software Development Life Cycle (SDLC)

A Study on the Secure Software Development Life Cycle for Common Criteria (CC) Certification

DFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)

Integrating Software Development Security Activities with Agile Methodologies

SAFECode Security Development Lifecycle (SDL)

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Best-Practice Software Engineering: Software Processes to Support Project Success. Dietmar Winkler

Dr. Markus Braendle, Head of Cyber Security, ABB Group 10 Steps on the Road to a Successful Cyber Security Program Asia Pacific ICS Security SUMMIT

Contents. -Testing as a Services - TaaS 4. -Staffing Strategies 4. -Testing as a Managed Services - TaaMS 5. -Services 6.

Network Test Labs (NTL) Software Testing Services for igaming

Rational AppScan & Ounce Products

Using the Agile Methodology to Mitigate the Risks of Highly Adaptive Projects

Learning objectives for today s session

Third Party Security: Are your vendors compromising the security of your Agency?

MICROSOFT SECURITY DEVELOPMENT LIFECYCLE (SDL)

AGILE & SCRUM. Revised 9/29/2015

Revision History Revision Date Changes Initial version published to

WHITEPAPER Executive Summary Fortify Software

A Survey on Requirements and Design Methods for Secure Software Development*

Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP

Cutting Edge Practices for Secure Software Engineering

Course Title: Managing the Agile Product Development Life Cycle

!"#$%&'(%)*$+ :%;$)*%<&%6 4.7&68'9"/6")& 0)1.%$2.3*%./'4"55*)6 ,&+-%$+./ !"#$%&##'()*+&## Figure 1: Five OSP Dimensions

On the secure software development process: CLASP, SDL and Touchpoints compared

Transcription:

www.pwc.com Feb 2014 Secure Development LifeCycles (SDLC) Bart De Win

Bart De Win? 15+ years of Information Security Experience Ph.D. in Computer Science - Application Security Author of >60 scientific publications ISC 2 CSSLP certified Senior Manager @ PwC Belgium: Expertise Center Leader Secure Software (Web) Application tester (pentesting, arch. review, code review,...) Trainer for several courses related to secure software Specialized in Secure Software Development Lifecycle (SDLC) OWASP OpenSAMM co-leader Contact me at bart.de.win@be.pwc.com 2

Agenda 1. Motivation 2. Process Models 3. Maturity Models 4. Agile Development 5. Conclusion 3

Application Security Problem Technology stacks Software complexity Growing connectivity Mobile Cloud Adaptability Training Better Faster 75% of vulnerabilities are application related 4

Application Security Symbiosis 5

Application Security during Software Development Analyse Design Implement Test Deploy Maintain Bugs Flaws Cost 6

The State-of-Practice in Secure Software Development Analyse Design Implement Test Deploy Maintain (Arch review) Pentest Penetrate & Patch Problematic, since: Focus on bugs, not flaws Penetration can cause major harm Not cost efficient No security assurance - All bugs found? - Bug fix fixes all occurences? (also future?) - Bug fix might introduce new security vulnerabilities 7

SDLC? Analyse Design Implement Test Deploy Maintain SDLC Enterprise-wide software security improvement program Strategic approach to assure software quality Goal is to increase systematicity Focus on security functionality and security hygiene 8

SDLC Objectives To develop (and maintain) software in a consistent and efficient way with a demonstrable & standardscompliant security quality, inline with the organizational risks. 9

SDLC Cornerstones People Roles & Responsibilities Risk Process Knowledge Activities Deliverables Control Gates Standards & Guidelines Compliance Transfer methods Training 2013 Tools & Components Development support Assessment tools Management tools 10

Strategic? Organizations with a proper SDLC will experience an 80 percent decrease in critical vulnerabilities Organizations that acquire products and services with just a 50 percent reduction in vulnerabilities will reduce configuration management and incident response costs by 75 percent each. 11

Does it really work? 12

(Some) SDLC-related initiatives Microsoft SDL TouchPoints SP800-64 CLASP BSIMM SSE-CMM TSP-Secure SAMM GASSP 13

Agenda 1. Motivation 2. Process Models 3. Maturity Models 4. Agile Development 5. Conclusion 14

Selected Example: Microsoft SDL (SD3+C) 15

Training Content 1. 2. 3. 4. 5. 6. 7. Training Requirements Design Implementation Verification Release Response Secure design Threat modeling Secure coding Security testing Privacy Why? 16

Requirements Project inception 1. 2. 3. 4. 5. 6. 7. Training Requirements Design Implementation Verification Release Response Advisor When you consider security and privacy at a foundational level Cost analysis Determine if development and support costs for improving security and privacy are consistent with business needs 17

Design Establish and follow best practices for Design 1. Training 2. Requirements 3. Design 4. Implementation 5. Verification 6. Release 7. Response secure-coding best practices Risk analysis Threat modeling STRIDE 18

Implementation Creating documentation and tools for users that address security and privacy 1. Training 2. Requirements 3. Design 4. Implementation 5. Verification 6. Release 7. Response Establish and follow best practices for development 1. Review available information resources 2. Review recommended development tools 3. Define, communicate and document all best practices and policies 19

Verification Security and privacy testing 1. Training 2. Requirements 3. Design 4. Implementation 5. Verification 6. Release 7. Response 1. Confidentiality, integrity and availability of the software and data processed by the software 2. Freedom from issues that could result in security vulnerabilities Security push 20

Release Public pre-release review 1. Training 2. Requirements 3. Design 4. Implementation 5. Verification 6. Release 7. Response 1. Privacy 2. Security Implementation Planning requirements Preparation for incident response 21

Release Final security and privacy review 1. Training 2. Requirements 3. Design 4. Implementation 5. Verification 6. Release 7. Response Outcomes: - Passed FSR - Passed FSR with exceptions - FSR escalation Release to manufacturing/release to web Sign-off process to ensure security, privacy and other policy compliance 22

Response Execute Incident Response Plan 1. Training 2. Requirements 3. Design 4. Implementation 5. Verification 6. Release 7. Response => able to respond appropriately to reports of vulnerabilities in their software products, and to attempted exploitation of those vulnerabilities. 23

Process Models: wrapup Microsoft SDL: Mature, long-term practical experience Heavyweight, ISV flavour Several supporting tools and methods Other process models exist, with their pro s and con s In general, no process will fit your organization perfectly Mix-and-Match + adaptation are necessary 24

Agenda 1. Motivation 2. Process Models 3. Maturity Models 4. Agile Development 5. Conclusion 25

Why Maturity Models? An organization s behavior changes slowly over time. Changes must be iterative while working toward long-term goals There is no single recipe that works for all organizations A solution must enable risk-based choices tailor to the organization Guidance related to security activities must be prescriptive A solution must provide enough details for non-security-people Overall, must be simple, well-defined, and measurable 26

Selected example: OpenSAMM http://www.opensamm.org Version 1.0, 2009 27

Core Structure 28

Notion of Maturity Level Interpretation 0 Implicit starting point representing the activities in the practice being unfulfilled 1 Initial understanding and ad-hoc provision of the security practice 2 Increase efficiency and/of effectiveness of the security practice 3 Comprehensive mastery of the security practice at scale 29

An example 30

OpenSAMM also defines Objective Activities Results Success Metrics Costs Personnel Related Levels 31

Assessments 32

Roadmap templates per company type (ISV) 33

BSIMM5 statistics: summary 34

BSIMM5 statistics: per activity 35

Maturity Models wrapup OpenSAMM Comprehensive and rich model, more than just activities Supporting tools are available Real-world case studies, but few are openly shared Other models exist with their pro s and con s Maturity models provide an excellent framework for reasoning on software assurance, on a strategic level. 36

Agenda 1. Motivation 2. Process Models 3. Maturity Models 4. Agile Development 5. Conclusion 37

Agile Models: Rationale and Fundamentals Many traditional, large-scale software development projects are going wrong Combination of business and technical causes Software is delivered late in the lifecycle Little flexibility during the process Agile models focus on: Frequent interaction with stakeholders Short cycles => to increase flexibility and reduce risk 38

Agile Models: Scrum 39

Agile & Secure development: a mismatch? Agile Dev. Speed & Flexibility Short cycles Limited documentation Functionality-driven Security Stable & Rigorous Extra activities Extensive analysis Non-functional 40

MS SDL-Agile Basic approach: Fit SLD tasks to the backlog as non-functional stories Non-Technical vs. Technical Requirement vs. Recommendation Each SDL task goes in one of three types of requirements: Every Sprint Bucket One- Time 41

Every-Sprint Requirements (excerpt) All team members must have had security training in the past year All database access via parameterized queries Fix security issues identified by static analysis Mitigate against Cross-Site Request Forgery Update Threat models for new features Use Secure cookies over HTTPS Link all code with the /nxcompat linker option Encrypt all secrets such as credentials, keys and passwords Conduct internal security design review 42

Bucket Requirements (excerpt) Bucket A: Security Verification Perform fuzzing (network/activex/file/rpc/ ) Manual and automated code review for high-risk code Penetration testing Bucket B: Design Review Conduct a privacy review Complete threat model training Bucket C: Planning Define or update the security/privacy bug bar Define a BC/DR plan 43

One-Time Requirements (excerpt) Create a baseline threat model Establish a security response plan Identify your team s security expert Use latest compiler versions 44

Abuser Stories Treat application security into software development by writing up application security risks as stories Security stories: As a developer, I want to prevent SQLi into my application Not a real user story (not relevant for product owner, but to help the development team) Never really finished Cfr MS examples Thinking like the bad guy: User X should not have access to this type of data Think about what users don t want to and can t do, how to trust users, what data is involved, 45

Thou shall use Iteration Zero Many agile projects start with an Iteration Zero to Get the team together Choose tools and frameworks Get to know the domain This is an opportunity for security too, to Assign security responsibles Select security tools Determine risk levels 46

Security Involvement in the Process Ensure that security-savvy people are involved at important phases: Planning game (to enhance/verify requirements) Development (daily follow-up) Review (to support acceptance) Retrospective (to improve dev. Practices for security) Different profiles can be distinguished: Security architect Security engineer Risk Manager/Governance 47

Agenda 1. Motivation 2. Process Models 3. Maturity Models 4. Agile Development 5. Conclusion 48

Conclusions SDLC is the framework for most of this week s sessions No model is perfect, but they provide good guidance Agile development can be improved as well Take into account all cornerstones Risk Management is key for rationalizing effort 49

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information