
Security in the Software Development Life Cycle (SDLC)

CSC 404
Research Presentation

Frances Coronel

October 01, 2015

Transcript

  1. Phase 1 (presenter: Frances)
     ❖ Planning
     ❖ Analyzing Risk
     ❖ Cost Analysis
     ❖ Security Requirements [1][2][3][4][5]
  2. How to Approach Risks
     Application Security: issue-based, short term
     - penetration testing
     - patching
     - threat modeling
     - code reviews
     Software Security: holistic, long term
     - root cause analysis
     - organizational change
  3. Sample Software Security Costs
     Unbudgeted time to fix security problems: 1000 employee hours
     Cost of training software developers in security: $100 million
     Inadequate software testing costs: $3.3 billion
     DoS attack: $500 million
     Fixing a patch: with 1K servers, it costs $300K to test and deploy
     Fixing a defect: $6K per defect
     Source: Business Week, Gartner, Microsoft, NIST
  4. So how do we do it?
     • define roadmaps for software security
     • define entry scenarios
     • define strategic activity tracks
  5. Designing Securely
     Influence
     - Establish and follow best practices
     - The best time to implement a security plan is early in the life cycle
     - Threat modeling must be completed during this phase
     Security Requirements
     - Security design review with an advisor for the project
     Privacy Requirements
     - Complete a detailed privacy analysis
     - Have a privacy subject matter expert
  6. Integration of Security Recommendations
     Functional and Design Spec
     - Section dedicated to impacts on security
     Security architecture document
     - Provides a description of security on a software project
     Attack surface measurement
     - Product structure
     - Minimize the default attack surface
  7. Risk Management
     Disaster recovery
     - Have a plan
     - Disasters are inevitable
     Risk Mitigation
     - Know what risks are associated with the project
     - Options to handle them include Assume, Avoid, Control, Transfer, Watch/Monitor
  8. Steps for Creating a Secure Design
     • Make sure proper security protocols are defined
     • Have a solid Security Plan and Disaster Recovery Plan
     • Review security protocols with experts in security
  9. What Occurs? (Implementation Phase)
     ❖ After the system design documents are received, it is time for the project or application to be brought to life.
     ❖ This involves whatever actions are necessary to get the project up and running.
     ❖ Successful completion of this phase includes system deployment and training on the system.
  10. Activities
      ❖ Activities in this phase also include efforts required for utilization, including notification to end users, execution of training, and data entry or conversion.
      ❖ This phase continues until the production system is operating in accordance with the defined requirements and planning for sustainment has begun.
  11. Security in the Implementation Phase
      ❖ When security comes into play in this phase, there are several actions that must be taken.
      ❖ One must create and maintain a list of recommended software frameworks, services and other software components.
  12. Security (cont.)
      ❖ In addition, one must develop a list of guiding security principles to use as a checklist against detailed designs.
      ❖ One must also distribute, promote and apply the design principles to the project in development.
  13. Reviewing
      ❖ Reviewing and analyzing the software's code is also required to ensure security.
      ❖ It is essential to review the code for the software being developed not only yourself, but with your peers as well.
      ❖ This portion of the phase is essential to the success of the project.
  14. Security in the Testing Phase (presenter: Justin)
      ❖ Security testing in software
      ❖ Types of software testing
      ❖ What it means to have secure software
  15. What is Security Testing in Software?
      ❖ Security testing in software is the process of revealing possible vulnerabilities in the system.
      ❖ Ensuring software quality:
        ➢ Reliability: all functions within the software work.
        ➢ Resiliency: the software can withstand the attempts of attackers.
        ➢ Recoverability: the software can be restored if something goes wrong with a function or its resiliency.
  16. How to Approach Security Testing
      ❖ Think outside the box
        ➢ Think like an attacker, in some cases from a user's perspective and in other cases from a developer's perspective.
      ❖ Have a passion for technology
        ➢ Stay up to date with new technologies and adjust to new attack strategies.
        ➢ More than 317 million new pieces of malware were created in 2014.
  17. Types of Software Testing
      ❖ Functional testing
        ➢ Unit testing breaks the software into smaller parts and tests each part individually
        ➢ Logic testing validates the accuracy of the software's process logic
      ❖ Performance testing
        ➢ How the software performs when subjected to large volumes of data
        ➢ How the software performs when the peak load is exceeded
      ❖ Security testing
        ➢ Ensures the software is designed and developed in a way that reduces the risk of exploitation
        ➢ Black box / white box testing
  18. Types of Software Security Testing
      ❖ Black box testing
        ➢ A method of testing in which the tester has no knowledge of the software's architecture or how it was built.
        ➢ Tests how the software behaves from a user's perspective.
      ❖ White box testing
        ➢ A method of testing in which the tester has considerable knowledge of the software's architecture, how it was built, and even its source code.
  19. What It Means to Have Secure Software
      ❖ Successfully testing software means having quality software and achieving software assurance.
      ❖ Can we adequately secure software through testing?
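The black box / white box distinction on slides 17 and 18 is easier to see on a concrete target. The following is an added example, not code from the slides or their references: a small path resolver that is supposed to confine user-supplied file names to an upload directory, a deliberately weak variant of it, a black-box suite that knows only the contract, and white-box checks that target the hardened resolver's branches. The resolver, the `BASE` directory, the hostile inputs and the expected verdicts are all constructed for illustration.

```python
"""
Added example, not from the original slides: black-box and white-box
security tests applied to a small function that is supposed to confine a
user-supplied file name to an upload directory. The resolver, its weak
variant, the hostile inputs and the expected verdicts are all constructed
here for illustration. POSIX path semantics are used so the results do
not depend on the platform.
"""
import posixpath
from typing import Callable, Dict, List, Optional, Tuple

BASE = "/srv/app/uploads"  # constructed upload root


def resolve_upload_path(user_path: str) -> Optional[str]:
    """Hardened resolver: return the absolute path under BASE, or None."""
    if not user_path or "\x00" in user_path or user_path.startswith("/"):
        return None
    candidate = posixpath.normpath(posixpath.join(BASE, user_path))
    # normpath collapses "..", so a traversal ends up outside BASE.
    # The trailing "/" matters: "/srv/app/uploads2" also starts with BASE.
    if candidate != BASE and not candidate.startswith(BASE + "/"):
        return None
    return candidate


def resolve_upload_path_weak(user_path: str) -> Optional[str]:
    """Weak variant with the classic prefix-check bug (no trailing "/")."""
    if not user_path:
        return None
    candidate = posixpath.normpath(posixpath.join(BASE, user_path))
    if not candidate.startswith(BASE):
        return None
    return candidate


# Black-box suite: the tester knows only the contract ("result stays under
# BASE or the input is rejected"), not the code, so each input is judged by
# the observable outcome. Constructed inputs; True = should be accepted.
BLACK_BOX_CASES: List[Tuple[str, bool]] = [
    ("report.pdf", True),
    ("2015/report.pdf", True),
    ("docs/../report.pdf", True),      # traversal that stays inside BASE
    ("../../etc/passwd", False),
    ("a/../../../etc/shadow", False),
    ("/etc/passwd", False),
    ("../uploads2/secret", False),     # sibling directory sharing the prefix
    ("", False),
]


def black_box_failures(resolver: Callable[[str], Optional[str]]) -> List[str]:
    """Inputs whose acceptance differs from the expected verdict, or that escape BASE."""
    failures = []
    for user_path, should_accept in BLACK_BOX_CASES:
        result = resolver(user_path)
        accepted = result is not None
        escaped = accepted and result != BASE and not result.startswith(BASE + "/")
        if accepted != should_accept or escaped:
            failures.append(user_path)
    return failures


def white_box_checks() -> Dict[str, bool]:
    """White-box checks: the tester has read resolve_upload_path and hits each branch."""
    return {
        "nul_byte_rejected": resolve_upload_path("a\x00b") is None,
        "absolute_path_rejected": resolve_upload_path("/x") is None,
        "sibling_dir_rejected": resolve_upload_path("../uploads2/f") is None,
        "base_itself_allowed": resolve_upload_path(".") == BASE,
        "normal_name_resolved": resolve_upload_path("f.txt") == BASE + "/f.txt",
    }


if __name__ == "__main__":
    print("weak resolver, black-box failures:", black_box_failures(resolve_upload_path_weak))
    print("hardened resolver, black-box failures:", black_box_failures(resolve_upload_path))
    print("white-box checks:", white_box_checks())
```

Run against the weak variant, the black-box suite flags `../uploads2/secret`: the tester never saw the missing slash in the prefix check, but the observable behaviour reveals it. The white-box checks exist because the tester did read the code; each one pins a branch that a future refactor could silently drop. The slide's closing question applies here too: both suites pass on the hardened resolver, yet neither says anything about how the caller decodes URL-encoded names before calling it.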
  20. Maintenance Phase
      ❖ According to ithandbook.ffiec.gov, the Maintenance Phase involves making changes to hardware, software, and documentation to support its operational effectiveness.
      ❖ This includes making changes to improve a system's performance, enhance security, correct problems, and/or address user requirements.
      ❖ Establishing appropriate change management standards and procedures helps to ensure modifications do not disrupt operations or negatively affect a system's security or performance.
  21. Maintenance Phase
      ❖ Systems and products are put in place and operating; enhancements are developed and tested, and hardware and software components are added or replaced.
      ❖ Configuration management and control activities should be conducted to document any proposed or actual changes in the security plan of the system.
      ❖ Documenting information system modifications and evaluating the impact of these changes on the security of a system helps prevent lapses in the system's security accreditation.
  22. Security Enhancing Process Models
      ❖ Microsoft's Trustworthy Computing Security Development Lifecycle
      ❖ Support & Servicing
        ➢ Response Execution
        ➢ Security Servicing
      ❖ Control Gates
        ➢ Operational Readiness Review
        ➢ Change Control Board review of proposed changes
        ➢ Review of POA&Ms (Plans of Action and Milestones)
        ➢ Accreditation decisions (every three years or after a major system change)
  23. Key Security Activities
      ❖ Conduct an Operational Readiness Review
        ➢ Many times when a system transitions to a production environment, unplanned modifications to the system occur; an operational readiness review should be considered to help mitigate risk and efficiently address last-minute surprises.
      ❖ Manage the configuration of the system
        ➢ An effective agency configuration management and control policy and associated procedures are essential to ensure adequate consideration of the potential security impacts due to specific changes to an information system or its surrounding environment.
        ➢ Establish an initial baseline of hardware, software, and firmware components for the information system, and control and maintain an accurate inventory of any changes to the system.
      ❖ Institute processes and procedures for assured operations and continuous monitoring of the information system's security controls
        ➢ The ultimate objective is to determine if the security controls in the information system continue to be effective over time in light of the inevitable changes that occur in the system as well as the environment in which the system operates.
        ➢ This can be done in many ways, such as security reviews, self-assessments, configuration management, antivirus management, patch management, security testing and evaluation, or audits.
      ❖ Perform reauthorization as required
        ➢ Reauthorization is the static, single point-in-time risk determination and risk acceptance decision that occurs after initial authorization.
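The configuration management and continuous monitoring bullets above describe a baseline-and-drift loop. The following is an added example, not code from the slides or their references, showing the minimum of that loop: fingerprint an inventory of components, store the baseline in a form that can be signed so the baseline itself cannot be quietly edited, compare a later observation against it, and separate changes that went through the change control board from those that need reassessment. The inventory contents, the approved change set and the signing key are constructed; on a real host the inventory would come from hashing files, the package database and firmware images, and the key would live in the monitoring system rather than on the host.

```python
"""
Added example, not from the original slides: a minimal configuration
baseline and drift check of the kind the "Manage the configuration"
bullet describes (establish an initial baseline of components, then keep
an accurate inventory of changes and decide which need reassessment).
The component inventory, the approved change list and the key are all
constructed here; a real deployment would hash files, package databases
and firmware images on the host and keep the signing key off that host.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Set

Inventory = Dict[str, bytes]  # component name -> observed content

# Constructed "accredited" state captured when the baseline was established.
BASELINE_STATE: Inventory = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
    "pkg:openssl": b"1.0.2d",
    "firmware:bios": b"v2.14",
}

# Constructed state observed later: one component modified, one added, one removed.
CURRENT_STATE: Inventory = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
    "pkg:openssl": b"1.0.2d",
    "pkg:netcat": b"1.10",
}

# Constructed key; in practice it lives in the monitoring system, not on the host.
BASELINE_KEY = b"example-baseline-signing-key"


def fingerprint(inventory: Inventory) -> Dict[str, str]:
    """SHA-256 of every component so content changes show up as hash changes."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in inventory.items()}


def build_baseline(inventory: Inventory) -> str:
    """Serialize the fingerprint deterministically so it can be stored and signed."""
    return json.dumps(fingerprint(inventory), sort_keys=True)


def sign_baseline(baseline_json: str, key: bytes) -> str:
    """HMAC over the stored baseline; a tampered baseline would hide drift."""
    return hmac.new(key, baseline_json.encode(), hashlib.sha256).hexdigest()


def verify_baseline(baseline_json: str, signature: str, key: bytes) -> bool:
    """Constant-time comparison of the stored signature against a fresh one."""
    return hmac.compare_digest(sign_baseline(baseline_json, key), signature)


def detect_drift(baseline_json: str, current: Inventory) -> Dict[str, List[str]]:
    """Compare the current inventory against the baseline by component name."""
    baseline = json.loads(baseline_json)
    now = fingerprint(current)
    return {
        "modified": sorted(n for n in baseline if n in now and now[n] != baseline[n]),
        "added": sorted(n for n in now if n not in baseline),
        "removed": sorted(n for n in baseline if n not in now),
    }


def unapproved_changes(drift: Dict[str, List[str]], approved: Set[str]) -> List[str]:
    """Changes with no matching change control board approval need reassessment."""
    changed = drift["modified"] + drift["added"] + drift["removed"]
    return sorted(c for c in changed if c not in approved)


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_STATE)
    sig = sign_baseline(baseline, BASELINE_KEY)
    assert verify_baseline(baseline, sig, BASELINE_KEY)
    drift = detect_drift(baseline, CURRENT_STATE)
    print("drift:", drift)
    # Only the netcat install went through the change control board.
    print("needs reassessment:", unapproved_changes(drift, {"pkg:netcat"}))
```

With the constructed data the drift report lists `sshd_config` as modified, `pkg:netcat` as added and `firmware:bios` as removed; with only the netcat install approved, the sshd change and the missing firmware record are what the reauthorization decision has to look at. The signature step is the part most often skipped: a baseline that the monitored host can rewrite is only a record of what the host currently says about itself.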
  24. Steps to Improve Development Methodology
      ❖ Assign a security team to every development project
        ➢ Make it known that they are a big part of the team
      ❖ Educate developers about security and the attack surface
        ➢ The developers should understand the importance of security and all points of exposure
      ❖ Evaluate policies and procedures
        ➢ Review existing policies and procedures and, in certain cases, create new policies and procedures focused on security
      ❖ Measure success
        ➢ Building security into the SDLC reduces errors, reduces costs and creates a more secure application
  25. References
      [1] R. Baskerville. Information systems security design methods: Implications for information systems development. ACM Computing Surveys, 25(4):375–414, Dec. 1993.
      [2] G. Brose. A typed access control model for CORBA. In F. Cuppens, Y. Deswarte, D. Gollmann, and M. Weidner, editors, Proc. European Symposium on Research in Computer Security (ESORICS), LNCS 1895, pages 88–105. Springer, 2000.
      [3] G. Brose. Access Control Management in Distributed Object Systems. PhD thesis, Freie Universität Berlin, 2001.
      [4] The Ten Best Practices for Secure Software Development: https://www.isc2.org/uploadedfiles/(isc)2_public_content/certification_programs/csslp/isc2_wpiv.pdf
      [5] Processes to Produce Secure Software: https://www.cigital.com/papers/download/secure_software_process.pdf
      [6] Risk Mitigation Planning, Implementation, and Progress Monitoring: http://www.mitre.org/publications/systems-engineering-guide/acquisition-systems-engineering/risk-management/risk-mitigation-planning-implementation-and-progress-monitoring
  26. References (cont.)
      [7] Disaster Recovery: Best Practices: http://www.cisco.com/en/US/technologies/collateral/tk869/tk769/white_paper_c11-453495.html
      [8] Eternal Sunshine Of The IS Mind: https://eternalsunshineoftheismind.wordpress.com/2013/03/10/sdlc-phase-5-maintenance/
      [9] On Point: http://www.onpointcorp.com/uploads/1385/doc/SecurityandtheSystemDevelopmentLifestyle_TimSmith_OnPoint0.pdf
      [10] Nearly 1 million new malware attacks every day: http://money.cnn.com/2015/04/14/technology/security/cyber-attack-hacks-security/
      [11] Software Security Testing: https://www.cs.purdue.edu/homes/xyzhang/fall07/Papers/sw-test.pdf
      [12] Assuring Software Security Through Testing: https://www.isc2.org/uploadedfiles/(isc)2_public_content/certification_programs/csslp/software%20security%20through%20testing.pdf
      [13] Operation/Maintenance Phase: http://www.fedramp.net/operation-maintenance-phase