Page 1 (slide deck: ps.informatik.uni-tuebingen.de/teaching/ss16/se/8_secure..., posted 2016-05-13): Uni Tübingen Secure Software Engineering
AGILE, BUT SECURE?
SECURE SOFTWARE ENGINEERING
11.5.2016, ANDREAS FALK, UNI TÜBINGEN SOFTWARE ENGINEERING
Page 2: About me
11.05.2016 Secure Software Engineering - Universität Tübingen
Andreas Falk
NovaTec Consulting GmbH [email protected]
@NT_AQE
@Agile_Security
Member of
Page 3: Key literature
Page 4: Contents of this session
Raise awareness of the importance of security!
Agility and security: how do they fit together?
Security basics: not a "hacker" session!
https://creativecommons.org/licenses/by-sa/4.0/deed.en
+ Security?
Page 5: Really secure? Hacks can change lives!
Page 6: Really secure? https://www.shodan.io
Page 7: Really secure? Encryption "à la" stackoverflow.com
Shift cipher:
https://de.wikipedia.org/wiki/ROT13
Page 8: Really secure? User behaviour!
https://www.sicher-im-netz.de/downloads/dsin-sicherheitsindex-2015
Page 9: But we have a "security" firewall!?
"The Great Firewall"
"Bad" requests are blocked; "good" requests? pass through to the potentially insecure systems behind it
App A
App B
App C
App D
Page 10: But we use "secure" frameworks and platforms!?
and many others…
Page 11: Documentation, tests and security are the first things dropped!
Features
Documentation
Security / Tests
Features!
Page 12: Developers vs. security!
Page 13: Quality as a Maslow pyramid
http://gojko.net/2012/05/08/redefining-software-quality
Maslow's pyramid, top to bottom:
Self-actualization
Esteem
Social needs
Safety (security)
Basic needs
Page 14: OWASP Top 10 (2013)
http://owasp.org
Page 15: New challenges for security
Cloud Computing & Big Data
Microservices
Internet of Things (IoT)
Big Data: NoSQL, Computing, Storage, Map/Reduce
Page 16: New challenges for security
IoT
Device storage
Firmware
Device interface (hardware)
Device interface (web)
Network communication
Cloud
3rd party backend APIs
Own backend APIs
Update distribution
Data privacy
Sensors
Page 17: Aren't there already secure development processes?
Microsoft SDL (Security Development Lifecycle) https://www.microsoft.com/en-us/sdl
Security @ Adobe https://www.adobe.com/security/proactive-efforts.html
Page 18: Next stop: secure agile development
Waterfall
Scrum
Page 19: Secure agile development – Scrum framework elements
http://guntherverheyen.com/2016/01/29/worrying-interpretations-of-scrum
Page 20: Starting point: security == agile?
Sprint 1, Sprint 2, … Sprint n
Story A, Story B, Story C, Story D, Story E, Story F, Story G, Story H
Penetration test and security features only at the very end, right before Go Live
Page 21: Attackers vs. DevOps
Time
Attacks (24x7)
Deployments
Penetration test
Sprint Sprint Sprint Sprint Sprint Sprint Sprint
Page 22: Deliverable increments in Scrum
"The development team consists of professionals who, at the end of each sprint, hand over a finished increment that is potentially releasable."
http://www.scrumguides.org
Release something that is potentially insecure?
Page 23: DevOps
Vision
Product Backlog
Sprint
Deliverable increment
Operations / Support
Continuous Delivery
SecDevOps: + Security
Page 24: DevOps
Operating system
Java VM / database
Application server
3rd party libraries
Application code
Network firewall
Web application firewall
Network
SSL
Security / SecDevOps
Page 25: Secure agile development with Scrum
Product Backlog
Sprint Planning
Sprint Backlog
Sprint (Daily Scrum)
Potentially deliverable increment
Sprint Review & Retro
+ Security
Page 26: Secure agile development with Scrum
Scrum Master, Product Owner, Developers, Test & QA, Security Officer
Page 27: Secure DevOps = SecDevOps
Scrum Master, Product Owner, Developers, Test & QA, Security Officer, Operations & Support
Page 28: Role-specific security training
Development Team, Product Owner, Security Officer, Operations & Support
Page 29: Secure agile development with Scrum
Product Backlog: Story A, Story B, AbUser Story, Security Features
Threat Modeling
Page 30: Threat modeling is "agile" too
Cycle:
1 Define the software architecture
2 Threat model
3 Identify and mitigate threats
4 Security test cases and AbUser stories
5 Test Driven Development (TDD)
6 Write production code
Page 31: AbUser stories
Business user story: "As a customer I want to select products and add them to the shopping cart in order to buy them."
AbUser story 1: "As an attacker I want to manipulate requests so that I can change the prices of the products in the shopping cart."
AbUser story N: …
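The AbUser story above turned into a security test case, as an added example that is not part of the slides (written in Python rather than the deck's Java so it runs stand-alone). It puts the vulnerable cart handler, which trusts the price field the client sends, next to the hardened one, which takes only the SKU and quantity from the request and looks the price up server side. The catalogue, the request dictionaries and all function names are constructed for this example.

```python
CATALOGUE = {"sku-42": 49.99, "sku-7": 9.50}  # constructed: the server-side price list

def add_to_cart_vulnerable(cart, request):
    """Trusts sku, quantity AND price from the request body; the abuser story succeeds."""
    cart.append({"sku": request["sku"], "qty": int(request["qty"]),
                 "price": float(request["price"])})
    return cart

def add_to_cart_hardened(cart, request):
    """Only sku and quantity are taken from the client and both are validated;
    the price comes from the server's catalogue, so a tampered price field is ignored."""
    sku = request.get("sku")
    if sku not in CATALOGUE:
        raise ValueError("unknown product")
    try:
        qty = int(request.get("qty", 0))
    except (TypeError, ValueError):
        raise ValueError("quantity is not a number")
    if not 1 <= qty <= 99:
        raise ValueError("quantity out of range")
    cart.append({"sku": sku, "qty": qty, "price": CATALOGUE[sku]})
    return cart

def total(cart):
    """Order total in currency units, rounded to cents."""
    return round(sum(item["qty"] * item["price"] for item in cart), 2)

def hardened_rejects(request):
    """Security test helper: True if the hardened handler refuses the request."""
    try:
        add_to_cart_hardened([], request)
    except ValueError:
        return True
    return False

# The abuser story as concrete requests (constructed): the shop's own form sends
# LEGIT; the attacker replays it with the price field changed, or with a
# negative quantity to get a credit instead of a charge.
LEGIT = {"sku": "sku-42", "qty": "1", "price": "49.99"}
TAMPERED = {"sku": "sku-42", "qty": "1", "price": "0.01"}
NEGATIVE_QTY = {"sku": "sku-42", "qty": "-1"}

if __name__ == "__main__":
    print(total(add_to_cart_vulnerable([], TAMPERED)))  # attacker pays 0.01
    print(total(add_to_cart_hardened([], TAMPERED)))    # attacker pays 49.99
```

The hardened handler is the "security feature" that belongs in the same sprint as the business story; the two tampered requests are the regression tests that keep it there.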
Page 32: Example: AbUser and security user stories
Page 33: Secure agile development with Scrum – Sprint Planning
Page 34: Secure agile development with Scrum – Daily Scrum
Page 35: Secure agile development with Scrum – Sprint: Security
Page 36: Secure architecture/design – standard architecture / patterns
Layering, Microservices, CQRS, MVC
http://martinfowler.com/bliki/CQRS.html
Page 37: Secure architecture/design – standard frameworks
Page 38: Spring Security – secure "cloud native" applications
Enterprise application development: Spring IO
"Convention over configuration": Spring Boot
Web application security: Spring Security (Core), Web, Cloud
Single sign-on (SSO): Spring OAuth2 & Spring SAML
Page 39: Secure agile development with Scrum – Sprint: Security
Page 40: Secure design / coding – security patterns
Page 41: Secure design / coding – Cross-Site Scripting
Input validation: JPA entity field with "whitelist" Bean Validation

import javax.validation.constraints.NotNull;
import javax.validation.constraints.Pattern;
import javax.validation.constraints.Size;

// Whitelist: 1 to 50 characters, letters, digits and spaces only; everything else is rejected.
@NotNull
@Size(min = 1, max = 50)
@Pattern(regexp = "^[A-Za-z0-9 ]*$",
         message = "Only alphanumeric and space characters are allowed")
private String subject;
Page 42: Secure design / coding – Cross-Site Scripting
Output escaping
<script>alert('xss')</script>
<script>alert('xss')</script>
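The two XSS controls from the last two slides, whitelist input validation and output escaping, as an added example that is not from the deck (Python instead of the slides' Java so that it runs on its own). The regular expression is the one from the @Pattern annotation on the previous slide; the render_* helpers and the sample inputs are constructed. The practitioner's caveat it illustrates: validation at the input boundary is defence in depth, escaping at the output is the control that actually prevents XSS, and the escaping has to match the context (element content vs. a URL inside an attribute).

```python
import html
import re
from urllib.parse import quote

# Same whitelist as the @Pattern on the bean-validation slide: letters, digits, space.
SUBJECT_PATTERN = re.compile(r"^[A-Za-z0-9 ]*$")

def validate_subject(subject):
    """Whitelist input validation mirroring @NotNull, @Size(min=1, max=50), @Pattern."""
    if subject is None:
        return False
    if not 1 <= len(subject) <= 50:
        return False
    return SUBJECT_PATTERN.fullmatch(subject) is not None

def render_unsafe(comment):
    """Vulnerable: untrusted text concatenated into HTML unchanged, which is
    exactly what the slide's payload exploits."""
    return "<p>" + comment + "</p>"

def render_escaped(comment):
    """Hardened: escape for the HTML element context before concatenating."""
    return "<p>" + html.escape(comment, quote=True) + "</p>"

def render_link(search_term):
    """Hardened for a different context: a value that ends up inside a URL in an
    attribute is URL-encoded first, and the attribute value is HTML-escaped on top."""
    href = "/search?q=" + quote(search_term, safe="")
    return '<a href="' + html.escape(href, quote=True) + '">search</a>'

PAYLOAD = "<script>alert('xss')</script>"  # the payload shown on the slide

if __name__ == "__main__":
    print(validate_subject(PAYLOAD))   # False: rejected at the input boundary
    print(render_unsafe(PAYLOAD))      # the script tag survives -> XSS
    print(render_escaped(PAYLOAD))     # <p>&lt;script&gt;alert(&#x27;xss&#x27;)&lt;/script&gt;</p>
```

A comment field that legitimately needs punctuation cannot use the whitelist from the slide, which is why the escaping in render_escaped must not depend on validation having happened.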
Page 43: Secure design / coding – CSRF
Cross-Site Request Forgery (CSRF)
Online banking application:
GET http://bank.com/transfer.do?acct=BOB&amount=100 HTTP/1.1
Email (HTML content):
<img src="http://bank.com/transfer.do?acct=BOB&amount=100" width="0" height="0" border="0">
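The transfer endpoint from the slide, first as the vulnerable version and then hardened with the synchronizer token pattern, as an added example that is not from the deck (Python instead of Java so it runs stand-alone). The in-memory session store, the request tuples and the handler names are a constructed stand-in for a web framework; the parameter name _csrf is the one Spring Security uses for the token it generates and checks for you.

```python
import hmac
import secrets

SESSIONS = {}  # session id -> session data; constructed stand-in for the container's session store

def login(user):
    """Create a session (the cookie the browser will attach automatically) and
    mint one unguessable CSRF token bound to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32), "balance": 1000}
    return sid

def csrf_token(sid):
    """What the server embeds in its own transfer form as a hidden field."""
    return SESSIONS[sid]["csrf"]

def balance(sid):
    return SESSIONS[sid]["balance"]

def transfer_vulnerable(method, sid, params):
    """As on the slide: a state change over GET, authenticated by nothing but the
    session cookie, which the victim's browser sends along with the <img> request."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401
    session["balance"] -= int(params["amount"])
    return 200

def transfer_hardened(method, sid, params):
    """Synchronizer token pattern: only POST may change state, and the request must
    carry the token from the server's own form, which a cross-site page cannot
    read (same-origin policy) and therefore cannot forge."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401
    if method != "POST":
        return 405  # GET must never change state
    supplied = params.get("_csrf", "")
    # constant-time comparison so the token cannot be guessed byte by byte
    if not hmac.compare_digest(supplied.encode(), session["csrf"].encode()):
        return 403
    session["balance"] -= int(params["amount"])
    return 200

def forged_request_from_email():
    """The request the slide's <img src="http://bank.com/transfer.do?acct=BOB&amount=100">
    triggers: a GET with the victim's cookie and no token."""
    return "GET", {"acct": "BOB", "amount": "100"}

def run_csrf_scenario():
    """Replay the slide's attack against both handlers; returns the observed statuses."""
    sid = login("alice")
    method, params = forged_request_from_email()
    vulnerable = transfer_vulnerable(method, sid, params)
    balance_after_vulnerable = balance(sid)
    forged_get = transfer_hardened(method, sid, params)
    forged_post = transfer_hardened("POST", sid, params)          # attacker guesses POST, no token
    genuine = transfer_hardened("POST", sid, dict(params, _csrf=csrf_token(sid)))
    return {"vulnerable": vulnerable, "balance_after_vulnerable": balance_after_vulnerable,
            "forged_get": forged_get, "forged_post": forged_post,
            "genuine_post": genuine, "final_balance": balance(sid)}

if __name__ == "__main__":
    print(run_csrf_scenario())
```

The token alone is not enough if the endpoint still accepts GET: the method check is what makes the <img> trick fail outright, and the token is what stops a hidden auto-submitting form.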
Page 44: Secure design / coding – security response headers
Page 45: Secure design / coding – secure error messages
Page 46: Secure design / coding – security patterns
https://www.owasp.org/index.php/OWASP_Proactive_Controls
https://www.owasp.org/index.php/Cheat_Sheets
Page 47: A SECURE WEB APPLICATION IN 5 MINUTES
https://start.spring.io
DEMO
Page 48: Secure agile development with Scrum – Sprint: Security
Page 49: Agile security testing
Page 50: Agile security testing – static code analysis
Page 51: Agile security testing – code review
Code reviews (Github, Gitlab, Gerrit, …)
Page 52: Agile security testing
Test pyramid (Crispin, Lisa; Gregory, Janet (2008). Agile Testing), top to bottom:
Manual, exploratory testing
Automated UI tests
Service layer tests (API layer)
Integration tests
Unit & component tests
Axes: technology-facing (bottom) to business-facing (top) detail; complexity / cost grows towards the top; quantity grows towards the bottom
Security applies at every level of the pyramid
Page 53: Agile security testing – security integration tests

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import org.junit.Test;

// MockMvc tests with Spring Security test support (this.mvc is the test class's MockMvc):
// the positive case, an ADMIN may reach /admin ...
@Test
public void verifyAdminPathAuthorizeOK() throws Exception {
    this.mvc.perform(get("/admin")
            .with(user("admin").password("admin").roles("ADMIN")))
        .andExpect(status().isOk());
}

// ... and the negative case, a plain USER is refused with 403 Forbidden.
@Test
public void verifyAdminPathAuthorizeNOK() throws Exception {
    this.mvc.perform(get("/admin")
            .with(user("user").password("secure").roles("USER")))
        .andExpect(status().isForbidden());
}
Page 54: Stage 1: static security testing
Continuous Integration (CI):
1 Developer 1 opens a pull request
2 Trigger build
3 Check-out
4 Build & tests & static code analysis & dependency check
5 Report build result
6 Developer 2: (security) code review
7 Push to stable
Page 55: Dynamic security testing
OWASP Zed Attack Proxy (ZAP), open source: https://github.com/zaproxy/zaproxy
Burp Suite Professional, commercial: https://portswigger.net/burp
Page 56: Stage 2: dynamic security testing
1 Deploy
2 Acceptance testing / UI testing, routed through the proxy
3 Active scanning
4 Reporting
Page 57: Secure agile development with Scrum – Sprint Review & Retro
Page 58: Ideal state: security == agile!
Sprint 1, Sprint 2, … Sprint n
Story A, Story B, Story C, Story D, Story E, Story F, Story G, Story H
Abuse Story, Abuse Story, Security Features (inside the sprints)
Pen test
Go Live
Page 59: SecDevOps – Security + DevOps
Communication
Collaboration
Tools
Continuous Delivery
Page 60: SecDevOps – testing "Infrastructure as Code"
http://serverspec.org
/usr/bin/ruby -S rspec spec/www.example.jp/sample_spec.rb
Package "httpd"
  should be installed
Service "httpd"
  should be enabled
  should be running
Port "8443"
  should be listening
Finished in 0.21091 seconds (files took 6.37 seconds to load)
4 examples, 0 failures
Page 61: SecDevOps – free TLS (SSL) certificates
https://letsencrypt.org/
HTTPS for all websites!!
Page 62: SecDevOps – secure TLS (SSL) configuration
https://www.ssllabs.com/ssltest/index.html
Page 63: SecDevOps – security of HTTP response headers
https://securityheaders.io
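An added example, not from the deck, serving both the security response header slide (page 44) and this one: a small audit in the spirit of securityheaders.io that a pipeline can run against its own responses instead of a public scanner. The header set and thresholds are the commonly recommended ones (HSTS with a one-year max-age, a Content-Security-Policy without 'unsafe-inline', X-Content-Type-Options: nosniff, X-Frame-Options DENY or SAMEORIGIN); the two sample responses are constructed, the hardened one mirroring what Spring Security adds by default (HSTS on HTTPS responses, nosniff, X-Frame-Options DENY) plus a CSP the application sets itself. Python rather than Java so it runs stand-alone.

```python
from collections import namedtuple

Finding = namedtuple("Finding", "header ok detail")

ONE_YEAR = 31536000  # seconds

def _hsts_max_age(value):
    """Parse max-age out of a Strict-Transport-Security value; 0 if absent or invalid."""
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(number.strip())
            except ValueError:
                return 0
    return 0

def audit_security_headers(headers):
    """Check a response's headers (dict; names matched case-insensitively) against a
    small recommended set and return one Finding per header."""
    h = {name.lower(): value for name, value in headers.items()}
    hsts = h.get("strict-transport-security", "")
    csp = h.get("content-security-policy", "")
    xcto = h.get("x-content-type-options", "").strip().lower()
    xfo = h.get("x-frame-options", "").strip().upper()
    return [
        Finding("Strict-Transport-Security", _hsts_max_age(hsts) >= ONE_YEAR,
                "max-age of at least one year; only effective on HTTPS responses"),
        Finding("Content-Security-Policy", bool(csp) and "'unsafe-inline'" not in csp,
                "present and without 'unsafe-inline'"),
        Finding("X-Content-Type-Options", xcto == "nosniff",
                "nosniff stops browsers sniffing uploads into HTML/script"),
        Finding("X-Frame-Options", xfo in ("DENY", "SAMEORIGIN"),
                "DENY or SAMEORIGIN against clickjacking"),
    ]

def weak_headers(headers):
    """Names of the checked headers that are missing or weak; empty means pass."""
    return [f.header for f in audit_security_headers(headers) if not f.ok]

# Constructed samples: a bare default response, and a hardened one.
BARE = {"Content-Type": "text/html; charset=UTF-8", "Server": "Apache"}
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000 ; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    for finding in audit_security_headers(BARE):
        print(("ok   " if finding.ok else "WEAK ") + finding.header + ": " + finding.detail)
```

Run it in the acceptance-test stage against a real response (for example the headers ZAP records through its proxy) and fail the build when weak_headers returns anything; a scanner report nobody reads is not a control.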
Page 64: SecDevOps – know the 3rd party libraries you use
https://www.owasp.org/index.php/OWASP_Dependency_Track_Project
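What the dependency check in the CI stage (page 54) and Dependency-Track on this slide do at their core, as an added example that is not from the deck: match the libraries an application ships against known-vulnerable version ranges and fail the build on a hit. The manifest format (group:artifact:version lines), the advisory list and its identifiers are constructed for this example and are not real CVE data; real tools match CPEs or package URLs against the NVD and similar feeds and need a review step for false positives. Python rather than Java so it runs stand-alone.

```python
import re

def parse_version(version):
    """'4.3.0.RELEASE' -> (4, 3, 0): leading numeric components only, qualifiers dropped."""
    numbers = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if match is None:
            break
        numbers.append(int(match.group()))
    return tuple(numbers)

def in_affected_range(version, first_affected, first_fixed):
    """True if first_affected <= version < first_fixed (half-open, the way advisories state it)."""
    return parse_version(first_affected) <= parse_version(version) < parse_version(first_fixed)

# Constructed advisory list standing in for the vulnerability feed a real tool pulls:
# (group, artifact, first affected version, first fixed version, advisory id)
ADVISORIES = [
    ("com.example", "example-json", "1.0", "1.4.2", "EXAMPLE-ADV-0001"),
    ("com.example", "example-web", "2.0", "2.1.0", "EXAMPLE-ADV-0002"),
]

def parse_coordinates(line):
    """Constructed manifest format: Maven-style 'group:artifact:version' per line."""
    parts = line.strip().split(":")
    if len(parts) < 3:
        raise ValueError("not a group:artifact:version line: " + line)
    return parts[0], parts[1], parts[2]

def check_dependencies(manifest_lines):
    """Return [(coordinate, advisory id)] for every dependency inside a vulnerable range."""
    findings = []
    for line in manifest_lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        group, artifact, version = parse_coordinates(line)
        for adv_group, adv_artifact, lo, hi, adv_id in ADVISORIES:
            if (adv_group, adv_artifact) == (group, artifact) and in_affected_range(version, lo, hi):
                findings.append((f"{group}:{artifact}:{version}", adv_id))
    return findings

def build_should_fail(manifest_lines):
    """CI gate: break the build when any known-vulnerable dependency is present."""
    return len(check_dependencies(manifest_lines)) > 0

MANIFEST = """\
# constructed dependency list in group:artifact:version form
com.example:example-json:1.3.1
com.example:example-web:2.1.0.RELEASE
com.example:example-util:3.0.0
"""

if __name__ == "__main__":
    for coordinate, adv_id in check_dependencies(MANIFEST.splitlines()):
        print(coordinate + " is affected by " + adv_id)
```

The point of running this on every pull request rather than once before go-live is the same as on the attackers-vs-DevOps slide: the advisory feed changes daily, so a dependency that passed last sprint can fail today without a single line of your code changing.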
Page 65: Open Web Application Security Project
Free and open, non-profit! A community for secure software
> 130 projects
> 250 local "chapters"
> 2500 members
https://www.owasp.org
Page 66: Open Web Application Security Project
Page 67: Conclusion
Training for security
Make security transparent
Security activities throughout the entire development process
http://www.gameofhacks.com
http://www.itsecgames.com
Page 68: Outlook / next steps
Security activities in the project
Attend a (security) conference
https://2016.appsec.eu
Page 69: So that this doesn't happen again!
Page 70: QUESTIONS?
11.05.2016, ANDREAS FALK
aqe.novatec-gmbh.de
@NT_AQE
blog.novatec-gmbh.de