You will learn what a Security Development Lifecycle (SDL) is.
You will understand why an SDL is important.
You will dive into the details of the SDL and see tips for each SDL phase.
You will learn how to roll out an SDL in your organization.
Finally, you will have all the skills needed to deliver a secure product.
Passwords are passé. WebAuthn is simpler, stronger and ready to go - by Michael Furman
The presentation shows what’s wrong with passwords.
Then it explains what Two-Factor Authentication is.
Finally, it demonstrates the standard web API WebAuthn (Web Authentication).
The presentation was given at OWASP Appsec IL 2018:
https://appsecisrael2018.sched.com/event/FvfG/passwords-are-passe-webauthn-is-simpler-stronger-and-ready-to-go
This presentation will give an introduction to Istio followed by an overview of the Istio architecture.
We will look at the main Istio components and the benefits of Istio.
Then, we will look at how to use Istio mutual TLS (mTLS) for service-to-service authentication.
Finally, the presentation will include a demonstration showing how Istio can be used to collect and monitor metrics from microservices.
Security Testing is deemed successful when the below attributes of an application are intact:
- Authentication
- Authorization
- Availability
- Confidentiality
- Integrity
- Non-Repudiation
Testing must start early to minimize defects and the cost of quality. Security testing must start right from the Requirements Gathering phase to make sure that the quality of the end product is high.
This is to ensure that no intentional or unintentional unforeseen action halts or delays the system.
Hacking Tizen : The OS of Everything - Nullcon Goa 2015 - by Ajin Abraham
Tizen is an operating system built to run on various kinds of devices. Tizen OS defines the following profiles based on the device types supported:
Tizen IVI (in-vehicle infotainment)
Tizen Mobile
Tizen TV, and
Tizen Wearable
Samsung's first Tizen-based devices are set to be launched in India in Nov 2014. This paper presents the research outcome on the security analysis of Tizen OS. The paper begins with a quick introduction to Tizen architecture which explains the various components of Tizen OS. This will be followed by Tizen's security model, where Application Sandboxing and Resource Access Control powered by Smack will be explained.
The vulnerabilities in Tizen identified during the research and responsibly disclosed to the Tizen community will be discussed. These include Tizen WebKit2 address spoofing and content injection, buffer overflows, issues in memory protection such as ASLR and DEP, injecting an SSL certificate into the trusted zone, Shellshock (CVE-2014-6271), etc. Applications in Tizen can be written in HTML5/JS/CSS or natively using C/C++. An overview of pentesting Tizen applications will be presented along with some of the issues impacting the security of Tizen applications. Comparisons will be made to Android applications and how these security issues differ in Tizen.
For example: security issues with inter-application communication using custom URL schemes or intent broadcasting in Android, as opposed to the MessagePort API in Tizen; issues with WebView and the JavaScript bridge in Android compared to how web-to-native communication is handled in Tizen, etc.
Tizen entered the market late compared to Android or iOS, which gives it the benefit of learning from the mistakes that affected the security of those mobile OSes and fixing these issues in its security architecture from the start. To conclude, the speaker will give a verdict on how much Tizen has achieved with regard to making this mobile OS a secure one.
This example-laden talk will show how common tools available in today's enterprise environments can be harnessed to enhance and transform an appsec program. The talk will include example attacks and simple configuration changes that could make all the difference. Developers, infrastructure security, CISOs: come one, come all.
OWASP Mobile Risk Series : M3 : Insufficient Transport Layer Protection - by Anant Shrivastava
This session will focus on Mobile Top 10 2014-M3: Insufficient Transport Layer Protection. We will try to understand the transport layer, Transport Layer Security (TLS), insecurities in TLS/SSL, how these affect the overall security of mobile devices, what kind of protection can be applied, and how this can be identified.
Continuous and Visible Security Testing with BDD-Security - by Stephen de Vries
This presentation makes the case for adapting security requirements and processes to those used by developers. Specifically, it advocates the use of BDD (Given/When/Then) specifications to create self-verifying security requirements.
You've heard of infrastructure as code; with the BDD-Security framework, we can now write security-processes-as-code.
The OWASP Top Ten Proactive Controls 2016 is a list of security techniques that should be included in every software development project. They are ordered by importance, with control #1 being the most important. This presentation is the second part, covering controls #5 to #10:
C5: Implement Identity and Authentication Controls
C6: Implement Appropriate Access Controls
C7: Protect Data
C8: Implement Logging and Intrusion Detection
C9: Leverage Security Frameworks and Libraries
C10: Error and Exception Handling
The cyber house of horrors - securing the expanding attack surface - by Jason Bloomberg
The enterprise attack surface has exploded in recent years. More users on more devices in more locations are able to access ever more sensitive enterprise applications. The result is that the number of targets for attackers has gone up dramatically.
The expanding attack surface has been dubbed a “Cyber House of Horrors,” as insider risks, aggressive social engineering, exploitation of outdated access controls, and a range of other security issues have come to the fore.
Join Certes Networks and Intellyx for a webinar to explore:
What factors are driving the expansion of the attack surface?
What types of attacks and exploits are taking advantage of these changes?
How are segmentation techniques and access controls evolving in response?
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015 - by Ajin Abraham
Samsung’s first Tizen-based devices are set to launch in the middle of 2015. This paper presents the research outcome on the security analysis of Tizen OS and its underlying security architecture. The paper begins with a quick introduction to Tizen architecture and explains the various components of Tizen OS. This will be followed by Tizen’s security model, where application sandboxing and resource access control will be explained. Moving on, an overview of Tizen’s Content Security Framework, which acts as an in-built malware detection API, will be covered.
Various vulnerabilities in Tizen will be discussed including issues like Tizen WebKit2 address spoofing and content injection, Tizen WebKit CSP bypass and issues in Tizen’s memory protection (ASLR and DEP).
How to make the agile team work with security requirements? Getting secure coding practices into agile development is often hard work. A security functional requirement might be included in the sprint, but getting security testing, secure architecture and feedback from security incidents working is not an easy task for many agile teams. In my role as Scrum Master and security consultant I have developed a recipe of 7 steps that I will present to you. We will talk about agile secure development, agile threat modelling, agile security testing and agile workflows with security. Many of the steps can be done without costly tools, and I will present open source alternatives for all steps. This makes it easier to try and lowers the startup cost of your team's security process.
Join us on our upcoming BYOP (Bring Your Own Pizza) "Application Security Meetup" to hear about the latest cyber security breaches, trends and technologies in modern application development.
Agenda:
17:00 - 17:10 - Opening words - by Lior Mazor (Organizer)
17:10 - 17:35 - 'Recent cyber security attacks in Israel' - by Lior Mazor (Organizer)
17:35 - 18:00 - ‘How to deliver a secure product’ - by Michael Furman (Tufin)
18:00 - 18:30 - 'Hacking serverless - Introduction to Serverless Application Security' - by Yossi Shenhav (Komodo)
18:30 - 19:00 - ‘Post Apocalypse: Exploiting web messaging implementations’ - by Chen Gour-Arie (enso security)
Becoming Secure By Design: Questions You Should Ask Your Software Vendors - by SolarWinds
The next cyberattack is always around the corner, but you can use every minor incident to help you prepare for major ones. Designing your environment with security in mind at every step will help you better prepare, and you must make sure all those who contribute to your environment are equally secure, including your software partners.
Network intrusion. Information theft. Outside reprogramming of systems. These examples are just a few of the several reasons why software security is becoming increasingly more important to all industries. No system is immune, so it’s more important than ever to understand why secure code matters and how to create safer applications.
With this presentation you'll learn how to:
- Protect your systems from risk
- Comply with security standards
- Ensure the entire codebase is bulletproof
Over the past 30 years, the term Open Source has been gaining momentum and it is at its peak right now, with all tech giants shifting focus to open source. In contrast, you don’t see a lot of penetration in open source IAM; this is largely due to the uncertainty and doubts around the topic. Register here for an in-depth explanation of facts and fiction in this space.
View the on-demand webinar: https://wso2.com/library/webinars/open-source-value-benefits-risks/
How to Perform Continuous Vulnerability Management - by Ivanti
Without treating security as an ongoing process, hackers will find, weaponize, deploy, and attack your infrastructure faster than your team can patch. At the same time, the experience of your IT team working with the security group is frustrating and leads to many, many hours of manual work. Learn how to stay ahead of the bad guys and improve the experience for your team with continuous vulnerability management.
This is the latest version of the State of the DevSecOps presentation, which was given by Stefan Streichsbier, founder of guardrails.io, as the keynote for the Singapore Computer Society - DevSecOps Seminar in Singapore on the 13th January 2020.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do... - by UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Search and Society: Reimagining Information Access for Radical Futures - by Bhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
Epistemic Interaction - tuning interfaces to provide information for AI support - by Alan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
State of ICS and IoT Cyber Threat Landscape Report 2024 preview - by Prayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Transcript: Selling digital books in 2024: Insights from industry leaders - T... - by BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Accelerate your Kubernetes clusters with Varnish Caching - by Thijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality - by Inflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Neuro-symbolic is not enough, we need neuro-*semantic* - by Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... - by DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
UiPath Test Automation using UiPath Test Suite series, part 3 - by DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
How can you deliver a secure product
1. How can you deliver a secure product?
Michael Furman, Security Architect
2. The Legend of SDL
● Steve Lipner
Senior Director of Security Engineering Strategy for Microsoft
Key person for the Microsoft SDL
3. What will we cover today?
What is an SDL?
Why is an SDL important?
Sample: Tufin SDL
How can you deliver a secure product?
4. About Me
● >12 years in application security
● >8 years with Tufin – Lead Security Architect
● >20 years in software engineering
● www.linkedin.com/in/furmanmichael/
● ultimatesecpro@gmail.com
● Read my blog
https://ultimatesecurity.pro/tags/presentation/
● Follow me on twitter @ultimatesecpro
● I like to travel, read books and listen to music
5. About
● Market Leader in Security Policy Automation
● Tufin is used by >2000 enterprises
To segment networks and connect applications
On-prem networks, firewalls, cloud and K8S
● We are the Security Policy Company!
6. Journey to our SDL
● Resolving security issues? Easy for me!
● Creating a “security” process? Brand new for me!
● Soooo many things to manage ....
Vulnerabilities discovered by customers
CVEs
Upgrading 3rd-party software
Pen tests
... and all the other stuff I did not yet even know about
● Saved by the SDL!
● No need to reinvent the wheel
Picture is from the “Journey to the Center of the Earth” movie.
7. What is an SDL?
● SDL is the process for developing secure software
● Adds security controls in each development phase
SDL = Security Development Lifecycle
8. History of SDL
● Bill Gates' e-mail
From: Bill Gates
To: to every full-time employee at Microsoft
Sent: Tuesday, January 15, 2002 5:22 PM
Subject: Trustworthy computing
● Microsoft shut down Windows development to handle the security issues
● Microsoft SDL
v 1.0 - 2004 (internal)
v 3.2 - 2008 (public)
v 5.2 - 2012 (recent)
…
Security: The data our software and services store on behalf of our customers
should be protected from harm and used or modified only in appropriate ways.
Security models should be easy for developers to understand and build into their applications.
Photo from yahoo.com
9. Why is an SDL important?
Why SDL?
• Helps developers build secure software
• Ensures security is enabled out of the box
• Defines how to respond to discovered vulnerabilities
10. SolarWinds Attack - 2020
● First disclosure on December 8th by FireEye, the first SolarWinds customer to discover the breach
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
● Other SolarWinds customers breached: FireEye, U.S. Departments, Microsoft, Cisco, …
https://www.theverge.com/2020/12/21/22194183/intel-nvidia-cisco-government-infected-solarwinds-hack
● Hackers viewed Microsoft source code
https://msrc-blog.microsoft.com/2020/12/31/microsoft-internal-solorigate-investigation-update/
● Joint Statement by the FBI, the CISA, and the ODNI: This work indicates that a Threat, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks
https://www.fbi.gov/news/pressrel/press-releases/joint-statement-by-the-federal-bureau-of-investigation-fbi-the-cybersecurity-and-infrastructure-security-agency-cisa-and-the-office-of-the-director-of-national-intelligence-odni
11. SolarWinds Attack - Solorigate
● Microsoft’s analysis of the attack
https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
● The attackers inserted malicious code into a DLL
● The SolarWinds Orion Platform is installed
● The backdoor activates
Randomly, 12 to 14 days after installation
● Attackers ping the backdoor
● Gathering and sending information
● The backdoor runs commands from the attackers
12. SolarWinds Attack - Solorigate
● > 18,000 SolarWinds customers received the malicious update
● > 1,000 experienced the backdoor ping
● > 200 were hacked
https://www.businessinsider.com/list-of-companies-agencies-at-risk-after-solarwinds-hack-2020-12
● US agencies
The Office of the President of the United States
The Department of Defense
The US Army
The Federal Reserve
NASA
The NSA
The CDC
The Department of Justice
● Major companies
Visa
AT&T
PwC
Lockheed Martin
CBS
Cisco
Comcast
Ernst & Young
Hertz
The New York Times
17. Security Training
● Security awareness training for the Development and QA teams
The latest security threats, mitigations, and technologies
OWASP Top 10 best practices
● Security Champions
18. Security Training
● Q: How can a Security Champion be successful?
● Tip: Identify and resolve specific security issues
● Examples of investigations:
Best way for us to handle Content Security Policy (CSP)?
Best way for us to prevent XML External Entity (XXE) attack?
● Tufin success: OWASP meetup lecture
https://ultimatesecurity.pro/post/xxe-meetup/
20. Security Requirements
● Incorporated into the requirements stage of S/W development
● Why do we want to handle security early?
Allows us to design a feature and to write test plans which incorporate security requirements up front
Saves time for all of us – developer time, QA time, documentation time
21. Design
● Designs of new features are done jointly by both development and security teams
22. Security Requirements & Design
● Q: How can you ensure Dev & QA handle security?
● Tip: Make it easy - create a security checklist
● Examples
New API?
• Make sure the API has proper authentication
• Make sure the API has proper authorization
• Implement input validation
Confidential info not stored as plain text
• Use appropriate encryption or hash algorithms
Confidential info not stored on a client side
Confidential info not sent via HTTP GET method
…
24. Static Application Security Testing (SAST)
● What is SAST?
● Q: Any benefit to scan on each commit?
● Tip: Scan at least weekly
Daily is the best option
● Your goal: Fix High issues immediately!
25. Software Updates
● All 3rd-party software is regularly updated
● Q: Can I ensure all 3rd-party software is kept up-to-date without a tool?
Open-source 3rd-party software
Commercial 3rd-party software
● Tip: check that recommended upgrades don’t introduce new vulnerabilities
● Your goal: upgrade to a version without High or Critical issues!
26. Peer Reviews
● Mandatory for every code change
● Tip: ensure all code changes adhere to security requirements
Passwords are not stored in plain text
Passwords are not stored on client side
…
28. Internal Security Scans
● What are Internal Security Scans?
● Q: Any benefit to scan on each commit?
● Tip: Scan at least monthly
Depends on your release cycle
● Your goal: Fix High issues immediately!
29. Internal Security Scans
● Qualys SSL Labs Report – free service
https://www.ssllabs.com/ssltest/
● Tip: Ensure you check the “Do not show the results on the boards” checkbox
31. Dynamic Application Security Testing (DAST)
● What is DAST?
● Q: Any benefit to scan on each commit?
● Tip: Scan at least monthly
Depends on your release cycle
● Your goal: Fix High issues immediately!
33. External Security Tests
● Why External Security Tests?
● Tips:
Scan at least annually
• Best each major release
Ensure to create a valid test scope that covers all areas
• Web UI
• Infrastructure
Ensure an External Test is added into R&D calendar
● Your goal: fix High issues immediately!
Coordinate retest after your fixes
35. Vulnerability Response Policy
CRITICAL: A patch will be made available as soon as possible
HIGH: A fix will be included in the upcoming release
MEDIUM: A fix will be included in a future release
LOW: A fix may be included in a future release
NOT VULNERABLE: Nothing to fix
36. Vulnerability Response Policy
● Define a vulnerability response policy
Document it
● Tip: the policy should be approved on the corporate level
Affect sales, support, development
37. Rolling out an SDL
● First phase (minimal SDL)
Vulnerability Response Policy
Internal Security Scans
• Qualys SSL Labs Report
Software Updates
• Using a tool
● Second Phase
External Security Tests
● Third phase
SAST
● Fourth phase
DAST
38. Rolling out an SDL
● Ongoing
Security Requirements & Design
Security Training
Security Champions
Peer Reviews
● Further improvements
https://www.microsoft.com/en-us/securityengineering/sdl/practices
…
39. Selecting a tool for any SDL phase
● Perform POC
Define requirements very well before the POC
● Tools can be commercial or open source
● Tools from the same provider are not essential
40. How can you deliver a secure product?
● Start to roll out an SDL in your organization
● Improve SDL on a regular basis
41. Takeaways
SDL - the framework that ensures secure software
Roll out an SDL
... And follow it!!!
You will deliver a secure product!
Steve was elected to the National Cybersecurity Hall of Fame in 2015 and to the National Academy of Engineering in 2017.
The story: https://en.wikipedia.org/wiki/Microsoft_Security_Development_Lifecycle
Many other companies, including Cisco, Adobe, and Aetna, have since adopted Microsoft's SDL processes or created their own. https://www.microsoft.com/en-us/securityengineering/sdl/about
https://www.govtech.com/security/List-of-Hacked-Organizations-Tops-200-in-SolarWinds-Case.html
Eliminating the attack can be a very complicated task. It is not enough to update the SolarWinds Orion Platform. It is not enough to isolate the SolarWinds Orion Platform. The entire network needs to be investigated, because it is not clear what was added via the backdoor.
Who does not know your security champion?
Example:
You use Spring 4.1
A provider discovers 3 high CVEs and recommends upgrading to 4.2
You upgrade to 4.2 and discover 2 other high CVEs
You have invested a lot of effort but still have high CVEs!
After an additional check you discover that 4.3 has no high CVEs
You should be able to check the CVE list before the upgrade and be able to select 4.3
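The Spring 4.1 → 4.2 → 4.3 scenario above, as an added example that is not part of the original slides: given a per-version CVE list with severities, pick the lowest newer version that has no High or Critical findings before doing any upgrade work. The CVE identifiers and severities are constructed placeholders, not real advisories.

```python
"""Choose an upgrade target from a known-CVE catalogue (added example).

Mirrors the speaker notes: 4.1 has 3 High CVEs, the recommended 4.2 still
has High CVEs, and 4.3 is the first version without any. All CVE ids and
severities below are constructed placeholders, not real advisories.
"""
from __future__ import annotations

# Constructed catalogue: version -> list of (cve_id, severity).
KNOWN_CVES: dict[str, list[tuple[str, str]]] = {
    "4.1": [("CVE-XXXX-0001", "HIGH"), ("CVE-XXXX-0002", "HIGH"), ("CVE-XXXX-0003", "HIGH")],
    "4.2": [("CVE-XXXX-0004", "HIGH"), ("CVE-XXXX-0005", "MEDIUM"), ("CVE-XXXX-0006", "HIGH")],
    "4.3": [("CVE-XXXX-0007", "LOW")],
    "4.4": [],
}

# Severities that block an upgrade target, per the slide's goal of
# "a version without High or Critical issues".
BLOCKING = {"HIGH", "CRITICAL"}


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '4.10' into (4, 10) so versions sort numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def blocking_cves(version: str, cves: dict | None = None) -> list[str]:
    """Return the High/Critical CVE ids recorded for `version` (empty if none)."""
    catalogue = KNOWN_CVES if cves is None else cves
    return [cid for cid, sev in catalogue.get(version, []) if sev.upper() in BLOCKING]


def select_upgrade(current: str, cves: dict | None = None) -> str | None:
    """Lowest version newer than `current` with no blocking CVEs, or None.

    Only versions present in the catalogue are considered: a version with
    no data is "not assessed", which is not the same as "no findings".
    """
    catalogue = KNOWN_CVES if cves is None else cves
    cur = parse_version(current)
    newer = sorted((v for v in catalogue if parse_version(v) > cur), key=parse_version)
    for candidate in newer:
        if not blocking_cves(candidate, catalogue):
            return candidate
    return None


if __name__ == "__main__":
    print("Blocking CVEs in 4.2:", blocking_cves("4.2"))
    print("Recommended upgrade from 4.1:", select_upgrade("4.1"))  # 4.3, skipping 4.2
```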