
Secure development 2014


Secure development

Published in: Technology

  1. Secure Development Life Cycle (SDLC). Sigal Russin, CISO Senior Analyst at STKI, sigalr@stki.info
  2. Sigal Russin’s work / Copyright@2014. Do not remove source or attribution from any slide, graph or portion of graph. What are you getting:
  3. OSI Model
  5. Development Problems • Buffer Overflow: a buffer receives more information than the space allocated to it. This lets attackers write outside the buffer and overwrite information the program needs in order to keep running. In many cases, exploiting this weakness allows code injected by the attacker to run.
  6. Development Problems • DoS (Denial of Service). Ping of death: due to increased browsing bandwidth, this attack does not pose a risk. Local denial of service: "stealing" all available memory from the operating system, and denying service by blocking regular work on the computer.
  7. Development Problems. Distributed Denial of Service: many different points each make one or more requests to a particular network service; it is usually carried out through many computers controlled by a single operator. • Code Injection: Cross-Site Scripting, HTML/JavaScript/SQL injection. The user can enter any code, have the software run it, and do whatever they wish through the code they injected.
  8. Development Problems • Race Condition (Resource Condition): a resource conflict in software arises when a resource is used by more than one section of the software's code (memory disposed).
  9. Myths • If no one knows about a problem, it cannot be exploited (security by obscurity). • Safe programming languages: many high-level languages give the feeling that they are clean and free of problems, but they can still contain more of the security issues and bugs that exist in the world. • One-way hashed passwords: files containing scrambled passwords. Attackers cannot retrieve the password, so they will read the one-way scrambled information and use the password itself. • Nothing can break the software. • You can fix and solve problems "on the go".
  10. Assumptions • QA staff are able to locate problems and fix them. • The user will not harm the information or the software foundation. • The program will be used only for its original, intended purpose. • Code compiled into machine language cannot be interpreted. • Encoding symbols in machine language is a form of protection.
  11. Programming Principles for Correct Software Security: Check all the input you receive, including input from the command line, environment variables, and other data. Do not only mark "bad" input; also know how to check what "good" input is. Prevent buffer overflows everywhere. Pay particular attention to long inputs and do not give them the opportunity to take over the functionality of your system.
  12. Programming Principles for Correct Software Security: Remember to build your program correctly: avoid high privileges, reboot the system with correct and safe parameters, plan what you will do when there is a system failure, prevent race conditions, and use safe channels only. Use caution with system calls to external libraries. Return information from the system carefully: only what is needed and nothing more. Do not expose internal data.
  13. Customers round table insights: (1) Unplanned projects that do not always come to the attention of the information security body. (2) Are developers allowed to see various kinds of data during the development process? Use of data scrambling/masking. (3) According to the developers, information security staff sometimes block the use of certain technologies because of excessive concern or because of insufficient knowledge. (4) Code received from third parties: what do you do? In no case was a system taken offline because of security flaws found in it. (5) The differences between the test and development environment and the production environment. Hardening of the production servers as compared with the development and test servers.
  14. Vendors. The Web Application Vulnerability Scanners Benchmark, 2012: http://sectooladdict.blogspot.co.il/2012/07/2012-web-application-scanner-benchmark.html
  15. Recommendations 1) Integrate information security into all phases of the project: from the initial stages (a project is sometimes stopped at this stage because of applicability or security risk), through the analysis phase and coding, to the various stages of testing. 2) Automated testing tools during coding. Ideally the code is tested all the time, every day. 3) A dedicated in-depth source code survey of information security issues in the testing phase. 4) Code penetration tests. 5) Information security development procedures, "do and do not", for every technology. 6) Basic training for all developers and more advanced training for developers who are "security trustees".
  16. Thank You! Sigalr@stki.info
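
The input-handling principles on slides 11 and 12 (check command-line and environment input, define what "good" input is, guard against long inputs and buffer overflow) can be shown in C. This is an added example, not part of the original slides; the `APP_USER` variable, the 32-byte limit and all function names are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_BUF_SIZE 32 /* assumed limit for this example */
enum input_status { INPUT_OK, INPUT_MISSING, INPUT_TOO_LONG, INPUT_BAD_CHAR };

/* Allowlist: state what "good" input is (ASCII letters, digits, '_', '-')
 * rather than trying to list every "bad" character. */
static int is_allowed(unsigned char c)
{
    return (c < 0x80 && isalnum(c)) || c == '_' || c == '-';
}

/* Validate untrusted text, then copy it into a fixed-size buffer. The length
 * is checked before any input byte is written, so an over-long input is
 * rejected instead of running past the end of dst. */
enum input_status copy_validated(char *dst, size_t dst_size, const char *src)
{
    size_t len = 0, i;
    if (dst == NULL || dst_size == 0)
        return INPUT_MISSING;
    dst[0] = '\0';
    if (src == NULL || src[0] == '\0')
        return INPUT_MISSING;
    while (len < dst_size && src[len] != '\0') /* bounded length scan */
        len++;
    if (len == dst_size)
        return INPUT_TOO_LONG; /* no room left for the terminator */
    for (i = 0; i < len; i++)
        if (!is_allowed((unsigned char)src[i]))
            return INPUT_BAD_CHAR;
    memcpy(dst, src, len + 1); /* len + 1 <= dst_size */
    return INPUT_OK;
}

int main(int argc, char **argv)
{
    char name[NAME_BUF_SIZE];
    /* Command line and environment are both untrusted; APP_USER is hypothetical. */
    const char *raw = (argc > 1) ? argv[1] : getenv("APP_USER");
    enum input_status st = copy_validated(name, sizeof name, raw);
    if (st == INPUT_OK)
        printf("accepted: %s\n", name);
    else
        fprintf(stderr, "rejected input (status %d)\n", (int)st);
    return st == INPUT_OK ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

Rejecting over-long input outright, rather than silently truncating it, keeps later code from acting on a value the user never supplied.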
