Achim D. Brucker, profile picture
Uploaded byAchim D. Brucker
590 views

How to Enable Developers to Deliver Secure Code

The document discusses strategies to enable developers to produce secure code, emphasizing the importance of a comprehensive security development lifecycle (SDLC). Key components include training, risk identification, security measures, and various testing methodologies, aiming to empower developers while maintaining oversight from centralized security teams. It highlights the necessity of integrating security practices seamlessly into the development process and fostering a culture of security awareness among developers.

Embed presentation

Downloaded 23 times
How to Enable Developers to Deliver Secure Code Achim D. Brucker a.brucker@sheffield.ac.uk https://www.brucker.ch/ Software Assurance & Security Research Department of Computer Science, The University of Sheffield, Sheffield, UK https://logicalhacking.com/ March 15, 2017
Outline 1 Motivation 2 Secure Software Development 3 Enabling Developers: From (Mild) Pain to Success 4 Lesson’s Learned c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 3 of 18
Example (LinkedIn, May 2016) 164 million email addresses and passwords from an attack in 2012, offered for sale May 2016 Compromised data: email addresses passwords
Example (TalkTalk, October 2015) nearly 157,000 customer records leaked nearly 16,000 records included bank details more than 150,000 customers lost (home services market share fall by 4.4 percent in terms of new customers) Costs for TalkTalk: around any £60 million
Example (Ashley Madison, July 2015) more than 30 million email addresses & much more Compromised data: Dates of birth Email addresses Ethnicities, Genders Sexual preferences Home addresses, Phone numbers Payment histories Passwords, Usernames, Security questions and answers Website activity Similar Leak: Mate1 in February 2016: 27 million records with even more personal details (e.g., drinking/drug habits, political views)
Outline 1 Motivation 2 Secure Software Development 3 Enabling Developers: From (Mild) Pain to Success 4 Lesson’s Learned c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 5 of 18
A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Training Security awareness Secure programming Threat modelling Security testing Data protection and privacy Security expert curriculum (“Masters”) c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Risk Identification Risk identification (“high-level threat modelling”) Threat modelling Data privacy impact assessment c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Plan Security Measures Plan product standard compliance Plan security features Plan security tests Plan security response c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Secure Development Secure Programming Static code analysis (SAST) Code review c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Security Testing Dynamic Testing (e.g., IAST, DAST) Manual testing External security assessment c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Security Validation (“First Customer”) Check for “flaws” in the implementation of the S2 DL Ideally, security validation finds: No issues that can be fixed/detected earlier Only issues that cannot be detect earlier (e.g., insecure default configurations, missing security documentation) Penetration tests in productive environments are different: They test the actual configuration They test the productive environment (e.g., cloud/hosting) c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Security Response Execute the security response plan Security related external communication Incident handling Security patches Monitoring of third party components c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Secure Software c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Secure Software c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Secure Software Security Validation Security Testing Secure Development Plan Security Measu res Risk Identification Training Security Resp onse c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Secure Software Security Validation Security Testing Secure Development Plan Security Measu res Risk Identification Training Security Resp onse c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Secure Software Security Validation Security Testing Secure Development Plan Security Measu res Risk Identification Training Security Resp onse c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Secure Software Security Validation Security Testing Secure Development Plan Security Measu res Risk Identification Training Security Resp onse c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
Secure Software Development Lifecycle for Cloud/Agile Build Operate Define Release Release Decision Build Decision Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 7 of 18
Outline 1 Motivation 2 Secure Software Development 3 Enabling Developers: From (Mild) Pain to Success 4 Lesson’s Learned c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 8 of 18
Finding Security Vulnerabilities Manual Automatic Running Application Static Analysis Penetration Testing DAST, IAST Vulnerability Scanner SAST Manual Code Review c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 9 of 18
Finding Security Vulnerabilities Manual Automatic Running Application Static Analysis Penetration Testing DAST, IAST Vulnerability Scanner SAST Manual Code Review c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 9 of 18
In 2010: Static Analysis Becomes Mandatory SAST tools used: Language Tool Vendor ABAP CodeProfiler Virtual Forge Others Fortify HP Since 2010: SAST mandatory for all products Within two years, multiple billions lines analysed Constant improvement of tool configuration Further details: Deploying Static Application Security Testing on a Large Scale. In GI Sicherheit 2014. Lecture Notes in Informatics, 228, pages 91-101, GI, 2014. c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 10 of 18
A De-Centralised Application Security Approach Improving The Application Development Approache Governance & approvals De-centralized approach 2009 2016 One Two SAST tools fit all VF CodeProfiler Fortify Blending of Security Testing Tools Static: SAP Netweaver CVA Add-on, Fortify, Synopsis Coverity, Checkmarx, Breakman Dynamic: HP WebInspect, Quotium Seeker Others: Burp Suite, OWASP ZAP, Codenomicon Defensics, BDD c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 11 of 18
A De-Centralised Application Security Approach Improving The Application Development Approache Governance & approvals De-centralized approach 2009 2016 Blending of Security Testing Tools Static: SAP Netweaver CVA Add-on, Fortify, Synopsis Coverity, Checkmarx, Breakman Dynamic: HP WebInspect, Quotium Seeker Others: Burp Suite, OWASP ZAP, Codenomicon Defensics, BDD Development Teams feel pushed Central Security Team Controls development teams Spends a lot time with granting exemptions Danger Only ticking boxes c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 11 of 18
A De-Centralised Application Security Approach Improving The Application Development Approache Governance & approvals De-centralized approach 2009 2016 Development Teams feel pushed Central Security Team Controls development teams Spends a lot time with granting exemptions Danger Only ticking boxes Development Teams are empowered are responsible Central Security Team Supports development teams Can focuses on improvements filling white spots tooling processes c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 11 of 18
De-Centralised Approach: Organisational Setup Central security expert team (S2 DL owner) Organizes security trainings Defines product standard “Security” Defines risk and threat assessment methods Defines security testing strategy Selects and provides security testing tools Validates products Defines and executes response process Local security experts Embedded into development teams Organize local security activities Support developers and architects Support product owners (responsibles) Development teams Select technologies Select development model Design and execute security testing plan ... c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 12 of 18
Security Team Focus: Security Testing for Developers Security testing tools for developers, need to Be applicable from the start of development Automate the security knowledge Be integrated into dev world, e.g., IDE (instant feedback) Continuous integration Provide easy to understand fix recommendations Declare their “sweet spots” security experts software Developer many cwe and/or technologies only few cwe and/or technologies generalist tools for security Experts specialist tools for security Experts specialist tools for developers generalist tools for developers https://logicalhacking.com/blog/2016/10/25/classifying-security-testing-tools/ c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 13 of 18
How to Measure Success (and Identify White Spots) Listen to your developers c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 14 of 18
How to Measure Success (and Identify White Spots) Non-working performance indicators include: Absolute number of reported vulnerabilities Absolute number of fixed issues A new idea: Analyze the vulnerabilities reported by Security Validation External security researchers Two classes: Vulnerabilities that can be detected by used tools Investigate why issues was missed Vulnerabilities not detected by used tools if risk acceptable: nothing to do if risk not acceptable: improve tooling externally reported vuln. 100% c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 14 of 18
How to Measure Success (and Identify White Spots) Non-working performance indicators include: Absolute number of reported vulnerabilities Absolute number of fixed issues A new idea: Analyze the vulnerabilities reported by Security Validation External security researchers Two classes: Vulnerabilities that can be detected by used tools Investigate why issues was missed Vulnerabilities not detected by used tools if risk acceptable: nothing to do if risk not acceptable: improve tooling externally reported vuln.in scope not in scope of current security testing tools 100% c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 14 of 18
How to Measure Success (and Identify White Spots) Non-working performance indicators include: Absolute number of reported vulnerabilities Absolute number of fixed issues A new idea: Analyze the vulnerabilities reported by Security Validation External security researchers Two classes: Vulnerabilities that can be detected by used tools Investigate why issues was missed Vulnerabilities not detected by used tools if risk acceptable: nothing to do if risk not acceptable: improve tooling externally reported vuln.in scope not in scope of current security testing tools 100% c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 14 of 18
How to Measure Success (and Identify White Spots) Non-working performance indicators include: Absolute number of reported vulnerabilities Absolute number of fixed issues A new idea: Analyze the vulnerabilities reported by Security Validation External security researchers Two classes: Vulnerabilities that can be detected by used tools Investigate why issues was missed Vulnerabilities not detected by used tools if risk acceptable: nothing to do if risk not acceptable: improve tooling externally reported vuln.in scope not in scope of current security testing tools not acceptable risk 100% c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 14 of 18
How to Measure Success (and Identify White Spots) Non-working performance indicators include: Absolute number of reported vulnerabilities Absolute number of fixed issues A new idea: Analyze the vulnerabilities reported by Security Validation External security researchers Two classes: Vulnerabilities that can be detected by used tools Investigate why issues was missed Vulnerabilities not detected by used tools if risk acceptable: nothing to do if risk not acceptable: improve tooling externally reported vuln.in scope not in scope of current security testing tools not acceptable risk new scope 100% c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 14 of 18
How to Measure Success (and Identify White Spots) Non-working performance indicators include: Absolute number of reported vulnerabilities Absolute number of fixed issues A new idea: Analyze the vulnerabilities reported by Security Validation External security researchers Two classes: Vulnerabilities that can be detected by used tools Investigate why issues was missed Vulnerabilities not detected by used tools if risk acceptable: nothing to do if risk not acceptable: improve tooling externally reported vuln.in scope not in scope of current security testing tools not acceptable risk new scope 100% c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 14 of 18
How to Measure Success (and Identify White Spots) Non-working performance indicators include: Absolute number of reported vulnerabilities Absolute number of fixed issues A new idea: Analyze the vulnerabilities reported by Security Validation External security researchers Two classes: Vulnerabilities that can be detected by used tools Investigate why issues was missed Vulnerabilities not detected by used tools if risk acceptable: nothing to do if risk not acceptable: improve tooling externally reported vuln.in scope not in scope of current security testing tools not acceptable risk new scope 100% “Success criteria:” Percentage of vulnerabilities not covered by currently used security testing tools increases, i.e., the used tools are used effectively! c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 14 of 18
Outline 1 Motivation 2 Secure Software Development 3 Enabling Developers: From (Mild) Pain to Success 4 Lesson’s Learned c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 15 of 18
Key Success Factors A holistic security awareness program for Developers Managers c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 16 of 18
Key Success Factors A holistic security awareness program for Developers Managers Yes, security awareness is important c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 16 of 18
Key Success Factors A holistic security awareness program for Developers Managers Yes, security awareness is important but c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 16 of 18
Key Success Factors A holistic security awareness program for Developers Managers Yes, security awareness is important but Developer awareness is even more important! c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 16 of 18
Listen to Your Developers And Make Their Life Easy! We are often talking about a lack of security awareness and, by that, forget the problem of lacking development awareness. Building a secure system more difficult than finding a successful attack. Do not expect your developers to become penetration testers (or security experts)! Organisations can make it hard for developers to apply security testing skills! Don’t ask developers to do security testing, if their contract doesn’t allows it Budget application security activities centrally Educate your developers and make them recognised experts c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 17 of 18
Final remarks What works well: Delegate power and accountability to development teams Multi-tiered model of security experts: local experts for the local implementation of secure development global experts that support the local security experts (champions): act as consultant in difficult/non-standard situations evaluate, purchase, and operate widely used security testing tools can mediate between development teams and response teams Strict separation of security testing supporting developers and security validation What does not work well: Forcing tools, processes, etc. on developers Penetration testing as “secure development” approach Penetration has its value (e.g., as security integration test) c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 18 of 18
Thank you for your attention! Any questions or remarks? Contact: Dr. Achim D. Brucker Department of Computer Science University of Sheffield Regent Court 211 Portobello St. Sheffield S1 4DP, UK ƀ a.brucker@sheffield.ac.uk @adbrucker https://de.linkedin.com/in/adbrucker/ ĸ https://www.brucker.ch/ į https://logicalhacking.com/blog/
Bibliography Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. Michael Felderer, Matthias Büchler, Martin Johns, Achim D. Brucker, Ruth Breu, and Alexander Pretschner. Security testing: A survey. Advances in Computers, 101:1–51, March 2016. c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 20 of 18
Document Classification and License Information c 2017 LogicalHacking.com, A.D. Brucker. This presentation is classified as Public (CC BY-NC-ND 4.0): Except where otherwise noted, this presentation is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License (CC BY-NC-ND 4.0). c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 21 of 18
Combining Multiple Security Testing Methods and Tools Web Client Web Browser Server Application Runtime Container Backend Systems https://logicalhacking.com/blog/2017/01/11/sast-vs-dast-vs-iast/ Risks of only using only SAST Wasting effort that could be used more wisely elsewhere Shipping insecure software Examples of SAST limitations Not all programming languages supported Covers not all layers of the software stack c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 22 of 18
Combining Multiple Security Testing Methods and Tools Web Client Web Browser Server Application Runtime Container Backend Systems SAST (Java) SAST (JavaScript) SAST (C/C++) https://logicalhacking.com/blog/2017/01/11/sast-vs-dast-vs-iast/ Risks of only using only SAST Wasting effort that could be used more wisely elsewhere Shipping insecure software Examples of SAST limitations Not all programming languages supported Covers not all layers of the software stack c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 22 of 18
Combining Multiple Security Testing Methods and Tools Web Client Web Browser Server Application Runtime Container Backend Systems SAST (Java) SAST (JavaScript) SAST (C/C++) ToolA(e.g.,DAST) ToolB(e.g.,IAST) In-Browser Security Testing Tool https://logicalhacking.com/blog/2017/01/11/sast-vs-dast-vs-iast/ Risks of only using only SAST Wasting effort that could be used more wisely elsewhere Shipping insecure software Examples of SAST limitations Not all programming languages supported Covers not all layers of the software stack c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 22 of 18
Combining Multiple Security Testing Methods and Tools Web Client Web Browser Server Application Runtime Container Backend Systems ToolA(e.g.,DAST) ToolB(e.g.,IAST) In-Browser Security Testing Tool SAST (Java) SAST (JavaScript) https://logicalhacking.com/blog/2017/01/11/sast-vs-dast-vs-iast/ Risks of only using only SAST Wasting effort that could be used more wisely elsewhere Shipping insecure software Examples of SAST limitations Not all programming languages supported Covers not all layers of the software stack c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 22 of 18
Combining Multiple Security Testing Methods and Tools Web Client Web Browser Server Application Runtime Container Backend Systems ToolA(e.g.,DAST) ToolB(e.g.,IAST) In-Browser Security Testing Tool SAST (Java) SAST (JavaScript) https://logicalhacking.com/blog/2017/01/11/sast-vs-dast-vs-iast/ Risks of only using only SAST Wasting effort that could be used more wisely elsewhere Shipping insecure software Examples of SAST limitations Not all programming languages supported Covers not all layers of the software stack A comprehensive approach combines Static approaches (i.e., SAST) Dynamic approaches (i.e., IAST or DAST) c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 22 of 18

More Related Content

PPTX
PyConPL 2017 - with python: security
byPiotr Dyba
 
PDF
Developing Secure Software: Experiences From an International Software Vendor
byAchim D. Brucker
 
PDF
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
byAchim D. Brucker
 
PDF
Double Server Public Key Encryption with Keyword Search for Secure Cloud Storage
byijtsrd
 
PDF
Application Inspector SSDL Edition product
byValery Boronin
 
PDF
Protecting Digital Economy through Vulnerability Coordination Center
byGirindro Pringgo Digdo
 
PDF
A web content analytics
bycsandit
 
PPTX
Od codziennej higieny do strategicznej refaktoryzacji
byMichał Bartyzel
 
PyConPL 2017 - with python: security
byPiotr Dyba
 
Developing Secure Software: Experiences From an International Software Vendor
byAchim D. Brucker
 
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
byAchim D. Brucker
 
Double Server Public Key Encryption with Keyword Search for Secure Cloud Storage
byijtsrd
 
Application Inspector SSDL Edition product
byValery Boronin
 
Protecting Digital Economy through Vulnerability Coordination Center
byGirindro Pringgo Digdo
 
A web content analytics
bycsandit
 
Od codziennej higieny do strategicznej refaktoryzacji
byMichał Bartyzel
 

Viewers also liked

PPTX
How to apply for an ABS licence
byJonathon Bray
 
PPTX
Administração Cientifica | Questões Corrigidas
byDanilo Mota
 
PDF
Visualizations with Empathy
byAmanda Makulec
 
PDF
Turn complex to epic - Zelda goals planning
byAlexandre Quach
 
PDF
Prekat. La Psicologia del Bienestar
byDr.Jose A Santos. +4500 contactos
 
PDF
C4 Logistics Services
bySebastien Barth
 
PPT
Rock art and IFRAO color card
byVictor Reijs
 
PDF
Les actualités de la Roumanie pour le Mois de Mars 2017 de Eastrategies
byEastrategies - Bucarest, Roumanie
 
PDF
Opnieuw goed jaar voor firma Staf Coppens
byThierry Debels
 
PDF
40 propositions pour moderniser et simplifier le droit de l'environnement
byAdm Medef
 
PPT
Introduction to Scrum - Hebrew
byDan-Eyal Gazit
 
PPTX
ASLA Makerspaces in the school library
byAustralian School Library Association
 
PDF
Como Desvendar Mentiras
byandre rossiter
 
PPTX
Apache Spark and Object Stores —for London Spark User Group
bySteve Loughran
 
PPT
аномалии бинокулярного зрения. Upgraded
byNatalia Kaschenko
 
PPTX
Brief LoRaWAN Overview
byAlper Yegin
 
PDF
ABAU 2017
byLoudes Otero
 
PPTX
...Redes sociales
byJesús Velasco
 
PPTX
R. Villano - fotos (DE part 9)
byRaimondo Villano
 
PDF
SPARQLでオープンデータ活用!
byuedayou
 
How to apply for an ABS licence
byJonathon Bray
 
Administração Cientifica | Questões Corrigidas
byDanilo Mota
 
Visualizations with Empathy
byAmanda Makulec
 
Turn complex to epic - Zelda goals planning
byAlexandre Quach
 
Prekat. La Psicologia del Bienestar
byDr.Jose A Santos. +4500 contactos
 
C4 Logistics Services
bySebastien Barth
 
Rock art and IFRAO color card
byVictor Reijs
 
Les actualités de la Roumanie pour le Mois de Mars 2017 de Eastrategies
byEastrategies - Bucarest, Roumanie
 
Opnieuw goed jaar voor firma Staf Coppens
byThierry Debels
 
40 propositions pour moderniser et simplifier le droit de l'environnement
byAdm Medef
 
Introduction to Scrum - Hebrew
byDan-Eyal Gazit
 
ASLA Makerspaces in the school library
byAustralian School Library Association
 
Como Desvendar Mentiras
byandre rossiter
 
Apache Spark and Object Stores —for London Spark User Group
bySteve Loughran
 
аномалии бинокулярного зрения. Upgraded
byNatalia Kaschenko
 
Brief LoRaWAN Overview
byAlper Yegin
 
ABAU 2017
byLoudes Otero
 
...Redes sociales
byJesús Velasco
 
R. Villano - fotos (DE part 9)
byRaimondo Villano
 
SPARQLでオープンデータ活用!
byuedayou
 

Similar to How to Enable Developers to Deliver Secure Code

PDF
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
byAchim D. Brucker
 
PDF
Agile Secure Software Development in a Large Software Development Organisatio...
byAchim D. Brucker
 
PDF
Industrial Challenges of Secure Software Development
byAchim D. Brucker
 
PDF
Integrating Application Security into a Software Development Process
byAchim D. Brucker
 
PDF
Protect Your Customers Data from Cyberattacks
bySAP Customer Experience
 
PPTX
5 Ways to Reduce 3rd Party Developer Risk
bySecurity Innovation
 
PDF
Application Security Testing for Software Engineers: An approach to build sof...
byMichael Hidalgo
 
PDF
Secure Software Development Lifecycle - Devoxx MA 2018
byImola Informatica
 
PDF
The Future of Software Security Assurance
byRafal Los
 
PDF
Threat modelling & apps testing
byAdrian Munteanu
 
PPT
Software Security Engineering
byMarco Morana
 
PDF
Cyber security series Application Security
byJim Kaplan CIA CFE
 
PDF
Bringing Security Testing to Development: How to Enable Developers to Act as ...
byAchim D. Brucker
 
PPTX
Reduce Third Party Developer Risks
byKevo Meehan
 
PDF
Managing Application Security Risk in Enterprises - Thoughts and recommendations
byThierry Zoller
 
PPTX
Intro to Security in SDLC
byTjylen Veselyj
 
PPTX
Digital Product Security
bySoftServe
 
PPT
Software security engineering
byAHM Pervej Kabir
 
PPT
Software security engineering
byAHM Pervej Kabir
 
PDF
Applicaiton Security - Building The Audit Program
byMichael Davis
 
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
byAchim D. Brucker
 
Agile Secure Software Development in a Large Software Development Organisatio...
byAchim D. Brucker
 
Industrial Challenges of Secure Software Development
byAchim D. Brucker
 
Integrating Application Security into a Software Development Process
byAchim D. Brucker
 
Protect Your Customers Data from Cyberattacks
bySAP Customer Experience
 
5 Ways to Reduce 3rd Party Developer Risk
bySecurity Innovation
 
Application Security Testing for Software Engineers: An approach to build sof...
byMichael Hidalgo
 
Secure Software Development Lifecycle - Devoxx MA 2018
byImola Informatica
 
The Future of Software Security Assurance
byRafal Los
 
Threat modelling & apps testing
byAdrian Munteanu
 
Software Security Engineering
byMarco Morana
 
Cyber security series Application Security
byJim Kaplan CIA CFE
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
byAchim D. Brucker
 
Reduce Third Party Developer Risks
byKevo Meehan
 
Managing Application Security Risk in Enterprises - Thoughts and recommendations
byThierry Zoller
 
Intro to Security in SDLC
byTjylen Veselyj
 
Digital Product Security
bySoftServe
 
Software security engineering
byAHM Pervej Kabir
 
Software security engineering
byAHM Pervej Kabir
 
Applicaiton Security - Building The Audit Program
byMichael Davis
 

More from Achim D. Brucker

PDF
Usable Security for Developers: A Nightmare
byAchim D. Brucker
 
PDF
Formalizing (Web) Standards: An Application of Test and Proof
byAchim D. Brucker
 
PDF
Your (not so) smart TV is currently busy with taking down the Internet
byAchim D. Brucker
 
PDF
Combining the Security Risks of Native and Web Development: Hybrid Apps
byAchim D. Brucker
 
PDF
The Evil Friend in Your Browser
byAchim D. Brucker
 
PDF
Using Third Party Components for Building an Application Might be More Danger...
byAchim D. Brucker
 
PDF
Isabelle: Not Only a Proof Assistant
byAchim D. Brucker
 
PDF
SAST for JavaScript: A Brief Overview of Commercial Tools
byAchim D. Brucker
 
PDF
A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...
byAchim D. Brucker
 
PDF
Deploying Static Application Security Testing on a Large Scale
byAchim D. Brucker
 
PDF
Model-based Conformance Testing of Security Properties
byAchim D. Brucker
 
PDF
Service Compositions: Curse or Blessing for Security?
byAchim D. Brucker
 
PDF
Encoding Object-oriented Datatypes in HOL: Extensible Records Revisited
byAchim D. Brucker
 
PDF
A Framework for Secure Service Composition
byAchim D. Brucker
 
PDF
Extending Access Control Models with Break-glass
byAchim D. Brucker
 
PDF
Security in the Context of Business Processes: Thoughts from a System Vendor'...
byAchim D. Brucker
 
Usable Security for Developers: A Nightmare
byAchim D. Brucker
 
Formalizing (Web) Standards: An Application of Test and Proof
byAchim D. Brucker
 
Your (not so) smart TV is currently busy with taking down the Internet
byAchim D. Brucker
 
Combining the Security Risks of Native and Web Development: Hybrid Apps
byAchim D. Brucker
 
The Evil Friend in Your Browser
byAchim D. Brucker
 
Using Third Party Components for Building an Application Might be More Danger...
byAchim D. Brucker
 
Isabelle: Not Only a Proof Assistant
byAchim D. Brucker
 
SAST for JavaScript: A Brief Overview of Commercial Tools
byAchim D. Brucker
 
A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...
byAchim D. Brucker
 
Deploying Static Application Security Testing on a Large Scale
byAchim D. Brucker
 
Model-based Conformance Testing of Security Properties
byAchim D. Brucker
 
Service Compositions: Curse or Blessing for Security?
byAchim D. Brucker
 
Encoding Object-oriented Datatypes in HOL: Extensible Records Revisited
byAchim D. Brucker
 
A Framework for Secure Service Composition
byAchim D. Brucker
 
Extending Access Control Models with Break-glass
byAchim D. Brucker
 
Security in the Context of Business Processes: Thoughts from a System Vendor'...
byAchim D. Brucker
 

Recently uploaded

PDF
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
PPTX
PPTX game guess the logo with a twistppt
byAdrianAnig
 
PDF
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
PDF
apidays Paris 2025 | Zero Trust By Design
byapidays
 
PDF
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
PDF
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
PDF
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
PPTX
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
PDF
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
PDF
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
PDF
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
PPTX
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
PPTX
GenerationAI Paris 2025 | AI in Tech: Beyond Expectations, Into Execution
byapidays
 
PDF
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
PDF
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
PDF
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
PPTX
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
PPTX
apidays Paris 2025 | Building Agentic Workflows
byapidays
 
PDF
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
PPTX game guess the logo with a twistppt
byAdrianAnig
 
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
apidays Paris 2025 | Zero Trust By Design
byapidays
 
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
GenerationAI Paris 2025 | AI in Tech: Beyond Expectations, Into Execution
byapidays
 
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
apidays Paris 2025 | Building Agentic Workflows
byapidays
 
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 

How to Enable Developers to Deliver Secure Code

  • 1.
    How to EnableDevelopers to Deliver Secure Code Achim D. Brucker a.brucker@sheffield.ac.uk https://www.brucker.ch/ Software Assurance & Security Research Department of Computer Science, The University of Sheffield, Sheffield, UK https://logicalhacking.com/ March 15, 2017
  • 2.
    Outline 1 Motivation 2 SecureSoftware Development 3 Enabling Developers: From (Mild) Pain to Success 4 Lesson’s Learned c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 3 of 18
  • 4.
    Example (LinkedIn, May2016) 164 million email addresses and passwords from an attack in 2012, offered for sale May 2016 Compromised data: email addresses passwords
  • 5.
    Example (TalkTalk, October2015) nearly 157,000 customer records leaked nearly 16,000 records included bank details more than 150,000 customers lost (home services market share fall by 4.4 percent in terms of new customers) Costs for TalkTalk: around any £60 million
  • 6.
    Example (Ashley Madison,July 2015) more than 30 million email addresses & much more Compromised data: Dates of birth Email addresses Ethnicities, Genders Sexual preferences Home addresses, Phone numbers Payment histories Passwords, Usernames, Security questions and answers Website activity Similar Leak: Mate1 in February 2016: 27 million records with even more personal details (e.g., drinking/drug habits, political views)
  • 7.
    Outline 1 Motivation 2 SecureSoftware Development 3 Enabling Developers: From (Mild) Pain to Success 4 Lesson’s Learned c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 5 of 18
  • 8.
    A Path Towards(More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
  • 9.
    A Path Towards(More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Training Security awareness Secure programming Threat modelling Security testing Data protection and privacy Security expert curriculum (“Masters”) c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
  • 10.
    A Path Towards(More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Risk Identification Risk identification (“high-level threat modelling”) Threat modelling Data privacy impact assessment c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
  • 11.
    A Path Towards(More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Plan Security Measures Plan product standard compliance Plan security features Plan security tests Plan security response c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
  • 12.
    A Path Towards(More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Secure Development Secure Programming Static code analysis (SAST) Code review c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
  • 13.
    A Path Towards(More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Security Testing Dynamic Testing (e.g., IAST, DAST) Manual testing External security assessment c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
  • 14.
    A Path Towards(More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Security Validation (“First Customer”) Check for “flaws” in the implementation of the S2 DL Ideally, security validation finds: No issues that can be fixed/detected earlier Only issues that cannot be detect earlier (e.g., insecure default configurations, missing security documentation) Penetration tests in productive environments are different: They test the actual configuration They test the productive environment (e.g., cloud/hosting) c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
  • 15.
    A Path Towards(More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Security Response Execute the security response plan Security related external communication Incident handling Security patches Monitoring of third party components c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
  • 16.
    A Path Towards(More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Secure Software c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
  • 17.
    A Path Towards(More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Secure Software c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
  • 18.
    A Path Towards(More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Secure Software Security Validation Security Testing Secure Development Plan Security Measu res Risk Identification Training Security Resp onse c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
  • 19.
    A Path Towards(More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Secure Software Security Validation Security Testing Secure Development Plan Security Measu res Risk Identification Training Security Resp onse c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
  • 20.
    A Path Towards(More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Secure Software Security Validation Security Testing Secure Development Plan Security Measu res Risk Identification Training Security Resp onse c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
  • 21.
    A Path Towards(More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Secure Software Security Validation Security Testing Secure Development Plan Security Measu res Risk Identification Training Security Resp onse c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
  • 22.
    Secure Software DevelopmentLifecycle for Cloud/Agile Build Operate Define Release Release Decision Build Decision Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 7 of 18
  • 23.
    Outline 1 Motivation 2 SecureSoftware Development 3 Enabling Developers: From (Mild) Pain to Success 4 Lesson’s Learned c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 8 of 18
  • 24.
    Finding Security Vulnerabilities Manual Automatic RunningApplication Static Analysis Penetration Testing DAST, IAST Vulnerability Scanner SAST Manual Code Review c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 9 of 18
  • 25.
    Finding Security Vulnerabilities Manual Automatic RunningApplication Static Analysis Penetration Testing DAST, IAST Vulnerability Scanner SAST Manual Code Review c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 9 of 18
  • 26.
    In 2010: StaticAnalysis Becomes Mandatory SAST tools used: Language Tool Vendor ABAP CodeProfiler Virtual Forge Others Fortify HP Since 2010: SAST mandatory for all products Within two years, multiple billions lines analysed Constant improvement of tool configuration Further details: Deploying Static Application Security Testing on a Large Scale. In GI Sicherheit 2014. Lecture Notes in Informatics, 228, pages 91-101, GI, 2014. c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 10 of 18
  • 27.
    A De-Centralised ApplicationSecurity Approach Improving The Application Development Approache Governance & approvals De-centralized approach 2009 2016 One Two SAST tools fit all VF CodeProfiler Fortify Blending of Security Testing Tools Static: SAP Netweaver CVA Add-on, Fortify, Synopsis Coverity, Checkmarx, Breakman Dynamic: HP WebInspect, Quotium Seeker Others: Burp Suite, OWASP ZAP, Codenomicon Defensics, BDD c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 11 of 18
  • 28.
    A De-Centralised ApplicationSecurity Approach Improving The Application Development Approache Governance & approvals De-centralized approach 2009 2016 Blending of Security Testing Tools Static: SAP Netweaver CVA Add-on, Fortify, Synopsis Coverity, Checkmarx, Breakman Dynamic: HP WebInspect, Quotium Seeker Others: Burp Suite, OWASP ZAP, Codenomicon Defensics, BDD Development Teams feel pushed Central Security Team Controls development teams Spends a lot time with granting exemptions Danger Only ticking boxes c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 11 of 18
  • 29.
    A De-Centralised ApplicationSecurity Approach Improving The Application Development Approache Governance & approvals De-centralized approach 2009 2016 Development Teams feel pushed Central Security Team Controls development teams Spends a lot time with granting exemptions Danger Only ticking boxes Development Teams are empowered are responsible Central Security Team Supports development teams Can focuses on improvements filling white spots tooling processes c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 11 of 18
  • 30.
    De-Centralised Approach: OrganisationalSetup Central security expert team (S2 DL owner) Organizes security trainings Defines product standard “Security” Defines risk and threat assessment methods Defines security testing strategy Selects and provides security testing tools Validates products Defines and executes response process Local security experts Embedded into development teams Organize local security activities Support developers and architects Support product owners (responsibles) Development teams Select technologies Select development model Design and execute security testing plan ... c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 12 of 18
  • 31.
    Security Team Focus:Security Testing for Developers Security testing tools for developers, need to Be applicable from the start of development Automate the security knowledge Be integrated into dev world, e.g., IDE (instant feedback) Continuous integration Provide easy to understand fix recommendations Declare their “sweet spots” security experts software Developer many cwe and/or technologies only few cwe and/or technologies generalist tools for security Experts specialist tools for security Experts specialist tools for developers generalist tools for developers https://logicalhacking.com/blog/2016/10/25/classifying-security-testing-tools/ c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 13 of 18
  • 32.
    How to MeasureSuccess (and Identify White Spots) Listen to your developers c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 14 of 18
  • 33.
    How to MeasureSuccess (and Identify White Spots) Non-working performance indicators include: Absolute number of reported vulnerabilities Absolute number of fixed issues A new idea: Analyze the vulnerabilities reported by Security Validation External security researchers Two classes: Vulnerabilities that can be detected by used tools Investigate why issues was missed Vulnerabilities not detected by used tools if risk acceptable: nothing to do if risk not acceptable: improve tooling externally reported vuln. 100% c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 14 of 18
  • 34.
    How to MeasureSuccess (and Identify White Spots) Non-working performance indicators include: Absolute number of reported vulnerabilities Absolute number of fixed issues A new idea: Analyze the vulnerabilities reported by Security Validation External security researchers Two classes: Vulnerabilities that can be detected by used tools Investigate why issues was missed Vulnerabilities not detected by used tools if risk acceptable: nothing to do if risk not acceptable: improve tooling externally reported vuln.in scope not in scope of current security testing tools 100% c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 14 of 18
  • 35.
    How to MeasureSuccess (and Identify White Spots) Non-working performance indicators include: Absolute number of reported vulnerabilities Absolute number of fixed issues A new idea: Analyze the vulnerabilities reported by Security Validation External security researchers Two classes: Vulnerabilities that can be detected by used tools Investigate why issues was missed Vulnerabilities not detected by used tools if risk acceptable: nothing to do if risk not acceptable: improve tooling externally reported vuln.in scope not in scope of current security testing tools 100% c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 14 of 18
  • 36.
    How to MeasureSuccess (and Identify White Spots) Non-working performance indicators include: Absolute number of reported vulnerabilities Absolute number of fixed issues A new idea: Analyze the vulnerabilities reported by Security Validation External security researchers Two classes: Vulnerabilities that can be detected by used tools Investigate why issues was missed Vulnerabilities not detected by used tools if risk acceptable: nothing to do if risk not acceptable: improve tooling externally reported vuln.in scope not in scope of current security testing tools not acceptable risk 100% c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 14 of 18
  • 37.
    How to MeasureSuccess (and Identify White Spots) Non-working performance indicators include: Absolute number of reported vulnerabilities Absolute number of fixed issues A new idea: Analyze the vulnerabilities reported by Security Validation External security researchers Two classes: Vulnerabilities that can be detected by used tools Investigate why issues was missed Vulnerabilities not detected by used tools if risk acceptable: nothing to do if risk not acceptable: improve tooling externally reported vuln.in scope not in scope of current security testing tools not acceptable risk new scope 100% c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 14 of 18
  • 38.
    How to MeasureSuccess (and Identify White Spots) Non-working performance indicators include: Absolute number of reported vulnerabilities Absolute number of fixed issues A new idea: Analyze the vulnerabilities reported by Security Validation External security researchers Two classes: Vulnerabilities that can be detected by used tools Investigate why issues was missed Vulnerabilities not detected by used tools if risk acceptable: nothing to do if risk not acceptable: improve tooling externally reported vuln.in scope not in scope of current security testing tools not acceptable risk new scope 100% c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 14 of 18
  • 39.
    How to MeasureSuccess (and Identify White Spots) Non-working performance indicators include: Absolute number of reported vulnerabilities Absolute number of fixed issues A new idea: Analyze the vulnerabilities reported by Security Validation External security researchers Two classes: Vulnerabilities that can be detected by used tools Investigate why issues was missed Vulnerabilities not detected by used tools if risk acceptable: nothing to do if risk not acceptable: improve tooling externally reported vuln.in scope not in scope of current security testing tools not acceptable risk new scope 100% “Success criteria:” Percentage of vulnerabilities not covered by currently used security testing tools increases, i.e., the used tools are used effectively! c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 14 of 18
  • 40.
    Outline 1 Motivation 2 SecureSoftware Development 3 Enabling Developers: From (Mild) Pain to Success 4 Lesson’s Learned c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 15 of 18
  • 41.
    Key Success Factors Aholistic security awareness program for Developers Managers c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 16 of 18
  • 42.
    Key Success Factors Aholistic security awareness program for Developers Managers Yes, security awareness is important c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 16 of 18
  • 43.
    Key Success Factors Aholistic security awareness program for Developers Managers Yes, security awareness is important but c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 16 of 18
  • 44.
    Key Success Factors Aholistic security awareness program for Developers Managers Yes, security awareness is important but Developer awareness is even more important! c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 16 of 18
  • 45.
    Listen to YourDevelopers And Make Their Life Easy! We are often talking about a lack of security awareness and, by that, forget the problem of lacking development awareness. Building a secure system more difficult than finding a successful attack. Do not expect your developers to become penetration testers (or security experts)! Organisations can make it hard for developers to apply security testing skills! Don’t ask developers to do security testing, if their contract doesn’t allows it Budget application security activities centrally Educate your developers and make them recognised experts c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 17 of 18
  • 46.
    Final remarks What workswell: Delegate power and accountability to development teams Multi-tiered model of security experts: local experts for the local implementation of secure development global experts that support the local security experts (champions): act as consultant in difficult/non-standard situations evaluate, purchase, and operate widely used security testing tools can mediate between development teams and response teams Strict separation of security testing supporting developers and security validation What does not work well: Forcing tools, processes, etc. on developers Penetration testing as “secure development” approach Penetration has its value (e.g., as security integration test) c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 18 of 18
  • 47.
    Thank you foryour attention! Any questions or remarks? Contact: Dr. Achim D. Brucker Department of Computer Science University of Sheffield Regent Court 211 Portobello St. Sheffield S1 4DP, UK ƀ a.brucker@sheffield.ac.uk @adbrucker https://de.linkedin.com/in/adbrucker/ ĸ https://www.brucker.ch/ į https://logicalhacking.com/blog/
  • 48.
    Bibliography Ruediger Bachmann andAchim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. Michael Felderer, Matthias Büchler, Martin Johns, Achim D. Brucker, Ruth Breu, and Alexander Pretschner. Security testing: A survey. Advances in Computers, 101:1–51, March 2016. c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 20 of 18
  • 49.
    Document Classification andLicense Information c 2017 LogicalHacking.com, A.D. Brucker. This presentation is classified as Public (CC BY-NC-ND 4.0): Except where otherwise noted, this presentation is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License (CC BY-NC-ND 4.0). c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 21 of 18
  • 50.
    Combining Multiple SecurityTesting Methods and Tools Web Client Web Browser Server Application Runtime Container Backend Systems https://logicalhacking.com/blog/2017/01/11/sast-vs-dast-vs-iast/ Risks of only using only SAST Wasting effort that could be used more wisely elsewhere Shipping insecure software Examples of SAST limitations Not all programming languages supported Covers not all layers of the software stack c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 22 of 18
  • 51.
    Combining Multiple SecurityTesting Methods and Tools Web Client Web Browser Server Application Runtime Container Backend Systems SAST (Java) SAST (JavaScript) SAST (C/C++) https://logicalhacking.com/blog/2017/01/11/sast-vs-dast-vs-iast/ Risks of only using only SAST Wasting effort that could be used more wisely elsewhere Shipping insecure software Examples of SAST limitations Not all programming languages supported Covers not all layers of the software stack c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 22 of 18
  • 52.
    Combining Multiple SecurityTesting Methods and Tools Web Client Web Browser Server Application Runtime Container Backend Systems SAST (Java) SAST (JavaScript) SAST (C/C++) ToolA(e.g.,DAST) ToolB(e.g.,IAST) In-Browser Security Testing Tool https://logicalhacking.com/blog/2017/01/11/sast-vs-dast-vs-iast/ Risks of only using only SAST Wasting effort that could be used more wisely elsewhere Shipping insecure software Examples of SAST limitations Not all programming languages supported Covers not all layers of the software stack c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 22 of 18
  • 53.
    Combining Multiple SecurityTesting Methods and Tools Web Client Web Browser Server Application Runtime Container Backend Systems ToolA(e.g.,DAST) ToolB(e.g.,IAST) In-Browser Security Testing Tool SAST (Java) SAST (JavaScript) https://logicalhacking.com/blog/2017/01/11/sast-vs-dast-vs-iast/ Risks of only using only SAST Wasting effort that could be used more wisely elsewhere Shipping insecure software Examples of SAST limitations Not all programming languages supported Covers not all layers of the software stack c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 22 of 18
  • 54.
    Combining Multiple SecurityTesting Methods and Tools Web Client Web Browser Server Application Runtime Container Backend Systems ToolA(e.g.,DAST) ToolB(e.g.,IAST) In-Browser Security Testing Tool SAST (Java) SAST (JavaScript) https://logicalhacking.com/blog/2017/01/11/sast-vs-dast-vs-iast/ Risks of only using only SAST Wasting effort that could be used more wisely elsewhere Shipping insecure software Examples of SAST limitations Not all programming languages supported Covers not all layers of the software stack A comprehensive approach combines Static approaches (i.e., SAST) Dynamic approaches (i.e., IAST or DAST) c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 22 of 18