Secure Development: Models And Best Practices - OWASP

Transcription

OWASP BeNeLux 2017, 23/11/2017
Secure Development: Models and Best Practices
Bart De Win, Bart.DeWin@owasp.org
OWASP Benelux 2017 - Secure Development Training
Secure Development Training by Bart De Win

Bart?
- Bart De Win, Ph.D.
- 20 years experience in secure software development
- Belgian OWASP chapter co-leader
- SAMM contributor, evangelist and co-leader
- Author of 60 publications
- Director & security consultant @ PwC BE, Bart.de.win@pwc.com

This training?
- Software Assurance maturity models
- Secure Development in agile development
- Hands-on: SAMM analysis of your enterprise using SAMM 1.5
- Tips and tricks for practical SDLC
- Sneak preview of SAMM 2.0

Timing
09h30 – 11h00: Training
11h00 – 11h30: coffee break
11h30 – 13h00: Training
13h00 – 14h00: lunch
14h00 – 15h30: Training
15h30 – 16h00: coffee break
16h00 – 17h30: Training

Rules of the House
- Turn off mobile phones
- Interactive training
- Specific discussions about company practices don't leave this room

Today's Agenda
1. Introduction to SDLC and SAMM
2. Applying SAMM
   - Methodology
   - Assessment Governance
   - Assessment Construction
   - Assessment Verification
   - Assessment Operations
   - Setting Improvement Targets
3. Secure Agile development
4. SDLC Tips and tricks
5. Wrap-up

Application Security Problem
[diagram: Quality (ISO 25010), Software complexity, Technology stacks, Cost, Requirements?, Speed of Delivery; "75% of vulnerabilities are application ..." (rest of the figure text unreadable)]

Application Security Symbiosis
[figure]

Application Security during ... [figure: lifecycle phases including Deploy and Maintain, plotted against Cost]

The State-of-Practice in Secure Software Development
[figure: Analyse → Design → Implement → Test (Arch review) → Deploy (Pentest) → Maintain, i.e. "Penetrate & Patch"]
Problematic, since:
- Focus on bugs, not flaws
- Penetration can cause major harm
- Not cost efficient
- No security assurance
  - All bugs found?
  - Bug fix fixes all occurrences? (also future?)
  - Bug fix might introduce new security vulnerabilities

SDLC
- Enterprise-wide software security improvement program
- Strategic approach to assure software quality
- Goal is to increase systematicity
- Focus on security functionality and security hygiene

SDLC Cornerstones (SecAppDev 2013)
[diagram with four cornerstones: People, Process, Tools & Components, Standards & Guidelines; items: Roles & Responsibilities, Activities, Deliverables, Control Gates, Risk, Training, Knowledge, Compliance, Transfer methods, Development support, Assessment tools, Management tools]

Strategic?
1. Organizations with a proper SDLC will experience an 80 percent decrease in critical vulnerabilities
2. Organizations that acquire products and services with just a 50 percent reduction in vulnerabilities will reduce configuration management and incident response costs by 75 percent each.

Does it really work?
[figure]

SDLC-related initiatives
- Touchpoints
- Microsoft SDL

So what about Waterfall?
[figure]

So what about Agile?
[figure]

Software Assurance
[figure: "But is ... Is NOT ..." (figure text partly unreadable)]

Why a Maturity Model?
- An organization's behavior changes slowly over time
- Changes must be iterative while working toward long-term goals
- There is no single recipe that works for all organizations
- A solution must enable risk-based choices tailored to the organization
- Guidance related to security activities must be prescriptive
- A solution must provide enough details for non-security people
- Overall, must be simple, well-defined, and measurable
OWASP Software Assurance Maturity Model (SAMM): https://www.owasp.org/index.php/OWASP_SAMM_Project

SAMM 101 – Introduction to the model
Core model document

SAMM Business Functions
- Start with the core activities tied to any organization performing software development
- Named generically, but should resonate with any developer or manager

SAMM Security Practices
- From each of the Business Functions, 3 Security Practices are defined
- The Security Practices cover all areas relevant to software security assurance
- Each one is a 'silo' for improvement

Under each Security Practice
- Three successive Objectives under each Practice define how it can be improved over time
- This establishes a notion of a Level at which an organization fulfills a given Practice
- The three Levels for a Practice: [figure]

Check out this one.
[figure: a practice page from the model document]

Per Level, SAMM defines:
- Objective
- Activities
- Results
- Success Metrics
- Costs
- Personnel
- Related Levels

Applying the model
How-to guide

Assessment process
[figure]

Assessment worksheets
[figure]

Intermezzo – how to measure
How well?

Assessment Toolbox
[figure]

Creating Scorecards
- Gap analysis: capturing scores from detailed assessments versus expected performance levels
- Demonstrating improvement: capturing scores from before and after an iteration of assurance program build-out
- Ongoing measurement: capturing scores over consistent time frames for an assurance program that is already in place

Roadmap templates
- To make the "building blocks" usable, SAMM defines Roadmap templates for typical kinds of organizations:
  - Independent Software Vendors
  - Online Service Providers
  - Financial Services Organizations
  - Government Organizations
- Organization types chosen because:
  - They represent common use-cases
  - Each organization has variations in typical software-induced risk
  - Optimal creation of an assurance program is different for each

SAMM vs. BSIMM
- Prescriptive vs. Descriptive
- Open vs. Closed
- Low Watermark vs. High Watermark

Today's Agenda (as above)

Before you begin
- Organizational Context
- Realistic Goals?
- Scope?
- Constraints (budget, timing, resources)
- Affinity with a particular model?

What's your Company Maturity?
- In terms of IT strategy and application landscape
- In terms of software development practices
  - Analysis, Design, Implementation, Testing, Release, Maintenance
  - Structured vs. ad-hoc development
- In terms of ITSM practices
  - Configuration, Change, Release, Vulnerability Management
[diagram: Company Maturity → Feasibility → SDLC Program]

Complicating factors, anyone?
- Different development teams
- Different technology stacks
- Business-IT alignment issues
- Outsourced development
- ...

Continuous Improvement with SAMM
Quick start guide

Prepare
1. Purpose: Ensure a proper start of the project
2. Activities:
   - Define the scope (uniform unit(s))
   - Identify stakeholders
   - Spread the word

Assess
1. Purpose: Identify and understand the maturity of the 12 practices for the chosen scope
2. Activities:
   - Evaluate current practices
   - Determine maturity level

Set the Target
1. Purpose: Develop a target score to guide you in future improvements
2. Activities:
   - Define the target
   - Estimate overall impact

Define the plan
1. Purpose: Define or update the plan to take you to the next level
2. Activities:
   - Determine change schedule
   - Develop/update the roadmap plan

Implement
1. Objective: Work the plan
2. Activities:
   - Implement activities

Roll-out
1. Objective: Ensure improvements are available and effectively used
2. Activities:
   - Evangelize improvements
   - Measure effectiveness

[figure]

Governance
Business Function
[figure: 12 Security Practices]

Strategy & Metrics
1. Goal is to establish a software assurance framework within an organisation
   - Foundation for all other SAMM practices
2. Characteristics:
   - Measurable
   - Aligned with business risk
3. Driver for continuous improvement and financial guidance
[figure: ... vs. ...]

Strategy & Metrics
[figure: practice levels]

Policy & Compliance
1. Goal is to understand and adhere to legal and regulatory requirements
   - Typically external in nature
   - This is often a very informal practice in organisations!
2. Characteristics
   - Organisation-wide vs. project-specific
   - Scope
3. Important driver for software security requirements

Policy & Compliance
[figure: practice levels]

Education & Guidance
1. Goal is to disseminate security-oriented information to all stakeholders involved in the software development lifecycle
   - By means of standards, trainings, ...
2. To be integrated with the organisation's training curriculum
   - A once-off effort is not sufficient
   - Teach a fisherman to fish
3. Technical guidelines form the basis for several other practices

Education & Guidance
[figure: practice levels]

Assessment Exercise
- Use SAMM to evaluate the development practices in your own company
- Focus on the Governance Business Function
- Applicable to both Waterfall and Agile models
- Using distributed sheets and questionnaires (toolbox)

Assessment wrap-up
- What's your company's score?
- What's the average score for the group?
- Any odd ratings?

Construction
Business Function
[figure: 12 Security Practices]

Threat Assessment
1. The goal of this practice is to focus on the attacker perspective of things
   - To make sure that security is not only functionality-driven
   - Remember that software security ... white ... black [figure text partly unreadable]
2. Very common practice in safety-critical systems
   - Less so in others
3. This is where "the magic" kicks in
   - Your imagination is the limit

Threat Assessment
[figure: practice levels]

Security Requirements
1. Goal is to make security specification more explicit
   - Turn security into a positively-spaced problem
2. Sources of security requirements:
   - Compliance
   - Risk
   - Functionality
   - Quality
3. Requirements should be specified in a S.M.A.R.T. way

Security Requirements
[figure: practice levels]

Secure Architecture
1. Key practice for security
   - Poor decisions at this step can have major impact, and are often difficult (or costly) to fix.
2. Characteristics
   - Take into account security principles
   - Risk is a factor of all components (incl. 3rd party)
3. Use proven solutions
   - Don't roll your own crypto
   - Use company standards and best practices

Secure Architecture
[figure: practice levels]

Assessment Exercise
- Use SAMM to evaluate the development practices in your own company
- Focus on the Construction Business Function
- Applicable to both Waterfall and Agile models
- Using distributed sheets and questionnaires (toolbox)

Assessment wrap-up
- What's your company's score?
- What's the average score for the group?
- Any odd ratings?

Verification
Business Function
[figure: 12 Security Practices]

Design Review
Assess and validate artifacts to understand protection mechanisms
[figure: security assessment of attack surface, software design and architecture, progressing through three levels]
- Software design security review: lightweight activities
- Formal inspection of data flows & security mechanisms
- Enforcement of baseline expectations for conducting design assessments and reviewing findings before releases are accepted
- Cross-check security design best practices
- Ensure known risks are covered

Design Review
[figure: practice levels]

Implementation Review
Assessment of source code:
- Start
  - Vulnerability discovery
  - Lightweight checklists
  - Inspect critical software
  - Related mitigation activities
  - Establish secure coding baseline
- Improve
  - Will require tool investment: language specific, basic open source tooling
- Mature
  - Automation
  - Increase coverage / efficacy
  - Integrate in development
  - Produce audit evidence
  - Test & production release gates
  - Commercial tools maturing
Process & education important!

Implementation Review
[figure: practice levels]

Security Testing
Detect vulnerabilities & misconfigurations
- Based on security & compliance requirements / checklist of common vulnerabilities
- Manual testing can be done, scaled with tooling: intercepting proxy and/or scanner (dynamic security testing)
- Detected defects will require validation, risk analysis & recommendations to fix
- Automate to repeat tests for each release (penetration testing automation)
- Introduce security test-driven development
- Test results to be reported to & accepted by owner for each deployment

Security Testing
[figure: practice levels]

Assessment Exercise
- Use SAMM to evaluate the development practices in your own company
- Focus on the Verification Business Function
- Applicable to both Waterfall and Agile models
- Using distributed sheets and questionnaires (toolbox)

Assessment wrap-up
- What's your company's score?
- What's the average score for the group?
- Any odd ratings?

Operations
Business Function
[figure: 12 Security Practices]

Issue Management
Prepare for WHEN, not IF!
- Symptoms of malfunctioning SDLC
- Handling vulnerability reports and operational incidents
- Lightweight assignment of roles
- Formal incident response & communication process
- Use vulnerability metrics and root-cause analysis to improve SDLC
- SPOC per team & security response team
- Communication & information flow is key!
- Patch release process & responsible/legal disclosure

Issue Management
[figure: practice levels]

Environment Hardening
- Underlying infrastructure hardening & patching
- Track (3rd party) libraries & components (OWASP Top 10 – A9 – Using Known Vulnerable Components)
- Add WAF layer (virtual patching): ModSecurity
[diagram: malicious and legitimate web traffic arriving on port 80, filtered by the WAF in front of the web server]

Environment Hardening
[figure: practice levels]

Operational Enablement
- Support users & operators
- Security documentation!
- Feed/document application security logs into SIEM
- Lightweight documentation: operational security guides
- Change management & end-to-end deployment integrity
- Even more important for outsourced development!

Operational Enablement
[figure: practice levels]

Assessment Exercise
- Use SAMM to evaluate the development practices in your own company
- Focus on the Deployment Business Function
- Applicable to both Waterfall and Agile models
- Using distributed sheets and questionnaires (toolbox)

Assessment wrap-up
- What's your company's score?
- What's the average score for the group?
- Any odd ratings?

Setting the Target/Roadmap
1. Roadmap templates can provide direction for targets
   - What type of company are you?
2. Take into account the company's risk appetite
3. Only include activities where you see added value for the company, even for lower levels
4. SAMM activities have dependencies – use them!
5. Think about links with other practices in the company
   - E.g., training, release management, ...

Staged Roadmap
Security Practices / Phase (four values per practice, three phase totals; only the rows below are readable in the transcription):
- Security Requirements: 0,5 | 1,5 | 2 | 3
- Secure Architecture: 0,5 | 1,5 | 2 | 3
- Design Review: 0 | 1 | 2 | 2,5
- Environment Hardening: 2,5 | 2,5 | 2,5 | 2,5
- Operational Enablement: 0,5 | 0,5 | 1,5 | 3
- Strategy & Metrics, Policy & Compliance, Education & Guidance, Threat Assessment, Code Review, Security Testing, Vulnerability Management: values unreadable
- Total Effort per Phase: 7,5 | 7,5 | 7,5
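The scorecard arithmetic behind the "Creating Scorecards" slide (gap analysis, before/after comparison) and the staged roadmap table above, as an added worked example in Python. This is not the SAMM assessment toolbox and not code from the training; the scoring rule in score_practice is a simplified assumption (a level counts as reached when all of its questions are answered yes, as half reached when at least half are, and levels must be reached in order), and the sample roadmap is constructed from the five readable rows of the slide's table.

```python
"""Scorecard, gap analysis and staged-roadmap helper in the style of a SAMM
assessment. Added example; not OWASP SAMM toolbox code. Scoring rule below
is a simplified assumption, not the toolbox's exact weighting."""

from typing import Dict, List

STEP = 0.5          # SAMM scores move in half-level steps between 0 and 3
MAX_LEVEL = 3.0


def score_practice(answers: Dict[int, List[bool]]) -> float:
    """Derive one practice's maturity score from yes/no answers per level.

    `answers` maps level (1, 2, 3) to the answers for that level's questions.
    Assumed rule: a level is fully reached when every question is 'yes', half
    reached when at least half are, and a level only counts once the previous
    level is complete.
    """
    score = 0.0
    for level in (1, 2, 3):
        questions = answers.get(level, [])
        if not questions:
            break
        fraction = sum(questions) / len(questions)
        if fraction == 1.0:
            score = float(level)
            continue            # full level reached, look at the next one
        if fraction >= 0.5:
            score = level - STEP
        break                   # partial level: higher levels do not count
    return score


def validate_roadmap(roadmap: Dict[str, List[float]]) -> List[str]:
    """Report rows whose values are not valid SAMM scores or that regress between phases."""
    problems = []
    for practice, levels in roadmap.items():
        for i, value in enumerate(levels):
            if not 0.0 <= value <= MAX_LEVEL or (value / STEP) != int(value / STEP):
                problems.append(f"{practice}: {value} in column {i} is not a valid SAMM score")
            if i > 0 and value < levels[i - 1]:
                problems.append(f"{practice}: target drops from {levels[i - 1]} to {value} in phase {i}")
    return problems


def gap_analysis(current: Dict[str, float], target: Dict[str, float]) -> Dict[str, float]:
    """Gap per practice between the assessed score and the expected performance level."""
    return {p: round(target[p] - current[p], 2) for p in current}


def effort_per_phase(roadmap: Dict[str, List[float]]) -> List[float]:
    """Sum of level increases per phase across practices (the 'Total Effort per Phase' row).

    Each row is [start score, phase 1 target, phase 2 target, ...].
    """
    n_phases = len(next(iter(roadmap.values()))) - 1
    return [round(sum(row[i] - row[i - 1] for row in roadmap.values()), 2)
            for i in range(1, n_phases + 1)]


# Constructed sample: the five rows readable in the slide's staged roadmap table.
SAMPLE_ROADMAP = {
    "Security Requirements":  [0.5, 1.5, 2.0, 3.0],
    "Secure Architecture":    [0.5, 1.5, 2.0, 3.0],
    "Design Review":          [0.0, 1.0, 2.0, 2.5],
    "Environment Hardening":  [2.5, 2.5, 2.5, 2.5],
    "Operational Enablement": [0.5, 0.5, 1.5, 3.0],
}


if __name__ == "__main__":
    current = {p: row[0] for p, row in SAMPLE_ROADMAP.items()}
    final = {p: row[-1] for p, row in SAMPLE_ROADMAP.items()}
    print("validation:", validate_roadmap(SAMPLE_ROADMAP) or "ok")
    print("gap to end state:", gap_analysis(current, final))
    print("effort per phase:", effort_per_phase(SAMPLE_ROADMAP))
    # Constructed answers for one practice: level 1 complete, level 2 half done.
    print("example score:", score_practice({1: [True, True], 2: [True, False], 3: [False]}))
```

The validation step is the part worth keeping in any real roadmap spreadsheet: a target that decreases between phases, or a value such as 1.3 that is not a half-level, is almost always a data-entry error, and catching it before the effort totals are computed avoids a misleading "Total Effort per Phase" row.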

Improvement Exercise
- Define a target for your company and the phased roadmap to get there
- Focus on the most urgent/heavy-impact practices first
- Try balancing the complexity and effort of the different step-ups

Conclusion: Applying SAMM
Lightweight assessment of 12 security practices
Your thoughts:
- Representative summary?
- New insights learned?
- Anything not covered?

Today's Agenda (as above)

Agile Models: Scrum
[figure]

Agile & Secure development: a mismatch?
Agile Dev.             | Security
Speed & Flexibility    | Stable & Rigorous
Short cycles           | Extra activities
Limited documentation  | Extensive analysis
Functionality-driven   | Non-functional

Secure Agile is enablement, rather than control
[figure: scalability]

Secure Agile – Where's the difference?
[diagram: the SDLC Cornerstones from SecAppDev 2013: People, Process, Tools & Components, Standards & Guidelines, with their items]

Secure Agile: general principles
- Make security a natural part of the process, but don't overdo
- Lightweight, in-phase and iterative
- Preventive and detective controls
- Be involved at key moments in the process
- Leverage important agile concepts
- Small steps at a time (i.e. continuous improvement)

User Stories
- Capture security requirements, policies and regulations in user stories
  - Simple, concrete and actionable
  - Reusable?
- Mark all user stories with security labels
- Integrate security into user stories as:
  - Definition of Done
  - Acceptance criteria

Threat Modelling & Abuser Stories
- Consider writing application security risks as stories
- Security stories: "As a developer, I want to prevent SQLi into my application"
  - Not a real user story (not relevant for the product owner, but to help the development team)
  - Never really finished
- Thinking like the bad guy: "User X should not have access to this type of data"
  - Think about what users don't want to and can't do, how to trust users, what data is involved, ...

Sprint Planning
- Features to be implemented per sprint are selected during sprint planning.
- Ensure security tasks are not "stuck" on the backlog
  - Presence of a security-savvy person during sprint planning
  - Establish rules upfront to deal with security stories
  - Security labels can be used to drive selection

Example: MS SDL-Agile
- Basic approach: fit SDL tasks to the backlog as non-functional stories
  - Non-Technical vs. Technical
  - Requirement vs. Recommendation
- Each SDL task goes in one of three types of requirements:
  - Every Sprint
  - Bucket
  - One Time

Example: Every-Sprint Requirements (excerpt)
- All team members must have had security training in the past year
- All database access via parameterized queries
- Fix security issues identified by static analysis
- Mitigate against Cross-Site Request Forgery
- Update threat models for new features
- Use secure cookies over HTTPS
- Link all code with the /nxcompat linker option
- Encrypt all secrets such as credentials, keys and passwords
- Conduct internal security design review

Example: Bucket Requirements (excerpt)
- Bucket A: Security Verification
  - Perform fuzzing (network/ActiveX/File/RPC/...)
  - Manual and automated code review for high-risk code
  - Penetration testing
- Bucket B: Design Review
  - Conduct a privacy review
  - Complete threat model training
- Bucket C: Planning
  - Define or update the security/privacy bug bar
  - Define a BC/DR plan
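The every-sprint requirement "All database access via parameterized queries" is the one a reviewer can check mechanically in every pull request, so here is what the rule is protecting against, as an added example in Python with SQLite (not code from the training or from the Microsoft SDL). The table, the two lookup functions and the sample name containing an apostrophe are constructed for the example.

```python
"""String-built query beside its parameterized form. Added example; the
users table and the sample values are constructed, not from the training."""

import sqlite3
from typing import List


def build_db() -> sqlite3.Connection:
    """Constructed sample data in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("O'Brien", "user")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[str]:
    """The input is pasted into the SQL text, so it can change the statement's
    structure. Kept here only to show the defect the requirement removes."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> List[str]:
    """The input is bound as a value; the statement structure is fixed at
    coding time, so quotes in the data stay data."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Constructed legitimate value containing a quote character.
SAMPLE_NAME = "O'Brien"


def vulnerable_breaks(name: str = SAMPLE_NAME) -> bool:
    """True when the string-built query no longer parses for this input.
    A value that breaks parsing can, with more care, rewrite the WHERE clause
    instead: the same mechanism is what SQL injection relies on."""
    conn = build_db()
    try:
        lookup_vulnerable(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


def parameterized_result(name: str = SAMPLE_NAME) -> List[str]:
    """The parameterized lookup returns exactly the rows whose name equals the input."""
    return lookup_parameterized(build_db(), name)


if __name__ == "__main__":
    print("string-built query breaks on O'Brien:", vulnerable_breaks())
    print("parameterized query finds:", parameterized_result())
```

A static-analysis rule that flags f-strings, `%` formatting or `+` concatenation inside an `execute()` call is the cheap way to enforce this every sprint; the "Fix security issues identified by static analysis" requirement on the same slide is what makes that finding a blocker rather than a suggestion.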

Example: One-Time Requirements (excerpt)
- Create a baseline threat model
- Establish a security response plan
- Identify your team's security expert
- Use latest compiler versions

Security testing
- Automated testing is an important element in agile quality control
- For security, this can be realized by:
  - Unit testing (e.g., authorisation checks, logging, ...)
  - Regression testing
  - Static analysis (SAST) based on coding guidelines
  - Dynamic analysis (DAST) based on scenarios and/or vulnerability tests
  - Fuzzing
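What "unit testing of authorisation checks and logging" looks like in practice, as an added example in Python (not code from the training): a deny-by-default role check, a table of expected decisions that doubles as the regression test, and a test that denied attempts reach the audit log. The policy, roles, actions and log line format are assumptions for the example.

```python
"""Security unit tests for an authorisation check and its audit logging.
Added example; POLICY, the roles/actions and the log format are assumed."""

import logging
from typing import Dict, List, Set

# Assumed role-based policy: role -> allowed actions. Anything absent is denied.
POLICY: Dict[str, Set[str]] = {
    "admin":   {"read", "write", "delete", "export"},
    "analyst": {"read", "export"},
    "viewer":  {"read"},
}

AUDIT = logging.getLogger("audit")
AUDIT.addHandler(logging.NullHandler())   # keep test runs quiet when no sink is configured


class ListHandler(logging.Handler):
    """Captures formatted audit records so tests can assert on them."""

    def __init__(self) -> None:
        super().__init__()
        self.records: List[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.records.append(self.format(record))


def is_allowed(role: str, action: str) -> bool:
    """Deny by default: unknown roles and unknown actions are refused, and
    every refusal is written to the audit log."""
    allowed = action in POLICY.get(role, set())
    if not allowed:
        AUDIT.warning("denied role=%s action=%s", role, action)
    return allowed


# Expectation table: one row per (role, action, expected decision). It is the
# regression test that stops a later policy edit from silently widening access.
EXPECTED = [
    ("admin",   "delete",   True),
    ("analyst", "read",     True),
    ("analyst", "delete",   False),
    ("viewer",  "export",   False),
    ("guest",   "read",     False),   # role not in the policy at all
    ("admin",   "shutdown", False),   # action not in the policy at all
]


def run_authz_tests() -> List[str]:
    """Return one line per mismatch; an empty list means the policy behaves as documented."""
    return [f"{role}/{action}: expected {expected}"
            for role, action, expected in EXPECTED
            if is_allowed(role, action) != expected]


def denied_attempts_are_logged() -> bool:
    """A denied call must produce exactly one audit record; an allowed call none."""
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(message)s"))
    AUDIT.addHandler(handler)
    AUDIT.setLevel(logging.WARNING)
    try:
        is_allowed("viewer", "delete")
        is_allowed("viewer", "read")
        return handler.records == ["denied role=viewer action=delete"]
    finally:
        AUDIT.removeHandler(handler)


if __name__ == "__main__":
    print("authorisation failures:", run_authz_tests() or "none")
    print("denials audited:", denied_attempts_are_logged())
```

Both checks are fast enough to sit in the daily unit-test run the deck describes; the expectation table is the artefact to extend whenever a user story adds a role or an action, which is also where the "security labels" on stories pay off.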

Thou shalt use Iteration Zero
- Many agile projects start with an "Iteration Zero" to
  - Get the team together
  - Choose tools and frameworks
  - Get to know the domain
- This is an opportunity for security too, to
  - Assign security responsibles
  - Select security tools
  - Determine risk levels

Secure Agile process: key take-aways
- Ensure that security-savvy people are involved at important phases:
  - Sprint planning (to enhance/verify requirements)
  - Development (daily follow-up)
  - Review (to support acceptance)
  - Retrospective (to improve dev. practices for security)
- Different profiles can be distinguished:
  - Security architect
  - Security engineer
  - Risk Manager/Governance

Secure Agile Tool Chain: general principles
- Secure agile is about enabling, rather than controlling
- Embedding security tools to support development
- Given short sprint cycles, automation is important. Good tools:
  - Work continuously (to avoid developers being blocked)
  - Integrate well into the developer's world
  - Avoid causing too much overhead or confusion
- Evaluate carefully which tools to implement (and which to avoid)

Secure Coding
- Integrate security tools in the development IDEs:
  - Support for secure coding guidelines
  - Static analysis tools
- Ensure a common development environment:
  - Programming run-time
  - Security components (e.g., SSO IdPs, ...)
  - Proper source control and versioning

Security testing
Daily            | Per sprint        | Before release
Unit tests       | Regression tests  | Fuzzing
Static analysis  | Dynamic analysis  | Penetration testing
                 | Peer reviews      |
Integrated with backlogs where appropriate

Secure Build
- Central build, using central configuration files
- Consider:
  - Code signing
  - Obfuscation
  - ...

Secure Deploy / DevOps
- Automated deploy, using central configuration files
- Consider:
  - Random key generation
  - Appropriate key/certificate protection (config files, key stores, ...)
  - Proper hardening of application servers
  - Security appliance configuration (e.g., WAF)
  - Security monitoring
  - ...

Hybrid models
- Many companies are combining waterfall and agile
- Studies indicate better resulting quality
- For security, easier to hook into
  - E.g., full architecture cycle

Best Practices / Lessons Learned
- Use small steps at a time – the agile way
- Build on agile concepts (backlog, retrospective)
- Find a way to prioritize security in the planning
- Use automation as much as possible
- Review samples independent of project sprints
- Rely on security champions
  - E.g., security requirements, design review, code review
- Agile should not be an excuse for not having documentation

Today's Agenda (as above)
