Integrating Security into the Software Development Lifecycle
May 2016
Presented by: Anders Erickson & Jason Dunn
www.eidebailly.com



Page 2

Content for Presentation

• Series of whitepapers on software security developed by Mano Paul for (ISC)2

• Other whitepapers from industry-leading security experts in information security (e.g., OWASP and SANS)

• Our own experiences in IT security consulting and auditing.

Page 3

Getting Started

How do the pictures that follow relate to software development?

Page 4

Picture #1


The danger is often right in front of us

Page 5

Picture #2


We misuse tools to accomplish a task

Page 6

Picture #3


Trying to get rid of older technologies can be difficult

Page 7

Picture #4


Protecting users from themselves

Page 8

Picture #5


We need the right tools to begin with

Page 9

Picture #6


We often expose ourselves to threats

Page 10

Agenda

• Foundations of Application Security

• Challenges to Secure Software Development

• Software Development Models

• Integrating Security into Software Development

• Critical Controls for Software Security

• Software Development and the Examination Process

Page 11

Why Application Security?

• Applications are THE interface to an organization’s systems and data.

• Impact all aspects of security, especially integrity.

• Innumerable threats and exploits.

Page 12

The Changed Landscape

Survey of 240 companies by Forrester Consulting

• Over half of respondents had at least one web application security incident in the prior 18 months

• 18 percent put their losses at more than $500,000

• 8 percent saw losses in excess of $1 million

• Two reported losses of more than $10 million

Page 13

The Changed Landscape

• Rapid development, quick response to requests

• Compliance requirements

Security must be considered early and throughout the Software Development Lifecycle

Page 14

The Changed Landscape

“The need to consider security and privacy ‘up front’ is a fundamental aspect of secure system development. The optimal point to define trustworthiness requirements for a software project is during the initial planning stages. This early definition of requirements allows development teams to identify key milestones and deliverables, and permits the integration of security and privacy in a way that minimizes any disruption to plans and schedules.”

- Simplified Implementation of the Microsoft SDL

Page 15

The Changed Landscape

According to the National Institute of Standards and Technology (NIST), the cost benefits of finding and addressing defects early are staggering: for every $1 it costs to fix a defect during the coding phase, the same defect costs an organization about $30 to fix if it is first detected in production.

David Rice, former cryptographer for the NSA and Navy, author of Geekonomics: The Real Cost of Insecure Software, approximates, as reported on Forbes.com, that the total economic cost of security flaws in software is around $180 billion a year.

Page 16

Challenges to Secure Software Development

• Just becoming good developers

• Developers are unaware of ways they can introduce security problems into their code.

Computer Science programs don’t focus on security

Page 17

Challenges to Secure Software Development

Page 18

Challenges to Secure Software Development

Misalignment between stakeholders

• Misaligned priorities

• Misaligned process

• Misaligned tools

Page 19

Software Development Models

• Waterfall
• Iterative/Prototyping
• Spiral
• Extreme Programming (Agile)
• SCRUM Method (Agile)

Page 20

Software Development Models

Waterfall

Page 21

Software Development Models

Iterative / Prototyping

Page 22

Software Development Models

Spiral

Page 23

Software Development Models

Extreme Programming (Agile)

Page 24

Software Development Models

SCRUM Method (Agile)

Page 25

Software Development Models

Questions
• Who has seen any of these?
• What are some of the challenges you have observed with each?
• What are the advantages as it relates to security?

Page 26

Integrating Security into the SDLC

SDLC Phases: Requirements Gathering → Design → Development/Testing → Deployment → Maintenance → Disposal

Page 27

Requirements Gathering

Security Controls:
1. Engage the Business Partner or Client
2. Identify Applicable Policies and Standards
3. Identify Applicable Regulatory, Compliance, and Privacy Requirements
4. Develop Confidentiality, Integrity, and Availability Objectives
5. Develop Procurement Requirements
6. Perform Preliminary Risk Assessment

Recommended Tools & Processes:
• Business Partner Questionnaire
• Policy/Standards Checklist
• Local and International Checklists
• CIA Questionnaire
• Data Classification
• Procurement Checklist
• Rapid Risk Triage / Prototype or Questionnaire

Page 28

Design

Security Controls:
1. Modeling Misuse Cases
2. Conduct Security Design and Architecture Reviews
3. Perform Threat and Risk Modeling
4. Security Requirements and Test Cases Generation

Recommended Tools & Processes:
• Requirements Traceability Matrix
• Security Plan
• Threat Model
• Security Test Cases Template

Page 29

Development & Testing

Security Controls:
1. Writing Secure Code
2. Security Code Review
3. Security Documentation
4. Security Testing
5. Redo Risk Assessment

Recommended Tools & Processes:
• Security Checklist
• Code Scanners
• Security Test Cases

Page 30

Deployment

Security Controls:
1. Secure Installation
2. Vulnerability Assessment and Penetration Testing
3. Security Certification and Accreditation
4. Risk Adjustments

Recommended Tools & Processes:
• Environment Configuration Document
• Vulnerability Assessment Plan
• Penetration Testing Procedures
• C&A Workflow

Page 31

Maintenance

Security Controls:
1. Change Control and Configuration Control
2. Recertification and Reaccreditation
3. Incident Handling
4. Auditing
5. Continuous Monitoring

Recommended Tools & Processes:
• Change Control Process
• C&A Workflow
• Incident Management Plan
• Audit Review Plan
• Monitoring Procedures

Page 32

Disposal

Security Controls:
1. Secure Data Archiving and Sanitization
2. Secure Disposal

Recommended Tools & Processes:
• Records Management Policy
• Data Sanitization and Disposal Procedures

Page 33

SANS Critical Security Controls

SANS Institute
• Founded in 1989
• Focus on training information security professionals

Critical Security Controls
• Prioritize and focus
• Small number of actionable controls
• High-payoff with a "must do first" philosophy

Page 34

SANS Critical Security Control #6

Application Software Security

Manage the security lifecycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses.

ID# Description

CSC 6‐1 For all acquired application software, check that the version you are using is still supported by the vendor. If not, update to the most current version and install all relevant patches and vendor security recommendations.

CSC 6‐2 Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks, including but not limited to cross‐site scripting, SQL injection, command injection, and directory traversal attacks. 

QUICK WINS

Page 35

SANS Critical Security Control #6

Application Software Security

ID# Description

CSC 6‐3 For in‐house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.

CSC 6‐4 Test in‐house‐developed and third‐party‐procured web applications for common security weaknesses using automated remote web application scanners prior to deployment, whenever updates are made to the application, and on a regular recurring basis. Include tests for application behavior under denial‐of‐service or resource exhaustion attacks.

CSC 6‐5 Do not display system error messages to end‐users (output sanitization).

CSC 6‐6 Maintain separate environments for production and nonproduction systems. Developers should not typically have unmonitored access to production environments.

VISIBILITY/ATTRIBUTION
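The following is an added example, not code from the slides or from Eide Bailly. It puts CSC 6-3 (explicit checks on every input for size, type and acceptable range or format) and CSC 6-5 (no system error messages to end users) into working form, and also shows the Design-phase control on Page 28, "Security Requirements and Test Cases Generation": the misuse-case test inputs are generated from the same field specification the validator enforces, so a new check cannot be added without a matching negative test. The "account transfer" request, its field specification, the `persist` callback and the ORA-00942 database error string are all constructed for this demo.

```python
# Added example: input validation (CSC 6-3), generic error output (CSC 6-5) and
# misuse-case test generation from one field specification. Request, spec and
# the database error text below are constructed for this demo.
from __future__ import annotations
import logging, re, uuid
from dataclasses import dataclass
from typing import Any, Callable

log = logging.getLogger("app.security")

@dataclass(frozen=True)
class FieldSpec:
    name: str
    type_: type
    max_len: int = 64
    min_value: int | None = None
    max_value: int | None = None
    pattern: str | None = None

# Hypothetical "account transfer" request; every check is declared here so the
# negative tests can be generated from the same source the validator uses.
TRANSFER_SPEC = [
    FieldSpec("account", str, max_len=12, pattern=r"[0-9]{8,12}"),
    FieldSpec("amount", int, min_value=1, max_value=1_000_000),
    FieldSpec("memo", str, max_len=40, pattern=r"[A-Za-z0-9 .,-]*"),
]
VALID_REQUEST = {"account": "123456789012", "amount": 250, "memo": "rent"}

class ValidationError(ValueError):
    """Carries a message that is safe to show to the end user."""

def validate(request: dict[str, Any], spec: list[FieldSpec]) -> dict[str, Any]:
    """Reject undeclared fields; check each declared field for type, size and range/format."""
    if set(request) - {f.name for f in spec}:
        raise ValidationError("unexpected field")
    clean: dict[str, Any] = {}
    for f in spec:
        if f.name not in request:
            raise ValidationError(f"{f.name}: missing")
        value = request[f.name]
        # Type first. bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, f.type_):
            raise ValidationError(f"{f.name}: expected {f.type_.__name__}")
        if isinstance(value, str):
            if len(value) > f.max_len:
                raise ValidationError(f"{f.name}: longer than {f.max_len} characters")
            if f.pattern and not re.fullmatch(f.pattern, value):
                raise ValidationError(f"{f.name}: invalid format")
        elif (f.min_value is not None and value < f.min_value) or (f.max_value is not None and value > f.max_value):
            raise ValidationError(f"{f.name}: out of range")
        clean[f.name] = value
    return clean

def negative_cases(spec: list[FieldSpec], valid: dict[str, Any]) -> list[tuple[str, dict[str, Any]]]:
    """Misuse cases: one mutation of a valid request per declared check, plus an undeclared field."""
    cases = []
    for f in spec:
        cases.append((f"{f.name}: wrong type", {**valid, f.name: None}))
        if f.type_ is str:
            cases.append((f"{f.name}: oversize", {**valid, f.name: "A" * (f.max_len + 1)}))
            cases.append((f"{f.name}: injection characters", {**valid, f.name: "' OR 1=1 --"}))
        else:
            if f.min_value is not None:
                cases.append((f"{f.name}: below range", {**valid, f.name: f.min_value - 1}))
            if f.max_value is not None:
                cases.append((f"{f.name}: above range", {**valid, f.name: f.max_value + 1}))
    cases.append(("undeclared field", {**valid, "is_admin": True}))
    return cases

def handle_transfer(request: dict[str, Any], persist: Callable[[dict[str, Any]], str]) -> tuple[int, dict[str, str]]:
    """Hardened: validation messages are controlled text; any other failure is logged
    server-side under a reference id and the user sees only that id (CSC 6-5)."""
    try:
        return 200, {"status": "ok", "id": persist(validate(request, TRANSFER_SPEC))}
    except ValidationError as exc:
        return 400, {"error": str(exc)}
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.exception("transfer failed ref=%s", ref)  # full trace stays in the server log
        return 500, {"error": "internal error", "ref": ref}

def leaky_handle_transfer(request: dict[str, Any], persist: Callable[[dict[str, Any]], str]) -> tuple[int, dict[str, str]]:
    """The anti-pattern CSC 6-5 forbids: raw driver/ORM exception text reaches the user."""
    try:
        return 200, {"status": "ok", "id": persist(validate(request, TRANSFER_SPEC))}
    except Exception as exc:
        return 500, {"error": str(exc)}

def all_negatives_rejected() -> bool:
    """Security test case: every generated misuse case gets 400, never 200 and never 500."""
    return all(handle_transfer(req, lambda c: "tx-1")[0] == 400
               for _, req in negative_cases(TRANSFER_SPEC, VALID_REQUEST))

def failing_store(_clean: dict[str, Any]) -> str:
    # Constructed database error, standing in for what a real driver would raise.
    raise RuntimeError("ORA-00942: table or view does not exist (TRANSFERS)")

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(leaky_handle_transfer(VALID_REQUEST, failing_store))  # leaks the table name
    print(handle_transfer(VALID_REQUEST, failing_store))        # reference id only
    print("all misuse cases rejected:", all_negatives_rejected())
```

Two points worth noting in review. The validator checks type before size and size before format, so an oversized string is rejected before a regular expression ever runs on it, which also limits the cost of a hostile input. And the hardened handler distinguishes a `ValidationError`, whose text the code itself wrote, from every other exception, whose text it never forwards; the reference id lets support staff find the full trace in the log without the user ever seeing the table name.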

Page 36

SANS Critical Security Control #6

Application Software Security

ID# Description

CSC 6‐7 Test in‐house‐developed web and other application software for coding errors and potential vulnerabilities prior to deployment using automated static code analysis software, as well as manual testing and inspection. In particular, input validation and output encoding routines of application software should be reviewed and tested.

CSC 6‐8 For acquired application software, examine the product security process of the vendor (history of vulnerabilities, customer notification, patching/remediation) as part of the overall enterprise risk management process.

CSC 6‐9 For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.

CONFIGURATION/HYGIENE

Page 37

SANS Critical Security Control #6

Application Software Security

ID# Description

CSC 6‐10 Ensure that all software development personnel receive training in writing secure code for their specific development environment.

CSC 6‐11 For in‐house developed applications, ensure that development artifacts (sample data and scripts; unused libraries, components, debug code; or tools) are not included in the deployed software, or accessible in the production environment.

CONFIGURATION/HYGIENE
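CSC 6-11 is the one control on this page that is easy to automate as a release gate, so the following added example (not from the slides or from Eide Bailly) shows one way to do it: scan the build output for files that should never ship and for debug switches left enabled, and return a nonzero exit status so the pipeline refuses to deploy. The deny-list, the debug-setting patterns and the sample build tree (a small Flask-style app with a `.env` file, test code, sample data and `DEBUG = True` left on) are all constructed here and would need tuning for a real stack.

```python
# Added example: a pre-deployment gate for CSC 6-11 that fails the release when
# development artifacts (test code, sample data, secrets files, debug settings)
# are present in the build output. Deny-list and sample tree are constructed here.
from __future__ import annotations
import fnmatch
import re
import tempfile
from pathlib import Path

# Hypothetical deny-list, matched against paths relative to the build root.
FORBIDDEN_PATHS = [
    ".env", ".env.*", "*.bak", "*.orig", "*.swp", ".git/*",
    "tests/*", "test/*", "fixtures/*", "sample_data/*", "*.sql",
    "phpinfo.php", "debug.log", "docker-compose.override.yml",
]
# Debug switches that must not ship enabled in source or configuration.
DEBUG_PATTERNS = [
    re.compile(r"^\s*DEBUG\s*=\s*True\b", re.M),                 # Django/Flask settings module
    re.compile(r"app\.run\([^)]*debug\s*=\s*True"),               # Flask development server
    re.compile(r"<compilation[^>]*debug\s*=\s*\"true\"", re.I),   # ASP.NET web.config
]
TEXT_SUFFIXES = {".py", ".cfg", ".ini", ".config", ".yml", ".yaml", ".json"}

def scan_build(root: Path) -> list[str]:
    """Return one finding per forbidden file or enabled debug switch under root."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_dir():
            continue
        rel = path.relative_to(root).as_posix()
        if any(fnmatch.fnmatch(rel, pat) for pat in FORBIDDEN_PATHS):
            findings.append(f"forbidden artifact: {rel}")
            continue
        if path.suffix in TEXT_SUFFIXES:
            text = path.read_text(errors="replace")
            for rx in DEBUG_PATTERNS:
                if rx.search(text):
                    findings.append(f"debug setting enabled: {rel}")
                    break
    return findings

def release_gate(findings: list[str]) -> int:
    """CI exit status: nonzero blocks the deploy."""
    return 1 if findings else 0

def build_sample_tree(root: Path) -> None:
    """Constructed build output: a small web app plus the artifacts the gate must catch."""
    files = {
        "app/__init__.py": "",
        "app/main.py": "from flask import Flask\napp = Flask(__name__)\n",
        "app/settings.py": "DEBUG = True\nSECRET_KEY = 'dev'\n",
        "run_local.py": "from app.main import app\napp.run(host='0.0.0.0', debug=True)\n",
        "tests/test_transfer.py": "def test_ok():\n    pass\n",
        "sample_data/customers.csv": "id,name\n1,Test User\n",
        ".env": "DB_PASSWORD=changeme\n",
        "README.md": "# service\n",
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)

def demo() -> list[str]:
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_build(root)

if __name__ == "__main__":
    findings = demo()
    print("\n".join(findings) or "clean")
    raise SystemExit(release_gate(findings))
```

Run against the constructed tree, the gate reports the `.env` file, the `tests/` and `sample_data/` directories, and the two files with debug enabled, and exits 1; `app/main.py` and `README.md` pass. The same check belongs in the Deployment phase's "Secure Installation" step, run against the artifact that is actually being promoted rather than against the source tree.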

Page 38

Relevance to the Examination Process

COBIT 5 process domains:
• Align, Plan, & Organize (APO)
• Build, Acquire, & Implement (BAI)
• Deliver, Service, & Support (DSS)
• Monitor, Evaluate, and Assess (MEA)

Page 39

Questions?

Page 40

Contact Information

Anders Erickson – CISSP, CISA, CRISC
Eide Bailly, LLP
Risk Advisory Senior
[email protected]

Jason Dunn – CPA, CISA
Eide Bailly, LLP
Audit Senior
[email protected]