Great Expectations: A Secure Software Story - Open Source North
•Download as PPTX, PDF•
0 likes•289 views
Everything we do is based on some expectation of a particular result. Do you know what is expected of you? Are expectations related to security, resiliency, and quality clearly articulated? When writing the story about secure software, expectations are critical; and clearly communicating them is just as critical. Security needs to be intertwined throughout the software development process with clear expectations and measurable goals. When we have a process that only includes security testing at the end of development; right before production, or even after deployment, what’s the expectation? Do we honestly expect to be able to test ourselves secure? It hasn’t worked for over a decade, so we need to reevaluate what we are doing.
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Great Expectations: A Secure Software Story - Open Source North
Similar to Great Expectations: A Secure Software Story - Open Source North (20)
Recently uploaded
Recently uploaded (20)
Great Expectations: A Secure Software Story - Open Source North
- 1. Great Expectations: A Secure Software Story
- 3. “ An expectation is a belief about what will happen in the future.
- 5. “Expectations among people are often based on an implicit social contract. That is, without actually verbalizing expectations about give-and-take in a relationship, people construct stories in their heads about legitimate expectations of each other. So, people in a relationship have a "deal" in which the specifics of the deal are never really talked about. It is hard for someone to live up to your expectations when they don't know what they are, but you still might see this failure as a violation of your social contract. https://www.psychologytoday.com/us/blog/cui-bono/201802/the-psychology-expectations
- 6. Common Expectation The time to fix code defects is consistent throughout the development lifecycle. 6
- 8. Common Expectation Testing tools can find the same things as humans just faster. 8
- 10. Humans vs. Tools 10 ▸ Frequency of findings ▸ Context (or lack thereof) ▸ Natural Curiosity ▸ Scalability ▸ Consistency
- 11. Common Expectation Software Security needs a separate set of processes. 11
- 13. 13 • Scrum • Analysis • Planning • Design • Coding • Testing • Releases Business Analysis Define User Stories Refine Feature List -Business Requirements -User Requirements -Estimate -Scoping Sprint Planning Meeting Daily Work Sprint Review UX Workflow Design Coding Testing QA SDLC Threat Modeling Secure Design Principles IDE Tooling Security Automation Change Management Defect Tracker
- 15. Common Expectation If we build security gates, we can stop bad decisions in their tracks. 15
- 17. 17 • Scrum • Analysis • Planning • Design • Coding • Testing • Releases Business Analysis Define User Stories Refine Feature List -Business Requirements -User Requirements -Estimate -Scoping Sprint Planning Meeting Daily Work Sprint Review UX Workflow Design Coding Testing QA SDLC Threat Modeling Secure Design Principles IDE Tooling Security Automation Change Management Defect Tracker
- 18. Common Expectation Application design will grow organically from multiple sprints. 18
- 20. Secure Design Principles 20 ▸ Least-Privilege ▸ Default-Deny ▸ Economy of Mechanism ▸ Complete Mediation ▸ Open Design ▸ Separation of Concern ▸ Least Common Mechanism ▸ Psychological Acceptability ▸ Defense-in-Depth • And more… Resources: OWASP Security by Design Principles https://www.owasp.org/index.php/Security_by_Design_Principles IEEE Avoiding Common Security Design Flaws http://www.computer.org/cms/CYBSI/docs/Top-10-Flaws.pdf
- 22. Common Expectation Open source software is basically free and will save a ton of time. 22
- 23. “"We have about 750 million lines of open source code that participate in our scan projects, and identified 1.1 million defects -- and 650,000 defects have already been addressed.” – Coverity Scan
- 24. ““The average application had 147 different open source components -- and 67 percent of the applications used components with known vulnerabilities.” – Black Duck
- 25. ““There's also no standard way of documenting security on open source projects. In the top 400,000 public repositories on GitHub, only 2.4% had security documentation in place.” – CSO Online
- 26. Dependency Management 26 ▸ Central Repository ▹ Approval or Review Process ▹ Both Security and Legal ▸ Software Bill of Goods ▹ Understand which applications are reliant on which dependencies ▸ Dependency Scanning ▹ Commercial or Open Source Solutions ▸ Notifications ▹ When the next Struts vulnerability is released, do you know which teams/applications need to patch? https://safecode.org/wp-content/uploads/2017/05/SAFECode_TPC_Whitepaper.pdf
- 27. Common Expectation We sent developers through training, they know how to build secure software. 27
- 28. Common Expectation We can test ourselves secure with penetration testing at the end of the cycle. 28
- 29. Security Standards 29 ▸ Authentication ▹ Username ▹ Password, MFA ▹ Account Management ▸ Authorization ▹ Role-Based Access Control ▹ Attribute-Based Access Control ▹ Rule-Based Access Control ▸ Input Handling ▹ Test input for type, length, context ▹ Output encode contextually ▸ Privacy ▹ Need to know access to customer/client data ▸ Cryptography ▹ Standard algorithms, strengths, and modes ▹ What data to encrypt at rest/in transit ▸ Third-party libraries ▹ Maintain list of 3rd party dependencies ▹ Monitor updates to known dependencies • Logging/Audit ▹ Standard format ▹ Criteria for what to/not to log and when ▹ Criteria for who should review and when • Error and Exception Handling ▹ Criteria for error messages (include/not include) ▹ When to fail open/closed
- 30. Security Program 30 ▸ Need multiple components ▸ Adopt a risk-based approach ▸ Set expectations ▸ Educate ▸ Support
- 31. Application Catalog and Risk Categorization 31 ▸ Understand the inherent risk of an application ▹ Prioritize resources and security investments ▹ Gain a better understanding of the risk presented by the applications ▹ Process for completion and maintenance of application catalog ▸ Inherent Risk “…is an assessed level of raw or untreated risk; that is, the natural level of risk inherent in a process or activity without doing anything to reduce the likelihood or mitigate the severity of a mishap, or the amount of risk before the application of the risk reduction effects of controls.” Gregory Monahan (2008). Enterprise Risk Management: A Methodology for Achieving Strategic Objectives. John Wiley & Sons. ▸ 20-25 Question survey to measure: ▹ People ▹ Process ▹ Infrastructure ▹ Data
- 32. Security Story 32 Threat model List of threats and controls Design Review Verification of security control requirements Code Review Verification of existence and proper implementation Security Testing Verification of running implementation Software Integrity Verification of deployed application Evidence
- 33. Thank You! Questions? You can find me: @infosecdad or brian.glas@gmail.com 33
Editor's Notes
- My name is Brian Glas. I’ve worked as a Developer, Architect, Reverse Engineer, Incident Responder, Consultant, Manager, Director and other odds and ends. I’ve seen a lot of different things in the last 17 years. I like to have a bit of an idea who I’m talking to, how many people would say you’re a developer? Tester? Analyst? Management? What else? I really appreciate you spending close to an hour of your life to spend some time with me, especially since I’m standing between you and the end of your day :-D
- A lot has changed over the last 17 years of development, but there is also a good bit that hasn’t changed. And honestly won’t change. Like Expectations. Expectations frequently guide behavior and make it easier to predict what will happen next. People can develop expectations about a wide range of things. Examples of expectations include the belief that the sun will rise tomorrow or the assumption that your boss will give you a raise in six months. Expectations are determined by a combination of experience, cognitive processes, communication with others, and cultural norms. For example, if your boss gives you a raise every six months and indicates that he or she is pleased with your performance, you are much more likely to believe you will get a raise than if you have never gotten a raise or have been recently disciplined at work.
- For many of us, it is difficult to let go of the idea that expecting something to happen will make it happen. Unspoken expectations are almost guaranteed to go unfulfilled.
- The last real study on the cost to fix software defects in stages in the lifecycle was done by NIST in 2002. No one has done a legit study since that I have found.
- I worked as one of the leads for the OWASP Top 10 2017. I was responsible for the datacall and analysis. From all the data that was sent to us, this is a snippet of the bigger contributions. Huge thank you to the companies willing to contribute. Notice the white (or lack of green), that’s where a tool didn’t report that type of vuln even once in the dataset provided.
- It looks silly when you see it in a diagram. But this has been the expectation for years. You have development over here and security over there. Security is responsible for all things security – but it doesn’t work. At FedEx, we had 6 AppSec professionals for 2500 developers. Out job was to provide standards, guidance, tooling, processes, etc to the dev teams to be able to tackle security. Traditionally, we’ve also said that security defects need their own tracker… guess what’s not in the normal flow of work for a developer? Yup.
- Integrate into the existing processes…
- Work together… We were so bad at this, DevOps was born… At least that’s my theory. How do we get these teams to talk to each other? I know, we build a process and give it a catchy name and market it to death. But seriously, talk… communicate… build relationships… We know that is needed for hiring, why do we not translate that into day to day work? Have office hours, dedicated slack channel, work in the same JIRA or GitHub
- To answer your question, yes this is a spoof, but I’ve seen stuff legitimately approaching this…
- Then, if the problem is fixed, there's often no way to find and notify all of the users of the old code. "The open source community has no idea of who is using their components,"
- Security Standards should be technology agnostic. They should be fairly static, however, if vulnerabilities are found without a matching standard, consider updating them.
- Security Standards should be technology agnostic. They should be fairly static, however, if vulnerabilities are found without a matching standard, consider updating them.