1. How can you deliver a secure product?
Michael Furman, Security Architect

2. The Legend of SDL
● Steve Lipner
 Senior Director of Security Engineering Strategy for Microsoft
 Key person for the Microsoft SDL

3. What will we cover
today?
What is an SDL?
Why is an SDL important?
Sample: Tufin SDL
How can you deliver a secure product?

4. About Me
● >12 years in application security
● >8 years with Tufin – Lead Security Architect
● >20 years in software engineering
● www.linkedin.com/in/furmanmichael/
● ultimatesecpro@gmail.com
● Read my blog
https://ultimatesecurity.pro/tags/presentation/
● Follow me on twitter @ultimatesecpro
● I like to travel, read books and listen to music

5. About
● Market Leader in Security Policy Automation
● Tufin is used by >2000 enterprises
 To segment networks and connect applications
 On-prem networks, firewalls, cloud and K8S
● We are the Security Policy Company!

6. Journey to our SDL
● Resolving security issues? Easy for me!
● Creating a “security” process? Brand new for me!
● Soooo many things to manage ....
 Vulnerabilities discovered by customers
 CVEs
 Upgrading 3rd-party software
 Pen tests
 ... and all the other stuff I did not yet even know about
● Saved by the SDL!
● No need to reinvent the wheel
Picture is from the “Journey to the Center of the Earth” movie.

7. What is an SDL?
● SDL is the process for developing secure software
● Adds security controls in each development phase
SDL = Security Development Lifecycle

8. History of SDL
● Mail of Bill Gates
 From: Bill Gates
 To: to every full-time employee at Microsoft
 Sent: Tuesday, January 15, 2002 5:22 PM
 Subject: Trustworthy computing
● Microsoft shutdown Windows development to handle the security issues
● Microsoft SDL
 v 1.0 - 2004 (internal)
 v 3.2 - 2008 (public)
 v 5.2 - 2012 (recent)
…
Security: The data our software and services store on behalf of our customers
should be protected from harm and used or modified only in appropriate ways.
Security models should be easy for developers to understand and build into their applications.
Photo from yahoo.com

9. Why is an SDL important?
Why
SDL?
• Helps developers build secure software
• Ensures security is enabled out of the box
• Defines how to respond to discovered vulnerabilities

10. SolarWinds Attack - 2020
● First disclosure on December 8th by FireEye – first discovered SolarWinds customer
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-
chain-compromises-with-sunburst-backdoor.html
● Other SolarWinds customers breached: FireEye, U.S. Departments, Microsoft, Cisco, …
https://www.theverge.com/2020/12/21/22194183/intel-nvidia-cisco-government-infected-solarwinds-hack
● Hackers viewed Microsoft source code
https://msrc-blog.microsoft.com/2020/12/31/microsoft-internal-solorigate-investigation-update/
● Joint Statement by the FBI, the CISA, and the ODNI: This work indicates that a Threat,
likely Russian in origin, is responsible for most or all of the recently discovered, ongoing
cyber compromises of both government and non-governmental networks
https://www.fbi.gov/news/pressrel/press-releases/joint-statement-by-the-federal-bureau-of-investigation-
fbi-the-cybersecurity-and-infrastructure-security-agency-cisa-and-the-office-of-the-director-of-national-
intelligence-odni

11. SolarWinds Attack - Solorigate
● Microsoft’s analysis of the attack
https://www.microsoft.com/security/blog/2020/12/18/analyzing-
solorigate-the-compromised-dll-file-that-started-a-sophisticated-
cyberattack-and-how-microsoft-defender-helps-protect/
● The attackers inserted malicious code into DLL
● SolarWinds Orion Platform installed
● The backdoor activates
 Randomly between 12 to 14 days after installation
● Attackers ping the backdoor
● Gathering and sending info
● The backdoor runs commands from attackers
Image from microsoft.com

12. SolarWinds Attack - Solorigate
● > 18,000 SolarWinds customers received the malicious update
● > 1,000 experienced the backdoor ping
● > 200 were hacked
https://www.businessinsider.com/list-of-companies-agencies-at-risk-after-solarwinds-hack-2020-12
● US agencies
 The Office of the President of the United States
 The Department of Defense
 The US Army
 The Federal Reserve
 NASA
 The NSA
 The CDC
 The Department of Justice
● Major companies
 Visa
 AT&T
 PwC
 Lockheed Martin
 CBS
 Cisco
 Comcast
 Ernst & Young
 Hertz
 The New York Times

13. Software Development Life Cycle (SDLC)
Implementation
Requirements Design Verification Release

14. SDL - Shift Left
Implementation
Requirements Design Verification Release

15. Tufin SDL
Implementation
Training Requirements Design Verification Release Response
Security
Design
Security
Classroom
Sessions
Security
Champions
Security
Requirements
SAST
Software
Updates
Peer Reviews
Internal
Security
Scans
DAST
External
Security
Tests
Vulnerabil
ity
Response
Policy

16. Tufin SDL
Implementation
Training Requirements Design Verification Release Response
Security
Design
Security
Classroom
Sessions
Security
Champions
Security
Requirements
SAST
Software
Updates
Peer Reviews
Internal
Security
Scans
DAST
External
Security
Tests
Vulnerabil
ity
Response
Policy

17. Security Training
● Security awareness training for the
Development and QA teams
 The latest security threats, mitigations,
and technologies
 OWASP Top 10 best practices
● Security Champions

18. Security Training
● Q: How can a Security
Champion be successful?
● Tip: Identify and resolve
specific security issues
● Examples of investigations:
 Best way for us to handle
Content Security Policy (CSP)?
 Best way for us to prevent
XML External Entity (XXE) attack?
● Tufin success: OWASP meetup lecture
https://ultimatesecurity.pro/post/xxe-meetup/

19. Tufin SDL
Implementation
Training Requirements Design Verification Release Response
Security
Design
Security
Classroom
Sessions
Security
Champions
Security
Requirements
SAST
Software
Updates
Peer Reviews
Internal
Security
Scans
DAST
External
Security
Tests
Vulnerabil
ity
Response
Policy

20. Security Requirements
● Incorporated into the requirements stage of S/W development
● Why do we want to handle security early?
 Allows us to design a feature and to write test plans which incorporate security requirements
up front
 Saves time for all of us – developer time, QA time, documentation time

21. Design
● Designs of new features are done jointly by both development and security
teams

22. Security Requirements & Design
● Q: How can you ensure Dev & QA handle security?
● Tip: Make it easy - create a security checklist
● Examples
 New API?
• Make sure the API has proper authentication
• Make sure the API has proper authorization
• Implement input validation
 Confidential info not stored as plain text
• Use appropriate encryption or hash algorithms
 Confidential info not stored on a client side
 Confidential info not sent via HTTP GET method
 …

23. Tufin SDL
Implementation
Training Requirements Design Verification Release Response
Security
Design
Security
Classroom
Sessions
Security
Champions
Security
Requirements
SAST
Software
Updates
Peer Reviews
Internal
Security
Scans
DAST
External
Security
Tests
Vulnerabil
ity
Response
Policy

24. Static Application Security Testing (SAST)
● What is SAST?
● Q: Any benefit to scan on each commit?
● Tip: Scan at least weekly
 Daily is the best option
● Your goal: Fix High issues immediately!

25. Software Updates
● All 3rd-party software is regularly updated
● Q: Can I ensure all 3rd-party software is
kept up-to-date without a tool?
 Open-source 3rd-party software
 Commercial 3rd-party software
● Tip: check that recommended upgrades
don’t introduce new vulnerabilities
● Your goal: upgrade to a version without
High or Critical issues!

26. Peer Reviews
● Mandatory for every code change
● Tip: ensure all code changes adhere
to security requirements
 Passwords are not stored in plain text
 Passwords are not stored on client side
 …

27. Tufin SDL
Implementation
Training Requirements Design Verification Release Response
Security
Design
Security
Classroom
Sessions
Security
Champions
Security
Requirements
SAST
Software
Updates
Peer Reviews
Internal
Security
Scans
DAST
External
Security
Tests
Vulnerabil
ity
Response
Policy

28. Internal Security Scans
● What are Internal Security Scans?
● Q: Any benefit to scan on each commit?
● Tip: Scan at least monthly
 Depends on your release cycle
● Your goal: Fix High issues immediately!

29. Internal Security Scans
● Qualys SSL Labs Report – free service
https://www.ssllabs.com/ssltest/
● Tip: Ensure you check the “Do not show the results on the boards”
checkbox

30. Internal Security Scans

31. Dynamic Application Security Testing (DAST)
● What is DAST?
● Q: Any benefit to scan on each commit?
● Tip: Scan at least monthly
 Depends on your release cycle
● Your goal: Fix High issues immediately!

32. Tufin SDL
Implementation
Training Requirements Design Verification Release Response
Security
Design
Security
Classroom
Sessions
Security
Champions
Security
Requirements
SAST
Software
Updates
Peer Reviews
Internal
Security
Scans
DAST
External
Security
Tests
Vulnerabil
ity
Response
Policy

33. External Security Tests
● Why External Security Tests?
● Tips:
 Scan at least annually
• Best each major release
 Ensure to create a valid test scope that covers all areas
• Web UI
• Infrastructure
 Ensure an External Test is added into R&D calendar
● Your goal: fix High issues immediately!
 Coordinate retest after your fixes

34. Tufin SDL
Implementation
Training Requirements Design Verification Release Response
Security
Design
Security
Classroom
Sessions
Security
Champions
Security
Requirements
SAST
Software
Updates
Peer Reviews
Internal
Security
Scans
DAST
External
Security
Tests
Vulnerabil
ity
Response
Policy

35. Vulnerability Response Policy
• A patch will be made available as soon as possible
CRITICAL
HIGH
MEDIUM
LOW
NOT
VULNERABLE
• A fix will be included in the upcoming release
• A fix will be included in a future release
• A fix may be included in a future release
• Nothing to fix

36. Vulnerability Response Policy
● Define a vulnerability response policy
 Document it
● Tip: the policy should be approved on the corporate level
 Affect sales, support, development

37. Rolling out an SDL
● First phase (minimal SDL)
 Vulnerability Response Policy
 Internal Security Scans
• Qualys SSL Labs Report
 Software Updates
• Using a tool
● Second Phase
 External Security Tests
● Third phase
 SAST
● Fourth phase
 DAST

38. Rolling out an SDL
● Ongoing
 Security Requirements & Design
 Security Training
 Security Champions
 Peer Reviews
● Further improvements
 https://www.microsoft.com/en-us/securityengineering/sdl/practices
 …

39. Selecting a tool for any SDL phase
● Perform POC
 Define requirements very well before the POC
● Tools can be commercial or open source
● Tools from the same provider is not essential

40. How can you deliver a secure product?
● Start to roll out an SDL in your organization
● Improve SDL on a regular basis

41. Take Aways
SDL - the framework that ensures secure
software
Roll out an SDL
... And follow it!!!
You will deliver a secure product!

42. Thank You
Contact me
www.linkedin.com/in/furmanmichael/
ultimatesecpro@gmail.com
https://ultimatesecurity.pro/
@ultimatesecpro