
Security-by-design: integrating all the good practices, understanding their consequences and benefits


"Security-by-design: integrating all the good practices, understanding their consequences and benefits", presented at the MtoM Embedded Systems trade show, Paris.


Alexis DUQUE

March 20, 2019

Transcript

  1. IOT MAKERS, EXPERTS IN SMART AND CONNECTED PRODUCTS

  2. Secure by Design ▸ 1 – Introduction ▸ 2 – Risk Analysis ▸ 3 – DevSecOps ▸ 4 – DevSecOps @Rtone ▸ 5 – Return on Experience
  3. 1. Introduction

  4. Alexis Duque, PhD, R&D and Security leader at Rtone. @alexis0duque, alexisd@rtone.fr, security.rtone.fr
  5. Didier Midroit, Head of Development (Directeur du développement). didier-midroit-0b045019, didier@rtone.fr, security.rtone.fr

  6. IOT MAKERS: 100 projects, 11 years, 30 people, 3 M€

  7.

  8. IOT: "a cyber-physical ecosystem of interconnected sensors and actuators, which enable intelligent decision making" (ENISA). 80% vulnerable. 20 billion devices in 2020 (Gartner).
  9. NEWS & MEDIA

  10. STATEMENT: we delivered products that were not secured. RESPONSIBILITIES: inform customers; adopt Security by Design as a new process.
  11. 2. Risk Analysis

  12. The correct level of security

  13.

  14. OWASP IOT TOP 10 2018

  15. LEGAL ASPECTS ▸ GDPR ▸ LABELING ▸ STANDARDISATION ▸ LAW ENFORCEMENT

  16. 3. DevSecOps

  17. WHAT IS DEVSECOPS? "Deliver secure software and products at DevOps speed"
  18. DEVSECOPS GOALS ▸ Cost reduction ▸ Speed of recovery ++ ▸ Threat hunting ▸ Security auditing, monitoring ▸ Customer value ++
  19. DEVSECOPS HISTORY ▸ 2008: DevOps ▸ 2015: DevSecOps ▸ Netflix, RedHat, Amazon, Facebook ▸ … or SecDevOps
  20. 4. DevSecOps @ Rtone

  21. DEVSECOPS @ RTONE (process cycle): Training, Requirements (Exigences), Conception, Release (Diffusion), Validation, Implementation, Response
  22. 1. TEAM TRAINING ▸ Raise awareness & security culture ▸ Methodology and process ▸ Tools ▸ Hacking labs ▸ Secure programming. FIST Action Group + weekly team meeting
  23. 2. REQUIREMENTS ▸ Define the security level

  24. 3. CONCEPTION ▸ Risk analysis ▸ Threat modeling ▸ GDPR and Privacy by Design ▸ Privacy Impact Assessment (PIA)
  25. 3. CONCEPTION ▸ EBIOS (Expression des Besoins et Identification des Objectifs de Sécurité), five study modules: Context, Feared Events, Threat Scenarios, Risks, Security Measures
  26. 3. CONCEPTION, threat user story template: As an <ATTACKER>, I want to do <SOMETHING BAD> when <SOMETHING> is vulnerable, to cause <NEGATIVE IMPACT>
  27. 3. CONCEPTION ▸ RISK = LIKELIHOOD x GRAVITY

  28. 4. IMPLEMENTATION ▸ Code versioning w/ GitLab ▸ Coding rules ▸ SAFECode ▸ Static analysis w/ Cppcheck ▸ Unit tests ▸ Code review
  29. 5. VALIDATION ▸ "On-target" integration tests

  30. IoT Integration Testing on Target: CI server → debug probe → IoT device (program / run tests)
  31. 5. VALIDATION ▸ "On-target" integration tests ▸ Memory leaks & fuzzing ▸ Configuration assessment (e.g. SSLyze) ▸ Web scanner + pentests ▸ Automation w/ OWASP Glue
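Slides 28 and 31 list the implementation and validation practices (coding rules, unit tests, static analysis, memory checks, fuzzing) without showing what a testable, fuzzable firmware component looks like. The block below is an added example, not code from the deck or from Rtone: a bounded parser for a constructed TLV telemetry frame (the frame layout, type codes and size limits are assumptions made up for this example, not a real Rtone protocol) with an AFL-style stdin entry point. The same parse function serves as the unit under test in CI and as the fuzz target; the build lines in the header assume AFL++ (afl-clang-fast, afl-fuzz) and a clang with AddressSanitizer.

```c
/*
 * Added example (not from the deck): a bounded TLV telemetry-frame parser
 * written to be unit-tested in CI and fuzzed with AFL under AddressSanitizer.
 *
 * Frame layout (constructed for this example, not a real Rtone protocol):
 *   u8 version (must be 1) | u8 count | count x { u8 type | u8 len | len bytes }
 *   type 0x01: device id, 1..16 bytes
 *   type 0x02: temperature, exactly 2 bytes, big-endian, centi-degrees
 *   type 0x03: firmware version string, 1..8 bytes, not NUL-terminated on the wire
 *
 * Build and fuzz (assumes AFL++ and clang with ASan are installed):
 *   afl-clang-fast -g -O1 -fsanitize=address,undefined -o parse_fuzz parse_tlv.c
 *   mkdir -p seeds && printf '\001\001\002\002\012\050' > seeds/temp.bin
 *   afl-fuzz -i seeds -o findings -- ./parse_fuzz
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLV_MAX_ID 16
#define TLV_MAX_FW 8

enum {
    TLV_OK = 0,
    TLV_ERR_SHORT = -1,   /* frame ends inside a header or value */
    TLV_ERR_VERSION = -2, /* unsupported version byte */
    TLV_ERR_LEN = -3,     /* value length outside the limits, or trailing bytes */
    TLV_ERR_TYPE = -4,    /* unknown record type */
    TLV_ERR_DUP = -5      /* same record given twice */
};

typedef struct {
    uint8_t id[TLV_MAX_ID];
    size_t id_len;           /* 0 if no device id record was present */
    int has_temp;
    int16_t temp_cdeg;
    int has_fw;
    char fw[TLV_MAX_FW + 1]; /* always NUL-terminated; "" if absent */
} telemetry_t;

/* Every length check is done against the remaining input, never against the
 * declared length alone, so a hostile `len` cannot make memcpy read past `buf`.
 * Removing any single check below is the kind of defect ASan + AFL surface. */
int parse_telemetry(const uint8_t *buf, size_t n, telemetry_t *out)
{
    memset(out, 0, sizeof *out);
    if (n < 2)
        return TLV_ERR_SHORT;
    if (buf[0] != 1)
        return TLV_ERR_VERSION;

    uint8_t count = buf[1];
    size_t pos = 2;
    for (uint8_t i = 0; i < count; i++) {
        if (n - pos < 2)
            return TLV_ERR_SHORT;            /* need type and len bytes */
        uint8_t type = buf[pos];
        uint8_t len = buf[pos + 1];
        pos += 2;
        if (len > n - pos)
            return TLV_ERR_SHORT;            /* value would run past the frame */
        const uint8_t *val = buf + pos;

        switch (type) {
        case 0x01:
            if (len == 0 || len > TLV_MAX_ID)
                return TLV_ERR_LEN;
            if (out->id_len != 0)
                return TLV_ERR_DUP;
            memcpy(out->id, val, len);
            out->id_len = len;
            break;
        case 0x02:
            if (len != 2)
                return TLV_ERR_LEN;
            if (out->has_temp)
                return TLV_ERR_DUP;
            out->temp_cdeg = (int16_t)(((uint16_t)val[0] << 8) | val[1]);
            out->has_temp = 1;
            break;
        case 0x03:
            if (len == 0 || len > TLV_MAX_FW)
                return TLV_ERR_LEN;
            if (out->has_fw)
                return TLV_ERR_DUP;
            memcpy(out->fw, val, len);
            out->fw[len] = '\0';             /* in bounds: len <= TLV_MAX_FW */
            out->has_fw = 1;
            break;
        default:
            return TLV_ERR_TYPE;
        }
        pos += len;
    }
    /* Bytes after the declared records are rejected rather than ignored. */
    return pos == n ? TLV_OK : TLV_ERR_LEN;
}

/* AFL-style harness: one frame per run, read from stdin. */
int main(void)
{
    uint8_t buf[4096];
    size_t n = fread(buf, 1, sizeof buf, stdin);
    telemetry_t t;
    int rc = parse_telemetry(buf, n, &t);
    printf("rc=%d id_len=%zu temp=%d fw=\"%s\"\n", rc, t.id_len, t.temp_cdeg, t.fw);
    return 0;
}
```

The parser returns a distinct error code for each rejection path so that unit tests can pin each check individually; the harness does nothing but feed stdin to the parser, which keeps AFL's per-execution cost low and keeps the fuzzed surface identical to the code shipped in firmware.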
  32.

  33. 6. RESPONSE ▸ Implement CVD (coordinated vulnerability disclosure) ▸ Provide a secure update channel ▸ Watch CVE (Common Vulnerabilities and Exposures) ▸ Newsletter for our customers
  34.

  35. 5. Return on Experience

  36. TAKEAWAYS ▸ It can take some time ▸ The acceptance ratio is low at the beginning ▸ Get customers involved ▸ Provide secure software and code blocks to devs ▸ Bring the Sec & Dev teams together!
  37. CREDIT AND FURTHER READS ▸ Microsoft SDL: https://www.microsoft.com/en-us/SDL/process/design.aspx ▸ OWASP SAMM: https://www.owasp.org/index.php/ ▸ SAFECode: https://safecode.org/wp-content/uploads/2018/03/SAFECode_Fundamental_Practices_for_Secure_Software_Development_March_2018.pdf ▸ Debian Hardening: https://wiki.debian.org/Hardening ▸ AddressSanitizer: https://github.com/google/sanitizers
  38. CREDIT AND FURTHER READS ▸ American Fuzzy Lop (AFL): https://lcamtuf.coredump.cx/afl ▸ Arachni: https://github.com/Arachni/arachni ▸ w3af: https://github.com/andresriancho/w3af ▸ ZAP: https://github.com/zaproxy/zaproxy ▸ http://sectooladdict.blogspot.fr/ ▸ SSLyze: https://github.com/nabla-c0d3/sslyze ▸ Mozilla Minion: https://github.com/Wawki/minion
  39. THANKS! Any questions? Find us at @RtoneIoTSec, alexisd@rtone.fr & didier@rtone.fr!