Week 4 : SSDLC and Security Design Principles
Building security into the software development lifecycle
Secure Software Development Life Cycle
Azida Zainol
A.Zainol@shu.ac.uk
Department of Computing
College of Business, Technology and Engineering
Sheffield Hallam University
Outline
● Software Development Lifecycle (SDLC)/Models
● DevOps
● Secure Software Development Lifecycle (SSDLC)
● Conclusion
Software Development Life Cycle
What is SDLC?
Your Turn
• What is a software development model?
• Any example?
SDLC Models
• Agile
• Lean
• Waterfall
• Iterative
• Spiral
• DevOps
Integration of DevOps
Benefits:
1. Faster Innovation
2. Implementation Failure Reduction
3. Better Communication/Collaboration
4. Greater Competencies
DevOps is a combination of software development (dev) and operations (ops). It is defined as a software engineering methodology which aims to integrate the work of development teams and operations teams by facilitating a culture of collaboration and shared responsibility.
DevOps can be best explained as people working together to conceive, build and
Secure Software Development Life Cycle
Current Software Build Methodology
SECURE Software Development Life Cycle
Secure Software Development
• Consider security throughout the software development lifecycle
• Requirements
• Design
• Development
• Testing
• Deployment
Secure Software Development Life Cycle (SSDLC)
Phase 1 : Requirements
• In this early phase, requirements for new features are collected from various stakeholders. It’s important to identify any security considerations for functional requirements being gathered for the new release.
• Sample functional requirement: user needs the ability to verify their contact information before they are able to renew their membership.
• Sample security consideration: users should be able to see only their own contact information and no one else’s.
Phase 2 : Design
• This phase translates in-scope requirements into a plan of what this should look like in the actual application. Here, functional requirements typically describe what should happen, while security requirements usually focus on what shouldn’t.
• Sample functional design: page should retrieve the user’s name, email, phone, and address from CUSTOMER_INFO table in the database and display it on screen.
• Sample security concern: we must verify that the user has a valid session token before retrieving information from the database. If absent, the user should be redirected to the login page.
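As an added example that is not part of the lecture slides, the following Python code implements the Phase 1 and Phase 2 sample requirements above: a page handler that verifies the session token before querying the CUSTOMER_INFO table, redirects to the login page when the token is absent or invalid, and returns only the logged-in user's own record. The table name comes from the slide; the in-memory SQLite database, the session store, the handler name and the response shape are assumptions made for this example.

```python
"""Added example (not from the lecture slides): the Phase 1 / Phase 2 sample
security requirements written as code. CUSTOMER_INFO is the table named on
the slide; everything else (session store, handler, response shape) is an
assumption for this example."""
import secrets
import sqlite3
from typing import Dict, Optional

# In-memory database holding the CUSTOMER_INFO table from the slide.
# The two rows are constructed sample data.
conn = sqlite3.connect(":memory:")
conn.execute(
    "CREATE TABLE CUSTOMER_INFO (user_id INTEGER PRIMARY KEY, name TEXT, "
    "email TEXT, phone TEXT, address TEXT)"
)
conn.executemany(
    "INSERT INTO CUSTOMER_INFO VALUES (?, ?, ?, ?, ?)",
    [
        (1, "Alice Example", "alice@example.com", "0114 000 0001", "1 Test Street"),
        (2, "Bob Example", "bob@example.com", "0114 000 0002", "2 Test Street"),
    ],
)

# Assumed server-side session store: token -> user_id. Tokens are random and
# never derived from the user id, so a client cannot mint one for another user.
SESSIONS: Dict[str, int] = {}


def login(user_id: int) -> str:
    """Issue a fresh session token for an already-authenticated user
    (password checking itself is out of scope for this example)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def contact_info_page(session_token: Optional[str], requested_user_id: int) -> dict:
    """Handler for the 'verify my contact information' page.

    Design rule from the slide: verify the session token *before* touching the
    database and redirect to /login if it is absent.
    Requirement from the slide: a user may see only their own record.
    """
    # 1. Authentication: no valid session means a redirect and no DB access at all.
    if not session_token or session_token not in SESSIONS:
        return {"status": 302, "location": "/login"}
    current_user = SESSIONS[session_token]

    # 2. Authorisation, checked on every request (least privilege): the record
    #    being asked for must belong to the logged-in user, otherwise 403.
    if requested_user_id != current_user:
        return {"status": 403, "body": "forbidden"}

    # 3. Only now read the data, with a parameterised query keyed on the
    #    session's user id rather than on anything the client typed.
    row = conn.execute(
        "SELECT name, email, phone, address FROM CUSTOMER_INFO WHERE user_id = ?",
        (current_user,),
    ).fetchone()
    if row is None:
        return {"status": 404, "body": "not found"}
    name, email, phone, address = row
    return {"status": 200,
            "body": {"name": name, "email": email, "phone": phone, "address": address}}


if __name__ == "__main__":
    tok = login(1)
    print(contact_info_page(None, 1))   # no session: redirect to /login
    print(contact_info_page(tok, 2))    # Alice asking for Bob's record: 403
    print(contact_info_page(tok, 1))    # Alice's own record: 200
```

The ordering inside the handler is the point: the session check runs before any database access, and the query is keyed on the identity taken from the session, so the "see only your own information" requirement holds even if the client tampers with the requested id.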
Phase 3 : Development
• When it’s time to actually implement the design and make it a reality, concerns usually shift to making sure the code is well written from the security perspective.
• There are usually established secure coding guidelines as well as code reviews that double-check that these guidelines have been followed correctly.
Development
• Apply coding rules/practices that implement secure design
Development
Coding Practice / How to Implement It
1. Input validation: Never Trust User Input
• Check data length
• Validate character set
• Check data format
• Use restrictions
2. Manage Authentication and Passwords
• Use transport layer security (TLS) client authentication
• Implement authentication error messages
• Store, control and manage your passwords safely
• Transmit passwords securely
3. Sanitize Data First, Then Send the Inputs to Other Systems
• Use a whitelist (allowlist)
• Use a blacklist (blocklist)
• Escape inputs to keep things safe
4. Adopt the Principle of Least Privilege
• Validate permissions on every request
• Create tests to validate permissions before release
• Periodically review permissions
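Practices 1 and 3 above (input validation and sanitising before sending data on) are shown together in the following Python code, added here as an example and not taken from the slides. The form fields, length limits, patterns, allowlist and blocklist values are all assumptions made for this example.

```python
"""Added example (not from the slides): input validation (length, character
set, format, restrictions) and output escaping for one constructed contact
form. All limits, patterns and list contents are assumptions for this example."""
import html
import re
from typing import Dict, List

MAX_NAME_LEN = 64                                         # assumed length limit
NAME_CHARS = re.compile(r"^[A-Za-z][A-Za-z' -]*$")         # allowed character set for names
PHONE_FORMAT = re.compile(r"^\+?[0-9][0-9 ]{6,18}[0-9]$")  # digits and spaces, optional leading +
EMAIL_FORMAT = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")   # deliberately simple shape check
ALLOWED_COUNTRIES = {"GB", "IE", "FR", "DE"}               # allowlist: only known values pass
BLOCKED_DOMAINS = {"example.invalid"}                       # blocklist: known-bad values rejected


def validate_contact_form(form: Dict[str, str]) -> List[str]:
    """Return a list of validation errors; an empty list means the input is accepted.
    The checks follow the slide's order: length, character set, format, restrictions."""
    errors: List[str] = []

    name = form.get("name", "")
    if not (1 <= len(name) <= MAX_NAME_LEN):              # check data length
        errors.append("name: length must be 1-%d" % MAX_NAME_LEN)
    elif not NAME_CHARS.fullmatch(name):                   # validate character set
        errors.append("name: contains characters outside the allowed set")

    phone = form.get("phone", "")
    if not PHONE_FORMAT.fullmatch(phone):                  # check data format
        errors.append("phone: not a recognised phone number format")

    email = form.get("email", "")
    if len(email) > 254 or not EMAIL_FORMAT.fullmatch(email):
        errors.append("email: not a valid address")
    elif email.rsplit("@", 1)[1].lower() in BLOCKED_DOMAINS:   # blocklist check
        errors.append("email: domain is not accepted")

    country = form.get("country", "")
    if country not in ALLOWED_COUNTRIES:                   # allowlist / use restrictions
        errors.append("country: must be one of %s" % sorted(ALLOWED_COUNTRIES))

    return errors


def render_name(name: str) -> str:
    """Escape before handing the value to another system (here an HTML page).
    This happens even for values that passed validation: validation decides
    what is accepted, escaping protects the receiving context."""
    return '<span class="name">%s</span>' % html.escape(name, quote=True)


if __name__ == "__main__":
    # Constructed sample submissions.
    good = {"name": "Alice O'Neil", "phone": "0114 000 0001",
            "email": "alice@example.com", "country": "GB"}
    bad = {"name": "<script>alert(1)</script>", "phone": "abc",
           "email": "x@example.invalid", "country": "ZZ"}
    print(validate_contact_form(good))   # []
    print(validate_contact_form(bad))    # four errors, one per field
    print(render_name("<b>"))            # the angle brackets come out escaped
```

The allowlist for country and the blocklist for e-mail domains illustrate the slide's two list styles side by side: the allowlist rejects anything unknown, while the blocklist only rejects what has already been identified as bad, which is why the slide places it second.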
Development
Coding Practice / How to Implement It
5. Architecture: Make It Unique and Secure
• Use subsystems
• Follow OWASP’s secure architecture (SA) practice
• Load only secure plugins and libraries
6. Keep It Intuitive But Effective
• Use a simple and small design
• Don’t over-complicate your security controls
• Be user-friendly
7. Deny Access by Default
• Keep unauthenticated users out
• Apply this policy to new user accounts too
• Keep new features sealed
8. Go Deep With Your Defense: Create Multiple Security Layers
• Configure the security settings of each application
• Pair secure programming with secure runtime environments
• Don’t forget authentication checkers
Development
Coding Practice / How to Implement It
9. Secure Your Work and Communication
• Use strong, readily available encryption
• Protect your database
• Use trusted security certificates
• Sign your code before releasing it
10. Check the Quality of Your Code and Follow Coding Standards
• Review your code
• Use effective quality assurance mechanisms
• Use coding standards developed by international bodies
• Prevent attacks with threat modeling
Development
• Use automated code review techniques to find potential vulnerabilities in components
• Static Analysis
• Symbolic execution
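To make the static-analysis bullet concrete, here is a minimal automated code review pass written for this page (it is an added example, not a tool from the lecture or from any project). It walks a Python syntax tree and reports two patterns a reviewer would flag: calls to eval()/exec(), and database execute() calls whose query string is built at runtime instead of being parameterised. The rule names and the sample source it scans are constructed for this example.

```python
"""Added example (not from the slides): a tiny static analysis pass over Python
source using the standard ast module. Rule ids and the SAMPLE source are
constructed for this example."""
import ast
from typing import List, Tuple

Finding = Tuple[int, str]          # (line number, rule id)

DANGEROUS_CALLS = {"eval", "exec"}


def _is_dynamic_string(node: ast.AST) -> bool:
    """Heuristic: the expression builds a string at runtime, via an f-string,
    '+' concatenation, %-formatting or str.format()."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True
    return False


def scan_source(source: str) -> List[Finding]:
    """Parse the source and return sorted (line, rule) findings."""
    tree = ast.parse(source)
    findings: List[Finding] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # Rule DYN-EXEC: any call to eval() or exec().
        if isinstance(func, ast.Name) and func.id in DANGEROUS_CALLS:
            findings.append((node.lineno, "DYN-EXEC"))
        # Rule SQL-CONCAT: <cursor>.execute(<runtime-built string>, ...).
        if (isinstance(func, ast.Attribute)
                and func.attr in ("execute", "executemany") and node.args):
            if _is_dynamic_string(node.args[0]):
                findings.append((node.lineno, "SQL-CONCAT"))
    return sorted(findings)


# Constructed sample input: two concatenated queries, one parameterised query
# and one eval(). CUSTOMER_INFO is reused from the design slide.
SAMPLE = '''
def lookup(cur, user_id):
    cur.execute("SELECT * FROM CUSTOMER_INFO WHERE user_id = " + user_id)        # flagged
    cur.execute(f"SELECT name FROM CUSTOMER_INFO WHERE user_id = {user_id}")     # flagged
    cur.execute("SELECT name FROM CUSTOMER_INFO WHERE user_id = ?", (user_id,))  # fine
    return eval(user_id)                                                         # flagged
'''


if __name__ == "__main__":
    for line, rule in scan_source(SAMPLE):
        print("line %d: %s" % (line, rule))
```

A pass like this is cheap enough to run on every commit in the build system, which is the point the Continuous Security slide later makes: findings arrive while the code is still on the developer's branch rather than in the verification phase.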
Phase 4 : Verification
• The Verification phase is where applications go through a thorough testing cycle to ensure they meet the original design and requirements.
• This is also a great place to introduce automated security testing using a variety of technologies. The application is not deployed unless these tests pass.
Verification
• Verification at this phase may include:
• Automated tests that express the critical paths of your application
• Automated execution of application unit tests that verify the correctness of the underlying application
• Automated deployment tools that dynamically swap in application secrets to be used in a production environment
Phase 5 : Maintenance and Evaluation
• The story doesn’t end once the application is released. In fact, vulnerabilities that slipped through the cracks may be found in the application long after it’s been released. These vulnerabilities may be in the code developers wrote, but are increasingly found in the underlying open-source components that comprise an application.
• Vulnerabilities at this stage may also come from other sources, such as external penetration tests conducted by ethical hackers or submissions from the public through what’s known as “bug bounty” programs.
Different methodologies
• BSIMM (Building Security In – Maturity Model)
• http://bsimm.com
• Microsoft Security Development Lifecycle
• https://www.microsoft.com/en-us/sdl/
• OpenSAMM Software Assurance Maturity Model
• http://opensamm.org
Continuous Delivery of Software
Continuous Security
• Requires security automation
• Integrate into the Continuous Delivery (CD) environment and tools
• A CD environment is a type of production environment in which ongoing automation and monitoring are implemented to improve and expedite development processes for integration and testing, and deployment and delivery.
• Source code management systems
• GitHub, Bitbucket etc.
• Build systems
• Travis CI, Jenkins etc.
• Audit third-party component and open-source library usage
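The last bullet, auditing third-party and open-source library usage, is the kind of check that belongs in the build system rather than in a manual review. The Python script below is an added example for this page (not a tool from the lecture or any real vendor): it reads a pinned requirements file, compares each pin against an advisory feed, and returns a pass/fail decision the pipeline can gate on. The requirements text, the package names, the advisory entries and their ADV-EXAMPLE ids are all constructed for this example and do not describe real vulnerabilities.

```python
"""Added example (not from the slides): a dependency audit step for a CD
pipeline. Package names, versions and advisory ids below are constructed
placeholders, not real libraries or real vulnerabilities."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'2.3.1' -> (2, 3, 1). Parsing stops at the first non-numeric component."""
    parts: List[int] = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_lt(a: Version, b: Version) -> bool:
    """Component-wise comparison with zero padding, so 1.2 == 1.2.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def parse_requirements(text: str) -> Dict[str, Version]:
    """Accept only exact pins (name==version). An unpinned dependency cannot be
    audited, so it is reported as an error instead of being guessed at."""
    pins: Dict[str, Version] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.]*)", line)
        if not m:
            raise ValueError("unpinned or malformed requirement: %r" % line)
        pins[m.group(1).lower()] = parse_version(m.group(2))
    return pins


# Constructed advisory feed: package -> [(fixed_in_version, advisory id)].
# A pinned version strictly below fixed_in is affected.
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "examplelib": [("2.3.1", "ADV-EXAMPLE-001")],
    "othertool": [("1.0.5", "ADV-EXAMPLE-002"), ("1.2.0", "ADV-EXAMPLE-003")],
}


def audit(pins: Dict[str, Version], advisories=ADVISORIES) -> List[str]:
    """Return one human-readable finding per (package, advisory) that applies."""
    findings: List[str] = []
    for name, version in sorted(pins.items()):
        for fixed_in, adv_id in advisories.get(name, []):
            if version_lt(version, parse_version(fixed_in)):
                findings.append("%s %s: %s (fixed in %s)"
                                % (name, ".".join(map(str, version)), adv_id, fixed_in))
    return findings


def pipeline_gate(requirements_text: str) -> bool:
    """True if the build may proceed, i.e. no pinned component is affected."""
    return not audit(parse_requirements(requirements_text))


# Constructed sample requirements file.
SAMPLE_REQUIREMENTS = """
# constructed sample pins
examplelib==2.2.0   # below the fix for ADV-EXAMPLE-001
othertool==1.1.0    # past the fix for 002, below the fix for 003
safething==4.0.1    # no advisories
"""


if __name__ == "__main__":
    for finding in audit(parse_requirements(SAMPLE_REQUIREMENTS)):
        print("FAIL", finding)
    print("gate:", "pass" if pipeline_gate(SAMPLE_REQUIREMENTS) else "block")
```

Two design choices carry the security point: unpinned dependencies fail the parse rather than being silently skipped, and the gate returns a plain boolean so the build system can refuse to deploy, which is exactly the "not deployed unless these tests pass" rule from the Verification slide applied to components rather than to the team's own code.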
Takeaways
• Security practices should be built in during the software development process
• Continuous delivery needs continuous security
Conclusion
• Necessary to integrate the SSDLC
• Cyber criminals’ efficiency is improving
• The cyber threat is only going to get worse
Carlos Eduardo da Silva (C.DaSilva@shu.ac.uk)
Questions?


Editor's Notes

  • #7: Half (2019) identified six basic models of the SDLC, and selection will be based on organizational objectives. The challenge will be the integration of security metrics for the secure software development life cycle. Most importantly, model selection is not the sole consideration for software development success; a solid, competent team will successfully complete the project. Agile is rapidly accepted and based on the concept of fast failure: identify and address small challenges before they evolve into larger, costly ones. Lean is based on lean manufacturing principles of eliminating waste to create customer value. Waterfall is considered the oldest of SDLC protocols and is rarely used because of its rigidity; there is minimal room for revisions. The iterative model does not start with fully defined requirements, but implements software requirements, conducts perpetual testing and integrates improvements. The benefit is a working model early in the cycle. The spiral protocol has maximum flexibility, is similar to the iterative approach, and constantly refines through repeated SDLC processes. DevOps is new on the SDLC landscape and is a combination of agile and lean protocols; developers and operations work together to accelerate innovation and deliver higher-quality products.
  • #8: So I guess you are asking yourself why DevOps is so special that it needs its own slide. What’s the big deal about this concept? Excellent question! DevOps brings a lot to the table, especially when talking about efficiencies in the secure software development life cycle. This is in addition to the unification of development teams and software development processes. Its primary benefit is enabling organizations to create and improve software applications faster than traditional methods. According to Chandu (2019) the integration of DevOps resulted in shorter development cycles for software and faster innovation. This means that the team’s innovative products are ready to use quicker than their competitors’. Additionally, implementation failure and recovery times are reduced, and code defects are easier to detect because of idea sharing and collaboration. DevOps encourages greater communication and cooperation, which makes the most of shared competencies to accelerate development that is less prone to errors. The benefit of this approach is that DevOps teams require 35% less staff and 30% lower IT costs. This is all a big deal!
  • #9: The Secure Software Development Life Cycle stresses the integration of security into all stages of the SDLC for a more secure software application, as depicted on this slide. The reasoning is that the cyber threat landscape has changed and cyber criminals are more innovative and efficient. Traditionally the testing phase emphasized security. Hanefi and Kose (2018) determined that successful software projects with the lowest error rates are predicated on a successful testing process. Furthermore, testing and successful project completion are directly correlated. Testing after the application build has resulted in numerous issues that were discovered late, if at all. It is more prudent to integrate security considerations across the SDLC to achieve vulnerability discovery and reduction, resulting in a security emphasis from start to finish.
  • #10: The idea of integrating security into software development from its genesis is gaining momentum; however, many organizations are following the conventional software development life cycle. There are multiple variants of the software development lifecycle that adhere to ISO/IEC 12207, but traditionally what you see on the slide is common: requirements gathering and analysis, design, implementation, testing, and development. This traditional, phased approach does not usually integrate security until after the implementation phase, when corrective actions are more costly if problems are discovered. Each phase is distinct, and the return on investment of integrating security from start to finish can pay huge dividends on the end product while meeting or exceeding stakeholder expectations. If security gaps are not discovered, vulnerabilities in hardware and software can be exploited by cyber criminals, resulting in an inferior product that is responsible for managing a majority of the country’s democratic processes.
  • #35: What are your questions?