Security as a process

Security as a process

We will look into the software development lifecycle, how to turn it into a secure software development lifecycle and take a look at a tool that can help with that even if you are just a small team and not a large process driven company.

Dd04c77354394458bbd4afd64bf7e8b3?s=128

Frank Kleine

October 12, 2019
Tweet

Transcript

  1. 2.

    FRANK KLEINE • Software Architect @ United Internet Corporate Service

    GmbH • Security SPOC for department • Love travelling with railways • Critic, rants etc about the talk: @bovigo
  2. 5.

    STUDY FROM 2004 HOW SECURE WERE OPERATING SYSTEMS? • Windows

    XP + SP1: 4 minutes on Internet before compromised • Windows XP + SP1 + ZoneAlarm: most secure, not compromised • Windows XP + SP2: not compromised • Windows Small Business Server 2003: 8 hours until compromised • Mac OS X 10.3.5, Linspire (Linux): not compromised Source: Automated “Bots” Overtake PCs Without Firewall Within 4 Minutes
  3. 6.

    SOME REASONS WHY WAS WINDOWS INSECURE? • Not created with

    computers connected to the world in mind • Attacks from outside simply weren’t an issue • Suddenly, everyone connects their computers to the internet • Probably missing knowledge about new security risks attached to the new usage scenarios
  4. 7.

    THINGS CHANGED TODAY • We commonly don’t talk about Windows

    being insecure by default any more. • Yes, there are still attacks and security fixes are issued all the time, but they don’t gain headlines most of the time. • Most attacks today require user interaction - back then they didn’t.
  5. 8.

    ?

  6. 11.

    THINK ABOUT SECURITY IN ALL PHASES. AND SECURE? • Requirements

    analysis: identify security requirements and objectives • Design: identify important components, think about risks • Implementation: write tests, do code reviews, use available tools to prevent security flaws • Testing: search systematically (and automatically) for security flaws • Evolution: provide means to react quickly on discovered flaws
  7. 12.

    THAT’S NICE, BUT WE ARE NOT MICROSOFT HOW TO START?

    • Learn about what’s available • Pick something to start with • If it works for you - great, go ahead and pick the next one • If it doesn’t - abandon and try something else
  8. 17.

    A TOOL THAT MAY HELP SECURITYRAT The core functionality of

    SecurityRAT ("Requirement Automation Tool") can be described in the following steps: 1. You tell SecurityRAT what kind of a software artefact you're going to develop / are running 2. SecurityRAT tells you which requirements you should fulfil. 3. You decide how you want to handle the desired requirements. 4. You persist the the artefact state in an issue tracker and create tickets for the requirements where an explicit action is necessary 5. Throughout the continuous development of the particular artefact, you respect the rules defined in SecurityRAT and document relevant changes in requirement compliance whenever appropriate. Focus of SecurityRAT is currently put on automation of procedures rather than quality of requirements. There is a set of requirements provided which you can start with, nevertheless it is recommended to create your own set of requirements which fits your company risk profile. Source: OWASP
  9. 18.
  10. 19.

    HOW MUCH OF A TIME SINK IS THAT? EFFORTS •

    Setting up SecurityRAT: 1 day • Modifying the requirements to your needs: how much time are you willing to spend? • Tip: start with the requirements that the default set brings, and whenever you think one isn’t right just modify it then. Don’t rework all the requirements right on introduction. • For the actual run-through when a new project is started: 60-90 minutes. Your mileage may vary.
  11. 20.

    BECAUSE THERE’S A LOT MORE TO DISCOVER SOME MORE LINKS

    • Addressing Security Requirements in Development Projects - Daniel Kefer, René Reuter @ AppSecEU 16 • SecurityRAT @ Github • Microsoft SDL Progress Report from 2010 • Microsoft Security Development Lifecycle • OWASP Application Security Verification Standard
  12. 22.

    NOT THE USUAL “WE HAVE JOBS” ANNOUNCEMENT I’M LOOKING FOR

    A NEW JOB • Software Architect • Developer (mainly Go & PHP) • @bovigo