development process for secure so2ware development
play

Development*Process*for*Secure* So2ware Development Processes ( - PowerPoint PPT Presentation

Mar 03, 2024 •251 likes •598 views

Development*Process*for*Secure* So2ware Development Processes ( Lecture outline ) Emphasis on building secure software as opposed to building security software Major methodologies Microsoft's Security Development Lifecycle

  1. Development*Process*for*Secure* So2ware

  2. Development Processes ( Lecture outline ) • Emphasis on „building secure software” as opposed to „building security software” • Major methodologies – Microsoft's Security Development Lifecycle – OWASP CLASP – Cigital's Security touchpoints • Building Security In Maturity Model – BSIMM 492*

  3. Development Processes ( Lecture outline ) • Emphasis on „building secure software” as opposed to „building security software” • Major methodologies – Microsoft's Security Development Lifecycle – OWASP CLASP – Cigital's Security touchpoints • Building Security In Maturity Model – BSIMM 493*

  4. Microsoft Security Development Cycle • http://www.microsoft.com/security/sdl/default.aspx 494*

  5. Development Processes ( Lecture outline ) • Emphasis on „building secure software” as opposed to „building security software” • Major methodologies – Microsoft's Security Development Lifecycle – OWASP CLASP – Cigital's Security touchpoints • Building Security In Maturity Model – BSIMM 495*

  6. Open Web Application Security Project OWASP https://www.owasp.org/ – Injection • Collect resources – Cross-site Scripting ( XSS ) for Web applications – Broken authentication and session – Top ten security flaws management – Various security testing tools – Insecure direct object references – Cross-site request forgery (CSRF) – Various security control means – Security misconfiguration – Insecure cryptographic storage • e.g., code review guide – Failure to restrict URL access – Insufficient transport layer protection – Unvalidated redirects and forwards • CLASP – Comprehensive Lightweight Application Security Process 496*

  7. Open Web Application Security Project OWASP https://www.owasp.org/ – Injection • Collect resources – Cross-site Scripting ( XSS ) for Web applications – Broken authentication and session – Top ten security flaws management – Various security testing tools – Insecure direct object references – Cross-site request forgery (CSRF) – Various security https://www.owasp.org/index.php/ control means – Security misconfiguration OWASP_Appsec_Tutorial_Series – Insecure cryptographic storage • e.g., code review guide – Failure to restrict URL access – Insufficient transport layer protection – Unvalidated redirects and forwards • CLASP – Comprehensive Lightweight Application Security Process 497*

  8. CLASP https://www.owasp.org/index.php/Category:OWASP_CLASP_Project • Goal : – move security concerns into the early stages of the software development lifecycle, whenever possible • Set of process pieces that can be integrated into any software development process – Introduction to the Concepts behind CLASP to get started – Seven key Best Practices – High-level Security Services (authorisation, authentication, … ) – Core Security Principles – Roles – Activities – Process engineering and roadmaps – Checklisted Coding Guidelines – Vulnerabilities that occur in source code – Searchable Vulnerability Checklist 498*

  9. CLASP Best Practices • Institute awareness programs • Perform application assessments • Capture security requirements • Implement secure development practices • Build vulnerability remediation procedures • Define and monitor metrics • Publish operational security guidelines 499*

  10. CLASP Best Practices • Institute awareness • People should consider programs security to be an important project goal • Perform application • Train all team members assessments • Make people aware of • Capture security security setting requirements • Institute accountability for • Implement secure security issues development practices • Appoint a project security • Build vulnerability officer remediation procedures • Institute rewards for handling of security • Define and monitor metrics issues • Publish operational security guidelines 500*

  11. CLASP Best Practices • Institute awareness programs • Perform application assessments • Capture security • Security analysis of requirements requirements and design • Implement secure – Threat modelling development practices • Source-level security review • Build vulnerability • Security tests remediation procedures • Define and monitor metrics • Publish operational security guidelines 501*

  12. CLASP Best Practices • Institute awareness programs • Treat security requirements • Perform application same way as functional assessments requirements • Capture security • Define security policy requirements • Identify attack surface • Implement secure • Identify resources and trust development practices boundaries • Build vulnerability • Identify misuse cases remediation procedures • Specify operational • Define and monitor metrics environment • Publish operational security guidelines 502*

  13. CLASP Best Practices • Institute awareness programs • Perform application assessments • Annotate classes with • Capture security security properties requirements • Apply principles of secure • Implement secure design development practices • Manage resources • Build vulnerability • Manage contracts and remediation procedures interfaces • Define and monitor metrics • Publish operational security guidelines 503*

  14. CLASP Best Practices • Institute awareness programs • Perform application assessments • Capture security • Address reported security requirements issues • Implement secure • Manage security issue development practices disclosure process • Build vulnerability remediation procedures • Define and monitor metrics • Publish operational security guidelines 504*

  15. CLASP Best Practices • Institute awareness programs • Perform application assessments • Capture security requirements • Select metrics • Implement secure • Collect data development practices • Evaluate results • Build vulnerability remediation procedures • Define and monitor metrics • Publish operational security guidelines 505*

  16. CLASP Best Practices • Institute awareness programs • Perform application assessments • Capture security • Build operational security requirements guide • Implement secure • Specify database security development practices configuration • Build vulnerability remediation procedures • Define and monitor metrics • Publish operational security guidelines 506*

  17. Development Processes ( Lecture outline ) • Emphasis on „building secure software” as opposed to „building security software” • Major methodologies – Microsoft's Security Development Lifecycle – OWASP CLASP – Cigital's Security touchpoints • Building Security In Maturity Model – BSIMM 507*

  18. Seven Security Touchpoints G. McGraw, “Software Security: Building Security In” “All software projects produce at least one artifact: source code” 508*

  19. Seven Security Touchpoints G. McGraw, “Software Security: Building Security In” “All software projects produce at least one artifact: source code” 1. Code review (tools) 5. Abuse analysis 2. Risk analysis 6. Security requirements 3. Penetration test 7. Security attacks 4. Risk-based security test * External analysis 509*

  20. Code review (tools) • Aim: catching implementation bugs early • Tool helps to achieve good code coverage • Aim for good, not perfect 510*

  21. Risk analysis • Create description of • Ambiguity analysis architecture – Discover new risks – Start with one page – Find unclear parts in how the system works – Forest-level view – Trust, data sensitivity, threat • Attack resistance models – Use checklists of known attacks • Weakness analysis – Example: Microsoft STRIDE – Impact of external software • Spoofing, Tampering, dependencies Repudiation, Info disclosure, Denial of service, Elevation of – Platform (hardware, OS) privilege – Frameworks – Called services Combine risks and consider business impact Rank risks Find solutions 511*

  22. Penetration test Attack on a system with the intention of finding security weaknesses, potentially gaining access to it, its functionality and data • Use the source • Use in-house QA department – Otherwise people send time on reverse- – They already know the engineering system system • Apply business – Use tools and training to add security testing skills priorities • Test more than once – Logic flaw vs. XSS flaw – XSS is important if it contributes towards • Incorporate the findings compromising business back into development logic 512*

  23. Risk-based security test • Test based on priorities – Architectural risks – Risks discovered during code review • Test malicious input – Use fuzzing tool 513*

  24. Abuse analysis and Security requirement • Security is not a set of features • How system should react to illegitimate use • Like use cases, but with malicious users 514*

  25. 1. Input validation and 5 . Error Handling Representation 6. Code Quality 2. API Abuse 7. Encapsulation 3. Security Features 4. Time and State * Environment Seven Pernicious Kingdoms * 515 ** Tsipenyuk* et#al., *2005*

  26. External analysis • Unfortunately – Software architects, developers, and testers are largely unaware of the software security problems • Good news – They acknowledge that security problems exists! • Bad news – Barely begun to apply the security solutions 516*

Recommend

Towards Secure and Dependable So2ware-Defined Networks Diego

Towards Secure and Dependable So2ware-Defined Networks Diego

Towards Secure and Dependable So2ware-Defined Networks Diego Kreutz, Fernando M. V. Ramos, Paulo Verssimo LaSIGE/FCUL, University of Lisbon SDN in short

561 views • 30 slides
Toward a Field Study on the Impact of Hacking Competitions on Secure Development Daniel Votipka ,

Toward a Field Study on the Impact of Hacking Competitions on Secure Development Daniel Votipka ,

Toward a Field Study on the Impact of Hacking Competitions on Secure Development Daniel Votipka , Hongyi Hu, Bryan Eastes, and Michelle L. Mazurek 12 Aug 2018 SECURE DEVELOPMENT 2 SECURE DEVELOPMENT 2 SECURE DEVELOPMENT 2 SECURE

565 views • 39 slides
MOTION IN VIRTUAL DEVELOPMENT PROCESS Lothar Teske Toulouse / 07.01.2005 Product

MOTION IN VIRTUAL DEVELOPMENT PROCESS Lothar Teske Toulouse / 07.01.2005 Product

MOTION IN VIRTUAL DEVELOPMENT PROCESS Lothar Teske Toulouse / 07.01.2005 Product Development Process Contents 1 Milestones 2 Development Partner 3 Network 4 Data Management 5 Synchronization Process 6 Development Tools 7 S ummary

892 views • 45 slides
Secure Drupal Development Steven Van den Hout Steven Van den Hout

Secure Drupal Development Steven Van den Hout Steven Van den Hout

Secure Drupal Development Steven Van den Hout Steven Van den Hout @stevenvdhout http://dgo.to/@svdhout SECURE? 1 IS D DRUPAL AL S IS OPEN SOURCE SECURE? MANY EYES MAKE FOR SECURE CODE - Security by obscurity - Open

641 views • 51 slides
Secure UHF Tags with Strong Cryptography Development of ISO/IEC 18000-63 Compatible Secure RFID

Secure UHF Tags with Strong Cryptography Development of ISO/IEC 18000-63 Compatible Secure RFID

Secure UHF Tags with Strong Cryptography Development of ISO/IEC 18000-63 Compatible Secure RFID Tags and Presentation of First Results Walter Hinz, Klaus Finkenzeller, Martin Seysen Barcelona, February 19 th , 2013 Agenda Motivation for

416 views • 26 slides
Cyber Secure Innovation an Oxymoron? Method Park Process Insights - October 2018 Meg Novacek

Cyber Secure Innovation an Oxymoron? Method Park Process Insights - October 2018 Meg Novacek

Cyber Secure Innovation an Oxymoron? Method Park Process Insights - October 2018 Meg Novacek AGENDA 1. Product Development and Innovation 2. Embedded System Development 3. Automotive Cyber Security 4. Conflicts between Innovation &

504 views • 18 slides
CMP Process Development Techniques for New Materials Robert L. Rhoades, Ph.D. ECS 213 th Meeting

CMP Process Development Techniques for New Materials Robert L. Rhoades, Ph.D. ECS 213 th Meeting

CMP Process Development Techniques for New Materials Robert L. Rhoades, Ph.D. ECS 213 th Meeting (Phoenix, AZ) May 19-21, 2008 Outline Background and Industry Drivers Generalized Development Sequence CMP Process Development

418 views • 31 slides
The Development Consent Process The Role of Local Authorities / GLA The Development Consent

The Development Consent Process The Role of Local Authorities / GLA The Development Consent

The Development Consent Process The Role of Local Authorities / GLA The Development Consent Process DEVELOPER PI NS SofS Decision Acceptance Pre-application Exam ination Pre-examination Recom m endation 1 Year + 1 Year Thames Tideway

433 views • 14 slides
Board of Education Headlines Budget Development Process Budget Development Process January 5,

Board of Education Headlines Budget Development Process Budget Development Process January 5,

Board of Education Headlines Budget Development Process Budget Development Process January 5, 2012 Board Policy effective and transparent oversight of the fi fiscal condition of the district and of the l diti f th di t i t d f th

887 views • 35 slides
The Development Consent Process Information event about the application process for Communities

The Development Consent Process Information event about the application process for Communities

The Development Consent Process Information event about the application process for Communities The Development Consent Process DEVELOPER PI NS SofS Decision Acceptance Exam ination Pre-application Pre-examination Recom m endation 1 Year

372 views • 16 slides
The Development Consent Process Information about the application process Current Caseload of

The Development Consent Process Information about the application process Current Caseload of

The Development Consent Process Information about the application process Current Caseload of Nuclear Projects How to take part in the application process The Development Consent Process DEVELOPER PI NS SofS Decision Acceptance

208 views • 16 slides
You CAN Get There from Here: How to Use the Development Approval Process to Improve

You CAN Get There from Here: How to Use the Development Approval Process to Improve

You CAN Get There from Here: How to Use the Development Approval Process to Improve Transportation Options Silicon Valley: Transportation Choices and Healthy Communities Summit March 7, 2015 Development Review Program 1 Outline

430 views • 15 slides
Zoning Ordinance Districts and Development Standards Development Process Committee October 22,

Zoning Ordinance Districts and Development Standards Development Process Committee October 22,

Zoning Ordinance Districts and Development Standards Development Process Committee October 22, 2019 Casey Judge, Carmen Bishop, and Clarion Associates Todays Discussion Zoning and Overlay Districts Development Standards, Parking,

443 views • 19 slides
Innovative products process based development Innosoft Expertise Software development according

Innovative products process based development Innosoft Expertise Software development according

Innovative products process based development Innosoft Expertise Software development according to Computer vision CMMI practices Blockchain IoT Web / high-load systems Our team 20 young professionals We work hard, learn a lot and win

355 views • 22 slides
Software Development Processes The Processes Software Development Process: a Waterfall

Software Development Processes The Processes Software Development Process: a Waterfall

Software Development Processes The Processes Software Development Process: a Waterfall defined by Royce (seventies) structured and progressive refinement Introduced to address the software from idea to an actual system

433 views • 32 slides
Secure Agile Development With FISMA Compliance https://www.fyrmassociates.com/ FYRM Overview

Secure Agile Development With FISMA Compliance https://www.fyrmassociates.com/ FYRM Overview

Secure Agile Development With FISMA Compliance https://www.fyrmassociates.com/ FYRM Overview Qualifications Performance Strategy Experience CPAR 4/4 Secure Agile Respected Partner CMS, DOE Knowledge Sharing FedRAMP

197 views • 16 slides
Improvement of software development process by moving from Rational Unified Process towards Agile

Improvement of software development process by moving from Rational Unified Process towards Agile

UNIVERSITY OF OSLO INF 5181 Process Improvement and Agile Methods in Systems Development Improvement of software development process by moving from Rational Unified Process towards Agile Unified Process Created by Anastasia Poroshina

470 views • 4 slides
The new GNSO Policy Development Process Objective The PDP-WT is

The new GNSO Policy Development Process Objective The PDP-WT is

The new GNSO Policy Development Process Objective The PDP-WT is responsible for developing a new GNSO policy development process that incorporates a working group approach and makes it more effective and

360 views • 17 slides
Quality by Design Process Development Michael Lowenborg Manager, R&D Formulation and Process

Quality by Design Process Development Michael Lowenborg Manager, R&D Formulation and Process

Quality by Design Process Development Michael Lowenborg Manager, R&D Formulation and Process Development DPT Laboratories, LTD Agenda What is QbD and Why do we use it? Process Development via Quality by Design Create a living

399 views • 38 slides
Secure application development with AOP Nils Durner <ndurner@web.de> 1 Outline of the

Secure application development with AOP Nils Durner <ndurner@web.de> 1 Outline of the

Secure application development with AOP Nils Durner <ndurner@web.de> 1 Outline of the talk Introduction to Aspect Oriented Programming Examples for uses of AOP for security AOP & Memory safety Future work 2 What is

870 views • 59 slides
Personal & Professional Development David Csiszar What is Personal Development? The

Personal & Professional Development David Csiszar What is Personal Development? The

Personal & Professional Development David Csiszar What is Personal Development? The process of creating an action plan based on awareness, values, reflection, goal-setting and planning for personal development within the context of a

428 views • 30 slides
The new GNSO Policy Development Process PDP WT Final Report Obj ective The PDP-WT is

The new GNSO Policy Development Process PDP WT Final Report Obj ective The PDP-WT is

The new GNSO Policy Development Process PDP WT Final Report Obj ective The PDP-WT is responsible for developing a new GNS O policy development process that incorporates a working group approach and makes it more effective and

619 views • 17 slides
Development April 22, 2020 2020/2021 Budget Development Agenda Budget Development Process

Development April 22, 2020 2020/2021 Budget Development Agenda Budget Development Process

2020/2021 Budget Development April 22, 2020 2020/2021 Budget Development Agenda Budget Development Process Alignment of Financial Resources A Provincial Perspective A Board Perspective Review of Key Budget Components

936 views • 34 slides
1 Overall Lecture Topics Industry Game Design Before We Proceed Artistic Content

1 Overall Lecture Topics Industry Game Design Before We Proceed Artistic Content

What to Expect These lectures are mainly about the process The Game Development of successfully bringing a game from idea to Process: delivery Major "players" in the process Introduction Steps in the development lifecycle

340 views • 5 slides

More recommend