'Secure Application Development Lifecycle' was presented on 25 March 2011 at InfoSecurity Belgium by David Tillemans, information security expert at Smals. The presentation gives an insight into how security is not just a networking issue: it should be embedded into the entire software development process, from requirements analysis and design, through code review and test setup, to penetration testing.
2. 20/03/11
About Smals vzw-asbl
One of Belgium's largest ICT-organisations:
1660 people
"ICT for Society"
Work: e.g. Dimona-DmfA
Salary & labour prestations
Health: e.g. eHealth-platform
Secure exchange of medical data in Belgium
Family life: e.g. VESTA
Home care for the elderly (financial / operational support)
High priority for ICT Security & Privacy
3. 20/03/11
Web Project Life Cycle
• An idea?
• Analysis of functional requirements
• Design of the architecture
• Implementation
Writing of the source code
Java
C#
...
Using a framework
4. 20/03/11
Web Project Life Cycle
• Functional testing
• Deployment in production
• ... (2 years go by)
• Hacker comes by
Breaks the application
gives advice
publishes on the internet
steals information
steals money
5. 20/03/11
What about security ...
• Idea?
has no security requirements ... (if it is not a security solution)
• Analysis of functional requirements
Security is a non-functional requirement
The architecture solves this ...
• Design of the architecture
Security is a non-functional requirement
The network infrastructure solves this ...
• Developer
Security is not written into the design & analysis
No security guidelines
6. 20/03/11
What about security ...
• Functional testing
Tests are performed within the functional boundaries
No security is considered in tests
• Deployment to Production
No security considered in deployment
Network operations solves this ...
7. 20/03/11
What about security ...
• Hacker comes by
Analyses the security of the web application in relation to the business requirements
Reviews the architecture
Verifies the security in the development
Checks the security of the deployment
• Hacks the application
Financial gain
Awards
Political reasons
Exploit of resources
8. 20/03/11
Network solves security?
Firewalls …
• Firewalls are always configured to allow web traffic -> HTTP(S)
• The attacker appears to the web application as a normal user
9. 20/03/11
Network solves security?
SSL secures the application…
• Server-side SSL only guarantees confidentiality on the transport level
• The attacker also uses the SSL tunnel
10. 20/03/11
Secure Software Development LifeCycle
[Diagram of the security touchpoints mapped onto the development artifacts; only the labels are kept.]
Touchpoints: Security requirements, Risk analysis, Design review, Code review, Static analysis (tools), Risk-based security tests, Penetration testing
Artifacts: Requirements and use cases, Design, Test plans, Code, Test results, Field feedback
11. 20/03/11
Application Risk Analysis
[Diagram of the risk analysis process; only the labels are kept.]
Input: Requirement and Architecture documentation
Scope: Goal of the Service, External Factors, In- & Output Channels, Assets
Threat Analysis: Identification of trust levels, Data Flow Analysis, Identification of the threats, Threat analysis
Risk Analysis: Risk Identification, Ranking of Mitigations, Risk analysis document
12. 20/03/11
How To
• Security awareness and training program
Analysts
Security requirements -> Functional requirements
Use cases vs. misuse cases
Architects & Developers
Data Flow Diagram analysis
Attack trees
STRIDE methodology
• Development guidelines publication
• Code Review
Automatic through tools
Manual by penetration testers
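The Application Risk Analysis slide (trust levels, data flow analysis, threat identification, risk ranking) and the How To slide (data flow diagram analysis with the STRIDE methodology) describe a procedure without showing it applied. The following Python script is an added example, not code from the presentation or from Smals: it enumerates STRIDE-per-element threats over a small data flow diagram and ranks them by a likelihood x impact score. The DFD (an eHealth-style web application), its trust zones, the impact values and the rule "likelihood 3 if a trust boundary is crossed, else 1" are all constructed assumptions for the illustration; the STRIDE-per-element table itself is the standard one.

```python
"""STRIDE-per-element threat enumeration and risk ranking over a small
data flow diagram (DFD). Added illustration: the DFD, zones, impact
values and likelihood rule are constructed for the example."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# STRIDE categories that apply to each DFD element type (the usual
# STRIDE-per-element table: an external entity can be spoofed and can
# repudiate; stores and flows cannot escalate privilege; and so on).
APPLICABLE: Dict[str, Set[str]] = {
    "external":  {"Spoofing", "Repudiation"},
    "process":   {"Spoofing", "Tampering", "Repudiation",
                  "Information disclosure", "Denial of service",
                  "Elevation of privilege"},
    "datastore": {"Tampering", "Repudiation", "Information disclosure",
                  "Denial of service"},
    "dataflow":  {"Tampering", "Information disclosure", "Denial of service"},
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str           # one of the APPLICABLE keys
    zone: str           # trust zone the element sits in (unused for flows)
    impact: int         # 1..5, value of the assets behind the element
    source: str = ""    # dataflow only: names of the two endpoints
    target: str = ""


def exposed_elements(elements: List[Element]) -> Set[str]:
    """Names of the flows that cross a trust boundary, plus their endpoints.
    A flow crosses a boundary when its endpoints sit in different zones."""
    by_name = {e.name: e for e in elements}
    exposed: Set[str] = set()
    for e in elements:
        if e.kind != "dataflow":
            continue
        if by_name[e.source].zone != by_name[e.target].zone:
            exposed.update({e.name, e.source, e.target})
    return exposed


def enumerate_threats(elements: List[Element]) -> List[Tuple[int, str, str]]:
    """Return (risk score, element name, STRIDE category) triples, highest
    score first. Score = likelihood x impact; likelihood is 3 for elements
    touched by a boundary-crossing flow and 1 otherwise (assumed rule)."""
    exposed = exposed_elements(elements)
    threats: List[Tuple[int, str, str]] = []
    for e in elements:
        likelihood = 3 if e.name in exposed else 1
        for category in sorted(APPLICABLE[e.kind]):
            threats.append((likelihood * e.impact, e.name, category))
    threats.sort(key=lambda t: (-t[0], t[1], t[2]))
    return threats


def sample_dfd() -> List[Element]:
    """Constructed DFD: browser -> web app in a DMZ -> internal stores."""
    return [
        Element("Citizen browser", "external", "internet", impact=2),
        Element("Web app", "process", "dmz", impact=4),
        Element("Medical DB", "datastore", "internal", impact=5),
        Element("Audit log", "datastore", "internal", impact=3),
        Element("Batch job", "process", "internal", impact=3),
        Element("HTTPS request", "dataflow", "internet", 3,
                source="Citizen browser", target="Web app"),
        Element("SQL query", "dataflow", "dmz", 5,
                source="Web app", target="Medical DB"),
        Element("Log write", "dataflow", "dmz", 3,
                source="Web app", target="Audit log"),
        Element("Nightly export", "dataflow", "internal", 5,
                source="Batch job", target="Medical DB"),
    ]


if __name__ == "__main__":
    # Print the threat register as the input for mitigation ranking.
    for score, name, category in enumerate_threats(sample_dfd()):
        print(f"{score:3d}  {name:16s} {category}")
```

The register that comes out is the starting point for the "Risk Identification" and "Ranking of Mitigations" steps of the slide: the boundary-crossing flow into the medical data store and the store itself come out on top, while the batch job that never leaves the internal zone ranks last, which is exactly the prioritisation a reviewer needs before deciding which mitigations to fund.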
13. 20/03/11
How To
• Security Testing
Automatic through tools
Manual by penetration testers
• Secure configuration
• Technology
Web application firewall
• Human Resources
Internal penetration testers (team)
Perform reviews & controls
• Need for management support!
14. 20/03/11
Security Integration Processes
• Clearly defined processes according to risks
• 2 processes for the security analyses
Express (BPMN), file Application-Security-Express-v0.2.igx
[BPMN process diagram; only the recoverable labels are kept, translated from French. Swim lanes: Security Analyst, Analyst, Architect, Developer, SIC, iDeploy, Client, CSM / CPL. Phases: Inception, Elaboration, Construction, Transition, Production.]
Security analyst activities and effort:
• Optional security review of Requirements V1 (0.5 day) -> feedback report
• Security review of the architecture, Requirements V2 and the risk analysis (1.5 days) -> feedback report
• Risk analysis (1.5 days)
• Security review of the automated static code analysis reports (0.5 day)
• Configuration of the security tests (1 day)
• Security review of the automated penetration test reports (0.5 day)
• Security report; CSM / CPL processes the feedback (accepted: yes / no)
Other lanes: the Analyst produces the Requirements V1 and Requirements V2 documents; the Architect creates SADV1 and SADV2 (non-functional criteria) together with RiSC V1 / RiSC V2 and TO&P; the Developer defines the requirements / non-functional criteria and develops the solution; automated static code analysis reports and an automated penetration test (2 to 3 days) are produced; iDeploy performs the deployment.

Extended (BPMN), file Application-Security-Extended-v0.1.igx
[Same lanes, phases and activities as the Express process, with one addition: a manual security review of the project (>5 days).]
15. 20/03/11
Resources …
• OWASP
Open Web Application Security Project
• Books:
Software Security
Microsoft Secure Development Lifecycle
Enterprise Security Architecture