secured development
DESCRIPTION
Presentation I gave on best practices for securing development at Kuwait InfoSec 2012.The only picture in the entire slide is thanks to XKCD.TRANSCRIPT
![Page 2: Secured Development](https://reader038.vdocuments.net/reader038/viewer/2022100518/5587e5e6d8b42a302d8b4577/html5/thumbnails/2.jpg)
TODAY’S TALK • 3 Ps of Info. Security
• Secure Development - Published Standards • Practical Best Practices – Implementation Guidelines
• S.I.T.A.T • Debunking Common Myths
![Page 3: Secured Development](https://reader038.vdocuments.net/reader038/viewer/2022100518/5587e5e6d8b42a302d8b4577/html5/thumbnails/3.jpg)
THREE P OF SECURITY • PEOPLE
• PROCESS • PERSISTANCE / PRACTICE
• SECURITY IS NOT = PRODUCT
![Page 4: Secured Development](https://reader038.vdocuments.net/reader038/viewer/2022100518/5587e5e6d8b42a302d8b4577/html5/thumbnails/4.jpg)
WHY DEVELOPMENT SECURITY? • MAJORITY of security vulnerabilities result from poor
code
• Great impact vs. minimal investment • Awareness at the basic, fundamental, core
• Reciprocal effect
• Best Use of Resources
![Page 5: Secured Development](https://reader038.vdocuments.net/reader038/viewer/2022100518/5587e5e6d8b42a302d8b4577/html5/thumbnails/5.jpg)
STANDARDS • SSE-CMM
• Systems Security Engineering – Capability Maturity Model • TSP-Secure
• Team Software Process for Secure Software Development • Microsoft Trustworthy Computing Software Development
Lifecyle
• SAMM
• Software Assurance Maturity Model • SSF
• Software Security Framework
![Page 6: Secured Development](https://reader038.vdocuments.net/reader038/viewer/2022100518/5587e5e6d8b42a302d8b4577/html5/thumbnails/6.jpg)
PRACTICAL IDEAS • Standardize
• Isolate • Testing & Peer Reviews
• Audits
• Tooling
![Page 7: Secured Development](https://reader038.vdocuments.net/reader038/viewer/2022100518/5587e5e6d8b42a302d8b4577/html5/thumbnails/7.jpg)
STANDARDIZE • Infrastructure
• What systems to use • What versions/patches to deploy
• Methodology
• Waterfall • Agile • Swimlanes • Kanban Boards • SDLC
• Deployment Automation
![Page 8: Secured Development](https://reader038.vdocuments.net/reader038/viewer/2022100518/5587e5e6d8b42a302d8b4577/html5/thumbnails/8.jpg)
ISOLATE • Development Stages
• Development • Testing • Staging • Production
• Isolate:
• Hardware • Connectivity • Credentials
• Centralized Credential Store (LDAP/AD/SSO/Federation) • Change Management Process
![Page 9: Secured Development](https://reader038.vdocuments.net/reader038/viewer/2022100518/5587e5e6d8b42a302d8b4577/html5/thumbnails/9.jpg)
TESTING • Software should be tested by the following:
• Developers • End Users • Dedicated QA/QC Team • Everyone in the company • CEO-only • Customer-only • My Boss
• One Good Test = Hours of Development time saved
• One Bad Test = Hours of Development time wasted
• Development Time = Money
![Page 10: Secured Development](https://reader038.vdocuments.net/reader038/viewer/2022100518/5587e5e6d8b42a302d8b4577/html5/thumbnails/10.jpg)
GOOD TESTS VS. BAD TESTS • Centralized Bug Database
• That everyone uses, not just developers • Good Tests = Good Bug Reports
• Repeatable • Example • Expected This, Got This • BugCam / ScreenCapture
• Bad Tests
• Bugs that can’t be reproduced • Backlog of bugs • Time wasted chasing non-software issues
![Page 11: Secured Development](https://reader038.vdocuments.net/reader038/viewer/2022100518/5587e5e6d8b42a302d8b4577/html5/thumbnails/11.jpg)
PEER / CODE REVIEWS • Creating a proper environment
• Peer Reviews vs. Testing • Implementation vs. Execution • Code / Algorithm Level • “Is there a better way to write this loop?” • Pool expertise together • Learning Environment
![Page 12: Secured Development](https://reader038.vdocuments.net/reader038/viewer/2022100518/5587e5e6d8b42a302d8b4577/html5/thumbnails/12.jpg)
TOOLING • Good Quality Tools = Good Quality Product
• Standardize on tooling and frameworks • Standard Documentation and bootstrapping
• Use a wiki/intranet • Geared towards developers • Centralize machine images
![Page 13: Secured Development](https://reader038.vdocuments.net/reader038/viewer/2022100518/5587e5e6d8b42a302d8b4577/html5/thumbnails/13.jpg)
ABOUT FRAMEWORKS • Software frameworks good:
• Set of rules that lead to benefits • “Batteries Included” • Save Development Time
• Common security headaches dealt with • Software frameworks bad:
• Black box – too much “magic” • Another thing to patch/maintain • Collateral damage
• Conclusion:
• Use the Right framework, not the Popular framework
![Page 14: Secured Development](https://reader038.vdocuments.net/reader038/viewer/2022100518/5587e5e6d8b42a302d8b4577/html5/thumbnails/14.jpg)
COMMON MYTHS • Complex passwords are secure passwords
• Closed Source vs. Open Source • 3rd Party Testing = Assurance
![Page 15: Secured Development](https://reader038.vdocuments.net/reader038/viewer/2022100518/5587e5e6d8b42a302d8b4577/html5/thumbnails/15.jpg)
COMPLEX PASSWORDS • Typical password requirements:
• 1 CAPITAL letter • 1 lowercase letter • 1 numeric character • 1 “special” character • 8 characters in length • Cannot repeat X passwords
• Opposite Effect
• People write down passwords • Repeat patterns (Apr@2012, May@2012)
![Page 16: Secured Development](https://reader038.vdocuments.net/reader038/viewer/2022100518/5587e5e6d8b42a302d8b4577/html5/thumbnails/16.jpg)
Password policies have led to passwords that are difficult for people to remember, but easy for machines to crack.
![Page 17: Secured Development](https://reader038.vdocuments.net/reader038/viewer/2022100518/5587e5e6d8b42a302d8b4577/html5/thumbnails/17.jpg)
CLOSED SOURCE VS. OPEN SOURCE • Common Myths:
• Since its open, means hackers know the code • Anyone can find bugs and exploit them
• The Truth:
• More Eyes = More People to Fix the bug • If a bug is found, it is announced and quickly fixed • No more “zero day” exploits
![Page 18: Secured Development](https://reader038.vdocuments.net/reader038/viewer/2022100518/5587e5e6d8b42a302d8b4577/html5/thumbnails/18.jpg)
3RD PARTY TESTING • Myth
• They will test my code • They will tell me what’s wrong • If they say it passes, it is secure
• Truth
• Testing done against published vulnerabilities only • Report tells you what is wrong with your stack not with
your code. • Apache vulnerability • Windows patch missing
• Your code is evolving
![Page 19: Secured Development](https://reader038.vdocuments.net/reader038/viewer/2022100518/5587e5e6d8b42a302d8b4577/html5/thumbnails/19.jpg)
THANK YOU QUESTIONS
@BURHAN – HTTP://SPKR8.COM/S/15462