Secure Software Development Adoption Strategy
Narudom Roongsiriwong, CISSP
WhoAmI
● Lazy Blogger
– Japan, Security, FOSS, Politics, Christian
– http://narudomr.blogspot.com
● Information Security since 1995
● Web Application Development since 1998
● Head of IT Security and Solution Architecture, Kiatnakin Bank PCL (KKP)
● Consultant for OWASP Thailand Chapter
● Committee Member of Cloud Security Alliance (CSA), Thailand Chapter
● Consulting Team Member for National e-Payment project
● Contact: [email protected]
Background
● June 2014 – Invitation from Kiatnakin Bank to discuss how to improve in-house software security.
● August 2014 – 5-day training for KK developers on the concepts, requirements, design and implementation of application security
● December 2014 – Joined KK as VP, Head of IT Security, with no team members yet.
● January 2015 – First report on secure code review, Corporate Internet Banking system
● February 2015 – First release of KK secure coding guideline, adapted from OWASP Testing Guide, PCI DSS and other best practices
● March 2015 – KK SDLC regulation announcement, including secure development life cycle
● May 2015 – KK application log specification released
Application Security Training at KK, August 2014
What Are Application Security Risks?
Source: OWASP: Open Web Application Security Project
OWASP Top 10 2013 Risk
Source: OWASP: Open Web Application Security Project
Security controls cannot deal with broken business logic such as A2, A4 and A7
Software weaknesses reduction down to zero is possible
Reduce Security Weaknesses vs Increase Security Controls
Source: Patrick Thomas (twitter @coffeetocode)
Security as an Afterthought
Relative cost of security fixes, based on time of detection
Source: The National Institute of Standards and Technology (NIST)
Implementation Challenges
How Can We Start?
>>> Set the Goal
● Which level of secure software development do we want to achieve?
– Minimal – OWASP Top 10 Proactive Controls
– Intermediate – Microsoft Security Development Lifecycle
– Expert – OpenSAMM (OWASP’s Software Assurance Maturity Model)
● Is that level sufficient for our business?
● How confident are we of achieving that level?
Option#1: OWASP Top 10 Proactive Controls
C1: Verify for Security Early and Often
C2: Parameterize Queries
C3: Encode Data
C4: Validate All Inputs
C5: Implement Identity and Authentication Controls
C6: Implement Appropriate Access Controls
C7: Protect Data
C8: Implement Logging and Intrusion Detection
C9: Leverage Security Frameworks and Libraries
C10: Error and Exception Handling
Source: https://www.owasp.org/index.php/OWASP_Proactive_Controls
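As an added example, not part of the original slides, the following Python shows three of the controls listed above side by side in their weak and hardened forms: C2 (parameterize queries), C3 (encode data) and C4 (validate all inputs), with a C10-style generic error path. The account table, its rows, the username rule and the probe string are all constructed here for illustration and are not from the deck.

```python
"""Added example (not from the original slides): OWASP Proactive Controls
C2, C3 and C4 shown as the weak form beside the hardened form.
Everything below (table, rows, username rule) is constructed for illustration."""
import html
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory account table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", 100), ("bob", 250), ("carol", 75)],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Weak form: string concatenation lets the input rewrite the query."""
    return conn.execute(
        "SELECT username, balance FROM accounts WHERE username = '"
        + username + "'"
    ).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """C2: the driver binds the value; the input is never parsed as SQL."""
    return conn.execute(
        "SELECT username, balance FROM accounts WHERE username = ?", (username,)
    ).fetchall()


# C4: an allow-list for usernames (constructed rule: lowercase, 3-32 chars).
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def validate_username(username: str) -> str:
    """C4: allow-list validation; reject rather than try to clean up."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return username


def render_greeting(username: str) -> str:
    """C3: encode for the HTML context at the point of output."""
    return "<p>Welcome, " + html.escape(username, quote=True) + "</p>"


def balance_page(conn: sqlite3.Connection, username: str) -> str:
    """C4 -> C2 -> C3 chain; C10: the user sees only a generic message."""
    try:
        name = validate_username(username)
        rows = lookup_parameterized(conn, name)
        if not rows:
            return "<p>No such account</p>"
        return render_greeting(rows[0][0]) + f"<p>Balance: {rows[0][1]}</p>"
    except ValueError:
        # Detail belongs in the application log (C8), not in the response.
        return "<p>Request rejected</p>"
```

Running the two lookups against the same probe string shows why C2 is on the list: the concatenated query returns every account, while the parameterized one returns none, and with C4 in front the probe never reaches the database at all.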
Option#2: Security Development Lifecycle
https://www.microsoft.com/en-us/sdl
Option#3: OWASP’s Software Assurance Maturity Model
Source: OWASP’s Software Assurance Maturity Model (OpenSAMM)
>>> Build A-Team
● Mentors
● Software Security Architects
● Security Designers
● Secure Code Reviewers
● Application Penetration Testers
>>> Establish Processes
● Embed security gates in the existing processes
– Project Kick-Off
– Requirement Gathering
– Solution Design
– Architecture Review
– Incident Response
● Create additional processes
– Code Review
– Application Penetration Testing
– Production System Security Configuration Review
>>> Set Up Baseline
● Desired frameworks, for example
– Java: Spring + Hibernate
– .NET: MVC (Web), Entity Framework
● Development guidelines
– Secure software requirement
– Security patterns
– Standard application log specification
>>> Introduce Design Concept
● Need to Know
● Least Privilege
● Separation of Duties
● Defense in Depth
● Fail Secure / Fail Safe
● Economy of Mechanisms
● Complete Mediation
● Open Design
● Least Common Mechanisms
● Psychological Acceptability
● Leveraging Existing Components
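As an added example, not from the slides, the following Python turns three of the concepts above (Least Privilege, Complete Mediation, Fail Secure) into a small authorization check, with a fail-open version beside it for contrast. The roles, permissions and user-to-role mapping are constructed for illustration.

```python
"""Added example (not from the original slides): Least Privilege, Complete
Mediation and Fail Secure in one authorization check. Roles and permissions
are constructed for illustration."""
from typing import Dict, FrozenSet

# Least Privilege: each role holds only the operations it needs.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "teller": frozenset({"account:read"}),
    "supervisor": frozenset({"account:read", "transfer:approve"}),
}


def is_allowed_fail_open(user_roles: Dict[str, str], user: str, action: str) -> bool:
    """Weak form: an unexpected condition (unknown user or role) grants access."""
    try:
        return action in ROLE_PERMISSIONS[user_roles[user]]
    except KeyError:
        return True  # fails open: a mapping gap becomes an authorization bypass


def is_allowed(user_roles: Dict[str, str], user: str, action: str) -> bool:
    """Fail Secure: anything unexpected denies; only an explicit grant allows."""
    try:
        return action in ROLE_PERMISSIONS[user_roles[user]]
    except KeyError:
        return False


def handle(user_roles: Dict[str, str], user: str, action: str) -> str:
    """Complete Mediation: every request is checked here, none is remembered
    from an earlier call, and the check happens before the action."""
    if not is_allowed(user_roles, user, action):
        return "denied"
    return f"{action} by {user}"
```

The difference between the two checks only shows on the unexpected path (a user missing from the mapping), which is exactly the path a design review should exercise.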
Set Security Checkpoint
● Business Requirement Sign-Off
● Solution Architect Review
● Code Review
● Application Penetration Testing
● Change Advisory Board
>>> Share Knowledge
>>> Lead the Change
The Big Opportunity
For Example: Using John P. Kotter’s “Eight Steps to Transforming Your Organization”
Lessons Learned
● Teaching developers security is easier than teaching security people software development.
● Keys of secure software development adoption
– Repeat design concepts regularly
– Use security patterns
– Set security checkpoints
– Guide developers to fix security bugs
– Get top management support