Secure SDLC in mobile software development.
- 1. Secure SDLC in mobile software development
- 2. Mykhailo Antonishyn Application security expert I work in cyber security more than 5 years. Application security consultant at Access Softek Inc. Co-founder of ByteCode security team 4+ years experience in fintech. Telegram: @medwed_2015 Gmail: antonishin.mihail@gmail.com Speaker
- 3. SDLC vs S-SDLC Mobile development security process What tools using for security testing? How to integrate into existing processes? What additionally you can do? Agenda IMPLEMENT INTO CURRENT PROCESS TOOLS S-SDLC FOR MOBILE APPLICATIONS SDLC vs SECURE SDLC
- 4. SDLC vs Secure SDLC
- 5. Secure Software Development Lifecycle REQUIREMENTS ANALYSIS MAINTENNANCE • Monitoring issues • Response on emergency of applications • Accelerators SECURITY TESTING • Static and Dynamic Application Security Testing (SAST, DAST) • Composition Analysis • Bug tracking tool integration • Automated Self Serviced Dashboards • Accelerators RELEASE • Checks issues in docker containers • Checks and review CI/CD pipiline DEVELOPMENT • Static code analysis • Dependency checks • Check insecure functions and libraries • Use special plugins for security issues checks while debugging applications • Security Standards Compliance • Assess the current level of maturity • Identify Gaps • Create a roadmap for next level maturity • Security Policies and Processes DESIGN • Risks Assessment & Analysis • Threat Modelling • Attack Surface analysis
- 6. Requirements Analysis SECURITY STANDARDS AND POLICIES • ISO 27034 • GDPR • NIST 800-163 • NIAP • MASVS • Company strategy • Local security policies REQUIREMENTS • Time-line • Process and communications with teams • Security requirements for product • Response plan
- 7. Design RISK ASSESMENT AND ANALYSIS Risk assessment is the combined effort of identifying and analyzing potential (future) events that may negatively impact individuals, assets, and/or the environment (i.e. hazard analysis); and making judgments "on the tolerability of the risk on the basis of a risk analysis" while considering influencing factors (i.e. risk evaluation). THREAT MODELLING Threat modeling is a process by which potential threats, such as structural vulnerabilities or the absence of appropriate safeguards, can be identified, enumerated, and mitigations can be prioritized. ATTACK SURFACE ANALYSIS Attack Surface Analysis is about mapping out what parts of a system need to be reviewed and tested for security vulnerabilities. The point of Attack Surface Analysis is to understand the risk areas in an application, to make developers and security specialists aware of what parts of the application are open to attack, to find ways of minimizing this, and to notice when and how the Attack Surface changes and what this means from a risk perspective.
- 8. Development TOOLS DESCRIPTION DELIVERABLES • Report from SonarCube • Security issues while debugging applications • Integration of scanning tool into CI/CD pipeline A static code scan and dependency checks are the first step towards truly understanding where your products weaknesses lie, and how critical they might be to your business’ continuity and reputation.
- 9. Security Testing ATTACK GUIDES OWASP MSTG NIST 800-163 NIAP CRITICAL ISSUES Tools Users unawareness OWASP Mobile TOP 10 OWASP TOP 10 Wi-Fi weaknesses OWASP API Security TOP 10 SECURITY TESTING PROCESS Deploy testing environment Configure testing devices Build testing mobile application's SAST and DAST Reporting and Remediation Custom exploit development and exploitations A highly effective method of assessing security that demonstrates security weaknesses by modelling the actions that a real attacker would take
- 10. Release obtaining feedback from end-users in order to make appropriate tweaks confirming that the software in production meets customer and user needs according to the initial requirements conducting maintenance and support tasks FACTORS confirming that the software works as optimally in the production environment as it did in the development environment The release phase of the Software Development Life Cycle (SDLC) is traditionally associated with production, deployment, and post-production activities. In this phase, post-production tasks (after deployment) in traditional SDLC models do not greatly involve development engineers. Operations admins and security engineers typically complete most of thee functions, which may include software monitoring, security testing, incident response, etc. In the Secure Software Development Life Cycle (SSDLC), developers are responsible for completing additional security tasks, which - even in the post-production stage of the release phase - integrates security with development. DESCRIPTIONS
- 11. Maintenance • CONTINUOUS MONITORING AND LOGGING OF THE SOFTWARE • USING MONITORING TOOLS TO WATCH FOR SECURITY EVENTS AND TRENDS FOR ATTACK SIGNATURES • MONITOR 3RD PARTY LIBRARIES FOR EXTERNAL VULNERABILITIES
- 12. WHAT ELSE?
- 13. External Security Audits Automatic Scanning Vulnerability Assessment Penetration Testing Red Teaming Scope Defined by scanner OWASP Top 10 and beyond Defined by organization Identified by Red Team Objective Uncover many vulnerabilities Uncover many vulnerabilities false- positive free Penetrate into the system and meet specific goal Continuous simulation of real-world attack Threat Emulation Basic Basic Advanced Advanced and persistent Rules Defined by scanner Well defined and agreed Well defined and agreed Anything goes Employee Awareness Typically aware Typically aware Discussable Limited number Vulnerability Scanning Manual Testing Simulating Attackers Partially Social Engineering Physical/Wi-Fi netw. per request Required Security Maturity Just running application (DEV, UAT env.) Just running application (DEV, UAT env.) Production-Like infrastructure (Pre- PROD env.) Production Environment with Blue Team Typical Duration Recommended only as a part of other assessments 2 weeks 2-4 weeks Continuously Auto Scanning 2-3 days Vulnerability Assessment 2 weeks Penetration Testing 2-4 weeks Red Teaming Continuously D E P T H Recommended levels of security testing services according to Customer’s Maturity level of Security processes and posture:
- 14. Bug Bounty
- 15. Trainings • Security news of special technologies • Updates • Vulnerable and security library • Security plugins • Tools for security testing
- 16. Code Protection TOOLS CODE HARDERING RUNTIME APPLICATION SELF- PROTECTION CODE OPTIMIZTION Obfuscation of names of classes, fields and methods of arithmetic instructions, control flow, native code and library names, resources and SDK method calls Encryption of classes, strings, assets, resource files and native libraries Detection of debugging tools, emulators, rooted devices, hooking frameworks, root cloaking frameworks and tampering SSL pinning and Webview SSL pinning Certificate checks Removal of redundant code, logging code and metadata, unused resources and native libraries Code and resource optimization
- 17. Domains We work with tech start-ups & enterprises to achieve accelerated hyper growth / time to market, through 'software engineering excellence', providing access to the best emerging technology teams. Governance Banking FinTech eCommerce Telecom Energy Blockchain Automotive Crypto Health care
- 18. Q&A