SlideShare a Scribd company logo

Secure by design and secure software development

Download as ppt, pdf
Bill Ross
Bill Ross

This secure lifecycle management process (SLCMP said slickum) defines the basic and most realistic way to develop secure software. While the briefing is a bit dated slide 34 is still a very relevant process. What is below the green line is the security dynamic process that happens supporting the basic development process seen above the green line. SLCMP is supported by building a complementary and excellent information risk framework system security plan or IRASSP. SLCMP is operationally deployed.

1 of 45
Downloaded 50 times
IINFOSECFORCENFOSECFORCE 1 Application SecurityApplication Security BILL ROSS Application Security BILL ROSS 15 Sept 2008 IINFOSECFORCENFOSECFORCE ““ Balancing security controls to business requirements “Balancing security controls to business requirements “
IINFOSECFORCENFOSECFORCE SecuritySecurity and Project Lifecycles Security and Lifecycle Management Process (SLCMP) Said “slickum” A “practitioner’s” view ….. Bill Ross
IINFOSECFORCENFOSECFORCE Slickum brief objectivesSlickum brief objectives  Purpose: - Discuss application security issues - Describe web application information security - To describe a process by which software is securely developed  Expected outcome: - An increased awareness of how to prevent web application attacks - How to implement the SLCMP process into the SDLC - More securely built applications and infrastructure
IINFOSECFORCENFOSECFORCE What You Need to KnowWhat You Need to Know 4 Symantec Internet Security Threat Report, Volume XIV
IINFOSECFORCENFOSECFORCE  Less rigor in Web programming, an increasing variety of software, and restrictions on Web security testing have combined to make flaws in Web software the most reported security issues, according to the Common Vulnerabilities and Exposures (CVE) project.  Web and business applications are increasingly compromised around the world causing businesses to loose millions of dollars through data compromise  Hacking is no longer for fun …… it is for profit …. Internal or external hackers exploit weaknesses in application code to achieve their objectives.  Symantec 2008 Cyber report indicates there are 1,656, 227 number of new threats in the wild Operational reportOperational report
IINFOSECFORCENFOSECFORCE 1. Phishing. The use of e-mails that appear to originate from a trusted source to trick a user into entering valid credentials at a fake website. Typically the e-mail and the web site looks like they are part of a bank the user is doing business with. 2. Malicious Code Software (e.g., Trojan horse) that appears to perform a useful or desirable function, but actually gains unauthorized access to system resources or tricks a user into executing other malicious logic. Malware A generic term for a number of different types of malicious code. 3. Spam Electronic junk mail or junk newsgroup postings. 4. Worms. A computer program that can run independently, can propagate a complete working version of itself onto other hosts on a network, and may consume computer resources destructively. 5. Trojan. A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program. 6. Virus. A hidden, self-replicating section of computer software, usually malicious logic, that propagates by infecting - i.e., inserting a copy of itself into and becoming part of - another program. A virus cannot run by itself; it requires that its host program be run to make the virus active. 8. Key stroke logger. Practice of tracking(or logging) the keys struck on a keyboard typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored 9. Denial of service. The prevention of authorized access to a system resource or the delaying of system operations and functions 10. Web application attacks Common attack toolsCommon attack tools
IINFOSECFORCENFOSECFORCE ““ the Cyber Battle Field”the Cyber Battle Field” Computer attacks on Google that the search giant said originated in China were part of a concerted political and corporate espionage effort that exploited security flaws in e-mail attachments to sneak into the networks of major financial, defense and technology companies and research institutions in the United States, security experts said. (New York Times) Google China cyber attack part of vast espionage campaign, experts say Washington (DC) - Yesterday, the FBI announced it considers cyber attacks to be the third greatest threat to the security of the United States. The only two preceding it are nuclear war and weapons of mass destruction (WMD). JAN 2009
IINFOSECFORCENFOSECFORCE • In 2008, Symantec blocked an average of more than 245 million attempted malicious code attacks worldwide each month. • Over 60% of Symantec’s malicious code signatures were created in 2008. • Over 90% of threats discovered in 2008 are threats to confidential information. Malicious code is installedMalicious code is installed Symantec Internet Security Threat Report
IINFOSECFORCENFOSECFORCE Cyber criminals want YOUR information • Focus on exploits targeting end-users for financial gain Web-based malicious activity has accelerated • Primary vector for malicious activity • Target reputable, high-traffic websites Increased sophistication of the Underground Economy • Well-established infrastructure for monetizing stolen information Rapid adaptation to security measures • Relocating operations to new geographic areas • Evade traditional security protection Symantec Internet Security Threat Report “The attacks are more aggressive than ever and they’re more criminal than ever,” says Dave Cole, director of Symantec Security Response. The bad guys are also more organized. The report says they are working together to create “global, cooperative networks” to support their criminal activity. It’s not quite the Mafia, but there is an entire underground economy in place to deal with all the stolen information up for sale.” Key trendsKey trends
IINFOSECFORCENFOSECFORCE Key Trends – Global ActivityKey Trends – Global Activity • Data breaches can lead to identity theft • Theft and loss top cause of data leakage for overall data breaches and identities exposed • Threat activity increases with growth in Internet/Broadband usage • Documented vulnerabilities up 19% (5491) • Top attacked vulnerability: Exploits by Downadup • 95% vulnerabilities attacked were client-side • Trojans made up 68 percent of the volume of the top 50 malicious code • 66% of potential malicious code infections propagated as shared executable files • 76% phishing lures target Financial services (up 24%) • Detected 55,389 phishing website hosts (up 66%) • Detected 192% increase in spam across the Internet with 349.6 billion messages • 90% spam email distributed by Bot networks Internet Security Threat Report
IINFOSECFORCENFOSECFORCE 11 Website compromiseWebsite compromise • Attackers locate and compromise a high-traffic site through a vulnerability specific to the site or in a Web application it hosts • Once the site is compromised, attackers modify pages so malicious content is served to visitors Web application vulnerabilitiesSite-specific vulnerabilities 11Internet Security Threat Report,
IINFOSECFORCENFOSECFORCE Impact of Security DefectsImpact of Security Defects Bad Business • On average, there are 5 to 15 defects in every 1,000 lines of code  US Dept. of Defense and the Software Engineering Institute Slow Business • It takes 75 minutes on average to track down one defect. Fixing one of these defects takes 2 to 9 hours each  5 Year Pentagon Study • Researching each of the 4,200 vulnerabilities published by CERT last year for 10 minutes would have required 1 staffer to research for 17.5 full workweeks or 700 hours  Intel White paper, CERT, ICSA Labs Loss of Business • A company with 1,000 servers can spend $300,000 to test & deploy a patch; most companies deploy several patches a week  Gartner Group
IINFOSECFORCENFOSECFORCE The National Institute of Standards and Technology (NIST) estimates that code fixes performed after release can result in 30 times the cost of fixes performed during the design phase. The SDL Reduces the Total CostThe SDL Reduces the Total Cost of Developmentof Development
IINFOSECFORCENFOSECFORCE Broken access control SUN Top 10 Web Security ThreatsTop 10 Web Security Threats Unvalidated input Improper error handling Insecure storage Application denial-of-service Insecure configuration management Injection flaws Buffer overflows Cross-site scripting (XSS)Broken authentication
IINFOSECFORCENFOSECFORCE Web Application Security ThreatsWeb Application Security Threats 1. Unvalidated input (Mother of all Web Tiered Attacks) Attacker can tamper any part of the HTTP request. SQL injection, Cross Site Scripting, buffer overflows(URL, Cookies, Form Fields, Hidden Fields, Headers ) 2. Broken Access Control Insecured IDs, Poor file permissions, Service account exploit, Path Traversal 3. Broken Authentication and Session Management Focus is in USER authentication and user active sessions. Example is if “cookies” not proper protected, attacker can assume the identity of user 4. Cross site scripting Malicious script sent to server which is then sent to user accessing same server (Chat server). User believes script came from trusted source. (Can come in any form of active scripting (Java, Active X, Shockwave, Flash and etc)
IINFOSECFORCENFOSECFORCE 5. Buffer Overflow Errors Attackers use buffer overflows to corrupt the execution stack of a web application By sending carefully crafted input to a web application, an attacker can cause the web application to execute arbitrary code. Present in both the web server or application server products or the web application itself 6. Injection Flaws Injection flaws allow attackers to relay malicious code through a web application to another system. When a web application passes information from an HTTP request through as part of an external request, the attacker can inject special (meta) characters, malicious commands, or command modifiers into the information 7 . Improper Error Handling The most common problem is when detailed internal error messages such as stack traces, database dumps, and error codes are displayed to a potential hacker . These messages reveal implementation details that should never be revealed. 8. Application DOS Types of resources Bandwidth, database connections, disk storage, CPU, memory, threads, or application specific resources. Application level resources impacting Web Application Security Threats 2Web Application Security Threats 2
IINFOSECFORCENFOSECFORCE Source: IBM Hacker targetsHacker targets • From observed hacker malicious activity statistics, we know that hackers are now seldom interested in defeating the network or the infrastructure low-level defenses. The adversaries today are well aware of the fact that applications are typically less defended than the rest of the IT infrastructure. Attack vector analysesAttack vector analyses A Garner report states “ that over 75% of attacks against websites and web- based applications come at the application layer and not lower infrastructure and network layers.”
IINFOSECFORCENFOSECFORCE Application security paradoxApplication security paradox SOURCE: SPIDYNAMICS Internet DMZ Trusted Inside Corporate Inside HTTP(S) IMAP, FTP SSH , TELNET POP3, XML Firewall only allows PORT 80 (or 443 SSL) traffic from the Internet to the web server. Any – Web Server: 80 Firewall only allows applications on the web server to talk to application server. Firewall only allow application server to talk to database server. IIS SunOne Apache ASP .NET WebSphere Java SQL Oracle DB2 Applications, data and business processes are vulnerable even when a robust network and infrastructure security program is in place.
IINFOSECFORCENFOSECFORCE Is nothing sacred anymore ????  Super Bowl exploits “ At last week's RSA Conference in San Francisco, just days after the Super Bowl attack, I sat down with Thompson. On his laptop, he showed me the simple line of Javascript code that pointed Super Bowl site visitors to a known criminal hacker exploit server. Apparently, there was a cross-site scripting error on the official Super Bowl Web site that allowed some criminal hackers to inject a poisoned iFrame command. And it wasn't just the Super Bowl site--it turns out there were several others, mostly healthcare related, including the U.S. Centers for Disease Control “ Source Robert Vamosi Senior editor, CNET Reviews Hacking the Super BowlHacking the Super Bowl
IINFOSECFORCENFOSECFORCE How did this happen ?How did this happen ? Business engines fueled by multiple and powerful applications
IINFOSECFORCENFOSECFORCE Microsoft’s vision for secure and Easy “ anywhere access ” Bill Gates, 2007 RSA Expanding “e-com” perimeterExpanding “e-com” perimeter
IINFOSECFORCENFOSECFORCE Microsoft’s vision for secure and Easy “ anywhere access ” Bill Gates, 2007 RSA Expanding “e-com” perimeterExpanding “e-com” perimeter Social networks, I-Pod, I-PAD as a network, peripheral-geddon & “THE CLOUD”
IINFOSECFORCENFOSECFORCE Security coding errorsSecurity coding errors
IINFOSECFORCENFOSECFORCE Prevent & fortifyPrevent & fortify
IINFOSECFORCENFOSECFORCE This ….. IBM believesThis ….. IBM believes Application Security Strategies Engineering security into application systems is a critical discipline and should be a key component in multi-disciplinary, concurrent or distributed development teams. This applies to the development, integration, operation, administration, maintenance and evolution of e-Business application systems as well as to the development, delivery, and evolution of software-based products. Source: IBM
IINFOSECFORCENFOSECFORCE  Frequent • 3 out of 4 business websites are vulnerable to attack (Gartner)  Pervasive • Majority of hacks occur at the Application level (Gartner)  Undetected • QA testing tools not designed to detect security defects in applications Security Defects MatterSecurity Defects Matter SOURCE: Seagate Technology Security Business CaseSecurity Business Case  Expensive • Bugs and software defects costs the national economy $60 billion annually … delivering quality applications to the market has become a mandatory requirement … the cost of fixing defects after deployment is almost 100 times greater than detecting and eliminating them during development. 1000 application sample ‘Healthchecks’ with AppScan – 98% vulnerable: all had firewalls and encryption solutions in place… =
IINFOSECFORCENFOSECFORCE Best practice solutionsBest practice solutions  Application security requirements define the high level specifications for securely developing and deploying applications Application Planning  Data Classification – Classify data according to the sensitivity of the data.  Risk Assessment – Conduct preliminary risk assessment before development begins and after planning is complete. Security Requirements – Identify and document the security requirements of the application early in the development lifecycle.  Security Design – Use the Data Classification process to determine specific security services needed by the application  SDLC – Address security within all stages of the SDLC. Application Development Minimal set of coding practices  Input Validation – Validate input from all sources.  Default deny – Access control should be based on specific permission rather than exclusion.  By default all access should be denied.  Principle of Least Privilege – Perform all processes with the least set of required privileges  Quality Assurance – Quality assurance identifies and eliminates software vulnerabilities.  Perform internal testing – Use source code auditing, pen testing, manual code review, or automated source code review Prod and Maintenance  Applications shall be hosted on servers compliant with the corporate Security requirements for IT system hardening  Applications classified as sensitive shall at a minimum have annual vulnerability assessments, when a significant change to the application has occurred, or depending on the data sensitivity and risk.
IINFOSECFORCENFOSECFORCE TARGET THESE AREAS  Minimize attack surface area  Secure defaults  Principle of least privilege  Principle of defense in depth  Fail securely  External systems are insecure  Separation of duties  Do not trust security through obscurity  Simplicity  Fix security issues correctly SUN Principles of Secure ProgrammingPrinciples of Secure Programming
IINFOSECFORCENFOSECFORCE Application security risk analysesApplication security risk analyses Hardened infrastructure (will not block port 80 attacks)Relevant controls HighRisk summary HighOverall risk rating HighRisk Impact rating HighLikelihood rating Multiple avenues of attack on organizational vital information assets Risk Numerous threats such as: - SQL injection, cross site scripting, buffer overflow Threat Not having a dedicated security program that trains developers to build secure applications, not embedding security into the SDLC, not conducting security testing on applications during and after development, and not having application firewalls Vulnerability Follow application security planning, development and production best practices. Build security into all SDLC phases. Risk mitigation
IINFOSECFORCENFOSECFORCE SLCMPSLCMP Embed information security in the SDLCEmbed information security in the SDLC and PLCMP by applying the practicesand PLCMP by applying the practices and procedures defined in SLCMPand procedures defined in SLCMP
IINFOSECFORCENFOSECFORCE ““ Building highly secure software is nothing less thanBuilding highly secure software is nothing less than an eloquently choreographed dance that calls uponan eloquently choreographed dance that calls upon the talent and skills of the developer, projectthe talent and skills of the developer, project manager and information security teaming to ensuremanager and information security teaming to ensure that an application securely glides with grace acrossthat an application securely glides with grace across the technical stage ”the technical stage ” An art form
IINFOSECFORCENFOSECFORCE SLCMPSLCMP and theand the SDLC …SDLC …“The Dance”“The Dance” Statement of need for new business process, application or technology Functional requirements document designed Design and technical architecture developed Code development 1 st phase prod testing QA Initiate Design/Develop Implement Pre prod Prod Post Prod Production INFOSEC participation in feasibility analyses, no documentation required Build the System Security Plan based on NIST 800-53 control guidelines. Preliminary risk and vulnerability assessment done. Measures requirements against policy and provides functional adjustments. Security requirements stated based on preliminary risk and vulnerability assessments. If necessary, requirements document adjusted INFOSEC architecture document created based on data security categorization, policy, application functionality and risk and vulnerability assessments Integrate controls and create detailed application security test plan defining testing tools, timelines, remedial action processes and testers. Gain approval from project manager. First phase application security testing. Once code begins solidifying, use soft tools such as AppScan or Spi Dynamics for high level testing. Feedback findings to developers for code correction Second phase app security testing using formalized process to decompile code as much as possible to determine if code has organic exposures violating policy, security design, and the security architecture. Correct findings and provide to developers to fix or define mitigating controls. Aspect security has expertise in this area Third phase app security test which follows phase one testing process. Used as final verification that code is stable from INFOSEC perspective Create final risk acceptance document Application and infrastructure penetration testing Server cert 2 nd phase prod testing Ongoing pen tests, vulnerability assessments, risk management * * Security certification and accreditation should be finalized
IINFOSECFORCENFOSECFORCE SLCMP DeliverablesSLCMP Deliverables InitiateInitiate DevelopDevelop ImplementImplement ProductionProduction - Data security categorization - Preliminary risk assessment - Security plan - Risk assessment - Functional requirements analyses - Assurance requirements - Control selection - Security control integration - Second phase app security testing - Third phase app security testing - Security certification - Security accreditation - Threat management - Configuration management and control - Continuous monitoring - Incident response plan - Security architecture - Functional and vulnerability test plan - First phase testing - Additional planning assignments
IINFOSECFORCENFOSECFORCE Control selection begins. Defines high level technical and security architecture. Detailed technical and security design Validate designs, validate cost estimates, and implement final solutions and designs Operations provide operational support for all final solutions and designs implemented as part of the infrastructure. Demand manger reviews the request and categorizes project type as a small, medium, or larger project. • Architecture Standards and Convergence • Project Review • Scoping • Solution Design • Cost Estimation • Security architecture • Design and technical architecture developed • Architecture Review • Detailed Design • Level 4 Support design • Implementation • Change Management Capacity Monitoring • Day to Day Operations planning • Define Security requirements • Preliminary risk assessment • Patch management • Monitoring • Incident response • Security administration • KPI reporting on security metrics • Data and Infrastructure Categorization • Risk assessment • Functional requirements analyses • Assurance requirements analyses • Control selection and standard integration • Security architecture • Security test plan design • Control selection and standard integration • Security control integration • Security penetration and vulnerability testing • Security certification • Security accreditation • Final risk assessment • Design security controls • Begin organizing security plan development • Threat management • Ongoing pen and vulnerability testing • Determines validity of security architecture • Determines security process shortfalls • Determines product successful functionality and shortfalls • Security administration • Security monitoring INPUT SECURITY PLAN FEEDBACK SLCMP and the PLCMPSLCMP and the PLCMP Initiate Design/Develop Implement Production
IINFOSECFORCENFOSECFORCE SLCMP adopted guidelinesSLCMP adopted guidelines In system security plan, provides a an overview of the security requirements for the information system and documents the security controls planned or in place SP 800-18 Security Control Documentation Defines category of information system according to potential impact of loss FIPS 199 / SP 800-60 Security Categorization Selects minimum security controls (i.e., safeguards and countermeasures) planned or in place to protect the information system FIPS 200 / SP 800-53 Security Control Selection Determines extent to which the security controls are implemented correctly, operating as intended, and producing desired outcome with respect to meeting security requirements SP 800-53A / SP 800-26 / SP 800-37 Security Control Assessment SP 800-53 / FIPS 200 / SP 800-30 Security Control Refinement Uses risk assessment to adjust minimum control set based on local conditions, required threat coverage, and specific agency requirements SP 800-37 System Authorization Determines risk to agency operations, agency assets, or individuals and, if acceptable, authorizes information system processing SP 800-37 Security Control Monitoring Continuously tracks changes to the information system that may affect security controls and assesses control effectiveness Implements security controls in new or legacy information systems; implements security configuration checklists Security Control Implementation SP 800-70 Starting Point SLCMPSLCMP INPUTSINPUTS Source: NIST
IINFOSECFORCENFOSECFORCE SLCMP BenefitsSLCMP Benefits  Fortified applications or infrastructure projects  Hardened against internal and external attack  Meets regulatory compliance mandates  Enhances IS staff knowledge and capability  Reduces long term costs SLCMP ROI
IINFOSECFORCENFOSECFORCE ConclusionsConclusions • 80 % of all attacks on Information Security are directed to the web application layer • 2/3 of all web applications are vulnerable • Infrastructure security doesn’t directly protect code • The cost of fixing defects after deployment is almost one hundred times greater than detecting and eliminating them during design • One of the most significant risk mitigations an organization can implement is to create a consistent end-to-end process such as the SLCMP to embed security and security testing and certification in infrastructure and software development projects
IINFOSECFORCENFOSECFORCE 38 QUESTIONS
IINFOSECFORCENFOSECFORCE BACK UP SLIDES
IINFOSECFORCENFOSECFORCE Initiate deliverablesInitiate deliverables Data security Categorization Rate application importance as a low, medium, or high impact application. This is a business impact analyses which defines impact on an organization if security controls are breeched. Leads to proper selection of security controls required. Preliminary risk assessment Measures application/project requirements against policy and provides functional adjustments. Security requirements stated based on preliminary risk and vulnerability assessments. If necessary, requirements document adjusted. Focuses on early assessment of the application's requirements for confidentiality, integrity and availability (CIA)
IINFOSECFORCENFOSECFORCE Develop and designDevelop and design Risk assessment Conducted before the approval of the design specifications. Builds on the initial risk assessment but more specific. Identifies possible threats/vulnerabilities. Determines impact on organization if threat occurred. Identifies imposed risks on other assets. Additional controls needed to prevent identified risks need to be fed back to the development team Security plan Foundation for entire SLCMP process. Ensures all controls, architectures, risk assessments, test requirements, accreditation/assurance and personnel responsibilities are documented. Functional requirements analyses Ensure that enterprise security policy and standards are followed. Determine which laws must be followed by the application. Assurance requirements analyses Determine what level of certification application requires. For example, government applications might require a FISMA C&A.
IINFOSECFORCENFOSECFORCE Develop …..continuedDevelop …..continued Control selection Can refer to security control standards or use a NIST-like Information Security Requirements List to define security environment that an application, service, or project should meet. Security architecture Multi faceted security product linking all controls, standards, policies, governance, platform hooks, data base management, boundary rules and information security science into a cohesive operational CIA security sphere. Likely section of the Security plan. Functional and vulnerability test plan Multi phase technical plan designed to ensure security controls work and that business logic and software are impervious to corruption and manipulation. Will also include penetration test plans. Feeds assurance models. First phase testing Provides developers early high level look at code stability Additional planning components RFPs, SOW, Funding, Test lab, software requirements, staff increases, and etc
IINFOSECFORCENFOSECFORCE Implement deliverablesImplement deliverables Security control integration Security control settings and switches enabled IAW Security plan and architecture Second phase app security testing Formalized process to decompile code as much as possible to determine if code has organic exposures violating policy, security design, and the security architecture. Correct findings and provide to developers to fix or define mitigating controls. Aspect security has expertise in this area Third phase app security testing Verifies second phase corrections. Use App security test tool following phase one testing process. Used as final verification that code is stable from INFOSEC perspective Security certification Pen testing, third party evaluation, test plan results approved, servers hardened and certified , control effectiveness, governance attestation RMP/Security accreditation End-to-end risk evaluation incorporating all findings in security certification, final information security risk decisions, accreditation document signed
IINFOSECFORCENFOSECFORCE Production deliverablesProduction deliverables Threat management TM preventive guidance found in security plan. Ongoing oversight of environment entailing constant environmental and risk management vigilance surrounding operational environment. Configuration management and control Operational process and plan to ensure environment receives current security patches and other software preventive updates ensuring application or environment integrity is maintained Continuous monitoring Implement vulnerability management program to regularly assess integrity and availability of the operating environment. Use COSO testing and other vulnerability assessment and control processes to ensure that security processes and procedures work. Incident response plan Local Incident Response Plan will provide process and procedures to rapidly respond to all security events and incidents.
IINFOSECFORCENFOSECFORCE SDLC/PLCMP DeliverablesSDLC/PLCMP Deliverables - Security control integration - Second phase app security testing - Third phase app security testing Implement - Data security categorization - Security Plan - Preliminary risk assessment Initiate - Threat management - Configuration management and control - Continuous monitoring - Incident response plan Production - Risk assessment - Functional requirements analyses - Assurance requirements - Control selection Design and develop - Security architecture - Functional and vulnerability test plan - First phase testing - Additional planning assignments - Security certification - Security accreditation - Final risk acceptance document REF: NIST 800-53
Ad

Recommended

Information Security and the SDLC
Information Security and the SDLCInformation Security and the SDLC
Information Security and the SDLC
BDPA Charlotte - Information Technology Thought Leaders
 
Software Development Life Cycle – Managing Risk and Measuring Security
Software Development Life Cycle – Managing Risk and Measuring SecuritySoftware Development Life Cycle – Managing Risk and Measuring Security
Software Development Life Cycle – Managing Risk and Measuring Security
Thomas Malmberg
 
Software security, secure software development in the age of IoT, smart thing...
Software security, secure software development in the age of IoT, smart thing...Software security, secure software development in the age of IoT, smart thing...
Software security, secure software development in the age of IoT, smart thing...
LabSharegroup
 
Software Security Engineering
Software Security EngineeringSoftware Security Engineering
Software Security Engineering
Marco Morana
 
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Dilum Bandara
 
Software Security Frameworks
Software Security FrameworksSoftware Security Frameworks
Software Security Frameworks
Marco Morana
 
What’s making way for secure sdlc
What’s making way for secure sdlcWhat’s making way for secure sdlc
What’s making way for secure sdlc
Avancercorp
 
Secure Coding and Threat Modeling
Secure Coding and Threat ModelingSecure Coding and Threat Modeling
Secure Coding and Threat Modeling
Miriam Celi, CISSP, GISP, MSCS, MBA
 
Basic of SSDLC
Basic of SSDLCBasic of SSDLC
Basic of SSDLC
Chitpong Wuttanan
 
Cyber security series Application Security
Cyber security series Application SecurityCyber security series Application Security
Cyber security series Application Security
Jim Kaplan CIA CFE
 
Integrating Security Across SDLC Phases
Integrating Security Across SDLC PhasesIntegrating Security Across SDLC Phases
Integrating Security Across SDLC Phases
Ishrath Sultana
 
Secure Software Development Lifecycle
Secure Software Development LifecycleSecure Software Development Lifecycle
Secure Software Development Lifecycle
1&1
 
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & VeracodeCrafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Digital Defense Inc
 
Offensive cyber security engineer updated
Offensive cyber security engineer updatedOffensive cyber security engineer updated
Offensive cyber security engineer updated
InfosecTrain
 
Application Security Testing(AST)
Application Security Testing(AST)Application Security Testing(AST)
Application Security Testing(AST)
Arvind Bhardwaj [AB]
 
Introduction to Application Security Testing
Introduction to Application Security TestingIntroduction to Application Security Testing
Introduction to Application Security Testing
Mohamed Ridha CHEBBI, CISSP
 
Agile and Secure SDLC
Agile and Secure SDLCAgile and Secure SDLC
Agile and Secure SDLC
Nazar Tymoshyk, CEH, Ph.D.
 
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"
WrikeTechClub
 
Vulnerability threat and attack
Vulnerability threat and attackVulnerability threat and attack
Vulnerability threat and attack
newbie2019
 
Extending the 20 critical security controls to gap assessments and security m...
Extending the 20 critical security controls to gap assessments and security m...Extending the 20 critical security controls to gap assessments and security m...
Extending the 20 critical security controls to gap assessments and security m...
John M. Willis
 
Application Security Guide for Beginners
Application Security Guide for Beginners Application Security Guide for Beginners
Application Security Guide for Beginners
Checkmarx
 
Presentation on vulnerability analysis
Presentation on vulnerability analysisPresentation on vulnerability analysis
Presentation on vulnerability analysis
Asif Anik
 
Sumeet Mandloi: Robust Security Testing Framework
Sumeet Mandloi: Robust Security Testing FrameworkSumeet Mandloi: Robust Security Testing Framework
Sumeet Mandloi: Robust Security Testing Framework
Anna Royzman
 
Software security engineering
Software security engineeringSoftware security engineering
Software security engineering
AHM Pervej Kabir
 
Improve threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usmImprove threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usm
AlienVault
 
Application Security
Application SecurityApplication Security
Application Security
Reggie Niccolo Santos
 
Security Development Lifecycle Tools
Security Development Lifecycle ToolsSecurity Development Lifecycle Tools
Security Development Lifecycle Tools
n|u - The Open Security Community
 
TUD CS4105 | 2015 | Lecture 1
TUD CS4105 | 2015 | Lecture 1TUD CS4105 | 2015 | Lecture 1
TUD CS4105 | 2015 | Lecture 1
Eelco Visser
 
DEVSECOPS_the_beginning.ppt
DEVSECOPS_the_beginning.pptDEVSECOPS_the_beginning.ppt
DEVSECOPS_the_beginning.ppt
schwarz10
 
Security Lifecycle Management Process
Security Lifecycle Management ProcessSecurity Lifecycle Management Process
Security Lifecycle Management Process
Bill Ross
 
Ad

More Related Content

What's hot (20)

Basic of SSDLC
Basic of SSDLCBasic of SSDLC
Basic of SSDLC
Chitpong Wuttanan
 
Cyber security series Application Security
Cyber security series Application SecurityCyber security series Application Security
Cyber security series Application Security
Jim Kaplan CIA CFE
 
Integrating Security Across SDLC Phases
Integrating Security Across SDLC PhasesIntegrating Security Across SDLC Phases
Integrating Security Across SDLC Phases
Ishrath Sultana
 
Secure Software Development Lifecycle
Secure Software Development LifecycleSecure Software Development Lifecycle
Secure Software Development Lifecycle
1&1
 
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & VeracodeCrafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Digital Defense Inc
 
Offensive cyber security engineer updated
Offensive cyber security engineer updatedOffensive cyber security engineer updated
Offensive cyber security engineer updated
InfosecTrain
 
Application Security Testing(AST)
Application Security Testing(AST)Application Security Testing(AST)
Application Security Testing(AST)
Arvind Bhardwaj [AB]
 
Introduction to Application Security Testing
Introduction to Application Security TestingIntroduction to Application Security Testing
Introduction to Application Security Testing
Mohamed Ridha CHEBBI, CISSP
 
Agile and Secure SDLC
Agile and Secure SDLCAgile and Secure SDLC
Agile and Secure SDLC
Nazar Tymoshyk, CEH, Ph.D.
 
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"
WrikeTechClub
 
Vulnerability threat and attack
Vulnerability threat and attackVulnerability threat and attack
Vulnerability threat and attack
newbie2019
 
Extending the 20 critical security controls to gap assessments and security m...
Extending the 20 critical security controls to gap assessments and security m...Extending the 20 critical security controls to gap assessments and security m...
Extending the 20 critical security controls to gap assessments and security m...
John M. Willis
 
Application Security Guide for Beginners
Application Security Guide for Beginners Application Security Guide for Beginners
Application Security Guide for Beginners
Checkmarx
 
Presentation on vulnerability analysis
Presentation on vulnerability analysisPresentation on vulnerability analysis
Presentation on vulnerability analysis
Asif Anik
 
Sumeet Mandloi: Robust Security Testing Framework
Sumeet Mandloi: Robust Security Testing FrameworkSumeet Mandloi: Robust Security Testing Framework
Sumeet Mandloi: Robust Security Testing Framework
Anna Royzman
 
Software security engineering
Software security engineeringSoftware security engineering
Software security engineering
AHM Pervej Kabir
 
Improve threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usmImprove threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usm
AlienVault
 
Application Security
Application SecurityApplication Security
Application Security
Reggie Niccolo Santos
 
Security Development Lifecycle Tools
Security Development Lifecycle ToolsSecurity Development Lifecycle Tools
Security Development Lifecycle Tools
n|u - The Open Security Community
 
TUD CS4105 | 2015 | Lecture 1
TUD CS4105 | 2015 | Lecture 1TUD CS4105 | 2015 | Lecture 1
TUD CS4105 | 2015 | Lecture 1
Eelco Visser
 
Basic of SSDLC
Basic of SSDLCBasic of SSDLC
Basic of SSDLC
Chitpong Wuttanan
 
Cyber security series Application Security
Cyber security series Application SecurityCyber security series Application Security
Cyber security series Application Security
Jim Kaplan CIA CFE
 
Integrating Security Across SDLC Phases
Integrating Security Across SDLC PhasesIntegrating Security Across SDLC Phases
Integrating Security Across SDLC Phases
Ishrath Sultana
 
Secure Software Development Lifecycle
Secure Software Development LifecycleSecure Software Development Lifecycle
Secure Software Development Lifecycle
1&1
 
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & VeracodeCrafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Digital Defense Inc
 
Offensive cyber security engineer updated
Offensive cyber security engineer updatedOffensive cyber security engineer updated
Offensive cyber security engineer updated
InfosecTrain
 
Application Security Testing(AST)
Application Security Testing(AST)Application Security Testing(AST)
Application Security Testing(AST)
Arvind Bhardwaj [AB]
 
Introduction to Application Security Testing
Introduction to Application Security TestingIntroduction to Application Security Testing
Introduction to Application Security Testing
Mohamed Ridha CHEBBI, CISSP
 
Agile and Secure SDLC
Agile and Secure SDLCAgile and Secure SDLC
Agile and Secure SDLC
Nazar Tymoshyk, CEH, Ph.D.
 
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"
WrikeTechClub
 
Vulnerability threat and attack
Vulnerability threat and attackVulnerability threat and attack
Vulnerability threat and attack
newbie2019
 
Extending the 20 critical security controls to gap assessments and security m...
Extending the 20 critical security controls to gap assessments and security m...Extending the 20 critical security controls to gap assessments and security m...
Extending the 20 critical security controls to gap assessments and security m...
John M. Willis
 
Application Security Guide for Beginners
Application Security Guide for Beginners Application Security Guide for Beginners
Application Security Guide for Beginners
Checkmarx
 
Presentation on vulnerability analysis
Presentation on vulnerability analysisPresentation on vulnerability analysis
Presentation on vulnerability analysis
Asif Anik
 
Sumeet Mandloi: Robust Security Testing Framework
Sumeet Mandloi: Robust Security Testing FrameworkSumeet Mandloi: Robust Security Testing Framework
Sumeet Mandloi: Robust Security Testing Framework
Anna Royzman
 
Software security engineering
Software security engineeringSoftware security engineering
Software security engineering
AHM Pervej Kabir
 
Improve threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usmImprove threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usm
AlienVault
 
Application Security
Application SecurityApplication Security
Application Security
Reggie Niccolo Santos
 
Security Development Lifecycle Tools
Security Development Lifecycle ToolsSecurity Development Lifecycle Tools
Security Development Lifecycle Tools
n|u - The Open Security Community
 
TUD CS4105 | 2015 | Lecture 1
TUD CS4105 | 2015 | Lecture 1TUD CS4105 | 2015 | Lecture 1
TUD CS4105 | 2015 | Lecture 1
Eelco Visser
 

Similar to Secure by design and secure software development (20)

DEVSECOPS_the_beginning.ppt
DEVSECOPS_the_beginning.pptDEVSECOPS_the_beginning.ppt
DEVSECOPS_the_beginning.ppt
schwarz10
 
Security Lifecycle Management Process
Security Lifecycle Management ProcessSecurity Lifecycle Management Process
Security Lifecycle Management Process
Bill Ross
 
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
Kaukau9
 
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Alan Kan
 
Cyper security & Ethical hacking
Cyper security & Ethical hackingCyper security & Ethical hacking
Cyper security & Ethical hacking
Cmano Kar
 
A Review Paper on Cyber-Security
A Review Paper on Cyber-SecurityA Review Paper on Cyber-Security
A Review Paper on Cyber-Security
IRJET Journal
 
Computer security system Unit1.pptx
Computer security system Unit1.pptxComputer security system Unit1.pptx
Computer security system Unit1.pptx
VIRAJDEY1
 
Analyzing Cyber-Attacks: Case Studies of Five Organizations
Analyzing Cyber-Attacks: Case Studies of Five OrganizationsAnalyzing Cyber-Attacks: Case Studies of Five Organizations
Analyzing Cyber-Attacks: Case Studies of Five Organizations
Boston Institute of Analytics
 
Computer Security
Computer SecurityComputer Security
Computer Security
Vaibhavi Patel
 
Computer Security
Computer SecurityComputer Security
Computer Security
Vaibhavi Patel
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
Rick Wanner
 
ransomware keylogger rootkit.pptx
ransomware keylogger rootkit.pptxransomware keylogger rootkit.pptx
ransomware keylogger rootkit.pptx
dawitTerefe5
 
Internet threats and defence mechanism
Internet threats and defence mechanismInternet threats and defence mechanism
Internet threats and defence mechanism
CAS
 
Hacking and its Defence
Hacking and its DefenceHacking and its Defence
Hacking and its Defence
Greater Noida Institute Of Technology
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
Zakaria SMAHI
 
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Wayne Huang
 
TRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasTRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , Texas
Aditya K Sood
 
21CSB02T UNIT 1 NOTES. FOR WEB APPLICATION SECURITY VERTICAL COURSES
21CSB02T UNIT 1 NOTES. FOR WEB APPLICATION SECURITY VERTICAL COURSES21CSB02T UNIT 1 NOTES. FOR WEB APPLICATION SECURITY VERTICAL COURSES
21CSB02T UNIT 1 NOTES. FOR WEB APPLICATION SECURITY VERTICAL COURSES
Rajkumars275092
 
Introduction to cyber security
Introduction to cyber securityIntroduction to cyber security
Introduction to cyber security
Geevarghese Titus
 
30 it securitythreatsvulnerabilitiesandcountermeasuresv1_2
30 it securitythreatsvulnerabilitiesandcountermeasuresv1_230 it securitythreatsvulnerabilitiesandcountermeasuresv1_2
30 it securitythreatsvulnerabilitiesandcountermeasuresv1_2
Gaurav Srivastav
 
DEVSECOPS_the_beginning.ppt
DEVSECOPS_the_beginning.pptDEVSECOPS_the_beginning.ppt
DEVSECOPS_the_beginning.ppt
schwarz10
 
Security Lifecycle Management Process
Security Lifecycle Management ProcessSecurity Lifecycle Management Process
Security Lifecycle Management Process
Bill Ross
 
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
Kaukau9
 
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Alan Kan
 
Cyper security & Ethical hacking
Cyper security & Ethical hackingCyper security & Ethical hacking
Cyper security & Ethical hacking
Cmano Kar
 
A Review Paper on Cyber-Security
A Review Paper on Cyber-SecurityA Review Paper on Cyber-Security
A Review Paper on Cyber-Security
IRJET Journal
 
Computer security system Unit1.pptx
Computer security system Unit1.pptxComputer security system Unit1.pptx
Computer security system Unit1.pptx
VIRAJDEY1
 
Analyzing Cyber-Attacks: Case Studies of Five Organizations
Analyzing Cyber-Attacks: Case Studies of Five OrganizationsAnalyzing Cyber-Attacks: Case Studies of Five Organizations
Analyzing Cyber-Attacks: Case Studies of Five Organizations
Boston Institute of Analytics
 
Computer Security
Computer SecurityComputer Security
Computer Security
Vaibhavi Patel
 
Computer Security
Computer SecurityComputer Security
Computer Security
Vaibhavi Patel
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
Rick Wanner
 
ransomware keylogger rootkit.pptx
ransomware keylogger rootkit.pptxransomware keylogger rootkit.pptx
ransomware keylogger rootkit.pptx
dawitTerefe5
 
Internet threats and defence mechanism
Internet threats and defence mechanismInternet threats and defence mechanism
Internet threats and defence mechanism
CAS
 
Hacking and its Defence
Hacking and its DefenceHacking and its Defence
Hacking and its Defence
Greater Noida Institute Of Technology
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
Zakaria SMAHI
 
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Wayne Huang
 
TRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasTRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , Texas
Aditya K Sood
 
21CSB02T UNIT 1 NOTES. FOR WEB APPLICATION SECURITY VERTICAL COURSES
21CSB02T UNIT 1 NOTES. FOR WEB APPLICATION SECURITY VERTICAL COURSES21CSB02T UNIT 1 NOTES. FOR WEB APPLICATION SECURITY VERTICAL COURSES
21CSB02T UNIT 1 NOTES. FOR WEB APPLICATION SECURITY VERTICAL COURSES
Rajkumars275092
 
Introduction to cyber security
Introduction to cyber securityIntroduction to cyber security
Introduction to cyber security
Geevarghese Titus
 
30 it securitythreatsvulnerabilitiesandcountermeasuresv1_2
30 it securitythreatsvulnerabilitiesandcountermeasuresv1_230 it securitythreatsvulnerabilitiesandcountermeasuresv1_2
30 it securitythreatsvulnerabilitiesandcountermeasuresv1_2
Gaurav Srivastav
 
Ad

More from Bill Ross (10)

Cyber Security Command, Control, Communications, Computers Intelligence Surve...
Cyber Security Command, Control, Communications, Computers Intelligence Surve...Cyber Security Command, Control, Communications, Computers Intelligence Surve...
Cyber Security Command, Control, Communications, Computers Intelligence Surve...
Bill Ross
 
Cyber_Warfare_Escalation_to_Nuclear_Warfare_Examination
Cyber_Warfare_Escalation_to_Nuclear_Warfare_ExaminationCyber_Warfare_Escalation_to_Nuclear_Warfare_Examination
Cyber_Warfare_Escalation_to_Nuclear_Warfare_Examination
Bill Ross
 
Cyber_Space_is_not_Cyber_Security
Cyber_Space_is_not_Cyber_SecurityCyber_Space_is_not_Cyber_Security
Cyber_Space_is_not_Cyber_Security
Bill Ross
 
Infosecforce security services
Infosecforce security servicesInfosecforce security services
Infosecforce security services
Bill Ross
 
INFOSECFORCE Risk Management Framework Transition Plan
INFOSECFORCE Risk Management Framework Transition PlanINFOSECFORCE Risk Management Framework Transition Plan
INFOSECFORCE Risk Management Framework Transition Plan
Bill Ross
 
Security architecture analyses brief 21 april 2015
Security architecture analyses brief 21 april 2015Security architecture analyses brief 21 april 2015
Security architecture analyses brief 21 april 2015
Bill Ross
 
INFOSECFORCE llc security services
INFOSECFORCE llc security servicesINFOSECFORCE llc security services
INFOSECFORCE llc security services
Bill Ross
 
" Soviet Military Doctrine ... a Blueprint for the Future or an Indictment of...
" Soviet Military Doctrine ... a Blueprint for the Future or an Indictment of..." Soviet Military Doctrine ... a Blueprint for the Future or an Indictment of...
" Soviet Military Doctrine ... a Blueprint for the Future or an Indictment of...
Bill Ross
 
Cyber Intelligence Operations Center
Cyber Intelligence Operations CenterCyber Intelligence Operations Center
Cyber Intelligence Operations Center
Bill Ross
 
" The Invisible Person ... the Security Architect "
" The Invisible Person ... the Security Architect "" The Invisible Person ... the Security Architect "
" The Invisible Person ... the Security Architect "
Bill Ross
 
Cyber Security Command, Control, Communications, Computers Intelligence Surve...
Cyber Security Command, Control, Communications, Computers Intelligence Surve...Cyber Security Command, Control, Communications, Computers Intelligence Surve...
Cyber Security Command, Control, Communications, Computers Intelligence Surve...
Bill Ross
 
Cyber_Warfare_Escalation_to_Nuclear_Warfare_Examination
Cyber_Warfare_Escalation_to_Nuclear_Warfare_ExaminationCyber_Warfare_Escalation_to_Nuclear_Warfare_Examination
Cyber_Warfare_Escalation_to_Nuclear_Warfare_Examination
Bill Ross
 
Cyber_Space_is_not_Cyber_Security
Cyber_Space_is_not_Cyber_SecurityCyber_Space_is_not_Cyber_Security
Cyber_Space_is_not_Cyber_Security
Bill Ross
 
Infosecforce security services
Infosecforce security servicesInfosecforce security services
Infosecforce security services
Bill Ross
 
INFOSECFORCE Risk Management Framework Transition Plan
INFOSECFORCE Risk Management Framework Transition PlanINFOSECFORCE Risk Management Framework Transition Plan
INFOSECFORCE Risk Management Framework Transition Plan
Bill Ross
 
Security architecture analyses brief 21 april 2015
Security architecture analyses brief 21 april 2015Security architecture analyses brief 21 april 2015
Security architecture analyses brief 21 april 2015
Bill Ross
 
INFOSECFORCE llc security services
INFOSECFORCE llc security servicesINFOSECFORCE llc security services
INFOSECFORCE llc security services
Bill Ross
 
" Soviet Military Doctrine ... a Blueprint for the Future or an Indictment of...
" Soviet Military Doctrine ... a Blueprint for the Future or an Indictment of..." Soviet Military Doctrine ... a Blueprint for the Future or an Indictment of...
" Soviet Military Doctrine ... a Blueprint for the Future or an Indictment of...
Bill Ross
 
Cyber Intelligence Operations Center
Cyber Intelligence Operations CenterCyber Intelligence Operations Center
Cyber Intelligence Operations Center
Bill Ross
 
" The Invisible Person ... the Security Architect "
" The Invisible Person ... the Security Architect "" The Invisible Person ... the Security Architect "
" The Invisible Person ... the Security Architect "
Bill Ross
 
Ad

Recently uploaded (20)

Zilliz Cloud Monthly Technical Review: May 2025
Zilliz Cloud Monthly Technical Review: May 2025Zilliz Cloud Monthly Technical Review: May 2025
Zilliz Cloud Monthly Technical Review: May 2025
Zilliz
 
RTP Over QUIC: An Interesting Opportunity Or Wasted Time?
RTP Over QUIC: An Interesting Opportunity Or Wasted Time?RTP Over QUIC: An Interesting Opportunity Or Wasted Time?
RTP Over QUIC: An Interesting Opportunity Or Wasted Time?
Lorenzo Miniero
 
Enterprise Integration Is Dead! Long Live AI-Driven Integration with Apache C...
Enterprise Integration Is Dead! Long Live AI-Driven Integration with Apache C...Enterprise Integration Is Dead! Long Live AI-Driven Integration with Apache C...
Enterprise Integration Is Dead! Long Live AI-Driven Integration with Apache C...
Markus Eisele
 
On-Device or Remote? On the Energy Efficiency of Fetching LLM-Generated Conte...
On-Device or Remote? On the Energy Efficiency of Fetching LLM-Generated Conte...On-Device or Remote? On the Energy Efficiency of Fetching LLM-Generated Conte...
On-Device or Remote? On the Energy Efficiency of Fetching LLM-Generated Conte...
Ivano Malavolta
 
Dark Dynamism: drones, dark factories and deurbanization
Dark Dynamism: drones, dark factories and deurbanizationDark Dynamism: drones, dark factories and deurbanization
Dark Dynamism: drones, dark factories and deurbanization
Jakub Šimek
 
Com fer un pla de gestió de dades amb l'eiNa DMP (en anglès)
Com fer un pla de gestió de dades amb l'eiNa DMP (en anglès)Com fer un pla de gestió de dades amb l'eiNa DMP (en anglès)
Com fer un pla de gestió de dades amb l'eiNa DMP (en anglès)
CSUC - Consorci de Serveis Universitaris de Catalunya
 
machines-for-woodworking-shops-en-compressed.pdf
machines-for-woodworking-shops-en-compressed.pdfmachines-for-woodworking-shops-en-compressed.pdf
machines-for-woodworking-shops-en-compressed.pdf
AmirStern2
 
Q1 2025 Dropbox Earnings and Investor Presentation
Q1 2025 Dropbox Earnings and Investor PresentationQ1 2025 Dropbox Earnings and Investor Presentation
Q1 2025 Dropbox Earnings and Investor Presentation
Dropbox
 
DevOpsDays SLC - Platform Engineers are Product Managers.pptx
DevOpsDays SLC - Platform Engineers are Product Managers.pptxDevOpsDays SLC - Platform Engineers are Product Managers.pptx
DevOpsDays SLC - Platform Engineers are Product Managers.pptx
Justin Reock
 
fennec fox optimization algorithm for optimal solution
fennec fox optimization algorithm for optimal solutionfennec fox optimization algorithm for optimal solution
fennec fox optimization algorithm for optimal solution
shallal2
 
Shoehorning dependency injection into a FP language, what does it take?
Shoehorning dependency injection into a FP language, what does it take?Shoehorning dependency injection into a FP language, what does it take?
Shoehorning dependency injection into a FP language, what does it take?
Eric Torreborre
 
AI x Accessibility UXPA by Stew Smith and Olivier Vroom
AI x Accessibility UXPA by Stew Smith and Olivier VroomAI x Accessibility UXPA by Stew Smith and Olivier Vroom
AI x Accessibility UXPA by Stew Smith and Olivier Vroom
UXPA Boston
 
Viam product demo_ Deploying and scaling AI with hardware.pdf
Viam product demo_ Deploying and scaling AI with hardware.pdfViam product demo_ Deploying and scaling AI with hardware.pdf
Viam product demo_ Deploying and scaling AI with hardware.pdf
camilalamoratta
 
IT484 Cyber Forensics_Information Technology
IT484 Cyber Forensics_Information TechnologyIT484 Cyber Forensics_Information Technology
IT484 Cyber Forensics_Information Technology
SHEHABALYAMANI
 
AI-proof your career by Olivier Vroom and David WIlliamson
AI-proof your career by Olivier Vroom and David WIlliamsonAI-proof your career by Olivier Vroom and David WIlliamson
AI-proof your career by Olivier Vroom and David WIlliamson
UXPA Boston
 
Cybersecurity Threat Vectors and Mitigation
Cybersecurity Threat Vectors and MitigationCybersecurity Threat Vectors and Mitigation
Cybersecurity Threat Vectors and Mitigation
VICTOR MAESTRE RAMIREZ
 
Could Virtual Threads cast away the usage of Kotlin Coroutines - DevoxxUK2025
Could Virtual Threads cast away the usage of Kotlin Coroutines - DevoxxUK2025Could Virtual Threads cast away the usage of Kotlin Coroutines - DevoxxUK2025
Could Virtual Threads cast away the usage of Kotlin Coroutines - DevoxxUK2025
João Esperancinha
 
Limecraft Webinar - 2025.3 release, featuring Content Delivery, Graphic Conte...
Limecraft Webinar - 2025.3 release, featuring Content Delivery, Graphic Conte...Limecraft Webinar - 2025.3 release, featuring Content Delivery, Graphic Conte...
Limecraft Webinar - 2025.3 release, featuring Content Delivery, Graphic Conte...
Maarten Verwaest
 
AsyncAPI v3 : Streamlining Event-Driven API Design
AsyncAPI v3 : Streamlining Event-Driven API DesignAsyncAPI v3 : Streamlining Event-Driven API Design
AsyncAPI v3 : Streamlining Event-Driven API Design
leonid54
 
GDG Cloud Southlake #42: Suresh Mathew: Autonomous Resource Optimization: How...
GDG Cloud Southlake #42: Suresh Mathew: Autonomous Resource Optimization: How...GDG Cloud Southlake #42: Suresh Mathew: Autonomous Resource Optimization: How...
GDG Cloud Southlake #42: Suresh Mathew: Autonomous Resource Optimization: How...
James Anderson
 
Zilliz Cloud Monthly Technical Review: May 2025
Zilliz Cloud Monthly Technical Review: May 2025Zilliz Cloud Monthly Technical Review: May 2025
Zilliz Cloud Monthly Technical Review: May 2025
Zilliz
 
RTP Over QUIC: An Interesting Opportunity Or Wasted Time?
RTP Over QUIC: An Interesting Opportunity Or Wasted Time?RTP Over QUIC: An Interesting Opportunity Or Wasted Time?
RTP Over QUIC: An Interesting Opportunity Or Wasted Time?
Lorenzo Miniero
 
Enterprise Integration Is Dead! Long Live AI-Driven Integration with Apache C...
Enterprise Integration Is Dead! Long Live AI-Driven Integration with Apache C...Enterprise Integration Is Dead! Long Live AI-Driven Integration with Apache C...
Enterprise Integration Is Dead! Long Live AI-Driven Integration with Apache C...
Markus Eisele
 
On-Device or Remote? On the Energy Efficiency of Fetching LLM-Generated Conte...
On-Device or Remote? On the Energy Efficiency of Fetching LLM-Generated Conte...On-Device or Remote? On the Energy Efficiency of Fetching LLM-Generated Conte...
On-Device or Remote? On the Energy Efficiency of Fetching LLM-Generated Conte...
Ivano Malavolta
 
Dark Dynamism: drones, dark factories and deurbanization
Dark Dynamism: drones, dark factories and deurbanizationDark Dynamism: drones, dark factories and deurbanization
Dark Dynamism: drones, dark factories and deurbanization
Jakub Šimek
 
Com fer un pla de gestió de dades amb l'eiNa DMP (en anglès)
Com fer un pla de gestió de dades amb l'eiNa DMP (en anglès)Com fer un pla de gestió de dades amb l'eiNa DMP (en anglès)
Com fer un pla de gestió de dades amb l'eiNa DMP (en anglès)
CSUC - Consorci de Serveis Universitaris de Catalunya
 
machines-for-woodworking-shops-en-compressed.pdf
machines-for-woodworking-shops-en-compressed.pdfmachines-for-woodworking-shops-en-compressed.pdf
machines-for-woodworking-shops-en-compressed.pdf
AmirStern2
 
Q1 2025 Dropbox Earnings and Investor Presentation
Q1 2025 Dropbox Earnings and Investor PresentationQ1 2025 Dropbox Earnings and Investor Presentation
Q1 2025 Dropbox Earnings and Investor Presentation
Dropbox
 
DevOpsDays SLC - Platform Engineers are Product Managers.pptx
DevOpsDays SLC - Platform Engineers are Product Managers.pptxDevOpsDays SLC - Platform Engineers are Product Managers.pptx
DevOpsDays SLC - Platform Engineers are Product Managers.pptx
Justin Reock
 
fennec fox optimization algorithm for optimal solution
fennec fox optimization algorithm for optimal solutionfennec fox optimization algorithm for optimal solution
fennec fox optimization algorithm for optimal solution
shallal2
 
Shoehorning dependency injection into a FP language, what does it take?
Shoehorning dependency injection into a FP language, what does it take?Shoehorning dependency injection into a FP language, what does it take?
Shoehorning dependency injection into a FP language, what does it take?
Eric Torreborre
 
AI x Accessibility UXPA by Stew Smith and Olivier Vroom
AI x Accessibility UXPA by Stew Smith and Olivier VroomAI x Accessibility UXPA by Stew Smith and Olivier Vroom
AI x Accessibility UXPA by Stew Smith and Olivier Vroom
UXPA Boston
 
Viam product demo_ Deploying and scaling AI with hardware.pdf
Viam product demo_ Deploying and scaling AI with hardware.pdfViam product demo_ Deploying and scaling AI with hardware.pdf
Viam product demo_ Deploying and scaling AI with hardware.pdf
camilalamoratta
 
IT484 Cyber Forensics_Information Technology
IT484 Cyber Forensics_Information TechnologyIT484 Cyber Forensics_Information Technology
IT484 Cyber Forensics_Information Technology
SHEHABALYAMANI
 
AI-proof your career by Olivier Vroom and David WIlliamson
AI-proof your career by Olivier Vroom and David WIlliamsonAI-proof your career by Olivier Vroom and David WIlliamson
AI-proof your career by Olivier Vroom and David WIlliamson
UXPA Boston
 
Cybersecurity Threat Vectors and Mitigation
Cybersecurity Threat Vectors and MitigationCybersecurity Threat Vectors and Mitigation
Cybersecurity Threat Vectors and Mitigation
VICTOR MAESTRE RAMIREZ
 
Could Virtual Threads cast away the usage of Kotlin Coroutines - DevoxxUK2025
Could Virtual Threads cast away the usage of Kotlin Coroutines - DevoxxUK2025Could Virtual Threads cast away the usage of Kotlin Coroutines - DevoxxUK2025
Could Virtual Threads cast away the usage of Kotlin Coroutines - DevoxxUK2025
João Esperancinha
 
Limecraft Webinar - 2025.3 release, featuring Content Delivery, Graphic Conte...
Limecraft Webinar - 2025.3 release, featuring Content Delivery, Graphic Conte...Limecraft Webinar - 2025.3 release, featuring Content Delivery, Graphic Conte...
Limecraft Webinar - 2025.3 release, featuring Content Delivery, Graphic Conte...
Maarten Verwaest
 
AsyncAPI v3 : Streamlining Event-Driven API Design
AsyncAPI v3 : Streamlining Event-Driven API DesignAsyncAPI v3 : Streamlining Event-Driven API Design
AsyncAPI v3 : Streamlining Event-Driven API Design
leonid54
 
GDG Cloud Southlake #42: Suresh Mathew: Autonomous Resource Optimization: How...
GDG Cloud Southlake #42: Suresh Mathew: Autonomous Resource Optimization: How...GDG Cloud Southlake #42: Suresh Mathew: Autonomous Resource Optimization: How...
GDG Cloud Southlake #42: Suresh Mathew: Autonomous Resource Optimization: How...
James Anderson
 

Secure by design and secure software development

  • 1. IINFOSECFORCENFOSECFORCE 1 Application SecurityApplication Security BILL ROSS Application Security BILL ROSS 15 Sept 2008 IINFOSECFORCENFOSECFORCE ““ Balancing security controls to business requirements “Balancing security controls to business requirements “
  • 2. IINFOSECFORCENFOSECFORCE SecuritySecurity and Project Lifecycles Security and Lifecycle Management Process (SLCMP) Said “slickum” A “practitioner’s” view ….. Bill Ross
  • 3. IINFOSECFORCENFOSECFORCE Slickum brief objectivesSlickum brief objectives  Purpose: - Discuss application security issues - Describe web application information security - To describe a process by which software is securely developed  Expected outcome: - An increased awareness of how to prevent web application attacks - How to implement the SLCMP process into the SDLC - More securely built applications and infrastructure
  • 4. IINFOSECFORCENFOSECFORCE What You Need to KnowWhat You Need to Know 4 Symantec Internet Security Threat Report, Volume XIV
  • 5. IINFOSECFORCENFOSECFORCE  Less rigor in Web programming, an increasing variety of software, and restrictions on Web security testing have combined to make flaws in Web software the most reported security issues, according to the Common Vulnerabilities and Exposures (CVE) project.  Web and business applications are increasingly compromised around the world causing businesses to loose millions of dollars through data compromise  Hacking is no longer for fun …… it is for profit …. Internal or external hackers exploit weaknesses in application code to achieve their objectives.  Symantec 2008 Cyber report indicates there are 1,656, 227 number of new threats in the wild Operational reportOperational report
  • 6. IINFOSECFORCENFOSECFORCE 1. Phishing. The use of e-mails that appear to originate from a trusted source to trick a user into entering valid credentials at a fake website. Typically the e-mail and the web site looks like they are part of a bank the user is doing business with. 2. Malicious Code Software (e.g., Trojan horse) that appears to perform a useful or desirable function, but actually gains unauthorized access to system resources or tricks a user into executing other malicious logic. Malware A generic term for a number of different types of malicious code. 3. Spam Electronic junk mail or junk newsgroup postings. 4. Worms. A computer program that can run independently, can propagate a complete working version of itself onto other hosts on a network, and may consume computer resources destructively. 5. Trojan. A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program. 6. Virus. A hidden, self-replicating section of computer software, usually malicious logic, that propagates by infecting - i.e., inserting a copy of itself into and becoming part of - another program. A virus cannot run by itself; it requires that its host program be run to make the virus active. 8. Key stroke logger. Practice of tracking(or logging) the keys struck on a keyboard typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored 9. Denial of service. The prevention of authorized access to a system resource or the delaying of system operations and functions 10. Web application attacks Common attack toolsCommon attack tools
  • 7. IINFOSECFORCENFOSECFORCE ““ the Cyber Battle Field”the Cyber Battle Field” Computer attacks on Google that the search giant said originated in China were part of a concerted political and corporate espionage effort that exploited security flaws in e-mail attachments to sneak into the networks of major financial, defense and technology companies and research institutions in the United States, security experts said. (New York Times) Google China cyber attack part of vast espionage campaign, experts say Washington (DC) - Yesterday, the FBI announced it considers cyber attacks to be the third greatest threat to the security of the United States. The only two preceding it are nuclear war and weapons of mass destruction (WMD). JAN 2009
  • 8. IINFOSECFORCENFOSECFORCE • In 2008, Symantec blocked an average of more than 245 million attempted malicious code attacks worldwide each month. • Over 60% of Symantec’s malicious code signatures were created in 2008. • Over 90% of threats discovered in 2008 are threats to confidential information. Malicious code is installedMalicious code is installed Symantec Internet Security Threat Report
  • 9. IINFOSECFORCENFOSECFORCE Cyber criminals want YOUR information • Focus on exploits targeting end-users for financial gain Web-based malicious activity has accelerated • Primary vector for malicious activity • Target reputable, high-traffic websites Increased sophistication of the Underground Economy • Well-established infrastructure for monetizing stolen information Rapid adaptation to security measures • Relocating operations to new geographic areas • Evade traditional security protection Symantec Internet Security Threat Report “The attacks are more aggressive than ever and they’re more criminal than ever,” says Dave Cole, director of Symantec Security Response. The bad guys are also more organized. The report says they are working together to create “global, cooperative networks” to support their criminal activity. It’s not quite the Mafia, but there is an entire underground economy in place to deal with all the stolen information up for sale.” Key trendsKey trends
  • 10. IINFOSECFORCENFOSECFORCE Key Trends – Global ActivityKey Trends – Global Activity • Data breaches can lead to identity theft • Theft and loss top cause of data leakage for overall data breaches and identities exposed • Threat activity increases with growth in Internet/Broadband usage • Documented vulnerabilities up 19% (5491) • Top attacked vulnerability: Exploits by Downadup • 95% vulnerabilities attacked were client-side • Trojans made up 68 percent of the volume of the top 50 malicious code • 66% of potential malicious code infections propagated as shared executable files • 76% phishing lures target Financial services (up 24%) • Detected 55,389 phishing website hosts (up 66%) • Detected 192% increase in spam across the Internet with 349.6 billion messages • 90% spam email distributed by Bot networks Internet Security Threat Report
  • 11. IINFOSECFORCENFOSECFORCE 11 Website compromiseWebsite compromise • Attackers locate and compromise a high-traffic site through a vulnerability specific to the site or in a Web application it hosts • Once the site is compromised, attackers modify pages so malicious content is served to visitors Web application vulnerabilitiesSite-specific vulnerabilities 11Internet Security Threat Report,
  • 12. IINFOSECFORCENFOSECFORCE Impact of Security DefectsImpact of Security Defects Bad Business • On average, there are 5 to 15 defects in every 1,000 lines of code  US Dept. of Defense and the Software Engineering Institute Slow Business • It takes 75 minutes on average to track down one defect. Fixing one of these defects takes 2 to 9 hours each  5 Year Pentagon Study • Researching each of the 4,200 vulnerabilities published by CERT last year for 10 minutes would have required 1 staffer to research for 17.5 full workweeks or 700 hours  Intel White paper, CERT, ICSA Labs Loss of Business • A company with 1,000 servers can spend $300,000 to test & deploy a patch; most companies deploy several patches a week  Gartner Group
  • 13. IINFOSECFORCENFOSECFORCE The National Institute of Standards and Technology (NIST) estimates that code fixes performed after release can result in 30 times the cost of fixes performed during the design phase. The SDL Reduces the Total CostThe SDL Reduces the Total Cost of Developmentof Development
  • 14. IINFOSECFORCENFOSECFORCE Broken access control SUN Top 10 Web Security ThreatsTop 10 Web Security Threats Unvalidated input Improper error handling Insecure storage Application denial-of-service Insecure configuration management Injection flaws Buffer overflows Cross-site scripting (XSS)Broken authentication
  • 15. IINFOSECFORCENFOSECFORCE Web Application Security ThreatsWeb Application Security Threats 1. Unvalidated input (Mother of all Web Tiered Attacks) Attacker can tamper any part of the HTTP request. SQL injection, Cross Site Scripting, buffer overflows(URL, Cookies, Form Fields, Hidden Fields, Headers ) 2. Broken Access Control Insecured IDs, Poor file permissions, Service account exploit, Path Traversal 3. Broken Authentication and Session Management Focus is in USER authentication and user active sessions. Example is if “cookies” not proper protected, attacker can assume the identity of user 4. Cross site scripting Malicious script sent to server which is then sent to user accessing same server (Chat server). User believes script came from trusted source. (Can come in any form of active scripting (Java, Active X, Shockwave, Flash and etc)
  • 16. IINFOSECFORCENFOSECFORCE 5. Buffer Overflow Errors Attackers use buffer overflows to corrupt the execution stack of a web application By sending carefully crafted input to a web application, an attacker can cause the web application to execute arbitrary code. Present in both the web server or application server products or the web application itself 6. Injection Flaws Injection flaws allow attackers to relay malicious code through a web application to another system. When a web application passes information from an HTTP request through as part of an external request, the attacker can inject special (meta) characters, malicious commands, or command modifiers into the information 7 . Improper Error Handling The most common problem is when detailed internal error messages such as stack traces, database dumps, and error codes are displayed to a potential hacker . These messages reveal implementation details that should never be revealed. 8. Application DOS Types of resources Bandwidth, database connections, disk storage, CPU, memory, threads, or application specific resources. Application level resources impacting Web Application Security Threats 2Web Application Security Threats 2
  • 17. IINFOSECFORCENFOSECFORCE Source: IBM Hacker targetsHacker targets • From observed hacker malicious activity statistics, we know that hackers are now seldom interested in defeating the network or the infrastructure low-level defenses. The adversaries today are well aware of the fact that applications are typically less defended than the rest of the IT infrastructure. Attack vector analysesAttack vector analyses A Garner report states “ that over 75% of attacks against websites and web- based applications come at the application layer and not lower infrastructure and network layers.”
  • 18. IINFOSECFORCENFOSECFORCE Application security paradoxApplication security paradox SOURCE: SPIDYNAMICS Internet DMZ Trusted Inside Corporate Inside HTTP(S) IMAP, FTP SSH , TELNET POP3, XML Firewall only allows PORT 80 (or 443 SSL) traffic from the Internet to the web server. Any – Web Server: 80 Firewall only allows applications on the web server to talk to application server. Firewall only allow application server to talk to database server. IIS SunOne Apache ASP .NET WebSphere Java SQL Oracle DB2 Applications, data and business processes are vulnerable even when a robust network and infrastructure security program is in place.
  • 19. IINFOSECFORCENFOSECFORCE Is nothing sacred anymore ????  Super Bowl exploits “ At last week's RSA Conference in San Francisco, just days after the Super Bowl attack, I sat down with Thompson. On his laptop, he showed me the simple line of Javascript code that pointed Super Bowl site visitors to a known criminal hacker exploit server. Apparently, there was a cross-site scripting error on the official Super Bowl Web site that allowed some criminal hackers to inject a poisoned iFrame command. And it wasn't just the Super Bowl site--it turns out there were several others, mostly healthcare related, including the U.S. Centers for Disease Control “ Source Robert Vamosi Senior editor, CNET Reviews Hacking the Super BowlHacking the Super Bowl
  • 20. IINFOSECFORCENFOSECFORCE How did this happen ?How did this happen ? Business engines fueled by multiple and powerful applications
  • 21. IINFOSECFORCENFOSECFORCE Microsoft’s vision for secure and Easy “ anywhere access ” Bill Gates, 2007 RSA Expanding “e-com” perimeterExpanding “e-com” perimeter
  • 22. IINFOSECFORCENFOSECFORCE Microsoft’s vision for secure and Easy “ anywhere access ” Bill Gates, 2007 RSA Expanding “e-com” perimeterExpanding “e-com” perimeter Social networks, I-Pod, I-PAD as a network, peripheral-geddon & “THE CLOUD”
  • 25. IINFOSECFORCENFOSECFORCE This ….. IBM believesThis ….. IBM believes Application Security Strategies Engineering security into application systems is a critical discipline and should be a key component in multi-disciplinary, concurrent or distributed development teams. This applies to the development, integration, operation, administration, maintenance and evolution of e-Business application systems as well as to the development, delivery, and evolution of software-based products. Source: IBM
  • 26. IINFOSECFORCENFOSECFORCE  Frequent • 3 out of 4 business websites are vulnerable to attack (Gartner)  Pervasive • Majority of hacks occur at the Application level (Gartner)  Undetected • QA testing tools not designed to detect security defects in applications Security Defects MatterSecurity Defects Matter SOURCE: Seagate Technology Security Business CaseSecurity Business Case  Expensive • Bugs and software defects costs the national economy $60 billion annually … delivering quality applications to the market has become a mandatory requirement … the cost of fixing defects after deployment is almost 100 times greater than detecting and eliminating them during development. 1000 application sample ‘Healthchecks’ with AppScan – 98% vulnerable: all had firewalls and encryption solutions in place… =
  • 27. IINFOSECFORCENFOSECFORCE Best practice solutionsBest practice solutions  Application security requirements define the high level specifications for securely developing and deploying applications Application Planning  Data Classification – Classify data according to the sensitivity of the data.  Risk Assessment – Conduct preliminary risk assessment before development begins and after planning is complete. Security Requirements – Identify and document the security requirements of the application early in the development lifecycle.  Security Design – Use the Data Classification process to determine specific security services needed by the application  SDLC – Address security within all stages of the SDLC. Application Development Minimal set of coding practices  Input Validation – Validate input from all sources.  Default deny – Access control should be based on specific permission rather than exclusion.  By default all access should be denied.  Principle of Least Privilege – Perform all processes with the least set of required privileges  Quality Assurance – Quality assurance identifies and eliminates software vulnerabilities.  Perform internal testing – Use source code auditing, pen testing, manual code review, or automated source code review Prod and Maintenance  Applications shall be hosted on servers compliant with the corporate Security requirements for IT system hardening  Applications classified as sensitive shall at a minimum have annual vulnerability assessments, when a significant change to the application has occurred, or depending on the data sensitivity and risk.
  • 28. IINFOSECFORCENFOSECFORCE TARGET THESE AREAS  Minimize attack surface area  Secure defaults  Principle of least privilege  Principle of defense in depth  Fail securely  External systems are insecure  Separation of duties  Do not trust security through obscurity  Simplicity  Fix security issues correctly SUN Principles of Secure ProgrammingPrinciples of Secure Programming
  • 29. IINFOSECFORCENFOSECFORCE Application security risk analysesApplication security risk analyses Hardened infrastructure (will not block port 80 attacks)Relevant controls HighRisk summary HighOverall risk rating HighRisk Impact rating HighLikelihood rating Multiple avenues of attack on organizational vital information assets Risk Numerous threats such as: - SQL injection, cross site scripting, buffer overflow Threat Not having a dedicated security program that trains developers to build secure applications, not embedding security into the SDLC, not conducting security testing on applications during and after development, and not having application firewalls Vulnerability Follow application security planning, development and production best practices. Build security into all SDLC phases. Risk mitigation
  • 30. IINFOSECFORCENFOSECFORCE SLCMPSLCMP Embed information security in the SDLCEmbed information security in the SDLC and PLCMP by applying the practicesand PLCMP by applying the practices and procedures defined in SLCMPand procedures defined in SLCMP
  • 31. IINFOSECFORCENFOSECFORCE ““ Building highly secure software is nothing less thanBuilding highly secure software is nothing less than an eloquently choreographed dance that calls uponan eloquently choreographed dance that calls upon the talent and skills of the developer, projectthe talent and skills of the developer, project manager and information security teaming to ensuremanager and information security teaming to ensure that an application securely glides with grace acrossthat an application securely glides with grace across the technical stage ”the technical stage ” An art form
  • 32. IINFOSECFORCENFOSECFORCE SLCMPSLCMP and theand the SDLC …SDLC …“The Dance”“The Dance” Statement of need for new business process, application or technology Functional requirements document designed Design and technical architecture developed Code development 1 st phase prod testing QA Initiate Design/Develop Implement Pre prod Prod Post Prod Production INFOSEC participation in feasibility analyses, no documentation required Build the System Security Plan based on NIST 800-53 control guidelines. Preliminary risk and vulnerability assessment done. Measures requirements against policy and provides functional adjustments. Security requirements stated based on preliminary risk and vulnerability assessments. If necessary, requirements document adjusted INFOSEC architecture document created based on data security categorization, policy, application functionality and risk and vulnerability assessments Integrate controls and create detailed application security test plan defining testing tools, timelines, remedial action processes and testers. Gain approval from project manager. First phase application security testing. Once code begins solidifying, use soft tools such as AppScan or Spi Dynamics for high level testing. Feedback findings to developers for code correction Second phase app security testing using formalized process to decompile code as much as possible to determine if code has organic exposures violating policy, security design, and the security architecture. Correct findings and provide to developers to fix or define mitigating controls. Aspect security has expertise in this area Third phase app security test which follows phase one testing process. Used as final verification that code is stable from INFOSEC perspective Create final risk acceptance document Application and infrastructure penetration testing Server cert 2 nd phase prod testing Ongoing pen tests, vulnerability assessments, risk management * * Security certification and accreditation should be finalized
  • 33. IINFOSECFORCENFOSECFORCE SLCMP DeliverablesSLCMP Deliverables InitiateInitiate DevelopDevelop ImplementImplement ProductionProduction - Data security categorization - Preliminary risk assessment - Security plan - Risk assessment - Functional requirements analyses - Assurance requirements - Control selection - Security control integration - Second phase app security testing - Third phase app security testing - Security certification - Security accreditation - Threat management - Configuration management and control - Continuous monitoring - Incident response plan - Security architecture - Functional and vulnerability test plan - First phase testing - Additional planning assignments
  • 34. IINFOSECFORCENFOSECFORCE Control selection begins. Defines high level technical and security architecture. Detailed technical and security design Validate designs, validate cost estimates, and implement final solutions and designs Operations provide operational support for all final solutions and designs implemented as part of the infrastructure. Demand manger reviews the request and categorizes project type as a small, medium, or larger project. • Architecture Standards and Convergence • Project Review • Scoping • Solution Design • Cost Estimation • Security architecture • Design and technical architecture developed • Architecture Review • Detailed Design • Level 4 Support design • Implementation • Change Management Capacity Monitoring • Day to Day Operations planning • Define Security requirements • Preliminary risk assessment • Patch management • Monitoring • Incident response • Security administration • KPI reporting on security metrics • Data and Infrastructure Categorization • Risk assessment • Functional requirements analyses • Assurance requirements analyses • Control selection and standard integration • Security architecture • Security test plan design • Control selection and standard integration • Security control integration • Security penetration and vulnerability testing • Security certification • Security accreditation • Final risk assessment • Design security controls • Begin organizing security plan development • Threat management • Ongoing pen and vulnerability testing • Determines validity of security architecture • Determines security process shortfalls • Determines product successful functionality and shortfalls • Security administration • Security monitoring INPUT SECURITY PLAN FEEDBACK SLCMP and the PLCMPSLCMP and the PLCMP Initiate Design/Develop Implement Production
  • 35. IINFOSECFORCENFOSECFORCE SLCMP adopted guidelinesSLCMP adopted guidelines In system security plan, provides a an overview of the security requirements for the information system and documents the security controls planned or in place SP 800-18 Security Control Documentation Defines category of information system according to potential impact of loss FIPS 199 / SP 800-60 Security Categorization Selects minimum security controls (i.e., safeguards and countermeasures) planned or in place to protect the information system FIPS 200 / SP 800-53 Security Control Selection Determines extent to which the security controls are implemented correctly, operating as intended, and producing desired outcome with respect to meeting security requirements SP 800-53A / SP 800-26 / SP 800-37 Security Control Assessment SP 800-53 / FIPS 200 / SP 800-30 Security Control Refinement Uses risk assessment to adjust minimum control set based on local conditions, required threat coverage, and specific agency requirements SP 800-37 System Authorization Determines risk to agency operations, agency assets, or individuals and, if acceptable, authorizes information system processing SP 800-37 Security Control Monitoring Continuously tracks changes to the information system that may affect security controls and assesses control effectiveness Implements security controls in new or legacy information systems; implements security configuration checklists Security Control Implementation SP 800-70 Starting Point SLCMPSLCMP INPUTSINPUTS Source: NIST
  • 36. IINFOSECFORCENFOSECFORCE SLCMP BenefitsSLCMP Benefits  Fortified applications or infrastructure projects  Hardened against internal and external attack  Meets regulatory compliance mandates  Enhances IS staff knowledge and capability  Reduces long term costs SLCMP ROI
  • 37. IINFOSECFORCENFOSECFORCE ConclusionsConclusions • 80 % of all attacks on Information Security are directed to the web application layer • 2/3 of all web applications are vulnerable • Infrastructure security doesn’t directly protect code • The cost of fixing defects after deployment is almost one hundred times greater than detecting and eliminating them during design • One of the most significant risk mitigations an organization can implement is to create a consistent end-to-end process such as the SLCMP to embed security and security testing and certification in infrastructure and software development projects
  • 40. IINFOSECFORCENFOSECFORCE Initiate deliverablesInitiate deliverables Data security Categorization Rate application importance as a low, medium, or high impact application. This is a business impact analyses which defines impact on an organization if security controls are breeched. Leads to proper selection of security controls required. Preliminary risk assessment Measures application/project requirements against policy and provides functional adjustments. Security requirements stated based on preliminary risk and vulnerability assessments. If necessary, requirements document adjusted. Focuses on early assessment of the application's requirements for confidentiality, integrity and availability (CIA)
  • 41. IINFOSECFORCENFOSECFORCE Develop and designDevelop and design Risk assessment Conducted before the approval of the design specifications. Builds on the initial risk assessment but more specific. Identifies possible threats/vulnerabilities. Determines impact on organization if threat occurred. Identifies imposed risks on other assets. Additional controls needed to prevent identified risks need to be fed back to the development team Security plan Foundation for entire SLCMP process. Ensures all controls, architectures, risk assessments, test requirements, accreditation/assurance and personnel responsibilities are documented. Functional requirements analyses Ensure that enterprise security policy and standards are followed. Determine which laws must be followed by the application. Assurance requirements analyses Determine what level of certification application requires. For example, government applications might require a FISMA C&A.
  • 42. IINFOSECFORCENFOSECFORCE Develop …..continuedDevelop …..continued Control selection Can refer to security control standards or use a NIST-like Information Security Requirements List to define security environment that an application, service, or project should meet. Security architecture Multi faceted security product linking all controls, standards, policies, governance, platform hooks, data base management, boundary rules and information security science into a cohesive operational CIA security sphere. Likely section of the Security plan. Functional and vulnerability test plan Multi phase technical plan designed to ensure security controls work and that business logic and software are impervious to corruption and manipulation. Will also include penetration test plans. Feeds assurance models. First phase testing Provides developers early high level look at code stability Additional planning components RFPs, SOW, Funding, Test lab, software requirements, staff increases, and etc
  • 43. IINFOSECFORCENFOSECFORCE Implement deliverablesImplement deliverables Security control integration Security control settings and switches enabled IAW Security plan and architecture Second phase app security testing Formalized process to decompile code as much as possible to determine if code has organic exposures violating policy, security design, and the security architecture. Correct findings and provide to developers to fix or define mitigating controls. Aspect security has expertise in this area Third phase app security testing Verifies second phase corrections. Use App security test tool following phase one testing process. Used as final verification that code is stable from INFOSEC perspective Security certification Pen testing, third party evaluation, test plan results approved, servers hardened and certified , control effectiveness, governance attestation RMP/Security accreditation End-to-end risk evaluation incorporating all findings in security certification, final information security risk decisions, accreditation document signed
  • 44. IINFOSECFORCENFOSECFORCE Production deliverablesProduction deliverables Threat management TM preventive guidance found in security plan. Ongoing oversight of environment entailing constant environmental and risk management vigilance surrounding operational environment. Configuration management and control Operational process and plan to ensure environment receives current security patches and other software preventive updates ensuring application or environment integrity is maintained Continuous monitoring Implement vulnerability management program to regularly assess integrity and availability of the operating environment. Use COSO testing and other vulnerability assessment and control processes to ensure that security processes and procedures work. Incident response plan Local Incident Response Plan will provide process and procedures to rapidly respond to all security events and incidents.
  • 45. IINFOSECFORCENFOSECFORCE SDLC/PLCMP DeliverablesSDLC/PLCMP Deliverables - Security control integration - Second phase app security testing - Third phase app security testing Implement - Data security categorization - Security Plan - Preliminary risk assessment Initiate - Threat management - Configuration management and control - Continuous monitoring - Incident response plan Production - Risk assessment - Functional requirements analyses - Assurance requirements - Control selection Design and develop - Security architecture - Functional and vulnerability test plan - First phase testing - Additional planning assignments - Security certification - Security accreditation - Final risk acceptance document REF: NIST 800-53

Editor's Notes

  • #11: We offer customers choice and flexibility in how they purchase and use our products and services. These range from modular software suites like Symantec Protection Suites for enterprises to all-in-one software products such as Norton 360 for consumers. We have professional services – 4,000 security experts providing everything from advisory to supports services – to Norton Live consumer services. There are a variety of solutions that we offer as a service (SaaS) – from online backup for consumers to messaging security for enterprises. And then there are managed services – from residency to MSS to Norton Live for consumers.
  • #12: Fewer site-specific vulns in 2008 but they still aren’t being patched. Only 394 (3%) patched in 2008 compared to 1,240 (7%) in 2007. The number of site-specific vulns is adding up over time. In 2008, 63% of identified vulnerabilities affected Web applications, an increase over 2007, when 59% did. In 2008 there were a number of high-profile incidents involving SQL injection vulnerabilities. The purpose of these attacks was to inject malicious content into compromised sites that would then attempt to exploit subsequent site visitors. Attackers used a technique that allowed them to dynamically inject malicious content into strings throughout the database without detection. This provided a means of generically exploiting vulnerable applications rather than having to develop application-specific payloads. Messaging: Web servers can be difficult to secure. Patching requires downtime and frequently corporate sites are hosted on third-party server networks. As a result they can frequently be easy targets for attackers. Because of this, Web servers and connected databases need to be continuously monitored for suspicious activity.
  • #27: STEVE ORRIN: All of this should lead you to demand better application security. But, if you still need more facts, lets review some more data points: Web application attacks are now more frequent. In Q1 2002, Sanctum found serious security defects in applications in 100% of the commercial sites we audited; The attacks are more expensive to recover from. Costs to patch are high, and the cost of a lost reputation is impossible to quantify. The attacks are more pervasive. A F50 Sanctum customer found serious security defects in over 700 of its deployed applications Finally, the attacks are growing more dangerous, and they usually go undetected. When we look closer at what was actually able to be manipulated on the sites we audited, it is quite scary. In 31% of the sites, full control and access was achieved. In 25% of the sites, privacy was breached, and in 3% of the sites, the entire site was able to be deleted. These are serious problems. Next slide
  翻译: