Building application security with 0 money down
2. Why this talk?
Share experience:
• “Everything-as-code” means “most-of-the-things” can be fixed in code
• A good program can be started without major investment in tooling
• A good program cannot be established without smart investment in tooling
© 2018 Intralinks, Inc. l All Rights Reserved l 2
4. Microsoft SDL Steps
1. Training
   1. Core Security Training
2. Requirements
   1. Security and Privacy Requirements
   2. Quality Gates
   3. Security and Privacy Risk Assessments
3. Design
   1. Design Requirements
   2. Attack Surface Reduction
   3. Threat Modeling
4. Implementation
   1. Use Approved Tools
   2. Deprecate Unsafe Functions
   3. Static Analysis
5. Microsoft SDL Steps (continued)
5. Verification
   1. Dynamic Analysis
   2. Fuzz Testing
   3. Attack Surface Review
6. Release
   1. Incident Response Plan
   2. Final Security Review
   3. Release Certification
7. Response
   1. Execute Incident Response Plan
8. Next State
Vicious Cycle:
First assessment -> Fix critical issues
Second assessment -> Fix critical issues
Third assessment -> Fix critical issues
…
N-th assessment -> Fix critical issues
10. Attainable Goal 1 - Find Glaring Issues
Step 1 - Test Production Instances
Free Tools:
- OWASP Zed Attack Proxy
- Openssl.com for quick check of TLS profiles
Related SDL step: 5. Verification (1. Dynamic Analysis, 2. Fuzz Testing, 3. Attack Surface Review)
11. Attainable Goal 2 – Fix Issues Under Own Control
Step 2 - Check Own Code
Free Tools:
- OWASP Dependency-Check for third-party components (weekly)
- SonarQube for code analysis (nightly)
- Clair for Docker container analysis (weekly)
Related SDL step: 4. Implementation (1. Use Approved Tools, 2. Deprecate Unsafe Functions, 3. Static Analysis)
12. Attainable Goal 3 – Catch Issues Before Coding Starts
Step 3 – Define Required Security Controls When Designing and Perform Architectural Risk Analysis
Free Tools:
- Microsoft Threat Modeling Tool
Related SDL step: 3. Design (1. Design Requirements, 2. Attack Surface Reduction, 3. Threat Modeling)
13. Process Inception Checklist
- Use special tickets to track vulnerabilities – it takes some research to understand at which layer the fix needs to be applied
- Get stakeholder commitment to fix Critical issues immediately
- Get commitment to patch third-party components
14. Steps to Maturity and Scaling
15. Maturity Goal 1 – Establish Continuous Assessment
- Budget for Commercial Tooling
- Evaluate and Implement 24/7 Dynamic Assessment Product
- Scan Test Environments Before Promoting to Production
Related SDL step: 5. Verification (1. Dynamic Analysis, 2. Fuzz Testing, 3. Attack Surface Review)
16. Maturity Goal 2 – Integrate With Commercial Code Analysis Tools
- Budget for Commercial Tooling
- Scan for Viral Licenses
- Scan for Unpatched Components
- Perform Static Code Analysis for Each Build
Related SDL step: 4. Implementation (1. Use Approved Tools, 2. Deprecate Unsafe Functions, 3. Static Analysis)
17. Maturity Goal 3 – Enforce Security Gates
- Define thresholds and fail builds for critical items
Related SDL step: 2. Requirements (1. Security and Privacy Requirements, 2. Quality Gates, 3. Security and Privacy Risk Assessments)
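An added example (not from the talk or from Intralinks): a minimal gate a CI job can run after the nightly or per-build scan, failing the build when any finding meets the configured severity threshold, starting with Critical as the slide proposes. The report is a constructed sample whose field names only loosely imitate an OWASP Dependency-Check JSON report; SEVERITY_RANK, findings_at_or_above and gate are hypothetical names, and the library and CVE names are placeholders.

```python
"""Security gate for CI: block the build when findings reach a severity threshold."""
import json
import sys

# Severity ranking used by the gate (CVSS v3 qualitative scale).
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report (assumption: field names only loosely mimic an
# OWASP Dependency-Check JSON report; library and CVE names are placeholders).
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "example-parser-1.2.jar",
         "vulnerabilities": [
             {"name": "CVE-EXAMPLE-0001", "severity": "CRITICAL"},
             {"name": "CVE-EXAMPLE-0002", "severity": "MEDIUM"}]},
        {"fileName": "example-util-3.0.jar", "vulnerabilities": []},
        {"fileName": "example-log-1.0.jar",
         "vulnerabilities": [
             {"name": "CVE-EXAMPLE-0003", "severity": "high"}]},
    ]
})


def findings_at_or_above(report_json, threshold):
    """Return (dependency, finding id, severity) tuples that meet the threshold."""
    floor = SEVERITY_RANK[threshold.upper()]
    hits = []
    for dep in json.loads(report_json).get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            sev = str(vuln.get("severity", "LOW")).upper()
            # Unknown severity strings fail closed: they count as CRITICAL.
            if SEVERITY_RANK.get(sev, max(SEVERITY_RANK.values())) >= floor:
                hits.append((dep["fileName"], vuln["name"], sev))
    return hits


def gate(report_json, threshold="CRITICAL"):
    """Exit status for the CI job: 0 lets the build proceed, 1 blocks it."""
    blockers = findings_at_or_above(report_json, threshold)
    for dep, vuln, sev in blockers:
        print(f"BLOCKED by {threshold.upper()} gate: {dep} {vuln} ({sev})")
    return 1 if blockers else 0


if __name__ == "__main__":
    # Start strict on Critical only; tighten to HIGH once the backlog is clear.
    sys.exit(gate(SAMPLE_REPORT, "CRITICAL"))
```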
18. Maturity Goal 4 – Invest in Training
- Establish Formal Security Training for Engineers With Yearly Re-certification
- Train and Certify Security Champions to Scale The Security Program
Related SDL step: 1. Training (1. Core Security Training)
19. Process Maturity Checklist
- Establish a cross-team committee to review security issues
- Establish timelines for fixing all security issues, Low to Critical
- Automate third-party component patching
- Establish metrics for executive-level reporting (Risk Management Committee)
21. Customized SDL Steps With Little Initial Investment
1. Production Scanning
2. Code Analysis
3. Threat Modeling
4. Continuous Assessment
5. Automated Code Analysis
6. Security Gates Enforcement
7. Secure Coding Training
23. Useful Links to Free Tools
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
https://www.owasp.org/index.php/OWASP_Dependency_Check
https://www.sonarqube.org/
https://github.com/coreos/clair
https://www.microsoft.com/en-us/download/details.aspx?id=49168