development process for secure so2ware development
play

Development*Process*for*Secure* So2ware Development Processes ( - PowerPoint PPT Presentation

Mar 03, 2024 •251 likes •598 views

Development*Process*for*Secure* So2ware Development Processes ( Lecture outline ) Emphasis on building secure software as opposed to building security software Major methodologies Microsoft's Security Development Lifecycle

  1. Development*Process*for*Secure* So2ware

  2. Development Processes ( Lecture outline ) • Emphasis on „building secure software” as opposed to „building security software” • Major methodologies – Microsoft's Security Development Lifecycle – OWASP CLASP – Cigital's Security touchpoints • Building Security In Maturity Model – BSIMM 492*

  3. Development Processes ( Lecture outline ) • Emphasis on „building secure software” as opposed to „building security software” • Major methodologies – Microsoft's Security Development Lifecycle – OWASP CLASP – Cigital's Security touchpoints • Building Security In Maturity Model – BSIMM 493*

  4. Microsoft Security Development Cycle • http://www.microsoft.com/security/sdl/default.aspx 494*

  5. Development Processes ( Lecture outline ) • Emphasis on „building secure software” as opposed to „building security software” • Major methodologies – Microsoft's Security Development Lifecycle – OWASP CLASP – Cigital's Security touchpoints • Building Security In Maturity Model – BSIMM 495*

  6. Open Web Application Security Project OWASP https://www.owasp.org/ – Injection • Collect resources – Cross-site Scripting ( XSS ) for Web applications – Broken authentication and session – Top ten security flaws management – Various security testing tools – Insecure direct object references – Cross-site request forgery (CSRF) – Various security control means – Security misconfiguration – Insecure cryptographic storage • e.g., code review guide – Failure to restrict URL access – Insufficient transport layer protection – Unvalidated redirects and forwards • CLASP – Comprehensive Lightweight Application Security Process 496*

  7. Open Web Application Security Project OWASP https://www.owasp.org/ – Injection • Collect resources – Cross-site Scripting ( XSS ) for Web applications – Broken authentication and session – Top ten security flaws management – Various security testing tools – Insecure direct object references – Cross-site request forgery (CSRF) – Various security https://www.owasp.org/index.php/ control means – Security misconfiguration OWASP_Appsec_Tutorial_Series – Insecure cryptographic storage • e.g., code review guide – Failure to restrict URL access – Insufficient transport layer protection – Unvalidated redirects and forwards • CLASP – Comprehensive Lightweight Application Security Process 497*

  8. CLASP https://www.owasp.org/index.php/Category:OWASP_CLASP_Project • Goal : – move security concerns into the early stages of the software development lifecycle, whenever possible • Set of process pieces that can be integrated into any software development process – Introduction to the Concepts behind CLASP to get started – Seven key Best Practices – High-level Security Services (authorisation, authentication, … ) – Core Security Principles – Roles – Activities – Process engineering and roadmaps – Checklisted Coding Guidelines – Vulnerabilities that occur in source code – Searchable Vulnerability Checklist 498*

  9. CLASP Best Practices • Institute awareness programs • Perform application assessments • Capture security requirements • Implement secure development practices • Build vulnerability remediation procedures • Define and monitor metrics • Publish operational security guidelines 499*

  10. CLASP Best Practices • Institute awareness • People should consider programs security to be an important project goal • Perform application • Train all team members assessments • Make people aware of • Capture security security setting requirements • Institute accountability for • Implement secure security issues development practices • Appoint a project security • Build vulnerability officer remediation procedures • Institute rewards for handling of security • Define and monitor metrics issues • Publish operational security guidelines 500*

  11. CLASP Best Practices • Institute awareness programs • Perform application assessments • Capture security • Security analysis of requirements requirements and design • Implement secure – Threat modelling development practices • Source-level security review • Build vulnerability • Security tests remediation procedures • Define and monitor metrics • Publish operational security guidelines 501*

  12. CLASP Best Practices • Institute awareness programs • Treat security requirements • Perform application same way as functional assessments requirements • Capture security • Define security policy requirements • Identify attack surface • Implement secure • Identify resources and trust development practices boundaries • Build vulnerability • Identify misuse cases remediation procedures • Specify operational • Define and monitor metrics environment • Publish operational security guidelines 502*

  13. CLASP Best Practices • Institute awareness programs • Perform application assessments • Annotate classes with • Capture security security properties requirements • Apply principles of secure • Implement secure design development practices • Manage resources • Build vulnerability • Manage contracts and remediation procedures interfaces • Define and monitor metrics • Publish operational security guidelines 503*

  14. CLASP Best Practices • Institute awareness programs • Perform application assessments • Capture security • Address reported security requirements issues • Implement secure • Manage security issue development practices disclosure process • Build vulnerability remediation procedures • Define and monitor metrics • Publish operational security guidelines 504*

  15. CLASP Best Practices • Institute awareness programs • Perform application assessments • Capture security requirements • Select metrics • Implement secure • Collect data development practices • Evaluate results • Build vulnerability remediation procedures • Define and monitor metrics • Publish operational security guidelines 505*

  16. CLASP Best Practices • Institute awareness programs • Perform application assessments • Capture security • Build operational security requirements guide • Implement secure • Specify database security development practices configuration • Build vulnerability remediation procedures • Define and monitor metrics • Publish operational security guidelines 506*

  17. Development Processes ( Lecture outline ) • Emphasis on „building secure software” as opposed to „building security software” • Major methodologies – Microsoft's Security Development Lifecycle – OWASP CLASP – Cigital's Security touchpoints • Building Security In Maturity Model – BSIMM 507*

  18. Seven Security Touchpoints G. McGraw, “Software Security: Building Security In” “All software projects produce at least one artifact: source code” 508*

  19. Seven Security Touchpoints G. McGraw, “Software Security: Building Security In” “All software projects produce at least one artifact: source code” 1. Code review (tools) 5. Abuse analysis 2. Risk analysis 6. Security requirements 3. Penetration test 7. Security attacks 4. Risk-based security test * External analysis 509*

  20. Code review (tools) • Aim: catching implementation bugs early • Tool helps to achieve good code coverage • Aim for good, not perfect 510*

  21. Risk analysis • Create description of • Ambiguity analysis architecture – Discover new risks – Start with one page – Find unclear parts in how the system works – Forest-level view – Trust, data sensitivity, threat • Attack resistance models – Use checklists of known attacks • Weakness analysis – Example: Microsoft STRIDE – Impact of external software • Spoofing, Tampering, dependencies Repudiation, Info disclosure, Denial of service, Elevation of – Platform (hardware, OS) privilege – Frameworks – Called services Combine risks and consider business impact Rank risks Find solutions 511*

  22. Penetration test Attack on a system with the intention of finding security weaknesses, potentially gaining access to it, its functionality and data • Use the source • Use in-house QA department – Otherwise people send time on reverse- – They already know the engineering system system • Apply business – Use tools and training to add security testing skills priorities • Test more than once – Logic flaw vs. XSS flaw – XSS is important if it contributes towards • Incorporate the findings compromising business back into development logic 512*

  23. Risk-based security test • Test based on priorities – Architectural risks – Risks discovered during code review • Test malicious input – Use fuzzing tool 513*

  24. Abuse analysis and Security requirement • Security is not a set of features • How system should react to illegitimate use • Like use cases, but with malicious users 514*

  25. 1. Input validation and 5 . Error Handling Representation 6. Code Quality 2. API Abuse 7. Encapsulation 3. Security Features 4. Time and State * Environment Seven Pernicious Kingdoms * 515 ** Tsipenyuk* et#al., *2005*

  26. External analysis • Unfortunately – Software architects, developers, and testers are largely unaware of the software security problems • Good news – They acknowledge that security problems exists! • Bad news – Barely begun to apply the security solutions 516*

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Towards Secure and Dependable So2ware-Defined Networks Diego

Towards Secure and Dependable So2ware-Defined Networks Diego

Towards Secure and Dependable So2ware-Defined Networks Diego Kreutz, Fernando M. V. Ramos, Paulo Verssimo LaSIGE/FCUL, University of Lisbon SDN in short

561 views • 30 slides
Toward a Field Study on the Impact of Hacking Competitions on Secure Development Daniel Votipka ,

Toward a Field Study on the Impact of Hacking Competitions on Secure Development Daniel Votipka ,

Toward a Field Study on the Impact of Hacking Competitions on Secure Development Daniel Votipka , Hongyi Hu, Bryan Eastes, and Michelle L. Mazurek 12 Aug 2018 SECURE DEVELOPMENT 2 SECURE DEVELOPMENT 2 SECURE DEVELOPMENT 2 SECURE

565 views • 39 slides
MOTION IN VIRTUAL DEVELOPMENT PROCESS Lothar Teske Toulouse / 07.01.2005 Product

MOTION IN VIRTUAL DEVELOPMENT PROCESS Lothar Teske Toulouse / 07.01.2005 Product

MOTION IN VIRTUAL DEVELOPMENT PROCESS Lothar Teske Toulouse / 07.01.2005 Product Development Process Contents 1 Milestones 2 Development Partner 3 Network 4 Data Management 5 Synchronization Process 6 Development Tools 7 S ummary

892 views • 45 slides
Secure Drupal Development Steven Van den Hout Steven Van den Hout

Secure Drupal Development Steven Van den Hout Steven Van den Hout

Secure Drupal Development Steven Van den Hout Steven Van den Hout @stevenvdhout http://dgo.to/@svdhout SECURE? 1 IS D DRUPAL AL S IS OPEN SOURCE SECURE? MANY EYES MAKE FOR SECURE CODE - Security by obscurity - Open

641 views • 51 slides
Secure UHF Tags with Strong Cryptography Development of ISO/IEC 18000-63 Compatible Secure RFID

Secure UHF Tags with Strong Cryptography Development of ISO/IEC 18000-63 Compatible Secure RFID

Secure UHF Tags with Strong Cryptography Development of ISO/IEC 18000-63 Compatible Secure RFID Tags and Presentation of First Results Walter Hinz, Klaus Finkenzeller, Martin Seysen Barcelona, February 19 th , 2013 Agenda Motivation for

416 views • 26 slides
Cyber Secure Innovation an Oxymoron? Method Park Process Insights - October 2018 Meg Novacek

Cyber Secure Innovation an Oxymoron? Method Park Process Insights - October 2018 Meg Novacek

Cyber Secure Innovation an Oxymoron? Method Park Process Insights - October 2018 Meg Novacek AGENDA 1. Product Development and Innovation 2. Embedded System Development 3. Automotive Cyber Security 4. Conflicts between Innovation &

504 views • 18 slides
CMP Process Development Techniques for New Materials Robert L. Rhoades, Ph.D. ECS 213 th Meeting

CMP Process Development Techniques for New Materials Robert L. Rhoades, Ph.D. ECS 213 th Meeting

CMP Process Development Techniques for New Materials Robert L. Rhoades, Ph.D. ECS 213 th Meeting (Phoenix, AZ) May 19-21, 2008 Outline Background and Industry Drivers Generalized Development Sequence CMP Process Development

418 views • 31 slides
The Development Consent Process The Role of Local Authorities / GLA The Development Consent

The Development Consent Process The Role of Local Authorities / GLA The Development Consent

The Development Consent Process The Role of Local Authorities / GLA The Development Consent Process DEVELOPER PI NS SofS Decision Acceptance Pre-application Exam ination Pre-examination Recom m endation 1 Year + 1 Year Thames Tideway

432 views • 14 slides
Board of Education Headlines Budget Development Process Budget Development Process January 5,

Board of Education Headlines Budget Development Process Budget Development Process January 5,

Board of Education Headlines Budget Development Process Budget Development Process January 5, 2012 Board Policy effective and transparent oversight of the fi fiscal condition of the district and of the l diti f th di t i t d f th

887 views • 35 slides
The Development Consent Process Information event about the application process for Communities

The Development Consent Process Information event about the application process for Communities

The Development Consent Process Information event about the application process for Communities The Development Consent Process DEVELOPER PI NS SofS Decision Acceptance Exam ination Pre-application Pre-examination Recom m endation 1 Year

372 views • 16 slides
The Development Consent Process Information about the application process Current Caseload of

The Development Consent Process Information about the application process Current Caseload of

The Development Consent Process Information about the application process Current Caseload of Nuclear Projects How to take part in the application process The Development Consent Process DEVELOPER PI NS SofS Decision Acceptance

208 views • 16 slides
You CAN Get There from Here: How to Use the Development Approval Process to Improve

You CAN Get There from Here: How to Use the Development Approval Process to Improve

You CAN Get There from Here: How to Use the Development Approval Process to Improve Transportation Options Silicon Valley: Transportation Choices and Healthy Communities Summit March 7, 2015 Development Review Program 1 Outline

430 views • 15 slides
Zoning Ordinance Districts and Development Standards Development Process Committee October 22,

Zoning Ordinance Districts and Development Standards Development Process Committee October 22,

Zoning Ordinance Districts and Development Standards Development Process Committee October 22, 2019 Casey Judge, Carmen Bishop, and Clarion Associates Todays Discussion Zoning and Overlay Districts Development Standards, Parking,

443 views • 19 slides
Innovative products process based development Innosoft Expertise Software development according

Innovative products process based development Innosoft Expertise Software development according

Innovative products process based development Innosoft Expertise Software development according to Computer vision CMMI practices Blockchain IoT Web / high-load systems Our team 20 young professionals We work hard, learn a lot and win

355 views • 22 slides
Software Development Processes The Processes Software Development Process: a Waterfall

Software Development Processes The Processes Software Development Process: a Waterfall

Software Development Processes The Processes Software Development Process: a Waterfall defined by Royce (seventies) structured and progressive refinement Introduced to address the software from idea to an actual system

433 views • 32 slides
Secure Agile Development With FISMA Compliance https://www.fyrmassociates.com/ FYRM Overview

Secure Agile Development With FISMA Compliance https://www.fyrmassociates.com/ FYRM Overview

Secure Agile Development With FISMA Compliance https://www.fyrmassociates.com/ FYRM Overview Qualifications Performance Strategy Experience CPAR 4/4 Secure Agile Respected Partner CMS, DOE Knowledge Sharing FedRAMP

197 views • 16 slides
the Convection-Permitting Model at JMA Tadashi Fujita, Yoshihiro Ishikawa, Yasutaka Ikuta, Kosuke

the Convection-Permitting Model at JMA Tadashi Fujita, Yoshihiro Ishikawa, Yasutaka Ikuta, Kosuke

Development of the Operational Data Assimilation System for Rapid and Frequent Updates of Forecast with the Convection-Permitting Model at JMA Tadashi Fujita, Yoshihiro Ishikawa, Yasutaka Ikuta, Kosuke Ono, Kensuke Ishii, Koichi Yoshimoto,

307 views • 15 slides
A Challenge Code for Maximizing the Entropy of PUF Responses Olivier Rioul 1 , Patrick Sol 1 ,

A Challenge Code for Maximizing the Entropy of PUF Responses Olivier Rioul 1 , Patrick Sol 1 ,

A Challenge Code for Maximizing the Entropy of PUF Responses Olivier Rioul 1 , Patrick Sol 1 , Sylvain Guilley 1 , 2 and Jean-Luc Danger 1 , 2 1 LTCI, CNRS, Tlcom ParisTech, Universit Paris-Saclay, 75 013 Paris, France. Email:

441 views • 42 slides
Ken Birman i Cornell University. CS5410 Fall 2008. Transactions The most important

Ken Birman i Cornell University. CS5410 Fall 2008. Transactions The most important

Ken Birman i Cornell University. CS5410 Fall 2008. Transactions The most important reliability technology for client server systems Now start an in depth examination of the topic N t t i d th i ti f th t i How

701 views • 49 slides
"T "To a man with a hammer, ith h everything looks like a nail everything looks like

"T "To a man with a hammer, ith h everything looks like a nail everything looks like

Topic 9 Introduction to Recursion I t d ti t R i Underneath the Hood. "T "To a man with a hammer, ith h everything looks like a nail everything looks like a nail" -Mark Twain Mark Twain CS 307 Fundamentals of CS 307

369 views • 14 slides
Status Hardware development of SRS-based readout of Timepix3 at Bonn 2.7.2018 Bonn-Nikhef

Status Hardware development of SRS-based readout of Timepix3 at Bonn 2.7.2018 Bonn-Nikhef

Status Hardware development of SRS-based readout of Timepix3 at Bonn 2.7.2018 Bonn-Nikhef Meeting Scalable Readout System A generic readout system for laboratory and detector instrumentation developed and supported by the RD51 collaboration.

182 views • 7 slides
Full-Year Results 22 August 2013 Agenda Highlights of the Year Tom Gorman, CEO Analysis &

Full-Year Results 22 August 2013 Agenda Highlights of the Year Tom Gorman, CEO Analysis &

Full-Year Results 22 August 2013 Agenda Highlights of the Year Tom Gorman, CEO Analysis & Outlook Zlatko Todorcevski, CFO Strategic Context Tom Gorman, CEO 2 Key Messages Key messages Underlying Profit delivered within guidance

1.09k views • 61 slides
6 th Annual General Meeting 29 June 2018 Disclaimer This presentation shall be read in

6 th Annual General Meeting 29 June 2018 Disclaimer This presentation shall be read in

6 th Annual General Meeting 29 June 2018 Disclaimer This presentation shall be read in conjunction with A- HTRUSTs Annual Report for the financial year ended 31 March 2018 (FY 2017/18 ), a copy of which is available on www.sgx.com or

823 views • 38 slides
3Q 2011 Results 21 October 2011 Disclaimer This presentation may contain forward-looking

3Q 2011 Results 21 October 2011 Disclaimer This presentation may contain forward-looking

CapitaLand Group 3Q 2011 Results 21 October 2011 Disclaimer This presentation may contain forward-looking statements that involve risks and uncertainties. Actual future performance, outcomes and results may differ materially from those

1.04k views • 57 slides

More recommend