Security Services and approach Service presentation Nazar Tymoshyk, SoftServe, 2014
Page 1: Agile and Secure Development

Security Services and approach: Service presentation

Nazar Tymoshyk, SoftServe, 2014

Page 2: Agile and Secure Development

Typical problem on project

Page 3: Agile and Secure Development

Typical Security Report delivered by Security Testing Team

Page 4: Agile and Secure Development

Typical Security Report delivered by AUDITOR

Page 5: Agile and Secure Development

How the security process looks in reality

3rd party or internal audit finds tons of security defects

Then the process of re-Coding, re-Building, re-Testing, re-Auditing starts

BACK to re-Coding, re-Building, re-Testing, re-Auditing

TIME to FIX

Page 6: Agile and Secure Development

How much time do you need to fix security issues in an app?

Page 7: Agile and Secure Development

How it should look

With a proper Security Program the number of security defects should decrease from phase to phase:

Automated security tests, CI integrated

Manual security/penetration testing, OWASP methodology

Secure coding trainings

Regular vulnerability scans

Page 8: Agile and Secure Development

Primary Benefits

Minimize the costs of security-related issues

Avoid repetitive security issues

Avoid an inconsistent level of security

Determine the activities that pay back fastest in the current state of the project

Page 9: Agile and Secure Development

Simple ROI of Product security

Page 10: Agile and Secure Development

Ok, we will buy a Security Tool and scan our code…

Page 11: Agile and Secure Development

Top AST Tools 2013: which one do you like?

Average price near $100K

Page 12: Agile and Secure Development

Why does code analysis not resolve all problems?

Many of the CWE vulnerability types are design issues or business logic issues.

Application security testing tools are being sold as a solution to the problem of insecure software.

Page 13: Agile and Secure Development

[Chart: Ability of Security Tools to identify real vulnerability. Claimed coverage 45%, not covered 55%]

Tools – At Best 12%

• MITRE found that all application security tool vendors’ claims put together cover only 45% of the known vulnerability types (695)

• They found very little overlap between tools, so to get 45% you need them all (assuming their claims are true)

• Based on this new data from the CSA at the NSA, SAST has 12% vulnerability coverage

Source: MITRE's study

Page 14: Agile and Secure Development

Security Tooling – No Silver Bullet

Design Flaws

1. Occur during the architecture phase

2. High level

3. More expensive to remediate – requires architectural changes

4. Require human analysis to uncover

5. Logical defects

6. Rights separation

7. Complex attack vectors

8. Defects in architecture and design

9. Real cryptography level

Can be resolved by: SoftServe Expert

Security Bugs

1. Occur during the code phase

2. Code level – looking for known, defined and predictable patterns

3. Cheaper to remediate – requires code changes

4. Can be identified using automated tools

Can be resolved by: Security Tool (Veracode, IBM AppScan, HP Fortify SCA)

Both security tooling and security assessments are required to address both types of vulnerabilities

Page 15: Agile and Secure Development

QA Engineer vs. Security Analyst

QA Engineer: In functional and performance testing, the expected results are documented before the test begins, and the quality assurance team looks at how well the expected results match the actual results.

Security Analyst: In security testing, the security analyst team is concerned only with unexpected results, testing for the unknown and looking for weaknesses.

Page 16: Agile and Secure Development

Manual Pen testing

Manual penetration testing adds the benefit of specialized human expertise to our automated static and dynamic analysis, and it uses the same methodology cyber-criminals use to exploit application weaknesses such as business logic vulnerabilities.

Manual Penetration Testing involves one or more security experts performing tests and simulating “in the wild” attacks. The goal of such testing is to determine the potential for an attacker to successfully access and perform a variety of malicious activities by exploiting vulnerabilities, either previously known or unknown, in the software.

The results of this review will help strengthen the established security controls, standards, and procedures to prevent unauthorized access to the organizational systems, applications, and critical resources. As a result of the tests, SoftServe will prepare detailed work papers documenting the tests performed and a report of SoftServe findings, including recommendations for additional security controls as required.

SoftServe MPT is designed to complement and extend an automated assessment.

Page 17: Agile and Secure Development

What we propose

Page 18: Agile and Secure Development

Agile Secure Development Lifecycle

• Every-Sprint practices: Essential security practices that should be performed in every release.

• Bucket practices: Important security practices that must be completed on a regular basis but can be spread across multiple sprints during the project lifetime.

• One-Time practices: Foundational security practices that must be established once at the start of every new Agile project.

Page 19: Agile and Secure Development

Microsoft SDL

Page 20: Agile and Secure Development

Integrated Security process

Build

• Build code with special debug options

Deploy

• Pack build and code

• Deploy app to VM for test

Test Security

• Run code tests

• Run dynamic tests of the web application on the VM with security tools

Analyze

• Collect and format results

• Verify results

• Filter false positive / negative

• Tune scanning engine

• Fix defects
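The "Analyze" step above (collect and format results, verify, filter false positives) is where most of the CI effort goes once several scanners run per sprint. The following is an added example, not code from the slides or from SoftServe: a small triage script that merges the same defect reported by two tools into one finding, drops findings a reviewer has already confirmed as false positives in a baseline file, and prints the rest ordered by severity. All finding and baseline data is constructed inline; the key format, the field names and the baseline file syntax are assumptions for the example.

```python
# Constructed sample: findings as two scanners might export them in a CI job.
# Real exports would be parsed from the tools' XML/JSON; the field set is an assumption.
RAW_FINDINGS = [
    {"tool": "sast", "cwe": "CWE-89", "file": "app/db.py", "sink": "cursor.execute", "severity": "high"},
    {"tool": "dast", "cwe": "CWE-89", "file": "app/db.py", "sink": "cursor.execute", "severity": "high"},
    {"tool": "sast", "cwe": "CWE-79", "file": "app/views.py", "sink": "render_raw", "severity": "medium"},
    {"tool": "sast", "cwe": "CWE-798", "file": "tests/fixtures.py", "sink": "PASSWORD", "severity": "low"},
]

# Constructed baseline of reviewer-confirmed false positives: "<key> <reason>" per line.
BASELINE_TEXT = """# key                                reason (reviewer-confirmed)
CWE-798:tests/fixtures.py:PASSWORD   test fixture credential, never shipped
"""

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def finding_key(finding):
    """Stable, human-readable fingerprint that ignores tool name and line number,
    so one defect seen by two scanners, or shifted by a refactor, maps to one key."""
    return ":".join(finding[k] for k in ("cwe", "file", "sink"))


def parse_baseline(text):
    """Return {key: reason} from the baseline file, skipping comments and blank lines."""
    baseline = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, reason = line.partition(" ")
            baseline[key] = reason.strip() or "no reason given"
    return baseline


def triage(findings, baseline):
    """Merge duplicates across tools, split out baselined false positives,
    and order what remains by severity so the sprint sees the worst first."""
    merged = {}
    for f in findings:
        entry = merged.setdefault(finding_key(f), {**f, "tools": set()})
        entry["tools"].add(f["tool"])  # record every scanner that saw this defect
    new = [e for k, e in merged.items() if k not in baseline]
    suppressed = [e for k, e in merged.items() if k in baseline]
    new.sort(key=lambda e: SEVERITY_RANK.get(e["severity"], 99))
    return {"new": new, "suppressed": suppressed}


def format_report(result):
    """Plain-text summary for the CI log; the sprint report is built from the same data."""
    lines = [f"new findings: {len(result['new'])}, suppressed known false positives: {len(result['suppressed'])}"]
    for e in result["new"]:
        lines.append(f"  [{e['severity']}] {e['cwe']} {e['file']} ({e['sink']}) seen by {','.join(sorted(e['tools']))}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(triage(RAW_FINDINGS, parse_baseline(BASELINE_TEXT))))
```

A finding that is fixed in a later sprint simply stops appearing, while a baselined key that starts appearing in a different file is reported as new, which is the regression check the "False positive regression testing" slide refers to.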

Page 21: Agile and Secure Development

High level vision

Dynamic Security testing

Static Code Analysis

CI tools

Deploying application

Security Reports

Pull source code

Page 22: Agile and Secure Development

Real project view

Dynamic Security testing

CI tools

Deploying application

Security Reports

Pull source code

Page 23: Agile and Secure Development

We have the best tools…

IBM AppScan license

Burp Suite license

HP Fortify certification

Partnership with Veracode

Available SaaS

Page 24: Agile and Secure Development

Identity & Security

…and the best Engineers

Ph.D. in Security

Page 25: Agile and Secure Development

SoftServe Expertise by Vendors

Mobile Security

Data Security

Cloud Security

Enterprise Security

Page 26: Agile and Secure Development

SoftServe offer

• Certified security experts to control security on the project

• SoftServe utilizes a different set of tools to ensure coverage (IBM, Veracode, PortSwigger, OpenVAS)

• Regular scans that can be integrated into CI

• Education and case studies based on defect severity for Dev and QA staff

• Following Secure SDLC practices

• And many more

Page 27: Agile and Secure Development

Annual development expense cost savings

Application Development Cost Savings / Vulnerability Remediation Cost Savings: Streamline and minimize remediation costs for application development by identifying and fixing vulnerabilities at their origin

Compliance & Pen Testing Cost Savings: Lower costs associated with compliance testing fees and penetration testing

Application Outsourcing Pay for Performance: Decrease 3rd party development fees by incenting software security performance

Page 28: Agile and Secure Development

The Benefit of SoftServe Internal Testing vs. 3rd Party

SoftServe Internal Testing

1. Finds issues large and small

2. Reports and resolves issues directly to development

3. Objective

4. Credentialed

5. Industry standard toolset

6. Can be scheduled any time

7. Keeps up with the 2 week development cycle

8. Regular QA and Dev Team trainings

3rd Party Scan

1. Finds issues large and small

2. Reports issues to managers

3. Objective

4. Credentialed

5. Industry standard toolset

Page 29: Agile and Secure Development

The Benefit of SoftServe Security Testing vs. 3rd Party

Benefit/Feature: Description

Easy to start
• Low initial cost
• Leverage internal resources to defray additional expense
• Maximizes assistance
• Maximizes internal resources and ongoing efforts

Provide more actionable information
• Focus on what really matters
• Validate your own internal processes and test procedures

Improve security knowledge
• Security expertise within the solution
• Can assist in keeping test plans up to date
• Assist in validation of fixed items
• Stay on top of testing regression issues and new features

Increase technology coverage
• Assurance in testing the latest technologies for the latest vulnerabilities
• Increasing the speed and efficiency of building security into a development lifecycle

Page 30: Agile and Secure Development

Value

20-40% decrease in time for testing/re-testing

Catch problems as soon as possible

Avoid repetitive security issues

Improve Security Expertise/Practices for current Team

Automation, Integration, Continuity

Proactive Security Reporting

Full coverage

Page 31: Agile and Secure Development

How our security results might look

Page 32: Agile and Secure Development

False positive regression testing

Page 33: Agile and Secure Development

After the build succeeds we pack the app to transfer it to the security testing tool

We are able to detect the line of buggy code

Page 34: Agile and Secure Development

How your security results may look

Page 35: Agile and Secure Development

How your security results may look

AppScan Source

Page 36: Agile and Secure Development

How your security results may look

Page 37: Agile and Secure Development

Thank you!

Copyright © 2014 SoftServe, Inc.

Europe Headquarters: 52 V. Velykoho Str., Lviv 79053, Ukraine. Tel: +380-32-240-9090, Fax: +380-32-240-9080, E-mail: [email protected], Website: www.softserveinc.com

US Headquarters: 12800 University Drive, Suite 250, Fort Myers, FL 33907, USA. Tel: 239-690-3111, Fax: 239-690-3116, E-mail: [email protected], Website: www.softserveinc.com