Systems architecture with the functional safety/security emphasis
Se está descargando tu SlideShare.
×
Eche un vistazo a continuación
Recomendado
Más Contenido Relacionado
Presentaciones para usted (20)
Similares a Building application security with 0 money down (20)
Más de DefCamp (20)
Más reciente (20)
Building application security with 0 money down
- 1. @intralinks @intralinks © 2018 Intralinks, Inc. l All Rights Reserved l 1 Building application security with 0 money down Mushegh Hakhinian| VP, Security Architecture| November 9, 2018
- 2. Why this talk? Share experience: • “Everything-as-code” means “most-of-the-things” can be fixed in code • A good program can be started without major investment in tooling • A good program cannot be established without smart investment in tooling © 2018 Intralinks, Inc. l All Rights Reserved l 2
- 3. Introduction 01 © 2018 Intralinks, Inc. l All Rights Reserved l 3
- 4. Microsoft SDL Steps © 2018 Intralinks, Inc. l All Rights Reserved l 4 1. Training 2. Requirements 3. Design 4. Implementation 1. Core Security Training 1. Security and Privacy Requirements 2. Quality Gates 3. Security And Privacy Risk Assessments 1. Design Requirements 2. Attack Surface Reduction 3. Threat Modeling 1. Use Approved Tools 2. Deprecate Unsafe Functions 3. Static Analysis
- 5. Microsoft SDL Steps (continued) © 2018 Intralinks, Inc. l All Rights Reserved l 5 5. Verification 6. Release 7. Response 1. Dynamic Analysis 2. Fuzz Testing 3. Attack Surface Review 1. Incident Response Plan 2. Final Security Review 3. Release Certification 1. Execute Incident Response Plan
- 6. Application Security Stages - Coming of Age 02 © 2018 Intralinks, Inc. l All Rights Reserved l 6
- 7. Beginning State Sincere ignorance © 2018 Intralinks, Inc. l All Rights Reserved l 7
- 8. Next State Vicious Cycle First assessment Fix critical issues Second assessment Fix critical issues Third assessment Fix critical issues … … N-th assessment Fix critical issues © 2018 Intralinks, Inc. l All Rights Reserved l 8
- 9. Application Security Process Inception 03 © 2018 Intralinks, Inc. l All Rights Reserved l 9
- 10. Attainable Goal 1 - Find Glaring Issues Step 1 - Test Production Instances Free Tools: - OWASP Zed Attack Proxy - Openssl.com for quick check of TLS profiles © 2018 Intralinks, Inc. l All Rights Reserved l 10 5. Verification 1. Dynamic Analysis 2. Fuzz Testing 3. Attack Surface Review
- 11. Attainable Goal 2 – Fix Issues Under Own Control Step 2 - Check Own Code Free Tools: - Dependency Checker for 3-rd party components (weekly) - SonarQube for code analysis (nightly) - Clair for docker container analysis (weekly) © 2018 Intralinks, Inc. l All Rights Reserved l 11 4. Implementation 1. Use Approved Tools 2. Deprecate Unsafe Functions 3. Static Analysis
- 12. Attainable Goal 3 – Catch Issues Before Coding Starts Step 3 – Define Required Security Controls When Designing and Perform Architectural Risk Analysis Free Tools: - Microsoft Threat Modeling Tool © 2018 Intralinks, Inc. l All Rights Reserved l 12 3. Design 1. Design Requirements 2. Attack Surface Reduction 3. Threat Modeling
- 13. Process Inception Checklist © 2018 Intralinks, Inc. l All Rights Reserved l 13 Use special tickets to track vulnerabilities – it takes some research to understand at which layer the fix needs to be applied Get stakeholder commitment to fix Critical issues immediately Get commitment to patch 3-rd party components
- 14. Steps to Maturity and Scaling 04 © 2018 Intralinks, Inc. l All Rights Reserved l 14
- 15. Maturity Goal 1 – Establish Continuous Assessment Budget for Commercial Tooling Evaluate and Implement 24/7 Dynamic Assessment Product Scan Test Environments Before Promoting to Production © 2018 Intralinks, Inc. l All Rights Reserved l 15 5. Verification 1. Dynamic Analysis 2. Fuzz Testing 3. Attack Surface Review
- 16. Maturity Goal 2 – Integrate With Commercial Code Analysis Tools Budget for Commercial Tooling Scan for Viral Licenses Scan for non-patched components Perform Static code analysis for each build © 2018 Intralinks, Inc. l All Rights Reserved l 16 4. Implementation 1. Use Approved Tools 2. Deprecate Unsafe Functions 3. Static Analysis
- 17. Maturity Goal 3 – Enforce Security Gates Define thresholds and fail builds for critical items © 2018 Intralinks, Inc. l All Rights Reserved l 17 2. Requirements 1. Security and Privacy Requirements 2. Quality Gates 3. Security And Privacy Risk Assessments
- 18. Maturity Goal 4 – Invest in Training Establish Formal Security Training for Engineers With Yearly Re-certification Train and Certify Security Champions to Scale The Security Program © 2018 Intralinks, Inc. l All Rights Reserved l 18 1. Training 1. Core Security Training
- 19. Process Maturity Checklist © 2018 Intralinks, Inc. l All Rights Reserved l 19 Establish Cross-team committee to review security issues Establish Timelines for fixing all security issues Low to Critical Automate 3-rd party component patching Establish metrics for executive level reporting (Risk Management Committee)
- 20. Conclusion 05 © 2018 Intralinks, Inc. l All Rights Reserved l 20
- 21. Customized SDL Steps With Little Initial Investment © 2018 Intralinks, Inc. l All Rights Reserved l 21 1. Production Scanning 6. Security Gates Enforcement 3. Threat Modeling 2. Code Analysis 4. Continuous Assessment 5. Automated Code Analysis 7. Secure Coding Training
- 22. Ultimately, People Make The Program Work © 2018 Intralinks, Inc. l All Rights Reserved l 22
- 23. Useful Links to Free Tools © 2018 Intralinks, Inc. l All Rights Reserved l 23 https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project https://www.owasp.org/index.php/OWASP_Dependency_Check https://www.sonarqube.org/ https://github.com/coreos/clair https://www.microsoft.com/en-us/download/details.aspx?id=49168
- 24. @intralinks @intralinks © 2018 Intralinks, Inc. l All Rights Reserved l 24 SonarQube Demo Bogdan Petru-Ungureanu| Security Architect| November 9, 2018
- 25. Thank You! @intralinks @intralinks © 2018 Intralinks, Inc. l All Rights Reserved l 25 intralinks.com
