Slide 1

Software Quality Through Security
How we need to change our way of creating software
Thomas Konrad, SBA Research
B2B Software Days, May 10–12, 2021

Slide 2

Classification: Customer
SBA Research gGmbH, 2019

$ whoami
Thomas Konrad
$ id
uid=123(tom) gid=0(SBA Research) gid=1(Vienna, Austria) gid=2(Software Security) gid=3(Penetration Testing) gid=4(Software Development) gid=5(Security Training) gid=6(sec4dev Conference & Bootcamp)

Slide 3

How Do We Currently Build Software?
An analysis of the current state of the art
SBA Research, 2021

Slide 4

“We Must Be First On The Market!”
Initial velocity rules them all.
• We trade sustained velocity for initial velocity.
• Prototypes become production systems.
• Few organizations have sustainable long-term visions on their software.

Slide 5

“Software Engineering Is Assembly-Line Work”

Slide 6

“We’ll Fix It Later”

Slide 7

“We’ll Do Penetration Tests Until All Findings Are Resolved”
There isn’t a good understanding of what a penetration test can do.
• “Can you give us a certificate that we’re secure now?”
• It’s a quality assurance tool with a focus on technical, directly exploitable issues.
• You cannot pentest your app secure.

Slide 8

SBA Research, 2020
Photo by Brian Wangenheim on Unsplash

Slide 9

What Problems Arise From That Approach?
The outcomes of our attitude

Slide 10

Breaches. Breaches Everywhere!
Source: https://haveibeenpwned.com/

Slide 11

The Problem With Breaches: They Don’t Hurt
Breaches are often comparably small problems for individuals.
• Data breaches can have an enormous scale.
• It’s a bit like stealing € 0.01 from 1,000,000,000 people.
• We’re not good at dealing with seemingly small problems at scale.
• A data breach cannot be taken back.

Slide 12

What Must Change?
We must change the way we build software.

Slide 13

Building and Running Dependable Software Is Hard
Let’s recognize this! It’s hard …
• … for security to keep pace with agility.
• … to know where to best invest your resources.
• … to acknowledge that there is no glory in prevention.
• … to not make security the only important thing (scaring people away is also a risk!).
• … to sacrifice initial velocity for long-term velocity.

Slide 14

Automation: Distinguish “Scalable Baseline” from “Deep Understanding”

Slide 15

Build Security Into Your Team: Security Champions
Roles of a security champion (diagram labels):
• Architect
• Advisor
• Challenger
• Coach
• Developer
• Explorer

Slide 16

Requirements Give a Security Perspective
Requirement types (diagram labels):
• Functional requirement
• Functional requirement with security aspect
• Security requirement

Slide 17

Training: Become a Security Expert!
Levels: Basic, Advanced (pick your area), Expert
Courses (diagram labels):
• Secure SDLC Essentials
• Web App Security
• IoT Security
• Secure Coding
• Cloud Security
• C / C++ Security
• Threat Modeling
• Certified Secure Software Lifecycle Professional (CSSLP)
• Certified Information Systems Security Professional (CISSP)

Slide 18

The Pillars Of Manageable Software Security
1. Get a sense of the criticality of your software
2. Define security requirements early on
3. Don’t just consider bugs, also flaws
4. Educate your development team
5. Have someone manage security on the team
6. Define what vulnerability classes are relevant
7. Automate away as much as possible
8. Feed insights back to other activities
9. Have a centralized and filterable change management
10. Have recurring tasks in place that force you to rethink

Slide 19

Here’s The Good Part: It’ll Improve Quality Overall
Security is just one aspect of quality.
• High-security but low-quality software products are rare.
• The activities mentioned before pay into your quality account.

Slide 20

SBA Research: Software Security Consulting
SBA Research Software Security services (diagram labels):
• Penetration Testing
• Security Champions
• Secure SDLC
• Trainings
• Code Reviews
• Threat Modeling
• Security Automation

Slide 21

Photo by Emily Morter on Unsplash
Follow me on Twitter! @_thomaskonrad
Thomas Konrad
SBA Research
Floragasse 7, 1040 Vienna
+43 664 889 272 17
[email protected]