
Software Quality Through Security


Initial velocity rules it all when it comes to software development. However, this is not a sustainable way to build software. In this talk, we'll cover how we are currently building software, what data breaches mean to us as affected individuals, and how manageable software security can not only lead to a better security level, but also better quality in general. We'll also talk about the role of a Security Champion in software development teams.

Thomas Konrad

May 12, 2021


Transcript

  1. Software Quality Through Security: How we need to change our way of creating software. Thomas Konrad, SBA Research. B2B Software Days, May 10–12, 2021.
  2. SBA Research gGmbH, 2019
     $ whoami
     Thomas Konrad
     $ id
     uid=123(tom) gid=0(SBA Research) gid=1(Vienna, Austria) gid=2(Software Security) gid=3(Penetration Testing) gid=4(Software Development) gid=5(Security Training) gid=6(sec4dev Conference & Bootcamp)
  3. How Do We Currently Build Software? An analysis of the current state of the art.
  4. “We Must Be First On The Market!” Initial velocity rules them all.
     • We trade sustained velocity for initial velocity.
     • Prototypes become production systems.
     • Few organizations have a sustainable long-term vision for their software.
  5. “We’ll Do Penetration Tests Until All Findings Are Resolved” There isn’t a good understanding of what a penetration test can do.
     • “Can you give us a certificate that we’re secure now?”
     • It’s a quality assurance tool with a focus on technical, directly exploitable issues.
     • You cannot pentest your app secure.
  6. The Problem With Breaches: They Don’t Hurt. Breaches are often comparably small problems for individuals.
     • Data breaches can have an enormous scale.
     • It’s a bit like stealing € 0.01 from 1,000,000,000 people.
     • We’re not good at dealing with seemingly small problems at scale.
     • A data breach cannot be taken back.
  7. What Must Change? We must change the way we build software.
  8. Building and Running Dependable Software Is Hard. Let’s recognize this! It’s hard …
     • … for security to keep pace with agility.
     • … to know where to best invest your resources.
     • … to acknowledge that there is no glory in prevention.
     • … to not make security the only important thing (scaring people away is also a risk!).
     • … to sacrifice initial velocity for long-term velocity.
  9. Build Security Into Your Team: Security Champions. The roles a Security Champion takes on: Architect, Advisor, Challenger, Coach, Developer, Explorer.
  10. Requirements Give a Security Perspective. Three kinds of requirements: functional requirement, functional requirement with a security aspect, security requirement.
  11. Training: Become a Security Expert!
     • Basic: Secure SDLC Essentials
     • Advanced (pick your area): Web App Security, IoT Security, Secure Coding, Cloud Security, C / C++ Security, Threat Modeling
     • Expert: Certified Secure Software Lifecycle Professional (CSSLP), Certified Information Systems Security Professional (CISSP)
  12. The Pillars Of Manageable Software Security
     1. Get a sense of the criticality of your software
     2. Define security requirements early on
     3. Don’t just consider bugs, also flaws
     4. Educate your development team
     5. Have someone manage security on the team
     6. Define what vulnerability classes are relevant
     7. Automate away as much as possible
     8. Feed insights back to other activities
     9. Have a centralized and filterable change management
     10. Have recurring tasks in place that force you to rethink
  13. Here’s The Good Part: It’ll Improve Quality Overall. Security is just one aspect of quality.
     • High-security but low-quality software products are rare.
     • The activities mentioned before pay into your quality account.
  14. SBA Research: Software Security Consulting. Services: Penetration Testing, Security Champions, Secure SDLC, Trainings, Code Reviews, Threat Modeling, Security Automation.
  15. Photo by Emily Morter on Unsplash. Follow me on Twitter! @_thomaskonrad. Thomas Konrad, SBA Research, Floragasse 7, 1040 Vienna, +43 664 889 272 17, [email protected]