You will learn what the Security Development Lifecycle (SDL) is.
You will understand why an SDL is important.
You will dive into the details of the SDL and see tips for each SDL phase.
You will learn how to roll out an SDL in your organization.
Finally, you will have all the skills needed to deliver a secure product.
How can you deliver a secure product
1. How can you deliver a secure product?
Michael Furman, Security Architect
2. The Legend of SDL
● Steve Lipner
Senior Director of Security Engineering Strategy for Microsoft
Key person for the Microsoft SDL
3. What will we cover today?
What is an SDL?
Why is an SDL important?
Sample: Tufin SDL
How can you deliver a secure product?
4. About Me
● >12 years in application security
● >8 years with Tufin – Lead Security Architect
● >20 years in software engineering
● www.linkedin.com/in/furmanmichael/
● ultimatesecpro@gmail.com
● Read my blog
https://ultimatesecurity.pro/tags/presentation/
● Follow me on twitter @ultimatesecpro
● I like to travel, read books and listen to music
5. About
● Market Leader in Security Policy Automation
● Tufin is used by >2000 enterprises
To segment networks and connect applications
On-prem networks, firewalls, cloud and K8S
● We are the Security Policy Company!
6. Journey to our SDL
● Resolving security issues? Easy for me!
● Creating a “security” process? Brand new for me!
● Soooo many things to manage ....
Vulnerabilities discovered by customers
CVEs
Upgrading 3rd-party software
Pen tests
... and all the other stuff I did not yet even know about
● Saved by the SDL!
● No need to reinvent the wheel
Picture is from the “Journey to the Center of the Earth” movie.
7. What is an SDL?
● SDL is the process for developing secure software
● Adds security controls in each development phase
SDL = Security Development Lifecycle
8. History of SDL
● Bill Gates' e-mail
From: Bill Gates
To: every full-time employee at Microsoft
Sent: Tuesday, January 15, 2002 5:22 PM
Subject: Trustworthy computing
● Microsoft shut down Windows development to handle the security issues
● Microsoft SDL
v 1.0 - 2004 (internal)
v 3.2 - 2008 (public)
v 5.2 - 2012 (recent)
…
Security: The data our software and services store on behalf of our customers
should be protected from harm and used or modified only in appropriate ways.
Security models should be easy for developers to understand and build into their applications.
Photo from yahoo.com
9. Why is an SDL important?
Why SDL?
• Helps developers build secure software
• Ensures security is enabled out of the box
• Defines how to respond to discovered vulnerabilities
10. SolarWinds Attack - 2020
● First disclosure on December 8th by FireEye – the first SolarWinds customer to discover the compromise
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
● Other SolarWinds customers breached: FireEye, U.S. Departments, Microsoft, Cisco, …
https://www.theverge.com/2020/12/21/22194183/intel-nvidia-cisco-government-infected-solarwinds-hack
● Hackers viewed Microsoft source code
https://msrc-blog.microsoft.com/2020/12/31/microsoft-internal-solorigate-investigation-update/
● Joint Statement by the FBI, the CISA, and the ODNI: This work indicates that a Threat,
likely Russian in origin, is responsible for most or all of the recently discovered, ongoing
cyber compromises of both government and non-governmental networks
https://www.fbi.gov/news/pressrel/press-releases/joint-statement-by-the-federal-bureau-of-investigation-fbi-the-cybersecurity-and-infrastructure-security-agency-cisa-and-the-office-of-the-director-of-national-intelligence-odni
11. SolarWinds Attack - Solorigate
● Microsoft’s analysis of the attack
https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
● The attackers inserted malicious code into a DLL
● The SolarWinds Orion Platform is installed
● The backdoor activates
After a random delay of 12 to 14 days following installation
● Attackers ping the backdoor
● Gathering and sending info
● The backdoor runs commands from attackers
Image from microsoft.com
12. SolarWinds Attack - Solorigate
● > 18,000 SolarWinds customers received the malicious update
● > 1,000 experienced the backdoor ping
● > 200 were hacked
https://www.businessinsider.com/list-of-companies-agencies-at-risk-after-solarwinds-hack-2020-12
● US agencies
The Office of the President of the United States
The Department of Defense
The US Army
The Federal Reserve
NASA
The NSA
The CDC
The Department of Justice
● Major companies
Visa
AT&T
PwC
Lockheed Martin
CBS
Cisco
Comcast
Ernst & Young
Hertz
The New York Times
17. Security Training
● Security awareness training for the Development and QA teams
The latest security threats, mitigations, and technologies
OWASP Top 10 best practices
● Security Champions
18. Security Training
● Q: How can a Security Champion be successful?
● Tip: Identify and resolve specific security issues
● Examples of investigations:
Best way for us to handle Content Security Policy (CSP)?
Best way for us to prevent XML External Entity (XXE) attacks?
● Tufin success: OWASP meetup lecture
https://ultimatesecurity.pro/post/xxe-meetup/
20. Security Requirements
● Incorporated into the requirements stage of software development
● Why do we want to handle security early?
It allows us to design a feature and write test plans that incorporate security requirements up front
It saves time for all of us – developer time, QA time, documentation time
21. Design
● Designs of new features are done jointly by both the development and security teams
22. Security Requirements & Design
● Q: How can you ensure Dev & QA handle security?
● Tip: Make it easy - create a security checklist
● Examples
New API?
• Make sure the API has proper authentication
• Make sure the API has proper authorization
• Implement input validation
Confidential info not stored as plain text
• Use appropriate encryption or hash algorithms
Confidential info not stored on the client side
Confidential info not sent via HTTP GET method
…
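One way to turn a checklist item into a reviewer-side check, as an added example that is not part of the presentation: it scans constructed web-server access-log lines and flags GET requests whose query string carries a parameter name that looks like a secret (the checklist's "Confidential info not sent via HTTP GET method"). The log lines, the sensitive-name pattern and the function names are assumptions, not a vendor format.

```python
# Added example (not from the presentation). Flags confidential-looking
# parameters travelling in GET query strings, which end up in server logs,
# proxies and browser history. Log lines and parameter list are constructed.
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in the common "method path protocol" form.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2021:10:00:01 +0000] "GET /api/login?user=alice&password=S3cret HTTP/1.1" 200 512
10.0.0.6 - - [01/Mar/2021:10:00:02 +0000] "POST /api/login HTTP/1.1" 200 512
10.0.0.7 - - [01/Mar/2021:10:00:03 +0000] "GET /api/items?page=2&token=abc123 HTTP/1.1" 200 2048
10.0.0.8 - - [01/Mar/2021:10:00:04 +0000] "GET /api/items?page=3 HTTP/1.1" 200 2048
"""

# Parameter names that must never travel in a URL (assumed list; extend it).
SENSITIVE = re.compile(r"(pass(word|wd)?|secret|token|api[_-]?key|session|ssn)", re.I)
# Request line inside the quotes: method, target, protocol.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def sensitive_get_params(line):
    """Return the names of secret-looking parameters in a GET query string."""
    m = REQUEST.search(line)
    if not m or m.group("method") != "GET":
        return []
    query = urlsplit(m.group("target")).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if SENSITIVE.search(name)]


def audit_log(text):
    """Map line number -> offending parameter names; values are never echoed."""
    findings = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        hits = sensitive_get_params(line)
        if hits:
            findings[lineno] = hits
    return findings


if __name__ == "__main__":
    for lineno, names in audit_log(SAMPLE_LOG).items():
        print(f"line {lineno}: confidential parameter(s) in GET query: {names}")
```

The report names only the parameter, not its value, so the audit output itself does not become another place the secret is stored.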
24. Static Application Security Testing (SAST)
● What is SAST?
● Q: Is there any benefit to scanning on each commit?
● Tip: Scan at least weekly
Daily is the best option
● Your goal: Fix High issues immediately!
25. Software Updates
● All 3rd-party software is regularly updated
● Q: Can I ensure all 3rd-party software is kept up to date without a tool?
Open-source 3rd-party software
Commercial 3rd-party software
● Tip: check that recommended upgrades don’t introduce new vulnerabilities
● Your goal: upgrade to a version without High or Critical issues!
26. Peer Reviews
● Mandatory for every code change
● Tip: ensure all code changes adhere to the security requirements
Passwords are not stored in plain text
Passwords are not stored on client side
…
28. Internal Security Scans
● What are Internal Security Scans?
● Q: Is there any benefit to scanning on each commit?
● Tip: Scan at least monthly
Depends on your release cycle
● Your goal: Fix High issues immediately!
29. Internal Security Scans
● Qualys SSL Labs Report – free service
https://www.ssllabs.com/ssltest/
● Tip: Ensure you check the “Do not show the results on the boards” checkbox
31. Dynamic Application Security Testing (DAST)
● What is DAST?
● Q: Is there any benefit to scanning on each commit?
● Tip: Scan at least monthly
Depends on your release cycle
● Your goal: Fix High issues immediately!
33. External Security Tests
● Why External Security Tests?
● Tips:
Scan at least annually
• Best: on each major release
Create a valid test scope that covers all areas
• Web UI
• Infrastructure
Ensure the External Test is added to the R&D calendar
● Your goal: fix High issues immediately!
Coordinate a retest after your fixes
35. Vulnerability Response Policy
• CRITICAL: A patch will be made available as soon as possible
• HIGH: A fix will be included in the upcoming release
• MEDIUM: A fix will be included in a future release
• LOW: A fix may be included in a future release
• NOT VULNERABLE: Nothing to fix
36. Vulnerability Response Policy
● Define a vulnerability response policy
Document it
● Tip: the policy should be approved at the corporate level
It affects sales, support and development
37. Rolling out an SDL
● First phase (minimal SDL)
Vulnerability Response Policy
Internal Security Scans
• Qualys SSL Labs Report
Software Updates
• Using a tool
● Second Phase
External Security Tests
● Third phase
SAST
● Fourth phase
DAST
38. Rolling out an SDL
● Ongoing
Security Requirements & Design
Security Training
Security Champions
Peer Reviews
● Further improvements
https://www.microsoft.com/en-us/securityengineering/sdl/practices
…
39. Selecting a tool for any SDL phase
● Perform a POC
Define the requirements very well before the POC
● Tools can be commercial or open source
● Using tools from the same provider is not essential
40. How can you deliver a secure product?
● Start to roll out an SDL in your organization
● Improve SDL on a regular basis
41. Takeaways
SDL - the framework that ensures secure software
Roll out an SDL
... And follow it!!!
You will deliver a secure product!
Steve was elected to the National Cybersecurity Hall of Fame in 2015 and to the National Academy of Engineering in 2017.
The story: https://en.wikipedia.org/wiki/Microsoft_Security_Development_Lifecycle
Many other companies, including Cisco, Adobe, and Aetna, have since adopted Microsoft's SDL processes or created their own: https://www.microsoft.com/en-us/securityengineering/sdl/about
https://www.govtech.com/security/List-of-Hacked-Organizations-Tops-200-in-SolarWinds-Case.html Eliminating the attack can be a very complicated task. It is not enough to update the SolarWinds Orion Platform. It is not enough to isolate the SolarWinds Orion Platform. The entire network needs to be investigated, because it is not clear what was added via the backdoor.
Who does not know your security champion?
Example:
You use Spring 4.1
A provider discovers 3 high CVEs and recommends upgrading to 4.2
You upgrade to 4.2 and discover 2 other high CVEs
You have invested a lot of effort but still have high CVEs!
After an additional check you discover that 4.3 has no high CVEs
You should be able to check the CVE list before the upgrade and select 4.3 directly
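The Software Updates tip ("check that recommended upgrades don't introduce new vulnerabilities") and the Spring 4.1 to 4.3 example above, carried through as an added example that is not part of the presentation: given an advisory list, pick the lowest newer version that carries no High or Critical CVEs instead of the one the provider happens to recommend. The library name, version list, CVE identifiers and severities are constructed placeholders, not real advisories.

```python
# Added example (not from the presentation). Chooses an upgrade target with
# no High/Critical CVEs so the check runs before the upgrade, not after it.
# Advisory data is constructed; the CVE ids are placeholders, not real numbers.

# (library, affected_version, cve_id, severity)
ADVISORIES = [
    ("spring-core", "4.1", "CVE-PLACEHOLDER-0001", "HIGH"),
    ("spring-core", "4.1", "CVE-PLACEHOLDER-0002", "HIGH"),
    ("spring-core", "4.1", "CVE-PLACEHOLDER-0003", "HIGH"),
    ("spring-core", "4.2", "CVE-PLACEHOLDER-0004", "HIGH"),
    ("spring-core", "4.2", "CVE-PLACEHOLDER-0005", "HIGH"),
    ("spring-core", "4.2", "CVE-PLACEHOLDER-0006", "LOW"),
    ("spring-core", "4.3", "CVE-PLACEHOLDER-0007", "MEDIUM"),
    ("spring-core", "4.4", "CVE-PLACEHOLDER-0008", "CRITICAL"),
]
# Severities that block an upgrade target, per the slide's goal.
BLOCKING = {"HIGH", "CRITICAL"}


def parse_version(v):
    """'4.10' sorts after '4.2': compare numeric components, not strings."""
    return tuple(int(p) for p in v.split("."))


def blocking_cves(library, version, advisories=ADVISORIES):
    """CVE ids rated High or Critical for one library version."""
    return sorted(cve for lib, ver, cve, sev in advisories
                  if lib == library and ver == version and sev in BLOCKING)


def select_upgrade(library, current, candidates, advisories=ADVISORIES):
    """Lowest candidate newer than `current` with no blocking CVEs.
    Returns (version, skipped): skipped maps each rejected newer version to
    its blocking CVEs; version is None when no candidate qualifies."""
    skipped = {}
    for ver in sorted(candidates, key=parse_version):
        if parse_version(ver) <= parse_version(current):
            continue
        blocked = blocking_cves(library, ver, advisories)
        if blocked:
            skipped[ver] = blocked
            continue
        return ver, skipped
    return None, skipped


if __name__ == "__main__":
    target, skipped = select_upgrade("spring-core", "4.1", ["4.1", "4.2", "4.3", "4.4"])
    print("upgrade to", target, "| skipped:", skipped)
```

With the constructed data the provider's recommended 4.2 is skipped for its two High CVEs and 4.3 is chosen; 4.4 is never considered because a lower clean version exists.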