SlideShare una empresa de Scribd logo

Secure Software Development Lifecycle

Descargar como PPTX, PDF
1&1
1&1

Vortrag im Rahmen des HdM-Day der Hochschule für Medien in Stuttgart (16.01.2015)

Software
1 de 29
Daniel Kefer, Information Security, 1&1 Internet AG SECURE SOFTWARE DEVELOPMENT LIFECYCLE
 Who Am I, Who Is 1&1  Motivation For Secure SDLC  What the World Does  What 1&1 Does  Future Plans 1&1 Internet AG2 Agenda 26.01.2015
 Who Am I, Who Is 1&1  Motivation For Secure SDLC  What the World Does  What 1&1 Does  Future Plans 1&1 Internet AG3 Agenda 26.01.2015
Who Am I 26.01.20154 1&1 Internet AG  Daniel Kefer  Originally from the Czech Republic  Working in IT-Security since 2005  Security in development since 2008  2011 moved to Germany to work for 1&1  Focus on application security
1&1 – Member of United Internet AG 5 1&1 Group 1&1 Telecommunication AG 100 % United Internet Ventures AG 100 % 5 Goldbach 14.96 % Hi-media 10.50 % fun 49 % Virtual Minds 48.65 % ProfitBricks 30.02 % Open-Xchange 28.36 % ePages 25.10 % Uberall 25 % Rocket Internet 8.18 % Stand: 27. März 2014 SEDO Holding GmbH 100 % 1&1 Internet AG 100 % 100 % 26/01/15
Locations 6 1&1 Group26/01/15
Motivated team  Around 7,800 employees, thereof approx. 2,000 in product management, development and data centers Sales strength  Approx. 3 million new customer contracts p.a.  50,000 registrations for free services on a daily basis Operational excellence  46 million accounts in 11 countries 7 data centers  70,000 servers in Europe and USA 1&1: Internet services of United Internet AG 7 1&1 Group Access Applications Networks User equipment Content Standard software 7 Stand: 19. November 2013 26/01/15
 Who Am I, Who Is 1&1  Motivation For Secure SDLC  What the World Does  What 1&1 Does  Future Plans 1&1 Internet AG8 Agenda 26.01.2015
Three Common Approaches to Develop Applications (Security View) 26.01.20159 1&1 Internet AG  Intuitive approach  Reactive approach  Proactive approach
Intuitive Approach 26.01.201510 1&1 Internet AG  Pure best-effort approach  Relying on individual knowledge and experience of the team members  No security gates during the development  Typically leads to higher occurence of security incidents and negative PR
Reactive Approach 26.01.201511 1&1 Internet AG  Typically one security gate before the application rollout  Penetration test  Code review  Infrastructure configuration audit  A big step forward from the security point of view, but…  How effective it is to say „you‘ve done it wrong“ when the development is finished?  Typically increases the project costs and length  Security bugs: mistakes in the source code, „quite easy“ to fix  Security flaws: mistakes in the application design, very expensive to fix  The world gets more agile all the time… at what point should you test?  You don‘t usually find everything during a security audit!
Proactive Approach (Secure SDLC) 26.01.201512 1&1 Internet AG  You try to prevent security bugs before they‘re created  Cost of a bug during the development lifecycle:
 Who Am I, Who Is 1&1  Motivation For Secure SDLC  What the World Does  What 1&1 Does  Future Plans 1&1 Internet AG13 Agenda 26.01.2015
What the World Does 26.01.201514 1&1 Internet AG  Overall Concepts  Process models: What should I do what at which point?  Maturity models: Do I do enough for security in the development?  Supportive Methodologies and Tooling  How do I perform architecture review?  Penetration testing tools  Checklists, cheat sheets  Development guides, testing guides  …
Process Models - Example 26.01.201515 1&1 Internet AG  Microsoft SDL  Development divided into 7 phases  Within every phase you should perform a couple of security-related activities
2004: Microsoft SDL 1.0 Launch 26.01.201516 1&1 Internet AG  2005 Microsoft published first results they achieved using their SDL Methodology
Maturity Models - Example 26.01.201517 1&1 Internet AG  Building Security Into Maturity Model (www.bsimm.com)  Project comparing regularly companies from different verticals and measuring their security activities in software development in 112 activities  2013 (5th version) results – out of 67 firms:  44 have internal secure SDLC officially published  57 track results reached at previously defined security gates  36 require owner‘s security sign-off before deployment  31 enforce security gates (project not continuing until security requirements are met)
Supportive Methodologies and Tooling 26.01.201518 1&1 Internet AG  OWASP (Open Web Application Security Project) – www.owasp.org  The biggest resource regarding application security nowadays  Everything is open-source  Everybody can start his/her own security project  Examples:  OWASP Top Ten: The most widespread application vulnerabilities  OWASP Testing Guide: Methodology for penetration testing of applications  OWASP ASVS: Application Security Verification Standard  OWASP ESAPI: Security Library for JAVA, .NET, PHP…  OWASP Zed Attack Proxy: Testing tool
 Who Am I, Who Is 1&1  Motivation For Secure SDLC  What the World Does  What 1&1 Does  Future Plans 1&1 Internet AG19 Agenda 26.01.2015
Main Goals 26.01.201520 1&1 Internet AG  We spend budget for security according to the real risk  Project teams shall have a trusted contact person guiding them through security challenges  We actively learn from our mistakes steadily and also give the opportunity to others to learn from our mistakes  KISS (Keep it simple stupid)! – build on currently lived processes and tools as much as possible
System Classification – 3 Security Levels 26.01.201521 1&1 Internet AG  Low:  Systems not likely to be target of professional attackers  Mainly reputation risk in case of finding vulnerabilities  Requirements should target mainly quality of code and be aimed at quick wins  Medium:  Possible abuse of client personal data (incidents have to be reported to authorities)  We should have a solid confidence that security has been addressed and assessed consistently and reasonably  High:  Systems essential for 1&1’s business and the ones with high compliance requirements  These systems should be ready to withstand also sophisticated attacks  Most focus on architectural and functional security
SDLC Requirements  Two types of requirements:  Lifecycle: Activities to be done during the lifecycle (e.g. penetration test)  Technical: Properties of the target system (e.g. login brute-force protection)  The concept:  Ever higher category inherits requirements from the lower one and adds new ones  Total counts of requirements: Lifecycle req. Technical req. Low 6 42 Medium 12 72 High 16 84
Lifecycle Requirements (vs. The 1&1 Project Lifecycle) Low Medium High The 1&1 Project Lifecycle Secure SDLC Classification Security guide Security trainings Select requirements Automated scan Yellow Pages Record Security workshop Doc. review 3rd party code Penetration test Vulnerability management Lessons learned Threat model Tailor requirements Code review Configuration review
Technical Requirements - Categories 26.01.201524 1&1 Internet AG  Based on OWASP Application Security Verification Standard Authentication Session Management Access Control Input Validation Output Encoding Cryptography Error Handling and Logging Data Protection Communication Security
Technical Requirements – Example (Brute-Force Protection) ID AU-07 Criticality Low Category Authentication Technology Web Applications, Web Services Description Brute force protection is provided after a system configurable number of invalid login attempts occur against an account within a configurable period of time. Specification /Best Practise More information on best practise: https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks Reasoning Preventing successful brute force attacks on user credentials. Functional Yes Responsible Requirement Engineer Deadline T2 (end of the design phase) QA Responsible Test Manager QA Activity Black box QA Scenario https://www.owasp.org/index.php/Testing_for_Brute_Force_(OWASP-AT-004) QA Deadline T3 (before rollout)
Requirement States 26.01.201526 1&1 Internet AG  Relevant:  Yes/No  Does it make sense to implement the particular requirement?  In Scope:  Yes: The development team has to (or mustn‘t) do something  3rd party: The application relies on another service (e.g. authentication service)  Refused: It was decided not to implement the requirement  No: If not relevant.
 Who Am I, Who Is 1&1  Motivation For Secure SDLC  What the World Does  What 1&1 Does  Future Plans 1&1 Internet AG27 Agenda 26.01.2015
Future Plans 26.01.201528 1&1 Internet AG  Continue increasing the coverage of SDLC-guided projects  Train and establish a satellite of Security Guides  Continuous enhancement of the methodology  Agile methodologies, continuous integration/continuous delivery  Lessons learned from projects  Creation of an SDLC Tool  Department-specific project management methodologies  Different technologies  Transparency of common security measures
Thank You For Your Attention! 26.01.201529 1&1 Internet AG daniel.kefer@1und1.de

Recomendados

Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC FrameworkRishi Kant
 
Secure Software Development Life Cycle
Secure Software Development Life CycleSecure Software Development Life Cycle
Secure Software Development Life CycleMaurice Dawson
 
Intro to Security in SDLC
Intro to Security in SDLCIntro to Security in SDLC
Intro to Security in SDLCTjylen Veselyj
 
Information Security and the SDLC
Information Security and the SDLCInformation Security and the SDLC
Information Security and the SDLCBDPA Charlotte - Information Technology Thought Leaders
 
Security risk management
Security risk managementSecurity risk management
Security risk managementG Prachi
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Frameworkn|u - The Open Security Community
 
Soc and siem and threat hunting
Soc and siem and threat huntingSoc and siem and threat hunting
Soc and siem and threat huntingVikas Jain
 
Secure Coding and Threat Modeling
Secure Coding and Threat ModelingSecure Coding and Threat Modeling
Secure Coding and Threat ModelingMiriam Celi, CISSP, GISP, MSCS, MBA
 

Recomendados

Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC FrameworkRishi Kant
 
Secure Software Development Life Cycle
Secure Software Development Life CycleSecure Software Development Life Cycle
Secure Software Development Life CycleMaurice Dawson
 
Intro to Security in SDLC
Intro to Security in SDLCIntro to Security in SDLC
Intro to Security in SDLCTjylen Veselyj
 
Information Security and the SDLC
Information Security and the SDLCInformation Security and the SDLC
Information Security and the SDLCBDPA Charlotte - Information Technology Thought Leaders
 
Security risk management
Security risk managementSecurity risk management
Security risk managementG Prachi
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Frameworkn|u - The Open Security Community
 
Soc and siem and threat hunting
Soc and siem and threat huntingSoc and siem and threat hunting
Soc and siem and threat huntingVikas Jain
 
Secure Coding and Threat Modeling
Secure Coding and Threat ModelingSecure Coding and Threat Modeling
Secure Coding and Threat ModelingMiriam Celi, CISSP, GISP, MSCS, MBA
 
Defense In Depth Using NIST 800-30
Defense In Depth Using NIST 800-30Defense In Depth Using NIST 800-30
Defense In Depth Using NIST 800-30Kevin M. Moker, CFE, CISSP, ISSMP, CISM
 
Threat Modelling
Threat ModellingThreat Modelling
Threat Modellingn|u - The Open Security Community
 
Threat Modeling Using STRIDE
Threat Modeling Using STRIDEThreat Modeling Using STRIDE
Threat Modeling Using STRIDEGirindro Pringgo Digdo
 
Asset, Vulnerability, Threat, Risk & Control
Asset, Vulnerability, Threat, Risk & ControlAsset, Vulnerability, Threat, Risk & Control
Asset, Vulnerability, Threat, Risk & ControlMuhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
Risks threats and vulnerabilities
Risks threats and vulnerabilitiesRisks threats and vulnerabilities
Risks threats and vulnerabilitiesManish Chaurasia
 
Security architecture
Security architectureSecurity architecture
Security architectureDuncan Unwin
 
Secure Design: Threat Modeling
Secure Design: Threat ModelingSecure Design: Threat Modeling
Secure Design: Threat ModelingNarudom Roongsiriwong, CISSP
 
Basic of SSDLC
Basic of SSDLCBasic of SSDLC
Basic of SSDLCChitpong Wuttanan
 
SOC: Use cases and are we asking the right questions?
SOC: Use cases and are we asking the right questions?SOC: Use cases and are we asking the right questions?
SOC: Use cases and are we asking the right questions?Jonathan Sinclair
 
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Sam Bowne
 
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Edureka!
 
Cyber Security PPT - 2023.pptx
Cyber Security PPT - 2023.pptxCyber Security PPT - 2023.pptx
Cyber Security PPT - 2023.pptxChandanChandu928137
 
Vulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskVulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskAlienVault
 
Information Security Risk Management
Information Security Risk Management Information Security Risk Management
Information Security Risk Management Ersoy AKSOY
 
chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security elmuhammadmuhammad
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1Priyanka Aash
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASPMarco Morana
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity frameworkShriya Rai
 
Penetration Testing
Penetration Testing Penetration Testing
Penetration Testing RomSoft SRL
 
Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Sigma Software
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxYoisRoberthTapiadeLa
 

Más contenido relacionado

La actualidad más candente

Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
Risks threats and vulnerabilities
Risks threats and vulnerabilitiesRisks threats and vulnerabilities
Risks threats and vulnerabilitiesManish Chaurasia
 
Security architecture
Security architectureSecurity architecture
Security architectureDuncan Unwin
 
SOC: Use cases and are we asking the right questions?
SOC: Use cases and are we asking the right questions?SOC: Use cases and are we asking the right questions?
SOC: Use cases and are we asking the right questions?Jonathan Sinclair
 
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Sam Bowne
 
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Edureka!
 
Vulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskVulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskAlienVault
 
Information Security Risk Management
Information Security Risk Management Information Security Risk Management
Information Security Risk Management Ersoy AKSOY
 
chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security elmuhammadmuhammad
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1Priyanka Aash
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASPMarco Morana
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity frameworkShriya Rai
 
Penetration Testing
Penetration Testing Penetration Testing
Penetration Testing RomSoft SRL
 

La actualidad más candente (20)

Defense In Depth Using NIST 800-30
Defense In Depth Using NIST 800-30Defense In Depth Using NIST 800-30
Defense In Depth Using NIST 800-30
 
Threat Modelling
Threat ModellingThreat Modelling
Threat Modelling
 
Threat Modeling Using STRIDE
Threat Modeling Using STRIDEThreat Modeling Using STRIDE
Threat Modeling Using STRIDE
 
Asset, Vulnerability, Threat, Risk & Control
Asset, Vulnerability, Threat, Risk & ControlAsset, Vulnerability, Threat, Risk & Control
Asset, Vulnerability, Threat, Risk & Control
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
 
Risks threats and vulnerabilities
Risks threats and vulnerabilitiesRisks threats and vulnerabilities
Risks threats and vulnerabilities
 
Security architecture
Security architectureSecurity architecture
Security architecture
 
Secure Design: Threat Modeling
Secure Design: Threat ModelingSecure Design: Threat Modeling
Secure Design: Threat Modeling
 
Basic of SSDLC
Basic of SSDLCBasic of SSDLC
Basic of SSDLC
 
SOC: Use cases and are we asking the right questions?
SOC: Use cases and are we asking the right questions?SOC: Use cases and are we asking the right questions?
SOC: Use cases and are we asking the right questions?
 
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
 
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
 
Cyber Security PPT - 2023.pptx
Cyber Security PPT - 2023.pptxCyber Security PPT - 2023.pptx
Cyber Security PPT - 2023.pptx
 
Vulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskVulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize Risk
 
Information Security Risk Management
Information Security Risk Management Information Security Risk Management
Information Security Risk Management
 
chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASP
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity framework
 
Penetration Testing
Penetration Testing Penetration Testing
Penetration Testing
 

Similar a Secure Software Development Lifecycle

Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Sigma Software
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxYoisRoberthTapiadeLa
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxVictoriaChavesta
 
Integrating of security activates in agile process
Integrating of security activates in agile processIntegrating of security activates in agile process
Integrating of security activates in agile processZubair Rahim
 
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdfCisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdfNathanDjami
 
Beyond security testing
Beyond security testingBeyond security testing
Beyond security testingCu Nguyen
 
Navigating agile automotive software development
Navigating agile automotive software development Navigating agile automotive software development
Navigating agile automotive software development Rogue Wave Software
 
Applicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit ProgramApplicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit ProgramMichael Davis
 
Mike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security ProgramMike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security Programcentralohioissa
 
Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended CutMike Spaulding
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare ☁
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare ☁
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare ☁
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalrkadayam
 
Building a Product Security Practice in a DevOps World
Building a Product Security Practice in a DevOps WorldBuilding a Product Security Practice in a DevOps World
Building a Product Security Practice in a DevOps WorldArun Prabhakar
 
Null application security in an agile world
Null application security in an agile worldNull application security in an agile world
Null application security in an agile worldStefan Streichsbier
 
Comparitive Analysis of Secure SDLC Models
Comparitive Analysis of Secure SDLC ModelsComparitive Analysis of Secure SDLC Models
Comparitive Analysis of Secure SDLC ModelsIRJET Journal
 

Similar a Secure Software Development Lifecycle (20)

Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptx
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptx
 
Integrating of security activates in agile process
Integrating of security activates in agile processIntegrating of security activates in agile process
Integrating of security activates in agile process
 
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdfCisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf
 
Beyond security testing
Beyond security testingBeyond security testing
Beyond security testing
 
Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011
 
Se project-methodology-for-security-project-web
Se project-methodology-for-security-project-webSe project-methodology-for-security-project-web
Se project-methodology-for-security-project-web
 
Navigating agile automotive software development
Navigating agile automotive software development Navigating agile automotive software development
Navigating agile automotive software development
 
Applicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit ProgramApplicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit Program
 
Many products-no-security (1)
Many products-no-security (1)Many products-no-security (1)
Many products-no-security (1)
 
Mike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security ProgramMike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security Program
 
Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended Cut
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps final
 
Building a Product Security Practice in a DevOps World
Building a Product Security Practice in a DevOps WorldBuilding a Product Security Practice in a DevOps World
Building a Product Security Practice in a DevOps World
 
Null application security in an agile world
Null application security in an agile worldNull application security in an agile world
Null application security in an agile world
 
Comparitive Analysis of Secure SDLC Models
Comparitive Analysis of Secure SDLC ModelsComparitive Analysis of Secure SDLC Models
Comparitive Analysis of Secure SDLC Models
 

Más de 1&1

1&1 KMU Studie
1&1 KMU Studie 1&1 KMU Studie
1&1 KMU Studie 1&1
 
Inhalte strukturieren für bessere User Experience und Maschinenlesbarkeit
Inhalte strukturieren für bessere User Experience und MaschinenlesbarkeitInhalte strukturieren für bessere User Experience und Maschinenlesbarkeit
Inhalte strukturieren für bessere User Experience und Maschinenlesbarkeit1&1
 
Erfahrungen aus einem Jahr Content Marketing
Erfahrungen aus einem Jahr Content MarketingErfahrungen aus einem Jahr Content Marketing
Erfahrungen aus einem Jahr Content Marketing1&1
 
Mehr Sichtbarkeit durch Google News und AMP
Mehr Sichtbarkeit durch Google News und AMPMehr Sichtbarkeit durch Google News und AMP
Mehr Sichtbarkeit durch Google News und AMP1&1
 
SEO & Content Marketing entlang der Customer Journey
SEO & Content Marketing entlang der Customer JourneySEO & Content Marketing entlang der Customer Journey
SEO & Content Marketing entlang der Customer Journey1&1
 
SEO Content: Eine Zeitreise
SEO Content: Eine ZeitreiseSEO Content: Eine Zeitreise
SEO Content: Eine Zeitreise1&1
 
Social Media bei 1&1
Social Media bei 1&1Social Media bei 1&1
Social Media bei 1&11&1
 
Camunda@1&1
Camunda@1&1Camunda@1&1
Camunda@1&11&1
 
Design Types
Design TypesDesign Types
Design Types1&1
 
HostingCon Europe: Grow your hosting business by better serving small businesses
HostingCon Europe: Grow your hosting business by better serving small businessesHostingCon Europe: Grow your hosting business by better serving small businesses
HostingCon Europe: Grow your hosting business by better serving small businesses1&1
 
Prinzipiensprachen
PrinzipiensprachenPrinzipiensprachen
Prinzipiensprachen1&1
 
1&1 New Hosting Products
1&1 New Hosting Products1&1 New Hosting Products
1&1 New Hosting Products1&1
 
1&1 Hosting Europe Media Event: Server Update
1&1 Hosting Europe Media Event: Server Update1&1 Hosting Europe Media Event: Server Update
1&1 Hosting Europe Media Event: Server Update1&1
 
1&1 Hosting Europe Media Event: New Top Level Domains
1&1 Hosting Europe Media Event: New Top Level Domains1&1 Hosting Europe Media Event: New Top Level Domains
1&1 Hosting Europe Media Event: New Top Level Domains1&1
 
DIY Web Builder: Apps and Social Media
DIY Web Builder: Apps and Social MediaDIY Web Builder: Apps and Social Media
DIY Web Builder: Apps and Social Media1&1
 
Passwort-Sicherheit - WEB.DE Studie 2012 (Convios Consulting GmbH)
Passwort-Sicherheit - WEB.DE Studie 2012 (Convios Consulting GmbH)Passwort-Sicherheit - WEB.DE Studie 2012 (Convios Consulting GmbH)
Passwort-Sicherheit - WEB.DE Studie 2012 (Convios Consulting GmbH)1&1
 
Kundenzufriedenheitsoffensive bei 1&1 - mehr als eine Kampagne
Kundenzufriedenheitsoffensive bei 1&1 - mehr als eine KampagneKundenzufriedenheitsoffensive bei 1&1 - mehr als eine Kampagne
Kundenzufriedenheitsoffensive bei 1&1 - mehr als eine Kampagne1&1
 
Website-Studie 2012
Website-Studie 2012Website-Studie 2012
Website-Studie 20121&1
 
Die neuen Features der 1&1 Do-It-Yourself Homepage im Überblick
Die neuen Features der 1&1 Do-It-Yourself Homepage im ÜberblickDie neuen Features der 1&1 Do-It-Yourself Homepage im Überblick
Die neuen Features der 1&1 Do-It-Yourself Homepage im Überblick1&1
 
IPv6 at 1&1
IPv6 at 1&1 IPv6 at 1&1
IPv6 at 1&1 1&1
 

Más de 1&1 (20)

1&1 KMU Studie
1&1 KMU Studie 1&1 KMU Studie
1&1 KMU Studie
 
Inhalte strukturieren für bessere User Experience und Maschinenlesbarkeit
Inhalte strukturieren für bessere User Experience und MaschinenlesbarkeitInhalte strukturieren für bessere User Experience und Maschinenlesbarkeit
Inhalte strukturieren für bessere User Experience und Maschinenlesbarkeit
 
Erfahrungen aus einem Jahr Content Marketing
Erfahrungen aus einem Jahr Content MarketingErfahrungen aus einem Jahr Content Marketing
Erfahrungen aus einem Jahr Content Marketing
 
Mehr Sichtbarkeit durch Google News und AMP
Mehr Sichtbarkeit durch Google News und AMPMehr Sichtbarkeit durch Google News und AMP
Mehr Sichtbarkeit durch Google News und AMP
 
SEO & Content Marketing entlang der Customer Journey
SEO & Content Marketing entlang der Customer JourneySEO & Content Marketing entlang der Customer Journey
SEO & Content Marketing entlang der Customer Journey
 
SEO Content: Eine Zeitreise
SEO Content: Eine ZeitreiseSEO Content: Eine Zeitreise
SEO Content: Eine Zeitreise
 
Social Media bei 1&1
Social Media bei 1&1Social Media bei 1&1
Social Media bei 1&1
 
Camunda@1&1
Camunda@1&1Camunda@1&1
Camunda@1&1
 
Design Types
Design TypesDesign Types
Design Types
 
HostingCon Europe: Grow your hosting business by better serving small businesses
HostingCon Europe: Grow your hosting business by better serving small businessesHostingCon Europe: Grow your hosting business by better serving small businesses
HostingCon Europe: Grow your hosting business by better serving small businesses
 
Prinzipiensprachen
PrinzipiensprachenPrinzipiensprachen
Prinzipiensprachen
 
1&1 New Hosting Products
1&1 New Hosting Products1&1 New Hosting Products
1&1 New Hosting Products
 
1&1 Hosting Europe Media Event: Server Update
1&1 Hosting Europe Media Event: Server Update1&1 Hosting Europe Media Event: Server Update
1&1 Hosting Europe Media Event: Server Update
 
1&1 Hosting Europe Media Event: New Top Level Domains
1&1 Hosting Europe Media Event: New Top Level Domains1&1 Hosting Europe Media Event: New Top Level Domains
1&1 Hosting Europe Media Event: New Top Level Domains
 
DIY Web Builder: Apps and Social Media
DIY Web Builder: Apps and Social MediaDIY Web Builder: Apps and Social Media
DIY Web Builder: Apps and Social Media
 
Passwort-Sicherheit - WEB.DE Studie 2012 (Convios Consulting GmbH)
Passwort-Sicherheit - WEB.DE Studie 2012 (Convios Consulting GmbH)Passwort-Sicherheit - WEB.DE Studie 2012 (Convios Consulting GmbH)
Passwort-Sicherheit - WEB.DE Studie 2012 (Convios Consulting GmbH)
 
Kundenzufriedenheitsoffensive bei 1&1 - mehr als eine Kampagne
Kundenzufriedenheitsoffensive bei 1&1 - mehr als eine KampagneKundenzufriedenheitsoffensive bei 1&1 - mehr als eine Kampagne
Kundenzufriedenheitsoffensive bei 1&1 - mehr als eine Kampagne
 
Website-Studie 2012
Website-Studie 2012Website-Studie 2012
Website-Studie 2012
 
Die neuen Features der 1&1 Do-It-Yourself Homepage im Überblick
Die neuen Features der 1&1 Do-It-Yourself Homepage im ÜberblickDie neuen Features der 1&1 Do-It-Yourself Homepage im Überblick
Die neuen Features der 1&1 Do-It-Yourself Homepage im Überblick
 
IPv6 at 1&1
IPv6 at 1&1 IPv6 at 1&1
IPv6 at 1&1
 

Último

SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtimeandrehoraa
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmSujith Sukumaran
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesŁukasz Chruściel
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Mater
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalLionel Briand
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Andreas Granig
 
Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf31events.com
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Natan Silnitsky
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Matt Ray
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...Technogeeks
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...confluent
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfDrew Moseley
 
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...Akihiro Suda
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceBrainSell Technologies
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Velvetech LLC
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...OnePlan Solutions
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaHanief Utama
 
How To Manage Restaurant Staff -BTRESTRO
How To Manage Restaurant Staff -BTRESTROHow To Manage Restaurant Staff -BTRESTRO
How To Manage Restaurant Staff -BTRESTROmotivationalword821
 

Último (20)

SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtime
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalm
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New Features
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive Goal
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
 
Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdf
 
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. Salesforce
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
How To Manage Restaurant Staff -BTRESTRO
How To Manage Restaurant Staff -BTRESTROHow To Manage Restaurant Staff -BTRESTRO
How To Manage Restaurant Staff -BTRESTRO
 

Secure Software Development Lifecycle

  • 1. Daniel Kefer, Information Security, 1&1 Internet AG SECURE SOFTWARE DEVELOPMENT LIFECYCLE
  • 2.  Who Am I, Who Is 1&1  Motivation For Secure SDLC  What the World Does  What 1&1 Does  Future Plans 1&1 Internet AG2 Agenda 26.01.2015
  • 3.  Who Am I, Who Is 1&1  Motivation For Secure SDLC  What the World Does  What 1&1 Does  Future Plans 1&1 Internet AG3 Agenda 26.01.2015
  • 4. Who Am I 26.01.20154 1&1 Internet AG  Daniel Kefer  Originally from the Czech Republic  Working in IT-Security since 2005  Security in development since 2008  2011 moved to Germany to work for 1&1  Focus on application security
  • 5. 1&1 – Member of United Internet AG 5 1&1 Group 1&1 Telecommunication AG 100 % United Internet Ventures AG 100 % 5 Goldbach 14.96 % Hi-media 10.50 % fun 49 % Virtual Minds 48.65 % ProfitBricks 30.02 % Open-Xchange 28.36 % ePages 25.10 % Uberall 25 % Rocket Internet 8.18 % Stand: 27. März 2014 SEDO Holding GmbH 100 % 1&1 Internet AG 100 % 100 % 26/01/15
  • 7. Motivated team  Around 7,800 employees, thereof approx. 2,000 in product management, development and data centers Sales strength  Approx. 3 million new customer contracts p.a.  50,000 registrations for free services on a daily basis Operational excellence  46 million accounts in 11 countries 7 data centers  70,000 servers in Europe and USA 1&1: Internet services of United Internet AG 7 1&1 Group Access Applications Networks User equipment Content Standard software 7 Stand: 19. November 2013 26/01/15
  • 8.  Who Am I, Who Is 1&1  Motivation For Secure SDLC  What the World Does  What 1&1 Does  Future Plans 1&1 Internet AG8 Agenda 26.01.2015
  • 9. Three Common Approaches to Develop Applications (Security View) 26.01.20159 1&1 Internet AG  Intuitive approach  Reactive approach  Proactive approach
  • 10. Intuitive Approach 26.01.201510 1&1 Internet AG  Pure best-effort approach  Relying on individual knowledge and experience of the team members  No security gates during the development  Typically leads to higher occurence of security incidents and negative PR
  • 11. Reactive Approach 26.01.201511 1&1 Internet AG  Typically one security gate before the application rollout  Penetration test  Code review  Infrastructure configuration audit  A big step forward from the security point of view, but…  How effective it is to say „you‘ve done it wrong“ when the development is finished?  Typically increases the project costs and length  Security bugs: mistakes in the source code, „quite easy“ to fix  Security flaws: mistakes in the application design, very expensive to fix  The world gets more agile all the time… at what point should you test?  You don‘t usually find everything during a security audit!
  • 12. Proactive Approach (Secure SDLC) 26.01.201512 1&1 Internet AG  You try to prevent security bugs before they‘re created  Cost of a bug during the development lifecycle:
  • 13.  Who Am I, Who Is 1&1  Motivation For Secure SDLC  What the World Does  What 1&1 Does  Future Plans 1&1 Internet AG13 Agenda 26.01.2015
  • 14. What the World Does 26.01.201514 1&1 Internet AG  Overall Concepts  Process models: What should I do what at which point?  Maturity models: Do I do enough for security in the development?  Supportive Methodologies and Tooling  How do I perform architecture review?  Penetration testing tools  Checklists, cheat sheets  Development guides, testing guides  …
  • 15. Process Models - Example 26.01.201515 1&1 Internet AG  Microsoft SDL  Development divided into 7 phases  Within every phase you should perform a couple of security-related activities
  • 16. 2004: Microsoft SDL 1.0 Launch 26.01.201516 1&1 Internet AG  2005 Microsoft published first results they achieved using their SDL Methodology
  • 17. Maturity Models - Example 26.01.201517 1&1 Internet AG  Building Security Into Maturity Model (www.bsimm.com)  Project comparing regularly companies from different verticals and measuring their security activities in software development in 112 activities  2013 (5th version) results – out of 67 firms:  44 have internal secure SDLC officially published  57 track results reached at previously defined security gates  36 require owner‘s security sign-off before deployment  31 enforce security gates (project not continuing until security requirements are met)
  • 18. Supportive Methodologies and Tooling 26.01.201518 1&1 Internet AG  OWASP (Open Web Application Security Project) – www.owasp.org  The biggest resource regarding application security nowadays  Everything is open-source  Everybody can start his/her own security project  Examples:  OWASP Top Ten: The most widespread application vulnerabilities  OWASP Testing Guide: Methodology for penetration testing of applications  OWASP ASVS: Application Security Verification Standard  OWASP ESAPI: Security Library for JAVA, .NET, PHP…  OWASP Zed Attack Proxy: Testing tool
  • 19.  Who Am I, Who Is 1&1  Motivation For Secure SDLC  What the World Does  What 1&1 Does  Future Plans 1&1 Internet AG19 Agenda 26.01.2015
  • 20. Main Goals 26.01.201520 1&1 Internet AG  We spend budget for security according to the real risk  Project teams shall have a trusted contact person guiding them through security challenges  We actively learn from our mistakes steadily and also give the opportunity to others to learn from our mistakes  KISS (Keep it simple stupid)! – build on currently lived processes and tools as much as possible
  • 21. System Classification – 3 Security Levels 26.01.201521 1&1 Internet AG  Low:  Systems not likely to be target of professional attackers  Mainly reputation risk in case of finding vulnerabilities  Requirements should target mainly quality of code and be aimed at quick wins  Medium:  Possible abuse of client personal data (incidents have to be reported to authorities)  We should have a solid confidence that security has been addressed and assessed consistently and reasonably  High:  Systems essential for 1&1’s business and the ones with high compliance requirements  These systems should be ready to withstand also sophisticated attacks  Most focus on architectural and functional security
  • 22. SDLC Requirements  Two types of requirements:  Lifecycle: Activities to be done during the lifecycle (e.g. penetration test)  Technical: Properties of the target system (e.g. login brute-force protection)  The concept:  Ever higher category inherits requirements from the lower one and adds new ones  Total counts of requirements: Lifecycle req. Technical req. Low 6 42 Medium 12 72 High 16 84
  • 23. Lifecycle Requirements (vs. The 1&1 Project Lifecycle) Low Medium High The 1&1 Project Lifecycle Secure SDLC Classification Security guide Security trainings Select requirements Automated scan Yellow Pages Record Security workshop Doc. review 3rd party code Penetration test Vulnerability management Lessons learned Threat model Tailor requirements Code review Configuration review
  • 24. Technical Requirements - Categories 26.01.201524 1&1 Internet AG  Based on OWASP Application Security Verification Standard Authentication Session Management Access Control Input Validation Output Encoding Cryptography Error Handling and Logging Data Protection Communication Security
  • 25. Technical Requirements – Example (Brute-Force Protection) ID AU-07 Criticality Low Category Authentication Technology Web Applications, Web Services Description Brute force protection is provided after a system configurable number of invalid login attempts occur against an account within a configurable period of time. Specification /Best Practise More information on best practise: https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks Reasoning Preventing successful brute force attacks on user credentials. Functional Yes Responsible Requirement Engineer Deadline T2 (end of the design phase) QA Responsible Test Manager QA Activity Black box QA Scenario https://www.owasp.org/index.php/Testing_for_Brute_Force_(OWASP-AT-004) QA Deadline T3 (before rollout)
  • 26. Requirement States 26.01.201526 1&1 Internet AG  Relevant:  Yes/No  Does it make sense to implement the particular requirement?  In Scope:  Yes: The development team has to (or mustn‘t) do something  3rd party: The application relies on another service (e.g. authentication service)  Refused: It was decided not to implement the requirement  No: If not relevant.
  • 27.  Who Am I, Who Is 1&1  Motivation For Secure SDLC  What the World Does  What 1&1 Does  Future Plans 1&1 Internet AG27 Agenda 26.01.2015
  • 28. Future Plans 26.01.201528 1&1 Internet AG  Continue increasing the coverage of SDLC-guided projects  Train and establish a satellite of Security Guides  Continuous enhancement of the methodology  Agile methodologies, continuous integration/continuous delivery  Lessons learned from projects  Creation of an SDLC Tool  Department-specific project management methodologies  Different technologies  Transparency of common security measures
  • 29. Thank You For Your Attention! 26.01.201529 1&1 Internet AG daniel.kefer@1und1.de

Notas del editor

  1. Number of employees UI: 6,700