An introduction to the
Secure Software Development
Lifecycle
Lone Star PHP Conference, Dallas TX
June 28th - 29th 2013
Fee...
Who am I?
Neal Anders
Senior Software Engineer at Infoblox
http://github.com/nanderoo
http://neal-anders.com
@nanderoo
Who are you?
Designers? Developers?
Dev-Ops? Sys-Admin?
Managers? Recruiters?
What do you mean...
Secure Software?
What does Secure Software mean?
Resilience?
Dependable?
Trustworthy?
Secure Software Assurance
"...the level of confidence that software is free
from vulnerabilities, either intentionally
des...
Secure Software Development
What is different about SSD/SDL?
- More than one flavor out there.
- Different approaches / fr...
Secure Software Development
Train Requirements Design
ImplementVerifyRelease
Respond
Secure Software Development
Initiate Develop
ImplementOperate
Dispose
Requirements & Design
What makes secure requirements different
- Front-loaded planning.
- Thinking about things other than...
Requirements & Design
Design aspects of secure software
- Redundancy
- Stability
- Graceful Fall-over/Failure
- And recove...
Requirements & Design
Threat Modeling and STRIDE
Spoofing * Tampering * Repudiation * Information Disclosure * Denial of S...
Requirements & Design
Session Hijacking > Employ SSL
Spoofing * Tampering * Repudiation * Information Disclosure * Denial ...
Requirements & Design
Fuzzing / Overflow > Limit Inputs
Spoofing * Tampering * Repudiation * Information Disclosure * Deni...
Requirements & Design
Data Access / Theft > Encrypt
Spoofing * Tampering * Repudiation * Information Disclosure * Denial o...
Requirements & Design
?customerid=* > Enforce Access Limits
Spoofing * Tampering * Repudiation * Information Disclosure * ...
Requirements & Design
Auto Refresh > Throttle / Firewall
Spoofing * Tampering * Repudiation * Information Disclosure * Den...
Requirements & Design
/?admin=true > Least Privilege
Spoofing * Tampering * Repudiation * Information Disclosure * Denial ...
Development & Testing
What is different about 'secure' development
- Requires you think about what may not be in
the specs...
Development & Testing
So, testing is more than 1-time unit tests
- You will be continually adding new cases
even after you...
Acceptance
More than a check list
- Now you are ready to release, right?
- Acceptance will run the gamut of all your
specs...
Acceptance
Validate with real-world data
- The best data is real data (but not always
possible).
- Fuzzing / brute force t...
Acceptance
Have this figured out before you get here
- What steps will you perform to validate?
- What remediations will b...
Least Privilege
The concept that... for a given task to be
completed, it should be accomplished in the
shortest amount of ...
Least Privilege
Rethinking how you design your app
- Traditional approach is to show everything.
- Prune back until someth...
Least Privilege
Flexible vs. strict permissions
- We often want to create a beautiful machine
with a versatile codebase.
-...
Least Privilege
Extensive logging and test cases
- Logging / Auditing often is an afterthought
- Work on logging and think...
Policies and Standards
Have them for your entire engineering org
- Specs, Designs, Code, Play Books.
- Set common / minimu...
Policies and Standards
Make code and documentation enforcements
- Automated as possible
- Part of your code review cycle
-...
Policies and Standards
Are part of your release cycle
- Good time to audit code
- Verify / sign / validate packaging
- If ...
Defensive Coding
When 1 line of code turns into many
- Thinking outside of the spec
- Red Teaming
- Validation of your thr...
Defensive Coding
php://memory demo (time permitting)
Operations
Push to production
- Prime operations personnel
- Perform phased rollout
- Have a rollback plan, test it.
- Pre...
Operations
Monitoring state
- Decide (early on) what measurements to take
- Establish baseline, deviance, historical
trigg...
Operations
Dealing with attempted break-ins
- What does normal state look like?
- Are there indicators that you can watch ...
Operations
An Intrusion - Now what?
- Don't Panic!
- Notify the right people.
- Take defensive measures.
- Enact your Risk...
Risk Mitigation
Handling Breaches / Exposure
- Role-play different scenarios and your
responses.
- Threats can come from e...
Risk Mitigation
Full Disclosure Planning
- Acknowledge the report of the "issue".
- Have a response ready for the person o...
Risk Mitigation
Reactive vs. Proactive
- You must be ready to react to changes in the
performance and operation of your
ap...
Bonus Round
Cleared Work
- Social Media
- Adverse Behavior
- Financial Status
- M.I.C.E.
M=money
I =ideology(patriotism/re...
Plugs
Check out
- Baltimore / D.C. PHP
- Surge Conf
- MDC3
- BlackHat / BSIDES / Defcon
- Your Local Hacker Space
Contact & Feedback
Email - Neal.Anders@Yahoo.com
Twitter - @nanderoo
Web - http://neal-anders.com/blog
Feedback - http://j...
Upcoming SlideShare
Loading in...5
×

Intro to-ssdl--lone-star-php-2013

1,940
-1

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
1,940
On Slideshare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
12
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Intro to-ssdl--lone-star-php-2013

  1. 1. An introduction to the Secure Software Development Lifecycle Lone Star PHP Conference, Dallas TX June 28th - 29th 2013 Feedback - http://joind.in/8682
  2. 2. Who am I? Neal Anders Senior Software Engineer at Infoblox http://github.com/nanderoo http://neal-anders.com @nanderoo
  3. 3. Who are you? Designers? Developers? Dev-Ops? Sys-Admin? Managers? Recruiters?
  4. 4. What do you mean... Secure Software?
  5. 5. What does Secure Software mean? Resilience? Dependable? Trustworthy?
  6. 6. Secure Software Assurance "...the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at anytime during its lifecycle, and that the software functions in the intended manner." - National Information Assurance Glossary; CNSS Instruction No. 4009
  7. 7. Secure Software Development What is different about SSD/SDL? - More than one flavor out there. - Different approaches / frameworks. - Microsoft "Security Development Lifecycle" - CERT/SEI Carnegie Mellon University - OWASP - SANS / NIST / IETF - BITS - Others
  8. 8. Secure Software Development Train Requirements Design ImplementVerifyRelease Respond
  9. 9. Secure Software Development Initiate Develop ImplementOperate Dispose
  10. 10. Requirements & Design What makes secure requirements different - Front-loaded planning. - Thinking about things other than 'features' - Requirements and risk measurements. - Design is not eye-candy and pixel pushing. - Sometimes at the expense of usability.
  11. 11. Requirements & Design Design aspects of secure software - Redundancy - Stability - Graceful Fall-over/Failure - And recovery! - Data Integrity - Information Assurance - Threat Modeling
  12. 12. Requirements & Design Threat Modeling and STRIDE Spoofing * Tampering * Repudiation * Information Disclosure * Denial of Service * Elevation of Privilege Internet App Server Database
  13. 13. Requirements & Design Session Hijacking > Employ SSL Spoofing * Tampering * Repudiation * Information Disclosure * Denial of Service * Elevation of Privilege Internet App Server Database
  14. 14. Requirements & Design Fuzzing / Overflow > Limit Inputs Spoofing * Tampering * Repudiation * Information Disclosure * Denial of Service * Elevation of Privilege Internet App Server Database
  15. 15. Requirements & Design Data Access / Theft > Encrypt Spoofing * Tampering * Repudiation * Information Disclosure * Denial of Service * Elevation of Privilege Internet App Server Database
  16. 16. Requirements & Design ?customerid=* > Enforce Access Limits Spoofing * Tampering * Repudiation * Information Disclosure * Denial of Service * Elevation of Privilege Internet App Server Database
  17. 17. Requirements & Design Auto Refresh > Throttle / Firewall Spoofing * Tampering * Repudiation * Information Disclosure * Denial of Service * Elevation of Privilege Internet App Server Database
  18. 18. Requirements & Design /?admin=true > Least Privilege Spoofing * Tampering * Repudiation * Information Disclosure * Denial of Service * Elevation of Privilege Internet App Server Database
  19. 19. Development & Testing What is different about 'secure' development - Requires you think about what may not be in the specs. - Error handling becomes the first step and second nature. - Testing becomes as much about making tests pass with expected behavior and pass with failed (but expected) behavior.
  20. 20. Development & Testing So, testing is more than 1-time unit tests - You will be continually adding new cases even after you release. - As vulnerabilities are found they should be included in your test cases. - When someone claims to have an exploit you can easily and quickly validate. - Testing with "fail gracefully" can be tricky.
  21. 21. Acceptance More than a check list - Now you are ready to release, right? - Acceptance will run the gamut of all your specs and tests and things you might not know about. - 3rd party / independent validation
  22. 22. Acceptance Validate with real-world data - The best data is real data (but not always possible). - Fuzzing / brute force tends to expose only a subset of issues. - Some of the same tools used during testing.
  23. 23. Acceptance Have this figured out before you get here - What steps will you perform to validate? - What remediations will be taken should something not pass? - Used assigned weights / values to potential weaknesses (garnered from threat modeling). - Measure the product / release as a whole.
  24. 24. Least Privilege The concept that... for a given task to be completed, it should be accomplished in the shortest amount of time, with the least amount of resources and permissions.
  25. 25. Least Privilege Rethinking how you design your app - Traditional approach is to show everything. - Prune back until something that isn't desired is gone. - Often leads to poor UX / escapes / vulnerabilities. - Instead, start with only what is needed. - You can end up writing more code, but it is more secure.
  26. 26. Least Privilege Flexible vs. strict permissions - We often want to create a beautiful machine with a versatile codebase. - But you can end up designing and building for what isn't required or desired. - Trouble caused by taking short cuts and... not knowing. - Diverse skill-sets, teamwork, code reviews, and properly vetted specs help make this easier.
  27. 27. Least Privilege Extensive logging and test cases - Logging / Auditing often is an afterthought - Work on logging and thinking about your design up front, make it transparent. - TDD / BDD approaches can be helpful. - Test cases should be clear and concise. - Recognizing what unexpected behavior looks like is key.
  28. 28. Policies and Standards Have them for your entire engineering org - Specs, Designs, Code, Play Books. - Set common / minimum levels of logging. - Document expected / desired failure modes. - Code reviews can become quite different. - How will you enforce them?
  29. 29. Policies and Standards Make code and documentation enforcements - Automated as possible - Part of your code review cycle - PHPDoc / Pod / Etc - Reference BUG-IDs, small changes in code.
  30. 30. Policies and Standards Are part of your release cycle - Good time to audit code - Verify / sign / validate packaging - If you 'bike-shed' during this time is a sign of poor implementation or understanding.
  31. 31. Defensive Coding When 1 line of code turns into many - Thinking outside of the spec - Red Teaming - Validation of your threat modeling! - It's ok to bring in help from outside your group. - DRY helps maintain sanity, makes changes easier.
  32. 32. Defensive Coding php://memory demo (time permitting)
  33. 33. Operations Push to production - Prime operations personnel - Perform phased rollout - Have a rollback plan, test it. - Pre-position monitoring and alerts
  34. 34. Operations Monitoring state - Decide (early on) what measurements to take - Establish baseline, deviance, historical triggers - Create a playbook - "Beach Certify" your app - Periodically review what you measure/monitor
  35. 35. Operations Dealing with attempted break-ins - What does normal state look like? - Are there indicators that you can watch for? - Annoyance or real threat? - Persistent? - What are they trying?Known vuln? 0-day?
  36. 36. Operations An Intrusion - Now what? - Don't Panic! - Notify the right people. - Take defensive measures. - Enact your Risk Mitigation Plan(s)
  37. 37. Risk Mitigation Handling Breaches / Exposure - Role-play different scenarios and your responses. - Threats can come from external or internal sources. - Sometimes things are found by accident. - Don't do anything to destroy evidence. - Be ready to bring in outside help. - It's audit time boys and girls.
  38. 38. Risk Mitigation Full Disclosure Planning - Acknowledge the report of the "issue". - Have a response ready for the person or group reporting. - Provide an outline / timeline of what they should expect and when. - Decide if/when to go public with the breach or vulnerability. - If a true issue, provide workarounds/fixes.
  39. 39. Risk Mitigation Reactive vs. Proactive - You must be ready to react to changes in the performance and operation of your application or service. - In order to do this you must proactively monitor the services you provide and the infrastructure it operates on. - Recognize expected vs observed behavioral deviations.
  40. 40. Bonus Round Cleared Work - Social Media - Adverse Behavior - Financial Status - M.I.C.E. M=money I =ideology(patriotism/religion) C=coercion E=ego
  41. 41. Plugs Check out - Baltimore / D.C. PHP - Surge Conf - MDC3 - BlackHat / BSIDES / Defcon - Your Local Hacker Space
  42. 42. Contact & Feedback Email - Neal.Anders@Yahoo.com Twitter - @nanderoo Web - http://neal-anders.com/blog Feedback - http://joind.in/8682
  1. Gostou de algum slide específico?

    Recortar slides é uma maneira fácil de colecionar informações para acessar mais tarde.

×