Software Development Security: Setup or Evolution, Best Practices - Viswanath Chirravuri -...


Page 1: Software Development Security: Setup or Evolution, Best Practices - Viswanath Chirravuri - DevSecOpsSg

SOFTWARE DEVELOPMENT SECURITY PROGRAM: SETUP OR EVOLUTION

BY VISWANATH S CHIRRAVURI, GEMALTO

Page 2

30 MIN TO KEEP OUR EARS ACTIVE…

Program overview

More focus on security during software development

Future trends

Success criteria

Viswanath S Chirravuri, Gemalto, Wednesday, 12 October 2016

Page 3

PROGRAM OBJECTIVES… [APPLICATION SECURITY]

Identify & categorize (based on sensitivity) software products or applications across the firm

Realize the required external security regulations and compliance (based on Legal, Industry and Country) [Policy, Standards, Procedures and Guidelines]

Recruit necessary security people for security activities in governance, development and operations

Apply security based on the sensitivity of the application (the more sensitive the application, the higher the required level of security and trust)

Build or buy security training material [awareness, basic, autonomous, expert] (SANS, etc.)

Define, build & maintain risk assessment approach and methodology

Embed security into SDLC based on dev-model [Waterfall, Agile, etc.]

Build & maintain cyber threat intelligence [STRIDE, Attack patterns, WAF deployment, etc.]

Conduct penetration testing on the deployed software [blackbox, greybox or whitebox]

Define and Implement vulnerability management approach and methodology

Transform the vulnerability into security risk and handle it [Mitigate, Avoid, Transfer, Accept]

Create and maintain CSIRT & Forensic team


Main mission: Guarantee the fundamental security properties of the software offered to our customers or users

Page 4

SOFTWARE DEVELOPMENT SECURITY

Starts by adding a security quotation at project kick-off (for every new version release)

Area to focus | Security tools / methodology (Free) | Security tools / methodology (Commercial)
--- | --- | ---
Adding security requirements (based on application technology & functionality) | OWASP ASVS | -
Architecture / design security [Threat Modelling] (recommended to be manual) | Microsoft SDL, OWASP, etc. | -
Source code security (SAST) | - | Fortify, Checkmarx, Coverity, AppScan Source, Veracode
Third-party library security | OWASP Dependency Check | Sonatype Nexus, BlackDuck Hub, etc.
Security testing (DAST, IAST) | OWASP ZAP, BurpSuite | WebInspect, BurpSuite Pro, Contrast, AppScan, etc.
WAF / RASP setup or maintenance | modsecurity.org | F5 ASM, Imperva, Veracode, Contrast
Risk assessment | ISO 27005, DREAD, simplerisk | -
Build or update vulnerability dashboards to realize trends per release | Threadfix | Threadfix Enterprise
Platform security scan (App Servers, Web Servers, Databases, OS, etc.) | OpenVAS | Nessus, Nexpose, etc.
TLS / SSL scan | https://testssl.sh | Qualys

Page 5

SECURITY IN AGILE (WITH CI-CD)

[Diagram: security activities across sprints and application versions in an Agile CI-CD pipeline. Recoverable content of the diagram follows.]

PREPARATION PHASE

- Training developers: secure-coding training to developers before assigning them to projects, e.g. SecureCodeWarrior (www.securecodewarrior.com)

- Evaluate the developers' knowledge (quiz?)

DEVELOPMENT & DELIVERY PHASE

Repeated for every application version (the diagram shows v1.0, v1.0.1, v1.0.21, v1.0.35, v1.0.43, v1.0.56 and v1.0.62 across Sprint-1 to Sprint-6), each sprint runs the same three security steps:

- Threat Modelling: [Manual] Security Requirements + [Manual] Architecture & Design security analysis

- Automated SAST + TPL: [Automated] SAST tool + [Automated] Third-party lib security scan

- Automated DAST/IAST: [Automated] DAST / IAST tool + Auto-generate WAF rules + risk assessment
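Added example (not from the slides or any tool they name): the release-level logic that sits behind the "vulnerability dashboard with trends per release" item of Page 4 and the automated SAST/TPL/DAST gate of the pipeline above. It takes scanner-neutral findings (constructed sample data; the CVE ids are placeholders) for two consecutive versions, reports what is new, fixed and carried over, and blocks a release on severity or CVSS unless the risk-assessment step has formally accepted the finding.

```python
from collections import Counter

# Constructed scanner-neutral findings for two releases; version labels follow
# the slide (v1.0.21 -> v1.0.35). CVE ids are placeholders, not real advisories.
PREVIOUS_RELEASE = [  # v1.0.21
    {"source": "sast", "id": "SQLI-ordersvc-41", "severity": "high", "cvss": 8.1},
    {"source": "tpl", "id": "CVE-PLACEHOLDER-1", "severity": "medium", "cvss": 5.3},
    {"source": "tpl", "id": "CVE-PLACEHOLDER-2", "severity": "low", "cvss": 3.1},
]
CURRENT_RELEASE = [  # v1.0.35
    {"source": "tpl", "id": "CVE-PLACEHOLDER-1", "severity": "medium", "cvss": 5.3},
    {"source": "tpl", "id": "CVE-PLACEHOLDER-3", "severity": "critical", "cvss": 9.8},
    {"source": "sast", "id": "XSS-ui-12", "severity": "medium", "cvss": 6.1},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def trend(previous, current):
    """Dashboard numbers for one release: counts by severity plus which
    finding ids are new, fixed since the previous release, or carried over."""
    prev_ids = {f["id"] for f in previous}
    cur_ids = {f["id"] for f in current}
    return {
        "counts": dict(Counter(f["severity"] for f in current)),
        "new": sorted(cur_ids - prev_ids),
        "fixed": sorted(prev_ids - cur_ids),
        "carried": sorted(cur_ids & prev_ids),
    }


def gate(findings, accepted_ids=frozenset(), block_at="high", max_cvss=7.0):
    """Release gate run after the SAST/TPL/DAST stages; returns (passed, blockers).
    A finding blocks when its severity is at or above block_at or its CVSS reaches
    max_cvss, unless risk assessment recorded it as accepted (id in accepted_ids).
    Accepted risks still show up in trend(); they just do not stop the release."""
    blockers = sorted(
        f["id"] for f in findings
        if f["id"] not in accepted_ids
        and (SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[block_at]
             or f["cvss"] >= max_cvss)
    )
    return (not blockers, blockers)


if __name__ == "__main__":
    print(trend(PREVIOUS_RELEASE, CURRENT_RELEASE))
    print(gate(CURRENT_RELEASE))                                      # blocked
    print(gate(CURRENT_RELEASE, accepted_ids={"CVE-PLACEHOLDER-3"}))  # passes
```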

Page 6

WHAT'S IN THE PIPELINE?

- Fully automated anti-virus scan of the software developed (before release)

- Fully automated security scan when deployed into cloud platform

- Automated platform hardening

- Automated application security fixes (better virtual patching)

- New ways of authentication (out-of-band verification, etc.)

- RASP evolution

- Better cryptography to handle secret / private data

- More penetration testing tools

Page 7

SUCCESS OF THIS PROGRAM RELIES ON…

Strong support from senior management of the company towards security

Ability to push security awareness to development managers and business owners and secure coding to developers

Strong tie-ups between security engineer and the application development team

Strong tie-ups between security engineer and the application deployment / operations team

Strong tie-ups between application development team and deployment / operations team on security activities

The selection of the right security tools and the time available to the security engineer to perform comprehensive vulnerability assessment, security audit, penetration testing and risk assessment

Mitigation solutions implemented by the application development or maintenance team

Ability (skill set) of the security engineer to:

- explain the risk of the identified security issue to the application stakeholders

- continuously synchronize with the latest industry trends (technologies, zero-days, etc.)

Ability to periodically convince management on investment vs. return (KPI) to keep it well balanced

Page 8

SECURITY IS COSTLY?

A

Cost of security = $$

• costs of hiring and maintaining security people

• recurring costs of threat modeling for every application release

• costs of implementing security requirements

• one time cost of integrating SAST+DAST+IAST tools into build system (Jenkins, Hudson, Maven, Ant, etc.)

• recurring costs of managing identified security issues / risk treatment

B

Cost of non-security = $$$$$$$$$$$$$

• costs of legal claims by customers or end users when your company's software gets hacked

• costs of legal claims by country governments due to non-compliance with regulatory needs

• costs of reputation loss to the firm (due to attack) and impact on future company sales

• costs of software downtime created by hacks

In any industry, any technology, any business, any country, it is almost always proven that

A < B
