Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Digital Product Security

319 views

Published on

Whether you're a huge enterprise or a small start-up, you can't escape global digitalization. As digital technologies like machine-2-machine communication, device-2-device telematics, connected cars, and the Internet of Things become more integral in today’s world, more threats will appear as hackers use new ways to exploit weaknesses in your organization and products.

During SoftServe’s free security webinar, Nazar Tymoshyk will explore the reasons why recent victims of digital attacks couldn’t withstand a threat to their security and share how you can build secure and compliant software with the help of security experts. A real-life case study will demonstrate how SoftServe assessed and mitigated security threats for a top organization.

Published in: Software
  • Be the first to comment

Digital Product Security

  1. 1. Digital Product Security
  2. 2. Agenda • About me • Know your enemy first: Cyberattacks against modern business • Anatomy and security issues in Product Development • Tips and Tricks: Develop software security by design • How to get ROI • People, Process, Tools • References 2016
  3. 3. About me Security Consulting Lead @ SoftServe Manage Security Red Team OWASP Chapter Lead L'viv Penetration Tester Certified Ethical Hacker Researcher General summary: • 10+ years of experience in Information Security • 15+ years of UNIX systems network administration experience • 15+ years of MS Windows * administration experience • 4 years of Novell service and products administration experience • 1+ year of Oracle DB administration as a DBA • 15+ years in network infrastructure management Nazar Tymoshyk, Ph.D. CEH
  4. 4. Attack surface Attackers are targeting applications
  5. 5. Data breaches and cyber attacks in June 2016 (289,150,000+ records leaked) https://www.itgovernance.co.uk/blog/category/other-blogs/breaches-hacks/
  6. 6. Big names
  7. 7. Big names
  8. 8. Anatomy and security issues in Product Development
  9. 9. Developer • Focus on functional requirements • Knows about: • OWASP Top 10 • 1 threat (DEADLINE fail) • Concentrated on risks «I know when I’m writing code I’m not thinking about evil, I’m just trying to think about functionality» Scott Hanselman «Risks are for managers, not developers» Unknown Security Officer • Focused on security requirements • Knows difference between vulnerability and attack • Focused on Toolset and it’s output • Focused on vulnerabilities
  10. 10. Application security testing tools are being sold as a solution to the problem of insecure software Many of the CWE vulnerability types, are design issues, or business logic issues. Why doesn’t code analysis resolve the problem?
  11. 11. Scanners Cannot THINK Security Scanner is not a panacea Looking for known, defined and predictable patterns Not searching for: • Logical defects • Rights separation • Complex attack vectors • Defects in architecture and design • Real Cryptography level • Etc. Scanners create the Illusion of SAFETY
  12. 12. Security AnalystQA Engineer VS In functional and performance testing, the expected results are documented before the test begins, and the quality assurance team looks at how well the expected results match the actual results In security testing, the security analysts team is concerned only with unexpected results, testing for the unknown, and looking for weaknesses
  13. 13. Tips and Tricks: Develop software security by design
  14. 14. Problems to Solve Determine activities that pay back faster during current state of the project Avoid inconsistent levels of security Minimize the cost of Security related issues Avoid repetitive security issues
  15. 15. Value Delivered • Reduced Cost of Security Issue Resolution • 3rd party evaluator during initial Penetration test didn’t find any serious security vulnerability • Delivered Secure Source Code, Secure Deployment, Secure Infrastructure • Application fully compliant (HIPAA, PCI, SOC, PII) • Metrics of security progress increased trust for key stakeholders and clients
  16. 16. vulnerability scanning / WAF security testing / dynamic analysis coding guidelines /code reviews/ static analysis security requirements / risk and threat analysis Secure SDLC Reactive ApproachProactive Approach Generic Approach for Security Build ProductionTestDesign
  17. 17. Than start process of re-Coding, re-Building, re-Testing, re-Auditing. How the security process looks in reality BACK to re-Coding, re-Building, re-Testing, re-Auditing Most Issues are found by security auditors prior to going live
  18. 18. How much time do you need to fix security issues in an app? • 4+ Weeks • 3-4 Weeks • 2-3 Weeks • 0-1 Week 82 percent of applications that were remediated to a satisfactory level did so in a week or less.
  19. 19. Simple ROI of Product security Figure 2: By identifying vulnerabilities early in the application lifecycle, your organization can prevent unnecessary costs when fixing application security issues. The costs represented in this illustration are based on a hypothetical hourly rate, but the magnitude of cost escalation that occurs through the application lifecycle is typical of what many organizations experience. Reduce costs by finding application vulnerabilities early* *Estimated costs based on IBM Global Business Services industry standards
  20. 20. How it should look How do you add Security in?With a proper Security Program the number of security defects should decrease from phase to phase
  21. 21. Case Study Analyze Current Practices Define Goals Define Roadmap Execute /Oversee /Adjust Discovery
  22. 22. Business Issue Client realized that most of his competitors had already beenhacked and his company could be the next target. He wanted to: • Stay compliant • Protect his Intellectual Property • Protect client data • Demonstrate excellence and high code quality • Avoid a data breach • Minimize security costs Drivers: Customer Request, Potential Issues Requestor: Security Department
  23. 23. Linear Integration Approach
  24. 24. Iteration Based Test Only Approach • After the backlog of security related items has been reviewed and evaluated by Development Management, a 2-week Development cycle (iteration) will address the highest ranked items • Upon delivery of completed code, security testing is performed both manually and using automated testing tools • Results from manual and automated scans end up in the same backlog repository, to be reviewed and prioritized by Development Management
  25. 25. Approach Focus on: • Developing products in a secure way • Starting with right Security Requirements • Static Security Code Analysis • Dynamic Application Security Testing • Manual Security Testing on Final Security Review
  26. 26. Security Education • Define Security Guidelines for Dev & QA • Develop Test Cases for QA team • Regular (quarterly) Session with Dev Team to talk about recent vulnerabilities • Knowledge Sharing
  27. 27. Requirements Definition Stage • Identity Management (IdM), SSO and Security Control • Data Segregation • Data Security & Privacy • Availability • Network & Transport Security • Operation Security • Define Security Quality Gates
  28. 28. SAST/DAST Security Testing • Static Code Analysis • Static Application Security Testing • Dynamic Application Security Testing • Custom Automation Testing • SonarQube with latest rule set to validate for each check-in • Regular (sprint based) source code and application in runtime security scan with IBM AppScan • Final security audit - security SAST&DAST assessment with Veracode
  29. 29. Manual Security Testing - Scope
  30. 30. Manual Security Testing – Activity • Create Dev & QA guide applicable for the project • Create Test Cases for Grey Box testing • Execute tests and assist dev team with explaining root and mitigation approaches of identified issues • Validation of new functionality and periodic remediation for modification • Educate QA and Dev team
  31. 31. Incident Response Plan Plan response for security incidents in case of: • Malicious Code Injection • Unauthorized Access • Unauthorized Utilization of Services • Data Manipulation/Theft • Virus and other Threats • Aggressive Probes
  32. 32. Typical involvement 1-4st month – 1 FTE • Scoping and prioritization • Manual Testing critical functionality • Full source code scan and upgrade SonarQube 5nd month onwards – 0.25-0,5 FTE • Complete test of remaining functionality • Scan changes introduced during the sprint • Conduct Training and collaborate with QA and Dev Team during design and implementation
  33. 33. Continues Vulnerability Monitoring / Scanning Automatic scan & Static Code Review Dynamic Testing Risk assessment Risk assessment WAF Incident Response plan Firewall / VPN security Backup and Recovery Infrastructure Security Application Penetration testing Business security
  34. 34. Working with development team
  35. 35. Working with development team
  36. 36. Value • Certified security experts to control security of project • SoftServe utilize different set of tools to ensure coverage (IBM, Veracode, PortSwinger, OpenVAS) • Regulars scans that could be integrated to CI • Education and Case study based on defect severity for Dev and QA • Following Secure SDLC practices • And many more Full coverage7 20-40% time for testing/re-testing decrease1 Catch problems as soon as possible2 Avoid repetitive security issues3 Improve Security Expertise/Practices for current Team4 Continuous Automation & Integration5 Proactive Security Reporting6
  37. 37. After successful build we pack app to transfer to Security testing tool Detect exact line of bugged code
  38. 38. CI security integration Workflow Dynamic tests with Security scanner OWASP Top 10 Risk coverage A1-Injection A2-Broken Authentication and Session Management A3-Cross-Site Scripting (XSS) A4-Insecure Direct Object References A5-Security Misconfiguration A6-Sensitive Data Exposure A7-Missing Function Level Access Control A8-Cross-Site Request Forgery (CSRF) A9-Using Components with Known Vulnerabilities A10-Unvalidated Redirects and Forwards
  39. 39. High level vision Static Code Analysis Security Reports Dynamic Security testing CI tools Deploying applicationPull source code
  40. 40. Application Security Toolset
  41. 41. Demonstrate your security progress
  42. 42. Impress security auditors
  43. 43. USA HQ Toll Free: 866-687-3588 Tel: +1-512-516-8880 Ukraine HQ Tel: +380-32-240-9090 Bulgaria Tel: +359-2-902-3760 Germany Tel: +49-69-2602-5857 Netherlands Tel: +31-20-262-33-23 Poland Tel: +48-71-382-2800 UK Tel: +44-207-544-8414 EMAIL info@softserveinc.com WEBSITE: www.softserveinc.com Thank you!

×