Integration into the SDLC

Published on August 30, 2007

Author: BAWare

Source: authorstream.com

Content

Integration into the SDLC (Software Development Life Cycle)
With Eoin Keary, [email protected]

Bespoke Applications vs. Commercial Applications
- Application development for internal use: bespoke, customized, one-off applications.
- The audience is small (users, developers, testers), so vulnerabilities are not discovered quickly by users.
- Vulnerabilities are discovered by hackers, who actively look for them.
- Bespoke application = small audience = less chance of vulnerabilities being discovered by legitimate users (attackers are still looking).
- This is unlike, say, Microsoft Windows XP: 210 million copies sold (http://www.forbes.com/, May 2004).

First Line of Defense: The Developer
- Writes the code.
- Understands the problem better than anyone.
- Has the skill set.
- Is more effective and efficient in providing a solution.

Complexity vs. Security
- As functionality, and hence complexity, increases, security decreases.
- Integrating security into functionality at design time is easier and cheaper.
- '100 Times More Expensive to Fix Security Bug at Production Than Design' – IBM Systems Sciences Institute
- It also costs less in the long term: lower maintenance cost.

A Few Facts and Figures
How many vulnerabilities are application security related?

Growth of Threat: Growth in the Tools Available
Source: PestPatrol.com. Categories: Binder, Carding, Cracking Tool, Flooder, Key Generator, Mail Bomber, Mailer, Misc Tool, Nuker, Packer, Password Cracker, Password Cracking Word List, Phreaking Tool, Port Scanner, Probe Tool, Sniffer, Spoofer, Trojan, Trojan Creation Tool, Virus Creation Tool, Virus Source, Virus Tutorial, War Dialer.

A Few Facts and Figures (contd)
Ref: http://ganssle.com/Inspections.pdf
Interesting statistics on employing code review:
- IBM removes 82% of defects before testing starts.
- HP found that 80% of the defects found were not likely to be caught in testing.
- '100 Times More Expensive to Fix Security Bug at Production Than Design' – IBM Systems Sciences Institute
- Promoting people looking at code.
- Improvement earlier in the SDLC: fix at the right place, the source.
- Takes 20% extra time; the payoff is an order of magnitude more.

If Cars Were Built Like Applications…
- 70% of all cars would be built without following the original designs and blueprints. The other 30% would not have designs.
- Car design would assume that safety is a function of road design and that all drivers were considerate, sober and expert drivers.
- Cars would have no airbags, mirrors, seat belts, doors, roll-bars, side-impact bars, or locks, because no-one had asked for them. But they would all have at least six cup holders.
- Not all the components would be bolted together securely and many of them would not be built to tolerate even the slightest abuse.
- Safety tests would assume frontal impact only. Cars would not be roll tested, or tested for stability in emergency maneuvers, brake effectiveness, side impact and resistance to theft.
- Many safety features originally included might be removed before the car was completed, because they might adversely impact performance.
- 70% of all cars would be subject to monthly recalls to add major components left out of the initial production. The other 30% wouldn't be recalled, because no-one would sue anyway.
- The after-market for safety devices would include such useful products as training wheels, screen doors, elastic seatbelts and devices that would restrict the car's top speed to 3mph, if found to be unsafe (which would be always).
- Useful safety could be found, but could only be custom retro-fitted, would take six months to fit and would cost more than the car itself.
- An NCT/MOT inspection would consist of counting the wheels and making recommendations on wheel quantity.
- Your only warning indicator would be large quantities of smoke and flame in the cab.
- You could only get insurance from one provider, it would be extremely expensive, require a duplicate NCT/MOT inspection, and you might still never be able to claim against the policy.
– Denis Verdon

How Do We Do It?
Security Analyst:
- Get involved early in the SDLC.
- Security is a function of the asset we want to secure: what is it worth?
- Understanding the information held in the application and the types of users is half the battle.
- Involve an analyst in the design phase and thereafter.
Developer:
- Embrace secure application development (educate).
- Quality is not just 'does it work'; security is a measure of quality also.

How Do We Do It? (contd)
QA:
- Security vulnerabilities are to be considered bugs, the same way as a functional bug, and tracked in the same manner.
Managers:
- Factor some time into the project plan for security.
- Consider security as added value in an application.
- $1 spent up front saves $10 during development and $100 after release.

Software Security Tollgates in the SDLC
Artifacts at each phase: requirements and use cases, design, test plans, code, test results, field feedback.
Security activities at each gate: security requirements, risk analysis, risk-based security tests, static analysis (tools), penetration testing, design review, code review. Iterative approach.
Risk = Threat x Vulnerability x Cost
What do we need to test, and how? Code review tools.

Application Security Risk Categorization
Goal:
- More security for riskier applications.
- Ensures that you work the most critical issues first.
- Scales to hundreds or thousands of applications.
Tools and methodology:
- Security profiling tools can gather facts: size, complexity, security mechanisms, dangerous calls.
- Questionnaire to gather risk information: asset value, available functions, users, environment, threats.
- Risk-based approach: evaluates likelihood and consequences of a successful attack.

Application Security Project Plan
- Define the plan to ensure security at the end.
- Ideally done at the start of the project; can also be started before or after development is complete.
- Based on the risk category, identify activities at each phase, the necessary people and expertise required, and who has responsibility for risks.
- Ensure time and budget for security activities.
- Establish a framework for establishing the 'line of sight'.

Application Security Requirements Tailoring
- Get the security requirements and policy right.
- Start with a generic set of security requirements.
- Must include all security mechanisms.
- Must address all common vulnerabilities.
- Can be use (or misuse) cases.
- Should address all driving requirements (regulation, standards, best practices, etc.).
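Added example of the "security profiling tool" the Risk Categorization slide mentions; this is not code from the slides or from OWASP. It parses Python source with the standard library `ast` module and gathers the facts the slide lists (size, cyclomatic complexity per function, dangerous call sites) so they can feed a risk questionnaire. The DANGEROUS_CALLS starter list and the SAMPLE module are constructed for the example.

```python
"""Security profiling of Python source (added example, not from the slides):
gathers size, cyclomatic complexity per function and dangerous call sites."""
import ast

# Starter list of dangerous calls for this example (an assumption, not an OWASP list).
DANGEROUS_CALLS = {
    "eval": "code execution from data",
    "exec": "code execution from data",
    "os.system": "shell command injection",
    "os.popen": "shell command injection",
    "pickle.loads": "deserialization of untrusted data",
    "pickle.load": "deserialization of untrusted data",
    "yaml.load": "unsafe deserialization (use yaml.safe_load)",
}


def _qualified_name(node):
    """'os.system' for os.system(...), 'eval' for eval(...), None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _qualified_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class Profiler(ast.NodeVisitor):
    """Collects per-function cyclomatic complexity and dangerous call sites."""

    def __init__(self):
        self.complexity = {}   # function name -> cyclomatic complexity
        self.findings = []     # (call name, line number, reason)
        self._current = None   # name of the function being visited

    def visit_FunctionDef(self, node):
        prev = self._current
        self._current = node.name
        self.complexity[node.name] = 1          # the straight-line path
        self.generic_visit(node)
        self._current = prev

    visit_AsyncFunctionDef = visit_FunctionDef

    def _branch(self, node):
        if self._current is not None:
            self.complexity[self._current] += 1  # one more decision point
        self.generic_visit(node)

    visit_If = visit_For = visit_While = visit_IfExp = visit_ExceptHandler = _branch

    def visit_BoolOp(self, node):
        if self._current is not None:
            self.complexity[self._current] += len(node.values) - 1  # each and/or
        self.generic_visit(node)

    def visit_Call(self, node):
        name = _qualified_name(node.func)
        if name in DANGEROUS_CALLS:
            self.findings.append((name, node.lineno, DANGEROUS_CALLS[name]))
        elif name and name.startswith("subprocess.") and any(
            kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
            for kw in node.keywords
        ):
            self.findings.append((f"{name}(shell=True)", node.lineno, "shell command injection"))
        self.generic_visit(node)


def profile_source(src):
    """Facts a risk questionnaire can consume: size, functions, complexity, dangerous calls."""
    profiler = Profiler()
    profiler.visit(ast.parse(src))
    return {
        "lines": len(src.splitlines()),
        "functions": len(profiler.complexity),
        "complexity": profiler.complexity,
        "max_complexity": max(profiler.complexity.values(), default=0),
        "findings": profiler.findings,
    }


# Constructed sample module to profile.
SAMPLE = '''
import os, subprocess, pickle

def run(cmd, user):
    if user.is_admin and cmd:
        os.system(cmd)
    elif cmd.startswith("ls"):
        subprocess.run(cmd, shell=True)
    else:
        for part in cmd.split():
            print(part)

def load(blob):
    try:
        return pickle.loads(blob)
    except Exception:
        return None
'''

if __name__ == "__main__":
    report = profile_source(SAMPLE)
    print(f"{report['lines']} lines, {report['functions']} functions, max complexity {report['max_complexity']}")
    for name, line, why in report["findings"]:
        print(f"line {line}: {name} ({why})")
```

The scanner only resolves names as written at the call site, so `from os import system` or an aliased import would slip past it; a real profiling tool resolves imports before matching, which is also why the slide pairs tool output with a questionnaire rather than relying on either alone.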
Tailoring examples:
- Specify how authentication will work.
- Detail the access control matrix (roles, assets, functions, permissions).
- Define the input validation rules.
- Choose an error handling and logging approach.

Design Reviews
- Better to find flaws early.
- Security design reviews: check that the design meets the requirements, and also check that you did not miss a requirement.
- Assemble a team: experts in the technology and security-minded team members.
- Do a high-level penetration test against the design.
- Be sure to do root cause analysis on any flaws identified.

Software Vulnerability Analysis
- Find flaws in the code early.
- Many different techniques:
  Static (against source or compiled code): security-focused static analysis tools, peer review process, formal security code review.
  Dynamic (against running code): scanning, penetration testing.
- Goal: ensure completeness (across all vulnerability areas) and accuracy (minimize false alarms).

Application Security Testing
- Identify security flaws during testing.
- Develop security test cases based on the requirements; be sure to include 'negative' tests.
- Test all security mechanisms and common vulnerabilities.
- Flaws feed into defect tracking and root cause analysis.

Application Security Defect Tracking and Metrics
'Every security flaw is a process problem'
Tracking security defects:
- Find the source of the problem: bad or missed requirement, design flaw, poor implementation, etc.
- Issue: can you track security defects the same way as other defects?
Metrics:
- What lifecycle stage are most flaws originating in?
- What security mechanisms are we having trouble implementing?
- What security vulnerabilities are we having trouble avoiding?
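Added example, not code from the slides: the tailoring items from the Requirements Tailoring slide (access control matrix, input validation rules, error handling and logging approach) turned into code, followed by the security test cases the Application Security Testing slide asks for, negative tests included. The roles, the matrix, the validation patterns, the account owners and the users are all assumptions made for the example.

```python
"""Security requirements turned into code and security tests (added example,
not from the slides; roles, rules and accounts below are assumptions)."""
import re

# Access control matrix: role -> permitted (function, scope) pairs.
# scope "own" = the user's own account, "any" = any account.
ACCESS_MATRIX = {
    "customer": {("view_account", "own"), ("transfer", "own")},
    "teller":   {("view_account", "any"), ("transfer", "any")},
    "auditor":  {("view_account", "any")},
}

# Input validation rules, allow-list style: field -> pattern the whole value must match.
VALIDATION_RULES = {
    "account_id": re.compile(r"[0-9]{8}"),
    "amount":     re.compile(r"(0|[1-9][0-9]{0,6})(\.[0-9]{1,2})?"),
    "memo":       re.compile(r"[A-Za-z0-9 ,.'-]{0,64}"),
}

OWNERS = {"12345678": "alice", "87654321": "bob"}   # constructed account -> owner
AUDIT_LOG = []                                        # where rejected requests are recorded


class ValidationError(Exception): pass
class AccessDenied(Exception): pass


def validate(field, value):
    """Reject anything that is not a string matching the field's allow-list rule."""
    rule = VALIDATION_RULES.get(field)
    if rule is None:
        raise ValidationError(f"no validation rule for {field!r}")   # fail closed
    if not isinstance(value, str) or rule.fullmatch(value) is None:
        raise ValidationError(f"invalid {field}")
    return value


def authorize(user, function, account_owner):
    """Look the request up in the access control matrix; deny by default."""
    permitted = ACCESS_MATRIX.get(user["role"], set())
    scope = "own" if account_owner == user["id"] else "any"
    if (function, scope) in permitted or (function, "any") in permitted:
        return True
    raise AccessDenied(f"{user['role']} may not {function} on {scope} account")


def handle_transfer(user, request):
    """Validate every input, then authorize, then act. The caller gets a generic
    error; the reason goes to the audit log only (error handling and logging approach)."""
    try:
        account = validate("account_id", request.get("account_id"))
        amount = validate("amount", request.get("amount"))
        memo = validate("memo", request.get("memo", ""))
        authorize(user, "transfer", OWNERS.get(account))
    except (ValidationError, AccessDenied) as exc:
        AUDIT_LOG.append({"user": user["id"], "event": type(exc).__name__, "detail": str(exc)})
        return {"ok": False, "error": "request rejected"}
    return {"ok": True, "account": account, "amount": amount, "memo": memo}


ALICE = {"id": "alice", "role": "customer"}
TELLER = {"id": "tom", "role": "teller"}
AUDITOR = {"id": "ann", "role": "auditor"}

# Security test cases derived from the requirements: positive ones prove the
# mechanism works, negative ones prove abuse is refused.
SECURITY_TESTS = [
    ("customer transfers from own account",
     lambda: handle_transfer(ALICE, {"account_id": "12345678", "amount": "10.50", "memo": "rent"})["ok"]),
    ("teller transfers from any account",
     lambda: handle_transfer(TELLER, {"account_id": "87654321", "amount": "1"})["ok"]),
    ("customer cannot transfer from another's account",
     lambda: not handle_transfer(ALICE, {"account_id": "87654321", "amount": "1"})["ok"]),
    ("auditor has no transfer permission",
     lambda: not handle_transfer(AUDITOR, {"account_id": "12345678", "amount": "1"})["ok"]),
    ("injection payload in account_id is rejected",
     lambda: not handle_transfer(TELLER, {"account_id": "1' OR '1'='1", "amount": "1"})["ok"]),
    ("negative amount is rejected",
     lambda: not handle_transfer(ALICE, {"account_id": "12345678", "amount": "-5"})["ok"]),
    ("oversized memo is rejected",
     lambda: not handle_transfer(ALICE, {"account_id": "12345678", "amount": "1", "memo": "x" * 65})["ok"]),
    ("missing field fails closed",
     lambda: not handle_transfer(ALICE, {"amount": "1"})["ok"]),
    ("rejection leaks no detail to the caller",
     lambda: handle_transfer(ALICE, {"account_id": "87654321", "amount": "1"})["error"] == "request rejected"),
]


def run_security_tests():
    """Map of test name -> passed, so a failure can be filed as a defect like any other bug."""
    return {name: bool(check()) for name, check in SECURITY_TESTS}
```

Every negative test here states a requirement in the form "this must be refused", which is what makes it trackable: a failing entry is a bug against a named requirement, and the audit log entry it produces carries the detail that the caller deliberately does not get.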
Configuration Management and Deployment
- Ensure the application configuration is secure.
- Security is increasingly 'data-driven': XML files, property files, scripts, databases, directories. How do you control and audit this data?
- Design configuration data for audit.
- Put all configuration data in CM.
- Audit configuration data regularly.
- Don't allow configuration changes in the field.

What Now?
'So now, when we face a choice between adding features and resolving security issues, we need to choose security.' – Bill Gates
'If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.' – Bruce Schneier
'The user's going to pick dancing pigs over security every time.' – Bruce Schneier
'Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit-card information from someone living in a cardboard box to someone living on a park bench.' – Gene Spafford
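Added example for the Configuration Management and Deployment slide above; it is not code from the slides. It shows one way to "design configuration data for audit" and "audit configuration data regularly": a manifest of digests over the deployed configuration files is signed in CM at release time, and the audit later verifies that signature before diffing the live configuration against it, so both an in-field edit and a tampered baseline are detected. The file names, contents, suffix list and signing key are constructed for the example.

```python
"""Configuration audit against a signed release baseline (added example, not from the slides).
Paths, file contents and the signing key are constructed for the example."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# The 'data-driven' configuration the slide lists: XML, property files, scripts, ...
CONFIG_SUFFIXES = {".xml", ".properties", ".yaml", ".yml", ".json", ".ini", ".sh"}


def _digest(path):
    """SHA-256 of a file, streamed so large config files are not read into memory at once."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> digest for every configuration file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): _digest(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix in CONFIG_SUFFIXES}


def sign_manifest(manifest, key):
    """HMAC over the canonical JSON form, produced in CM at release time."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_manifest(manifest, signature, key):
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def audit(root, baseline, signature, key):
    """Compare the deployed configuration with the signed baseline; refuse an unsigned one."""
    if not verify_manifest(baseline, signature, key):
        raise ValueError("baseline manifest signature invalid; refusing to audit against it")
    current = build_manifest(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
    }


def demo():
    """Constructed scenario: release baseline, then an in-field edit and a stray file."""
    key = b"cm-signing-key-kept-outside-the-deployment"   # assumption: held in CM, not on the host
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db.properties").write_text("jdbc.user=app\njdbc.password=${VAULT}\n")
        (root / "web.xml").write_text("<web-app><session-timeout>15</session-timeout></web-app>\n")
        (root / "roles.yaml").write_text("admin: [alice]\n")
        baseline = build_manifest(root)
        signature = sign_manifest(baseline, key)
        # Changes made in the field, which the audit must catch ...
        (root / "roles.yaml").write_text("admin: [alice, mallory]\n")
        (root / "debug.properties").write_text("debug=true\n")
        # ... and a baseline edited to hide the change, which the signature must catch.
        forged = {**baseline, "roles.yaml": _digest(root / "roles.yaml")}
        return {"audit": audit(root, baseline, signature, key),
                "forged_baseline_accepted": verify_manifest(forged, signature, key)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the audit from a scheduled job, with the key and the signed baseline fetched from CM rather than stored on the host, is what turns "don't allow configuration changes in the field" from a policy into something that is actually checked; anything the audit reports as added or modified is a change that bypassed CM.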
