This document provides an overview of digital product security. It discusses common cyberattacks against businesses, security issues in product development processes, and tips for developing software with security by design. It emphasizes starting with secure requirements, using static analysis, dynamic testing, and manual reviews. Following secure SDLC practices and continuous integration of security tools can help improve security, reduce costs, and better satisfy security audits.
2. Agenda
• About me
• Know your enemy first: Cyberattacks against modern business
• Anatomy and security issues in Product Development
• Tips and Tricks: Develop software security by design
• How to get ROI
• People, Process, Tools
• References
2016
3. About me
Security Consulting Lead @ SoftServe
Manage Security Red Team
OWASP Chapter Lead L'viv
Penetration Tester
Certified Ethical Hacker
Researcher
General summary:
• 10+ years of experience in Information Security
• 15+ years of UNIX systems network administration experience
• 15+ years of MS Windows * administration experience
• 4 years of Novell service and products administration experience
• 1+ year of Oracle DB administration as a DBA
• 15+ years in network infrastructure management
Nazar Tymoshyk,
Ph.D. CEH
9. Developer
• Focus on functional requirements
• Knows about:
• OWASP Top 10
• 1 threat (DEADLINE fail)
• Concentrated on risks
«I know when I’m writing code I’m
not thinking about evil, I’m just
trying to think about functionality»
Scott Hanselman
«Risks are for managers, not
developers»
Unknown
Security Officer
• Focused on security requirements
• Knows difference between
vulnerability and attack
• Focused on Toolset and its output
• Focused on vulnerabilities
10. Application security testing tools are being sold
as a solution to the problem of insecure software
Many of the CWE vulnerability types are design issues or business logic issues.
Why doesn’t code analysis resolve the problem?
11. Scanners Cannot THINK
Security Scanner is not a panacea
Looking for known, defined and predictable patterns
Not searching for:
• Logical defects
• Rights separation
• Complex attack vectors
• Defects in architecture and design
• Real Cryptography level
• Etc.
Scanners create the Illusion of SAFETY
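The point of this slide, that a scanner matches known patterns but does not reason about rights separation or logic, is easier to see with code. The following is an added example, not code from the presentation or from SoftServe: a toy regex-based scanner beside a grey-box test case derived from a security requirement. The order handlers, rule names, data store and snippet are all constructed for the example.

```python
import inspect
import re

# Added example (not from the presentation): a toy pattern-based scanner next to a
# behavioural test case, to show why "scanners cannot think". All data below is
# constructed for the example.

# Constructed in-memory data store: two users, each owning one order.
ORDERS = {
    1001: {"owner": "alice", "total": 120},
    1002: {"owner": "bob", "total": 75},
}


def get_order_missing_check(current_user: str, order_id: int) -> dict:
    """Logical defect: any signed-in user can read any order (no ownership check).

    There is no suspicious string pattern here, so a pattern scanner has nothing
    to match on; the defect is in the rights separation the code never enforces.
    """
    return ORDERS[order_id]


def get_order_with_check(current_user: str, order_id: int) -> dict:
    """Hardened variant: rights separation is enforced before data is returned."""
    order = ORDERS[order_id]
    if order["owner"] != current_user:
        raise PermissionError("order belongs to another user")
    return order


# Toy scanner rules: regexes over source text, i.e. the "known, defined and
# predictable patterns" a scanner looks for. Rule names are invented for the example.
RULES = {
    "sql-string-concat": re.compile(r'"SELECT .*"\s*\+'),
    "hardcoded-secret": re.compile(r'(password|api_key)\s*=\s*"[^"]+"', re.IGNORECASE),
}


def pattern_scan(source: str) -> list[str]:
    """Return the names of all rules that match the given source text."""
    return [name for name, rx in RULES.items() if rx.search(source)]


def scan_handler(handler) -> list[str]:
    """Run the toy scanner over a function's own source code."""
    return pattern_scan(inspect.getsource(handler))


# Constructed snippet that the scanner does catch: a query assembled by concatenation.
SNIPPET_WITH_PATTERN = 'cursor.execute("SELECT * FROM orders WHERE id=" + order_id)'


def ownership_test(handler) -> bool:
    """Grey-box test case written from a security requirement, not from a pattern:
    user bob must not be able to read alice's order 1001. Returns True if the
    handler enforces that, False if it leaks the order."""
    try:
        handler("bob", 1001)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("pattern scan on concat snippet :", pattern_scan(SNIPPET_WITH_PATTERN))
    print("pattern scan on flawed handler :", scan_handler(get_order_missing_check))
    print("ownership test, flawed handler :", ownership_test(get_order_missing_check))
    print("ownership test, fixed handler  :", ownership_test(get_order_with_check))
```

The scanner flags the concatenated query but returns nothing for either handler, because a missing authorization check has no textual signature. Only the test case written from the requirement ("a user may read only their own orders") tells the flawed handler from the fixed one, which is the kind of test case the deck later assigns to the QA team.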
12. QA Engineer VS Security Analyst
In functional and performance testing, the expected results are documented before the test begins, and the quality assurance team looks at how well the expected results match the actual results.
In security testing, the security analysts team is concerned only with unexpected results, testing for the unknown, and looking for weaknesses.
14. Problems to Solve
Determine the activities that pay back fastest in the current state of the project
Avoid inconsistent levels of security
Minimize the cost of Security related issues
Avoid repetitive security issues
15. Value Delivered
• Reduced Cost of Security Issue Resolution
• 3rd party evaluator during initial Penetration test didn’t find any serious
security vulnerability
• Delivered Secure Source Code, Secure Deployment, Secure Infrastructure
• Application fully compliant (HIPAA, PCI, SOC, PII)
• Metrics of security progress increased trust for key stakeholders and clients
17. How the security process looks in reality
Most issues are found by security auditors prior to going live.
Then the process of re-Coding, re-Building, re-Testing, re-Auditing starts, and loops BACK to re-Coding, re-Building, re-Testing, re-Auditing.
18. How much time do you need to fix security
issues in an app?
• 4+ Weeks
• 3-4 Weeks
• 2-3 Weeks
• 0-1 Week
82 percent of applications that were remediated to a satisfactory
level did so in a week or less.
19. Simple ROI of Product security
Figure 2: By identifying vulnerabilities early in the application lifecycle, your organization can prevent
unnecessary costs when fixing application security issues. The costs represented in this illustration are
based on a hypothetical hourly rate, but the magnitude of cost escalation that occurs through the
application lifecycle is typical of what many organizations experience.
Reduce costs by finding application vulnerabilities early*
*Estimated costs based on IBM Global Business Services industry standards
20. How it should look
How do you add Security in?
With a proper Security Program the number of security defects should decrease from phase to phase.
22. Business Issue
Client realized that most of his competitors had already been hacked and his company could be the next target. He wanted to:
• Stay compliant
• Protect his Intellectual Property
• Protect client data
• Demonstrate excellence and high code quality
• Avoid a data breach
• Minimize security costs
Drivers: Customer Request, Potential Issues
Requestor: Security Department
24. Iteration Based Test Only Approach
• After the backlog of security related items has been reviewed and evaluated by Development Management, a 2-week Development cycle (iteration) will address the highest ranked items
• Upon delivery of completed code, security testing is performed both manually and using automated testing tools
• Results from manual and automated scans end up in the same backlog repository, to be reviewed and prioritized by Development Management
26. Approach
Focus on:
• Developing products in a secure way
• Starting with right Security Requirements
• Static Security Code Analysis
• Dynamic Application Security Testing
• Manual Security Testing on Final Security Review
27. Security Education
• Define Security Guidelines for Dev & QA
• Develop Test Cases for QA team
• Regular (quarterly) Session with Dev Team to talk about recent vulnerabilities
• Knowledge Sharing
28. Requirements Definition Stage
• Identity Management (IdM), SSO and Security Control
• Data Segregation
• Data Security & Privacy
• Availability
• Network & Transport Security
• Operation Security
• Define Security Quality Gates
29. SAST/DAST Security Testing
• Static Code Analysis
• Static Application Security Testing
• Dynamic Application Security Testing
• Custom Automation Testing
• SonarQube with latest rule set to validate for each check-in
• Regular (sprint based) source code and application in runtime security
scan with IBM AppScan
• Final security audit - security SAST&DAST assessment with Veracode
31. Manual Security Testing – Activity
• Create Dev & QA guide applicable for the project
• Create Test Cases for Grey Box testing
• Execute tests and assist the dev team by explaining the root causes of identified issues and the approaches to mitigating them
• Validation of new functionality and periodic remediation for modification
• Educate QA and Dev team
32. Incident Response Plan
Plan response for security incidents in case of:
• Malicious Code Injection
• Unauthorized Access
• Unauthorized Utilization of Services
• Data Manipulation/Theft
• Virus and other Threats
• Aggressive Probes
33. Typical involvement
1st-4th month – 1 FTE
• Scoping and prioritization
• Manual Testing critical functionality
• Full source code scan and upgrade SonarQube
5th month onwards – 0.25-0.5 FTE
• Complete test of remaining functionality
• Scan changes introduced during the sprint
• Conduct Training and collaborate with QA and Dev Team during
design and implementation
37. Value
• Certified security experts to control security of the project
• SoftServe utilizes a different set of tools to ensure coverage (IBM, Veracode, PortSwigger, OpenVAS)
• Regular scans that can be integrated into CI
• Education and case studies based on defect severity for Dev and QA
• Following Secure SDLC practices
• And many more
1. 20-40% decrease in time for testing/re-testing
2. Catch problems as soon as possible
3. Avoid repetitive security issues
4. Improve security expertise/practices for the current team
5. Continuous Automation & Integration
6. Proactive Security Reporting
7. Full coverage
38. After a successful build we package the app and transfer it to the security testing tool
Detect the exact line of buggy code
39. CI security integration Workflow
Dynamic tests with Security scanner
OWASP Top 10 Risk coverage
A1-Injection
A2-Broken Authentication and Session Management
A3-Cross-Site Scripting (XSS)
A4-Insecure Direct Object References
A5-Security Misconfiguration
A6-Sensitive Data Exposure
A7-Missing Function Level Access Control
A8-Cross-Site Request Forgery (CSRF)
A9-Using Components with Known Vulnerabilities
A10-Unvalidated Redirects and Forwards
40. High level vision
CI tools orchestrate the stages: Pull source code → Static Code Analysis → Security Reports → Deploying application → Dynamic Security testing
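Slides 38 to 40 describe the post-build step where scanner output flows back into CI, findings point at the exact line, and coverage is tracked against the OWASP Top 10. The following is an added example, not code from the presentation or from any of the named vendors: a security quality gate script of the kind that would sit between the build and deploy stages. The findings JSON, its field names, the de-duplication rule and the severity policy are assumptions made for this example; the OWASP category list is the one on the slide.

```python
import json
import sys
from collections import Counter

# Added example (not from the presentation or any vendor): a CI security quality gate
# that consumes a scanner's findings export after the build, de-duplicates them,
# enforces a severity policy and reports OWASP Top 10 (2013) coverage.
# The findings format and field names below are assumptions made for this example.

# Constructed sample findings, as a tool might export them after scanning a build.
SAMPLE_FINDINGS_JSON = """
[
  {"id": "F-1", "severity": "High",   "owasp": "A1", "file": "src/db/orders.py", "line": 42, "title": "SQL query built by string concatenation"},
  {"id": "F-2", "severity": "Medium", "owasp": "A5", "file": "config/app.ini",   "line": 7,  "title": "Debug mode enabled in production profile"},
  {"id": "F-3", "severity": "Low",    "owasp": "A6", "file": "src/web/views.py", "line": 88, "title": "Cache-Control header missing on sensitive page"},
  {"id": "F-4", "severity": "High",   "owasp": "A1", "file": "src/db/orders.py", "line": 42, "title": "SQL query built by string concatenation"}
]
"""

# OWASP Top 10 2013 categories, as listed on the slide.
OWASP_TOP10_2013 = {
    "A1": "Injection",
    "A2": "Broken Authentication and Session Management",
    "A3": "Cross-Site Scripting (XSS)",
    "A4": "Insecure Direct Object References",
    "A5": "Security Misconfiguration",
    "A6": "Sensitive Data Exposure",
    "A7": "Missing Function Level Access Control",
    "A8": "Cross-Site Request Forgery (CSRF)",
    "A9": "Using Components with Known Vulnerabilities",
    "A10": "Unvalidated Redirects and Forwards",
}

# Quality gate policy (assumed): maximum number of open findings allowed per
# severity before the pipeline is failed. None means no limit at that severity.
DEFAULT_POLICY = {"High": 0, "Medium": 3, "Low": None}


def load_findings(text: str) -> list[dict]:
    """Parse the export and drop duplicates (same file, line and title), which
    two overlapping scanners or two scan runs commonly produce."""
    seen = set()
    unique = []
    for finding in json.loads(text):
        key = (finding["file"], finding["line"], finding["title"])
        if key not in seen:
            seen.add(key)
            unique.append(finding)
    return unique


def evaluate_gate(findings: list[dict], policy: dict = DEFAULT_POLICY) -> dict:
    """Apply the severity policy; the build passes only if no limit is exceeded."""
    counts = Counter(f["severity"] for f in findings)
    violations = [
        f"{sev}: {counts[sev]} found, limit {limit}"
        for sev, limit in policy.items()
        if limit is not None and counts[sev] > limit
    ]
    return {"passed": not violations, "violations": violations, "counts": dict(counts)}


def owasp_coverage(findings: list[dict]) -> dict:
    """Findings per OWASP category. A zero means nothing was flagged there,
    which is not the same as the category having been tested."""
    per_category = Counter(f["owasp"] for f in findings)
    return {code: per_category[code] for code in OWASP_TOP10_2013}


def format_report(findings: list[dict], result: dict) -> str:
    """Human-readable report; each finding points at the exact file and line."""
    lines = ["Security quality gate: " + ("PASSED" if result["passed"] else "FAILED")]
    lines += ["  " + v for v in result["violations"]]
    for f in sorted(findings, key=lambda f: (f["severity"], f["file"], f["line"])):
        lines.append(f"  [{f['severity']:6}] {f['owasp']} {f['file']}:{f['line']}  {f['title']}")
    lines.append("  OWASP coverage: " + ", ".join(f"{c}={n}" for c, n in owasp_coverage(findings).items()))
    return "\n".join(lines)


if __name__ == "__main__":
    # In a pipeline the export would be read from the scanner's output file instead.
    findings = load_findings(SAMPLE_FINDINGS_JSON)
    result = evaluate_gate(findings)
    print(format_report(findings, result))
    sys.exit(0 if result["passed"] else 1)  # non-zero exit blocks the deploy stage
```

Run as a CI step after the scan, the non-zero exit status is what stops the deploy stage; the same script can run on every check-in with the thresholds of the "Define Security Quality Gates" requirement, and the per-category counts give the OWASP coverage view from slide 39 without reading each report by hand.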