Page 1
OWASP InfoSec Romania 2013
October 25th 2013
Martin Knobloch
OWASP Netherlands Chapter Leader
Secure Development Lifecycle, The good, the bad and the ugly!
Page 3
Applications are about information!
• 3 pillars of Information Security:
– Confidentiality
– Integrity
– Availability
Page 4
Requirements diagram (labels recovered from the slide):
• User requirements
• Business requirements
• System requirements
• Functional / Non-functional
• Business rules, External interfaces, Constraints
• ‘Why’, ‘What’, ‘How’
Page 5
Development Environment: WebServer, Application Server, Database Server
Test Environment: WebServer, Application Server, Database Server
Production Environment: WebServer, Application Server, Database Server
System Environment diagram: Internet, Web Application, Back Office, Database, with three firewalls separating the DMZ and the private networks
Questions asked at each tier: System user? System access? Error handling? Database access? User rights? User privileges?
Page 6
Your security “perimeter” has huge holes at the application layer
Diagram: the network layer (Firewall, Hardened OS, Web Server, App Server, Firewall) in front of the application layer (Custom Developed Application Code sitting before Databases, Legacy Systems, Web Services, Directories, Human Resources, Billing); the APPLICATION ATTACK passes straight through the network layer
You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks
Page 7
An Attacker has 24x7x365 to Attack
Timeline: two Scheduled Pen-Tests in the year versus the continuous Attacker Schedule
The Defender has 20 man days per year to detect and defend
Page 8
Tools – At Best 45%
• MITRE found that all application security tool vendors’ claims put together cover only 45% of the known vulnerability types (695)
• They found very little overlap between tools, so to get 45% you need them all (assuming their claims are true)
Page 12
Cartoon: what each party in the project delivers
• Explanation by Sponsor
• Project Leader interpretation
• Design by Analyst
• Coded Program
• Bus. Consultant Description
• Project Documentation
• Operations Installation
• Customer Billing
• Support Performed
• Actual User Wants and Needs
Page 15
OWASP Framework
SDLC & OWASP Guidelines
Page 16
CLASP
Touchpoints
Microsoft SDL
Page 19
CLASP
• Comprehensive, Lightweight Application Security Process
– Centered around 7 AppSec Best Practices
– Covers the entire software lifecycle (not just development)
• Adaptable to any development process
– Defines roles across the SDLC
– 24 role-based process components
– Start small and dial in to your needs
Page 21
Part of the ‘Big 4’
Building Guide
Code Review Guide
Testing Guide
Application Security Desk Reference (ASDR)
Page 22
• Free and open source – GNU Free Documentation License
• Most platforms – Examples are J2EE, ASP.NET, and PHP
• Comprehensive
– Threat Modeling
– Advice & Best Practices
– Web Services
– Key AppSec Areas:
• Authorization/Authentication
• Session Management
• Data Validation
Page 23
What it is:
• Examination of developed source code for quality.
• Security = Quality
• Robust & Stable code
• More Expensive
• Can be more Accurate
• Requires unique skill set to do properly
What it isn't:
• Silver Bullet
• Replacement for other security controls
• Replacement for poor application development
• Easy
• Cheap (not manual, anyway)
Page 25
• 1. Frontispiece
• 2. Introduction
• 3. The OWASP Testing Framework
• 4. Web Application Penetration Testing
• 5. Writing Reports: value the real risk
• Appendix A: Testing Tools
• Appendix B: Suggested Reading
• Appendix C: Fuzz Vectors
• Appendix D: Encoded Injection
Page 27
Part of the ‘Big 4 +1’
Building Guide
Code Review Guide
Testing Guide
Application Security Desk Reference (ASDR)
ASVS
Page 28
ASVS verification levels diagram: Depth – Level of Rigor plotted against Breadth – Number of Requirements, starting from Scan
Coverage assumptions: No malicious developers; The design has to be right; The controls have to be right
Page 29
Find Vulnerabilities Using the Running Application:
– Automated Application Vulnerability Scanning
– Manual Application Penetration Testing
Find Vulnerabilities Using the Source Code:
– Automated Static Code Analysis
– Manual Security Code Review
Page 30
Part of the ‘Big 4 +2’
Building Guide
Code Review Guide
Testing Guide
Application Security Desk Reference (ASDR)
ASVS
SAMM
Page 32
• Start with the core activities tied to any organization performing software development
• Named generically, but should resonate with any developer or manager
Page 33
SAMM Security Practices
• From each of the Business Functions, 3 Security Practices are defined
• The Security Practices cover all areas relevant to software security assurance
• Each one is a ‘silo’ for improvement
Page 34
Assessment process
• Supports both lightweight and detailed assessments
• Organizations may fall in between levels (+)
Page 35
Threat Modeling – The Basics
• Asset: Valuable resource
• Vulnerability: Exploitable weakness
• Threat: Causes harm
• Risk: Chance of harm occurring
• Countermeasure: Reduces risk
Page 36
Why start again?
Diagram: Asset → Threat → Risk is low (Countermeasure) → Dependency → Dependency’s Threat → Dependency’s Countermeasure → …
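The two threat-modelling slides above (the basic vocabulary and the ‘Why start again?’ dependency chain) as an added Python example; this is not code from the talk or from any OWASP project. It models the point that an asset’s risk is only low once every countermeasure’s dependencies have themselves been threat modelled and mitigated: a mitigated threat leads on to the components its countermeasure relies on, and a dependency nobody modelled is reported as a finding. The component names and threats in the sample model are constructed for illustration.

```python
"""Walk a threat model through countermeasure dependencies.

Added example (not from the slides): the vocabulary of the
'Threat Modeling - The Basics' slide (asset, threat, countermeasure,
risk) plus the 'Why start again?' chain: a countermeasure that depends
on another component inherits that component's threats, so the model
has to be run again for each dependency. All names here are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Countermeasure:
    name: str
    # Components the countermeasure relies on; each one needs its own model.
    depends_on: list[str] = field(default_factory=list)


@dataclass
class Threat:
    name: str
    countermeasure: Optional[Countermeasure] = None  # None = unmitigated


@dataclass
class Asset:
    name: str
    threats: list[Threat] = field(default_factory=list)


def open_threats(model: dict[str, Asset], root: str) -> list[str]:
    """Return every reason the risk to `root` is not low.

    Breadth-first walk: an unmitigated threat is a finding, a mitigated
    threat sends the walk on to the components its countermeasure depends
    on, and a dependency that is absent from the model is itself a
    finding. The `seen` set stops cycles (A relies on B, B relies on A).
    """
    findings: list[str] = []
    seen: set[str] = set()
    queue = [root]
    while queue:
        name = queue.pop(0)
        if name in seen:
            continue
        seen.add(name)
        asset = model.get(name)
        if asset is None:
            findings.append(f"{name}: not threat modelled")
            continue
        for threat in asset.threats:
            if threat.countermeasure is None:
                findings.append(f"{name}: {threat.name} (no countermeasure)")
            else:
                queue.extend(threat.countermeasure.depends_on)
    return findings


def risk_is_low(model: dict[str, Asset], root: str) -> bool:
    """Risk is low only when the whole dependency chain is clean."""
    return not open_threats(model, root)


def build_sample_model() -> dict[str, Asset]:
    """Constructed sample: a record store whose protection chains down to
    a secrets vault and a build pipeline."""
    return {
        "customer_records": Asset("customer_records", [
            Threat("unauthorised read",
                   Countermeasure("row-level authorisation in the app tier",
                                  depends_on=["app_server"])),
        ]),
        "app_server": Asset("app_server", [
            Threat("stolen database credentials",
                   Countermeasure("credentials fetched from the vault at start-up",
                                  depends_on=["secrets_vault"])),
            Threat("tampered deployment artefact",
                   Countermeasure("only signed artefacts are deployed",
                                  depends_on=["build_pipeline"])),
        ]),
        "secrets_vault": Asset("secrets_vault", [
            Threat("vault token left in the process environment"),  # nothing yet
        ]),
        # "build_pipeline" is deliberately absent: nobody modelled it.
    }


if __name__ == "__main__":
    model = build_sample_model()
    for line in open_threats(model, "customer_records"):
        print(line)
    print("risk is low:", risk_is_low(model, "customer_records"))
```

Run against the sample model, the walk never reports a problem with the customer records themselves; the two findings come from the vault two hops down and from the build pipeline that was never modelled, which is exactly the ‘start again’ signal the slide is about.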
Page 37
> Applications are about information
> Confidentiality, Integrity & Availability
> Explicit security requirements
> Make security verifiable!
> Security in depth
> Security considered through the whole application
> Propagation of credentials
> Security by default
> Who may do what?
>> More code == more bugs! <<
Page 38
Functional Designers & Architects: > It is not only about what functionality the application has to supply, but also about what it may not!
Engineers: > Quality is not just ‘does it work’.
Testers: > Security weaknesses are no different from other, functional, bugs. They can be traced down the same way.
Managers: > Reserve project time for security
> Understand security as a mandatory value of an application
Security Analyst: > Involve a security analyst at the beginning of the design phase.
Page 39
That’s it… thank you!