SDLC: IMPLEMENT ME OR DIE

Alexey Sintsov @asintsov, DEFCON RUSSIA DC#7812

Upload: defconmoscow

Post on 31-Jul-2015


# SDLC…

-- History, introduction and blah-blah-blah skipped --

HOWTO:

• Secure design
• Secure code
• Stable product
• …

QUALITY => Happy users/customers

# Stages

[Figure: SDL stages diagram, (c) Microsoft Corp.]

# But…

• Agile
• Agile
• Agile
• …

[Figure: SDL for Agile, requirements grouped as Every Sprint / Bucket / Once, (c) Microsoft Corp.]

# Agile: Why SDLC?

• Documentation
• Testing
• Tasks

It’s already included! Just add ‘Security requirements/tests’.

• Development through testing
• Unit tests
• Continuous Integration
• Acceptance tests

User story: User wants to register his account through web-form with login/password

Task 1: Create DB structure
Task 2: Add UI form
Task 3: Add API for creating account
Task X: …

Security Requirements / Security Guides / Retrospective

Security related tasks:
• Store passwords secure (crypto. req.)
• CSRF protection
• ClickJacking protection
• CAPTCHA
• SQLi protection
• Password req.
• … etc …

User wants to register his account: investigation

Security Requirements / Security Guides / Retrospective

RISK ANALYSIS

User story: User wants to register his account through web-form with login/password

Task 1: Create DB structure
Task X: Add second factor auth. mechanism
Task 2: …

Security “things” – tasks can be better than stories!

# Wow, it’s so easy… Let’s do it…

• Online services
• API
• Mobile Apps
• Automotive

• Many different teams
• Different frameworks and languages
• Different attack surfaces, threats and risks
• Agile
• DevOps

# Impossible???

SDLC is not a strict “standard”. Use it as a pack of practices, a list of WHAT can be done; but HOW it can be done is the real state of the art.

So…

• More security things go to dev teams (responsibility)
• Maximum automation
• Manuals, guides and tools can be done by SecTeam
• Etc.: anything fun can be done if it helps…

# Training

• Internal events
• External training sessions

It is impossible to cover all threats, bugs, etc., especially if you have different teams that work with different technologies.

• HERE Architecture and Technology camp
  • Typical issues, stories and best practices
  • HOWTO
  • CTF games

• HERE security support:
  • WIKI
  • IRC
  • Personal team trainings

# Security Requirements

General requirements:

• Code style
  • SQL requests (prepared statements)
  • Input/output validation
  • Mobile App req.
  • etc.

• Data encryption
  • Algorithms
  • PKI, etc.

• Security mitigations and mechanisms
  • HTTPOnly, X-Frame-Options
  • PIE, stack canaries, NX bit… etc.

Based on the general requirements, each team produces its own list of requirements, and then tasks!

# Guides

Patterns/Guides:

• Code
  • How to do auth. with captcha
  • How to read/upload files (work with the file system)
  • etc.

• Sensitive data
  • How to do logging right
  • How to store personal data
  • What is personal data

• DevOps
  • How to deploy a product with secret keys/service passwords…

Based on the guides, each team codes the common things in line with our security requirements.

# SelfCheck lists

Based on the requirements we can provide more detailed self-check lists to teams:

• Have you done SAST?
• What hash alg do you use for storing passwords?
• Are you logging auth. tokens/passwords/credit card numbers?
• Do you have SSL?
• Do you have HTTPOnly/Secure?
• Is your service scanned by a security scanner?

Different check lists for Dev and DevOps, and for design and architecture.
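The deck's idea of "just add security requirements/tests" to the existing Agile testing, and the self-check list above, can be turned into checks a CI job runs on every build. The following is an added example, not code from the talk or from HERE: the `Response` type, the check names and the sample HTTP response are all this example's own constructions.

```python
# Added example (not from the deck): self-check items from the slides written as
# test functions. SAMPLE is a constructed HTTP response, not a real capture.
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class Response:
    url: str
    headers: list  # (name, value) pairs; Set-Cookie may repeat

SAMPLE = Response(
    url="https://example.test/register",
    headers=[
        ("Content-Type", "text/html"),
        ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),  # Secure flag is missing
        ("Set-Cookie", "lang=en; Path=/"),                    # not sensitive, ignored
    ],
)

def header_values(resp, name):
    return [v for n, v in resp.headers if n.lower() == name.lower()]

def check_cookie_flags(resp, sensitive=("session",)):
    """Self-check 'Do you have HTTPOnly/Secure?' for the cookies that matter."""
    findings = []
    for raw in header_values(resp, "Set-Cookie"):
        name, _, rest = raw.partition("=")
        if name.strip() not in sensitive:
            continue
        attrs = {a.strip().lower() for a in rest.split(";")[1:]}
        findings += [f"cookie {name.strip()} lacks {f}" for f in ("httponly", "secure") if f not in attrs]
    return findings

def check_clickjacking(resp):
    """ClickJacking protection: X-Frame-Options or a CSP frame-ancestors directive."""
    csp = header_values(resp, "Content-Security-Policy")
    return bool(header_values(resp, "X-Frame-Options")) or any("frame-ancestors" in v for v in csp)

def check_password_hash(stored):
    """'What hash alg do you use for storing passwords?': accept only slow, salted encodings
    (heuristic on common argon2/bcrypt/pbkdf2 prefixes; a bare hex digest fails)."""
    return stored.startswith(("$argon2", "$2a$", "$2b$", "$pbkdf2", "pbkdf2_"))

def run_self_check(resp):
    """Return check name -> list of findings; an empty list means the check passed."""
    return {
        "tls": [] if urlsplit(resp.url).scheme == "https" else ["URL is not https"],
        "cookie_flags": check_cookie_flags(resp),
        "clickjacking": [] if check_clickjacking(resp) else ["no X-Frame-Options / frame-ancestors"],
    }
```

`run_self_check(SAMPLE)` passes the TLS check but reports the session cookie's missing Secure flag and the absent anti-framing header, which is exactly the kind of finding a team should fix before a GoLive review.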

# Example of Model

[Diagram: “SDLC” on Agile]

SecTeam produces: Requirements, Guides, Tools

Project Team 1 and Project Team 2 each produce: Requirements, Documentation, Design, Code, Security Tests

SecTeam checks: Final Review, Exploratory testing, Anything else…

# HERE Security Team

• Requirements
• Guides
• Support for all Dev teams
• Developing security tools and libs
  • Fuzzers
  • Input validation lib for common frameworks
  • Security scripts, like platform audit
• Providing SecService to teams and working with vendors:
  • WhiteHat
  • Retina
  • Veracode service
  • etc…
• GoLive review
• Incident Response

# GoLive (SDLC Final Security Review)

• Threat/Risk Analysis
• Architecture security review
  • SAST
  • Encryption
  • Design, etc.
• Engineering security review
  • DAST
  • Configurations
  • Logs, etc.
• Privacy review
  • Personal data
  • Government requirements, etc.
• Business continuity review

# GoLive (SDLC Final Security Review): What we want

• Teams understand our security requirements
• Teams produce their own security requirements for their product
• Teams follow our guides
• Teams provide documentation and answered self-check lists

Teams run all security tests and can do self-checks

• Security knowledge stays in teams
• After each GoLive review one team becomes more aware about security

# DevOps

# DevOps + SDLC

• Deployment as part of the security process
• Platform and configuration as a part of the final product

[Diagram: PRODUCT = OS + Services + Code]

# HERE Platform Security as a part of SDLC

With help of DevOps:

Own Cloud platform with all security things

• Box configured secure by default:
  • SSH
  • Apache
  • Iptables
  • Patch management for packages
  • Monitoring system
  • WAF
  • etc.

• Latest images
• Control for security groups
• MFA
• Templates for all accounts
• CloudTrail
• Access key rotation
• Security scanning for all instances
• etc.

+

MAXIMUM AUTOMATION

# So What

• SDLC is not a kind of “standard”; it is just a bunch of ideas and practices
• You can’t download it and use it as-is: you need to understand your environment and business requirements, and implement what you want in whatever way works.
• More checks and responsibilities on the Dev side.
• Agile has enough places for implementing ‘security’; you do not need to change anything, but it requires more knowledge from teams
• SecTeam: control, hack, develop sec tools and support Devs
• DevOps can be a big help for the security process!

# FIN

[email protected] @asintsov