secure system development · 2018-05-17 · clasp best practices • treat security requirements...
TRANSCRIPT
![Page 1: Secure System Development · 2018-05-17 · CLASP Best Practices • Treat security requirements same way as functional requirements • Define security policy • Identify attack](https://reader033.vdocuments.net/reader033/viewer/2022050401/5f7e805ca749d11c293ba2c4/html5/thumbnails/1.jpg)
Chapter 12: Secure System Development
Raimundas Matulevičius University of Tartu, Estonia, [email protected]
Fundamentals of
Secure System Modelling Springer, 2017
![Page 2: Secure System Development · 2018-05-17 · CLASP Best Practices • Treat security requirements same way as functional requirements • Define security policy • Identify attack](https://reader033.vdocuments.net/reader033/viewer/2022050401/5f7e805ca749d11c293ba2c4/html5/thumbnails/2.jpg)
Goal
• Explain main activities for secure software development
• Overview three approaches for secure software development
2
![Page 3: Secure System Development · 2018-05-17 · CLASP Best Practices • Treat security requirements same way as functional requirements • Define security policy • Identify attack](https://reader033.vdocuments.net/reader033/viewer/2022050401/5f7e805ca749d11c293ba2c4/html5/thumbnails/3.jpg)
Outline
• Security system development processes – Microsoft secure system development lifecycle
– OWASP CLASP
– Seven touchpoints
– Comparison
• Security Approaches in Secure Systems Development Processes
3
![Page 4: Secure System Development · 2018-05-17 · CLASP Best Practices • Treat security requirements same way as functional requirements • Define security policy • Identify attack](https://reader033.vdocuments.net/reader033/viewer/2022050401/5f7e805ca749d11c293ba2c4/html5/thumbnails/4.jpg)
Outline
• Security system development processes – Microsoft secure system development lifecycle
– OWASP CLASP
– Seven touchpoints
– Comparison
• Security Approaches in Secure Systems Development Processes
4
• Emphasis on „building secure software” as opposed to „building security software”
![Page 5: Secure System Development · 2018-05-17 · CLASP Best Practices • Treat security requirements same way as functional requirements • Define security policy • Identify attack](https://reader033.vdocuments.net/reader033/viewer/2022050401/5f7e805ca749d11c293ba2c4/html5/thumbnails/5.jpg)
Outline
• Security system development processes – Microsoft secure system development lifecycle
– OWASP CLASP
– Seven touchpoints
– Comparison
• Security Approaches in Secure Systems Development Processes
5
![Page 6: Secure System Development · 2018-05-17 · CLASP Best Practices • Treat security requirements same way as functional requirements • Define security policy • Identify attack](https://reader033.vdocuments.net/reader033/viewer/2022050401/5f7e805ca749d11c293ba2c4/html5/thumbnails/6.jpg)
Microsoft Security Development Cycle http://www.microsoft.com/security/sdl/default.aspx
6
• Core security training
![Page 7: Secure System Development · 2018-05-17 · CLASP Best Practices • Treat security requirements same way as functional requirements • Define security policy • Identify attack](https://reader033.vdocuments.net/reader033/viewer/2022050401/5f7e805ca749d11c293ba2c4/html5/thumbnails/7.jpg)
7
• Establish security requirements
• Create quality gates/bug bars
• Perform security and privacy risk assessment
Microsoft Security Development Cycle http://www.microsoft.com/security/sdl/default.aspx
![Page 8: Secure System Development · 2018-05-17 · CLASP Best Practices • Treat security requirements same way as functional requirements • Define security policy • Identify attack](https://reader033.vdocuments.net/reader033/viewer/2022050401/5f7e805ca749d11c293ba2c4/html5/thumbnails/8.jpg)
8
• Establish design requirements
• Perform attack surface analysis/ reduction
• Use threat modelling
Microsoft Security Development Cycle http://www.microsoft.com/security/sdl/default.aspx
![Page 9: Secure System Development · 2018-05-17 · CLASP Best Practices • Treat security requirements same way as functional requirements • Define security policy • Identify attack](https://reader033.vdocuments.net/reader033/viewer/2022050401/5f7e805ca749d11c293ba2c4/html5/thumbnails/9.jpg)
9
• Use approved tools • Deprecate unsafe
functions • Perform static analysis
Microsoft Security Development Cycle http://www.microsoft.com/security/sdl/default.aspx
![Page 10: Secure System Development · 2018-05-17 · CLASP Best Practices • Treat security requirements same way as functional requirements • Define security policy • Identify attack](https://reader033.vdocuments.net/reader033/viewer/2022050401/5f7e805ca749d11c293ba2c4/html5/thumbnails/10.jpg)
10
• Perform dynamic analysis • Perform fuzz testing • Conduct attack surface
reviews
Microsoft Security Development Cycle http://www.microsoft.com/security/sdl/default.aspx
![Page 11: Secure System Development · 2018-05-17 · CLASP Best Practices • Treat security requirements same way as functional requirements • Define security policy • Identify attack](https://reader033.vdocuments.net/reader033/viewer/2022050401/5f7e805ca749d11c293ba2c4/html5/thumbnails/11.jpg)
11
• Create an incident response plan
• Conduct final security review
• Certify release and archive
Microsoft Security Development Cycle http://www.microsoft.com/security/sdl/default.aspx
![Page 12: Secure System Development · 2018-05-17 · CLASP Best Practices • Treat security requirements same way as functional requirements • Define security policy • Identify attack](https://reader033.vdocuments.net/reader033/viewer/2022050401/5f7e805ca749d11c293ba2c4/html5/thumbnails/12.jpg)
12
• Execute incidence response plan
Response
Microsoft Security Development Cycle http://www.microsoft.com/security/sdl/default.aspx
![Page 13: Secure System Development · 2018-05-17 · CLASP Best Practices • Treat security requirements same way as functional requirements • Define security policy • Identify attack](https://reader033.vdocuments.net/reader033/viewer/2022050401/5f7e805ca749d11c293ba2c4/html5/thumbnails/13.jpg)
Outline
• Security system development processes – Microsoft secure system development lifecycle
– OWASP CLASP
– Seven touchpoints
– Comparison
• Security Approaches in Secure Systems Development Processes
13
![Page 14: Secure System Development · 2018-05-17 · CLASP Best Practices • Treat security requirements same way as functional requirements • Define security policy • Identify attack](https://reader033.vdocuments.net/reader033/viewer/2022050401/5f7e805ca749d11c293ba2c4/html5/thumbnails/14.jpg)
Open Web Application Security Project OWASP
https://www.owasp.org/index.php/Main_Page • Collect resources
for Web applications – Top ten security flaws – Various security testing tools – Various security
control means • e.g., code review guide
• CLASP – Comprehensive Lightweight Application Security Process 14
OWASP Appsec Tutorial Series
https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series
– Basics – SQL Injection – Cross-site Scripting (XSS) – HTTP Strict Transport Security
![Page 15: Secure System Development · 2018-05-17 · CLASP Best Practices • Treat security requirements same way as functional requirements • Define security policy • Identify attack](https://reader033.vdocuments.net/reader033/viewer/2022050401/5f7e805ca749d11c293ba2c4/html5/thumbnails/15.jpg)
CLASP https://www.owasp.org/index.php/Main_Page
• Goal: – move security concerns into the early stages of the software
development lifecycle, whenever possible
• Set of process pieces that can be integrated into any software development process – Introduction to the Concepts behind CLASP to get started – Seven key Best Practices – High-level Security Services (authorisation, authentication, …) – Core Security Principles – Roles – Activities – Process engineering and roadmaps – Checklisted Coding Guidelines – Vulnerabilities that occur in source code – Searchable Vulnerability Checklist 15
![Page 16: Secure System Development · 2018-05-17 · CLASP Best Practices • Treat security requirements same way as functional requirements • Define security policy • Identify attack](https://reader033.vdocuments.net/reader033/viewer/2022050401/5f7e805ca749d11c293ba2c4/html5/thumbnails/16.jpg)
CLASP Best Practices
• Institute awareness programs • Perform application
assessments • Capture security requirements • Implement secure
development practices • Build vulnerability remediation
procedures • Define and monitor metrics • Publish operational security
guidelines
16
![Page 17: Secure System Development · 2018-05-17 · CLASP Best Practices • Treat security requirements same way as functional requirements • Define security policy • Identify attack](https://reader033.vdocuments.net/reader033/viewer/2022050401/5f7e805ca749d11c293ba2c4/html5/thumbnails/17.jpg)
CLASP Best Practices
• People should consider security to be an important project goal
• Train all team members • Make people aware of security
setting • Institute accountability for
security issues • Appoint a project security
officer • Institute rewards for handling
of security issues
17
• Institute awareness programs • Perform application
assessments • Capture security requirements • Implement secure development
practices • Build vulnerability remediation
procedures • Define and monitor metrics • Publish operational security
guidelines
![Page 18: Secure System Development · 2018-05-17 · CLASP Best Practices • Treat security requirements same way as functional requirements • Define security policy • Identify attack](https://reader033.vdocuments.net/reader033/viewer/2022050401/5f7e805ca749d11c293ba2c4/html5/thumbnails/18.jpg)
CLASP Best Practices
• Security analysis of requirements and design – Threat modelling
• Source-level security review
• Security tests
18
• Institute awareness programs • Perform application
assessments • Capture security requirements • Implement secure development
practices • Build vulnerability remediation
procedures • Define and monitor metrics • Publish operational security
guidelines
![Page 19: Secure System Development · 2018-05-17 · CLASP Best Practices • Treat security requirements same way as functional requirements • Define security policy • Identify attack](https://reader033.vdocuments.net/reader033/viewer/2022050401/5f7e805ca749d11c293ba2c4/html5/thumbnails/19.jpg)
CLASP Best Practices
• Treat security requirements same way as functional requirements
• Define security policy • Identify attack surface • Identify resources and trust
boundaries • Identify misuse cases • Specify operational
environment
19
• Institute awareness programs • Perform application
assessments • Capture security requirements • Implement secure development
practices • Build vulnerability remediation
procedures • Define and monitor metrics • Publish operational security
guidelines
![Page 20: Secure System Development · 2018-05-17 · CLASP Best Practices • Treat security requirements same way as functional requirements • Define security policy • Identify attack](https://reader033.vdocuments.net/reader033/viewer/2022050401/5f7e805ca749d11c293ba2c4/html5/thumbnails/20.jpg)
CLASP Best Practices
• Annotate classes with security properties
• Apply principles of secure design
• Manage resources • Manage contracts and
interfaces
20
• Institute awareness programs • Perform application
assessments • Capture security requirements • Implement secure development
practices • Build vulnerability remediation
procedures • Define and monitor metrics • Publish operational security
guidelines
![Page 21: Secure System Development · 2018-05-17 · CLASP Best Practices • Treat security requirements same way as functional requirements • Define security policy • Identify attack](https://reader033.vdocuments.net/reader033/viewer/2022050401/5f7e805ca749d11c293ba2c4/html5/thumbnails/21.jpg)
CLASP Best Practices
• Address reported security issues
• Manage security issue disclosure process
21
• Institute awareness programs • Perform application
assessments • Capture security requirements • Implement secure development
practices • Build vulnerability remediation
procedures • Define and monitor metrics • Publish operational security
guidelines
![Page 22: Secure System Development · 2018-05-17 · CLASP Best Practices • Treat security requirements same way as functional requirements • Define security policy • Identify attack](https://reader033.vdocuments.net/reader033/viewer/2022050401/5f7e805ca749d11c293ba2c4/html5/thumbnails/22.jpg)
CLASP Best Practices
• Select metrics • Collect data • Evaluate results
22
• Institute awareness programs • Perform application
assessments • Capture security requirements • Implement secure development
practices • Build vulnerability remediation
procedures • Define and monitor metrics • Publish operational security
guidelines
![Page 23: Secure System Development · 2018-05-17 · CLASP Best Practices • Treat security requirements same way as functional requirements • Define security policy • Identify attack](https://reader033.vdocuments.net/reader033/viewer/2022050401/5f7e805ca749d11c293ba2c4/html5/thumbnails/23.jpg)
CLASP Best Practices
• Build operational security guide
• Specify database security configuration
23
• Institute awareness programs • Perform application
assessments • Capture security requirements • Implement secure development
practices • Build vulnerability remediation
procedures • Define and monitor metrics • Publish operational security
guidelines
![Page 24: Secure System Development · 2018-05-17 · CLASP Best Practices • Treat security requirements same way as functional requirements • Define security policy • Identify attack](https://reader033.vdocuments.net/reader033/viewer/2022050401/5f7e805ca749d11c293ba2c4/html5/thumbnails/24.jpg)
Outline
• Security system development processes – Microsoft secure system development lifecycle
– OWASP CLASP
– Seven touchpoints
– Comparison
• Security Approaches in Secure Systems Development Processes
24
![Page 25: Secure System Development · 2018-05-17 · CLASP Best Practices • Treat security requirements same way as functional requirements • Define security policy • Identify attack](https://reader033.vdocuments.net/reader033/viewer/2022050401/5f7e805ca749d11c293ba2c4/html5/thumbnails/25.jpg)
Seven Security Touchpoints G. McGraw, “Software Security: Building Security In”
25
“All software projects produce at least one artifact: source code”
![Page 26: Secure System Development · 2018-05-17 · CLASP Best Practices • Treat security requirements same way as functional requirements • Define security policy • Identify attack](https://reader033.vdocuments.net/reader033/viewer/2022050401/5f7e805ca749d11c293ba2c4/html5/thumbnails/26.jpg)
Seven Security Touchpoints G. McGraw, “Software Security: Building Security In”
26
“All software projects produce at least one artifact: source code”
1. Code review (tools) 2. Risk analysis 3. Penetration test 4. Risk-based security test
5. Abuse analysis 6. Security requirements 7. Security attacks * External analysis
![Page 27: Secure System Development · 2018-05-17 · CLASP Best Practices • Treat security requirements same way as functional requirements • Define security policy • Identify attack](https://reader033.vdocuments.net/reader033/viewer/2022050401/5f7e805ca749d11c293ba2c4/html5/thumbnails/27.jpg)
Code review (tools)
• Aim: catching implementation bugs early • Tool helps to achieve good code coverage • Aim for good, not perfect
27
![Page 28: Secure System Development · 2018-05-17 · CLASP Best Practices • Treat security requirements same way as functional requirements • Define security policy • Identify attack](https://reader033.vdocuments.net/reader033/viewer/2022050401/5f7e805ca749d11c293ba2c4/html5/thumbnails/28.jpg)
Risk analysis • Create description of
architecture – Start with one page – Forest-level view
• Attack resistance – Use checklists of known attacks – Example: Microsoft STRIDE
• Spoofing, Tampering, Repudiation, Info disclosure, Denial of service, Elevation of privilege
• Ambiguity analysis – Discover new risks – Find unclear parts in how the
system works – Trust, data sensitivity, threat
models • Weakness analysis
– Impact of external software dependencies
– Platform (hardware, OS) – Frameworks – Called services
28
Combine risks and consider business impact Rank risks
Find solutions
![Page 29: Secure System Development · 2018-05-17 · CLASP Best Practices • Treat security requirements same way as functional requirements • Define security policy • Identify attack](https://reader033.vdocuments.net/reader033/viewer/2022050401/5f7e805ca749d11c293ba2c4/html5/thumbnails/29.jpg)
Penetration test
• Use the source – Otherwise people send
time on reverse-engineering system
• Apply business priorities – Logic flaw vs. XSS flaw – XSS is important if it
contributes towards compromising business logic
• Use in-house QA department – They already know the
system – Use tools and training to
add security testing skills
• Test more than once
• Incorporate the findings back into development
29
Attack on a system with the intention of finding security weaknesses, potentially gaining access to it, its functionality and data
![Page 30: Secure System Development · 2018-05-17 · CLASP Best Practices • Treat security requirements same way as functional requirements • Define security policy • Identify attack](https://reader033.vdocuments.net/reader033/viewer/2022050401/5f7e805ca749d11c293ba2c4/html5/thumbnails/30.jpg)
Risk-based security test
• Test based on priorities – Architectural risks – Risks discovered during code review
• Test malicious input – Use fuzzing tool
30
![Page 31: Secure System Development · 2018-05-17 · CLASP Best Practices • Treat security requirements same way as functional requirements • Define security policy • Identify attack](https://reader033.vdocuments.net/reader033/viewer/2022050401/5f7e805ca749d11c293ba2c4/html5/thumbnails/31.jpg)
Abuse analysis and Security requirement
• Security is not a set of features • How system should react to illegitimate use • Like use cases, but with malicious users
31
![Page 32: Secure System Development · 2018-05-17 · CLASP Best Practices • Treat security requirements same way as functional requirements • Define security policy • Identify attack](https://reader033.vdocuments.net/reader033/viewer/2022050401/5f7e805ca749d11c293ba2c4/html5/thumbnails/32.jpg)
External analysis
• Unfortunately – Software architects, developers, and testers are
largely unaware of the software security problems • Good news
– They acknowledge that security problems exists! • Bad news
– Barely begun to apply the security solutions
32
![Page 33: Secure System Development · 2018-05-17 · CLASP Best Practices • Treat security requirements same way as functional requirements • Define security policy • Identify attack](https://reader033.vdocuments.net/reader033/viewer/2022050401/5f7e805ca749d11c293ba2c4/html5/thumbnails/33.jpg)
Outline
• Security system development processes – Microsoft secure system development lifecycle
– OWASP CLASP
– Seven touchpoints
– Comparison
• Security Approaches in Secure Systems Development Processes
33
![Page 34: Secure System Development · 2018-05-17 · CLASP Best Practices • Treat security requirements same way as functional requirements • Define security policy • Identify attack](https://reader033.vdocuments.net/reader033/viewer/2022050401/5f7e805ca749d11c293ba2c4/html5/thumbnails/34.jpg)
34
Comparison
![Page 35: Secure System Development · 2018-05-17 · CLASP Best Practices • Treat security requirements same way as functional requirements • Define security policy • Identify attack](https://reader033.vdocuments.net/reader033/viewer/2022050401/5f7e805ca749d11c293ba2c4/html5/thumbnails/35.jpg)
Comparison
35
• SSDL – Education and awareness – Project inception and release – Deployment and support activities
• OWASP CLASP – Project inception and release – Deployment and support activities – Analysis and requirements – Architectural and detailed design activities
• Seven Touchpoints – Implementation and testing
• e.g., three out of seven touchpoints are related to the testing activities.
– Analysis and requirements – Architectural and detailed design
[De Win et al., 2009]
![Page 36: Secure System Development · 2018-05-17 · CLASP Best Practices • Treat security requirements same way as functional requirements • Define security policy • Identify attack](https://reader033.vdocuments.net/reader033/viewer/2022050401/5f7e805ca749d11c293ba2c4/html5/thumbnails/36.jpg)
Outline
• Security system development processes – Microsoft secure system development lifecycle
– OWASP CLASP
– Seven touchpoints
– Comparison
• Security Approaches in Secure Systems Development Processes
36
![Page 37: Secure System Development · 2018-05-17 · CLASP Best Practices • Treat security requirements same way as functional requirements • Define security policy • Identify attack](https://reader033.vdocuments.net/reader033/viewer/2022050401/5f7e805ca749d11c293ba2c4/html5/thumbnails/37.jpg)
Sec
urity
App
roac
hes
in S
ecur
e S
yste
m D
evel
opm
ent
37
![Page 38: Secure System Development · 2018-05-17 · CLASP Best Practices • Treat security requirements same way as functional requirements • Define security policy • Identify attack](https://reader033.vdocuments.net/reader033/viewer/2022050401/5f7e805ca749d11c293ba2c4/html5/thumbnails/38.jpg)
Message to take home
• Emphasis on „building secure software” as opposed to „building security software”
• Major methodologies – Microsoft's Security Development Lifecycle – OWASP CLASP – Cigital's Security Touchpoints
38
![Page 39: Secure System Development · 2018-05-17 · CLASP Best Practices • Treat security requirements same way as functional requirements • Define security policy • Identify attack](https://reader033.vdocuments.net/reader033/viewer/2022050401/5f7e805ca749d11c293ba2c4/html5/thumbnails/39.jpg)
39
Final slide
• Don't do anything just because somebody else does • Apply the scientific method
– „a method of procedure that has characterized natural science since the 17th century, consisting in systematic observation, measurement, and experiment, and the formulation, testing, and modification of hypotheses.”
http://oxforddictionaries.com/
![Page 40: Secure System Development · 2018-05-17 · CLASP Best Practices • Treat security requirements same way as functional requirements • Define security policy • Identify attack](https://reader033.vdocuments.net/reader033/viewer/2022050401/5f7e805ca749d11c293ba2c4/html5/thumbnails/40.jpg)
40
Final slide
• Don't do anything just because somebody else does • Apply the scientific method
– „a method of procedure that has characterized natural science since the 17th century, consisting in systematic observation, measurement, and experiment, and the formulation, testing, and modification of hypotheses.”
http://oxforddictionaries.com/
Creativity – your key to secure software