Development Processes (Lecture outline)

Similar documents
Software Security Touchpoint: Architectural Risk Analysis

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

Cyber Security & Data Privacy. January 22, 2014

Adobe Systems Incorporated

Development. Resilient Software. Secure and. Mark S. Merkow Lakshmikanth Raghavan. CRC Press. Taylor& Francis Croup. Taylor St Francis Group,

Magento Security and Vulnerabilities. Roman Stepanov

Web application testing

Building Security into the Software Life Cycle

112 BSIMM Activities at a Glance

OWASP Top Ten Tools and Tactics

Integrating Security Testing into Quality Control

Secure Programming Lecture 9: Secure Development

Successful Strategies for QA- Based Security Testing

In Building Security In, Gary McGraw proposes three pillars to use throughout the lifecycle: I: Applied Risk Management

Integrating Security into the Application Development Process. Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis

OWASP AND APPLICATION SECURITY

ISSECO Syllabus Public Version v1.0

WEB SITE SECURITY. Jeff Aliber Verizon Digital Media Services

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

Protect Your Organization With the Certification That Maps to a Master s-level Education in Software Assurance

Web Application Security

Pentests more than just using the proper tools

Cloud Security:Threats & Mitgations

Essential IT Security Testing

Where every interaction matters.

How to Build a Trusted Application. John Dickson, CISSP

Overview of the Penetration Test Implementation and Service. Peter Kanters

A Survey on Requirements and Design Methods for Secure Software Development*

Pentests more than just using the proper tools

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Reducing Application Vulnerabilities by Security Engineering

Making your web application. White paper - August secure

Testing the OWASP Top 10 Security Issues

Passing PCI Compliance How to Address the Application Security Mandates

DFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

05.0 Application Development

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

How To Understand And Understand The Security Of A Web Browser (For Web Users)

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

How To Test A Computer System On A Microsoft Powerbook 2.5 (Windows) (Windows 2) (Powerbook 2) And Powerbook (Windows 3) (For Windows) (Programmer) (Or

Secure Development LifeCycles (SDLC)

Threat Modeling. Frank Piessens ) KATHOLIEKE UNIVERSITEIT LEUVEN

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

BEST PRACTICES FOR SECURITY TESTING TOP 10 RECOMMENDED PRACTICES

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Web Application Penetration Testing

Understanding and evaluating risk to information assets in your software projects

Introduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006

Software Security. Building Security In. Gary McGraw. A Addison-Wesley

(WAPT) Web Application Penetration Testing

Using Free Tools To Test Web Application Security

90% of data breaches are caused by software vulnerabilities.

Web Application Report

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Secure development and the SDLC. Presented By Jerry

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Excellence Doesn t Need a Certificate. Be an. Believe in You AMIGOSEC Consulting Private Limited

Learning objectives for today s session

Threat Modeling: The Art of Identifying, Assessing, and Mitigating security threats

Adobe ColdFusion. Secure Profile Web Application Penetration Test. July 31, Neohapsis 217 North Jefferson Street, Suite 200 Chicago, IL 60661

Sitefinity Security and Best Practices

Points of View. CxO s point of view. Developer s point of view. Attacker s point of view

Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP

Web Application Security

How To Fix A Web Application Security Vulnerability

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Security Testing. How security testing is different Types of security attacks Threat modelling

MANAGED SECURITY TESTING

Table of Contents. Page 2/13

Entire contents 2011 Praetorian. All rights reserved. Information Security Provider and Research Center

Network Test Labs (NTL) Software Testing Services for igaming

SQuAD: Application Security Testing

Web Engineering Web Application Security Issues

How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis

elearning for Secure Application Development

Who, What, Where, How: Five Big Questions in Mobile Security

Turning the Battleship: How to Build Secure Software in Large Organizations. Dan Cornell May 11 th, 2006

Mobile Application Threat Analysis

Developing Secure Software, assignment 1

The Top Web Application Attacks: Are you vulnerable?

North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing

Mean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP

Software Application Control and SDLC

The New OWASP Testing Guide v4

Securing Enterprise Web Applications at the Source: An Application Security Perspective

Interactive Application Security Testing (IAST)

Rational AppScan & Ounce Products

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6

Web Hacking Incidents Revealed: Trends, Stats and How to Defend. Ryan Barnett Senior Security Researcher SpiderLabs Research

Secure Coding in Node.js

TEAM Academy Catalog. 187 Ballardvale Street, Wilmington, MA

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

White Paper. Guide to PCI Application Security Compliance for Merchants and Service Providers

Agile and Secure Can We Be Both? Chicago OWASP. June 20 th, 2007

Guide for the attention of developers/hosts for merchant websites on the minimum level of security for bank card data processing

The Electronic Arms Race of Cyber Security 4.2 Lecture 7

Threat Modeling. 1. Some Common Definition (RFC 2828)

Attack Vector Detail Report Atlassian

Columbia University Web Security Standards and Practices. Objective and Scope

Transcription:

Development*Process*for*Secure* So2ware Development Processes (Lecture outline) Emphasis on building secure software as opposed to building security software Major methodologies Microsoft's Security Development Lifecycle OWASP CLASP Cigital's Security touchpoints Building Security In Maturity Model BSIMM 412*

Microsoft Security Development Cycle http://www.microsoft.com/security/sdl/default.aspx 414* Development Processes (Lecture outline) Emphasis on building secure software as opposed to building security software Major methodologies Microsoft's Security Development Lifecycle OWASP CLASP Cigital's Security touchpoints Building Security In Maturity Model BSIMM 415*

Open Web Application Security Project OWASP https://www.owasp.org/ Collect resources for Web applications Top ten security flaws Various security testing tools Various security control means e.g., code review guide Injection Cross-site Scripting (XSS) Broken authentication and session management Insecure direct object references Cross-site request forgery (CSRF) Security misconfiguration Insecure cryptographic storage Failure to restrict URL access Insufficient transport layer protection Unvalidated redirects and forwards CLASP Comprehensive Lightweight Application Security Process 416* Open Web Application Security Project OWASP https://www.owasp.org/ Collect resources for Web applications Top ten security flaws Various security testing tools Various security control means e.g., code review guide Injection Cross-site Scripting (XSS) Broken authentication and session management Insecure direct object references Cross-site request forgery (CSRF) https://www.owasp.org/index.php/ OWASP_Appsec_Tutorial_Series Security misconfiguration Insecure cryptographic storage Failure to restrict URL access Insufficient transport layer protection Unvalidated redirects and forwards CLASP Comprehensive Lightweight Application Security Process 417*

CLASP https://www.owasp.org/index.php/category:owasp_clasp_project Goal: move security concerns into the early stages of the software development lifecycle, whenever possible Set of process pieces that can be integrated into any software development process Introduction to the Concepts behind CLASP to get started Seven key Best Practices High-level Security Services (authorisation, authentication, ) Core Security Principles Roles Activities Process engineering and roadmaps Checklisted Coding Guidelines Vulnerabilities that occur in source code Searchable Vulnerability Checklist 418* CLASP Best Practices Institute awareness programs Perform application assessments Capture security Implement secure development practices Build vulnerability remediation procedures Define and monitor metrics Publish operational security guidelines 419*

CLASP Best Practices Institute awareness programs Perform application assessments Capture security Implement secure development practices Build vulnerability remediation procedures Define and monitor metrics Publish operational security guidelines People should consider security to be an important project goal Train all team members Make people aware of security setting Institute accountability for security issues Appoint a project security officer Institute rewards for handling of security issues 420* CLASP Best Practices Institute awareness programs Perform application assessments Capture security Implement secure development practices Build vulnerability remediation procedures Define and monitor metrics Publish operational security guidelines Security analysis of and design Threat modelling Source-level security review Security tests 421*

CLASP Best Practices Institute awareness programs Perform application assessments Capture security Implement secure development practices Build vulnerability remediation procedures Define and monitor metrics Publish operational security guidelines Treat security same way as functional Define security policy Identify attack surface Identify resources and trust boundaries Identify misuse cases Specify operational environment 422* CLASP Best Practices Institute awareness programs Perform application assessments Capture security Implement secure development practices Build vulnerability remediation procedures Define and monitor metrics Publish operational security guidelines Annotate classes with security properties Apply principles of secure design Manage resources Manage contracts and interfaces 423*

CLASP Best Practices Institute awareness programs Perform application assessments Capture security Implement secure development practices Build vulnerability remediation procedures Define and monitor metrics Publish operational security guidelines Address reported security issues Manage security issue disclosure process 424* CLASP Best Practices Institute awareness programs Perform application assessments Capture security Implement secure development practices Build vulnerability remediation procedures Define and monitor metrics Publish operational security guidelines Select metrics Collect data Evaluate results 425*

CLASP Best Practices Institute awareness programs Perform application assessments Capture security Implement secure development practices Build vulnerability remediation procedures Define and monitor metrics Publish operational security guidelines Build operational security guide Specify database security configuration 426* Development Processes (Lecture outline) Emphasis on building secure software as opposed to building security software Major methodologies Microsoft's Security Development Lifecycle OWASP CLASP Cigital's Security touchpoints Building Security In Maturity Model BSIMM 427*

Seven Security Touchpoints G. McGraw, Software Security: Building Security In All software projects produce at least one artifact: source code 428* Seven Security Touchpoints G. McGraw, Software Security: Building Security In All software projects produce at least one artifact: source code 1. Code review (tools) 2. Risk analysis 3. Penetration test 4. Risk-based security test 5. Abuse analysis 6. Security 7. Security attacks * External analysis 429*

Code review (tools) Aim: catching implementation bugs early Tool helps to achieve good code coverage Aim for good, not perfect 430* Risk analysis Create description of architecture Start with one page Forest-level view Attack resistance Use checklists of known attacks Example: Microsoft STRIDE Spoofing, Tampering, Repudiation, Info disclosure, Denial of service, Elevation of privilege Ambiguity analysis Discover new risks Find unclear parts in how the system works Trust, data sensitivity, threat models Weakness analysis Impact of external software dependencies Platform (hardware, OS) Frameworks Called services Combine risks and consider business impact Rank risks Find solutions 431*

Penetration test Attack on a system with the intention of finding security weaknesses, potentially gaining access to it, its functionality and data Use the source Otherwise people send time on reverseengineering system Apply business priorities Logic flaw vs. XSS flaw XSS is important if it contributes towards compromising business logic Use in-house QA department They already know the system Use tools and training to add security testing skills Test more than once Incorporate the findings back into development 432* Risk-based security test Test based on priorities Architectural risks Risks discovered during code review Test malicious input Use fuzzing tool 433*

Abuse analysis and Security requirement Security is not a set of features How system should react to illegitimate use Like use cases, but with malicious users 434* 1. Input validation and Representation 2. API Abuse 3. Security Features 4. Time and State 5. Error Handling 6. Code Quality 7. Encapsulation * Environment Tsipenyuk*et#al.,*2005* Seven Pernicious Kingdoms *435**

External analysis Unfortunately Software architects, developers, and testers are largely unaware of the software security problems Good news They acknowledge that security problems exists! Bad news Barely begun to apply the security solutions 436* Exercise ISSRM domain model Security modelling Security risk measurement Secure Tropos Goal modelling i */ Tropos Mal-activity diagrams Secure UML Security access management Phishing Trojan Horse Security monitoring ISSRM process Trust management Security trade-off analysis Security error taxonomy Security elicitation Security taxonomy Misuse cases Role-based access control UMLsec Social engineering Cryptography CIA 437*

Exercise Assign terms/techniques according to different stages of Microsoft SDC ISSRM domain model Security modelling Security risk measurement Secure Tropos Goal modelling i */ Tropos Mal-activity diagrams Secure UML Security access management Phishing Trojan Horse Security monitoring ISSRM process Trust management Security trade-off analysis Security error taxonomy Security elicitation Security taxonomy Misuse cases Role-based access control UMLsec Social engineering Cryptography CIA 438* Exercise Align terms/techniques to different CLASP activities Institute awareness programs Perform application assessments Capture security Publish operational security guidelines Implement secure development practices Build vulnerability remediation procedures Define and monitor metrics ISSRM domain model Security modelling Security risk measurement Secure Tropos Goal modelling i */ Tropos Mal-activity diagrams Secure UML Security access management Phishing Trojan Horse Security monitoring ISSRM process Trust management Security trade-off analysis Security error taxonomy Security elicitation Security taxonomy Misuse cases Role-based access control UMLsec Social engineering Cryptography CIA 439*

Exercise What techniques could be used at different touchpoints? ISSRM domain model Security modelling Security risk measurement Secure Tropos Goal modelling i */ Tropos Mal-activity diagrams Secure UML Security access management Phishing Trojan Horse Security monitoring ISSRM process Trust management Security trade-off analysis Security error taxonomy Security elicitation Security taxonomy Misuse cases Role-based access control UMLsec Social engineering Cryptography CIA 440* Development Processes (Lecture outline) Emphasis on building secure software as opposed to building security software Major methodologies Microsoft's Security Development Lifecycle OWASP CLASP Cigital's Security touchpoints Building Security In Maturity Model BSIMM 441*

Building Security in Maturity Model Empirical approach to secure software design Gathered data from 42 large-scale software security initiatives Tech companies (e.g., Adobe, Google, Microsoft, ) Financial companies (e.g., DTCC, Wells Fargo) Added only activities seen in the real world Actual practices, not best practices 442* Software Security Framework 12 practices in 4 domains Each practice consists of activities 110 activities in total Each activity at least in one company No company that does it all 443*

Software Security Framework 444* Four Domains Governance Organize, manage, and measure a software security initiative Staff development Intelligence Collections of corporate knowledge used in carrying out software security activities throughout the organization Collections include both proactive security guidance and organizational threat modeling SSDL Touchpoints Analysis and assurance of particular software development artifacts and processes All software security methodologies include these practices Deployment Traditional network security and software maintenance organizations Software configuration, maintenance, and other environment issues have direct impact on software security 445*

Software Security Framework Goal: transparency of expectations and accountability for results $ $ EXAMPLE$ Level 1: Attain a common understanding of direction and strategy Publish process, evolve as necessary Create evangelism role/internal marketing Educate executives Identify gate locations, gather necessary artefacts Require security sign off Level 2: Align behaviour with strategy and verify behaviour Level 3: Practice risk-based portfolio management 446* Development Processes Emphasis on building secure software as opposed to building security software Major methodologies Microsoft's Security Development Lifecycle OWASP CLASP Cigital's Security touchpoints Building Security In Maturity Model BSIMM 447*

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information