Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Building Applications Securely (May 2021)

Eoin Woods
July 06, 2021
Programming
0
41

Building Applications Securely (May 2021)

Security is now everyone’s problem, not just something that people who work for banks or Facebook need to worry about. This talk explains how to integrate security into the day-to-day work of a busy software delivery team, the practices that are important to understand, the (limited) role of tools, and how to ensure that every build is as secure as possible. The talk recaps security fundamentals, explain the tools and practices that help teams to increase the security of their software and how development teams can integrate these into their normal work.

Eoin Woods

July 06, 2021
Tweet

More Decks by Eoin Woods

See All by Eoin Woods
Effective Practices for Continuous Architecture
eoinwoods
0
78
Software Architecture for a Digital Age
eoinwoods
0
210
Democratising Software Architecture
eoinwoods
0
39
API Vulnerabilties and What to Do About Them
eoinwoods
0
120
Three Practices for Effective DevOps Adoption
eoinwoods
0
120
Building Applications Securely
eoinwoods
0
79
Secure by Design at ACCU 2019
eoinwoods
0
120
Democratising Software Architecture
eoinwoods
6
2.1k
Secure by Design - Security Design Principles for the Working Architect
eoinwoods
3
1.8k

Other Decks in Programming

See All in Programming
一日30回リリースを可能にするpixiv開発
picopico
0
850
Unit of Workパターンで永続化とトランザクションを制御する
shimabox
6
1.3k
Jetpack Media3로 좋은 콘텐츠 소비 경험 구현하기
workspace93
0
100
Your Code Can be Poetry Too
jrf
0
120
The Unyielding Spirit Of Android - Droidcon NYC '23
adammc331
1
160
新卒研修でNext.js AppRouterを導入した 学びと反省
iuchimasatoshi
1
190
7 principles for rich web apps And how next.js achieves these principles
yosuke_furukawa
PRO
5
970
GDSC NYCU 2023 茶會
rabbitmagician1
1
110
Jetpack Compose の Side-effect を使いこなす / DroidKaigi 2023
star_zero
1
520
素早いバリュー提供のための
DROBEの新戦略
ippey
0
470
個人開発のiOSアプリでUI/UXを標準に寄せてみた / 20230919_orochi
uhooi
0
180
PHP8.2にバージョンアップして もっと型表現を豊かにしよう
akitotsukahara
0
150

Featured

See All Featured
The Language of Interfaces
destraynor
149
22k
Producing Creativity
orderedlist
PRO
336
38k
GitHub's CSS Performance
jonrohan
1021
440k
Done Done
chrislema
178
15k
Building Adaptive Systems
keathley
29
1.6k
BBQ
matthewcrist
76
8.4k
Music & Morning Musume
bryan
37
5k
The Art of Programming - Codeland 2020
erikaheidi
39
12k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
18
6.1k
jQuery: Nuts, Bolts and Bling
dougneiner
57
6.8k
The Invisible Customer
myddelton
113
12k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
239
1.2M

Transcript

  1. Eoin Woods
    @eoinwoodz | www.eoinwoods.info
    BUILDING APPLICATIONS SECURELY

    View Slide

  2. EOIN WOODS
    • Endava’s CTO, based in London (6 years)
    • 10+ years in products - Bull, Sybase, InterTrust
    • 10 years in capital markets - UBS and BGI
    • Software engineer, architect, now CTO
    • Long time security dabbler concerned at increasing cyber threats to systems
    • Author, editor, speaker, community guy

    View Slide

  3. CONTEXT OF THIS TALK
    link
    link
    link

    View Slide

  4. 4
    Agenda
    1. The Threat
    2. Mitigation via Software Security
    3. Principles for Secure Implementation
    4. Implementation Guidelines
    5. Summary

    View Slide

  5. 1
    The Threat
    BUILDING APPLICATIONS SECURELY

    View Slide

  6. SECURITY THREATS
    •We need systems that are dependable in the face of
    •Malice, Mistakes, Mischance
    •People are sometimes bad, careless or just unlucky
    •System security aims to mitigate these situations

    View Slide

  7. TODAY’S THREAT LANDSCAPE
    Today’s internal application is tomorrow’s “digital channel”
    System interfaces on the Internet
    Introspection of APIs
    Attacks being ”weaponized”

    View Slide

  8. DATA BREACHES: 2005 - 2007
    http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

    View Slide

  9. DATA BREACHES: 2008 - 2011

    View Slide

  10. DATA BREACHES: 2012 - 2015

    View Slide

  11. DATA BREACHES: 2016 - 2018

    View Slide

  12. DATA BREACHES: 2019 – 2021

    View Slide

  13. THE IMPORTANCE OF SOFTWARE SECURITY
    • Verizon research security
    incidents annually
    • There are many root causes
    • Applications are significant
    • This study suggests that about a
    quarter are application related
    https://enterprise.verizon.com/resources/reports/dbir
    Applications
    23%
    Crimeware
    6%
    Cyber-Espionage
    3%
    Denial of Service
    62%
    Other
    3%
    Payment Cards
    2%
    Stolen Assets
    1%

    View Slide

  14. 2
    Mitigation via Software Security
    BUILDING APPLICATIONS SECURELY

    View Slide

  15. DIMENSIONS OF SECURITY PRACTICE
    SECURE SYSTEM OPERATION
    SECURE APPLICATION
    IMPLEMENTATION
    SECURE APPLICATION DESIGN
    SECURE INFRASTRUCTURE
    DESIGN
    SECURE INFRASTRUCTURE
    DEPLOYMENT

    View Slide

  16. SECURE APPLICATION IMPLEMENTATION
    SECURE APPLICATION
    IMPLEMENTATION
    HOW YOU BUILD
    WHAT YOU DO
    HOW YOU VERIFY
    S-SDLC
    PRINCIPLES &
    GUIDELINES
    TESTING &
    VALIDATION
    Secure Design
    Inputs

    View Slide

  17. SECURITY IN THE DEVELOPMENT LIFECYCLE
    Microsoft SDL OWASP SAMM
    SAFECode
    Fundamental
    Practices
    Building Security In
    Maturity Model

    View Slide

  18. MICROSOFT SECURE DEVELOPMENT LIFECYCLE
    • Developed by Microsoft for their product groups
    • 17 practices across the lifecycle
    • Good resources available from Microsoft
    • Needs to be applied to your development lifecycle

    View Slide

  19. OWASP SOFTWARE ASSURANCE MATURITY MODEL
    • Project from OWASP volunteers since 2008
    • Governance, Construction, Verification & Operation
    • Three key practice areas for each
    • Maturity model rather than an SDLC

    View Slide

  20. “BUILDING SECURITY IN” MATURITY MODEL
    • Synopsys study of software
    security practice
    • Member firms surveyed to
    establish practices
    • Statistics & trends published
    • Organisations can
    “benchmark” against
    aggregated findings

    View Slide

  21. SAFECODE
    • Membership organization of
    some leading software
    security firms
    • Publish free on-demand
    training, blogs and guides

    View Slide

  22. 3
    Principles for Secure Development
    BUILDING APPLICATIONS SECURELY

    View Slide

  23. SECURE DEVELOPMENT PRINCIPLES
    1. Security is everyone’s concern
    2. Focus continually through the lifecycle
    3. Good design improves security
    4. Use proven tools and technologies
    5. Automate security checking
    6. Verify your software supply chain
    7. Generic and technology specific concerns matter

    View Slide

  24. SECURITY IS EVERYONE’S CONCERN
    • A “concern“ not a ”feature”
    • Needs team-wide awareness
    • Avoid security being a
    ”specialist” problem
    • Integrate security awareness into
    normal dev tasks

    View Slide

  25. SECURITY CHAMPIONS
    • Security is everyone’s problem …
    but always someone else’s
    • You need enthusiastic advocates
    • People who will take ownership
    • Self-selecting ”security champions”
    • Invest, involve, promote, support
    • don’t isolate them!

    View Slide

  26. FOCUS CONTINUALLY THROUGH THE LIFECYCLE
    • Cannot “test security in”
    • Traditional security testing
    delays deployment
    • Need continual security work
    through lifecycle
    • analysis, design, dev, test, …

    View Slide

  27. A WORD ON DEVSECOPS
    “Security says no”
    We’re all security engineers now
    ⇒ “Security” is another silo to integrate
    into the cross-functional delivery team

    View Slide

  28. GOOD DESIGN IMPROVES SECURITY
    • Careless design often creates
    vulnerabilities
    • Strong types, simple
    mechanisms, well structured
    code all aid security
    • Simpler implementation is easier
    to understand & secure

    View Slide

  29. GOOD DESIGN IMPROVES SECURITY
    Perfectly “reasonable” code … but with a potential security problem
    … what happens if qty < 0 ?

    View Slide

  30. GOOD DESIGN IMPROVES SECURITY
    Example of DDD improving security ”for free”

    View Slide

  31. USE PROVEN TOOLS AND TECHNOLOGY
    • Software is hard to secure
    • Security software is very hard to
    secure
    • Vulnerabilities emerge over time
    (from attacks)
    • Proven tools & technology
    reduce production vulnerabilities

    View Slide

  32. AUTOMATE SECURITY CHECKING
    • Some security checks can be
    automated – SAST, DAST
    • Consistency and efficiency
    • Find (some) problems earlier
    • Challenges include false positives
    and responding effectively
    • Only ever part of the solution

    View Slide

  33. VERIFY YOUR SOFTWARE SUPPLY CHAIN
    • 3rd party code is a possible risk –
    often open source
    • Tools exist for OSS security, risk
    & compliance:
    • BlackDuck, Whitesource,
    Sonatype, Snyk, …
    • Scan code to find dependencies
    • Checks for known vulnerabilities
    • Alerts and dashboards for
    monitoring

    View Slide

  34. GENERAL AND SPECIFIC CONCERNS MATTER
    • Many security concerns
    transcend technology
    • Injection, logging, …
    • Technical stacks also have their
    specific weaknesses:
    • C/C++ - memory management
    • Java – reflection, serialisation
    • Python – module loading

    View Slide

  35. 4
    Implementation Guidelines
    BUILDING APPLICATIONS SECURELY

    View Slide

  36. GENERIC SECURE CODING GUIDELINES
    OWASP Secure
    Coding Practices
    SAFECode Secure
    Coding Practices
    Common Weaknesses
    Enumeration

    View Slide

  37. TECHNOLOGY SPECIFIC GUIDELINES
    Secure Coding
    Guidelines
    .NET Secure
    Coding Guidelines

    View Slide

  38. SECURE CODING GUIDELINES
    • There are quite a few standards, which overlap significantly
    • Need time to understand and apply
    •Oracle Java Security Guidelines contains 71 guidelines in 10 sections
    • Something for your Security Champions to work through
    •you need the practical minimal subset for your threats and risks

    View Slide

  39. GENERIC EXAMPLE – INJECTION ATTACKS
    Unvalidated input passed to any interpreter
    • Operating system and SQL are most common
    • Configuration injection often overlooked
    Defences include “escaping” inputs, bind variables, using white lists, …
    SELECT * from table1 WHERE name = ’%1’
    Set ‘%1’ to ‘ OR 1=1 -- … this results in this query:
    SELECT * FROM table1 WHERE name = ’ ’ OR 1=1 --

    View Slide

  40. JAVA SPECIFIC EXAMPLE – RANDOM NUMBERS
    Java has two random number generators:
    java.util.Random and java.security.SecureRandom
    Guess which one isn’t random but most people use?
    $> java com.artechra.RandomTest
    Util Random Execution Time: 7
    Secure Random Execution Time: 49

    View Slide

  41. Python has a serialization system called “Pickle”
    • Java, C# and others have similar mechanisms
    A useful way of moving data around … and a security liability
    To be fair, the docs clearly state:
    “The pickle module is not secure. Only unpickle data you trust.”
    PYTHON SPECIFIC EXAMPLE – UNPICKLING DATA

    View Slide

  42. SECURITY TESTING AND VALIDATION
    • Like any other critical system quality application security needs to be tested early
    and often – mix of automation and manual techniques
    • Detailed description of testing is beyond this talk
    • But we need to be aware of it so that we know someone is doing it
    • Automated security testing: Static Analysis (SAST) and Dynamic Analysis (DAST)
    • Automated functional testing: do the application security features work?
    • Exploratory testing: fuzz testing and penetration testing
    • Platform testing: testing application’s use of platform & configuration
    Remember: security also needs to be tested from an infrastructure and operational perspective!

    View Slide

  43. 5
    Summary
    BUILDING APPLICATIONS SECURELY

    View Slide

  44. SUMMARY (I)
    • Much of the technology we use is inherently insecure
    •Mitigation needs to be part of application development
    • Attacking systems is becoming industrialised
    •Digital transformation is providing more valuable, insecure targets
    • Secure implementation is part of an end-to-end approach

    View Slide

  45. SUMMARY (II)
    • Three aspects to secure implementation
    •HOW do you go about building the software? (SDLC)
    •WHAT do you do to build the software? (Principles, Guidelines)
    •HOW do you verify what you build? (Testing, Validation)
    • We explored a set of principles
    • Security is everyone’s concern
    • Continual focus through the lifecycle
    • Good design improves security
    • Use proven tools and technologies
    • Automate security checking
    • Verify your software supply chain
    • Generic and technology specific
    concerns matter

    View Slide

  46. SUMMARY (III)
    • Both generic and language-specific concerns
    •A number of sets of guidelines exist … use them!
    •SAFECode, OWASP Secure Coding Practices, Oracle Secure Java
    Guidelines, Microsoft .NET Secure Guidelines, CERT Coding Practices
    • We haven’t explored security testing and validation
    •critically important and another area to learn about
    •involve specialist experts, particularly for manual aspects

    View Slide

  47. BOOKS & PUBLICATIONS

    View Slide

  48. WHAT DO I DO NEXT?
    Get started …
    Work out where you are …
    Get some people interested …
    Work out what to improve next …
    Improve that thing …
    REPEAT !

    View Slide

  49. Eoin Woods
    Endava
    @eoinwoodz
    [email protected]
    careers.endava.com
    THANK YOU
    51

    View Slide