SlideShare a Scribd company logo

Bringing Security Testing to Development: How to Enable Developers to Act as Security Experts

Achim D. Brucker
Achim D. Brucker

Security testing is an important part of any security development life-cycle (SDLC) and, thus, should be a part of any software development life-cycle. We will present SAP's Security Testing Strategy that enables developers to find security vulnerabilities early by applying a variety of different security testing methods and tools. We explain the motivation behind it, how we enable global development teams to implement the strategy, across different SDLCs and report on our experiences.

Software
1 of 31
Download to read offline
Bringing Security Testing to Development How to Enable Developers to Act as Security Experts
Background: SAP SE • SAP SE – Business Software Vendor – Over 68000 employees – Worldwide development • Myself – Security Testing Strategist – Researcher – Working in the central Software Security Team 2
De-centralized Secure Development Model Central Security Expert Team • S2DL Owner • Organizes security trainings • Defines product standard ``Security'‘ • Defines risk and threat assessment methods • Defines security testing strategy • Selects and provides security testing tools • Validates products • Defines and executes response process Local Security Experts • Embedded into dev. teams • Organize local security activities • Support developers and architects • Support product owners/responsibles 3 Development Teams • Select technologies • Select development model • …
MOTIVATION
Vulnerability Distribution 0 500 1000 1500 2000 2500 3000 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 Code Execution DoS Overflow Memory Corruption Sql Injection XSS Directory Traversal Bypass something Gain Privileges CSRF 5 Source: www.cvedetails.com
When Do We Fix Bugs?
Microsoft’s SDL 7
RISK BASED SECURITY TESTING AS PART OF SAP’S S2DL
Our Start: SAST as Baseline ABAP 42% C/C++ 13% Java 30% JavaScript 7% Others 8%  Mandatory since 2010 for all products  Multiple billons lines analyzed  Constant improvements: – tool configuration (e.g., based on feedback from development, validation, response) – new tools and methods Language Tool Vendor ABAP CVA (SLIN_SEC) SAP C/C++ Coverity Coverity JavaScript, Ruby Checkmarx Checkmarx Others Fortify HP
Are We Done? • SAST Advantages – Early in Development – Wide range of vuln. Types – Good fix instructions • SAST Limitations – Quality depends on programming language used – Usually covers only one layer of the application stack Client Application Web Browser Server Application Runtime Container Backend Systems
Are We Done? • SAST Advantages – Early in Development – Wide range of vuln. Types – Good fix instructions • SAST Limitations – Quality depends on programming language used – Usually covers only one layer of the application stack Client Application Web Browser Server Application Runtime Container Backend Systems Checkmarx (JavaScript) Fortify (Java) Coverity (C/C++)
Are We Done? • SAST Advantages – Early in Development – Wide range of vuln. Types – Good fix instructions • SAST Limitations – Quality depends on programming language used – Usually covers only one layer of the application stack Client Application Web Browser Server Application Runtime Container Backend Systems Checkmarx (JavaScript) Fortify (Java) DOMinator Coverity (C/C++) HPWebInspect
Are We Done? • SAST Advantages – Early in Development – Wide range of vuln. Types – Good fix instructions • SAST Limitations – Quality depends on programming language used – Usually covers only one layer of the application stack Client Application Web Browser Server Application Runtime Container Backend Systems Fortify (Java) DOMinator Checkmarx HPWebInspect
How To Select The Best Tools
Example: Security Test Plan • Mobile Device • Risk: Attacker might inject JavaScript (XSS) • Security Control 1: Use only UI5 controls • Assumption: SAP Kapsel with SMP and Afaria – Test: Static Code Analysis using Checkmarx » Justification: recommended tool » Expected Coverage: all client-side JavaScript code » Expected Effort: 10min per development day (ramp-up not included) • Security Control 2: use only SSL connections with valid certificates – Test 1: Static Code Analysis for finding non-https connections » Justification: low effort, already included in test for Security Control 1 » Expected Coverage: all client-side JavaScript code » Expected Effort: included in effort for scans for Security Control 1 – Test 2: Manual test with invalid certs (e.g., self-signed, own CA) » Justification: no automated tool available, self-signed certificates allowed during development » Expected Coverage: all https connections used for accessing the Web Server » Expected Effort: ½ day towards the end of development • Web Server / Web Application (…)
Example: Security Test Report • Mobile Device • Risk: Attacker might inject JavaScript (XSS) • Security Control 1: Use only UI5 controls • Assumption: SAP Kapsel with SMP and Afaria – Test: Static Code Analysis using Checkmarx » Result: no issues » Actual Coverage: all client-side JavaScript code » Actual Effort: total effort 2 days (15min per day, instead of expected 10) • Security Control 2: use only SSL connections with valid certificates – Test 1: Static Code Analysis for finding non-https connections » Result: exempted one issue » Actual Coverage: all client-side JavaScript code » Actual Effort: included in effort for scans for Security Control 1 – Test 2: Manual test with invalid certs (e.g., self-signed, own CA) » Expected Coverage: all https connections used for accessing the Web Server » Expected Effort: ½ day towards the end of development • Web Server / Web Application (…)
SAP’s S2DL
Security Validation • Acts as first customer • Is not a replacement for security testing during development • Security Validation – Check for “flaws” in the implementation of the S2DL – Ideally, security validation finds: • No issues that can be fixed/detected earlier • Only issues that cannot be detect earlier (e.g., insecure default configurations, missing security documentation) • Note, penetration tests in productive environments are different: – They test the actual configuration – They test the productive environment (e.g., cloud/hosting)
How to Measure Success • Analyze the vulnerabilities reported by – Security Validation – External security researchers • Vulnerability not detected by our security testing tools – Improve tool configuration – Introduce new tools • Vulnerability detected by our security testing tools – Vulnerability in older software release – Analyze reason for missing vulnerability
How to Measure Success • Analyze the vulnerabilities reported by – Security Validation – External security researchers • Vulnerability not detected by our security testing tools – Improve tool configuration – Introduce new tools • Vulnerability detected by our security testing tools – Vulnerability in older software release – Analyze reason for missing vulnerability Success criteria: Percentage of vulnerabilities not covered by our security testing tools increases
LESSONS LEARNED
Key Success Factor • A holistic security awareness program for – Developers – Managers
Key Success Factor • A holistic security awareness program for – Developers – Managers • Yes, security awareness is important - but
Key Success Factor • A holistic security awareness program for – Developers – Managers • Yes, security awareness is important - but Developer awareness is even more important!
Listen to Your Developers! • Building a secure system more difficult than finding a successful attack. • Do not expect your developers to become penetration testers (or security experts)! We are often talking about a lack of security awareness and, by that, forget the problem of lacking development awareness.
Security Testing for Developers • Security testing tools for developers, need to – Be applicable from the start of development – Automate the security knowledge – Be deeply integrated into the dev. env., e.g., • IDE (instant feedback) • Continuous integration – Provide easy to understand fix recommendations – Declare their “sweet spots”
Collaborate! Security experts need to collaborate with development experts to – Create easy to use security APIs (ever tried to use an SSL API securely) – Create languages and frameworks that make it hard to implement insecure systems – Explain how to program securely
CONCLUSION
Conclusion • Secure software development is a – Prerequisite for the secure and compliant operation: We need SecDevOps! – Risk of operating and maintaining IT systems • Security requires an end-to-end approach – Training of developers, architects, product owners – Security testing during development – Validation of your security testing efforts – Maintenance and security patch management • Developers are your most important ally - Make life easy for them
Thank You Contact Details: • Achim D. Brucker www.brucker.ch achim.brucker@sap.com • Stephen Hookings stephen.hookings@sap.com • Dimitar Yanev dimitar.yanev@sap.com 33
Bibliography • http://www.sap.com/security • Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmann.ea-security-testing-2014 • Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. http://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014

Recommended

Implementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsImplementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in Jenkins
Suman Sourav
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
abhimanyubhogwan
 
A Successful SAST Tool Implementation
A Successful SAST Tool ImplementationA Successful SAST Tool Implementation
A Successful SAST Tool Implementation
Checkmarx
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLC
Suman Sourav
 
DevSecOps-OWASP Indonesia Day 2017
DevSecOps-OWASP Indonesia Day 2017DevSecOps-OWASP Indonesia Day 2017
DevSecOps-OWASP Indonesia Day 2017
Suman Sourav
 
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSourceDevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevOps Indonesia
 
Dev seccon london 2016 intelliment security
Dev seccon london 2016 intelliment securityDev seccon london 2016 intelliment security
Dev seccon london 2016 intelliment security
DevSecCon
 
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOpsDevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
Suman Sourav
 

Recommended

Implementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsImplementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in Jenkins
Suman Sourav
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
abhimanyubhogwan
 
A Successful SAST Tool Implementation
A Successful SAST Tool ImplementationA Successful SAST Tool Implementation
A Successful SAST Tool Implementation
Checkmarx
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLC
Suman Sourav
 
DevSecOps-OWASP Indonesia Day 2017
DevSecOps-OWASP Indonesia Day 2017DevSecOps-OWASP Indonesia Day 2017
DevSecOps-OWASP Indonesia Day 2017
Suman Sourav
 
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSourceDevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevOps Indonesia
 
Dev seccon london 2016 intelliment security
Dev seccon london 2016 intelliment securityDev seccon london 2016 intelliment security
Dev seccon london 2016 intelliment security
DevSecCon
 
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOpsDevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
Suman Sourav
 
DevSecOps outline
DevSecOps outlineDevSecOps outline
DevSecOps outline
Nickleus Jimenez
 
A journey from dev ops to devsecops
A journey from dev ops to devsecopsA journey from dev ops to devsecops
A journey from dev ops to devsecops
Veritis Group, Inc
 
Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud
Suman Sourav
 
Turning security into code by Jeff Williams
Turning security into code by Jeff WilliamsTurning security into code by Jeff Williams
Turning security into code by Jeff Williams
DevSecCon
 
ABN AMRO DevSecOps Journey
ABN AMRO DevSecOps JourneyABN AMRO DevSecOps Journey
ABN AMRO DevSecOps Journey
Derek E. Weeks
 
Integrating security into Continuous Delivery
Integrating security into Continuous DeliveryIntegrating security into Continuous Delivery
Integrating security into Continuous Delivery
Tom Stiehm
 
A Secure DevOps Journey
A Secure DevOps JourneyA Secure DevOps Journey
A Secure DevOps Journey
Veracode
 
Veracode Automation CLI (using Jenkins for SDL integration)
Veracode Automation CLI (using Jenkins for SDL integration)Veracode Automation CLI (using Jenkins for SDL integration)
Veracode Automation CLI (using Jenkins for SDL integration)
Dinis Cruz
 
Unit testing : what are you missing for security
Unit testing : what are you missing for securityUnit testing : what are you missing for security
Unit testing : what are you missing for security
Suman Sourav
 
Agile Network India | DevSecOps - The What and the Why | Ritesh Shregill
Agile Network India | DevSecOps - The What and the Why | Ritesh ShregillAgile Network India | DevSecOps - The What and the Why | Ritesh Shregill
Agile Network India | DevSecOps - The What and the Why | Ritesh Shregill
AgileNetwork
 
Application Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleApplication Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio Scale
Jeff Williams
 
OWASP Top 10 practice workshop by Stanislav Breslavskyi
OWASP Top 10 practice workshop by Stanislav BreslavskyiOWASP Top 10 practice workshop by Stanislav Breslavskyi
OWASP Top 10 practice workshop by Stanislav Breslavskyi
Nazar Tymoshyk, CEH, Ph.D.
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
Threat Stack
 
Agile and Secure Development
Agile and Secure DevelopmentAgile and Secure Development
Agile and Secure Development
Nazar Tymoshyk, CEH, Ph.D.
 
Dev week cloud world conf2021
Dev week cloud world conf2021Dev week cloud world conf2021
Dev week cloud world conf2021
Archana Joshi
 
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
DevSecCon
 
The path of secure software by Katy Anton
The path of secure software by Katy AntonThe path of secure software by Katy Anton
The path of secure software by Katy Anton
DevSecCon
 
Securing the container DevOps pipeline by William Henry
Securing the container DevOps pipeline by William HenrySecuring the container DevOps pipeline by William Henry
Securing the container DevOps pipeline by William Henry
DevSecCon
 
Security as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development LifecycleSecurity as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development Lifecycle
Nazar Tymoshyk, CEH, Ph.D.
 
Renato Rodrigues - Security in the wild
Renato Rodrigues - Security in the wildRenato Rodrigues - Security in the wild
Renato Rodrigues - Security in the wild
DevSecCon
 
[ITAS.VN]CxSuite Enterprise Edition
[ITAS.VN]CxSuite Enterprise Edition[ITAS.VN]CxSuite Enterprise Edition
[ITAS.VN]CxSuite Enterprise Edition
ITAS VIETNAM
 
Graph Visualization - OWASP NYC Chapter
Graph Visualization - OWASP NYC ChapterGraph Visualization - OWASP NYC Chapter
Graph Visualization - OWASP NYC Chapter
Checkmarx
 

More Related Content

What's hot

Application Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleApplication Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio Scale
Jeff Williams
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
Threat Stack
 

What's hot (20)

DevSecOps outline
DevSecOps outlineDevSecOps outline
DevSecOps outline
 
A journey from dev ops to devsecops
A journey from dev ops to devsecopsA journey from dev ops to devsecops
A journey from dev ops to devsecops
 
Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud
 
Turning security into code by Jeff Williams
Turning security into code by Jeff WilliamsTurning security into code by Jeff Williams
Turning security into code by Jeff Williams
 
ABN AMRO DevSecOps Journey
ABN AMRO DevSecOps JourneyABN AMRO DevSecOps Journey
ABN AMRO DevSecOps Journey
 
Integrating security into Continuous Delivery
Integrating security into Continuous DeliveryIntegrating security into Continuous Delivery
Integrating security into Continuous Delivery
 
A Secure DevOps Journey
A Secure DevOps JourneyA Secure DevOps Journey
A Secure DevOps Journey
 
Veracode Automation CLI (using Jenkins for SDL integration)
Veracode Automation CLI (using Jenkins for SDL integration)Veracode Automation CLI (using Jenkins for SDL integration)
Veracode Automation CLI (using Jenkins for SDL integration)
 
Unit testing : what are you missing for security
Unit testing : what are you missing for securityUnit testing : what are you missing for security
Unit testing : what are you missing for security
 
Agile Network India | DevSecOps - The What and the Why | Ritesh Shregill
Agile Network India | DevSecOps - The What and the Why | Ritesh ShregillAgile Network India | DevSecOps - The What and the Why | Ritesh Shregill
Agile Network India | DevSecOps - The What and the Why | Ritesh Shregill
 
Application Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleApplication Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio Scale
 
OWASP Top 10 practice workshop by Stanislav Breslavskyi
OWASP Top 10 practice workshop by Stanislav BreslavskyiOWASP Top 10 practice workshop by Stanislav Breslavskyi
OWASP Top 10 practice workshop by Stanislav Breslavskyi
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
 
Agile and Secure Development
Agile and Secure DevelopmentAgile and Secure Development
Agile and Secure Development
 
Dev week cloud world conf2021
Dev week cloud world conf2021Dev week cloud world conf2021
Dev week cloud world conf2021
 
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
 
The path of secure software by Katy Anton
The path of secure software by Katy AntonThe path of secure software by Katy Anton
The path of secure software by Katy Anton
 
Securing the container DevOps pipeline by William Henry
Securing the container DevOps pipeline by William HenrySecuring the container DevOps pipeline by William Henry
Securing the container DevOps pipeline by William Henry
 
Security as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development LifecycleSecurity as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development Lifecycle
 
Renato Rodrigues - Security in the wild
Renato Rodrigues - Security in the wildRenato Rodrigues - Security in the wild
Renato Rodrigues - Security in the wild
 

Viewers also liked

Happy New Year!
Happy New Year!Happy New Year!
Happy New Year!
Checkmarx
 
Application Security Management with ThreadFix
Application Security Management with ThreadFixApplication Security Management with ThreadFix
Application Security Management with ThreadFix
Virtual Forge
 

Viewers also liked (10)

[ITAS.VN]CxSuite Enterprise Edition
[ITAS.VN]CxSuite Enterprise Edition[ITAS.VN]CxSuite Enterprise Edition
[ITAS.VN]CxSuite Enterprise Edition
 
Graph Visualization - OWASP NYC Chapter
Graph Visualization - OWASP NYC ChapterGraph Visualization - OWASP NYC Chapter
Graph Visualization - OWASP NYC Chapter
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby Steps
 
Security Tests as Part of CI - Nir Koren, SAP - DevOpsDays Tel Aviv 2015
Security Tests as Part of CI - Nir Koren, SAP - DevOpsDays Tel Aviv 2015Security Tests as Part of CI - Nir Koren, SAP - DevOpsDays Tel Aviv 2015
Security Tests as Part of CI - Nir Koren, SAP - DevOpsDays Tel Aviv 2015
 
Application Security Guide for Beginners
Application Security Guide for Beginners Application Security Guide for Beginners
Application Security Guide for Beginners
 
Happy New Year!
Happy New Year!Happy New Year!
Happy New Year!
 
Application Security Management with ThreadFix
Application Security Management with ThreadFixApplication Security Management with ThreadFix
Application Security Management with ThreadFix
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journey
 
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
DevSecOps Singapore 2017 - Security in the Delivery PipelineDevSecOps Singapore 2017 - Security in the Delivery Pipeline
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
 
DevOps & Security: Here & Now
DevOps & Security: Here & NowDevOps & Security: Here & Now
DevOps & Security: Here & Now
 

Similar to Bringing Security Testing to Development: How to Enable Developers to Act as Security Experts

Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...
Achim D. Brucker
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product Security
SoftServe
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
David Lindner
 
Security Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLCSecurity Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLC
Rahul Raghavan
 
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
gealehegn
 
Dev opsandsecurity owasp
Dev opsandsecurity owaspDev opsandsecurity owasp
Dev opsandsecurity owasp
Helen Bravo
 

Similar to Bringing Security Testing to Development: How to Enable Developers to Act as Security Experts (20)

Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product Security
 
The QA/Testing Process
The QA/Testing ProcessThe QA/Testing Process
The QA/Testing Process
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
 
Agile and Secure SDLC
Agile and Secure SDLCAgile and Secure SDLC
Agile and Secure SDLC
 
Security Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLCSecurity Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLC
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
 
Perforce on Tour 2015 - Grab Testing By the Horns and Move
Perforce on Tour 2015 - Grab Testing By the Horns and MovePerforce on Tour 2015 - Grab Testing By the Horns and Move
Perforce on Tour 2015 - Grab Testing By the Horns and Move
 
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
 
Dev opsandsecurity owasp
Dev opsandsecurity owaspDev opsandsecurity owasp
Dev opsandsecurity owasp
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.
 
Using Amazon Inspector to Discover Potential Security Issues - AWS Online Tec...
Using Amazon Inspector to Discover Potential Security Issues - AWS Online Tec...Using Amazon Inspector to Discover Potential Security Issues - AWS Online Tec...
Using Amazon Inspector to Discover Potential Security Issues - AWS Online Tec...
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
 
HouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchHouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from Scratch
 
Efficient Security Development and Testing Using Dynamic and Static Code Anal...
Efficient Security Development and Testing Using Dynamic and Static Code Anal...Efficient Security Development and Testing Using Dynamic and Static Code Anal...
Efficient Security Development and Testing Using Dynamic and Static Code Anal...
 
Making security-agile matt-tesauro
Making security-agile matt-tesauroMaking security-agile matt-tesauro
Making security-agile matt-tesauro
 
AppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOpsAppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOps
 
Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016
 
Create code confidence for better application security
Create code confidence for better application security Create code confidence for better application security
Create code confidence for better application security
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOps
 

More from Achim D. Brucker

Usable Security for Developers: A Nightmare
Usable Security for Developers: A NightmareUsable Security for Developers: A Nightmare
Usable Security for Developers: A Nightmare
Achim D. Brucker
 
Formalizing (Web) Standards: An Application of Test and Proof
Formalizing (Web) Standards: An Application of Test and ProofFormalizing (Web) Standards: An Application of Test and Proof
Formalizing (Web) Standards: An Application of Test and Proof
Achim D. Brucker
 
Combining the Security Risks of Native and Web Development: Hybrid Apps
Combining the Security Risks of Native and Web Development: Hybrid AppsCombining the Security Risks of Native and Web Development: Hybrid Apps
Combining the Security Risks of Native and Web Development: Hybrid Apps
Achim D. Brucker
 
The Evil Friend in Your Browser
The Evil Friend in Your BrowserThe Evil Friend in Your Browser
The Evil Friend in Your Browser
Achim D. Brucker
 
How to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure CodeHow to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure Code
Achim D. Brucker
 
Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...
Achim D. Brucker
 
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
Achim D. Brucker
 
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Achim D. Brucker
 
Industrial Challenges of Secure Software Development
Industrial Challenges of Secure Software DevelopmentIndustrial Challenges of Secure Software Development
Industrial Challenges of Secure Software Development
Achim D. Brucker
 
Deploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleDeploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large Scale
Achim D. Brucker
 
Service Compositions: Curse or Blessing for Security?
Service Compositions: Curse or Blessing for Security?Service Compositions: Curse or Blessing for Security?
Service Compositions: Curse or Blessing for Security?
Achim D. Brucker
 
Encoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Encoding Object-oriented Datatypes in HOL: Extensible Records RevisitedEncoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Encoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Achim D. Brucker
 
A Framework for Secure Service Composition
A Framework for Secure Service CompositionA Framework for Secure Service Composition
A Framework for Secure Service Composition
Achim D. Brucker
 
Extending Access Control Models with Break-glass
Extending Access Control Models with Break-glassExtending Access Control Models with Break-glass
Extending Access Control Models with Break-glass
Achim D. Brucker
 

More from Achim D. Brucker (20)

Usable Security for Developers: A Nightmare
Usable Security for Developers: A NightmareUsable Security for Developers: A Nightmare
Usable Security for Developers: A Nightmare
 
Formalizing (Web) Standards: An Application of Test and Proof
Formalizing (Web) Standards: An Application of Test and ProofFormalizing (Web) Standards: An Application of Test and Proof
Formalizing (Web) Standards: An Application of Test and Proof
 
Your (not so) smart TV is currently busy with taking down the Internet
Your (not so) smart TV is currently busy with taking down the InternetYour (not so) smart TV is currently busy with taking down the Internet
Your (not so) smart TV is currently busy with taking down the Internet
 
Combining the Security Risks of Native and Web Development: Hybrid Apps
Combining the Security Risks of Native and Web Development: Hybrid AppsCombining the Security Risks of Native and Web Development: Hybrid Apps
Combining the Security Risks of Native and Web Development: Hybrid Apps
 
The Evil Friend in Your Browser
The Evil Friend in Your BrowserThe Evil Friend in Your Browser
The Evil Friend in Your Browser
 
How to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure CodeHow to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure Code
 
Developing Secure Software: Experiences From an International Software Vendor
Developing Secure Software: Experiences From an International Software VendorDeveloping Secure Software: Experiences From an International Software Vendor
Developing Secure Software: Experiences From an International Software Vendor
 
Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...
 
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
 
Isabelle: Not Only a Proof Assistant
Isabelle: Not Only a Proof AssistantIsabelle: Not Only a Proof Assistant
Isabelle: Not Only a Proof Assistant
 
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
 
Industrial Challenges of Secure Software Development
Industrial Challenges of Secure Software DevelopmentIndustrial Challenges of Secure Software Development
Industrial Challenges of Secure Software Development
 
SAST for JavaScript: A Brief Overview of Commercial Tools
SAST for JavaScript: A Brief Overview of Commercial ToolsSAST for JavaScript: A Brief Overview of Commercial Tools
SAST for JavaScript: A Brief Overview of Commercial Tools
 
A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...
A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...
A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...
 
Deploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleDeploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large Scale
 
Model-based Conformance Testing of Security Properties
Model-based Conformance Testing of Security PropertiesModel-based Conformance Testing of Security Properties
Model-based Conformance Testing of Security Properties
 
Service Compositions: Curse or Blessing for Security?
Service Compositions: Curse or Blessing for Security?Service Compositions: Curse or Blessing for Security?
Service Compositions: Curse or Blessing for Security?
 
Encoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Encoding Object-oriented Datatypes in HOL: Extensible Records RevisitedEncoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Encoding Object-oriented Datatypes in HOL: Extensible Records Revisited
 
A Framework for Secure Service Composition
A Framework for Secure Service CompositionA Framework for Secure Service Composition
A Framework for Secure Service Composition
 
Extending Access Control Models with Break-glass
Extending Access Control Models with Break-glassExtending Access Control Models with Break-glass
Extending Access Control Models with Break-glass
 

Recently uploaded

The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
shinachiaurasa2
 
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
masabamasaba
 
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
masabamasaba
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Steffen Staab
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
masabamasaba
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
Presentation.STUDIO
 
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
masabamasaba
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Medical / Health Care (+971588192166) Mifepristone and Misoprostol tablets 200mg
 
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
chiefasafspells
 
What Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the SituationWhat Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the Situation
Juha-Pekka Tolvanen
 

Recently uploaded (20)

Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
 
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
 
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
 
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
 
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
 
%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto
 
tonesoftg
tonesoftgtonesoftg
tonesoftg
 
What Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the SituationWhat Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the Situation
 
%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benoni%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benoni
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 

Bringing Security Testing to Development: How to Enable Developers to Act as Security Experts

  • 1. Bringing Security Testing to Development How to Enable Developers to Act as Security Experts
  • 2. Background: SAP SE • SAP SE – Business Software Vendor – Over 68000 employees – Worldwide development • Myself – Security Testing Strategist – Researcher – Working in the central Software Security Team 2
  • 3. De-centralized Secure Development Model Central Security Expert Team • S2DL Owner • Organizes security trainings • Defines product standard ``Security'‘ • Defines risk and threat assessment methods • Defines security testing strategy • Selects and provides security testing tools • Validates products • Defines and executes response process Local Security Experts • Embedded into dev. teams • Organize local security activities • Support developers and architects • Support product owners/responsibles 3 Development Teams • Select technologies • Select development model • …
  • 5. Vulnerability Distribution 0 500 1000 1500 2000 2500 3000 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 Code Execution DoS Overflow Memory Corruption Sql Injection XSS Directory Traversal Bypass something Gain Privileges CSRF 5 Source: www.cvedetails.com
  • 6. When Do We Fix Bugs?
  • 8. RISK BASED SECURITY TESTING AS PART OF SAP’S S2DL
  • 9. Our Start: SAST as Baseline ABAP 42% C/C++ 13% Java 30% JavaScript 7% Others 8%  Mandatory since 2010 for all products  Multiple billons lines analyzed  Constant improvements: – tool configuration (e.g., based on feedback from development, validation, response) – new tools and methods Language Tool Vendor ABAP CVA (SLIN_SEC) SAP C/C++ Coverity Coverity JavaScript, Ruby Checkmarx Checkmarx Others Fortify HP
  • 10. Are We Done? • SAST Advantages – Early in Development – Wide range of vuln. Types – Good fix instructions • SAST Limitations – Quality depends on programming language used – Usually covers only one layer of the application stack Client Application Web Browser Server Application Runtime Container Backend Systems
  • 11. Are We Done? • SAST Advantages – Early in Development – Wide range of vuln. Types – Good fix instructions • SAST Limitations – Quality depends on programming language used – Usually covers only one layer of the application stack Client Application Web Browser Server Application Runtime Container Backend Systems Checkmarx (JavaScript) Fortify (Java) Coverity (C/C++)
  • 12. Are We Done? • SAST Advantages – Early in Development – Wide range of vuln. Types – Good fix instructions • SAST Limitations – Quality depends on programming language used – Usually covers only one layer of the application stack Client Application Web Browser Server Application Runtime Container Backend Systems Checkmarx (JavaScript) Fortify (Java) DOMinator Coverity (C/C++) HPWebInspect
  • 13. Are We Done? • SAST Advantages – Early in Development – Wide range of vuln. Types – Good fix instructions • SAST Limitations – Quality depends on programming language used – Usually covers only one layer of the application stack Client Application Web Browser Server Application Runtime Container Backend Systems Fortify (Java) DOMinator Checkmarx HPWebInspect
  • 14. How To Select The Best Tools
  • 15. Example: Security Test Plan • Mobile Device • Risk: Attacker might inject JavaScript (XSS) • Security Control 1: Use only UI5 controls • Assumption: SAP Kapsel with SMP and Afaria – Test: Static Code Analysis using Checkmarx » Justification: recommended tool » Expected Coverage: all client-side JavaScript code » Expected Effort: 10min per development day (ramp-up not included) • Security Control 2: use only SSL connections with valid certificates – Test 1: Static Code Analysis for finding non-https connections » Justification: low effort, already included in test for Security Control 1 » Expected Coverage: all client-side JavaScript code » Expected Effort: included in effort for scans for Security Control 1 – Test 2: Manual test with invalid certs (e.g., self-signed, own CA) » Justification: no automated tool available, self-signed certificates allowed during development » Expected Coverage: all https connections used for accessing the Web Server » Expected Effort: ½ day towards the end of development • Web Server / Web Application (…)
  • 16. Example: Security Test Report • Mobile Device • Risk: Attacker might inject JavaScript (XSS) • Security Control 1: Use only UI5 controls • Assumption: SAP Kapsel with SMP and Afaria – Test: Static Code Analysis using Checkmarx » Result: no issues » Actual Coverage: all client-side JavaScript code » Actual Effort: total effort 2 days (15min per day, instead of expected 10) • Security Control 2: use only SSL connections with valid certificates – Test 1: Static Code Analysis for finding non-https connections » Result: exempted one issue » Actual Coverage: all client-side JavaScript code » Actual Effort: included in effort for scans for Security Control 1 – Test 2: Manual test with invalid certs (e.g., self-signed, own CA) » Expected Coverage: all https connections used for accessing the Web Server » Expected Effort: ½ day towards the end of development • Web Server / Web Application (…)
  • 18. Security Validation • Acts as first customer • Is not a replacement for security testing during development • Security Validation – Check for “flaws” in the implementation of the S2DL – Ideally, security validation finds: • No issues that can be fixed/detected earlier • Only issues that cannot be detect earlier (e.g., insecure default configurations, missing security documentation) • Note, penetration tests in productive environments are different: – They test the actual configuration – They test the productive environment (e.g., cloud/hosting)
  • 19. How to Measure Success • Analyze the vulnerabilities reported by – Security Validation – External security researchers • Vulnerability not detected by our security testing tools – Improve tool configuration – Introduce new tools • Vulnerability detected by our security testing tools – Vulnerability in older software release – Analyze reason for missing vulnerability
  • 20. How to Measure Success • Analyze the vulnerabilities reported by – Security Validation – External security researchers • Vulnerability not detected by our security testing tools – Improve tool configuration – Introduce new tools • Vulnerability detected by our security testing tools – Vulnerability in older software release – Analyze reason for missing vulnerability Success criteria: Percentage of vulnerabilities not covered by our security testing tools increases
  • 22. Key Success Factor • A holistic security awareness program for – Developers – Managers
  • 23. Key Success Factor • A holistic security awareness program for – Developers – Managers • Yes, security awareness is important - but
  • 24. Key Success Factor • A holistic security awareness program for – Developers – Managers • Yes, security awareness is important - but Developer awareness is even more important!
  • 25. Listen to Your Developers! • Building a secure system more difficult than finding a successful attack. • Do not expect your developers to become penetration testers (or security experts)! We are often talking about a lack of security awareness and, by that, forget the problem of lacking development awareness.
  • 26. Security Testing for Developers • Security testing tools for developers, need to – Be applicable from the start of development – Automate the security knowledge – Be deeply integrated into the dev. env., e.g., • IDE (instant feedback) • Continuous integration – Provide easy to understand fix recommendations – Declare their “sweet spots”
  • 27. Collaborate! Security experts need to collaborate with development experts to – Create easy to use security APIs (ever tried to use an SSL API securely) – Create languages and frameworks that make it hard to implement insecure systems – Explain how to program securely
  • 29. Conclusion • Secure software development is a – Prerequisite for the secure and compliant operation: We need SecDevOps! – Risk of operating and maintaining IT systems • Security requires an end-to-end approach – Training of developers, architects, product owners – Security testing during development – Validation of your security testing efforts – Maintenance and security patch management • Developers are your most important ally - Make life easy for them
  • 30. Thank You Contact Details: • Achim D. Brucker www.brucker.ch achim.brucker@sap.com • Stephen Hookings stephen.hookings@sap.com • Dimitar Yanev dimitar.yanev@sap.com 33
  • 31. Bibliography • http://www.sap.com/security • Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmann.ea-security-testing-2014 • Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. http://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014