sdlc presentation


Upload: billy82

Post on 08-May-2015


TRANSCRIPT

Page 1: SDLC Presentation

1

04/11/23

Building Security Into Your SDLC Methodology

Integral Business Solutions

11/16/2006

Page 2: SDLC Presentation

Discussion Terms

• Methodology

• Software Development Lifecycle (SDLC)

• Secure Software Development Lifecycle (SSDLC)

• Agile Practices

• Integral Secure Agile Methodology (ISAM)

• Risk Management

• IT Frameworks

• Application Frameworks

• Tools

• What we learned

Page 3: SDLC Presentation

Is there a need?

• Applications need to match the maturity of infrastructure components

• “Bolting on security” after development is more complex and expensive than “baking it in” during the life cycle.

• “Development Process should be held accountable for application security shortcomings”

– Howard Schmidt

Page 4: SDLC Presentation

Field of Reference

• Application Development

• Application Integration

• Certification and Accreditation

Page 5: SDLC Presentation


SDLC

• Wikipedia: – a framework for developing software successfully

• Have traditionally followed a set pattern

– Define->Design->Develop

• Evolved with methodologies over time

Page 6: SDLC Presentation

SDLC History

Waterfall Methodologies

• Very structured – one phase ends, another begins

• Deliverables are extremely detailed

• Hand-offs occur between teams with specific and disparate skills

– Traditional Analysts (only), Developers, QA

• Accepted approach for developing host-based applications

– Complex systems

– Inflexible languages and tools

– Largely static application logic

• Procedural systems

Spiral (Iterative) Methodologies

• Cyclical and adaptive

– One phase leads to another, but there are continuous feedback loops

• Continuous change and improvement is assumed

– Documentation is a key

• Matrix-based teams – mix of skills and roles

• Emerged with the advent of 4th Generation Languages

• Object-Oriented Analysis and Design

– Client-Server and web-based systems

Agile Methodologies

• Lightweight approach – shifts the focus from the process to interaction – tenets include:

– Quick delivery of software (versus extended planning)

– Massive collaboration (versus contract formulation)

– Responsive change management (versus structured procedures)

– Individual interaction (versus tools automation)

• Examples include:

– Extreme Programming (XP)

– Feature-Driven Development

Page 7: SDLC Presentation

Secure SDLC

• SSDLC:

– Software development lifecycle process based on application security principles, adhering to a recognized standard and information privacy

– Focus on Risk, Compliance and C & A

– Includes activities designed to ensure compliance to the standard

– Requires security-related steps in application development procedures

– Integrated automated testing framework

• Automated unit test

• Regression test

• System integration test

• Performance test

• Threat and vulnerability audit

Page 8: SDLC Presentation


Integral Secure Agile Methodology (ISAM) ™

The Integral Secure Agile Methodology (ISAM) ™ is a collection of practices organized in a phased approach that provide the basis for an organization to ensure regulatory compliance, information security, and adherence to policy standards.

Page 9: SDLC Presentation

Formation Guidelines

• Created as a formulation of our "best practices"

• Need for security and regulatory elements in application development

• “Securing” the Software Development Lifecycle (SSDLC) and related activities

• Certification and Accreditation Objectives

Page 10: SDLC Presentation

Methodology Guidelines

• ISAM™ adheres to the principles of the ISO 17799:2005 Information Security Management Standard developed by the International Organization for Standardization

– Means the specific controls are derived from ISO 17799

• Provides flexibility to introduce other control elements, policies and framework objectives

• Is a methodology to “Create or Modify” another methodology

– Why? A forklift approach to change is usually expensive and not accepted

– Incremental approach that absorbs the existing business and standards objectives

Page 11: SDLC Presentation

ISAM Overview

Integral Secure Agile Methodology (ISAM)™

Phases: Goal -> Objective -> Define -> Design -> Develop -> Enhance

Page 12: SDLC Presentation

ISAM Phases

Integral Secure Agile Methodology (ISAM)™ Phases

• Goal – Long-Range Plan

• Objective – Short-Range Plan

• Define – Solution Requirements

• Design – Solution Design

• Develop – Solution Development

• Enhance

Page 13: SDLC Presentation

ISAM Phase Detail

Goal (Long-Range Plan)

· Business Strategy · Competitive Survey · Business Trends · Core Competencies · IT Strategy · Security Policy · Business Continuity Plan

Objective (Short-Range Plan)

· Business Model · Stakeholders · Governance Structure · Initial Functionality · Systems Inventory · Analysis Approach · Organization Readiness Assessment · Asset Inventory

Define (Solution Requirements)

· Prioritized Feature List · Functional Gap Analysis · Use Case Analysis · User Categorization · Storyboards · Component Diagrams · Architecture Diagrams · Activity Diagrams · Project Plan · Security Plan · Access Control Strategy

Design (Solution Design)

· Physical Architecture Diagrams · Volumetrics · Logical and Physical Data Models · User Interface Design · Class Diagrams · State Diagrams · Deployment Diagrams · Interface Integration Plan · Test Plan · Deployment Plan · Logical and Physical Security Diagrams

Develop (Solution Development)

· N-Tier Development · Unit Test · System Test · External Interface Test · Usability and Acceptance Test · Performance Test · Deployment

Enhance

· C&A Process · Regression Testing · Security Audit · Configuration Management · Acceptance Plan · Change Management · Program Management · Continuous Improvement · Monitoring Scheme

Page 14: SDLC Presentation

ISAM Goal Phase

Goal

Business Strategy – Understand the current business direction and examine how technology can help drive it.

Competitive Survey – Analyze the competitive forces that will impact the technology direction of the business.

Business Trends – Recognize emerging trends that will shape the business direction and technology approach.

Core Competencies – Assess historical and planned future business competencies relative to technology direction.

IT Strategy – Examine the information technology direction from a business planning perspective.

Security Policy – Specify the business approach to securing information in its systems, processes, and operating procedures.

Information Continuity Plan – Establish a plan to ensure business operations in the event of a disruption to information systems.

ISO 17799 - 5.1.1 Security Policy / Information Security Policy / Information Security Policy Document

ISO 17799 - 15.1.4 Compliance / Compliance with Legal Requirements / Data Protection and Privacy of Personal Information

ISO 17799 - 14.1.3 Business Continuity Management / Information Security Aspects of Business Continuity / Developing and Implementing Continuity Plans Including Information Security

Page 15: SDLC Presentation

ISAM Objective Phase

Objective

Business Model – Analyze the suggested technology approach relative to operational business needs.

Stakeholders – Determine constituents in areas affected by technology direction.

Governance Structure – Establish the responsibility structure for technology decisions.

Initial Functionality – Compile a listing of core functionality for technology implementation.

Systems Inventory – Categorize existing technology platforms and solutions.

Analysis Approach – Define a high-level plan to derive technology solution requirements.

Organization Readiness Assessment – Outline potential pitfalls for solution development and implementation.

Asset Inventory – Identify information assets and categorize each according to regulatory impact, business criticality, and sensitivity.

ISO 17799 - 6.1.1 Organization of Information Security / Internal Organization / Management Commitment to Information Security

ISO 17799 - 6.1.2 Organization of Information Security / Internal Organization / Information Security Coordination

ISO 17799 - 6.1.3 Organization of Information Security / Internal Organization / Allocation of Information Security Responsibilities

ISO 17799 - 7.1.1 Asset Management / Responsibility for Assets / Inventory of Assets

ISO 17799 - 7.2.1 Asset Management / Information Classification / Classification Guidelines

Page 16: SDLC Presentation

ISAM Define Phase

Define

Prioritized Feature List – Examine the desired features of the solution, categorized by low-medium-high risk, capability, difficulty, and implementation order.

Feature Gap Analysis – Detail the capability gaps in the initial functionality of the solution.

Use Case Analysis – Describe the functional uses of the information system.

User Categorization – Classify the makeup and structure of groups of individuals who will interact with the system.

Story Boards – Detail scenarios for user interaction with the system.

Component Diagrams – Describe the high-level application components of the solution.

Architecture Diagrams – Describe the infrastructure, interface and application component environments and interactions.

Activity Diagrams – Describe the processing sequence of functional solution components.

Project Plans – Outline the sequential allocation of resources to produce solution features in a given timeline.

Security Plan – Specify control procedures for secure operation of the solution from deployment through continued operation.

Access Control Strategy – Describe the approach to controlling access to the system.

ISO 17799 - 12.1.1 Systems Acquisition, Development and Maintenance / Security Requirements of Information Systems / Security Requirements and Specification

ISO 17799 - 12.x.x Systems Acquisition, Development and Maintenance

ISO 17799 - 11.1.1 Access Control / Business Requirement for Access Control / Access Control Policy

Page 17: SDLC Presentation

ISAM Design Phase

Design

Physical Architecture Diagrams – Lay out software solutions, hardware, and network topology.

Volumetrics – Examine volume levels for user interaction with the solution.

Logical and Physical Data Models – Describe data requirements in abstract and concrete form.

User Interface Design – Develop prototypes of user interfaces to the system.

Class Diagrams – Derive component software classes from solution definition artifacts.

State Diagrams – Detail the system component runtime states and transitions.

Deployment Diagrams – Outline the deployment strategy for solution components.

Interface Integration Plan – Detail the solution's interactions with external systems.

Test Plan – Establish procedures to validate system components through development and deployment.

Deployment Plan – Establish procedures to ensure the integrity of deployed system components.

Logical and Physical Security Diagrams – Outline the security plan for protecting system components and information.

ISO 17799 - 12.1.1 Systems Acquisition, Development and Maintenance / Security Requirements of Information Systems / Security Requirements and Specification

ISO 17799 - 10.3.1 Communications and Operations Management / System Planning and Acceptance / Capacity Management

ISO 17799 - 10.3.2 Communications and Operations Management / System Planning and Acceptance / System Acceptance

ISO 17799 - 10.6.1 Communications and Operations Management / Network Security Management / Network Controls

ISO 17799 - 6.2.1 Organization of Information Security / External Parties / Identification of Risks Related to External Parties

ISO 17799 - 10.8.x Communications and Operations Management / Exchange of Information: Information Exchange Policies and Procedures; Physical Media in Transit; Electronic Messaging; Business Information Systems

Page 18: SDLC Presentation

ISAM Develop Phase

Develop

N-Tier Development – Develop application components partitioned across appropriate infrastructure tiers.

Unit Test – Perform iterative application component testing.

System Test – Perform integrated application component tests.

External Interface Test – Test application interaction with external entities.

Usability and Acceptance Test – Evaluate application interface components and indicate acceptance by users.

Performance Test – Simulate application load to validate volumetrics.

Deployment – Implement the completed solution in its production infrastructure environment.

ISO 17799 - 12.2.x Systems Acquisition, Development and Maintenance / Correct Processing in Applications: Input Data Validation; Control of Internal Processing; Message Integrity; Output Data Validation

ISO 17799 - 12.3.x Systems Acquisition, Development and Maintenance / Cryptographic Controls: Policy on the Use of Cryptographic Controls; Key Management

ISO 17799 - 12.4.x Systems Acquisition, Development and Maintenance / Security of System Files: Control of Operational Software; Protection of System Test Data; Access Control to Program Source Control

ISO 17799 - 12.6.1 Systems Acquisition, Development and Maintenance / Technical Vulnerability Management / Control of Technical Vulnerabilities

ISO 17799 - 10.3.1 Communications and Operations Management / System Planning and Acceptance / Capacity Management

ISO 17799 - 10.3.2 Communications and Operations Management / System Planning and Acceptance / System Acceptance

ISO 17799 - 10.8.1 Communications and Operations Management / Exchange of Information / Information Exchange Policies and Procedures
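The Develop phase maps to ISO 17799 12.2.x (Correct Processing in Applications), whose four controls are named on the slide but not illustrated. The following is an added example, not code from the presentation or from Integral Business Solutions, showing what those four controls look like in one small message-handling component: a message-integrity check with an HMAC, allow-list input validation, an internal-processing invariant, and validation of the output before it leaves the component. The order schema, the 8-digit account format, the 2% fee rule and the embedded demo key are all constructed assumptions; a real deployment would take the key from the key-management process the slide lists under 12.3.x.

```python
import hashlib
import hmac
import json
import re

# Constructed demo key. Under ISO 17799 12.3.x the real key would come from a
# key-management process, never from a constant in source.
SECRET_KEY = b"constructed-demo-key-not-for-production"

ACCOUNT_RE = re.compile(r"[0-9]{8}")   # assumed account number format
ALLOWED_CURRENCIES = {"USD", "EUR"}    # assumed
MAX_AMOUNT = 1_000_000                 # assumed upper bound, whole units
FEE_PERCENT = 2                        # constructed processing rule


def sign_message(payload: bytes) -> str:
    """Message Integrity: HMAC-SHA256 tag over the exact bytes that are sent."""
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def verify_message(payload: bytes, tag: str) -> bool:
    """Constant-time comparison so a forged tag cannot be matched byte by byte."""
    return hmac.compare_digest(sign_message(payload), tag)


def validate_input(order) -> dict:
    """Input Data Validation: allow-list the fields, types and ranges up front."""
    if not isinstance(order, dict) or set(order) != {"account", "amount", "currency"}:
        raise ValueError("unexpected field set")
    account, amount, currency = order["account"], order["amount"], order["currency"]
    if not isinstance(account, str) or not ACCOUNT_RE.fullmatch(account):
        raise ValueError("account must be exactly 8 digits")
    # bool is a subclass of int in Python, so it has to be excluded explicitly
    if not isinstance(amount, int) or isinstance(amount, bool) or not 1 <= amount <= MAX_AMOUNT:
        raise ValueError("amount out of range")
    if currency not in ALLOWED_CURRENCIES:
        raise ValueError("unsupported currency")
    return {"account": account, "amount": amount, "currency": currency}


def process_order(order: dict) -> dict:
    """Control of Internal Processing: derive the fee only from validated values
    and check an invariant before handing the result on."""
    fee = order["amount"] * FEE_PERCENT // 100
    total = order["amount"] + fee
    if total < order["amount"]:  # would indicate a processing defect
        raise RuntimeError("internal processing invariant violated")
    return {"account": order["account"], "currency": order["currency"],
            "amount": order["amount"], "fee": fee, "total": total}


def validate_output(result: dict) -> dict:
    """Output Data Validation: check what leaves the component, not only what enters."""
    if set(result) != {"account", "currency", "amount", "fee", "total"}:
        raise ValueError("output has unexpected fields")
    if result["total"] != result["amount"] + result["fee"] or result["total"] > 2 * MAX_AMOUNT:
        raise ValueError("output failed consistency check")
    return result


def handle_message(payload: bytes, tag: str) -> dict:
    """Full path: integrity check, input validation, processing, output validation."""
    if not verify_message(payload, tag):
        raise ValueError("message integrity check failed")
    order = validate_input(json.loads(payload.decode("utf-8")))
    return validate_output(process_order(order))


if __name__ == "__main__":
    # Constructed sample message from a calling system
    msg = json.dumps({"account": "12345678", "amount": 1000, "currency": "USD"}).encode()
    print(handle_message(msg, sign_message(msg)))
```

The integrity check runs before the JSON is even parsed, so a tampered or replayed-with-edits message is rejected without exercising the parser; the output check catches a processing defect that the input check could not have seen.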

Page 19: SDLC Presentation

ISAM Enhance Phase

Enhance

Security Audit – Check system components for compliance with security standards.

Regression Testing – Test existing functionality when changes are made to the solution.

Configuration Management – Maintain release integrity with secure and controlled environments.

Acceptance Plan – Outline criteria and define procedures for user acceptance of system changes.

Change Management – Manage changes through control procedures.

Continuous Improvement – Maintain a feedback loop through the system lifecycle.

Monitoring Scheme – Proactively manage the solution through process, event, threat, and log monitoring.

ISO 17799 - 6.1.8 Organization of Information Security / Internal Organization / Independent Review of Information Security

ISO 17799 - 10.1.x Communications and Operations Management / Operational Procedures and Responsibilities: Documented Operating Procedures; Change Management; Segregation of Duties; Separation of Development, Test, and Operational Facilities

ISO 17799 - 10.1.2 Communications and Operations Management / Operational Procedures and Responsibilities / Change Management

ISO 17799 - 10.3.2 Communications and Operations Management / System Planning and Acceptance / System Acceptance

ISO 17799 - 10.4.1 Communications and Operations Management / Protection Against Malicious and Mobile Code / Controls Against Malicious Code

ISO 17799 - 10.6.1 Communications and Operations Management / Network Security Management / Network Controls

ISO 17799 - 10.10.x Communications and Operations Management / Monitoring: Audit Logging; Monitoring System Use; Protection of Log Information; Administrator and Operator Logs; Fault Logging; Clock Synchronization

ISO 17799 - 11.x Access Control: Network Access Control; Operating System Access Control; Application and Information Access Control

ISO 17799 - 12.4.x Systems Acquisition, Development and Maintenance / Security of System Files: Control of Operational Software; Protection of System Test Data; Access Control to Program Source Control

ISO 17799 - 12.5.x Systems Acquisition, Development and Maintenance / Security in Development and Support Processes: Change Control Procedures; Technical Review of Applications After Operating System Changes; Restrictions on Changes to Software Packages

ISO 17799 - 15.2.2 Compliance / Compliance with Security Policies and Standards, and Technical Compliance / Technical Compliance Checking

ISO 17799 - 15.3.1 Compliance / Information Systems Audit Considerations / Information Systems Audit Controls

Page 20: SDLC Presentation


NIST – Security in System Development Life Cycle.

Page 21: SDLC Presentation

ISAM Develop Phase – NIST Inclusion

Develop

Same artifacts and ISO 17799 control mappings as the ISAM Develop Phase slide, with the following NIST publications added:

SP 800-36 – Selecting Infosec Products

SP 800-57 – Key Management

Corresponds to NIST SDLC SP 800-36 Phase 3

Page 22: SDLC Presentation

Observations

• Risk management during each phase is key

– Can be challenging on an uncompleted cycle

– Identification of mitigation points is tricky.

• Assistance to a C & A process can be “in-line”

• Awareness is the driving factor

• Collaboration helped awareness

• Awareness brought in discipline

• Discipline > Structure > Control

Page 23: SDLC Presentation

Risk Management Through IT Frameworks

The primary objective of a framework is to bring forth governance built on the following principles:

• Structure

• Process

• Communication

Frameworks like ITIL and COBIT seek to ensure that effective information security measures are taken at strategic, tactical, and operational levels.

Information security should be considered an iterative process that must be controlled, planned, implemented, evaluated, and maintained in each phase.

Page 24: SDLC Presentation

IT Frameworks

A typical IT framework divides the overall information security concept into:

• Policies – overall objectives an organization is attempting to achieve

• Processes – what has to happen to achieve the objectives

• Procedures – who does what and when to achieve the objectives

• Work instructions – instructions for taking specific actions

Page 25: SDLC Presentation

IT Frameworks (cont.)

Diagram (cycle): Initial Security Efforts and Baseline; Requirements; SLA; OLA; Implementation; Monitoring; Reporting; Analysis; Modifications.

Define information security as a complete cyclical process with continuous review and improvement.

Page 26: SDLC Presentation

IT Frameworks (cont.)

Frameworks improve on security by providing…

• Focus – Security is not a “cost center” any more. It is well aligned with the business requirements

• Structure – move away from “fire fighting” to a structured best practice

• Continuous review

– The security reviews and functions are not static. Reviews, audits and assessments are done in a repeatable, cyclic fashion, which ensures that changes and modifications are duly analyzed for potential threats and vulnerabilities

– Periodic audits verify how well goals and guiding principles are followed

– Ensures positive motion in the Information Security Maturity model for the enterprise

Page 27: SDLC Presentation

IT Frameworks (cont.)

Frameworks improve on security by providing…

• Documented processes and procedures ensure compliance and auditability (HIPAA, SOX)

• Framework enforces an SSDLC environment that adheres to several control processes like

– Change Management

– Configuration Management

– Incident Management

• Measurable information security activity in each phase – ensures that the organization will not have a “rushed” approach in decision making

• Defined roles and responsibilities – auditability and traceability

• Defined communication process – e.g. reporting

Page 28: SDLC Presentation

Risk Management - Application Frameworks

Application frameworks enhance the overall security concept by ensuring that applications are more robust and secure in the following ways:

• Consistency – application code is written in a consistent manner that can more easily be audited and enhanced

• Repeatability – core application services are provided in a common and structured manner

• Conformance – framework modules are thoroughly tested before implementation, and continuously re-tested through the software regression test cycle

The following discussion highlights some commonly used application frameworks with security implications and potential pros and cons.

Page 29: SDLC Presentation

Communication and Collaboration

To be successful in developing secure software the entire team must be aware of what is occurring within the architecture of the solution and the code base. Communication of change and traceability of change can be assisted by the introduction of tools to help automate this communication and collaboration.

Having a strong culture of collaboration and a methodology that enforces the communication is also key. Tools help facilitate and even can enforce the rules laid out but they will not guarantee compliance. That is where Audits enter in.

Page 30: SDLC Presentation

Awareness

• Formal trainings were good but hard to find

• Peer-to-peer interaction

• Automated detection and assessment tools

Awareness was the hardest to achieve. Different levels of skill and adaptability posed challenges. Once the effort was made, progression was much easier.

Page 31: SDLC Presentation

Tools

There are many tools available that help your team communicate, collaborate, and ensure securely developed websites and traceability of changes to your systems.

Collaboration software

– GForge – Collaboration and project management tool for tracking and communicating changes, bugs and enhancements to your source code. Has reporting and integrations with many 3rd-party tools such as CVS, SVN, MS Project and the Eclipse IDE.

– Blogging software can be used to effectively communicate individual team members’ struggles and triumphs with project tasks. It is an effective way to gather unstructured data for later search and retrieval. Think of it as the electronic notebook for the development team.

– Wiki technologies – can be used in a similar fashion to blogging, but a wiki provides a quick and easy way to publish web-based documentation with a structure for the team to use. Wikis can be secured so that only your team can view and edit.

Page 32: SDLC Presentation

Tools (cont.)

Source Control Management (SCM)

– CVS – Industry standard for source code control and distributed project development.

– SVN – The next industry standard for source code control and distributed project development.

– ClearCase – Source code control from the Rational suite of products.

– Visual SourceSafe – Microsoft SCM tool.

– Tortoise – Visual tool for interfacing with CVS and SVN repositories via the Windows file explorer interface.

Page 33: SDLC Presentation

Tools (cont.)

IDEs

– Eclipse – industry-leading Java development platform. IBM's IDE is developed upon the Eclipse core. Many plugins are available to help with development on PHP, .NET, C and C++ language-based projects.

– Visual Studio – industry-leading MS language development platform. Excellent integration with the Microsoft product tool suite.

Virtualization

– VMware – A system to virtualize operating systems. Extremely helpful in server consolidation, and enables organizations to create function-specific computing environments with no extra investment. Also provides flexibility in the behavior of testing, QA etc.

Page 34: SDLC Presentation

Tools (cont.)

Quality Assurance / Build Automation

– Ant – script-based build tool. Used to call many of the other QA/build apps. Can be used to help ensure compliance. It is essentially a cross-platform Make.

– JUnit – unit-level test. Used with Ant and Tinderbox to help provide traceability of code failures and complete regression tests.

– HttpUnit – unit-level test for web interfaces. Used with Ant and Tinderbox to help provide traceability of code failures and complete regression tests.

– Tinderbox – a detective tool. It allows you to see what is happening in the source tree. It shows you who checked in what; what platforms have built successfully; what platforms are broken and exactly how they are broken (the build logs); and the state of the files that made up the build so you can figure out who broke the build, so you can do the most important thing, hold them accountable for their actions.

Page 35: SDLC Presentation

Tools (cont.)

Quality Assurance / Build Automation

– JMeter – Apache JMeter may be used to test performance on both static and dynamic resources (files, Servlets, Perl scripts, Java objects, databases and queries, FTP servers and more). It can be used to simulate a heavy load on a server, network or object to test its strength or to analyze overall performance under different load types. You can use it to make a graphical analysis of performance or to test your server/script/object behavior under heavy concurrent load.

– LoadRunner – A commercial counterpart to JMeter and the industry leader in the performance testing space. Obtain an accurate picture of end-to-end system performance. Verify that new or upgraded applications meet specified performance requirements. Identify and eliminate performance bottlenecks during the development lifecycle.

Page 36: SDLC Presentation

Tools (cont.)

Auditing tools

– Ounce Labs – Ounce Labs helps our customers manage their software risk across the enterprise and down to the line of code.

– Watchfire AppScan – the industry's first web application vulnerability scanning and reporting solution for the enterprise. Building on the market-leading AppScan technology, AppScan Enterprise provides centralized control with new advanced application scanning, remediation capabilities, executive security metrics and dashboards, key regulatory compliance reporting and seamless integration with the desktop version of AppScan.

– ARCWall – A system to provide central security policy enforcement for access control for databases. Also useful for auditing purposes to identify potential access control defects etc.

Page 37: SDLC Presentation

Concluding Remarks

• Conscious effort and buy-off from management and customer

– Systematic and sometimes intrusive changes

• Educating staff – awareness

• Implementing peer reviews

• Automation tools (commercial and open source)

• Focus on testing – security test cases included in functional, regression and performance testing

• Checkpoints throughout the life cycle.

• Greater reduction of risk posture

Chart: Cost to Reduce ($0 to $45,000) versus Risk Rating (0 to 200)

Lower Left = Low Risk and Low Cost – Recommend Fix

Lower Right = High Risk and Low Cost – Recommend Fix

Upper Left = Low Risk and High Cost – Recommend Evaluate

Upper Right = High Risk and High Cost – Recommend Schedule
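The chart's four quadrants are a remediation decision rule: any finding that is cheap to fix gets fixed, an expensive high-risk finding gets scheduled, and an expensive low-risk finding gets evaluated again. The following is an added example, not part of the presentation, that turns that rule into a triage function over a list of audit findings and orders them into a work list. The slide gives the axis ranges but not where the quadrant split lies, so the split points (the midpoints of each axis), the working order of the quadrants, and the sample findings are all constructed assumptions.

```python
from dataclasses import dataclass

# Assumed quadrant boundaries: midpoints of the chart's axes (Risk Rating 0-200,
# Cost to Reduce $0-$45,000). The slide does not state where the split lies.
RISK_MAX = 200
COST_MAX = 45_000
RISK_SPLIT = RISK_MAX // 2
COST_SPLIT = COST_MAX // 2

# Assumed working order: cheap fixes first, then the expensive high-risk items
# that need scheduling, then the expensive low-risk items to re-evaluate.
PRIORITY = {"Fix": 0, "Schedule": 1, "Evaluate": 2}


@dataclass(frozen=True)
class Finding:
    name: str
    risk_rating: int      # x-axis on the slide, 0-200
    cost_to_reduce: int   # y-axis on the slide, in dollars


def recommend(f: Finding, risk_split: int = RISK_SPLIT, cost_split: int = COST_SPLIT) -> str:
    """Map one finding onto the slide's quadrants.

    Lower left / lower right (low cost)   -> Fix
    Upper left  (low risk, high cost)     -> Evaluate
    Upper right (high risk, high cost)    -> Schedule
    """
    if not 0 <= f.risk_rating <= RISK_MAX:
        raise ValueError(f"{f.name}: risk rating outside 0-{RISK_MAX}")
    if not 0 <= f.cost_to_reduce <= COST_MAX:
        raise ValueError(f"{f.name}: cost outside 0-{COST_MAX}")
    high_risk = f.risk_rating >= risk_split
    high_cost = f.cost_to_reduce >= cost_split
    if not high_cost:
        return "Fix"
    return "Schedule" if high_risk else "Evaluate"


def triage(findings) -> list:
    """Return (finding, recommendation) pairs in working order: quadrant
    priority first, then highest risk, then lowest cost."""
    scored = [(f, recommend(f)) for f in findings]
    scored.sort(key=lambda fr: (PRIORITY[fr[1]], -fr[0].risk_rating, fr[0].cost_to_reduce))
    return scored


def summary(findings) -> dict:
    """Count of findings per recommendation, e.g. for a life-cycle checkpoint report."""
    counts = {"Fix": 0, "Schedule": 0, "Evaluate": 0}
    for _, rec in triage(findings):
        counts[rec] += 1
    return counts


# Constructed sample findings from a security audit, not data from the slide
SAMPLE_FINDINGS = [
    Finding("Missing input validation on order form", 150, 5_000),
    Finding("Verbose error pages", 40, 3_000),
    Finding("Legacy batch interface without integrity check", 30, 40_000),
    Finding("Shared service account across tiers", 180, 30_000),
]

if __name__ == "__main__":
    for f, rec in triage(SAMPLE_FINDINGS):
        print(f"{rec:9} risk={f.risk_rating:3} cost=${f.cost_to_reduce:,}  {f.name}")
```

Because the split points are parameters of `recommend`, the same work list can be regenerated when management moves the cost threshold between checkpoints, which is what the slide's "checkpoints throughout the life cycle" bullet implies.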

Page 38: SDLC Presentation


• Questions?