secure software development adoption strategy
Page 1
Secure Software Development Adoption Strategy
Narudom Roongsiriwong, CISSP
Page 2
WhoAmI
● Lazy Blogger
– Japan, Security, FOSS, Politics, Christian
– http://narudomr.blogspot.com
● Information Security since 1995
● Web Application Development since 1998
● Head of IT Security and Solution Architecture, Kiatnakin Bank PCL (KKP)
● Consultant for OWASP Thailand Chapter
● Committee Member of Cloud Security Alliance (CSA), Thailand Chapter
● Consulting Team Member for National e-Payment project
● Contact: [email protected]
Page 3
Background
● June 2014 – Invitation from Kiatnakin Bank to discuss how to improve in-house software security.
● August 2014 – 5-day training for KK developers on the concept, requirements, design and implementation of application security
● December 2014 – Joined KK as VP, Head of IT Security, with no team members.
● January 2015 – First report on secure code review, Corporate Internet Banking system
● February 2015 – First release of KK secure coding guideline, adapted from OWASP Testing Guide, PCI DSS and other best practices
● March 2015 – KK SDLC regulation announcement, including secure development life cycle
● May 2015 – KK application log specification released
Page 4
Application Security Training at KK, August 2014
Page 5
What Are Application Security Risks?
Source: OWASP: Open Web Application Security Project
Page 6
OWASP Top 10 2013 Risk
Source: OWASP: Open Web Application Security Project
Page 7
Reduce Security Weaknesses vs Increase Security Controls
● Security controls cannot deal with broken business logic such as A2 (Broken Authentication and Session Management), A4 (Insecure Direct Object References) and A7 (Missing Function Level Access Control)
● Reducing software weaknesses to zero is possible
Page 8
Source: Patrick Thomas (twitter @coffeetocode)
Page 9
Security as an Afterthought
Relative cost of security fixes, based on time of detection
Source: The National Institute of Standards and Technology (NIST)
Implementation Challenges
Page 10
How Can We Start?
Page 11
>>> Set the Goal
● Which level of secure software development do we want to achieve?
– Minimal – OWASP Top 10 Proactive Controls
– Intermediate – Microsoft Security Development Lifecycle
– Expert – OpenSAMM (OWASP’s Software Assurance Maturity Model)
● Is that level sufficient for our business?
● How confident are we that we can achieve that level?
Page 12
Option#1: OWASP Top 10 Proactive Controls
C1: Verify for Security Early and Often
C2: Parameterize Queries
C3: Encode Data
C4: Validate All Inputs
C5: Implement Identity and Authentication Controls
C6: Implement Appropriate Access Controls
C7: Protect Data
C8: Implement Logging and Intrusion Detection
C9: Leverage Security Frameworks and Libraries
C10: Error and Exception Handling
Source: https://www.owasp.org/index.php/OWASP_Proactive_Controls
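C2, C3 and C4 are the three controls a developer meets first, and they are easiest to understand side by side. The following is an added example in Python (not code from the deck, from OWASP or from KK): a deliberately injectable lookup next to its parameterized form, an allowlist validator for the same input, and output encoding applied at the point of rendering. The users table, its rows and the username format are constructed sample data for the example.

```python
import html
import re
import sqlite3


def make_db():
    """Constructed sample data for the example: an in-memory SQLite users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_vulnerable(conn, username):
    """C2 violated: the value is spliced into the SQL text, so a quote in the
    input rewrites the query (the classic A1 injection)."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, username):
    """C2 applied: the driver sends the value separately from the query text,
    so it can only ever be compared as data, never parsed as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Assumed username format for the example: lowercase, 3 to 32 characters.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def validate_username(value):
    """C4 applied: allowlist validation at the trust boundary. Returns the value
    when it matches the expected shape, None otherwise. Validation is a second
    layer; it does not replace parameterization."""
    if isinstance(value, str) and USERNAME_RE.fullmatch(value):
        return value
    return None


def render_greeting(username):
    """C3 applied: encode for the output context (HTML body here) at the point
    of output, regardless of what validation happened earlier."""
    return "<p>Hello, " + html.escape(username, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable   :", find_user_vulnerable(db, payload))     # every row
    print("parameterized:", find_user_parameterized(db, payload))  # no rows
    print("validated    :", validate_username(payload))            # None
    print("encoded      :", render_greeting("<script>alert(1)</script>"))
```

The three functions are independent on purpose: a reviewer checking C2 looks only at how the query is built, a reviewer checking C3 looks only at the rendering path, and neither depends on the validator having run.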
Page 13
Option#2: Security Development Lifecycle
https://www.microsoft.com/en-us/sdl
Page 14
Option#3: OWASP’s Software Assurance Maturity Model
Source: OWASP’s Software Assurance Maturity Model (OpenSAMM)
Page 15
>>> Build A-Team
● Mentors
● Software Security Architects
● Security Designers
● Secure Code Reviewers
● Application Penetration Testers
Page 16
>>> Establish Processes
● Embed security gates in the existing processes
– Project Kick Off
– Requirement Gathering
– Solution Design
– Architecture Review
– Incident Response
● Create additional processes
– Code Review
– Application Penetration Testing
– Production System Security Configuration Review
Page 17
>>> Set Up Baseline
● Desired frameworks, for example
– Java: Spring + Hibernate
– .NET: MVC (Web), Entity Framework
● Development guidelines
– Secure software requirement
– Security patterns
– Standard application log specification
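The deck names a standard application log specification but does not reproduce it. As an added example in Python (not the KK specification and not code from the deck), this shows what such a baseline buys you: one emitter that enforces a required field set and redacts secrets before they reach disk, and a detection routine over the lines it produces, which is the "intrusion detection" half of Proactive Control C8. The field names, the app name and the sample events are assumptions constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed minimum field set for the example; the real KK specification is not on the page.
REQUIRED_FIELDS = ("timestamp", "event", "outcome", "actor", "source_ip", "app")
# Field names that must never reach a log file in clear text.
SENSITIVE_FIELDS = frozenset({"password", "pin", "otp", "session_id", "card_number"})


def format_event(ts, event, outcome, actor, source_ip, app, **extra):
    """Build one JSON log line. Required fields are enforced at the source so
    that detection logic downstream can rely on them; any sensitive extra
    field is redacted rather than trusted to the caller."""
    record = {
        "timestamp": ts.astimezone(timezone.utc).isoformat(),
        "event": event, "outcome": outcome, "actor": actor,
        "source_ip": source_ip, "app": app,
    }
    for key, value in extra.items():
        record[key] = "[REDACTED]" if key.lower() in SENSITIVE_FIELDS else value
    missing = [f for f in REQUIRED_FIELDS if not record.get(f)]
    if missing:
        raise ValueError(f"log record missing required fields: {missing}")
    return json.dumps(record, sort_keys=True)


def failed_login_bursts(lines, threshold=5, window=timedelta(minutes=5)):
    """Detection over the emitted lines: return {source_ip: count} for every
    address with at least `threshold` failed logins inside a sliding `window`."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = json.loads(line)
        if rec["event"] == "login" and rec["outcome"] == "failure":
            by_ip[rec["source_ip"]].append(datetime.fromisoformat(rec["timestamp"]))
    alerts = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), end - start + 1)
    return alerts


def sample_log():
    """Constructed sample: a six-attempt burst from one address, then two
    mistyped passwords and a success from a legitimate user. Addresses are
    from documentation ranges and the app name is made up."""
    t0 = datetime(2015, 5, 1, 9, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(6):
        lines.append(format_event(t0 + timedelta(seconds=20 * i), "login", "failure",
                                  "unknown", "203.0.113.7", "internet-banking",
                                  password="hunter2"))  # redacted before it is written
    for i in range(2):
        lines.append(format_event(t0 + timedelta(minutes=i), "login", "failure",
                                  "bob", "198.51.100.4", "internet-banking"))
    lines.append(format_event(t0 + timedelta(minutes=3), "login", "success",
                              "bob", "198.51.100.4", "internet-banking"))
    return lines


if __name__ == "__main__":
    log = sample_log()
    print(log[0])
    print(failed_login_bursts(log))  # {'203.0.113.7': 6}
```

The point of fixing the field set centrally is that the detection code can index on `event`, `outcome` and `source_ip` without a per-application parser; the point of redacting in the emitter is that a developer who passes a credential into the log call by mistake does not create an incident.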
Page 18
>>> Introduce Design Concept
● Need to Know
● Least Privilege
● Separation of Duties
● Defense in Depth
● Fail Secure / Fail Safe
● Economy of Mechanism
● Complete Mediation
● Open Design
● Least Common Mechanism
● Psychological Acceptability
● Leveraging Existing Components
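Several of these principles are easiest to recognise in a small authorization layer. The following is an added example in Python (not code from the deck or from KK) in which least privilege is the default-deny policy, complete mediation is the decorator that checks every call, fail secure is the decision function that answers "no" on any error, economy of mechanism is that there is exactly one such function, and separation of duties is enforced inside the approval operation. The roles, permissions and principals are hypothetical and constructed for the example.

```python
from functools import wraps


class AccessDenied(Exception):
    """Raised on every refused access, so a caller cannot silently proceed."""


# Assumed policy for the example (hypothetical roles and permissions).
# Least privilege: each role gets only what is listed here; everything else is denied.
POLICY = {
    "teller": {"account:read"},
    "supervisor": {"account:read", "transfer:approve"},
}


class Principal:
    def __init__(self, name, role):
        self.name = name
        self.role = role


def is_permitted(principal, permission):
    """Economy of mechanism: one small decision function used everywhere.
    Fail secure: a missing role, an unknown permission or an internal error
    all evaluate to False; there is no path that grants by accident."""
    try:
        return permission in POLICY.get(principal.role, frozenset())
    except Exception:
        return False


def requires(permission):
    """Complete mediation: the check runs on every invocation of the wrapped
    operation, with no cached 'already authorized' state to bypass."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(principal, *args, **kwargs):
            if not is_permitted(principal, permission):
                raise AccessDenied(f"{principal.name} lacks {permission}")
            return fn(principal, *args, **kwargs)
        return wrapper
    return decorator


@requires("account:read")
def read_balance(principal, account):
    return account["balance"]


@requires("transfer:approve")
def approve_transfer(principal, transfer):
    """Separation of duties: whoever requested a transfer may never approve
    it, even when their role carries the approve permission."""
    if transfer["requested_by"] == principal.name:
        raise AccessDenied("separation of duties: requester cannot approve own transfer")
    return {**transfer, "status": "approved", "approved_by": principal.name}


def outcome(fn, principal, *args):
    """Run an operation and report ('allowed', result) or ('denied', reason)."""
    try:
        return ("allowed", fn(principal, *args))
    except AccessDenied as exc:
        return ("denied", str(exc))


if __name__ == "__main__":
    teller = Principal("tan", "teller")
    boss = Principal("nok", "supervisor")
    transfer = {"id": 42, "amount": 1000, "requested_by": "nok"}
    print(outcome(read_balance, teller, {"balance": 500}))
    print(outcome(approve_transfer, teller, transfer))
    print(outcome(approve_transfer, boss, transfer))
    print(outcome(approve_transfer, boss, {**transfer, "requested_by": "tan"}))
```

Note what is deliberately absent: no "admin bypass" flag, no per-endpoint opt-out, and no role that is granted permissions implicitly. Those are the places where A7 (missing function level access control) usually enters a code base.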
Page 19
Set Security Checkpoint
● Business Requirement Sign Off
● Solution Architect Review
● Code Review
● Application Penetration Testing
● Change Advisory Board
Page 20
>>> Share Knowledge
Page 21
>>> Lead the Change
The Big Opportunity
For example: using John P. Kotter’s “Eight Steps to Transforming Your Organization”
Page 22
Lessons Learned
● Teaching developers security is easier than teaching security people software development.
● Keys to secure software development adoption
– Repeat design concepts regularly
– Use security patterns
– Set security checkpoints
– Guide developers in fixing security bugs
– Get top management support