Download to read offline
Uploaded bySigma Software
Дмитро Терещенко, "How to secure your application with Secure SDLC"
More Related Content
Similar to Дмитро Терещенко, "How to secure your application with Secure SDLC"
More from Sigma Software
Дмитро Терещенко, "How to secure your application with Secure SDLC"
- 1. Security Practices in SoftwareDevelopment (S-SDLC) Dmytro Tereshchenko, Head of Information Security Department Open Tech Week, December, 2020
- 3. BASIC RULES — Humanis the weakest link Don’t rely ONLY on OWASP Top 10 or SANS Top 25 «Hackers only need to be lucky once. You need to be lucky every time». Source «I'm not a bug hunter I'm a tech debt collector». Source 3
- 4.
- 5. 5 SIMPLIFIED SOFTWARE DEVELOPMENTLIFECYCLE — Requirements Design Development Testing Deployment SDLC
- 6. 6 COMMON CASE — Requirements DesignDevelopment Testing Deployment SDLC Penetration Testing
- 7. 7 SIMPLIFIED S-SDLC &SHIFT LEFT APPROACH — Requirements Design Development Testing Deployment Security Requirements Threat Modeling SAST/DAST Penetration Testing Hardening & Monitoring Security in SDLC Software Development Lifecycle Security Issues fixing cost
- 8. 8 SECURE SOFTWARE DEVELOPMENT LIFECYCLE — CommonS-SDLC Standards: ISO 27034 NIST SP 800-64 BSIMM Microsoft S-SDLC OWASP SAMM
- 9. 9 OWASP SAMM v2FRAMEWORK — Security Assurance Implementation Verification OperationsDesignGovernance Defect Management Security Testing Operational Management Security Architecture Education & Guidance Secure Deployment Requirements Driven Testing Environment Management Security Requirements Policy & Compliance Secure Build Architecture Assessment Incident Management Threat Assessment Strategy & Metrics
- 10. 10 SECURITY TESTING (ST) PRACTICE — ScalableBaseline: Level 1 - Detect software vulnerabilities with automated security testing tools; Level 2 - Improves the efficiency and effectiveness of security testing automation by customizing them towards the software; Level 3 - Allows to detect software vulnerabilities at the speed of build and deployment by integrating test tools as part of this process; Deep Understanding: Level 1 - Detect vulnerabilities that cannot by found with tools; Level 2 - Tests the robustness of the software by emulating an attacker that tries to penetrate it; Level 3 - Identify security issues earlier in the development process by testing security early and often
- 11.
- 12.
- 13. Employees arethe first line of defense. List of Security Trainings in Sigma Software: Security Training Course for Development Team; Security Awareness Training; Personal Data Protection & GDPR Training; Secure SDLC (Secure Software Engineering); Security Champions. TRAININGS FOR EMPLOYEES — 13 Education & Guidance
- 14. 14 SECURITY TRAINING COURSE — GENERAL INFO: All topics in Security Fundamentals Training Course correspond to OWASP Top 10 (2017) and OWASP Testing Guide; The course consists of 8 workshops; The duration of one workshop is 90 minutes; All presentation materials have links for in-depth self-study and additional practical exercises; After each module there is a quiz and a practical tasks; It will take 4-6 hours for self-study and homework for each module;
- 15. Stream A:Application Risk Profile Stream B: Threat Modeling Question Level 1: Do you identify and manage architectural design flaws with threat modeling? Quality criteria: You perform threat modeling for high-risk applications You use simple threat checklists, such as STRIDE You persist the outcome of a threat model for later use THREAT ASSESSMENT — 15 Security Requirements Threat Assessment
- 16.
- 17. Stream A:Software Requirements Question Level 1: Do project teams specify security requirements during development? Quality criteria: Teams derive security requirements from functional requirements and customer or organization concerns Security requirements are specific, measurable, and reasonable Security requirements are in line with the organizational baseline Stream B: Supplier Security SECURITY REQUIREMENTS — 17 Security Requirements
- 18. OWASP CheatSheet Project: https://cheatsheetseries.owasp.org/ OWASP Application Security Verification Standard: Github OWASP Mobile ASVS: Github SECURITY REQUIREMENTS — 18 Security Requirements
- 19.
- 20. Stream A:Build Process Question Level 1: Is your full build process formally described? Quality criteria: You have enough information to recreate the build processes Your build documentation up to date Your build documentation is stored in an accessible location Produced artifact checksums are created during build to support later verification You harden the tools that are used within the build process BUILD PROCESS — 20 Security Requirements Secure Build
- 21. Stream B:Software Dependencies Question Level 1: Do you have solid knowledge about dependencies you're relying on? Quality criteria: You have a current bill of materials (BOM) for every application You can quickly find out which applications are affected by a particular CVE You have analyzed, addressed, and documented findings from dependencies at least once in the last three months SOFTWARE DEPENDENCIES — 21 Security Requirements Secure Build
- 22. Stream A:Deployment Process Question Level 2: Are deployment processes automated and employing security checks? Quality criteria: Deployment processes are automated on all stages Deployment includes automated security testing procedures You alert responsible staff to identified vulnerabilities You have logs available for your past deployments for a defined period of time DEPLOYMENT PROCESS — 22 Security Requirements Secure Deployment
- 23. Stream B:Secret Management Question Level 1: Do you limit access to application secrets according to the least privilege principle? Quality criteria: You store production secrets protected in a secured location Developers do not have access to production secrets Production secrets are not available in non-production environments SECRET MANAGEMENT — 23 Security Requirements Secure Deployment
- 24. Stream A:Defect Tracking Question Level 1: Do you track all known security defects in accessible locations? Quality criteria: You can easily get an overview of all security defects impacting one application You have at least a rudimentary classification scheme in place The process includes a strategy for handling false positives and duplicate entries The defect management system covers defects from various sources and activities Stream B: Metrics and Feedback DEFECT MANAGEMENT — 24 Security Requirements Defect Management
- 25.
- 26. Stream A: ScalableBaseline Vulnerability Management: Tenable.io; Qualys; Wazuh; Built-in scanning in Amazon ECR. 3rd Party components analysis: OWASP Dependency Checker; Snyk.io; Amazon ECR. Static Application Security Testing (SAST): SonarQube; Rips; Checkmarx; HP Fortify. Dynamic Application Security Testing (DAST): Burp Suite Pro with Active Scan; OWASP ZAP. Stream B: Deep Understanding Penetration Testing: Internal or External Penetration testing team. SECURITY TESTING ACTIVITIES & TOOLS — 26 Security Testing
- 27. We utilize awide variety of automated tools and services to identify missing patches and updates. And follow Security Best Practices for hardening systems and environments. Patching and Updating: Tenable.io; Qualys; Wazuh; OWASP Dependency Checker; Fast Roll-back procedure in case of patching failure; Configuration Hardening: CIS Benchmark; STIG Benchmark; Vendor Specific Security Guidelines. PATCH MANAGEMENT & HARDENING — 27 Environment Management
- 28. AWS CloudTrails- Activity Audit AWS Guard Duty - Intrusion Detection and Prevention AWS WAF - Web Application Firewall, common attack detection and prevention. AWS Shield - DDoS detection and Prevention. AWS Inspector/ECR - Vulnerability Detection. Compliance Management. AWS IAM - Identity and Access Management. AWS STS - Simple Token Service. AWS KMS - Encryption; Key Management Wazuh - HIDS, Compliance & Security Management, SIEM. EXAMPLE OF SERVICES & TOOLS USED (AWS+) — 28 Cloud Security Controls
- 29.
- 30. 30 TAKEAWAYS & TIPS — Implement Secure SDLC; Focus of Design phase; Use «Shift Left» approach; Use Automation;
- 31. infosec.team@sigma.software dmytro.tereshchenko@sigma.software Skype: dmytriytereshchenko Telegram: +380 (67) 577-40-90 CONTACTS — 31
- 32.