Alexey Sintsov @asintsov DEFCON RUSSIA DC#7812 SDLC IMPLEMENT ME OR DIE
Nov 01, 2014
Alexey Sintsov@asintsov
DEFCON RUSSIA DC#7812
SDLCIMPLEMENT ME OR DIE
# SDLC…
-- History, introduction and blah-blah-blah skipped --
HOWTO:
• Secure design• Secure code• Stable product• …
QUALITY => Happy users/customers
# Stages
(c) Microsoft Corp.
# But…
• Agile• Agile• Agile• ….
Every Sprint Bucket Once
(c) Microsoft Corp.
# AgileWhy SDLC?
• Documentation• Testing• Tasks
It’s already included! Just add ‘Security requirements/tests’.
• Development through testing • Unit tests• Continues Integration • Acceptance tests
User wants to register his account through
web-form with login/password
Task 1Create DB structure
Task 2Add UI form
Task 3Add API for creating
account
Task X…
Security RequirementsSecurity GuidesRetrospective
Store passwords secure (crypto. Req.)
CSRF protection
ClickJacking protection
CAPTCHA
SQLi protection
Password req.
… etc … Security related tasks
User wants to register his account -
investigation
Security RequirementsSecurity GuidesRetrospective
RISK ANLYSES
User wants to register his account through
web-form with login/password
Task 1Create DB structure
Task XAdd second factor auth. mechanism
Task 2….
Security “things” – tasks can be better than stories!
# Wow it’s so easy…Let’s do it…
• Online services• API• Mobile Apps• Automotive
• Many different teams• Different frameworks and languages• Different attack surfaces and threats and risks• Agile• DevOps
# Impossible???
SDLC – not a strict “standard”, use it as pack of practices or what can be done, but HOW it can be done – it’s real state-of-art.
So…
• More security things goes to dev teams (responsibility)• Maximum automation• Manuals, guides and tools can be done by SecTeam• And etc: any fun can be done if it helps….
# Training
• Internal events• External training sessions
Impossible to cover all threats, bugs and etc, especially if you have different teams that work with different technologies
• HERE Architecture and Technology camp • Typical issues, stories and best practices• HOWTO• CTF games
• HERE security support:• WIKI• IRC• Personal team trainings
# Security Requirements
General requirements:• Code style• SQL requests (Prepared statements)• Input/Output validation• Mobile App req.• etc
• Data encryption• Algorithms• PKI and etc
• Security mitigations and mechanisms• HTTPOnly, X-Frame-Options• PIE, StackCanaries, NS bit…… and etc
Based on General requirements, each team produce own list of req. and then tasks!
# Guides
Patterns/Guides:• Code• How to do auth. with captcha• How to read/upload files (work with FileSystem)• etc
• Sensitive data• How to do right logging• How to store personal data• What is personal data
• DevOps• How to deploy product with secret keys/service passwords….
Based on guides each team will code some general things with our security requirements.
# SelfCheck lists
Based on requirements we can provide more detailed self-check lists to teams:• Have you done SAST?• What hash alg do you use for storing passwords?• Are you logging auth. tokens/passwords/credit card numbers?• Do you have SSL?• Do you have HTTPOnly/Secure?• Is your service scanned by security scanner?
- Different check lists of Dev/DevOps, for design and architecture.
# Example of Model
SecTeam
Project Team 1
Project Team 2
Requirements
Guides
Tools
prod
uce
uses produce
• Requirements• Documentation• Design• Code• Security Tests• Requirements
• Documentation• Design• Code• Security Tests
checks
“SDLC” on AGILE
Final ReviewExploratory testingAnything else…
# HERE Security Team
• Requirements• Guides• Support for all Dev teams• Developing security tools and libs
• Fuzzers• Input validation lib for common frameworks• Security Scripts, like platform audit• Providing SecService to teams and work with vendors:
• WhiteHat • Retina • Veracode service• etc…
• GoLive review• Incident Response
# GoLive (SDLC FinalSecurityReview)• Threat/Risk Analysis• Architecture security review• SAST • Encryption• Design, etc
• Engineering security review• DAST• Configurations• Logs , etc
• Privacy review• Personal data• Government requirements , etc
• Business continue review
# GoLive (SDLC FinalSecurityReview)
What we want
• Teams understand our security requirements• Teams produce their own security requirements to their product• Teams follow our guides • Teams provides documentation, answered self-check lists
Teams runs all security and can do self checks
• Security knowledge stay in teams• After each GoLive review one team became more aware about security
# DevOps
# DevOps + SDLC
• Deployment as part of security process• Platform and configuration as a part of final product
PRODUCT OS Services Code
# HERE Platform Security as a part of SDLCWith help of DevOps:
Own Cloud platform with all security things
• Box configured secure by default:• SSH• Apache• Iptables• Patch Management for packages• Monitoring system • WAF • etc
• Latest Images• Control for security groups• MFA• Templates for all accounts• CloudTrail• Access Key rotation• Security scanning for all
instances• etc
+
MAXIMUM AUTOMATION
# SoWhat
• SDLC – not a kind of “standard” = just bunch of ideas and practices• You can’t download it and use, you need to understand your env.,
business requirements and implement what you want in any way it will work.• More checks and responsibilities for Dev. site.• Agile have enough places for implementing ‘security’, you do not need to
change something, but it requires more knowledge from teams• SecTeam – control, hack, develop sec tools and support Devs• DevOps – can be a big help for security process!
#FIN
[email protected] @asintsov