Smals research 'Secure Application Development Lifecycle - An end to end methodology' by David Tillemans (Smals)

Author: David Tillemans

Uploaded by infosecuritybe, posted 16-Jan-2015

DESCRIPTION

Seminar 'Secure Application Development Lifecycle - An end to end methodology' by David Tillemans (Smals) during Infosecurity.be 2011

TRANSCRIPT

Page 1: Smals research 'Secure Application Development Lifecycle - An end to end methodology' by David Tillemans (Smals)

Author: David Tillemans

Page 2

20/03/11

About Smals vzw-asbl

One of Belgium's largest ICT-organisations:

1660 people

"ICT for Society"

Work: e.g. Dimona-DmfA, salary & labour prestations

Health: e.g. eHealth-platform, secure exchange of medical data in Belgium

Family life: e.g. VESTA, home care for the elderly (financial / operational support)

High priority for ICT Security & Privacy

Page 3

Web Project Life Cycle

• An idea?

• Analysis of functional requirements

• Design of the architecture

• Implementation

Writing of the source code

Java

C#

...

Using a framework

Page 4

Web Project Life Cycle

• Functional testing

• Deployment in production

• ... (2 years go by)

• Hacker comes by

Breaks the application

gives advice

publishes on the internet

steals information

steals money

Page 5

What about security ...

• Idea?

has no security requirements ... (if it is not a security solution)

• Analysis of functional requirements

Non-functional

Architecture solves this ...

• Design of the architecture

Non-functional requirements

Network infrastructure solves this ...

• Developer

Security is not written into the design & analysis

No security guidelines

Page 6

What about security ...

• Functional testing

Tests stay within the boundaries of expected use

No security is considered in tests

• Deployment to Production

No security considered in deployment

Network operations solves this ...

Page 7

What about security ...

• Hacker comes by

Analyses the security of the web application in relation to the business requirements

Reviews the architecture

Verifies the security in the development

Checks the security of the deployment

• Hacks the application

Financial gain

Awards

Political reasons

Exploit of resources

Page 8

Network solves security? Firewalls ...

• Firewalls are always configured to allow web traffic -> HTTP(S)

• Attacker appears to the web application as a normal user

Page 9

Network solves security? SSL secures the application ...

• Server-side SSL only guarantees confidentiality at the transport level

• Attacker also uses the SSL tunnel

Page 10

Secure Software Development Lifecycle

(Diagram: the software artifacts produced along the lifecycle, with the security touchpoints applied to each of them.)

Lifecycle artifacts: Requirements and use cases -> Design -> Test plans -> Code -> Test results -> Field feedback

Security touchpoints:

• Security requirements

• Risk analysis

• Risk-based security tests

• Static analysis (tools)

• Penetration testing

• Design review

• Code review

Page 11

Application Risk Analysis

(Diagram: the application risk analysis process, its inputs and its output.)

• Input: requirement and architecture documentation

Goal of the service

In- & output channels

External factors

• Risk Analysis

Assets identification

Trust levels

Data flow analysis

• Threat Analysis

Identification of the threats

Threat analysis

Risk ranking

Identification of mitigations

• Output: risk analysis document

Page 12

How To

• Security awareness and training program

Analysts: security requirements -> functional requirements; use cases vs misuse cases

Architects & Developers: Data Flow Diagram analysis; attack trees; STRIDE methodology

• Development guidelines publication

• Code Review

Automatic through tools

Manual by penetration testers
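As an added worked example (not code from the Smals deck or from its processes), the following Python sketch carries the risk-analysis steps of slide 11 and the data-flow / STRIDE approach of slide 12 through on a constructed three-element model: assets and trust levels are declared, flows crossing a trust boundary are identified, STRIDE-per-element threats are enumerated, ranked by a simple likelihood x impact score, paired with candidate mitigations and emitted as a risk analysis document. The element names, trust levels, asset values, scoring rule and mitigation table are assumptions made for this example; the STRIDE-per-element mapping follows Microsoft's published threat-modelling guidance.

```python
from dataclasses import dataclass

# STRIDE categories and the STRIDE-per-element mapping (which categories apply
# to each DFD element kind), as published in Microsoft's SDL threat-modelling
# guidance. Everything else in this file (model, scores, mitigations) is
# constructed for the example.
STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}
APPLICABLE = {"external": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID"}

# Illustrative candidate mitigations per category (assumption, not a full catalogue).
MITIGATIONS = {
    "S": "authenticate the peer (strong user authentication, server certificate)",
    "T": "integrity protection plus server-side input validation",
    "R": "tamper-evident audit logging of security-relevant actions",
    "I": "encryption in transit and at rest, least-privilege data access",
    "D": "rate limiting, resource quotas, availability monitoring",
    "E": "authorization enforced on every request, least privilege",
}


@dataclass
class Element:
    name: str
    kind: str    # "external" | "process" | "store"
    trust: int   # trust level: 0 = untrusted internet, higher = more trusted


@dataclass
class Flow:
    src: Element
    dst: Element
    data: str
    asset_value: int   # impact (1..5) if the data on this flow is compromised


@dataclass
class Threat:
    element: str
    category: str
    likelihood: int
    impact: int
    mitigation: str

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact   # assumed ranking rule


def crosses_boundary(flow: Flow) -> bool:
    """A flow between different trust levels crosses a trust boundary."""
    return flow.src.trust != flow.dst.trust


def analyse(elements, flows):
    """Enumerate STRIDE-per-element threats and rank them by likelihood x impact."""
    threats = []
    for e in elements:
        inbound = [f for f in flows if f.dst is e]
        touching = [f for f in flows if e in (f.src, f.dst)]
        # Exposure: the lowest trust level that can reach this element.
        exposure = min([e.trust] + [f.src.trust for f in inbound])
        likelihood = max(1, 4 - exposure)
        impact = max((f.asset_value for f in touching), default=1)
        for cat in APPLICABLE[e.kind]:
            threats.append(Threat(e.name, STRIDE[cat], likelihood, impact, MITIGATIONS[cat]))
    for f in flows:
        if not crosses_boundary(f):
            continue   # flows inside a single trust zone are out of scope here
        likelihood = max(1, 4 - min(f.src.trust, f.dst.trust))
        label = f"{f.src.name} -> {f.dst.name} ({f.data})"
        for cat in APPLICABLE["flow"]:
            threats.append(Threat(label, STRIDE[cat], likelihood, f.asset_value, MITIGATIONS[cat]))
    return sorted(threats, key=lambda t: -t.risk)   # stable: ties keep model order


def risk_document(threats) -> str:
    """Render the ranked threats as a plain-text risk analysis document."""
    lines = ["rank | element | threat | L x I = risk | mitigation"]
    for i, t in enumerate(threats, 1):
        lines.append(f"{i} | {t.element} | {t.category} | "
                     f"{t.likelihood} x {t.impact} = {t.risk} | {t.mitigation}")
    return "\n".join(lines)


def sample_model():
    """Constructed model: a citizen portal with a web tier and a records store."""
    citizen = Element("Citizen browser", "external", trust=0)
    webapp = Element("Web application", "process", trust=1)
    db = Element("Records database", "store", trust=2)
    flows = [
        Flow(citizen, webapp, "login credentials + form data", asset_value=5),
        Flow(webapp, db, "record query", asset_value=4),
        Flow(db, webapp, "medical record", asset_value=5),
    ]
    return [citizen, webapp, db], flows


if __name__ == "__main__":
    elems, fls = sample_model()
    print(risk_document(analyse(elems, fls)))
```

Running the script prints the ranked table; the highest-scoring entries are the internet-facing entity, the web application and the flow from the browser, which is where the deck's later "how to" items (development guidelines, code review, security testing) are then aimed.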

Page 13

How To

• Security Testing

Automatic through tools

Manual by penetration testers

• Secure configuration

• Technology

Web application firewall

• Human Resources

Internal penetration testers (team)

Perform reviews & controls

• Need for management support!

Page 14

Security Integration Processes

• Clearly defined processes according to risks

• Two processes for the security analyses, both modelled in BPMN:

Express

Extended

(Diagram Application-Security-Express-v0.2.igx: BPMN swimlanes for Security Analyst, CSM / CPL, Analyst TO&P, Architect TO&P, Developer SIC, iDeploy and Client, spanning the phases Inception, Elaboration, Construction, Transition and Production. Step labels translated from French and Dutch; estimated effort per step in brackets.)

Express process steps:

Creation of SADV1 - non-functional criteria

Define the requirements / non-functional criteria -> Requirements V1 document

Optional security review of requirements V1 (0.5 day)

Creation of SADV2 - non-functional criteria

Define the requirements / non-functional criteria -> Requirements V2 document

Security review of the architecture, requirements V1 and risk analysis (1.5 days) -> RiSC V1

Processing of feedback -> feedback report

Security review of the architecture, requirements V2 and risk (1.5 days) -> RiSC V2

Processing of feedback -> feedback report

Accepted? Yes / No

Develop the solution

Automated static code analysis reports -> security review of the static code analysis reports (half a day)

Automated penetration test (2 to 3 days) -> automated penetration test reports -> security review of the automated penetration test reports (half a day)

Security configuration tests (1 day) -> security report

Deployment

(Diagram Application-Security-Extended-v0.1.igx: same swimlanes, phases and steps as the Express process, with one additional step.)

Extended process, additional step:

Manual review of the project (>5 days) -> security report

Page 15

Resources ...

• OWASP

Open Web Application Security Program

• Books:

Software Security

Microsoft Secure Development Lifecycle

Enterprise Security Architecture

Page 16

Questions?

Thank you!

www.smals.be