SlideShare a Scribd company logo

How to Enable Developers to Deliver Secure Code

Achim D. Brucker
Achim D. Brucker

The document discusses strategies to enable developers to produce secure code, emphasizing the importance of a comprehensive security development lifecycle (SDLC). Key components include training, risk identification, security measures, and various testing methodologies, aiming to empower developers while maintaining oversight from centralized security teams. It highlights the necessity of integrating security practices seamlessly into the development process and fostering a culture of security awareness among developers.

Technology
1 of 54
Downloaded 23 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
How to Enable Developers to Deliver Secure Code Achim D. Brucker a.brucker@sheffield.ac.uk https://www.brucker.ch/ Software Assurance & Security Research Department of Computer Science, The University of Sheffield, Sheffield, UK https://logicalhacking.com/ March 15, 2017
Outline 1 Motivation 2 Secure Software Development 3 Enabling Developers: From (Mild) Pain to Success 4 Lesson’s Learned c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 3 of 18
How to Enable Developers to Deliver Secure Code
Example (LinkedIn, May 2016) 164 million email addresses and passwords from an attack in 2012, offered for sale May 2016 Compromised data: email addresses passwords
Example (TalkTalk, October 2015) nearly 157,000 customer records leaked nearly 16,000 records included bank details more than 150,000 customers lost (home services market share fall by 4.4 percent in terms of new customers) Costs for TalkTalk: around any £60 million
Example (Ashley Madison, July 2015) more than 30 million email addresses & much more Compromised data: Dates of birth Email addresses Ethnicities, Genders Sexual preferences Home addresses, Phone numbers Payment histories Passwords, Usernames, Security questions and answers Website activity Similar Leak: Mate1 in February 2016: 27 million records with even more personal details (e.g., drinking/drug habits, political views)
Outline 1 Motivation 2 Secure Software Development 3 Enabling Developers: From (Mild) Pain to Success 4 Lesson’s Learned c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 5 of 18
A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Training Security awareness Secure programming Threat modelling Security testing Data protection and privacy Security expert curriculum (“Masters”) c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Risk Identification Risk identification (“high-level threat modelling”) Threat modelling Data privacy impact assessment c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Plan Security Measures Plan product standard compliance Plan security features Plan security tests Plan security response c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Secure Development Secure Programming Static code analysis (SAST) Code review c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Security Testing Dynamic Testing (e.g., IAST, DAST) Manual testing External security assessment c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Security Validation (“First Customer”) Check for “flaws” in the implementation of the S2 DL Ideally, security validation finds: No issues that can be fixed/detected earlier Only issues that cannot be detect earlier (e.g., insecure default configurations, missing security documentation) Penetration tests in productive environments are different: They test the actual configuration They test the productive environment (e.g., cloud/hosting) c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Security Response Execute the security response plan Security related external communication Incident handling Security patches Monitoring of third party components c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Secure Software c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Secure Software c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Secure Software Security Validation Security Testing Secure Development Plan Security Measu res Risk Identification Training Security Resp onse c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Secure Software Security Validation Security Testing Secure Development Plan Security Measu res Risk Identification Training Security Resp onse c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Secure Software Security Validation Security Testing Secure Development Plan Security Measu res Risk Identification Training Security Resp onse c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Secure Software Security Validation Security Testing Secure Development Plan Security Measu res Risk Identification Training Security Resp onse c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
Secure Software Development Lifecycle for Cloud/Agile Build Operate Define Release Release Decision Build Decision Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 7 of 18
Outline 1 Motivation 2 Secure Software Development 3 Enabling Developers: From (Mild) Pain to Success 4 Lesson’s Learned c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 8 of 18
Finding Security Vulnerabilities Manual Automatic Running Application Static Analysis Penetration Testing DAST, IAST Vulnerability Scanner SAST Manual Code Review c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 9 of 18
Finding Security Vulnerabilities Manual Automatic Running Application Static Analysis Penetration Testing DAST, IAST Vulnerability Scanner SAST Manual Code Review c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 9 of 18
In 2010: Static Analysis Becomes Mandatory SAST tools used: Language Tool Vendor ABAP CodeProfiler Virtual Forge Others Fortify HP Since 2010: SAST mandatory for all products Within two years, multiple billions lines analysed Constant improvement of tool configuration Further details: Deploying Static Application Security Testing on a Large Scale. In GI Sicherheit 2014. Lecture Notes in Informatics, 228, pages 91-101, GI, 2014. c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 10 of 18
A De-Centralised Application Security Approach Improving The Application Development Approache Governance & approvals De-centralized approach 2009 2016 One Two SAST tools fit all VF CodeProfiler Fortify Blending of Security Testing Tools Static: SAP Netweaver CVA Add-on, Fortify, Synopsis Coverity, Checkmarx, Breakman Dynamic: HP WebInspect, Quotium Seeker Others: Burp Suite, OWASP ZAP, Codenomicon Defensics, BDD c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 11 of 18
A De-Centralised Application Security Approach Improving The Application Development Approache Governance & approvals De-centralized approach 2009 2016 Blending of Security Testing Tools Static: SAP Netweaver CVA Add-on, Fortify, Synopsis Coverity, Checkmarx, Breakman Dynamic: HP WebInspect, Quotium Seeker Others: Burp Suite, OWASP ZAP, Codenomicon Defensics, BDD Development Teams feel pushed Central Security Team Controls development teams Spends a lot time with granting exemptions Danger Only ticking boxes c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 11 of 18
A De-Centralised Application Security Approach Improving The Application Development Approache Governance & approvals De-centralized approach 2009 2016 Development Teams feel pushed Central Security Team Controls development teams Spends a lot time with granting exemptions Danger Only ticking boxes Development Teams are empowered are responsible Central Security Team Supports development teams Can focuses on improvements filling white spots tooling processes c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 11 of 18
De-Centralised Approach: Organisational Setup Central security expert team (S2 DL owner) Organizes security trainings Defines product standard “Security” Defines risk and threat assessment methods Defines security testing strategy Selects and provides security testing tools Validates products Defines and executes response process Local security experts Embedded into development teams Organize local security activities Support developers and architects Support product owners (responsibles) Development teams Select technologies Select development model Design and execute security testing plan ... c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 12 of 18
Security Team Focus: Security Testing for Developers Security testing tools for developers, need to Be applicable from the start of development Automate the security knowledge Be integrated into dev world, e.g., IDE (instant feedback) Continuous integration Provide easy to understand fix recommendations Declare their “sweet spots” security experts software Developer many cwe and/or technologies only few cwe and/or technologies generalist tools for security Experts specialist tools for security Experts specialist tools for developers generalist tools for developers https://logicalhacking.com/blog/2016/10/25/classifying-security-testing-tools/ c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 13 of 18
How to Measure Success (and Identify White Spots) Listen to your developers c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 14 of 18
How to Measure Success (and Identify White Spots) Non-working performance indicators include: Absolute number of reported vulnerabilities Absolute number of fixed issues A new idea: Analyze the vulnerabilities reported by Security Validation External security researchers Two classes: Vulnerabilities that can be detected by used tools Investigate why issues was missed Vulnerabilities not detected by used tools if risk acceptable: nothing to do if risk not acceptable: improve tooling externally reported vuln. 100% c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 14 of 18
How to Measure Success (and Identify White Spots) Non-working performance indicators include: Absolute number of reported vulnerabilities Absolute number of fixed issues A new idea: Analyze the vulnerabilities reported by Security Validation External security researchers Two classes: Vulnerabilities that can be detected by used tools Investigate why issues was missed Vulnerabilities not detected by used tools if risk acceptable: nothing to do if risk not acceptable: improve tooling externally reported vuln.in scope not in scope of current security testing tools 100% c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 14 of 18
How to Measure Success (and Identify White Spots) Non-working performance indicators include: Absolute number of reported vulnerabilities Absolute number of fixed issues A new idea: Analyze the vulnerabilities reported by Security Validation External security researchers Two classes: Vulnerabilities that can be detected by used tools Investigate why issues was missed Vulnerabilities not detected by used tools if risk acceptable: nothing to do if risk not acceptable: improve tooling externally reported vuln.in scope not in scope of current security testing tools 100% c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 14 of 18
How to Measure Success (and Identify White Spots) Non-working performance indicators include: Absolute number of reported vulnerabilities Absolute number of fixed issues A new idea: Analyze the vulnerabilities reported by Security Validation External security researchers Two classes: Vulnerabilities that can be detected by used tools Investigate why issues was missed Vulnerabilities not detected by used tools if risk acceptable: nothing to do if risk not acceptable: improve tooling externally reported vuln.in scope not in scope of current security testing tools not acceptable risk 100% c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 14 of 18
How to Measure Success (and Identify White Spots) Non-working performance indicators include: Absolute number of reported vulnerabilities Absolute number of fixed issues A new idea: Analyze the vulnerabilities reported by Security Validation External security researchers Two classes: Vulnerabilities that can be detected by used tools Investigate why issues was missed Vulnerabilities not detected by used tools if risk acceptable: nothing to do if risk not acceptable: improve tooling externally reported vuln.in scope not in scope of current security testing tools not acceptable risk new scope 100% c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 14 of 18
How to Measure Success (and Identify White Spots) Non-working performance indicators include: Absolute number of reported vulnerabilities Absolute number of fixed issues A new idea: Analyze the vulnerabilities reported by Security Validation External security researchers Two classes: Vulnerabilities that can be detected by used tools Investigate why issues was missed Vulnerabilities not detected by used tools if risk acceptable: nothing to do if risk not acceptable: improve tooling externally reported vuln.in scope not in scope of current security testing tools not acceptable risk new scope 100% c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 14 of 18
How to Measure Success (and Identify White Spots) Non-working performance indicators include: Absolute number of reported vulnerabilities Absolute number of fixed issues A new idea: Analyze the vulnerabilities reported by Security Validation External security researchers Two classes: Vulnerabilities that can be detected by used tools Investigate why issues was missed Vulnerabilities not detected by used tools if risk acceptable: nothing to do if risk not acceptable: improve tooling externally reported vuln.in scope not in scope of current security testing tools not acceptable risk new scope 100% “Success criteria:” Percentage of vulnerabilities not covered by currently used security testing tools increases, i.e., the used tools are used effectively! c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 14 of 18
Outline 1 Motivation 2 Secure Software Development 3 Enabling Developers: From (Mild) Pain to Success 4 Lesson’s Learned c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 15 of 18
Key Success Factors A holistic security awareness program for Developers Managers c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 16 of 18
Key Success Factors A holistic security awareness program for Developers Managers Yes, security awareness is important c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 16 of 18
Key Success Factors A holistic security awareness program for Developers Managers Yes, security awareness is important but c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 16 of 18
Key Success Factors A holistic security awareness program for Developers Managers Yes, security awareness is important but Developer awareness is even more important! c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 16 of 18
Listen to Your Developers And Make Their Life Easy! We are often talking about a lack of security awareness and, by that, forget the problem of lacking development awareness. Building a secure system more difficult than finding a successful attack. Do not expect your developers to become penetration testers (or security experts)! Organisations can make it hard for developers to apply security testing skills! Don’t ask developers to do security testing, if their contract doesn’t allows it Budget application security activities centrally Educate your developers and make them recognised experts c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 17 of 18
Final remarks What works well: Delegate power and accountability to development teams Multi-tiered model of security experts: local experts for the local implementation of secure development global experts that support the local security experts (champions): act as consultant in difficult/non-standard situations evaluate, purchase, and operate widely used security testing tools can mediate between development teams and response teams Strict separation of security testing supporting developers and security validation What does not work well: Forcing tools, processes, etc. on developers Penetration testing as “secure development” approach Penetration has its value (e.g., as security integration test) c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 18 of 18
Thank you for your attention! Any questions or remarks? Contact: Dr. Achim D. Brucker Department of Computer Science University of Sheffield Regent Court 211 Portobello St. Sheffield S1 4DP, UK ƀ a.brucker@sheffield.ac.uk @adbrucker https://de.linkedin.com/in/adbrucker/ ĸ https://www.brucker.ch/ į https://logicalhacking.com/blog/
Bibliography Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. Michael Felderer, Matthias Büchler, Martin Johns, Achim D. Brucker, Ruth Breu, and Alexander Pretschner. Security testing: A survey. Advances in Computers, 101:1–51, March 2016. c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 20 of 18
Document Classification and License Information c 2017 LogicalHacking.com, A.D. Brucker. This presentation is classified as Public (CC BY-NC-ND 4.0): Except where otherwise noted, this presentation is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License (CC BY-NC-ND 4.0). c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 21 of 18
Combining Multiple Security Testing Methods and Tools Web Client Web Browser Server Application Runtime Container Backend Systems https://logicalhacking.com/blog/2017/01/11/sast-vs-dast-vs-iast/ Risks of only using only SAST Wasting effort that could be used more wisely elsewhere Shipping insecure software Examples of SAST limitations Not all programming languages supported Covers not all layers of the software stack c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 22 of 18
Combining Multiple Security Testing Methods and Tools Web Client Web Browser Server Application Runtime Container Backend Systems SAST (Java) SAST (JavaScript) SAST (C/C++) https://logicalhacking.com/blog/2017/01/11/sast-vs-dast-vs-iast/ Risks of only using only SAST Wasting effort that could be used more wisely elsewhere Shipping insecure software Examples of SAST limitations Not all programming languages supported Covers not all layers of the software stack c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 22 of 18
Combining Multiple Security Testing Methods and Tools Web Client Web Browser Server Application Runtime Container Backend Systems SAST (Java) SAST (JavaScript) SAST (C/C++) ToolA(e.g.,DAST) ToolB(e.g.,IAST) In-Browser Security Testing Tool https://logicalhacking.com/blog/2017/01/11/sast-vs-dast-vs-iast/ Risks of only using only SAST Wasting effort that could be used more wisely elsewhere Shipping insecure software Examples of SAST limitations Not all programming languages supported Covers not all layers of the software stack c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 22 of 18
Combining Multiple Security Testing Methods and Tools Web Client Web Browser Server Application Runtime Container Backend Systems ToolA(e.g.,DAST) ToolB(e.g.,IAST) In-Browser Security Testing Tool SAST (Java) SAST (JavaScript) https://logicalhacking.com/blog/2017/01/11/sast-vs-dast-vs-iast/ Risks of only using only SAST Wasting effort that could be used more wisely elsewhere Shipping insecure software Examples of SAST limitations Not all programming languages supported Covers not all layers of the software stack c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 22 of 18
Combining Multiple Security Testing Methods and Tools Web Client Web Browser Server Application Runtime Container Backend Systems ToolA(e.g.,DAST) ToolB(e.g.,IAST) In-Browser Security Testing Tool SAST (Java) SAST (JavaScript) https://logicalhacking.com/blog/2017/01/11/sast-vs-dast-vs-iast/ Risks of only using only SAST Wasting effort that could be used more wisely elsewhere Shipping insecure software Examples of SAST limitations Not all programming languages supported Covers not all layers of the software stack A comprehensive approach combines Static approaches (i.e., SAST) Dynamic approaches (i.e., IAST or DAST) c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 22 of 18

More Related Content

Viewers also liked (20)

PPTX
How to apply for an ABS licence
Jonathon Bray
 
PPTX
Administração Cientifica | Questões Corrigidas
Danilo Mota
 
PDF
Visualizations with Empathy
Amanda Makulec
 
PDF
Turn complex to epic - Zelda goals planning
Alexandre Quach
 
PDF
Prekat. La Psicologia del Bienestar
Dr.Jose A Santos. +4500 contactos
 
PDF
C4 Logistics Services
Sebastien Barth
 
PPT
Rock art and IFRAO color card
Victor Reijs
 
PDF
Les actualités de la Roumanie pour le Mois de Mars 2017 de Eastrategies
Eastrategies - Bucarest, Roumanie
 
PDF
Opnieuw goed jaar voor firma Staf Coppens
Thierry Debels
 
PDF
40 propositions pour moderniser et simplifier le droit de l'environnement
Adm Medef
 
PPT
Introduction to Scrum - Hebrew
Dan-Eyal Gazit
 
PPTX
ASLA Makerspaces in the school library
Australian School Library Association
 
PDF
Como Desvendar Mentiras
andre rossiter
 
PPTX
Apache Spark and Object Stores —for London Spark User Group
Steve Loughran
 
PPT
аномалии бинокулярного зрения. Upgraded
Natalia Kaschenko
 
PPTX
Brief LoRaWAN Overview
Alper Yegin
 
PDF
ABAU 2017
Loudes Otero
 
PPTX
...Redes sociales
Jesús Velasco
 
PPTX
R. Villano - fotos (DE part 9)
Raimondo Villano
 
PDF
SPARQLでオープンデータ活用!
uedayou
 
How to apply for an ABS licence
Jonathon Bray
 
Administração Cientifica | Questões Corrigidas
Danilo Mota
 
Visualizations with Empathy
Amanda Makulec
 
Turn complex to epic - Zelda goals planning
Alexandre Quach
 
Prekat. La Psicologia del Bienestar
Dr.Jose A Santos. +4500 contactos
 
C4 Logistics Services
Sebastien Barth
 
Rock art and IFRAO color card
Victor Reijs
 
Les actualités de la Roumanie pour le Mois de Mars 2017 de Eastrategies
Eastrategies - Bucarest, Roumanie
 
Opnieuw goed jaar voor firma Staf Coppens
Thierry Debels
 
40 propositions pour moderniser et simplifier le droit de l'environnement
Adm Medef
 
Introduction to Scrum - Hebrew
Dan-Eyal Gazit
 
ASLA Makerspaces in the school library
Australian School Library Association
 
Como Desvendar Mentiras
andre rossiter
 
Apache Spark and Object Stores —for London Spark User Group
Steve Loughran
 
аномалии бинокулярного зрения. Upgraded
Natalia Kaschenko
 
Brief LoRaWAN Overview
Alper Yegin
 
ABAU 2017
Loudes Otero
 
...Redes sociales
Jesús Velasco
 
R. Villano - fotos (DE part 9)
Raimondo Villano
 
SPARQLでオープンデータ活用!
uedayou
 

Similar to How to Enable Developers to Deliver Secure Code (20)

PDF
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Achim D. Brucker
 
PDF
Agile Secure Software Development in a Large Software Development Organisatio...
Achim D. Brucker
 
PDF
Industrial Challenges of Secure Software Development
Achim D. Brucker
 
PDF
Integrating Application Security into a Software Development Process
Achim D. Brucker
 
PDF
Protect Your Customers Data from Cyberattacks
SAP Customer Experience
 
PPTX
5 Ways to Reduce 3rd Party Developer Risk
Security Innovation
 
PDF
Application Security Testing for Software Engineers: An approach to build sof...
Michael Hidalgo
 
PDF
Secure Software Development Lifecycle - Devoxx MA 2018
Imola Informatica
 
PDF
The Future of Software Security Assurance
Rafal Los
 
PDF
Threat modelling & apps testing
Adrian Munteanu
 
PPT
Software Security Engineering
Marco Morana
 
PDF
Cyber security series Application Security
Jim Kaplan CIA CFE
 
PDF
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Achim D. Brucker
 
PPTX
Reduce Third Party Developer Risks
Kevo Meehan
 
PDF
Managing Application Security Risk in Enterprises - Thoughts and recommendations
Thierry Zoller
 
PPTX
Intro to Security in SDLC
Tjylen Veselyj
 
PPTX
Digital Product Security
SoftServe
 
PPT
Software security engineering
AHM Pervej Kabir
 
PPT
Software security engineering
AHM Pervej Kabir
 
PDF
Applicaiton Security - Building The Audit Program
Michael Davis
 
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Achim D. Brucker
 
Agile Secure Software Development in a Large Software Development Organisatio...
Achim D. Brucker
 
Industrial Challenges of Secure Software Development
Achim D. Brucker
 
Integrating Application Security into a Software Development Process
Achim D. Brucker
 
Protect Your Customers Data from Cyberattacks
SAP Customer Experience
 
5 Ways to Reduce 3rd Party Developer Risk
Security Innovation
 
Application Security Testing for Software Engineers: An approach to build sof...
Michael Hidalgo
 
Secure Software Development Lifecycle - Devoxx MA 2018
Imola Informatica
 
The Future of Software Security Assurance
Rafal Los
 
Threat modelling & apps testing
Adrian Munteanu
 
Software Security Engineering
Marco Morana
 
Cyber security series Application Security
Jim Kaplan CIA CFE
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Achim D. Brucker
 
Reduce Third Party Developer Risks
Kevo Meehan
 
Managing Application Security Risk in Enterprises - Thoughts and recommendations
Thierry Zoller
 
Intro to Security in SDLC
Tjylen Veselyj
 
Digital Product Security
SoftServe
 
Software security engineering
AHM Pervej Kabir
 
Software security engineering
AHM Pervej Kabir
 
Applicaiton Security - Building The Audit Program
Michael Davis
 
Ad

More from Achim D. Brucker (16)

PDF
Usable Security for Developers: A Nightmare
Achim D. Brucker
 
PDF
Formalizing (Web) Standards: An Application of Test and Proof
Achim D. Brucker
 
PDF
Your (not so) smart TV is currently busy with taking down the Internet
Achim D. Brucker
 
PDF
Combining the Security Risks of Native and Web Development: Hybrid Apps
Achim D. Brucker
 
PDF
The Evil Friend in Your Browser
Achim D. Brucker
 
PDF
Using Third Party Components for Building an Application Might be More Danger...
Achim D. Brucker
 
PDF
Isabelle: Not Only a Proof Assistant
Achim D. Brucker
 
PDF
SAST for JavaScript: A Brief Overview of Commercial Tools
Achim D. Brucker
 
PDF
A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...
Achim D. Brucker
 
PDF
Deploying Static Application Security Testing on a Large Scale
Achim D. Brucker
 
PDF
Model-based Conformance Testing of Security Properties
Achim D. Brucker
 
PDF
Service Compositions: Curse or Blessing for Security?
Achim D. Brucker
 
PDF
Encoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Achim D. Brucker
 
PDF
A Framework for Secure Service Composition
Achim D. Brucker
 
PDF
Extending Access Control Models with Break-glass
Achim D. Brucker
 
PDF
Security in the Context of Business Processes: Thoughts from a System Vendor'...
Achim D. Brucker
 
Usable Security for Developers: A Nightmare
Achim D. Brucker
 
Formalizing (Web) Standards: An Application of Test and Proof
Achim D. Brucker
 
Your (not so) smart TV is currently busy with taking down the Internet
Achim D. Brucker
 
Combining the Security Risks of Native and Web Development: Hybrid Apps
Achim D. Brucker
 
The Evil Friend in Your Browser
Achim D. Brucker
 
Using Third Party Components for Building an Application Might be More Danger...
Achim D. Brucker
 
Isabelle: Not Only a Proof Assistant
Achim D. Brucker
 
SAST for JavaScript: A Brief Overview of Commercial Tools
Achim D. Brucker
 
A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...
Achim D. Brucker
 
Deploying Static Application Security Testing on a Large Scale
Achim D. Brucker
 
Model-based Conformance Testing of Security Properties
Achim D. Brucker
 
Service Compositions: Curse or Blessing for Security?
Achim D. Brucker
 
Encoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Achim D. Brucker
 
A Framework for Secure Service Composition
Achim D. Brucker
 
Extending Access Control Models with Break-glass
Achim D. Brucker
 
Security in the Context of Business Processes: Thoughts from a System Vendor'...
Achim D. Brucker
 
Ad

Recently uploaded (20)

PPTX
Talbott's brief History of Computers for CollabDays Hamburg 2025
Talbott Crowell
 
PDF
ICONIQ State of AI Report 2025 - The Builder's Playbook
Razin Mustafiz
 
PPTX
Essential Content-centric Plugins for your Website
Laura Byrne
 
PDF
Transcript: Book industry state of the nation 2025 - Tech Forum 2025
BookNet Canada
 
PDF
“Voice Interfaces on a Budget: Building Real-time Speech Recognition on Low-c...
Edge AI and Vision Alliance
 
PDF
Bharatiya Antariksh Hackathon 2025 Idea Submission PPT.pdf
ghjghvhjgc
 
PDF
Next Generation AI: Anticipatory Intelligence, Forecasting Inflection Points ...
dleka294658677
 
PDF
Software Development Company Keene Systems, Inc (1).pdf
Custom Software Development Company | Keene Systems, Inc.
 
PDF
NASA A Researcher’s Guide to International Space Station : Earth Observations
Dr. PANKAJ DHUSSA
 
PPTX
CapCut Pro PC Crack Latest Version Free Free
josanj305
 
PDF
Evolution: How True AI is Redefining Safety in Industry 4.0
vikaassingh4433
 
PDF
CIFDAQ Market Wrap for the week of 4th July 2025
CIFDAQ
 
PDF
Survival Models: Proper Scoring Rule and Stochastic Optimization with Competi...
Paris Women in Machine Learning and Data Science
 
PDF
“ONNX and Python to C++: State-of-the-art Graph Compilation,” a Presentation ...
Edge AI and Vision Alliance
 
PDF
Transforming Utility Networks: Large-scale Data Migrations with FME
Safe Software
 
PPTX
Manual Testing for Accessibility Enhancement
Julia Undeutsch
 
PDF
“NPU IP Hardware Shaped Through Software and Use-case Analysis,” a Presentati...
Edge AI and Vision Alliance
 
PDF
Dev Dives: Accelerating agentic automation with Autopilot for Everyone
UiPathCommunity
 
PDF
NLJUG Speaker academy 2025 - first session
Bert Jan Schrijver
 
DOCX
Cryptography Quiz: test your knowledge of this important security concept.
Rajni Bhardwaj Grover
 
Talbott's brief History of Computers for CollabDays Hamburg 2025
Talbott Crowell
 
ICONIQ State of AI Report 2025 - The Builder's Playbook
Razin Mustafiz
 
Essential Content-centric Plugins for your Website
Laura Byrne
 
Transcript: Book industry state of the nation 2025 - Tech Forum 2025
BookNet Canada
 
“Voice Interfaces on a Budget: Building Real-time Speech Recognition on Low-c...
Edge AI and Vision Alliance
 
Bharatiya Antariksh Hackathon 2025 Idea Submission PPT.pdf
ghjghvhjgc
 
Next Generation AI: Anticipatory Intelligence, Forecasting Inflection Points ...
dleka294658677
 
Software Development Company Keene Systems, Inc (1).pdf
Custom Software Development Company | Keene Systems, Inc.
 
NASA A Researcher’s Guide to International Space Station : Earth Observations
Dr. PANKAJ DHUSSA
 
CapCut Pro PC Crack Latest Version Free Free
josanj305
 
Evolution: How True AI is Redefining Safety in Industry 4.0
vikaassingh4433
 
CIFDAQ Market Wrap for the week of 4th July 2025
CIFDAQ
 
Survival Models: Proper Scoring Rule and Stochastic Optimization with Competi...
Paris Women in Machine Learning and Data Science
 
“ONNX and Python to C++: State-of-the-art Graph Compilation,” a Presentation ...
Edge AI and Vision Alliance
 
Transforming Utility Networks: Large-scale Data Migrations with FME
Safe Software
 
Manual Testing for Accessibility Enhancement
Julia Undeutsch
 
“NPU IP Hardware Shaped Through Software and Use-case Analysis,” a Presentati...
Edge AI and Vision Alliance
 
Dev Dives: Accelerating agentic automation with Autopilot for Everyone
UiPathCommunity
 
NLJUG Speaker academy 2025 - first session
Bert Jan Schrijver
 
Cryptography Quiz: test your knowledge of this important security concept.
Rajni Bhardwaj Grover
 

How to Enable Developers to Deliver Secure Code

  • 1. How to Enable Developers to Deliver Secure Code Achim D. Brucker [email protected] https://www.brucker.ch/ Software Assurance & Security Research Department of Computer Science, The University of Sheffield, Sheffield, UK https://logicalhacking.com/ March 15, 2017
  • 2. Outline 1 Motivation 2 Secure Software Development 3 Enabling Developers: From (Mild) Pain to Success 4 Lesson’s Learned c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 3 of 18
  • 4. Example (LinkedIn, May 2016) 164 million email addresses and passwords from an attack in 2012, offered for sale May 2016 Compromised data: email addresses passwords
  • 5. Example (TalkTalk, October 2015) nearly 157,000 customer records leaked nearly 16,000 records included bank details more than 150,000 customers lost (home services market share fall by 4.4 percent in terms of new customers) Costs for TalkTalk: around any £60 million
  • 6. Example (Ashley Madison, July 2015) more than 30 million email addresses & much more Compromised data: Dates of birth Email addresses Ethnicities, Genders Sexual preferences Home addresses, Phone numbers Payment histories Passwords, Usernames, Security questions and answers Website activity Similar Leak: Mate1 in February 2016: 27 million records with even more personal details (e.g., drinking/drug habits, political views)
  • 7. Outline 1 Motivation 2 Secure Software Development 3 Enabling Developers: From (Mild) Pain to Success 4 Lesson’s Learned c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 5 of 18
  • 8. A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
  • 9. A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Training Security awareness Secure programming Threat modelling Security testing Data protection and privacy Security expert curriculum (“Masters”) c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
  • 10. A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Risk Identification Risk identification (“high-level threat modelling”) Threat modelling Data privacy impact assessment c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
  • 11. A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Plan Security Measures Plan product standard compliance Plan security features Plan security tests Plan security response c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
  • 12. A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Secure Development Secure Programming Static code analysis (SAST) Code review c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
  • 13. A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Security Testing Dynamic Testing (e.g., IAST, DAST) Manual testing External security assessment c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
  • 14. A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Security Validation (“First Customer”) Check for “flaws” in the implementation of the S2 DL Ideally, security validation finds: No issues that can be fixed/detected earlier Only issues that cannot be detect earlier (e.g., insecure default configurations, missing security documentation) Penetration tests in productive environments are different: They test the actual configuration They test the productive environment (e.g., cloud/hosting) c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
  • 15. A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Security Response Execute the security response plan Security related external communication Incident handling Security patches Monitoring of third party components c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
  • 16. A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Secure Software c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
  • 17. A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Secure Software c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
  • 18. A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Secure Software Security Validation Security Testing Secure Development Plan Security Measu res Risk Identification Training Security Resp onse c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
  • 19. A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Secure Software Security Validation Security Testing Secure Development Plan Security Measu res Risk Identification Training Security Resp onse c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
  • 20. A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Secure Software Security Validation Security Testing Secure Development Plan Security Measu res Risk Identification Training Security Resp onse c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
  • 21. A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Secure Software Security Validation Security Testing Secure Development Plan Security Measu res Risk Identification Training Security Resp onse c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 18
  • 22. Secure Software Development Lifecycle for Cloud/Agile Build Operate Define Release Release Decision Build Decision Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 7 of 18
  • 23. Outline 1 Motivation 2 Secure Software Development 3 Enabling Developers: From (Mild) Pain to Success 4 Lesson’s Learned c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 8 of 18
  • 24. Finding Security Vulnerabilities Manual Automatic Running Application Static Analysis Penetration Testing DAST, IAST Vulnerability Scanner SAST Manual Code Review c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 9 of 18
  • 25. Finding Security Vulnerabilities Manual Automatic Running Application Static Analysis Penetration Testing DAST, IAST Vulnerability Scanner SAST Manual Code Review c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 9 of 18
  • 26. In 2010: Static Analysis Becomes Mandatory SAST tools used: Language Tool Vendor ABAP CodeProfiler Virtual Forge Others Fortify HP Since 2010: SAST mandatory for all products Within two years, multiple billions lines analysed Constant improvement of tool configuration Further details: Deploying Static Application Security Testing on a Large Scale. In GI Sicherheit 2014. Lecture Notes in Informatics, 228, pages 91-101, GI, 2014. c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 10 of 18
  • 27. A De-Centralised Application Security Approach Improving The Application Development Approache Governance & approvals De-centralized approach 2009 2016 One Two SAST tools fit all VF CodeProfiler Fortify Blending of Security Testing Tools Static: SAP Netweaver CVA Add-on, Fortify, Synopsis Coverity, Checkmarx, Breakman Dynamic: HP WebInspect, Quotium Seeker Others: Burp Suite, OWASP ZAP, Codenomicon Defensics, BDD c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 11 of 18
  • 28. A De-Centralised Application Security Approach Improving The Application Development Approache Governance & approvals De-centralized approach 2009 2016 Blending of Security Testing Tools Static: SAP Netweaver CVA Add-on, Fortify, Synopsis Coverity, Checkmarx, Breakman Dynamic: HP WebInspect, Quotium Seeker Others: Burp Suite, OWASP ZAP, Codenomicon Defensics, BDD Development Teams feel pushed Central Security Team Controls development teams Spends a lot time with granting exemptions Danger Only ticking boxes c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 11 of 18
  • 29. A De-Centralised Application Security Approach Improving The Application Development Approache Governance & approvals De-centralized approach 2009 2016 Development Teams feel pushed Central Security Team Controls development teams Spends a lot time with granting exemptions Danger Only ticking boxes Development Teams are empowered are responsible Central Security Team Supports development teams Can focuses on improvements filling white spots tooling processes c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 11 of 18
  • 30. De-Centralised Approach: Organisational Setup Central security expert team (S2 DL owner) Organizes security trainings Defines product standard “Security” Defines risk and threat assessment methods Defines security testing strategy Selects and provides security testing tools Validates products Defines and executes response process Local security experts Embedded into development teams Organize local security activities Support developers and architects Support product owners (responsibles) Development teams Select technologies Select development model Design and execute security testing plan ... c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 12 of 18
  • 31. Security Team Focus: Security Testing for Developers Security testing tools for developers, need to Be applicable from the start of development Automate the security knowledge Be integrated into dev world, e.g., IDE (instant feedback) Continuous integration Provide easy to understand fix recommendations Declare their “sweet spots” security experts software Developer many cwe and/or technologies only few cwe and/or technologies generalist tools for security Experts specialist tools for security Experts specialist tools for developers generalist tools for developers https://logicalhacking.com/blog/2016/10/25/classifying-security-testing-tools/ c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 13 of 18
  • 32. How to Measure Success (and Identify White Spots) Listen to your developers c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 14 of 18
  • 33. How to Measure Success (and Identify White Spots) Non-working performance indicators include: Absolute number of reported vulnerabilities Absolute number of fixed issues A new idea: Analyze the vulnerabilities reported by Security Validation External security researchers Two classes: Vulnerabilities that can be detected by used tools Investigate why issues was missed Vulnerabilities not detected by used tools if risk acceptable: nothing to do if risk not acceptable: improve tooling externally reported vuln. 100% c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 14 of 18
  • 34. How to Measure Success (and Identify White Spots) Non-working performance indicators include: Absolute number of reported vulnerabilities Absolute number of fixed issues A new idea: Analyze the vulnerabilities reported by Security Validation External security researchers Two classes: Vulnerabilities that can be detected by used tools Investigate why issues was missed Vulnerabilities not detected by used tools if risk acceptable: nothing to do if risk not acceptable: improve tooling externally reported vuln.in scope not in scope of current security testing tools 100% c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 14 of 18
  • 35. How to Measure Success (and Identify White Spots) Non-working performance indicators include: Absolute number of reported vulnerabilities Absolute number of fixed issues A new idea: Analyze the vulnerabilities reported by Security Validation External security researchers Two classes: Vulnerabilities that can be detected by used tools Investigate why issues was missed Vulnerabilities not detected by used tools if risk acceptable: nothing to do if risk not acceptable: improve tooling externally reported vuln.in scope not in scope of current security testing tools 100% c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 14 of 18
  • 36. How to Measure Success (and Identify White Spots) Non-working performance indicators include: Absolute number of reported vulnerabilities Absolute number of fixed issues A new idea: Analyze the vulnerabilities reported by Security Validation External security researchers Two classes: Vulnerabilities that can be detected by used tools Investigate why issues was missed Vulnerabilities not detected by used tools if risk acceptable: nothing to do if risk not acceptable: improve tooling externally reported vuln.in scope not in scope of current security testing tools not acceptable risk 100% c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 14 of 18
  • 37. How to Measure Success (and Identify White Spots) Non-working performance indicators include: Absolute number of reported vulnerabilities Absolute number of fixed issues A new idea: Analyze the vulnerabilities reported by Security Validation External security researchers Two classes: Vulnerabilities that can be detected by used tools Investigate why issues was missed Vulnerabilities not detected by used tools if risk acceptable: nothing to do if risk not acceptable: improve tooling externally reported vuln.in scope not in scope of current security testing tools not acceptable risk new scope 100% c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 14 of 18
  • 38. How to Measure Success (and Identify White Spots) Non-working performance indicators include: Absolute number of reported vulnerabilities Absolute number of fixed issues A new idea: Analyze the vulnerabilities reported by Security Validation External security researchers Two classes: Vulnerabilities that can be detected by used tools Investigate why issues was missed Vulnerabilities not detected by used tools if risk acceptable: nothing to do if risk not acceptable: improve tooling externally reported vuln.in scope not in scope of current security testing tools not acceptable risk new scope 100% c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 14 of 18
  • 39. How to Measure Success (and Identify White Spots) Non-working performance indicators include: Absolute number of reported vulnerabilities Absolute number of fixed issues A new idea: Analyze the vulnerabilities reported by Security Validation External security researchers Two classes: Vulnerabilities that can be detected by used tools Investigate why issues was missed Vulnerabilities not detected by used tools if risk acceptable: nothing to do if risk not acceptable: improve tooling externally reported vuln.in scope not in scope of current security testing tools not acceptable risk new scope 100% “Success criteria:” Percentage of vulnerabilities not covered by currently used security testing tools increases, i.e., the used tools are used effectively! c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 14 of 18
  • 40. Outline 1 Motivation 2 Secure Software Development 3 Enabling Developers: From (Mild) Pain to Success 4 Lesson’s Learned c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 15 of 18
  • 41. Key Success Factors A holistic security awareness program for Developers Managers c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 16 of 18
  • 42. Key Success Factors A holistic security awareness program for Developers Managers Yes, security awareness is important c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 16 of 18
  • 43. Key Success Factors A holistic security awareness program for Developers Managers Yes, security awareness is important but c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 16 of 18
  • 44. Key Success Factors A holistic security awareness program for Developers Managers Yes, security awareness is important but Developer awareness is even more important! c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 16 of 18
  • 45. Listen to Your Developers And Make Their Life Easy! We are often talking about a lack of security awareness and, by that, forget the problem of lacking development awareness. Building a secure system more difficult than finding a successful attack. Do not expect your developers to become penetration testers (or security experts)! Organisations can make it hard for developers to apply security testing skills! Don’t ask developers to do security testing, if their contract doesn’t allows it Budget application security activities centrally Educate your developers and make them recognised experts c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 17 of 18
  • 46. Final remarks What works well: Delegate power and accountability to development teams Multi-tiered model of security experts: local experts for the local implementation of secure development global experts that support the local security experts (champions): act as consultant in difficult/non-standard situations evaluate, purchase, and operate widely used security testing tools can mediate between development teams and response teams Strict separation of security testing supporting developers and security validation What does not work well: Forcing tools, processes, etc. on developers Penetration testing as “secure development” approach Penetration has its value (e.g., as security integration test) c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 18 of 18
  • 47. Thank you for your attention! Any questions or remarks? Contact: Dr. Achim D. Brucker Department of Computer Science University of Sheffield Regent Court 211 Portobello St. Sheffield S1 4DP, UK ƀ [email protected] @adbrucker https://de.linkedin.com/in/adbrucker/ ĸ https://www.brucker.ch/ į https://logicalhacking.com/blog/
  • 48. Bibliography Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. Michael Felderer, Matthias Büchler, Martin Johns, Achim D. Brucker, Ruth Breu, and Alexander Pretschner. Security testing: A survey. Advances in Computers, 101:1–51, March 2016. c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 20 of 18
  • 49. Document Classification and License Information c 2017 LogicalHacking.com, A.D. Brucker. This presentation is classified as Public (CC BY-NC-ND 4.0): Except where otherwise noted, this presentation is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License (CC BY-NC-ND 4.0). c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 21 of 18
  • 50. Combining Multiple Security Testing Methods and Tools Web Client Web Browser Server Application Runtime Container Backend Systems https://logicalhacking.com/blog/2017/01/11/sast-vs-dast-vs-iast/ Risks of only using only SAST Wasting effort that could be used more wisely elsewhere Shipping insecure software Examples of SAST limitations Not all programming languages supported Covers not all layers of the software stack c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 22 of 18
  • 51. Combining Multiple Security Testing Methods and Tools Web Client Web Browser Server Application Runtime Container Backend Systems SAST (Java) SAST (JavaScript) SAST (C/C++) https://logicalhacking.com/blog/2017/01/11/sast-vs-dast-vs-iast/ Risks of only using only SAST Wasting effort that could be used more wisely elsewhere Shipping insecure software Examples of SAST limitations Not all programming languages supported Covers not all layers of the software stack c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 22 of 18
  • 52. Combining Multiple Security Testing Methods and Tools Web Client Web Browser Server Application Runtime Container Backend Systems SAST (Java) SAST (JavaScript) SAST (C/C++) ToolA(e.g.,DAST) ToolB(e.g.,IAST) In-Browser Security Testing Tool https://logicalhacking.com/blog/2017/01/11/sast-vs-dast-vs-iast/ Risks of only using only SAST Wasting effort that could be used more wisely elsewhere Shipping insecure software Examples of SAST limitations Not all programming languages supported Covers not all layers of the software stack c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 22 of 18
  • 53. Combining Multiple Security Testing Methods and Tools Web Client Web Browser Server Application Runtime Container Backend Systems ToolA(e.g.,DAST) ToolB(e.g.,IAST) In-Browser Security Testing Tool SAST (Java) SAST (JavaScript) https://logicalhacking.com/blog/2017/01/11/sast-vs-dast-vs-iast/ Risks of only using only SAST Wasting effort that could be used more wisely elsewhere Shipping insecure software Examples of SAST limitations Not all programming languages supported Covers not all layers of the software stack c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 22 of 18
  • 54. Combining Multiple Security Testing Methods and Tools Web Client Web Browser Server Application Runtime Container Backend Systems ToolA(e.g.,DAST) ToolB(e.g.,IAST) In-Browser Security Testing Tool SAST (Java) SAST (JavaScript) https://logicalhacking.com/blog/2017/01/11/sast-vs-dast-vs-iast/ Risks of only using only SAST Wasting effort that could be used more wisely elsewhere Shipping insecure software Examples of SAST limitations Not all programming languages supported Covers not all layers of the software stack A comprehensive approach combines Static approaches (i.e., SAST) Dynamic approaches (i.e., IAST or DAST) c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 22 of 18