24 031030davidtillemanssecuresdlcpub-110325054740-phpapp02
•
0 likes•337 views
'Secure Application Development Lifecycle' was presented on 25 march 2011 at InfoSecurity Belgium by David Tillemans, Information security expert at Smals. The presentation gives an insight how Security is not just a networking issue. It should be embedded into the entire software development process, from Requirements analysis and Design, through Code review and Testing setup, to Penetration testing.
Recommended
Recommended
More Related Content
What's hot
What's hot (19)
Viewers also liked
Viewers also liked (7)
Similar to 24 031030davidtillemanssecuresdlcpub-110325054740-phpapp02
Similar to 24 031030davidtillemanssecuresdlcpub-110325054740-phpapp02 (20)
More from Smals
More from Smals (20)
Recently uploaded
Recently uploaded (20)
24 031030davidtillemanssecuresdlcpub-110325054740-phpapp02
- 2. 20/03/11 About Smals vzw-asbl One of Belgium's largest ICT-organisations: 1660 people "ICT for Society" Work: ex. Dimona-DmfA Salary & labour prestations Health: ex. eHealth-platform Secure exchange of medical data in Belgium Family life: ex. VESTA Home care for elderly (financial / operational support) High priority for ICT Security & Privacy 2
- 3. 20/03/11 Web Project Life Cycle • An idea? • Analysis of functional requirements • Design of the architecture • Implementation Writing of the source code Java C# ... Using a framework 3
- 4. 20/03/11 Web Project Life Cycle • Functional testing • Deployment in production • ... (2 years go by) • Hacker comes by Breaks the application gives advise publishes on the internet steals information steals money 4
- 5. 20/03/11 What about security ... • Idea? has no security requirements ... (if it is not a security solution) • Analysis of functional requirements Non-functional Architecture solves this ... • Design of the architecture Non-functional requirements Network infrastruture solves this ... • Developer Is not written in design & analysis No security guidelines 5
- 6. 20/03/11 What about security ... • Functional testing Tests are performed in the boundaries No security is considered in tests • Deployment to Production No security considered in deployment Network operations solves this ... 6
- 7. 20/03/11 What about security ... • Hacker comes by Analyses the security of the web application in relation to the business requirements Reviews the architecture Verifies the security in the development Checks the security of the deployment • Hacks the application Financial gain Awards Political reasons Exploit of resources 7
- 8. 20/03/11 Network solves security ? Firewalls … • Firewalls are always configured to allow web traffic -> HTTP(S) • Attacker appears to the web application as a normal user 8
- 9. 20/03/11 Network solves security ? SSL secures the application… • Server-side SSL only guarantees confidentiality on transport level • Attacker also uses the SSL tunnel 9
- 10. 20/03/11 Secure Software Development LifeCycle Security Design Static Penetration requirements Review analysis testing (tools) Risk Risk-based analysis security tests Code Requirements Design Test plans Test Field and use cases results feedback Code Review 10
- 11. 20/03/11 Application Risk Analysis Requirement and Architecture documentation Goal of the External In- & Output Assets Service Factors Channels Threat Analysis Identification Data Flow Identification Threat Trust levels Analysis of the threats analysis Risk Analysis Risk Risk Identification analysis Ranking of Mitigations document 11
- 12. 20/03/11 How To • Security awareness and training program Analysts Security requirements -> Functional requirements Use cases vs misUse cases Architects & Developers Data Flow Diagram analysis Attack trees STRIDE methodology • Development guidelines publication • Code Review Automatic through tools Manual by penetration testers 12
- 13. 20/03/11 How To • Security Testing Automatic through tools Manual by penetration testers • Secure configuration • Technology Web application firewall • Human Resources Internal penetration testers (team) Perform reviews & controls • Need of management support ! 13
- 14. 20/03/11 Security Integration Processes • Clearly defined processes according to risks • 2 processes for the security analyses Express (BPMN) Application-Security-Express-v0.2.igx Inception Elaboration Construction Transition Production Revue Revue de securité sur Revue de securité sur Revue Configuration testes Revue optionelle securité sur les reports d'analyse les reports de test sécurité architecture feedback report de sécurité Security sécurité architecture, statique de code pénétration automatique Requirements V1 feedback report 1 jour Analist Requirements V1 req. V2 et 1/2 jour 1/2 jour Risc analysis 0,5 jour Risque 1,5 jour 1,5 jour Report de sécurité Verwerking CSM / CPL feedback Yes Verwerking Accepted feedback No Requirements V2 doc Analyste Requirements V1 doc RiSC V1 RiSC V2 TO&P Start SADV1 RiSC V1 Reports automatiques d'analyse statiques de code RiSC V2 SADV2 Architecte Création du Création du TO&P SADV1 - critèr SADV2 - critèr es non es non fonctionnels Reports automatiques fonctionnels des testes de pénétration Developer la solution Developer Définir les Définir les Test de Requirements / Requirements / penetration critères non- critères non- automatique fonctionnels fonctionnels (2 à 3 jour) SIC iDeploy Deployment Client Extended (BPMN) Security Analist Revue optionelle sécurité Requirements V1 0,5 jour Revue sécurité architecture Requirements V1 Risc analysis 1,5 jour feedback report Inception Revue securité sur architecture, req. V2 et Risque 1,5 jour feedback report Application-Security-Extended-v0.1.igx Elaboration Revue de securité sur les reports d'analyse statique de code 1/2 jour Configuration testes de sécurité 1 jour Construction Revue de securité sur les reports de test pénétration automatique 1/2 jour Revue manuel sur le project >5 jour Transition Production Report de sécurité Verwerking CSM / CPL feedback Yes Verwerking Accepted feedback No Requirements V2 doc Requirements V1 doc Analyste RiSC V1 RiSC V2 TO&P Start SADV1 RiSC V1 Reports automatiques d'analyse statiques de code RiSC V2 SADV2 Architecte Création du Création du TO&P SADV1 - critèr SADV2 - critèr es non es non Reports automatiques fonctionnels fonctionnels des testes de pénétration Developer la solution Developer Définir les Définir les Test de Requirements / Requirements / penetration critères non- critères non- automatique fonctionnels fonctionnels (2 à 3 jour) SIC iDeploy Deployment Client 14
- 15. 20/03/11 Resources … • OWASP Open Web Application Security Program • Books: Software Security Microsoft Secure Development Lifecycle Enterprise Security Architecture 15
- 16. 20/03/11 Questions ? Thanks you! www.smals.be 16