Ron Clement
CISSP,MCSE,CCNA,CCAI,Security+
Information Security & the SDLC
 Information Security Principles
 Secure Software Development Life Cycle Touch points
    Risk Management
    Security Requirements
    Software Security Guidelines
    Threat Modeling
    Security Design
    Code Reviews
    Disposition
 Conclusion
Information Security Axioms
 “Security is a combination of confidentiality,
  integrity and availability” [ITSEC91]
 “Security is a process, not a product!” [Bruce
  Schneier]
 “Software Security is not Security Software” [Gary
  McGraw]
 “Security is everybody’s problem”
 “Insider attacks are more damaging than external ones”
What is Information Security?
 The protection of information and its critical elements,
  including systems and hardware that use, store, and
  transmit that information
 Necessary tools: policy, awareness, training, education,
  technology
Information Security Domains
A successful organization should have multiple layers of security in
place:

 Access control
 Network security
 Risk management
 Applications security
 Cryptography
 Security Architecture & Design
 Operations security
 Business continuity planning and disaster recovery planning
 Legal and regulatory compliance
 Physical/environmental security
Security Core Principles
Confidentiality: "Preserving authorized restrictions on information
access and disclosure, including means for protecting personal privacy
and proprietary information…" A loss of confidentiality is the
unauthorized disclosure of Information. [F199-04]

Integrity: "Guarding against improper information modification or
destruction, and includes ensuring information non-repudiation and
authenticity…" A loss of integrity is the unauthorized modification or
destruction of information. [F199-04]

Availability: "Ensuring timely and reliable access to and use of
information…" A loss of availability is the disruption of access to or use of
information or an information system. [F199-04]

Usability: “is a term used to denote the ease with which people can
employ a particular tool or other human-made object in order to
achieve a particular goal. Usability can also refer to the methods of
measuring usability and the study of the principles
HOW: Security Base Principles
To respect the core principles we need:
 Identification: how a user tells a system who he or she is (for
  example, by presenting a username or user ID);
 Authentication: the process of verifying a user's claimed identity
  (for example, by comparing an entered password against the
  credential stored on the system for that username);
 Authorization: defines a user's rights and permissions on a
  system. After a user (or process) is authenticated, authorization
  determines what that user can do on the system;
 Auditing: an evaluation of an organization, system, process,
  project or product; for a running system this means recording who
  did what, and when, so that actions can be reviewed later.
Business Drivers
 Security is less expensive to implement if it is planned from the
  beginning
 Building security controls into the system, rather than adding them
  after the system is already built, improves system performance
 Security becomes an enabling factor rather than a barrier to success
  by reducing the need for expensive reengineering and reprogramming
 It facilitates the certification and accreditation process and keeps
  the project on schedule
HOW: Secure SDLC
Waterfall Model (old paradigm)   Iterative Model (new paradigm)
HOW: SSDLC Phases
 Start
    Analysis: security requirements, risk analysis, threat
     identification, threat impact probability, abuse cases and
     UML (unified modeling language) for software security,
     usability guidelines, traditional SDLC analysis;
    Design: risk analysis, UML for Software Security, usability
     guidelines, traditional SDLC design;
    Development: secure coding, risk based security tests, static
     analysis, traditional SDLC development;
    Test: risk analysis, penetration test (black- or white-box
     approach), risk mitigation, traditional SDLC test;
    Maintenance: risk analysis, penetration test, traditional
     SDLC maintenance.
 Back to start!
How: SSDLC tools and methodologies
 Software Security Tools:
  Analysis and Design: SecureUML, UMLSec;
  Static analysis and model checking: FindBugs, RATS, SLAM, BLAST;
  Security Methodologies: OWASP CLASP (Comprehensive, Lightweight
   Application Security Process), Cigital Risk Analysis Methodology;
  OSSTMM - Open Source Security Testing Methodology Manual;
   OWASP Testing Guide;
Software Risk Management
 Software Risk Management consists of Software Risk Analysis followed
  by Software Risk Mitigation.
Excuses to underestimate security in the SDLC
 “We've reviewed the code, and there are no security bugs.”
 “We know it's the default, but the administrator can turn it off.”
 “If we don't run as administrator, stuff breaks.”
 “But we'll slip the schedule.”
 “It's not exploitable.”
 “But that's the way we've always done it.”
 “If only we had better tools….”
Excuses to underestimate security in the SDLC
 “No one will do that!”
 “Why would anyone do that?”
 “We've never been attacked.”
 “We're secure, we use cryptography.”
 “We're secure, we use ACLs.”
 “We're secure, we use a firewall.”
Web Application Security SDLC Elevator Pitch

Between 70% and 90% of web applications have serious vulnerabilities
 because the average developer is still not trained well enough.
Embedding application security controls into development and
 deployment will
  allow for higher uptime and lower TCO;
  put YOU in control of the risk.
Major Vulnerabilities in the Application Space (OWASP Top 10 - 2010)
   A1 – Injection
   A2 – Cross Site Scripting (XSS)
   A3 – Broken Authentication and Session Management
   A4 – Insecure Direct Object References
   A5 – Cross Site Request Forgery (CSRF)
   A6 – Security Misconfiguration (NEW)
   A7 – Failure to Restrict URL Access
   A8 – Unvalidated Redirects and Forwards (NEW)
   A9 – Insecure Cryptographic Storage
   A10 – Insufficient Transport Layer Protection
Software Security Guidelines
 Security Usability:
   what to do: security should impact system usability as little as
    possible;
   why: security that gets in the way is bypassed or switched off, so
    an application that is too hard to use securely ends up not being
    used securely;
   how: balance every security feature against usability factors;
 Use the “least privilege principle”:
   what to do: every application should execute with the minimum
    privileges needed for its tasks;
   why: least privilege limits the damage an attacker can do when an
    application vulnerability is exploited;
   how: check which privileges the application actually needs and
    grant only those (for example, do not run it as root or
    administrator);
Software Security Guidelines
 Confidentiality:
    what to do: personal and proprietary information must be protected;
    why: unauthorized users must not be able to read confidential
     information;
    how: encrypt data at rest and in transit; follow the Identification,
     Authentication and Authorization guidelines;
 Integrity:
    what to do: protect application data from corruption, whether
     accidental or malicious;
    why: data is the highest-value asset in an information system;
    how: use a sound access control policy and follow the Identification,
     Authentication and Authorization guidelines;
 Availability:
    what to do: ensure applications are available whenever users need
     them for their tasks and goals;
    why: mission-critical applications have to be available at all times;
    how: test how the application behaves when resources such as the
     network or peripherals are disconnected or exhausted, and make sure
     it degrades safely; follow the Identification, Authentication and
     Authorization guidelines;
Software Security Guidelines
 Identification & Authentication:
    what to do: identify and authenticate users or systems so that
     access control policies can be enforced;
    why: identification and authentication are prerequisites for the
     authorization step: you cannot decide what a subject may do until
     you know who it is;
    how: base authentication on something you know (first factor), have
     (second factor), are (third factor) or do (fourth factor), and
     combine factors where the risk warrants it;
 Authorization:
    what to do: allow a user to “use” only the objects he or she should
     use;
    why: authorization protects the integrity and confidentiality of data
     and systems;
    how: adopt a well-known access control model such as MAC, DAC or RBAC;
 Auditing & Logging:
    what to do: monitor application activities;
    why: logs are needed to trace who did what, to detect errors and
     flaws, and to investigate incidents;
    how: make sure auditing is enabled on the system and that security
     events (failed logins, authorization denials, privilege changes) are
     recorded and protected from tampering;
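The four base principles (identification, authentication, authorization, auditing) together with least privilege and fail-securely, worked through as one access-control gate. This is an added example in Python and is not part of the original slides: the account names, passwords, roles and the permission table are constructed for illustration, and the choice of PBKDF2 for password storage and of role-based permissions is this example's own; the slides only name the principles.

```python
# Added example, not from the original slides: identification,
# authentication, authorization (RBAC) and auditing combined into one
# access-control gate that fails closed. Accounts, roles and permissions
# below are constructed sample data.
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 digest); passwords are never stored in clear."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass(frozen=True)
class User:
    username: str            # identification: the identity the user claims
    salt: bytes
    pw_hash: bytes
    roles: FrozenSet[str]    # input to authorization


def _make_user(username: str, password: str, roles) -> User:
    salt, digest = hash_password(password)
    return User(username, salt, digest, frozenset(roles))


# Constructed sample accounts.
USERS: Dict[str, User] = {
    "alice": _make_user("alice", "correct horse battery staple", {"analyst"}),
    "bob": _make_user("bob", "hunter2", {"analyst", "admin"}),
}


def authenticate(username: str, password: str) -> Optional[User]:
    """Verify the claimed identity; return the User on success, None otherwise."""
    user = USERS.get(username)
    # Do the same hash work for unknown users so response time does not
    # reveal which usernames exist.
    salt = user.salt if user is not None else b"\x00" * 16
    _, candidate = hash_password(password, salt)
    if user is None or not hmac.compare_digest(candidate, user.pw_hash):
        return None
    return user


# Authorization: permissions are attached to roles, never to users (RBAC),
# and each role gets only what its tasks need (least privilege).
ROLE_PERMISSIONS: Dict[str, set] = {
    "analyst": {("report", "read")},
    "admin": {("report", "read"), ("report", "write"), ("user", "manage")},
}


def is_authorized(user: User, resource: str, action: str) -> bool:
    """Deny by default: only an explicit grant on one of the user's roles allows."""
    return any((resource, action) in ROLE_PERMISSIONS.get(role, set())
               for role in user.roles)


# Auditing: every decision is recorded, denials and errors included.
AUDIT_LOG: List[dict] = []


def audit(event: str, username: str, **details) -> None:
    AUDIT_LOG.append({"ts": time.time(), "event": event, "user": username, **details})


def access(username: str, password: str, resource: str, action: str) -> bool:
    """Identify -> authenticate -> authorize -> audit. Any failure means deny."""
    try:
        user = authenticate(username, password)
        if user is None:
            audit("auth_failure", username, resource=resource, action=action)
            return False
        allowed = is_authorized(user, resource, action)
        audit("authz_allow" if allowed else "authz_deny", username,
              resource=resource, action=action, roles=sorted(user.roles))
        return allowed
    except Exception as exc:  # fail securely: an unexpected error never grants access
        audit("error_deny", username, resource=resource, action=action, error=repr(exc))
        return False
```

Calling `access("alice", "correct horse battery staple", "report", "write")` returns `False` and leaves an `authz_deny` entry in `AUDIT_LOG`; the denial is logged with the same detail as a grant, which is what the auditing guideline above asks for, and the `except` branch makes sure a bug in the gate itself denies rather than grants.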
Security Requirements to consider...
•Internally or externally hosted?
•Web-facing?
•Data Classification?
•Non-Public Information? (NPI)
•Data Flow?
•Third Party Access?
•Third Party Reviews? SAS-70?
•Related Entity Access?
•Legal /Regulatory Requirements? (PCI, GLBA, SOX,
SEC, OCC, etc)
•Public Access?
•Virtualization / Cloud Computing?
•Downstream Liability?
•Backup Requirements?
•Data offsite/Offshore/International?
Security Tasks In the SDLC
 Initiation
    Needs Determination
    Security Categorization
    Risk Assessment
 Development/Acquisition
    Risk Assessment
    Security Functional Requirements Analysis
    Security Assurance Requirements Analysis
    Cost Considerations
    Security Control Development
    Developmental Security Test and Evaluation
    Acquisition Specifications
 Implementation
    Inspection and Acceptance
    System Integration
    Certification & Accreditation
 Operations & Maintenance
    Configuration Management and Control
    Continuous Monitoring
 Disposition
    Information Preservation
    Media Sanitization
    Hardware and Software Disposal
Initiation Phase
System Categorization
 System Description
 Need, purpose and mission
 Functional requirements
 Policy and architecture
 Network topology
 Information flow
 Security controls (either planned or already implemented)
 Physical and environmental security
 Boundary analysis and interconnections
 Component inventory
      Hardware
      Software
      External interfaces to other systems
      Data
      People
Initiation Phase
Risk Assessment
 Risk assessment is the process of analyzing threats to
  an information system and known vulnerabilities to
  determine the likelihood and impact of some
  anticipated loss. This risk analysis can then be used to
  design protective security controls that reduce these
  factors to acceptable levels.
 Pre-requisite to Risk Assessment is system
  categorization
Initiation Phase
Risk Assessment
 Part of a greater process called Risk Management.
 Risk Management begins with Risk Assessment and
  then moves into protecting the information system
  with Risk Mitigation (through security controls) and
  closes out with Evaluation and Assessment to confirm
  that the Risk Management process is actually working.
Initiation Phase
Vulnerability Identification
 A vulnerability is a weakness in a system or its
  protections that could be exercised, creating a breach
  in the security protection of the system. The goal of
  this step is to come up with a list of vulnerabilities that
  could be exercised by potential threat sources.
 Vulnerabilities can be identified from lists and
  advisories on common vulnerabilities and also by
  testing the system.
Initiation Phase
Vulnerability lists
 Databases – NIST National Vulnerability Database
 Vendor advisories – Google directory of computer security
  advisories and patches
 CIRT lists and bulletins
    US-CERT
    SANS Top 20
    SANS Internet Storm Center
System testing
 Vulnerability scanning
 Penetration testing
 Security controls assessment
 Previous risk assessment documentation
Requirements Analysis
 Used to identify the system's protection requirements through a
  formal risk assessment process.
 Generates essential information needed to complete the system
  security plan.
 The risk assessment includes the following:
   Identification of threats and vulnerabilities
   The potential impact or magnitude of harm that a loss of
    confidentiality, integrity, or availability would have on assets,
    operations, image and reputation should a threat exploit a
    vulnerability
   Consideration of vulnerabilities potentially inherited from other
    systems
Security Functional Requirements Analysis
 Analysis should include laws and regulations such as:
    Privacy act
    PCI
    SOX
    GLBA
    Other regulations
 More than one risk assessment may be required as this
  phase of the SDLC progresses
Threat Modeling
  Understand the operating environment your application is heading
   into
  Identify, analyze and document (and thus hopefully mitigate) threats
Threats
 Natural threats
    Storms: floods, tornadoes, hurricanes, electrical storms
    Earthquakes
    Slides: landslide, avalanche
    Temperature extremes
 Environmental threats
    Power failures
 Human threats
    Unintentional: data compromise
    Intentional
       Hacker/cracker: system intrusion, defacement, data compromise
       Criminal: bribery, extortion, system intrusion, data compromise
       Terrorist: bribery, extortion, system intrusion, data compromise,
        information warfare, system disruption, organizational disruption
       Industrial espionage: system intrusion, data compromise,
        organizational disruption
       Insiders: system intrusion, data compromise, organizational
        disruption
Identifying threats – data flow diagrams
  A data flow diagram contains the major processes, the system
   boundaries and the interactions with external entities; every
   boundary crossing is a place to ask what could go wrong.
Categorizing and Quantifying Threats
  Best known: Microsoft STRIDE (to categorize) and DREAD (to rate)
    STRIDE: Spoofing, Tampering, Repudiation, Information disclosure,
     Denial of service, Elevation of privilege
    DREAD: Damage potential, Reproducibility, Exploitability,
     Affected users, Discoverability
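The categorize-and-quantify step carried through in Python, as an added example that is not from the original slides: each threat found on the data flow diagram is tagged with its STRIDE category, scored on the five DREAD factors, and ranked so that the mitigation selection in the next slide starts from the highest-rated threats. The threats, their scores and the High/Medium/Low thresholds are constructed assumptions for illustration, not values from the slides or from Microsoft's own guidance.

```python
# Added example, not from the original slides: a small threat register that
# tags each threat from a data-flow diagram with its STRIDE category, scores
# it with DREAD and ranks the result. Threats, scores and rating thresholds
# are constructed for illustration.
from dataclasses import dataclass
from typing import Iterable, List, Tuple

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass(frozen=True)
class Threat:
    element: str          # DFD element (process, flow, store, entity) the threat targets
    stride: str           # one of S, T, R, I, D, E
    description: str
    damage: int           # DREAD factors, each rated 1 (low) .. 10 (high)
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def dread_score(self) -> float:
        """Average of the five DREAD factors; rejects out-of-range ratings."""
        factors = (self.damage, self.reproducibility, self.exploitability,
                   self.affected_users, self.discoverability)
        for f in factors:
            if not 1 <= f <= 10:
                raise ValueError(f"DREAD factor out of range: {f}")
        return sum(factors) / len(factors)


def risk_level(score: float) -> str:
    """Bucket a DREAD score; the thresholds are this example's assumption."""
    if score >= 7:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def rank(threats: Iterable[Threat]) -> List[Threat]:
    """Highest-scored threats first, so mitigation effort goes to the top of the list."""
    return sorted(threats, key=lambda t: t.dread_score(), reverse=True)


# Constructed threats for a web application DFD: browser -> web tier -> database.
THREATS = [
    Threat("login form", "S", "Attacker guesses weak passwords (no lockout)", 8, 10, 8, 9, 9),
    Threat("web -> db flow", "T", "SQL injection in search parameter", 10, 10, 7, 10, 8),
    Threat("audit log store", "R", "Admin can delete own log entries", 6, 9, 3, 2, 4),
    Threat("backup share", "I", "Backups readable by all domain users", 9, 10, 9, 10, 6),
    Threat("web tier", "D", "Unbounded file upload fills the disk", 5, 8, 6, 8, 5),
    Threat("web tier", "E", "App runs as root; any RCE is a full compromise", 10, 10, 5, 10, 5),
]


def report(threats: Iterable[Threat] = THREATS) -> List[Tuple[str, str, float, str]]:
    """(element, STRIDE category, DREAD score, rating) rows, highest risk first."""
    return [(t.element, STRIDE[t.stride], round(t.dread_score(), 1), risk_level(t.dread_score()))
            for t in rank(threats)]


if __name__ == "__main__":
    for row in report():
        print("%-16s %-24s %4.1f  %s" % row)
```

With the constructed scores, the SQL injection on the web-to-database flow ranks first (9.0, High) and the repudiation threat on the audit log last (4.8, Medium); the ranking, not the absolute numbers, is what the mitigation step consumes.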
Threat Modeling
  Select mitigation strategy and techniques based on the identified,
   documented and rated threats.
  Benefits:
      Prevent security design flaws
      Identify & address the greatest risks
      Increased risk awareness and understanding
      Mechanism for reaching consensus
      Cost justification and support for needed controls
      Means for communicating results
Secure Design
      Principles (*)
           Secure the weakest link
           Practice defence in depth
           Fail securely
           Follow the principle of least privilege
           Compartmentalize
           Keep it simple
           Promote privacy
           Remember that hiding secrets is hard
           Be reluctant to trust
           Use your community resources
      Future-proof your security design!
     (*) Building Secure Software, Viega and McGraw
Design Reviews
  Better to find flaws early
  Security design reviews
     Check to ensure the design meets the requirements
     Also check to make sure you didn't miss a requirement
  Assemble a team
     Experts in the technology
     Security-minded team members
     Do a high-level penetration test against the design
     Be sure to do root cause analysis on any flaws identified
Secure Coding Guideline
  Formalize best practices into secure coding guidelines
  Well documented and enforceable coding standards
  Tune them to your environment (languages, frameworks, platforms)
  The OWASP Secure Coding Guide can serve as a reference
  They can be used as a metric to evaluate source code
Code Review
  Security bugs are a subset of implementation bugs!
  Static / dynamic analysis tools find the known patterns
  Manual inspection is still required for logic and design issues
  Threat-based: spend review time on the code the threat model rated
   highest
  Check-list driven
  Benefits:
      Improves code quality
      Prevents security bugs
      Increased developer awareness and understanding
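What a static analysis tool contributes to a code review, and where it stops, shown in an added Python example that is not from the original slides or from any of the tools named earlier (FindBugs, RATS): a small AST pass that flags three injection patterns from OWASP A1 (SQL built from a dynamic string, `subprocess` with `shell=True`, and `eval`) in a constructed vulnerable sample, and stays silent on its hardened counterpart. The two samples and the rule names are this example's own; a real checker needs many more rules, and none of them will find a business-logic flaw, which is why manual inspection stays on the slide.

```python
# Added example, not from the original slides: a minimal security-focused
# static analysis pass over Python source. The vulnerable and hardened
# samples are constructed; the rule names (SQLI, SHELL, EVAL) are invented.
import ast
from typing import List, Tuple

VULNERABLE_SAMPLE = '''
import sqlite3, subprocess
def find_user(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")   # A1: string concatenation
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")         # A1: f-string
    return cur.fetchall()
def run(cmd):
    return subprocess.run("ls " + cmd, shell=True)                   # command injection
def calc(expr):
    return eval(expr)                                                 # code injection
'''

HARDENED_SAMPLE = '''
import sqlite3, subprocess, ast
def find_user(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))      # parameterised query
    return cur.fetchall()
def run(path):
    return subprocess.run(["ls", "--", path])                        # argv list, no shell
def calc(expr):
    return ast.literal_eval(expr)                                     # no code execution
'''


def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the expression builds a string at run time from non-constant parts."""
    if isinstance(node, ast.JoinedStr):                        # f-string with {…} parts
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return not (isinstance(node.left, ast.Constant) and isinstance(node.right, ast.Constant))
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.func.attr == "format":
        return True
    return False


def _callee_name(call: ast.Call) -> str:
    f = call.func
    if isinstance(f, ast.Attribute):
        return f.attr
    if isinstance(f, ast.Name):
        return f.id
    return ""


class SecurityVisitor(ast.NodeVisitor):
    """Collects (line, rule, message) findings for the three patterns above."""

    def __init__(self) -> None:
        self.findings: List[Tuple[int, str, str]] = []

    def visit_Call(self, node: ast.Call) -> None:
        name = _callee_name(node)
        if name in ("execute", "executemany") and node.args and _is_dynamic_string(node.args[0]):
            self.findings.append((node.lineno, "SQLI",
                                  "SQL statement built from a dynamic string; use bound parameters"))
        if name == "eval":
            self.findings.append((node.lineno, "EVAL", "eval() on input allows code injection"))
        for kw in node.keywords:
            if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                self.findings.append((node.lineno, "SHELL", "shell=True; pass an argv list instead"))
        self.generic_visit(node)


def scan(source: str) -> List[Tuple[int, str, str]]:
    """Parse the source and return findings sorted by line number."""
    visitor = SecurityVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings)


if __name__ == "__main__":
    for line, rule, msg in scan(VULNERABLE_SAMPLE):
        print(f"line {line}: [{rule}] {msg}")
    print("hardened sample findings:", scan(HARDENED_SAMPLE))
```

On the vulnerable sample the pass reports four findings (two SQLI, one SHELL, one EVAL); on the hardened sample it reports none, because the query uses a `?` placeholder, the command is an argv list without a shell, and `ast.literal_eval` is not `eval`. A checker like this is check-list driven by construction: it only knows the patterns it was given, so it belongs beside, not instead of, the threat-based manual review.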
The OWASP Testing Guide
 Part of an appsec body of knowledge…

 Structure:
  Testing Principles
  Testing Process
  Custom Web Applications
     Black Box Testing
     Grey Box Testing
  Risk and Reporting
  Appendix: Testing Tools
  Appendix: Fuzz Vectors

 Test categories:
  Information Gathering
  Business Logic Testing
  Authentication Testing
  Session Management Testing
  Data Validation Testing
  Denial of Service Testing
  Web Services Testing
  Ajax Testing
Application Security Principles
    Minimize attack surface area
    Establish secure defaults
    Principle of least privilege
    Principle of defense in depth
    Fail securely
    Don't trust services
    Separation of duties
    Avoid security by obscurity
    Keep security simple
    Fix security issues correctly
Operations and Maintenance Phase
 Establishing a change control process.
 Continuous Monitoring
 Application Vulnerability Scanning
 Penetration Testing
Disposal Phase
 Without correctly finishing up, all the previous
 defensive measures can be wasted. The following steps
 are taken to ensure correct disposal:
   Information preservation
   Media Sanitization
   Hardware and software disposal
   How is equipment/software retired?
Review/Conclusion
 Information Security Principles
 Secure Software Development Life Cycle Touch points
    Risk Management
    Security Requirements
    Software Security Guidelines
    Threat Modeling
    Security Design
    Code Reviews
    Disposition
References
[AHM04] A. Anton, P. Hope, G. McGraw, “Misuse and Abuse Cases: Getting Past the Positive”, IEEE
Security & Privacy, March 2004.
[CA06] M. Curphey, R. Araujo, “Web Application Security Assessment Tools”, IEEE Security & Privacy,
Volume 4, Issue 4, July 2006.
[CM04] B. Chess, G. McGraw, “Static Analysis for Security”, IEEE Security & Privacy, December 2004.
[ITSEC91] “Information Technology Security Evaluation Criteria (ITSEC)”, Commission of the European
Communities, 1991.
[F199-04] Federal Information Processing Standard (FIPS) 199, “Standards for Security Categorization
of Federal Information and Information Systems”, 2004.
[GW03] M.G. Graff, K.R. van Wyk, “Secure Coding: Principles & Practices”, O'Reilly, 2003.
[LH03] M. Howard, D. LeBlanc, “Writing Secure Code”, 2nd edition, Microsoft Press, 2003.
[M04] G. McGraw, “Software Security”, IEEE Security & Privacy, February 2004.
[MP04] G. McGraw, B. Potter, “Software Security Testing”, IEEE Security & Privacy, May 2004.
[MV04] G. McGraw, D. Verdon, “Risk Analysis in Software Design”, IEEE Security & Privacy, April 2004.
[NIST04] NIST, “Security Considerations in the Information System Development Life Cycle”, SP 800-64
Rev. 1, 2004.
[V04] V. Rajlich, “Changing the Paradigm of Software Engineering”, Communications of the ACM,
Volume 49, Issue 8, August 2006.

ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
 

More from BDPA Charlotte - Information Technology Thought Leaders

More from BDPA Charlotte - Information Technology Thought Leaders (10)

2011 BDPA Charlotte Membership Packet
2011 BDPA Charlotte Membership Packet2011 BDPA Charlotte Membership Packet
2011 BDPA Charlotte Membership Packet
 
Mastering linkedIn Advanced Techniques and Insider Secrets BDPA National Pres...
Mastering linkedIn Advanced Techniques and Insider Secrets BDPA National Pres...Mastering linkedIn Advanced Techniques and Insider Secrets BDPA National Pres...
Mastering linkedIn Advanced Techniques and Insider Secrets BDPA National Pres...
 
Information security for small business
Information security for small businessInformation security for small business
Information security for small business
 
Running an IT Consulting Firm
Running an IT Consulting FirmRunning an IT Consulting Firm
Running an IT Consulting Firm
 
Professional Development Toolkit
Professional Development ToolkitProfessional Development Toolkit
Professional Development Toolkit
 
Data Warehousing
Data WarehousingData Warehousing
Data Warehousing
 
Health Information Technology Workforce Development Program Presentation
Health Information Technology Workforce Development Program PresentationHealth Information Technology Workforce Development Program Presentation
Health Information Technology Workforce Development Program Presentation
 
How to Create a Business Plan by SCORE
How to Create a Business Plan by SCOREHow to Create a Business Plan by SCORE
How to Create a Business Plan by SCORE
 
How to Start a Small IT Consulting Firm
How to Start a Small IT Consulting FirmHow to Start a Small IT Consulting Firm
How to Start a Small IT Consulting Firm
 
BDPA Charlotte Information Technology Thought Leaders 2010 Membership Drive
BDPA Charlotte   Information Technology Thought Leaders  2010 Membership DriveBDPA Charlotte   Information Technology Thought Leaders  2010 Membership Drive
BDPA Charlotte Information Technology Thought Leaders 2010 Membership Drive
 

Recently uploaded

JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard37
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxFIDO Alliance
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsLeah Henrickson
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptxCyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptxMasterG
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)Samir Dash
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireExakis Nelite
 
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfFrisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfAnubhavMangla3
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMKumar Satyam
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe中 央社
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...FIDO Alliance
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxFIDO Alliance
 
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....rightmanforbloodline
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform EngineeringMarcus Vechiato
 
Top 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development CompaniesTop 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development CompaniesTopCSSGallery
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data SciencePaolo Missier
 
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...ScyllaDB
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxFIDO Alliance
 

Recently uploaded (20)

JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptx
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptxCyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - Questionnaire
 
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfFrisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
 
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform Engineering
 
Top 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development CompaniesTop 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development Companies
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data Science
 
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptx
 

Information Security and the SDLC

2. Information Security & the SDLC
 Information Security Principles
 Secure Software Development Life Cycle Touch points
    Risk Management
    Security Requirements
    Software Security Guidelines
    Threat Modeling
    Security Design
    Code Reviews
    Disposition
 Conclusion

3. Information Security Axioms
 “Security is a combination of confidentiality, integrity and availability” [ITSEC91]
 “Security is a process, not a product!” [Bruce Schneier]
 “Software Security is not Security Software” [Gary McGraw]
 “Security is everybody’s problem”
 “Inside attacks are more powerful than externals”

4. What is Information Security?
 The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information
 Necessary tools: policy, awareness, training, education, technology

5. Information Security Domains
A successful organization should have multiple layers of security in place:
 Access control
 Network security
 Risk management
 Applications security
 Cryptography
 Security Architecture & Design
 Operations security
 Business continuity planning and disaster recovery planning
 Legal and regulatory compliance
 Physical/environmental security

6. Security Core Principles
Confidentiality: "Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information…" A loss of confidentiality is the unauthorized disclosure of information. [F199-04]
Integrity: "Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity…" A loss of integrity is the unauthorized modification or destruction of information. [F199-04]
Availability: "Ensuring timely and reliable access to and use of information…" A loss of availability is the disruption of access to or use of information or an information system. [F199-04]
Usability: “is a term used to denote the ease with which people can employ a particular tool or other human-made object in order to achieve a particular goal. Usability can also refer to the methods of measuring usability and the study of the principles
7. HOW: Security Base Principles

8. HOW: Security Base Principles
To respect the core principles we need:
 Identification: “is how a user tells a system who he or she is (for example, by using a username or User ID)”;
 Authentication: “is the process of verifying a user's claimed identity (for example, by comparing an entered password to the password stored on a system for a given username).”;
 Authorization: “defines a user's rights and permissions on a system. After a user (or process) is authenticated, authorization determines what that user can do on the system.”;
 Auditing: “an evaluation of an organization, system, process, project or product”.

9. Business Drivers
 Security is less expensive to implement if it is planned from the beginning
 Building security controls into the system, rather than adding them after the system is already built, improves system performance
 Security becomes an enabling factor rather than a barrier to success by reducing the need for expensive reengineering and reprogramming
 It ensures success of certification and accreditation processes and keeps the project on schedule

10. HOW: Secure SDLC
 Waterfall Model (old paradigm)
 Iterative Model (new paradigm)
14. HOW: SSDLC Phases
 Start
 Analysis: security requirements, risk analysis, threat identification, threat impact probability, abuse cases and UML (unified modeling language) for software security, usability guidelines, traditional SDLC analysis;
 Design: risk analysis, UML for Software Security, usability guidelines, traditional SDLC design;
 Development: secure coding, risk based security tests, static analysis, traditional SDLC development;
 Test: risk analysis, penetration test (black- or white-box approach), risk mitigation, traditional SDLC test;
 Maintenance: risk analysis, penetration test, traditional SDLC maintenance.
 Back to start!

15. How: SSDLC tools and methodologies
Software Security Tools:
 Analysis and Design: SecureUML, UMLSec;
 Static Analysis tools: FindBugs, OWASP CLASP, SLAM, Blast, RATS;
 Security Methodologies: Cigital Risk Analysis Methodology;
 OSSTMM - Open Source Security Testing Methodology Manual; OWASP Testing guide;

16. Software Risk Management
 Software Risk Analysis
 Software Risk Mitigation
17. Excuses to underestimate security in the SDLC
 “We've reviewed the code, and there are no security bugs.”
 “We know it's the default, but the administrator can turn it off.”
 “If we don't run as administrator, stuff breaks.”
 “But we'll slip the schedule.”
 “It's not exploitable.”
 “But that's the way we've always done it.”
 “If only we had better tools….”

18. Excuses to underestimate security in the SDLC
 “No one will do that!”
 “Why would anyone do that?”
 “We've never been attacked.”
 “We're secure, we use cryptography.”
 “We're secure, we use ACLs.”
 “We're secure, we use a firewall.”

19. Web Application Security SDLC Elevator Pitch
Between 70% and 90% of web applications have serious vulnerabilities because …the average developer is still not trained well enough.
Embedding application security controls into development and deployment will:
 Allow for higher uptime, less TCO
 Put YOU into risk control

20. Major Vulnerabilities in the Application Space (OWASP Top 10 - 2010)
 A1 – Injection
 A2 – Cross Site Scripting (XSS)
 A3 – Broken Authentication and Session Management
 A4 – Insecure Direct Object References
 A5 – Cross Site Request Forgery (CSRF)
 A6 – Security Misconfiguration (NEW)
 A7 – Failure to Restrict URL Access
 A8 – Unvalidated Redirects and Forwards (NEW)
 A9 – Insecure Cryptographic Storage
 A10 – Insufficient Transport Layer Protection
21. Software Security Guidelines
 Security Usability:
    what to do: security should impact minimally on system usability;
    why: applications that are too secure are not usable and will not be used;
    how: all security features have to be balanced with usability factors;
 Use the “least privilege principle”:
    what to do: every application should be executed with the minimum privileges needed to execute its tasks;
    why: the least privilege principle limits the damage done when an application vulnerability is exploited;
    how: check and set only the privileges the application needs;

22. Software Security Guidelines
 Confidentiality:
    what to do: personal information must be protected;
    why: unauthorized users should not have access to confidential information;
    how: data and channel encryption; Identification, Authorization and Authentication guidelines;
 Integrity:
    what to do: protect application data from corruption;
    why: data is the highest value asset in Information Systems;
    how: use a good access control policy and respect the Identification, Authorization and Authentication guidelines;
 Availability:
    what to do: ensure applications are always available for the users' tasks and goals;
    why: mission critical applications have to be always available;
    how: try to disconnect “resources” such as the network, peripherals, etc. and test the applications; Identification, Authorization and Authentication guidelines;

23. Software Security Guidelines
 Identification & Authentication:
    what to do: identify and authenticate users or systems to implement access control policies;
    why: identification and authentication are needed for the Authentication phase;
    how: something you: Know (1F*); Have (2F*); Are (3F*); Do (4F*);
 Authorization:
    what to do: authorize a user to “use” only the objects he or she should use;
    why: authorization is needed for the Integrity of data and systems;
    how: adopt a well-known access control policy such as MAC, RBAC, DAC;
 Auditing & Logging:
    what to do: monitor application activities;
    why: logs are useful to track activities and to detect errors and flaws;
    how: ensure auditing is activated on the system;
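As an added example (not from the slides), the slide 8 chain of identification, authentication, authorization and auditing applied with the guidelines above: PBKDF2-hashed credentials compared in constant time, RBAC with deny-by-default, and an audit record for every decision. The users, roles, permission names and the PBKDF2 work factor are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumption: PBKDF2-HMAC-SHA256 work factor; tune to your hardware.
PBKDF2_ROUNDS = 600_000

# Role -> permissions. Each role carries only what its tasks need (least privilege).
# Roles and permission names are constructed for this example.
ROLE_PERMISSIONS = {
    "reader":  {"report:read"},
    "analyst": {"report:read", "report:export"},
    "admin":   {"report:read", "report:export", "user:manage"},
}


@dataclass(frozen=True)
class User:
    username: str      # identification: the claim "I am alice"
    salt: bytes
    pw_hash: bytes     # PBKDF2 output; the password itself is never stored
    roles: frozenset


@dataclass(frozen=True)
class AuditEvent:
    when: str
    actor: str
    action: str
    outcome: str


def derive_key(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class AccessControl:
    def __init__(self):
        self.users = {}
        self.audit = []    # auditing: every decision is recorded, allow or deny

    def _log(self, actor, action, outcome):
        self.audit.append(AuditEvent(datetime.now(timezone.utc).isoformat(), actor, action, outcome))

    def add_user(self, username, password, roles):
        unknown = set(roles) - set(ROLE_PERMISSIONS)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        salt = secrets.token_bytes(16)
        self.users[username] = User(username, salt, derive_key(password, salt), frozenset(roles))

    def authenticate(self, username, password):
        """Identification + authentication: verify the claimed identity."""
        user = self.users.get(username)
        # Unknown user: still run the full derivation against a dummy record so
        # response time does not reveal which usernames exist.
        salt = user.salt if user else bytes(16)
        expected = user.pw_hash if user else bytes(32)
        ok = hmac.compare_digest(derive_key(password, salt), expected) and user is not None
        self._log(username, "login", "success" if ok else "failure")
        return ok

    def authorize(self, username, permission):
        """Authorization: deny by default (fail securely); grant only through a role."""
        user = self.users.get(username)
        granted = user is not None and any(permission in ROLE_PERMISSIONS[r] for r in user.roles)
        self._log(username, permission, "allow" if granted else "deny")
        return granted


def demo():
    """Walk the chain once and return the decisions plus the audit trail."""
    ac = AccessControl()
    ac.add_user("alice", "correct horse battery staple", ["analyst"])
    ac.add_user("bob", "a-long-enough-passphrase", ["reader"])
    decisions = {
        "alice_login":   ac.authenticate("alice", "correct horse battery staple"),
        "bob_bad_login": ac.authenticate("bob", "not-bobs-passphrase"),
        "ghost_login":   ac.authenticate("mallory", "anything"),
        "alice_export":  ac.authorize("alice", "report:export"),
        "bob_export":    ac.authorize("bob", "report:export"),
        "bob_read":      ac.authorize("bob", "report:read"),
        "ghost_read":    ac.authorize("mallory", "report:read"),
    }
    return decisions, ac.audit
```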
24. Security Requirements to consider...
 Internally or externally hosted?
 Web-facing?
 Data Classification?
 Non-Public Information (NPI)?
 Data Flow?
 Third Party Access?
 Third Party Reviews? SAS-70?
 Related Entity Access?
 Legal / Regulatory Requirements? (PCI, GLBA, SOX, SEC, OCC, etc.)
 Public Access?
 Virtualization / Cloud Computing?
 Downstream Liability?
 Backup Requirements?
 Data offsite / Offshore / International?

25. Security Tasks in the SDLC
 Initiation
    Needs Determination
    Security Categorization
    Risk Assessment
 Development/Acquisition
    Risk Assessment
    Security Functional Requirements Analysis
    Security Assurance Requirements Analysis
    Cost Considerations
    Security Control Development
    Developmental Security Test and Evaluation
    Acquisition specifications
 Implementation
    Inspection and Acceptance
    System Integration
    Certification & Accreditation
 Operations & Maintenance
    Configuration Management and Control
    Continuous Monitoring
 Disposition
    Information Preservation
    Media Sanitization
    Hardware and Software Disposal
27. Initiation Phase: System Categorization
 System Description
    Need, purpose and mission
    Functional requirements
    Policy and architecture
    Network topology
    Information flow
    Security controls (either planned or already implemented)
    Physical and environmental security
    Boundary analysis and interconnections
 Component inventory
    Hardware
    Software
    External interfaces to other systems
    Data
    People

28. Initiation Phase: Risk Assessment
 Risk assessment is the process of analyzing threats to an information system and known vulnerabilities to determine the likelihood and impact of some anticipated loss. This risk analysis can then be used to design protective security controls that reduce these factors to acceptable levels.
 A pre-requisite to Risk Assessment is system categorization

29. Initiation Phase: Risk Assessment
 Part of a greater process called Risk Management.
 Risk Management begins with Risk Assessment, then moves into protecting the information system with Risk Mitigation (through security controls), and closes out with Evaluation and Assessment to confirm that the Risk Management process is actually working.

30. Initiation Phase: Vulnerability Identification
 A vulnerability is a weakness in a system or its protections that could be exercised, creating a breach in the security protection of the system. The goal of this step is to come up with a list of vulnerabilities that could be exercised by potential threat sources.
 Vulnerabilities can be identified from lists and advisories on common vulnerabilities and also by testing the system.

31. Initiation Phase: Vulnerability Identification
Vulnerability lists
 Databases – NIST National Vulnerability Database
 Vendor advisories – Google directory of computer security advisories and patches
 CIRT lists and bulletins
 US-CERT
 SANS Top 20
 SANS Internet Storm Center
System testing
 Vulnerability scanning
 Penetration testing
 Security controls assessment
 Previous risk assessment documentation

32. Requirements Analysis
 Used to identify the system's protection requirements through the use of a formal risk assessment process.
 Generates essential information needed to complete the system security plan.
 The risk assessment includes the following:
    Identification of threats and vulnerabilities
    The potential impact or magnitude of harm that a loss of confidentiality, integrity, or availability would have on assets, operations, image and reputation should there be a threat of exploitation
    Consideration of potential inheritance of vulnerabilities from other systems

33. Security Functional Requirements Analysis
 Analysis should include laws and regulations such as:
    Privacy Act
    PCI
    SOX
    GLBA
    Other regulations
 More than one risk assessment may be required as this phase of the SDLC progresses
34. Threat Modeling
 Understand the operating environment your application is heading into
 Identify, analyze and document (and thus hopefully mitigate) threats

35. Threats
 Natural threats
    Storms
    Floods
    Tornadoes
    Hurricanes
    Electrical storms
    Earthquakes
    Slides
       Landslide
       Avalanche
    Temperature extremes
 Environmental threats
    Power failures
 Human threats
    Insiders
       Unintentional: Data compromise
       Intentional: System intrusion, Data compromise, Organizational disruption
    Hacker/cracker
       System intrusion
       Defacement
       Data compromise
    Criminal
       Bribery, extortion
       System intrusion
       Data compromise
    Terrorist
       Bribery, extortion
       System intrusion
       Data compromise
       Information warfare
       System disruption
       Organizational disruption
    Industrial espionage
       System intrusion
       Data compromise
       Organizational disruption

36. Identifying threats – data flow diagrams
 Contains the major processes, system boundaries
 .. interactions with external entities

37. Categorizing and Quantifying Threats
 Most known: Microsoft STRIDE, DREAD
    STRIDE: spoofing, tampering, repudiation, information disclosure, denial of service, escalation of privileges
    DREAD: damage potential, reproducibility, exploitability, affected users, discoverability

38. Threat Modeling
 Select mitigation strategy and techniques based on identified, documented and rated threats.
 Benefits:
    Prevent security design flaws
    Identify & address greatest risks
    Increased risk awareness and understanding
    Mechanism for reaching consensus
    Cost justification and support for needed controls
    Means for communicating results
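Slides 36 to 38 in code, as an added example that is not part of the deck: a constructed data flow diagram, STRIDE candidates enumerated per element type (the STRIDE-per-element heuristic from Microsoft SDL practice), DREAD ratings averaged over five 1..10 factors, and a ranked list to drive the mitigation choices of slide 38. The DFD, the ratings and the High/Medium/Low thresholds are all assumptions.

```python
from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE-per-element: threat categories that normally apply to each DFD element
# type (the heuristic used in Microsoft SDL threat modeling). A data store gets
# R only when it holds logs, so the team prunes what does not apply.
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str
    crosses_trust_boundary: bool = False   # flows across a boundary are reviewed first


@dataclass(frozen=True)
class Threat:
    element: str
    category: str        # one STRIDE letter
    dread: tuple         # (Damage, Reproducibility, Exploitability, Affected users, Discoverability)

    @property
    def rating(self):
        """DREAD rating: each factor 1..10, risk is their average (Microsoft's original scale)."""
        if len(self.dread) != 5 or not all(1 <= x <= 10 for x in self.dread):
            raise ValueError(f"DREAD needs five factors in 1..10, got {self.dread}")
        return sum(self.dread) / 5


def enumerate_threats(elements):
    """Candidate (element, STRIDE letter) pairs; boundary-crossing elements come first."""
    candidates = []
    for e in sorted(elements, key=lambda e: not e.crosses_trust_boundary):
        if e.kind not in APPLICABLE:
            raise ValueError(f"unknown DFD element kind: {e.kind!r}")
        candidates.extend((e.name, letter) for letter in APPLICABLE[e.kind])
    return candidates


def rank(threats, high=7.0, medium=4.0):
    """Highest-rated first, with a High/Medium/Low band (thresholds are assumptions)."""
    def band(r):
        return "High" if r >= high else "Medium" if r >= medium else "Low"
    ranked = sorted(threats, key=lambda t: t.rating, reverse=True)
    return [(t.element, STRIDE[t.category], round(t.rating, 1), band(t.rating)) for t in ranked]


def demo():
    """A constructed DFD for a small web shop, rated by a hypothetical review team."""
    dfd = [
        Element("Browser", "external_entity"),
        Element("Web app", "process"),
        Element("Orders DB", "data_store"),
        Element("Browser->Web app", "data_flow", crosses_trust_boundary=True),
        Element("Web app->Orders DB", "data_flow"),
    ]
    candidates = enumerate_threats(dfd)
    # The team rates the candidates it judges real; the others are documented as
    # not applicable, so the accepted list is as visible as the rated one.
    rated = [
        Threat("Browser->Web app", "I", (8, 9, 7, 9, 8)),    # cleartext traffic exposes orders
        Threat("Orders DB", "T", (9, 5, 4, 10, 3)),          # direct modification of order rows
        Threat("Web app", "R", (3, 6, 5, 2, 4)),             # no record of who changed what
        Threat("Web app->Orders DB", "D", (4, 3, 2, 6, 2)),  # connection pool exhaustion
    ]
    return candidates, rank(rated)
```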
39. Secure Design
 Principles (*)
    Secure the weakest link
    Practice defence in depth
    Fail securely
    Follow the principle of least privilege
    Compartmentalize
    Keep it simple
    Promote privacy
    Remember that hiding secrets is hard
    Be reluctant to trust
    Use your community resources
 Future proof security design!
(*) Building Secure Software, Viega-McGraw

40. Design Reviews
 Better to find flaws early
 Security design reviews
    Check to ensure design meets requirements
    Also check to make sure you didn’t miss a requirement
 Assemble a team
    Experts in the technology
    Security-minded team members
 Do a high-level penetration test against the design
 Be sure to do root cause analysis on any flaws identified

41. Secure Coding Guideline
 Formalize best practices into secure coding guidelines
    Well documented and enforceable coding standards
    Tune towards environment
 OWASP Secure Coding Guide can be a reference
    Can be used as a metric to evaluate source code

42. Code Review
 Security bugs are a subset of implementation bugs!
 Static / dynamic analysis tools
 Requires manual inspection
    Threat-based
    Check list driven
 Benefits:
    Improves code quality
    Prevents security bugs
    Increased developer awareness and understanding
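A check-list-driven static check of the kind slide 42 describes, as an added example (not from the slides or from OWASP): it walks a Python module's AST and reports database execute() calls whose query text is assembled at run time (the A1 Injection item of slide 20) instead of being passed as a constant with bound parameters. The module under review is constructed; a reviewer still inspects every finding by hand.

```python
import ast
from dataclasses import dataclass

DB_CALLS = {"execute", "executemany", "executescript"}   # DB-API cursor/connection methods


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    snippet: str


def dynamic_query_reason(node):
    """Why the query expression is built at run time, or None if it is not."""
    if isinstance(node, ast.JoinedStr):
        return "f-string query"
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return "concatenated or %-formatted query"
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.func.attr == "format":
        return ".format() query"
    return None


def check_source(source):
    """Checklist item A1: every DB execute() call must take a constant query string
    with values bound as parameters. Returns findings sorted by line."""
    tree = ast.parse(source)
    lines = source.splitlines()
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in DB_CALLS or not node.args:
            continue
        query = node.args[0]
        reason = dynamic_query_reason(query)
        if reason is None and not isinstance(query, ast.Constant):
            # A name or attribute: not provably safe; the reviewer traces where it was built.
            reason = "query built elsewhere; trace its origin manually"
        if reason is not None:
            findings.append(Finding(node.lineno, reason, lines[node.lineno - 1].strip()))
    return sorted(findings, key=lambda f: f.line)


# Constructed module under review: three unsafe patterns and one parameterized query.
SAMPLE = '''\
import sqlite3

def find_user_concat(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT id FROM users WHERE name = '" + name + "'")
    return cur.fetchall()

def find_user_fstring(conn, name):
    return conn.execute(f"SELECT id FROM users WHERE name = '{name}'").fetchall()

def find_user_parameterized(conn, name):
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()

def count_orders(conn, status):
    sql = "SELECT COUNT(*) FROM orders WHERE status = %s" % status
    return conn.execute(sql).fetchone()
'''


def demo():
    """Run the checklist item over the constructed module."""
    return check_source(SAMPLE)
```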
43. The OWASP Testing Guide
Part of an appsec body of knowledge…
 Testing Principles
 Testing Process
 Custom Web Applications
 Black Box Testing
 Grey Box Testing
 Risk and Reporting
 Appendix: Testing Tools
 Appendix: Fuzz Vectors
 Information Gathering
 Business Logic Testing
 Authentication Testing
 Session Management Testing
 Data Validation Testing
 Denial of Service Testing
 Web Services Testing
 Ajax Testing

44. Application Security Principles
 Minimize attack surface area
 Establish secure defaults
 Principle of Least privilege
 Principle of Defense in depth
 Fail securely
 Don't trust services
 Separation of duties
 Avoid security by obscurity
 Keep security simple
 Fix security issues correctly
45. Operations and Maintenance Phase
 Establishing a change control process
 Continuous Monitoring
    Application Vulnerability Scanning
    Penetration Testing

46. Disposal Phase
 Without correctly finishing up, all the previous defensive measures can be wasted. The following steps are taken to ensure correct disposal:
    Information preservation
    Media Sanitization
    Hardware and software disposal
 How is equipment/software retired?

47. Review/Conclusion
 Information Security Principles
 Secure Software Development Life Cycle Touch points
    Risk Management
    Security Requirements
    Software Security Guidelines
    Threat Modeling
    Security Design
    Code Reviews
    Disposition
48. References
[AHM04] A. Anton, P. Hope, G. McGraw, “Misuse and Abuse Cases: Getting Past the Positive”, IEEE Security & Privacy, March 2004
[CA06] Curphey, Araujo, “Web Application Security Assessment Tools”, IEEE Security & Privacy, Volume 4, Issue 4, July 2006
[CM04] B. Chess, G. McGraw, “Static Analysis for Security”, IEEE Security & Privacy, December 2004
[ITSEC91] “Information Technology Security Evaluation Criteria”, Commission of the European Communities, 1991
[F199-04] Federal Information Processing Standard (FIPS) 199, “Standards for Security Categorization of Federal Information and Information Systems”, 2004
[GW03] M.G. Graff, K.R. van Wyk, “Secure Coding: Principles & Practices”, O'Reilly, 2003
[LH03] D. LeBlanc, M. Howard, “Writing Secure Code”, 2nd ed., Microsoft Press, 2003
[M04] G. McGraw, “Software Security”, IEEE Security & Privacy, February 2004
[MP04] G. McGraw, B. Potter, “Software Security Testing”, IEEE Security & Privacy, May 2004
[MV04] G. McGraw, D. Verdon, “Risk Analysis in Software Design”, IEEE Security & Privacy, April 2004
[NIST04] NIST, “Security Considerations in the Information System Development Life Cycle”, SP 800-64 Rev. 1, 2004
[V04] Vaclav Rajlich, “Changing the Paradigm of Software Engineering”, Communications of the ACM, Volume 49, Issue 8, August 2006