IK
Uploaded byIrina Kostina
PDF, PPTX105 views

SDLC & DevSecOps

The document discusses security best practices across the software development lifecycle (SDLC). It covers: - The Microsoft Security Development Lifecycle (SDL) methodology which includes activities like threat modeling, security testing, using approved tools and cryptography standards, managing third-party components, and establishing an incident response process. - Static and dynamic application security testing (SAST and DAST) - SAST analyzes source code for vulnerabilities while DAST tests running applications. Both have tradeoffs in terms of when issues are found, expenses to fix, and what types of vulnerabilities are discovered. - DevSecOps practices like integrating security activities into each stage of development through techniques like incremental threat modeling, automated testing, and continuous

Embed presentation

Download as PDF, PPTX
Magnus Klaaborg Stubman, Improsec A/S Irina Kostina, Microsoft Security Development Lifecycle methodology & DevSecOps
Equifax breach 2017 Equifax's CEO and other executives resigned following a backlash over the hack at the company that compromised the data of 143 million people The thieves spent 76 days within Equifax's network before they were detected. $700 million to settle federal and state investigations $425 million to directly help consumers affected by the breach $1.4 billion: Amount Equifax has spent on upgrading its security in the wake of the incident
In contrast with: SQL Injection : Extracts Starbucks Enterprise Accounting, Financial, Payroll Database Bounty : 4000$ https://hackerone.com/reports/531051
Development Methodologies SDLC Dev Test Deploy to ProductionDev
Development Methodologies SDLC Dev Test Deploy to ProductionDev Dev Deploy to ProductionTest Dev Test Dev Test Dev
Development Methodologies SDLC Dev Test Deploy to ProductionDev Dev Deploy to ProductionTest Dev Test Dev Test Dev ?
Development Methodologies SDLC Dev Test Deploy to ProductionDev Dev Deploy to ProductionTest Dev Test Dev Test Dev ? ?
Development Methodologies SDLC Dev Test Deploy to ProductionDev Dev Deploy to ProductionTest Dev Test Dev Test Dev
Development Methodologies SDLC Dev Test Deploy to ProductionDev Dev Deploy to Production Test Test Test
Development Methodologies SDLC Dev Test Deploy to ProductionDev Dev Deploy to Production Test Test Test Training Training
Development Methodologies SDLC Dev Test Deploy to ProductionDevTraining
Development Methodologies SDLC
Development Methodologies SDLC
Development Methodologies SDLC
Development Methodologies SDLC
Development Methodologies SDLC
Development Methodologies SDLC
Development Methodologies SDLC
Development Methodologies SDLC
Development Methodologies SDLC How easy/hard is it to get rid of the solution?
Development Methodologies SDLC How easy/hard is it to get rid of the solution? How easy/hard is it to move the solution?
Development Methodologies - summarized SDLC • Your mileage may very – one size does not fit all
Development Methodologies - summarized SDLC • Your mileage may very – one size does not fit all • Waterfall approach may increase reliability, but reduce predictability
Development Methodologies - summarized SDLC • Your mileage may very – one size does not fit all • Waterfall approach may increase reliability, but reduce predictability • Agile approach may increase predictability, but reduce reliability
Development Methodologies - summarized SDLC • Your mileage may very – one size does not fit all • Waterfall approach may increase reliability, but reduce predictability • Agile approach may increase predictability, but reduce reliability • Training is a one time cost, and gives value over time
Development Methodologies - summarized SDLC • Your mileage may very – one size does not fit all • Waterfall approach may increase reliability, but reduce predictability • Agile approach may increase predictability, but reduce reliability • Training is a one time cost, and gives value over time • Ask yourself: • What do you need? • What works in your organization?
Internal Quality Assurance (QA) SDLC • Definition of Done: • Implemented according to Standards • Unit test cases has been written for all functionality • Documented • Code reviewed by colleague • Documentation review by colleague • dependency-check reports 0 vulnerabilities
https://www.exploit-db.com/exploits/18329
Security – all or nothing?
Security – all or nothing? • Cost • Productivity hit • Security hit • Horror stories?
Security – all or nothing? • Cost • Productivity hit • Security hit • Horror stories? • Start over?
Security – all or nothing? • Cost • Productivity hit • Security hit • Horror stories? • Start over? • The most important step is the first! • Get started • Incremental improvements • Try, try and try again
Segmentation
Segmentation / Isolation / Separation
Simplicity
Simplicity Silver Bullets • Complex code • Hard to read
Simplicity Silver Bullets • Complex code • Hard to read • Hard to review
Simplicity Silver Bullets • Complex code • Hard to read • Hard to review • Hard to maintain
Simplicity Silver Bullets • Complex code • Hard to read • Hard to review • Hard to maintain • Hard to add new features
Simplicity Silver Bullets • Complex code • Hard to read • Hard to review • Hard to maintain • Hard to add new features • Hard to replace/deprecate
Simplicity Silver Bullets • Complex code • Hard to read • Hard to review • Hard to maintain • Hard to add new features • Hard to replace/deprecate • Lower developer satisfaction
Simplicity Silver Bullets • Complex code • Hard to read • Hard to review • Hard to maintain • Hard to add new features • Hard to replace/deprecate • Lower developer satisfaction • Harder to pentest
Simplicity Silver Bullets • Complex code • Hard to read • Hard to review • Hard to maintain • Hard to add new features • Hard to replace/deprecate • Lower developer satisfaction • Harder to pentest Expensive!
Security as a Cultural Phenomenon • Policies, guidelines from management → top-down approach
Security as a Cultural Phenomenon • Policies, guidelines from management → top-down approach • Security awareness, security trainings → bottom-up approach
Security as a Cultural Phenomenon • Policies, guidelines from management → top-down approach • Security awareness, security trainings → bottom-up approach • Code review after pentest → teammeeting, walk through vulnerabilities, talk about mitigations pros/cons. No finger pointing, only learning.
Security as a Cultural Phenomenon • Policies, guidelines from management → top-down approach • Security awareness, security trainings → bottom-up approach • Code review after pentest → teammeeting, walk through vulnerabilities, talk about mitigations pros/cons. No finger pointing, only learning. • "What are we doing to prevent this from being abused/exploited?"
Security as a Cultural Phenomenon • OWASP • "Top 10": https://owasp.org/www-project-top-ten/ • Present one topic each once a week, during a lunchmeeting
Security as a Cultural Phenomenon • OWASP • "Top 10": https://owasp.org/www-project-top-ten/ • Present one topic each once a week, during a lunchmeeting
Security as a Cultural Phenomenon • OWASP • "Top 10": https://owasp.org/www-project-top-ten/ • Present one topic each once a week, during a lunchmeeting • Copenhagen: https://owasp.org/www-chapter-copenhagen/ • Aarhus: https://owasp.org/www-chapter-aarhus/
Silver Bullets - summarized SDLC • Segmentation • Simplicity • Culture
Provide Training Ensure everyone understands security best practices. Define Security Requirements Continually update security requirements to reflect changes in functionality and to the regulatory and threat landscape. Define Metrics and Compliance Reporting Identify the minimum acceptable levels of security quality and how engineering teams will be held accountable. Perform Threat Modeling Use threat modeling to identify security vulnerabilities, determine risk, and identify mitigations. Establish Design Requirements Define standard security features that all engineers should use. Define and Use Cryptography Standards Ensure the right cryptographic solutions are used to protect data. Manage the Security Risk of Using Third- Party Components Keep an inventory of third- party components and create a plan to evaluate reported vulnerabilities. Use Approved Tools Define and publish a list of approved tools and their associated security checks. Perform Static Analysis Security Testing Analyze source code before compiling to validate the use of secure coding policies. Perform Dynamic Analysis Security Testing Perform run-time verification of fully compiled software to test security of fully integrated and running code. Perform Penetration Testing Uncover potential vulnerabilities resulting from coding errors, system configuration faults, or other operational deployment weaknesses. Establish a Standard Incident Response Process Prepare an Incident Response Plan to address new threats that can emerge over time. Microsoft SDL
Provide Training Ensure everyone understands security best practices. Define Security Requirements Continually update security requirements to reflect changes in functionality and to the regulatory and threat landscape. Define Metrics and Compliance Reporting Identify the minimum acceptable levels of security quality and how engineering teams will be held accountable. Perform Threat Modeling Use threat modeling to identify security vulnerabilities, determine risk, and identify mitigations. Establish Design Requirements Define standard security features that all engineers should use. Define and Use Cryptography Standards Ensure the right cryptographic solutions are used to protect data. Manage the Security Risk of Using Third- Party Components Keep an inventory of third- party components and create a plan to evaluate reported vulnerabilities. Use Approved Tools Define and publish a list of approved tools and their associated security checks. Perform Static Analysis Security Testing Analyze source code before compiling to validate the use of secure coding policies. Perform Dynamic Analysis Security Testing Perform run-time verification of fully compiled software to test security of fully integrated and running code. Perform Penetration Testing Uncover potential vulnerabilities resulting from coding errors, system configuration faults, or other operational deployment weaknesses. Establish a Standard Incident Response Process Prepare an Incident Response Plan to address new threats that can emerge over time. Microsoft SDL
#5 : Threat Modeling
Development Business requirements Operations Users Feedback loop
Identify defects as early as possible Development Business requirements Operations Users Feedback loop Monitor
Development Business requirements Operations UsersDevelopment Business requirements Incremental Threat Modeling DAST Operations Users Dedicated Pentesting Vulnerability Scanning Monitoring Periodic pentesting Validation SAST Fast feedback loop DevSecOps Secure Deployment https://azsk.azurewebsites.net/
Static Application Security Testing https://owasp.org/www-community/Source_Code_Analysis_Tools https://github.com/features/security + • Scales well (only needs the code) • Finds vulnerabilities earlier in the process •Highlights the precise source files, line numbers, subsections of lines - • Many types of security vulnerabilities are difficult to find automatically • High numbers of false positives • Frequently can’t find configuration issues, since they are not represented in the code •Difficult to ‘prove’ that an identified security issue is an actual vulnerability https://sonarcloud.io/
#10: Dynamic Application Security Testing - • Not highly scalable • No code visibility • Slow scans + • Technology independent • Low false positives • Identifies configuration issues https://docs.microsoft.com/en-us/previous-versions/software-testing/cc162782(v=msdn.10) https://www.g2.com/categories/dynamic-application-security-testing-dast https://marketplace.visualstudio.com/search?term=security&target=AzureDevOps&category=All%20categories&sortBy=Relevance
SAST DAST White box security testing The tester has access to the underlying framework, design, and implementation. The application is tested from the inside out. This type of testing represents the developer approach. Black box security testing The tester has no knowledge of the technologies or frameworks that the application is built on. The application is tested from the outside in. This type of testing represents the hacker approach. Requires source code. SAST doesn’t require a deployed application. It analyzes the sources code or binary without executing the application. Requires a running application DAST doesn’t require source code or binaries. It analyzes by executing the application. Finds vulnerabilities earlier in the SDLC. The scan can be executed as soon as code is deemed feature-complete. Finds vulnerabilities toward the end of the SDLC Vulnerabilities can be discovered after the development cycle is complete. Less expensive to fix vulnerabilities. Since vulnerabilities are found earlier in the SDLC, it’s easier and faster to remediate them. Findings can often be fixed before the code enters the QA cycle. More expensive to fix vulnerabilities Since vulnerabilities are found toward the end of the SDLC, remediation often gets pushed into the next cycle. Critical vulnerabilities may be fixed as an emergency release. Can’t discover run-time and environment-related issues. Since the tool scans static code, it can’t discover run-time vulnerabilities. Can discover run-time and environment-related issues Since the tool uses dynamic analysis on an application, it is able to find run-time vulnerabilities. Supports all kinds of software. Examples include web applications, web services, and thick clients. Typically scans only apps like web applications and web services. DAST is not useful for other types of software.
Where do I start? aka.ms/sdlc Implement Use the implementers’ resources guides to create an implementation plan that advances your SDL maturity. Self-assess Review the self- assessment guide to assess your organization’s current SDL maturity level. Identify Identify where your organization falls on the SDL Optimization Maturity Model.
Thank you! Any questions?

More Related Content

PDF
DevOps and DevSecOps, Incident Management
byShriniKulkarni
 
PPTX
DevSecCon KeyNote London 2015
byShannon Lietz
 
PPTX
Owasp summit slides day 2
byDinis Cruz
 
PDF
BSides Vienna 2015
byDaniel Liber
 
PDF
Outpost24 webinar - The economics of penetration testing in the new threat la...
byOutpost24
 
PDF
Owasp summit 2017
byDinis Cruz
 
PDF
AppSec is Eating Security
byAlex Stamos
 
PDF
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...
bySimone Onofri
 
DevOps and DevSecOps, Incident Management
byShriniKulkarni
 
DevSecCon KeyNote London 2015
byShannon Lietz
 
Owasp summit slides day 2
byDinis Cruz
 
BSides Vienna 2015
byDaniel Liber
 
Outpost24 webinar - The economics of penetration testing in the new threat la...
byOutpost24
 
Owasp summit 2017
byDinis Cruz
 
AppSec is Eating Security
byAlex Stamos
 
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...
bySimone Onofri
 

What's hot

PDF
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous Culture
byDevOps Indonesia
 
PDF
Building a Modern Security Engineering Organization
byZane Lackey
 
PDF
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
byDenim Group
 
PDF
Devops: Security's big opportunity by Peter Chestna
byDevSecCon
 
PPTX
DevSecCon Singapore 2018 - Pushing left like a boss by Tanya Janca
byDevSecCon
 
PPTX
HouSecCon 2019: Offensive Security - Starting from Scratch
bySpencer Koch
 
PPTX
Continuous Delivery (The newest)
byEduards Sizovs
 
PPTX
Software Craftsmanship Essentials
byEduards Sizovs
 
PDF
How to adapt the SDLC to the era of DevSecOps
byZane Lackey
 
ODP
Lessons from DevOps: Taking DevOps practices into your AppSec Life
byMatt Tesauro
 
PPTX
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
byPuppet
 
PPTX
Software Supply Chain Automation Removes Roadblocks to Rugged DevOps
bySeniorStoryteller
 
PDF
Effective approaches to web application security
byZane Lackey
 
PPTX
Cloud, DevOps and the New Security Practitioner
byAdrian Sanabria
 
PDF
DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...
byDevSecCon
 
PDF
Security at the Speed of Software Development
byDevOps.com
 
PPTX
Safely Removing the Last Roadblock to Continuous Delivery
bySeniorStoryteller
 
KEY
The business case for contributing code
byZivtech, LLC
 
PPTX
Making disaster routine
byPeter Varhol
 
PPTX
DevSecCon Singapore 2018 - Insecurity in information technology by Tanya Janca
byDevSecCon
 
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous Culture
byDevOps Indonesia
 
Building a Modern Security Engineering Organization
byZane Lackey
 
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
byDenim Group
 
Devops: Security's big opportunity by Peter Chestna
byDevSecCon
 
DevSecCon Singapore 2018 - Pushing left like a boss by Tanya Janca
byDevSecCon
 
HouSecCon 2019: Offensive Security - Starting from Scratch
bySpencer Koch
 
Continuous Delivery (The newest)
byEduards Sizovs
 
Software Craftsmanship Essentials
byEduards Sizovs
 
How to adapt the SDLC to the era of DevSecOps
byZane Lackey
 
Lessons from DevOps: Taking DevOps practices into your AppSec Life
byMatt Tesauro
 
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
byPuppet
 
Software Supply Chain Automation Removes Roadblocks to Rugged DevOps
bySeniorStoryteller
 
Effective approaches to web application security
byZane Lackey
 
Cloud, DevOps and the New Security Practitioner
byAdrian Sanabria
 
DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...
byDevSecCon
 
Security at the Speed of Software Development
byDevOps.com
 
Safely Removing the Last Roadblock to Continuous Delivery
bySeniorStoryteller
 
The business case for contributing code
byZivtech, LLC
 
Making disaster routine
byPeter Varhol
 
DevSecCon Singapore 2018 - Insecurity in information technology by Tanya Janca
byDevSecCon
 

Similar to SDLC & DevSecOps

PPTX
Security Culture from Concept to Maintenance: Secure Software Development Lif...
byDilum Bandara
 
PPT
Software Security Engineering
byMarco Morana
 
PPT
Software Security in the Real World
byMark Curphey
 
PPTX
Microsoft Security Development Lifecycle
byRazi Rais
 
PPTX
Agile and Secure SDLC
byNazar Tymoshyk, CEH, Ph.D.
 
PDF
Managing Application Security Risk in Enterprises - Thoughts and recommendations
byThierry Zoller
 
PPT
3830100.ppt
byazida3
 
PPT
Software security engineering
byAHM Pervej Kabir
 
PPT
Software security engineering
byAHM Pervej Kabir
 
DOCX
Criterion 1A - 4 - MasteryPros and Cons Thoroughly compares the
byCruzIbarra161
 
PDF
AppSec in an Agile World
byDavid Lindner
 
PDF
ACS-security-2821-001 Lecture Note 13.pdf
byMostafa Taghizade
 
PDF
Arved sandstrom - the rotwithin - atlseccon2011
byAtlantic Security Conference
 
PDF
Agile Secure Development
byBosnia Agile
 
PPTX
Integrating Security Across SDLC Phases
byIshrath Sultana
 
PPTX
5 Ways to Reduce 3rd Party Developer Risk
bySecurity Innovation
 
PDF
An Introduction to Secure Application Development
byChristopher Frenz
 
KEY
Application Security Done Right
bypvanwoud
 
PPTX
Дмитро Терещенко, "How to secure your application with Secure SDLC"
bySigma Software
 
PPTX
Week 4.1 Building security into the software development lifecycle copy.pptx
byazida3
 
Security Culture from Concept to Maintenance: Secure Software Development Lif...
byDilum Bandara
 
Software Security Engineering
byMarco Morana
 
Software Security in the Real World
byMark Curphey
 
Microsoft Security Development Lifecycle
byRazi Rais
 
Agile and Secure SDLC
byNazar Tymoshyk, CEH, Ph.D.
 
Managing Application Security Risk in Enterprises - Thoughts and recommendations
byThierry Zoller
 
3830100.ppt
byazida3
 
Software security engineering
byAHM Pervej Kabir
 
Software security engineering
byAHM Pervej Kabir
 
Criterion 1A - 4 - MasteryPros and Cons Thoroughly compares the
byCruzIbarra161
 
AppSec in an Agile World
byDavid Lindner
 
ACS-security-2821-001 Lecture Note 13.pdf
byMostafa Taghizade
 
Arved sandstrom - the rotwithin - atlseccon2011
byAtlantic Security Conference
 
Agile Secure Development
byBosnia Agile
 
Integrating Security Across SDLC Phases
byIshrath Sultana
 
5 Ways to Reduce 3rd Party Developer Risk
bySecurity Innovation
 
An Introduction to Secure Application Development
byChristopher Frenz
 
Application Security Done Right
bypvanwoud
 
Дмитро Терещенко, "How to secure your application with Secure SDLC"
bySigma Software
 
Week 4.1 Building security into the software development lifecycle copy.pptx
byazida3
 

Recently uploaded

PDF
Agentic-Document-Extraction-2026-Presentation.pdf
byTamanna
 
PDF
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
 
PPTX
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
PDF
"Painless Major Upgrade: A Strategy for Updating Large Codebases", Andrii Yat...
byFwdays
 
PDF
Taxonomy Alignment for SDG Tagging - ASHA Case Study
byEnterprise Knowledge
 
PDF
Supercharge Your Copilot-Driven Collaboration with Microsoft 365 Agents SDK
byAntti Koskela
 
PPTX
Jisc Equipment Data Service Update Workshop 3 December 2025
byJisc
 
PPTX
NTG - Data Center Management System Software
byMustafa Kuğu
 
PDF
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
 
PDF
Real-Time AI at Scale Masterclass: Feature Store at Scale
byScyllaDB
 
PDF
EU regulations for the North American book supply chain - Tech Forum 2026
byBookNet Canada
 
PDF
The Enterprise Web3 Landscape - a view from Kaleido based on the past 10 year...
byPeter Broadhurst
 
PPTX
TechSprint WinterHack — Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
 
PDF
Build Next-Gen Spatial & Sensor Workflows: Secure, Scalable Processing in Sno...
bySafe Software
 
PDF
CI CD Observability, Metrics and DORA - Shifting Left and Cleaning Up! - Febr...
byPeter Souter
 
PDF
How to build hackthon projects from ZERO!
byishantyadav1111
 
PDF
Adapt.com Seed Fundraising Deck | The AI Computer for Business
byashley459565
 
PPTX
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
PDF
Real-Time AI Masterclass: Vector Search at Scale
byScyllaDB
 
PDF
Website Redesign Vs Website Refresh, What’s Right for You in 2026?
byAnuj Kumar Singh
 
Agentic-Document-Extraction-2026-Presentation.pdf
byTamanna
 
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
 
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
"Painless Major Upgrade: A Strategy for Updating Large Codebases", Andrii Yat...
byFwdays
 
Taxonomy Alignment for SDG Tagging - ASHA Case Study
byEnterprise Knowledge
 
Supercharge Your Copilot-Driven Collaboration with Microsoft 365 Agents SDK
byAntti Koskela
 
Jisc Equipment Data Service Update Workshop 3 December 2025
byJisc
 
NTG - Data Center Management System Software
byMustafa Kuğu
 
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
 
Real-Time AI at Scale Masterclass: Feature Store at Scale
byScyllaDB
 
EU regulations for the North American book supply chain - Tech Forum 2026
byBookNet Canada
 
The Enterprise Web3 Landscape - a view from Kaleido based on the past 10 year...
byPeter Broadhurst
 
TechSprint WinterHack — Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
 
Build Next-Gen Spatial & Sensor Workflows: Secure, Scalable Processing in Sno...
bySafe Software
 
CI CD Observability, Metrics and DORA - Shifting Left and Cleaning Up! - Febr...
byPeter Souter
 
How to build hackthon projects from ZERO!
byishantyadav1111
 
Adapt.com Seed Fundraising Deck | The AI Computer for Business
byashley459565
 
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
Real-Time AI Masterclass: Vector Search at Scale
byScyllaDB
 
Website Redesign Vs Website Refresh, What’s Right for You in 2026?
byAnuj Kumar Singh
 

SDLC & DevSecOps

  • 1.
    Magnus Klaaborg Stubman, ImprosecA/S Irina Kostina, Microsoft Security Development Lifecycle methodology & DevSecOps
  • 2.
    Equifax breach 2017 Equifax'sCEO and other executives resigned following a backlash over the hack at the company that compromised the data of 143 million people The thieves spent 76 days within Equifax's network before they were detected. $700 million to settle federal and state investigations $425 million to directly help consumers affected by the breach $1.4 billion: Amount Equifax has spent on upgrading its security in the wake of the incident
  • 3.
    In contrast with: SQLInjection : Extracts Starbucks Enterprise Accounting, Financial, Payroll Database Bounty : 4000$ https://hackerone.com/reports/531051
  • 4.
  • 5.
    Development Methodologies SDLC Dev TestDeploy to ProductionDev Dev Deploy to ProductionTest Dev Test Dev Test Dev
  • 6.
    Development Methodologies SDLC Dev TestDeploy to ProductionDev Dev Deploy to ProductionTest Dev Test Dev Test Dev ?
  • 7.
    Development Methodologies SDLC Dev TestDeploy to ProductionDev Dev Deploy to ProductionTest Dev Test Dev Test Dev ? ?
  • 8.
    Development Methodologies SDLC Dev TestDeploy to ProductionDev Dev Deploy to ProductionTest Dev Test Dev Test Dev
  • 9.
    Development Methodologies SDLC Dev TestDeploy to ProductionDev Dev Deploy to Production Test Test Test
  • 10.
    Development Methodologies SDLC Dev TestDeploy to ProductionDev Dev Deploy to Production Test Test Test Training Training
  • 11.
    Development Methodologies SDLC Dev TestDeploy to ProductionDevTraining
  • 12.
  • 13.
  • 14.
  • 15.
  • 16.
  • 17.
  • 18.
  • 19.
  • 20.
    Development Methodologies SDLC How easy/hardis it to get rid of the solution?
  • 21.
    Development Methodologies SDLC How easy/hardis it to get rid of the solution? How easy/hard is it to move the solution?
  • 22.
    Development Methodologies -summarized SDLC • Your mileage may very – one size does not fit all
  • 23.
    Development Methodologies -summarized SDLC • Your mileage may very – one size does not fit all • Waterfall approach may increase reliability, but reduce predictability
  • 24.
    Development Methodologies -summarized SDLC • Your mileage may very – one size does not fit all • Waterfall approach may increase reliability, but reduce predictability • Agile approach may increase predictability, but reduce reliability
  • 25.
    Development Methodologies -summarized SDLC • Your mileage may very – one size does not fit all • Waterfall approach may increase reliability, but reduce predictability • Agile approach may increase predictability, but reduce reliability • Training is a one time cost, and gives value over time
  • 26.
    Development Methodologies -summarized SDLC • Your mileage may very – one size does not fit all • Waterfall approach may increase reliability, but reduce predictability • Agile approach may increase predictability, but reduce reliability • Training is a one time cost, and gives value over time • Ask yourself: • What do you need? • What works in your organization?
  • 27.
    Internal Quality Assurance(QA) SDLC • Definition of Done: • Implemented according to Standards • Unit test cases has been written for all functionality • Documented • Code reviewed by colleague • Documentation review by colleague • dependency-check reports 0 vulnerabilities
  • 32.
  • 33.
    Security – allor nothing?
  • 34.
    Security – allor nothing? • Cost • Productivity hit • Security hit • Horror stories?
  • 35.
    Security – allor nothing? • Cost • Productivity hit • Security hit • Horror stories? • Start over?
  • 36.
    Security – allor nothing? • Cost • Productivity hit • Security hit • Horror stories? • Start over? • The most important step is the first! • Get started • Incremental improvements • Try, try and try again
  • 37.
  • 39.
  • 41.
  • 44.
  • 45.
    Simplicity Silver Bullets • Complexcode • Hard to read • Hard to review
  • 46.
    Simplicity Silver Bullets • Complexcode • Hard to read • Hard to review • Hard to maintain
  • 47.
    Simplicity Silver Bullets • Complexcode • Hard to read • Hard to review • Hard to maintain • Hard to add new features
  • 48.
    Simplicity Silver Bullets • Complexcode • Hard to read • Hard to review • Hard to maintain • Hard to add new features • Hard to replace/deprecate
  • 49.
    Simplicity Silver Bullets • Complexcode • Hard to read • Hard to review • Hard to maintain • Hard to add new features • Hard to replace/deprecate • Lower developer satisfaction
  • 50.
    Simplicity Silver Bullets • Complexcode • Hard to read • Hard to review • Hard to maintain • Hard to add new features • Hard to replace/deprecate • Lower developer satisfaction • Harder to pentest
  • 51.
    Simplicity Silver Bullets • Complexcode • Hard to read • Hard to review • Hard to maintain • Hard to add new features • Hard to replace/deprecate • Lower developer satisfaction • Harder to pentest Expensive!
  • 53.
    Security as aCultural Phenomenon • Policies, guidelines from management → top-down approach
  • 54.
    Security as aCultural Phenomenon • Policies, guidelines from management → top-down approach • Security awareness, security trainings → bottom-up approach
  • 55.
    Security as aCultural Phenomenon • Policies, guidelines from management → top-down approach • Security awareness, security trainings → bottom-up approach • Code review after pentest → teammeeting, walk through vulnerabilities, talk about mitigations pros/cons. No finger pointing, only learning.
  • 56.
    Security as aCultural Phenomenon • Policies, guidelines from management → top-down approach • Security awareness, security trainings → bottom-up approach • Code review after pentest → teammeeting, walk through vulnerabilities, talk about mitigations pros/cons. No finger pointing, only learning. • "What are we doing to prevent this from being abused/exploited?"
  • 57.
    Security as aCultural Phenomenon • OWASP • "Top 10": https://owasp.org/www-project-top-ten/ • Present one topic each once a week, during a lunchmeeting
  • 58.
    Security as aCultural Phenomenon • OWASP • "Top 10": https://owasp.org/www-project-top-ten/ • Present one topic each once a week, during a lunchmeeting
  • 59.
    Security as aCultural Phenomenon • OWASP • "Top 10": https://owasp.org/www-project-top-ten/ • Present one topic each once a week, during a lunchmeeting • Copenhagen: https://owasp.org/www-chapter-copenhagen/ • Aarhus: https://owasp.org/www-chapter-aarhus/
  • 60.
    Silver Bullets -summarized SDLC • Segmentation • Simplicity • Culture
  • 61.
    Provide Training Ensure everyoneunderstands security best practices. Define Security Requirements Continually update security requirements to reflect changes in functionality and to the regulatory and threat landscape. Define Metrics and Compliance Reporting Identify the minimum acceptable levels of security quality and how engineering teams will be held accountable. Perform Threat Modeling Use threat modeling to identify security vulnerabilities, determine risk, and identify mitigations. Establish Design Requirements Define standard security features that all engineers should use. Define and Use Cryptography Standards Ensure the right cryptographic solutions are used to protect data. Manage the Security Risk of Using Third- Party Components Keep an inventory of third- party components and create a plan to evaluate reported vulnerabilities. Use Approved Tools Define and publish a list of approved tools and their associated security checks. Perform Static Analysis Security Testing Analyze source code before compiling to validate the use of secure coding policies. Perform Dynamic Analysis Security Testing Perform run-time verification of fully compiled software to test security of fully integrated and running code. Perform Penetration Testing Uncover potential vulnerabilities resulting from coding errors, system configuration faults, or other operational deployment weaknesses. Establish a Standard Incident Response Process Prepare an Incident Response Plan to address new threats that can emerge over time. Microsoft SDL
  • 62.
    Provide Training Ensure everyoneunderstands security best practices. Define Security Requirements Continually update security requirements to reflect changes in functionality and to the regulatory and threat landscape. Define Metrics and Compliance Reporting Identify the minimum acceptable levels of security quality and how engineering teams will be held accountable. Perform Threat Modeling Use threat modeling to identify security vulnerabilities, determine risk, and identify mitigations. Establish Design Requirements Define standard security features that all engineers should use. Define and Use Cryptography Standards Ensure the right cryptographic solutions are used to protect data. Manage the Security Risk of Using Third- Party Components Keep an inventory of third- party components and create a plan to evaluate reported vulnerabilities. Use Approved Tools Define and publish a list of approved tools and their associated security checks. Perform Static Analysis Security Testing Analyze source code before compiling to validate the use of secure coding policies. Perform Dynamic Analysis Security Testing Perform run-time verification of fully compiled software to test security of fully integrated and running code. Perform Penetration Testing Uncover potential vulnerabilities resulting from coding errors, system configuration faults, or other operational deployment weaknesses. Establish a Standard Incident Response Process Prepare an Incident Response Plan to address new threats that can emerge over time. Microsoft SDL
  • 63.
    #5 : ThreatModeling
  • 64.
  • 65.
    Identify defects as earlyas possible Development Business requirements Operations Users Feedback loop Monitor
  • 66.
  • 67.
    Static Application SecurityTesting https://owasp.org/www-community/Source_Code_Analysis_Tools https://github.com/features/security + • Scales well (only needs the code) • Finds vulnerabilities earlier in the process •Highlights the precise source files, line numbers, subsections of lines - • Many types of security vulnerabilities are difficult to find automatically • High numbers of false positives • Frequently can’t find configuration issues, since they are not represented in the code •Difficult to ‘prove’ that an identified security issue is an actual vulnerability https://sonarcloud.io/
  • 68.
    #10: Dynamic ApplicationSecurity Testing - • Not highly scalable • No code visibility • Slow scans + • Technology independent • Low false positives • Identifies configuration issues https://docs.microsoft.com/en-us/previous-versions/software-testing/cc162782(v=msdn.10) https://www.g2.com/categories/dynamic-application-security-testing-dast https://marketplace.visualstudio.com/search?term=security&target=AzureDevOps&category=All%20categories&sortBy=Relevance
  • 69.
    SAST DAST White boxsecurity testing The tester has access to the underlying framework, design, and implementation. The application is tested from the inside out. This type of testing represents the developer approach. Black box security testing The tester has no knowledge of the technologies or frameworks that the application is built on. The application is tested from the outside in. This type of testing represents the hacker approach. Requires source code. SAST doesn’t require a deployed application. It analyzes the sources code or binary without executing the application. Requires a running application DAST doesn’t require source code or binaries. It analyzes by executing the application. Finds vulnerabilities earlier in the SDLC. The scan can be executed as soon as code is deemed feature-complete. Finds vulnerabilities toward the end of the SDLC Vulnerabilities can be discovered after the development cycle is complete. Less expensive to fix vulnerabilities. Since vulnerabilities are found earlier in the SDLC, it’s easier and faster to remediate them. Findings can often be fixed before the code enters the QA cycle. More expensive to fix vulnerabilities Since vulnerabilities are found toward the end of the SDLC, remediation often gets pushed into the next cycle. Critical vulnerabilities may be fixed as an emergency release. Can’t discover run-time and environment-related issues. Since the tool scans static code, it can’t discover run-time vulnerabilities. Can discover run-time and environment-related issues Since the tool uses dynamic analysis on an application, it is able to find run-time vulnerabilities. Supports all kinds of software. Examples include web applications, web services, and thick clients. Typically scans only apps like web applications and web services. DAST is not useful for other types of software.
  • 71.
    Where do Istart? aka.ms/sdlc Implement Use the implementers’ resources guides to create an implementation plan that advances your SDL maturity. Self-assess Review the self- assessment guide to assess your organization’s current SDL maturity level. Identify Identify where your organization falls on the SDL Optimization Maturity Model.
  • 72.