Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Software Quality Through Security

Software Quality Through Security

Initial velocity rules it all when it comes to software development. However, this is not a sustainable way to build software. In this talk, we'll cover how we are currently building software, what data breaches mean to us as affected individuals, and how manageable software security can not only lead to a better security level, but also better quality in general. We'll also talk about the role of a Security Champion in software development teams.

30c94b96aa264994559fc0556b207bd8?s=128

Thomas Konrad

May 12, 2021
Tweet

Transcript

  1. Software Quality Through Security How we need to change our

    way of creating software Thomas Konrad, SBA Research B2B Software Days, May 10–12, 2021
  2. Classification: Customer 2 SBA Research gGmbH, 2019 $ whoami Thomas

    Konrad $ id uid=123(tom) gid=0(SBA Research) gid=1(Vienna, Austria) gid=2(Software Security) gid=3(Penetration Testing) gid=4(Software Development) gid=5(Security Training) gid=6(sec4dev Conference & Bootcamp)
  3. 3 How Do We Currently Build Software? An analysis of

    the current state of the art SBA Research, 2021
  4. 4 “We Must Be First On The Market!” Initial velocity

    rules them all. • We trade sustained velocity for initial velocity. • Prototypes become production systems. • Few organizations have sustainable long-term visions on their software. SBA Research, 2021
  5. 5 “Software Engineering Is Assembly-Line Work” SBA Research, 2021

  6. 6 “We’ll Fix It Later” SBA Research, 2021

  7. 7 “We’ll Do Penetration Tests Until All Findings Are Resolved”

    There isn’t a good understanding of what a penetration test can do. • “Can you give us a certificate that we’re secure now?” • It’s a quality assurance tool with a focus on technical, directly exploitable issues. • You cannot pentest your app secure. SBA Research, 2021
  8. 8 SBA Research, 2020 Photo by Brian Wangenheim on Unsplash

  9. 9 What Problems Arise From That Approach? The outcomes of

    our attitude SBA Research, 2021
  10. 10 Breaches. Breaches Everywhere! SBA Research, 2021 Source: https://haveibeenpwned.com/

  11. 11 The Problem With Breaches: They Don’t Hurt Breaches are

    often comparably small problems for individuals. • Data breaches can have an enormous scale. • It’s a bit like stealing € 0.01 from 1,000,000,000 people. • We’re not good at dealing with seemingly small problems at scale. • A data breach cannot be taken back. SBA Research, 2021
  12. 12 What Must Change? We must change the way be

    build software. SBA Research, 2021
  13. 13 Building and Running Dependable Software Is Hard Let’s recognize

    this! It’s hard … • … for security to keep pace with agility. • … to know where to best invest your resources. • … to acknowledge that there is no glory in prevention. • … to not make security the only important thing (scaring people away is also a risk!). • … to sacrifice initial velocity for long-term velocity. SBA Research, 2021
  14. 14 Automation: Distinguish “Scalable Baseline” from “Deep Understanding” SBA Research,

    2021
  15. 15 Build Security Into Your Team: Security Champions SBA Research,

    2020 Architect Advisor Challenger Coach Developer Explorer
  16. 16 Requirements Give a Security Perspective SBA Research, 2020 Functional

    requirement with security aspect Security requirement Functional requirement
  17. 17 Training: Become a Security Expert! SBA Research, 2020 Secure

    SDLC Essentials Web App Security IoT Security Secure Coding Cloud Security C / C++ Security Threat Modeling Certified Secure Software Lifecycle Professional (CSSLP) Certified Information Systems Security Professional (CISSP) Basic Advanced Pick your area Expert
  18. 18 The Pillars Of Manageable Software Security 1. Get a

    sense of the criticality of your software 2. Define security requirements early on 3. Don’t just consider bugs, also flaws 4. Educate your development team 5. Have someone manage security on the team 6. Define what vulnerability classes are relevant 7. Automate away as much as possible 8. Feed insights back to other activities 9. Have a centralized and filterable change management 10. Have recurring tasks in place that force to rethink SBA Research, 2021
  19. 19 Here’s The Good Part: It’ll Improve Quality Overall Security

    is just one aspect of quality. • High-security but low-quality software products are rare. • The activities mentioned before pay into your quality account. SBA Research, 2021
  20. 20 SBA Research: Software Security Consulting SBA Research, 2020 SBA

    Research Software Security Penetration Testing Security Champions Secure SDLC Trainings Code Reviews Threat Modeling Security Automation
  21. 21 Photo by Emily Morter on Unsplash Follow me on

    Twitter! @_thomaskonrad Thomas Konrad SBA Research Floragasse 7, 1040 Vienna +43 664 889 272 17 tkonrad@sba-research.org