agile and secure sdlc

Post on 14-Jun-2015


DESCRIPTION

How we implement and apply security on our development projects.

TRANSCRIPT

Secure SDLC. Approach and realization

by Nazar Tymoshyk, Ph.D., CEH

Even the best applications get challenges

Big applications get bigger challenges

Security is an important factor for your app

Consequences

Penalties

Reputation loss

Data loss

IP Theft

Modify the victim's website to deploy MALWARE to website visitors

Breaching organizational perimeters

Taking over high-value accounts

Threats

Previously, attackers used application vulnerabilities to cause embarrassment and disruption. Now they exploit vulnerabilities to steal data and much more.

Hackers' motives

Web application firewall

Microsoft IIS, Apache, Nginx

CYA (cover your apps)

Time-to-Fix vs. Time-to-Hack

Automated Temporary Patches

Why

• Effective design of protected code requires a change in the mindset of the participants involved.

• Existing training resources concentrate on studying causes and consequences, and on resisting those consequences, instead of eliminating the causes.

• Following the conventional approach, the designer must be a qualified penetration tester before starting to write secure code.

• It DOES NOT WORK!

Developer

• Focus on functional requirements

• Knows about:

– OWASP Top 10

– 1 threat (DEADLINE fail)

• Concentrated on risks

«I know when I'm writing code I'm not thinking about evil, I'm just trying to think about functionality» (c) Scott Hanselman

Security Officer

• Focused on security requirements

• Knows the difference between a vulnerability and an attack

• Focused on vulnerabilities

Risks are for managers, not developers

Typical Security Report delivered by security firm

Typical Security Report delivered by other auditor

How security is linked to development

Then the process of re-Coding, re-Building, re-Testing, re-Auditing starts

3rd party or internal audit

Tons of security defects

BACK to re-Coding, re-Building, re-Testing, re-Auditing

How much time do you need to fix security issues in the app?

How it should look

With a proper Security Program, the number of security defects should decrease from phase to phase

Automated security tests

CI integrated

Manual security tests

OWASP methodology

Secure coding trainings

Regular vulnerability scans

Primary Benefits

Minimize the costs of security-related issues

Avoid repetitive security issues

Avoid an inconsistent level of security

Determine the activities that pay back fastest in the current state of the project

Secure Development Lifecycle

Mapping SDL to Agile

• Every-Sprint practices: Essential security practices that should be performed in every release.

• Bucket practices: Important security practices that must be completed on a regular basis but can be spread across multiple sprints during the project lifetime.

• One-Time practices: Foundational security practices that must be established once at the start of every new Agile project.

Microsoft SDL

Response Phase

• SDL Practice #17: Execute Incident Response Plan

– Analysis of vulnerability information

– Risk calculation

– Patch release

– Client notification

– Information publishing

Value

20-40% decrease in time for testing/re-testing

Catch problems as soon as possible

Avoid repetitive security issues

Improve Security Expertise/Practices for current Team

Automation, Integration, Continuously

Proactive Security Reporting

Full coverage

CI SECURITY

Typical CI Workflow

Continuous Integration Delivery Deployment

High level vision

Dynamic Security Testing

Static Code Analysis

CI tools

Deploying application

Security Reports

Pull source code

CI Security process

Build

• Build code with special debug options

Deploy

• Pack build and code

• Deploy app to VM for test

Test Security

• Run code test

• Run test of the dynamic web application from the VM with security tools

Analyze

• Collect and format results

• Verify results

• Filter false positives / negatives

• Tune scanning engine

• Fix defects
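The Analyze step above (collect results, filter false positives, fix defects) is where a scan report becomes a build decision. The script below is an added example, not code from the original deck: it flattens a constructed report laid out in the shape of an OWASP ZAP JSON report (site → alerts → instances; this layout is an assumption), drops findings that match a reviewed suppression list of (plugin id, URI glob) pairs (a format chosen here, not a tool's own), and fails the CI job when anything unsuppressed is Medium or higher.

```python
import fnmatch

# Constructed sample scan result in the shape of a ZAP JSON report (assumption);
# riskcode: 0 Informational, 1 Low, 2 Medium, 3 High.
SAMPLE_REPORT = {"site": [{"@name": "http://test-vm:8080", "alerts": [
    {"pluginid": "40012", "name": "Cross Site Scripting (Reflected)", "riskcode": "3",
     "instances": [{"uri": "http://test-vm:8080/search", "method": "GET", "param": "q"}]},
    {"pluginid": "10021", "name": "X-Content-Type-Options Header Missing", "riskcode": "1",
     "instances": [{"uri": "http://test-vm:8080/static/app.js", "method": "GET", "param": ""}]},
    {"pluginid": "90022", "name": "Application Error Disclosure", "riskcode": "2",
     "instances": [{"uri": "http://test-vm:8080/health", "method": "GET", "param": ""}]},
]}]}

# Reviewed false positives kept in version control next to the pipeline:
# (pluginid, URI glob). A hit is suppressed only when both match. Constructed.
SUPPRESSIONS = [("90022", "*/health")]  # /health returns a fixed diagnostic string


def flatten_findings(report):
    """One record per (alert, instance) so each hit can be filtered and listed."""
    out = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            for inst in alert.get("instances", []):
                out.append({"pluginid": alert["pluginid"], "name": alert["name"],
                            "risk": int(alert["riskcode"]), "uri": inst["uri"],
                            "method": inst.get("method", ""), "param": inst.get("param", "")})
    return out


def is_suppressed(finding, suppressions):
    """Plugin id must match exactly and the URI must match the glob."""
    return any(finding["pluginid"] == pid and fnmatch.fnmatch(finding["uri"], glob)
               for pid, glob in suppressions)


def gate(report, suppressions, fail_at_risk=2):
    """Return (passed, kept): the build fails when any unsuppressed finding is at
    or above fail_at_risk (2 = Medium); Low/Info are reported but not blocking."""
    kept = [f for f in flatten_findings(report) if not is_suppressed(f, suppressions)]
    return not any(f["risk"] >= fail_at_risk for f in kept), kept


if __name__ == "__main__":
    passed, findings = gate(SAMPLE_REPORT, SUPPRESSIONS)
    for f in sorted(findings, key=lambda f: -f["risk"]):
        print(f"[risk {f['risk']}] {f['name']} {f['method']} {f['uri']} param={f['param']!r}")
    raise SystemExit(0 if passed else 1)
```

Keeping the suppression list in the repository, with a comment per entry, gives the "verify results" step an audit trail: a suppression is a reviewed decision that can be revisited when the scanner is tuned.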

Tools for Secure SDLC

• IBM AppScan Source

• Burp Suite

• Sonar

• OWASP ZAP

• HP Fortify

• Netsparker

• Coverity

• Veracode

Supported Languages

• Java

• .NET (C#, ASP.NET, and VB.NET)

• JSP

• Client-side JavaScript

• Cold Fusion

• C/C++

• Classic ASP (both JavaScript/VBScript)

• PHP, Perl

• Visual Basic 6

• COBOL

• T-SQL, PL/SQL

Analysis of App Security Statistic

Sonar – for code quality coverage

Code Security Analysis

We are able to detect the line of buggy code

Filtering false positives

It really works!

Applications Secured - Business Protected

THANK YOU

Email: root.nt@gmail.com

Skype: root_nt
