SlideShare a Scribd company logo

Six key security engineering activities

Security Innovation
Security Innovation

This webcast (now in PDF version) will present six security engineering activities that can be leveraged to refine and extend their existing life cycle activities.

Technology
1 of 17
Download to read offline
Six Key Security Engineering Activities Jason Taylor CTO Security Innovation About Security Innovation • Application and Data Security Experts Seattle – 10+ years of research on security vulnerabilities – Hundreds of assessments on world’s most dominant software, applications and development environments – Solutions for all phases of SDLC: secure design, development, testing and deployment Boston • Products, Services & Training – Training/eLearning on secure coding, security testing, etc. – Application Security Assessment (black and white box) – Encryption for secure data transfer and communications 1
Agenda • Security Engineering overview • Six key Security Engineering Activities • How to adopt these activities incrementally to maximize your security ROI • Conclusion Security Engineering: What it is and what it entails • Integrating security into your lifecycle – Upfront security design, secure coding practices, and testing for security must all be an integral part of your application development processes • Identifying your objectives – Understanding early what the security objectives are for your application – Will play a critical role in shaping threat modeling, code reviews, and testing • Knowing your threats – Analyzing your application in a structured and systematic way to recognize its threats and vulnerabilities • Using an iterative approach – Some activities should be performed multiple times during the development process in order to maximize application security 2
Security Engineering: What it is and what it entails Threats, Vulnerabilities, Attacks & Countermeasures • Threat – Undesired event or potential occurrence – May or may not be malicious in nature – Might damage or compromise an asset or objective • Vulnerability – Weakness in some aspect or feature of a system that makes an exploit possible – Can exist at the network, host, or application level • Attack (or exploit) – An action taken that uses one or more vulnerabilities to realize a threat – Could be someone following through on a threat or exploiting a vulnerability • Countermeasures – Address vulnerabilities to reduce the probability of attacks or impacts of threats – Do not directly address threats but address the factors that define the threats – Range from improving application design, or improving your code, to improving an operational practice. 3
Six Key Security Activities • Identify Security Objectives to ensure security considerations in later phases • Apply Security Design Guidelines to reduce your application’s attack surface • Conduct Security Architecture and Design Reviews to identify security problems that can have multiplier effect in later phases • Create Threat Models that identify threats, attacks, vulnerabilities and countermeasures • Perform Security Code Reviews and Penetration Testing to uncover specific vulnerabilities • Conduct Security Deployment Reviews to ensure configuration and deployment problems are discovered before app is in production Activity #1: Identifying Security Objectives • Defined at beginning of development process • Identify goals and constraints that affect the confidentiality, integrity, and availability of your data and application • Are used to: – Filter the set of Design Guidelines that are applicable – Guide Threat Modeling – Scope and guide Architecture and Design reviews – Help set Code Review objectives – Guide security Test Planning and Execution – Guide Deployment Reviews if you don’t know what the objectives are for your application then it is difficult to be successful with any other security activity. 4
Identifying Security Objectives: Discovery Process • Discovery Process – an iterative process that is initially driven by an examination of the application’s requirements and usage scenarios. – by the end of the requirements and analysis phase you should have a first set of objectives that are not yet tied to design or implementation details – during design phase additional objectives will surface that are specific to the application architecture and design – during implementation phase you may discover a few additional objectives based upon specific technology or implementation choices that have an impact on overall application security – Each evolution of the security objectives will impact other security activities. The threat model, architecture and design review guidelines, and general code review guidelines should be revisited when your security objectives change. Identifying Security Objectives: Questions to Ask Objective Category Questions to ask Tangible assets to protect  Are there user accounts and passwords to protect?  Is there confidential user information (such as credit card numbers) that needs to be protected?  Is there sensitive intellectual property that needs to be protected?  Can this system be used as a conduit to access other corporate assets that need to be protected? Intangible assets to protect  Are there corporate values that could be compromised by an attack on this system?  Is there potential for an attack that may be embarrassing, although not otherwise damaging? Compliance requirements  Are there corporate security policies that must be adhered to?  Is there security legislation you must comply with?  Is there privacy legislation you must comply with?  Are there standards you must adhere to?  Are there constraints forced upon you by your deployment environment? Quality of service requirements  Are there specific availability requirements you must meet?  Are there specific performance requirements you must meet? 5
Identifying Security Objectives - Approach • Roles Matrix Objects User Permission Object Object Object Subjects creation modification creation removal read Admin x x Content Creator x x x Reader x Anonymous x • Derive from functional requirements Original Requirement Derived Security Objectives Administrator must be able to add users C – Protect user names and permissions from disclosure to a non- administrator and change user permissions through an I – Restrict non-administrator from adding users and changing user permissions administrator interface. A – Application is available so that the administrator is able to add users and change user permissions Each application server must be able to A – Application server is available for users serve 1000 concurrent users. Registered users must be able to C – Protect registered user credentials and other sensitive information from non- purchase books from the web user- administrators and non-registered users interface I – Restrict non-registered user from purchasing books from the Web user-interface I – Restrict registered users from obtaining books for the wrong price A – Web user interface is available for registered users to purchase books Activity #2: Apply Security Design Guidelines • Represent proven practices evolved over time to reduce risk • Reduce your risk by addressing common vulnerabilities, allowing you to focus on the unique aspects of your design • Each guideline must meet the following qualifications – Actionable. Associated with a vulnerability that can be mitigated through the guideline – Relevant. Associated with a vulnerability that is known to effect real applications – Impactful. Represent key engineering decisions that will have wide-ranging impact • Guidelines are categorized into a security frame – Describes the areas in which poor design can lead to security vulnerabilities – Allows the inclusion of additional guidelines or the refinement of existing guidelines based on newly discovered vulnerabilities 6
Activity #2: Applying Security Design Guidelines Design guidelines are organized by the common application vulnerability categories contained in the Security Frame Vulnerability Category Potential Problem Due to Bad Design Input / Data Validation Insertion of malicious strings in UI or public APIs. These attacks include command execution, cross -site scripting (XSS), SQL injection, and buffer overflow. Results can range from information disclosure to elevation of privilege and arbitrary code execution. Authentication Identity spoofing, password cracking, elevation of privileges, and unauthorized access. Authorization Access to confidential or restricted data, data tampering, and execution of unauthorized operations. Configuration Management Unauthorized access to administration interfaces, ability to update configuration data, and unauthorized access to user accounts and account profiles. Sensitive Data Confidential information disclosure and data tampering. Cryptography Access to confidential data or account credentials, or both. Exception Management Denial of service and disclosure of sensitive system-level details. Auditing and Logging Failure to spot the signs of intrusion, inability to prove a user's actions, and difficulties in problem diagnosis. Design Guidelines – Best Practices Category Guidelines Input / Data Validation Do not trust input; consider centralized input validation. Do not rely on client-side validation. Be careful with canonicalization issues. Constrain, reject, and sanitize input. Validate for type, length, format, and range. Authentication Use strong passwords. Support password expiration periods and account disablement. Do not store credentials (use one-way hashes with salt). Encrypt communication channels to protect authentication tokens. Authorization Use least privileged accounts. Consider authorization granularity. Enforce separation of privileges. Restrict user access to system-level resources. Configuration Management Use least privileged process and service accounts. Do not store credentials in clear text. Use strong authentication and authorization on administration interfaces. Do not use the Local Security Authority (LSA). Secure the communication channel for remote administration. Sensitive Data Avoid storing secrets. Encrypt sensitive data over the wire. Secure the communication channel. Provide strong access controls for sensitive data stores. Cryptography Do not develop your own. Use proven and tested platform features. Keep unencrypted data close to the algorithm. Use the right algorithm and key size. Avoid key management (use DPAPI). Cycle your keys periodically. Store keys in a restricted location. Exception Management Use structured exception handling. Do not reveal sensitive application implementation details. Do not log private data such as passwords. Consider a centralized exception management framework. Auditing and Logging Identify malicious behavior. Know what good traffic looks like. Audit and log activity through all of the application tiers. Secure access to log files. Back up and regularly analyze log files. 7
Activity #3: Threat Modeling • Identify threats, attacks, and vulnerabilities that are relevant for your application • Determine countermeasures to mitigate vulnerabilities • Perform in the architecture and design phase, as soon as: – You understand your security objectives – You understand you application architecture • Update and improve iteratively: – When your security objectives change – When your design changes – During implementation, testing and deployment Threat Modeling – Activity Overview • progressively refine your threat model by repeatedly performing steps 2 through 5. You can add more detail as you move through your application development lifecycle and discover more about your application design. 8
Threat Modeling – Activity Summary Table Input Step Output  Business requirements Step 1: I  Key security objectives  Security policies identify security objectives  Compliance requirements  Deployment diagrams Step 2:  Whiteboard-style diagram with  Use cases Create an application overview end-to-end deployment scenario  Functional specifications  Key scenarios  Roles  Technologies  Application security mechanisms  Deployment diagrams Step 3:  Trust boundaries  Use cases Decompose your application  Entry points  Functional specifications  Exit points  Data flow diagrams  Data flows  Common threats Step 4:  Threat list Identify threats  Common vulnerabilities Step 5:  Vulnerability list Identify vulnerabilities Activity #4: Perform Architecture & Design Review • Goals: – Analyze application architecture and design from a security perspective – Expose the high-risk design decisions that have been made • Don’t rely solely on the use of design documentation – Use a combination of design documents, architecture experts and discussion to achieve the best results 9
Architecture & Design Review – Techniques • Use a question driven approach to expose the highest risk design decision • Use the security frame to dive into areas that reveal common mistakes • 3 pronged approach – Deployment and infrastructure. Review the design of your application in relation to the target deployment environment and the associated security policies. – Security frame. Review approach to critical areas in your application: authentication, authorization, input / data validation, exception management, and other areas – Tier-by-tier analysis. Walk through the logical tiers of your application, and evaluate security choices within your presentation, business, and data access layers Architecture & Design Review – Checklists • Checklists represent areas where mistakes are most often made • Evolve your checklists to include custom checks based your application’s architecture • Example input and data validation checklist: Check Description All entry points and trust boundaries are identified by the design. Input validation is applied whenever input is received from outside the current trust boundary. The design assumes that user input is malicious. Centralized input validation is used where appropriate. The input validation strategy that the application adopted is modular and consistent. The validation approach is to constrain, reject, and then sanitize input. (Looking for known, valid, and safe input is much easier than looking for known malicious or dangerous input.) Data is validated for type, length, format, and range. The design addresses potential canonicalization issues. Input file names and file paths are avoided where possible. The design addresses potential SQL injection issues. The design addresses potential cross-site scripting issues. The design does not rely on client-side validation. The design applies defense in depth to the input validation strategy by providing input validation across tiers. 10
Activity #5: Performing Security Code Reviews & Testing • Code Review – Critical leverage point to reduce the number of implementation errors – Can be performed on every check-in, every build, or some other interval that works for your development process – One of the most impactful steps you can take toward more secure code – While design bugs are the most expensive to fix, implementation bugs are the most common • Security Testing – Functional test techniques cannot uncover security bugs – Designed to understand what is the application NOT supposed to do – Specific attacks should be applied to uncover vulnerabilities Conducting the Code Review Methodology 1. Identify Code Review Iterative Process Objectives Inputs • Design documentation • Architecture diagram • Data flows 2. Perform • Usage scenarios Preliminary • Inspection questions Scan Outputs • Inspection questions 4. Review for 3. Review for • Prioritized list of problems to fix in Unique Issues Common Issues the code 11
Goals of the Code Review • Create/Update a list of inspection questions – what problems are possible in the technology • e.g. should you be looking for buffer overflows? – what problems are possible due to the design? • are there threat mitigations already in place? • Identify vulnerabilities – where in the code – under what conditions • Document a fix – how can the vulnerability be resolved Code Review Techniques • Control Flow Analysis – Step through logical conditions in the code – Look at a function and determines each branch condition. • loops, switch statements, if statements and try/catch blocks, etc – Understand the conditions under which each block will be executed • Data Flow Analysis – Trace data from the points of input to the points of output – For each input location determine how much you trust the source of input • When in doubt you should give it no trust. – Trace the flow of data to each possible output noting along the way any attempts at data validation 12
Common Hotspots • SQL Injection – Look for un-trusted input that can modify the semantics of a SQL query • Cross-Site Scripting – Look for user input echoed back as web content • Data Access – Look for plain-text data base connection strings and authentication to the database • Input and Data Validation – Look for client-side input validation, black-list techniques • Authentication – Look for weak passwords, credentials sent in clear-text, long or semi- random sessions Security Testing • Be sure to leverage your Threat Model for more focused and effective testing • Many flaws are caused by environment interaction – what if a resource is not available? – will we page that to disk? If so, when? • Many flaws are only discoverable after analyzing an applications environment – discover sensitive information by sniffing the network – uncover temporary files • Use automated tooling for low-hanging fruit • Use proven manual testing techniques for elusive bugs 13
Conducting Attacks Dependency Attacks Design Attacks • block access to libraries • try common default and test account names • manipulate registry values and passwords • force application to use corrupt files (write • expose unprotected test APIs protected, inaccessible, data errors...) and • connect to all ports file names • fake the source of data • replace files that the application reads from, • exploit loop conditions writes to, creates and executes • use alternate routes to accomplish the • force application to operate in stressed same task memory/disk space/network availability • force the system to reset values conditions Implementation Attacks User Interface Attacks • time of check and time of use • overflow input buffers • create files with the same name as files • examine all command line switches and protected with a higher classification input options • force all error messages • explore escape characters, character sets • look for temporary files and screen their and commands contents for sensitive information Activity #6: Deployment Review • Helps to ensure that application security is not compromised by poor configuration of the network or host. – even the most securely designed and implemented application can be compromised by an error during deployment • Covers configuration of both the network and the host 14
Deployment Review: Techniques • Use server security categories – Use Server Security Categories to help make deployment reviews for security systematic and repeatable • Break down your deployment review – You can use the categories to break down your application deployment for further analysis and to help identify vulnerabilities. • Review systematically. – By using categories, you can systematically go through the deployment review process from start to finish or pick a particular category for further analysis Server Security Categories Category Practices Patches and Patching and updating your server software is a critical first step. Updates Accounts Accounts allow authenticated users to access a computer. These accounts must be audited. Configure accounts with least privilege to help prevent elevation of privilege. Remove any accounts that you do not need. Help to prevent brute force and dictionary attacks by using strong password policies, and then use auditing and alerts to detect logon failures. Auditing and Auditing is one of your most important tools for identifying intruders, attacks in progress, and Logging evidence of attacks that have occurred. Configure auditing for your server. Event and system logs also help you to troubleshoot security problems. Files and Secure all files and directories with restricted permissions that only allow access to necessary Directories services and accounts. Use auditing to allow you to detect when suspicious or unauthorized activity occurs. Ports Services that run on the server listen to specific ports so that they can respond to incoming requests. Audit the ports on your server regularly to ensure that a service that is not secured or that is unnecessary is not active on your server. Protocols Avoid using protocols that are inherently insecure. If you cannot avoid using these protocols, take the appropriate measures to provide secure authentication and communication. Registry Many security-related settings are stored in the registry. As a result, you must secure the registry. You can do this by applying restricted Windows access control lists (ACLs) and by blocking remote registry administration. Services If the service is necessary, secure and maintain the service. Consider monitoring any service to ensure availability. If your service software is not secure, but you need the service, try to find a secure alternative. Shares Remove all unnecessary file shares. Secure any remaining shares with restricted permissions. 15
How Security Innovation can Help • Source Software Development Services – SDLC Process review – Design & Requirements Review – Code Review – Security Testing • eKnowledge products – Software and information security eLearning – Secure Development Knowledgebase and Guidance System • Data Encryption – Fastest, most secure cryptography available on the market eKnowledge Solutions for Secure Development & Code Review TeamMentor: Secure Development Guidance System – Out of the box secure development standards and best practices (maps to several compliance reqt’s) – How-to’s, how not-to’s, code snippets, attacks, checklists – Targeted, on-demand, context specific application security training – Dedicated section for software security engineering Software Security eLearning: – Creating Secure Code – How to Break Software Security – Fundamentals of Application Security – Introduction to Threat Modeling – Intro to Cryptography 16
Try eLearning for free http://elearning.securityinnovation.com Free eLearning Course for Attending Introduction to the SDL SDL for Management Introduction to Threat Modeling “Security Engineering Explained” Whitepaper jtaylor@securityinnovation.com 17

Recommended

Alphaserve Technologies Patent Pending Application Filed for “Business Workfl...
Alphaserve Technologies Patent Pending Application Filed for “Business Workfl...Alphaserve Technologies Patent Pending Application Filed for “Business Workfl...
Alphaserve Technologies Patent Pending Application Filed for “Business Workfl...Mitch Ackles
 
Building The Right Network
Building The Right NetworkBuilding The Right Network
Building The Right NetworkCisco Canada
 
Erp-PMO
Erp-PMOErp-PMO
Erp-PMOSunayan Pal
 
wanderlust columbia
wanderlust columbiawanderlust columbia
wanderlust columbiaStanford University
 
Organization Chart & Project Responsibilities
Organization Chart & Project ResponsibilitiesOrganization Chart & Project Responsibilities
Organization Chart & Project ResponsibilitiesChris Garbett
 
App sec owasp from developers prospective
App sec owasp from developers prospectiveApp sec owasp from developers prospective
App sec owasp from developers prospectiveSecurity Innovation
 
Application Security Maturity Model
Application Security Maturity ModelApplication Security Maturity Model
Application Security Maturity ModelSecurity Innovation
 
Reducing Application Risk: minimizing your web application's attack surface
Reducing Application Risk: minimizing your web application's attack surfaceReducing Application Risk: minimizing your web application's attack surface
Reducing Application Risk: minimizing your web application's attack surfaceSecurity Innovation
 

Recommended

Alphaserve Technologies Patent Pending Application Filed for “Business Workfl...
Alphaserve Technologies Patent Pending Application Filed for “Business Workfl...Alphaserve Technologies Patent Pending Application Filed for “Business Workfl...
Alphaserve Technologies Patent Pending Application Filed for “Business Workfl...Mitch Ackles
 
Building The Right Network
Building The Right NetworkBuilding The Right Network
Building The Right NetworkCisco Canada
 
Erp-PMO
Erp-PMOErp-PMO
Erp-PMOSunayan Pal
 
wanderlust columbia
wanderlust columbiawanderlust columbia
wanderlust columbiaStanford University
 
Organization Chart & Project Responsibilities
Organization Chart & Project ResponsibilitiesOrganization Chart & Project Responsibilities
Organization Chart & Project ResponsibilitiesChris Garbett
 
App sec owasp from developers prospective
App sec owasp from developers prospectiveApp sec owasp from developers prospective
App sec owasp from developers prospectiveSecurity Innovation
 
Application Security Maturity Model
Application Security Maturity ModelApplication Security Maturity Model
Application Security Maturity ModelSecurity Innovation
 
Reducing Application Risk: minimizing your web application's attack surface
Reducing Application Risk: minimizing your web application's attack surfaceReducing Application Risk: minimizing your web application's attack surface
Reducing Application Risk: minimizing your web application's attack surfaceSecurity Innovation
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by HubspotMarius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTExpeed Software
 

More Related Content

Recently uploaded

Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 

Recently uploaded (20)

Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 

Featured

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by HubspotMarius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTExpeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsPixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthThinkNow
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfmarketingartwork
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024Neil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)contently
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsKurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summarySpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentLily Ray
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesVit Horky
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project managementMindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...RachelPearson36
 

Featured (20)

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 

Six key security engineering activities

  • 1. Six Key Security Engineering Activities Jason Taylor CTO Security Innovation About Security Innovation • Application and Data Security Experts Seattle – 10+ years of research on security vulnerabilities – Hundreds of assessments on world’s most dominant software, applications and development environments – Solutions for all phases of SDLC: secure design, development, testing and deployment Boston • Products, Services & Training – Training/eLearning on secure coding, security testing, etc. – Application Security Assessment (black and white box) – Encryption for secure data transfer and communications 1
  • 2. Agenda • Security Engineering overview • Six key Security Engineering Activities • How to adopt these activities incrementally to maximize your security ROI • Conclusion Security Engineering: What it is and what it entails • Integrating security into your lifecycle – Upfront security design, secure coding practices, and testing for security must all be an integral part of your application development processes • Identifying your objectives – Understanding early what the security objectives are for your application – Will play a critical role in shaping threat modeling, code reviews, and testing • Knowing your threats – Analyzing your application in a structured and systematic way to recognize its threats and vulnerabilities • Using an iterative approach – Some activities should be performed multiple times during the development process in order to maximize application security 2
  • 3. Security Engineering: What it is and what it entails Threats, Vulnerabilities, Attacks & Countermeasures • Threat – Undesired event or potential occurrence – May or may not be malicious in nature – Might damage or compromise an asset or objective • Vulnerability – Weakness in some aspect or feature of a system that makes an exploit possible – Can exist at the network, host, or application level • Attack (or exploit) – An action taken that uses one or more vulnerabilities to realize a threat – Could be someone following through on a threat or exploiting a vulnerability • Countermeasures – Address vulnerabilities to reduce the probability of attacks or impacts of threats – Do not directly address threats but address the factors that define the threats – Range from improving application design, or improving your code, to improving an operational practice. 3
  • 4. Six Key Security Activities • Identify Security Objectives to ensure security considerations in later phases • Apply Security Design Guidelines to reduce your application’s attack surface • Conduct Security Architecture and Design Reviews to identify security problems that can have multiplier effect in later phases • Create Threat Models that identify threats, attacks, vulnerabilities and countermeasures • Perform Security Code Reviews and Penetration Testing to uncover specific vulnerabilities • Conduct Security Deployment Reviews to ensure configuration and deployment problems are discovered before app is in production Activity #1: Identifying Security Objectives • Defined at beginning of development process • Identify goals and constraints that affect the confidentiality, integrity, and availability of your data and application • Are used to: – Filter the set of Design Guidelines that are applicable – Guide Threat Modeling – Scope and guide Architecture and Design reviews – Help set Code Review objectives – Guide security Test Planning and Execution – Guide Deployment Reviews if you don’t know what the objectives are for your application then it is difficult to be successful with any other security activity. 4
  • 5. Identifying Security Objectives: Discovery Process • Discovery Process – an iterative process that is initially driven by an examination of the application’s requirements and usage scenarios. – by the end of the requirements and analysis phase you should have a first set of objectives that are not yet tied to design or implementation details – during design phase additional objectives will surface that are specific to the application architecture and design – during implementation phase you may discover a few additional objectives based upon specific technology or implementation choices that have an impact on overall application security – Each evolution of the security objectives will impact other security activities. The threat model, architecture and design review guidelines, and general code review guidelines should be revisited when your security objectives change. Identifying Security Objectives: Questions to Ask Objective Category Questions to ask Tangible assets to protect  Are there user accounts and passwords to protect?  Is there confidential user information (such as credit card numbers) that needs to be protected?  Is there sensitive intellectual property that needs to be protected?  Can this system be used as a conduit to access other corporate assets that need to be protected? Intangible assets to protect  Are there corporate values that could be compromised by an attack on this system?  Is there potential for an attack that may be embarrassing, although not otherwise damaging? Compliance requirements  Are there corporate security policies that must be adhered to?  Is there security legislation you must comply with?  Is there privacy legislation you must comply with?  Are there standards you must adhere to?  Are there constraints forced upon you by your deployment environment? Quality of service requirements  Are there specific availability requirements you must meet?  Are there specific performance requirements you must meet? 5
  • 6. Identifying Security Objectives - Approach • Roles Matrix Objects User Permission Object Object Object Subjects creation modification creation removal read Admin x x Content Creator x x x Reader x Anonymous x • Derive from functional requirements Original Requirement Derived Security Objectives Administrator must be able to add users C – Protect user names and permissions from disclosure to a non- administrator and change user permissions through an I – Restrict non-administrator from adding users and changing user permissions administrator interface. A – Application is available so that the administrator is able to add users and change user permissions Each application server must be able to A – Application server is available for users serve 1000 concurrent users. Registered users must be able to C – Protect registered user credentials and other sensitive information from non- purchase books from the web user- administrators and non-registered users interface I – Restrict non-registered user from purchasing books from the Web user-interface I – Restrict registered users from obtaining books for the wrong price A – Web user interface is available for registered users to purchase books Activity #2: Apply Security Design Guidelines • Represent proven practices evolved over time to reduce risk • Reduce your risk by addressing common vulnerabilities, allowing you to focus on the unique aspects of your design • Each guideline must meet the following qualifications – Actionable. Associated with a vulnerability that can be mitigated through the guideline – Relevant. Associated with a vulnerability that is known to effect real applications – Impactful. Represent key engineering decisions that will have wide-ranging impact • Guidelines are categorized into a security frame – Describes the areas in which poor design can lead to security vulnerabilities – Allows the inclusion of additional guidelines or the refinement of existing guidelines based on newly discovered vulnerabilities 6
  • 7. Activity #2: Applying Security Design Guidelines Design guidelines are organized by the common application vulnerability categories contained in the Security Frame Vulnerability Category Potential Problem Due to Bad Design Input / Data Validation Insertion of malicious strings in UI or public APIs. These attacks include command execution, cross -site scripting (XSS), SQL injection, and buffer overflow. Results can range from information disclosure to elevation of privilege and arbitrary code execution. Authentication Identity spoofing, password cracking, elevation of privileges, and unauthorized access. Authorization Access to confidential or restricted data, data tampering, and execution of unauthorized operations. Configuration Management Unauthorized access to administration interfaces, ability to update configuration data, and unauthorized access to user accounts and account profiles. Sensitive Data Confidential information disclosure and data tampering. Cryptography Access to confidential data or account credentials, or both. Exception Management Denial of service and disclosure of sensitive system-level details. Auditing and Logging Failure to spot the signs of intrusion, inability to prove a user's actions, and difficulties in problem diagnosis. Design Guidelines – Best Practices Category Guidelines Input / Data Validation Do not trust input; consider centralized input validation. Do not rely on client-side validation. Be careful with canonicalization issues. Constrain, reject, and sanitize input. Validate for type, length, format, and range. Authentication Use strong passwords. Support password expiration periods and account disablement. Do not store credentials (use one-way hashes with salt). Encrypt communication channels to protect authentication tokens. Authorization Use least privileged accounts. Consider authorization granularity. Enforce separation of privileges. Restrict user access to system-level resources. Configuration Management Use least privileged process and service accounts. Do not store credentials in clear text. Use strong authentication and authorization on administration interfaces. Do not use the Local Security Authority (LSA). Secure the communication channel for remote administration. Sensitive Data Avoid storing secrets. Encrypt sensitive data over the wire. Secure the communication channel. Provide strong access controls for sensitive data stores. Cryptography Do not develop your own. Use proven and tested platform features. Keep unencrypted data close to the algorithm. Use the right algorithm and key size. Avoid key management (use DPAPI). Cycle your keys periodically. Store keys in a restricted location. Exception Management Use structured exception handling. Do not reveal sensitive application implementation details. Do not log private data such as passwords. Consider a centralized exception management framework. Auditing and Logging Identify malicious behavior. Know what good traffic looks like. Audit and log activity through all of the application tiers. Secure access to log files. Back up and regularly analyze log files. 7
  • 8. Activity #3: Threat Modeling • Identify threats, attacks, and vulnerabilities that are relevant for your application • Determine countermeasures to mitigate vulnerabilities • Perform in the architecture and design phase, as soon as: – You understand your security objectives – You understand you application architecture • Update and improve iteratively: – When your security objectives change – When your design changes – During implementation, testing and deployment Threat Modeling – Activity Overview • progressively refine your threat model by repeatedly performing steps 2 through 5. You can add more detail as you move through your application development lifecycle and discover more about your application design. 8
  • 9. Threat Modeling – Activity Summary Table Input Step Output  Business requirements Step 1: I  Key security objectives  Security policies identify security objectives  Compliance requirements  Deployment diagrams Step 2:  Whiteboard-style diagram with  Use cases Create an application overview end-to-end deployment scenario  Functional specifications  Key scenarios  Roles  Technologies  Application security mechanisms  Deployment diagrams Step 3:  Trust boundaries  Use cases Decompose your application  Entry points  Functional specifications  Exit points  Data flow diagrams  Data flows  Common threats Step 4:  Threat list Identify threats  Common vulnerabilities Step 5:  Vulnerability list Identify vulnerabilities Activity #4: Perform Architecture & Design Review • Goals: – Analyze application architecture and design from a security perspective – Expose the high-risk design decisions that have been made • Don’t rely solely on the use of design documentation – Use a combination of design documents, architecture experts and discussion to achieve the best results 9
  • 10. Architecture & Design Review – Techniques • Use a question driven approach to expose the highest risk design decision • Use the security frame to dive into areas that reveal common mistakes • 3 pronged approach – Deployment and infrastructure. Review the design of your application in relation to the target deployment environment and the associated security policies. – Security frame. Review approach to critical areas in your application: authentication, authorization, input / data validation, exception management, and other areas – Tier-by-tier analysis. Walk through the logical tiers of your application, and evaluate security choices within your presentation, business, and data access layers Architecture & Design Review – Checklists • Checklists represent areas where mistakes are most often made • Evolve your checklists to include custom checks based your application’s architecture • Example input and data validation checklist: Check Description All entry points and trust boundaries are identified by the design. Input validation is applied whenever input is received from outside the current trust boundary. The design assumes that user input is malicious. Centralized input validation is used where appropriate. The input validation strategy that the application adopted is modular and consistent. The validation approach is to constrain, reject, and then sanitize input. (Looking for known, valid, and safe input is much easier than looking for known malicious or dangerous input.) Data is validated for type, length, format, and range. The design addresses potential canonicalization issues. Input file names and file paths are avoided where possible. The design addresses potential SQL injection issues. The design addresses potential cross-site scripting issues. The design does not rely on client-side validation. The design applies defense in depth to the input validation strategy by providing input validation across tiers. 10
  • 11. Activity #5: Performing Security Code Reviews & Testing • Code Review – Critical leverage point to reduce the number of implementation errors – Can be performed on every check-in, every build, or some other interval that works for your development process – One of the most impactful steps you can take toward more secure code – While design bugs are the most expensive to fix, implementation bugs are the most common • Security Testing – Functional test techniques cannot uncover security bugs – Designed to understand what is the application NOT supposed to do – Specific attacks should be applied to uncover vulnerabilities Conducting the Code Review Methodology 1. Identify Code Review Iterative Process Objectives Inputs • Design documentation • Architecture diagram • Data flows 2. Perform • Usage scenarios Preliminary • Inspection questions Scan Outputs • Inspection questions 4. Review for 3. Review for • Prioritized list of problems to fix in Unique Issues Common Issues the code 11
  • 12. Goals of the Code Review • Create/Update a list of inspection questions – what problems are possible in the technology • e.g. should you be looking for buffer overflows? – what problems are possible due to the design? • are there threat mitigations already in place? • Identify vulnerabilities – where in the code – under what conditions • Document a fix – how can the vulnerability be resolved Code Review Techniques • Control Flow Analysis – Step through logical conditions in the code – Look at a function and determines each branch condition. • loops, switch statements, if statements and try/catch blocks, etc – Understand the conditions under which each block will be executed • Data Flow Analysis – Trace data from the points of input to the points of output – For each input location determine how much you trust the source of input • When in doubt you should give it no trust. – Trace the flow of data to each possible output noting along the way any attempts at data validation 12
  • 13. Common Hotspots • SQL Injection – Look for un-trusted input that can modify the semantics of a SQL query • Cross-Site Scripting – Look for user input echoed back as web content • Data Access – Look for plain-text data base connection strings and authentication to the database • Input and Data Validation – Look for client-side input validation, black-list techniques • Authentication – Look for weak passwords, credentials sent in clear-text, long or semi- random sessions Security Testing • Be sure to leverage your Threat Model for more focused and effective testing • Many flaws are caused by environment interaction – what if a resource is not available? – will we page that to disk? If so, when? • Many flaws are only discoverable after analyzing an applications environment – discover sensitive information by sniffing the network – uncover temporary files • Use automated tooling for low-hanging fruit • Use proven manual testing techniques for elusive bugs 13
  • 14. Conducting Attacks Dependency Attacks Design Attacks • block access to libraries • try common default and test account names • manipulate registry values and passwords • force application to use corrupt files (write • expose unprotected test APIs protected, inaccessible, data errors...) and • connect to all ports file names • fake the source of data • replace files that the application reads from, • exploit loop conditions writes to, creates and executes • use alternate routes to accomplish the • force application to operate in stressed same task memory/disk space/network availability • force the system to reset values conditions Implementation Attacks User Interface Attacks • time of check and time of use • overflow input buffers • create files with the same name as files • examine all command line switches and protected with a higher classification input options • force all error messages • explore escape characters, character sets • look for temporary files and screen their and commands contents for sensitive information Activity #6: Deployment Review • Helps to ensure that application security is not compromised by poor configuration of the network or host. – even the most securely designed and implemented application can be compromised by an error during deployment • Covers configuration of both the network and the host 14
  • 15. Deployment Review: Techniques • Use server security categories – Use Server Security Categories to help make deployment reviews for security systematic and repeatable • Break down your deployment review – You can use the categories to break down your application deployment for further analysis and to help identify vulnerabilities. • Review systematically. – By using categories, you can systematically go through the deployment review process from start to finish or pick a particular category for further analysis Server Security Categories Category Practices Patches and Patching and updating your server software is a critical first step. Updates Accounts Accounts allow authenticated users to access a computer. These accounts must be audited. Configure accounts with least privilege to help prevent elevation of privilege. Remove any accounts that you do not need. Help to prevent brute force and dictionary attacks by using strong password policies, and then use auditing and alerts to detect logon failures. Auditing and Auditing is one of your most important tools for identifying intruders, attacks in progress, and Logging evidence of attacks that have occurred. Configure auditing for your server. Event and system logs also help you to troubleshoot security problems. Files and Secure all files and directories with restricted permissions that only allow access to necessary Directories services and accounts. Use auditing to allow you to detect when suspicious or unauthorized activity occurs. Ports Services that run on the server listen to specific ports so that they can respond to incoming requests. Audit the ports on your server regularly to ensure that a service that is not secured or that is unnecessary is not active on your server. Protocols Avoid using protocols that are inherently insecure. If you cannot avoid using these protocols, take the appropriate measures to provide secure authentication and communication. Registry Many security-related settings are stored in the registry. As a result, you must secure the registry. You can do this by applying restricted Windows access control lists (ACLs) and by blocking remote registry administration. Services If the service is necessary, secure and maintain the service. Consider monitoring any service to ensure availability. If your service software is not secure, but you need the service, try to find a secure alternative. Shares Remove all unnecessary file shares. Secure any remaining shares with restricted permissions. 15
  • 16. How Security Innovation can Help • Source Software Development Services – SDLC Process review – Design & Requirements Review – Code Review – Security Testing • eKnowledge products – Software and information security eLearning – Secure Development Knowledgebase and Guidance System • Data Encryption – Fastest, most secure cryptography available on the market eKnowledge Solutions for Secure Development & Code Review TeamMentor: Secure Development Guidance System – Out of the box secure development standards and best practices (maps to several compliance reqt’s) – How-to’s, how not-to’s, code snippets, attacks, checklists – Targeted, on-demand, context specific application security training – Dedicated section for software security engineering Software Security eLearning: – Creating Secure Code – How to Break Software Security – Fundamentals of Application Security – Introduction to Threat Modeling – Intro to Cryptography 16
  • 17. Try eLearning for free http://elearning.securityinnovation.com Free eLearning Course for Attending Introduction to the SDL SDL for Management Introduction to Threat Modeling “Security Engineering Explained” Whitepaper jtaylor@securityinnovation.com 17