Software Development Security: Setup or Evolution, Best Practices - Viswanath Chirravuri -...
SOFTWARE DEVELOPMENT SECURITY PROGRAM: SETUP OR EVOLUTION
BY VISWANATH S CHIRRAVURI, GEMALTO
30 MIN TO KEEP OUR EARS ACTIVE…
Program overview
More focus on security during software development
Future trends
Success criteria
VISWANATH S CHIRRAVURI, GEMALTO, Wednesday, 12 October, 2016
PROGRAM OBJECTIVES… [APPLICATION SECURITY]
Identify & categorize (based on sensitivity) software products or applications across the firm
Realize the required external security regulations and compliance (based on Legal, Industry and Country) [Policy, Standards, Procedures and Guidelines]
Recruit necessary security people for security activities in governance, development and operations
Apply security based on the sensitivity of the application (the more sensitive the application, the more secure and trusted it has to be)
Build or buy security training material [awareness, basic, autonomous, expert] (SANS, etc.)
Define, build & maintain risk assessment approach and methodology
Embed security into SDLC based on dev-model [Waterfall, Agile, etc.]
Build & maintain cyber threat intelligence [STRIDE, Attack patterns, WAF deployment, etc.]
Conduct penetration testing on the deployed software [blackbox, greybox or whitebox]
Define and Implement vulnerability management approach and methodology
Translate each vulnerability into a security risk and treat it [Mitigate, Avoid, Transfer, Accept]
Create and maintain CSIRT & Forensic team
Main mission: Guarantee the fundamental security properties of the software offered to our customers or users
SOFTWARE DEVELOPMENT SECURITY
Starts by adding a security quotation at project kick-off (for every new version release)
Area to focus | Free | Commercial
Adding security requirements (based on application technology & functionality) | OWASP ASVS | -
Architecture / design security [Threat Modelling] (recommended to be manual) | Microsoft SDL, OWASP, etc. | -
Source code security (SAST) | - | Fortify, Checkmarx, Coverity, AppScan Source, Veracode
Third-party library security | OWASP Dependency Check | Sonatype Nexus, BlackDuck Hub, etc.
Security testing (DAST, IAST) | OWASP ZAP, BurpSuite | WebInspect, BurpSuite Pro, Contrast, AppScan, etc.
WAF / RASP setup or maintenance | modsecurity.org | F5 ASM, Imperva, Veracode, Contrast
Risk assessment | ISO 27005, DREAD, simplerisk | -
Build or update vulnerability dashboards to realize trends per release | Threadfix | Threadfix Enterprise
Platform security scan (App Servers, Web Servers, Databases, OS, etc.) | OpenVAS | Nessus, Nexpose, etc.
TLS / SSL scan: https://testssl.sh, Qualys
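The risk assessment row (DREAD) and the treatment options named in the program objectives (Mitigate, Avoid, Transfer, Accept) are easier to apply once they are written down as a rule. The Python below is an added illustration, not code from the presentation or from Gemalto: it scores a finding with DREAD, maps the score to a level using cut-offs that tighten with the sensitivity of the application, and picks a treatment. The 1..10 factor scale, the cut-off values and the treatment policy are assumptions made for the example.

```python
"""Rate a finding with DREAD and pick a risk treatment.

Added illustration, not the presentation's or Gemalto's code. Assumptions:
each DREAD factor is scored 1 (low) to 10 (high), the rating is their
arithmetic mean, and the sensitivity-dependent cut-offs and treatment
policy below are made up for the example.
"""
from dataclasses import dataclass
from statistics import mean

DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")

# Assumed cut-offs (score at or above which a level applies), keyed by
# application sensitivity: the more sensitive the application, the lower the bar.
LEVEL_CUTOFFS = {            # sensitivity: (medium, high, critical)
    "low":    (4.0, 6.5, 8.5),
    "medium": (3.5, 6.0, 8.0),
    "high":   (3.0, 5.0, 7.0),
}


@dataclass(frozen=True)
class Finding:
    title: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int


def dread_score(finding: Finding) -> float:
    """Mean of the five DREAD factors, each validated to lie within 1..10."""
    values = [getattr(finding, name) for name in DREAD_FACTORS]
    bad = [v for v in values if not 1 <= v <= 10]
    if bad:
        raise ValueError(f"DREAD factors must be 1..10, got {bad}")
    return round(mean(values), 2)


def risk_level(score: float, sensitivity: str) -> str:
    """Map a DREAD score to Low/Medium/High/Critical for the given sensitivity."""
    medium, high, critical = LEVEL_CUTOFFS[sensitivity]
    if score >= critical:
        return "Critical"
    if score >= high:
        return "High"
    if score >= medium:
        return "Medium"
    return "Low"


def treatment(level: str, fix_feasible: bool, transfer_possible: bool = False) -> str:
    """Choose one of the four options: Mitigate, Avoid, Transfer, Accept.

    Illustrative policy: Critical and High must be fixed before release; a
    Critical finding that cannot be fixed means the feature is not shipped
    (Avoid). Medium may be transferred (contract, insurance) when that is
    possible, otherwise fixed. Low is accepted and tracked.
    """
    if level == "Critical" and not fix_feasible:
        return "Avoid"
    if level in ("Critical", "High"):
        return "Mitigate"
    if level == "Medium":
        return "Transfer" if transfer_possible else "Mitigate"
    return "Accept"


def assess(finding: Finding, sensitivity: str,
           fix_feasible: bool = True, transfer_possible: bool = False) -> dict:
    """Full assessment of one finding: score, level and chosen treatment."""
    score = dread_score(finding)
    level = risk_level(score, sensitivity)
    return {"title": finding.title, "score": score, "level": level,
            "treatment": treatment(level, fix_feasible, transfer_possible)}


# Constructed sample findings (scores are illustrative, not measured)
SQLI = Finding("SQL injection in login form", damage=9, reproducibility=8,
               exploitability=8, affected_users=9, discoverability=7)
BANNER = Finding("Verbose server version banner", damage=2, reproducibility=9,
                 exploitability=3, affected_users=3, discoverability=9)

if __name__ == "__main__":
    for f in (SQLI, BANNER):
        for sensitivity in ("low", "high"):
            print(sensitivity, assess(f, sensitivity))
```

The same banner finding rates Medium for a low-sensitivity application and High for a high-sensitivity one, which is the point of tying the cut-offs to the categorisation done at the start of the program.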
SECURITY IN AGILE (WITH CI-CD)
[Figure: security in Agile with CI-CD. Preparation phase: secure-coding training for developers before assigning them to projects (e.g. SecureCodeWarrior, www.securecodewarrior.com); evaluate the developers' knowledge (quiz?). Development & delivery phase: each sprint (Sprint-1 to Sprint-6) delivers an application version (v1.0, v1.0.1, v1.0.21, v1.0.35, v1.0.43, v1.0.56, v1.0.62) and repeats the same three security steps: Threat Modelling, Automated SAST + TPL, Automated DAST/IAST.]
[Manual] Security Requirements + [Manual] Architecture & Design security analysis
[Automated] SAST tool + [Automated] Third-party lib security scan
[Automated] DAST / IAST tool + Auto-generate WAF rules + risk assessment
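Once the SAST, third-party library and DAST/IAST stages run on every sprint, something has to read their output, feed the per-release dashboard and decide whether the version may ship. The Python below is an added example of that gate step, not code from the presentation or from any of the tools named above. Because Fortify, Dependency Check, ZAP and the rest each have their own report format, it assumes each stage has already been exported into a small common JSON shape (assumed here), and both release reports are constructed for the example; the "CVE-XXXX-0001" id is a placeholder, not a real identifier.

```python
"""Release gate over the automated SAST + TPL + DAST/IAST stages.

Added example, not the presentation's code and not any vendor's API.
Assumes every stage has already exported its findings into this common
JSON shape: {"tool": "<name>", "findings": [{"id", "severity", "location"}]}.
The two release reports below are constructed; CVE-XXXX-0001 is a placeholder.
"""
import json
from collections import Counter

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Assumed gate policy: the highest severity a release may ship with, keyed by
# application sensitivity (cf. "apply security based on sensitivity").
MAX_ALLOWED = {"low": "high", "medium": "medium", "high": "low"}

PREVIOUS_RELEASE = json.loads("""{
  "version": "v1.0.35",
  "reports": [
    {"tool": "sast", "findings": [
      {"id": "CWE-89", "severity": "High", "location": "LoginDao.java:42"},
      {"id": "CWE-79", "severity": "Medium", "location": "profile.jsp:17"}]},
    {"tool": "tpl", "findings": [
      {"id": "CVE-XXXX-0001", "severity": "Critical", "location": "example-lib-1.2.3.jar"}]},
    {"tool": "dast", "findings": [
      {"id": "missing-hsts", "severity": "Low", "location": "https://app.example/"}]}
  ]}""")

CURRENT_RELEASE = json.loads("""{
  "version": "v1.0.43",
  "reports": [
    {"tool": "sast", "findings": [
      {"id": "CWE-79", "severity": "Medium", "location": "profile.jsp:17"},
      {"id": "CWE-79", "severity": "Medium", "location": "profile.jsp:17"},
      {"id": "CWE-601", "severity": "Medium", "location": "Redirect.java:10"}]},
    {"tool": "tpl", "findings": []},
    {"tool": "dast", "findings": [
      {"id": "missing-hsts", "severity": "Low", "location": "https://app.example/"}]}
  ]}""")


def load_findings(reports):
    """Flatten per-tool reports into one list, dropping exact duplicates
    (same id at the same location reported twice, e.g. by two rules)."""
    seen, out = set(), []
    for report in reports:
        for f in report["findings"]:
            key = (f["id"], f["location"])
            if key in seen:
                continue
            seen.add(key)
            out.append({"tool": report["tool"], "id": f["id"],
                        "severity": f["severity"].lower(), "location": f["location"]})
    return out


def severity_counts(findings):
    """Counts per severity: one row of the per-release vulnerability dashboard."""
    return dict(Counter(f["severity"] for f in findings))


def trend(prev_counts, cur_counts):
    """Delta per severity between two releases (negative means fewer findings)."""
    return {s: cur_counts.get(s, 0) - prev_counts.get(s, 0)
            for s in set(prev_counts) | set(cur_counts)}


def new_findings(prev, cur):
    """Findings in the current release that the previous release did not have."""
    known = {(f["id"], f["location"]) for f in prev}
    return [f for f in cur if (f["id"], f["location"]) not in known]


def gate(findings, sensitivity):
    """Block the release if any finding exceeds the severity allowed for this sensitivity."""
    allowed = SEVERITY_RANK[MAX_ALLOWED[sensitivity]]
    blocking = [f for f in findings if SEVERITY_RANK[f["severity"]] > allowed]
    return {"passed": not blocking, "blocking": blocking}


def evaluate_release(previous, current, sensitivity):
    """Dashboard row, trend against the previous release, new findings and gate verdict."""
    prev = load_findings(previous["reports"])
    cur = load_findings(current["reports"])
    counts = severity_counts(cur)
    return {"version": current["version"], "counts": counts,
            "trend": trend(severity_counts(prev), counts),
            "new": new_findings(prev, cur), "gate": gate(cur, sensitivity)}


if __name__ == "__main__":
    result = evaluate_release(PREVIOUS_RELEASE, CURRENT_RELEASE, "medium")
    print(json.dumps(result, indent=2))
    raise SystemExit(0 if result["gate"]["passed"] else 1)
```

Run as the last step of the build, the exit status is what the CI job (Jenkins, etc.) uses to stop the release, while the printed JSON is what the dashboard ingests; the "new" list is the part worth handing to threat modelling for the next sprint, since the rest are known risks already under treatment.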
WHAT’S IN PIPELINE?
- Fully automated anti-virus scan of the software developed (before release)
- Fully automated security scan when deployed into cloud platform
- Automated platform hardening
- Automated application security fixes (better virtual patching)
- New ways of authentication (out of the band verification, etc.)
- RASP evolution
- Better cryptography to handle secret / private data
- More penetration testing tools
SUCCESS OF THIS PROGRAM RELIES ON…
Strong support from senior management of the company towards security
Ability to push security awareness to development managers and business owners and secure coding to developers
Strong tie-ups between security engineer and the application development team
Strong tie-ups between security engineer and the application deployment / operations team
Strong tie-ups between application development team and deployment / operations team on security activities
The selection of right security tools and the time available to the security engineer to perform comprehensive vulnerability assessment, security audit, penetration testing, risk assessment
Mitigation solutions implemented by the application development or maintenance team
Ability (skill set) of the security engineer to explain the risk of the identified security issue to the application stakeholders and to continuously synchronize with the latest industry trends (technologies, zero-days, etc.)
Ability to periodically convince management on investment vs. return (KPI) to keep it well balanced
SECURITY IS COSTLY?
A. Cost of security = $$
• costs of hiring and maintaining security people
• recurring costs of threat modeling for every application release
• costs of implementing security requirements
• one-time cost of integrating SAST+DAST+IAST tools into the build system (Jenkins, Hudson, Maven, Ant, etc.)
• recurring costs of managing identified security issues / risk treatment
B. Cost of non-security = $$$$$$$$$$$$$
• costs of legal claims by customers or end users when your company's software gets hacked
• costs of legal claims by country governments due to non-compliance with regulatory needs
• costs of reputation loss to the firm (due to attack) and impact on future company sales
• costs of software downtime caused by hacks
In any industry, any technology, any business, any country, it is almost always proven that
A < B