SlideShare una empresa de Scribd logo

Security Shift Leftmost - Secure Architecture.pdf

Narudom Roongsiriwong, CISSP
Narudom Roongsiriwong, CISSP

Security shifting left addressed earlier security concerns in the software development life-cycle (that is, left in a left-to-right schedule diagram). The question is "Are the security concerns in software development life-cycle sufficient?". This presentation will introduce "Shifting Leftmost in Security" which focusing in Security Architecture. Software implementation in medium and large enterprise environments requires well defined architecture especially in security requirements. The scope in this presentation will cover secure application infrastructure and secure application design.

Tecnología
1 de 26
Descargar para leer sin conexión
Secure Architecture Secure Architecture Narudom Roongsiriwong, CISSP, CCSK Narudom Roongsiriwong, CISSP, CCSK March 20, 2022 March 20, 2022 SHIFT SHIFT SECURITY
SVP, Head of Digital Architecture Co-Chair, Hybrid Cloud Security Working Group APAC Research Advisory Council Member Consultant, Thailand Chapter Narudom Roongsiriwong Narudom Roongsiriwong
What Is “Shift Left” on Security? “By better integrating information security (InfoSec) objectives into daily work, teams can achieve higher levels of software delivery performance and build more secure systems. This idea is also known as shifting left, because concerns, including security concerns, are addressed earlier in the software development lifecycle (that is, left in a left-to-right schedule diagram).” Cloud Architecture Center → DevOps → Guides DevOps tech: Shifting left on security https://cloud.google.com/architecture/devops/devops-tech-shifting-left-on-security
DevSecOps’ Security “Shift Left”
Benefits of Shifting Left Shifting Left Faster Delivery Improved Security Posture Reduced Costs Improved Security Integration Greater Business Success =
Security Activities in Software Development 1 2 3 4 5 Requirement Design Implementation Verification Release ● Incident Response Plan ● Final Security Review ● Dynamic/Fuzz Testing ● Attack Surface Review ● Use Approved Tools ● Deprecate Unsafe Functions ● Static Analysis ● Attack Surface Analysis ● Threat Modeling ● Establish Security Requirement ● Create Quality Gate ● Risk Assessment
Security Activities in Software Development 1 2 3 4 5 Requirement Design Implementation Verification Release ● Incident Response Plan ● Final Security Review ● Dynamic/Fuzz Testing ● Attack Surface Review ● Use Approved Tools ● Deprecate Unsafe Functions ● Static Analysis ● Attack Surface Analysis ● Threat Modeling ● Establish Security Requirement ● Create Quality Gate ● Risk Assessment
What is the Leftmost? 1 2 3 4 5 Release ● Incident Response Plan ● Final Security Review Verification ● Dynamic/Fuzz Testing ● Attack Surface Review Implementation ● Use Approved Tools ● Deprecate Unsafe Functions ● Static Analysis Design ● Attack Surface Analysis ● Threat Modeling Requirement ● Establish Security Requirement ● Create Quality Gate ● Risk Assessment
What is the Leftmost? 0 Architect
A Project The Enterprise
Architecting: Enterprise Application Infrastructure ● Identity and access management – Internal users – Customers ● Cryptographic and key management ● Data sharing platform ● Security requirement ● Security quality gate guideline ● Security patterns (design & integration patterns) ● Threat and vulnerability catalog
Identity and Access Management IAM & CIAM
Identity and Access Management IAM & CIAM
Identity and Access Management Federated Identity Management: Back Channel Assertion ● The subscriber is given an assertion reference to present to the RP, generally through the front channel. ● The assertion reference itself contains no information about the subscriber and SHALL be resistant to tampering and fabrication by an attacker.
Cryptographic and Key Management ● How can we encourage developers adopt Hardware Security Module (HSM) and key management process? ● How can we ensure that developers properly implement only approved cryptography algorithm? ● How can we help applications rotate keys properly and correctly? ● If we need stronger encryption algorithm or longer key length in the future, how can we migrate the encrypted data without application modification?
Real World Cryptography Implementation ● Cryptographic algorithms and parameters – Symmetric: 3DES, AES / Asymmetric: RSA, ECC – Key size – Initialization Vector (IV) / Starting Variable (SV) / Nonce – Mode: ECB, CBC, CFB, etc. – Padding ● Key controls and key management ● Key change/exchange procedures ● Cryptographic toolkits ● Random number/seed generators
Key Management Framework Generation Exchange Storage Rotation Archiving Destruction Key Usage
● SANS CWE Top 25 ● OWASP Top 10 – 2021 ● OWASP Mobile Top 10 ● OWASP Application Security Verification Standard (ASVS) Threat and Vulnerability Catalog
Architecting: Project Specific ● Architecture Risk Assessment – Architecture security review – Attack surface analysis – Threat modeling ● Security Architecture and Design – Security solutions in response to business and compliance requirements – Mitigation and controls in response to risk assessment ● Security Implementation ● Security Operations and Monitoring Integration
Attack Surface System’s Surface (e.g., API) Attacks Intuition Reduce the ways attackers can penetrate surface Increase system’s security A software or application’s attack surface is the measure of its exposure of being exploited by a threat agent, i.e., weaknesses in its entry and exit points that a malicious attacker can exploit to his or her advantage.
Attack Surface Analysis ● Attack Surface Analysis helps you to: – Identify what functions and what parts of the system you need to review/test for security vulnerabilities – Identify high risk areas of code that require defense-in-depth protection - what parts of the system that you need to defend – Identify when you have changed the attack surface and need to do some kind of threat assessment ● Goal attack surface analysis is to reduce the attack surface by: – Lower privilege – Turn features off – Defense in depth
What Is Threat Modeling? Threat modeling is an approach for analyzing the security system. It is a structured approach that enables you to identify, quantify, and address the security risks associated with a system.
Threat Model Typically Includes ● Description of the subject to be modeled ● Assumptions that can be checked or challenged in the future as the threat landscape changes ● Potential threats to the system ● Actions that can be taken to mitigate each threat ● A way of validating the model and threats, and verification of success of actions taken
Threat Modeling: Four Question Framework What are we working on? What can go wrong? What are we going to do about it? Did we do a good job?
Security Shift Leftmost - Secure Architecture.pdf

Recomendados

3.Secure Design Principles And Process
3.Secure Design Principles And Process3.Secure Design Principles And Process
3.Secure Design Principles And Process
phanleson
 
SureLog SIEM Jobs
SureLog SIEM JobsSureLog SIEM Jobs
SureLog SIEM Jobs
Ertugrul Akbas
 
Risk Based Software Planning
Risk Based Software PlanningRisk Based Software Planning
Risk Based Software Planning
Muhammad Alhalaby
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Anton Chuvakin
 
Php developer
Php developerPhp developer
Php developer
Ertugrul Akbas
 
Anton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in BriefAnton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in Brief
Anton Chuvakin
 
Risky project Enterprise
Risky project EnterpriseRisky project Enterprise
Risky project Enterprise
Intaver Insititute
 
Threat modeling demystified
Threat modeling demystifiedThreat modeling demystified
Threat modeling demystified
Priyanka Aash
 

Recomendados

3.Secure Design Principles And Process
3.Secure Design Principles And Process3.Secure Design Principles And Process
3.Secure Design Principles And Process
phanleson
 
SureLog SIEM Jobs
SureLog SIEM JobsSureLog SIEM Jobs
SureLog SIEM Jobs
Ertugrul Akbas
 
Risk Based Software Planning
Risk Based Software PlanningRisk Based Software Planning
Risk Based Software Planning
Muhammad Alhalaby
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Anton Chuvakin
 
Php developer
Php developerPhp developer
Php developer
Ertugrul Akbas
 
Anton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in BriefAnton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in Brief
Anton Chuvakin
 
Risky project Enterprise
Risky project EnterpriseRisky project Enterprise
Risky project Enterprise
Intaver Insititute
 
Threat modeling demystified
Threat modeling demystifiedThreat modeling demystified
Threat modeling demystified
Priyanka Aash
 
A successful application security program - Envision build and scale
A successful application security program - Envision build and scaleA successful application security program - Envision build and scale
A successful application security program - Envision build and scale
Priyanka Aash
 
Insight into SOAR
Insight into SOARInsight into SOAR
Insight into SOAR
DNIF
 
Five SIEM Futures (2012)
Five SIEM Futures (2012)Five SIEM Futures (2012)
Five SIEM Futures (2012)
Anton Chuvakin
 
On Content-Aware SIEM by Dr. Anton Chuvakin
On Content-Aware SIEM by Dr. Anton ChuvakinOn Content-Aware SIEM by Dr. Anton Chuvakin
On Content-Aware SIEM by Dr. Anton Chuvakin
Anton Chuvakin
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1
Priyanka Aash
 
Security Meetup Scotland - August 2017 (Deconstructing SIEM)
Security Meetup Scotland - August 2017 (Deconstructing SIEM)Security Meetup Scotland - August 2017 (Deconstructing SIEM)
Security Meetup Scotland - August 2017 (Deconstructing SIEM)
Harry McLaren
 
Tips on SIEM Ops 2015
Tips on SIEM Ops 2015Tips on SIEM Ops 2015
Tips on SIEM Ops 2015
Anton Chuvakin
 
5 Important Secure Coding Practices
5 Important Secure Coding Practices5 Important Secure Coding Practices
5 Important Secure Coding Practices
Thomas Kurian Ambattu,CRISC,ISLA-2011 (ISC)²
 
RSA 2016 Security Analytics Presentation
RSA 2016 Security Analytics PresentationRSA 2016 Security Analytics Presentation
RSA 2016 Security Analytics Presentation
Anton Chuvakin
 
us-16-Nipravsky-Certificate-Bypass-Hiding-And-Executing-Malware-From-A-Digita...
us-16-Nipravsky-Certificate-Bypass-Hiding-And-Executing-Malware-From-A-Digita...us-16-Nipravsky-Certificate-Bypass-Hiding-And-Executing-Malware-From-A-Digita...
us-16-Nipravsky-Certificate-Bypass-Hiding-And-Executing-Malware-From-A-Digita...
Tom Nipravsky
 
Need of SIEM when You have SOAR
Need of SIEM when You have SOARNeed of SIEM when You have SOAR
Need of SIEM when You have SOAR
Siemplify
 
Changing the Security Monitoring Status Quo
Changing the Security Monitoring Status QuoChanging the Security Monitoring Status Quo
Changing the Security Monitoring Status Quo
EMC
 
OWASP Secure Coding Practices - Quick Reference Guide
OWASP Secure Coding Practices - Quick Reference GuideOWASP Secure Coding Practices - Quick Reference Guide
OWASP Secure Coding Practices - Quick Reference Guide
Ludovic Petit
 
Software security engineering
Software security engineeringSoftware security engineering
Software security engineering
AHM Pervej Kabir
 
Understanding the “Why” in Enterprise Application Security Strategy
Understanding the “Why” in Enterprise Application Security StrategyUnderstanding the “Why” in Enterprise Application Security Strategy
Understanding the “Why” in Enterprise Application Security Strategy
Priyanka Aash
 
Need Of Security Operations Over SIEM
Need Of Security Operations Over SIEMNeed Of Security Operations Over SIEM
Need Of Security Operations Over SIEM
Siemplify
 
Software Security Engineering
Software Security EngineeringSoftware Security Engineering
Software Security Engineering
Marco Morana
 
Making Log Data Useful: SIEM and Log Management Together
Making Log Data Useful: SIEM and Log Management TogetherMaking Log Data Useful: SIEM and Log Management Together
Making Log Data Useful: SIEM and Log Management Together
Anton Chuvakin
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)
abhimanyubhogwan
 
Protecting microservices using secure design patterns 1.0
Protecting microservices using secure design patterns 1.0Protecting microservices using secure design patterns 1.0
Protecting microservices using secure design patterns 1.0
Trupti Shiralkar, CISSP
 
Security Incident machnism Security Incident machnismSecurity Incident machni...
Security Incident machnism Security Incident machnismSecurity Incident machni...Security Incident machnism Security Incident machnismSecurity Incident machni...
Security Incident machnism Security Incident machnismSecurity Incident machni...
karthikvcyber
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
Lalit Kale
 

Más contenido relacionado

La actualidad más candente

us-16-Nipravsky-Certificate-Bypass-Hiding-And-Executing-Malware-From-A-Digita...
us-16-Nipravsky-Certificate-Bypass-Hiding-And-Executing-Malware-From-A-Digita...us-16-Nipravsky-Certificate-Bypass-Hiding-And-Executing-Malware-From-A-Digita...
us-16-Nipravsky-Certificate-Bypass-Hiding-And-Executing-Malware-From-A-Digita...
Tom Nipravsky
 
Software Security Engineering
Software Security EngineeringSoftware Security Engineering
Software Security Engineering
Marco Morana
 

La actualidad más candente (18)

A successful application security program - Envision build and scale
A successful application security program - Envision build and scaleA successful application security program - Envision build and scale
A successful application security program - Envision build and scale
 
Insight into SOAR
Insight into SOARInsight into SOAR
Insight into SOAR
 
Five SIEM Futures (2012)
Five SIEM Futures (2012)Five SIEM Futures (2012)
Five SIEM Futures (2012)
 
On Content-Aware SIEM by Dr. Anton Chuvakin
On Content-Aware SIEM by Dr. Anton ChuvakinOn Content-Aware SIEM by Dr. Anton Chuvakin
On Content-Aware SIEM by Dr. Anton Chuvakin
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1
 
Security Meetup Scotland - August 2017 (Deconstructing SIEM)
Security Meetup Scotland - August 2017 (Deconstructing SIEM)Security Meetup Scotland - August 2017 (Deconstructing SIEM)
Security Meetup Scotland - August 2017 (Deconstructing SIEM)
 
Tips on SIEM Ops 2015
Tips on SIEM Ops 2015Tips on SIEM Ops 2015
Tips on SIEM Ops 2015
 
5 Important Secure Coding Practices
5 Important Secure Coding Practices5 Important Secure Coding Practices
5 Important Secure Coding Practices
 
RSA 2016 Security Analytics Presentation
RSA 2016 Security Analytics PresentationRSA 2016 Security Analytics Presentation
RSA 2016 Security Analytics Presentation
 
us-16-Nipravsky-Certificate-Bypass-Hiding-And-Executing-Malware-From-A-Digita...
us-16-Nipravsky-Certificate-Bypass-Hiding-And-Executing-Malware-From-A-Digita...us-16-Nipravsky-Certificate-Bypass-Hiding-And-Executing-Malware-From-A-Digita...
us-16-Nipravsky-Certificate-Bypass-Hiding-And-Executing-Malware-From-A-Digita...
 
Need of SIEM when You have SOAR
Need of SIEM when You have SOARNeed of SIEM when You have SOAR
Need of SIEM when You have SOAR
 
Changing the Security Monitoring Status Quo
Changing the Security Monitoring Status QuoChanging the Security Monitoring Status Quo
Changing the Security Monitoring Status Quo
 
OWASP Secure Coding Practices - Quick Reference Guide
OWASP Secure Coding Practices - Quick Reference GuideOWASP Secure Coding Practices - Quick Reference Guide
OWASP Secure Coding Practices - Quick Reference Guide
 
Software security engineering
Software security engineeringSoftware security engineering
Software security engineering
 
Understanding the “Why” in Enterprise Application Security Strategy
Understanding the “Why” in Enterprise Application Security StrategyUnderstanding the “Why” in Enterprise Application Security Strategy
Understanding the “Why” in Enterprise Application Security Strategy
 
Need Of Security Operations Over SIEM
Need Of Security Operations Over SIEMNeed Of Security Operations Over SIEM
Need Of Security Operations Over SIEM
 
Software Security Engineering
Software Security EngineeringSoftware Security Engineering
Software Security Engineering
 
Making Log Data Useful: SIEM and Log Management Together
Making Log Data Useful: SIEM and Log Management TogetherMaking Log Data Useful: SIEM and Log Management Together
Making Log Data Useful: SIEM and Log Management Together
 

Similar a Security Shift Leftmost - Secure Architecture.pdf

Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)
abhimanyubhogwan
 
Agile Gurugram Conference 2020 | Keeping software secure in agile | Gurpreet ...
Agile Gurugram Conference 2020 | Keeping software secure in agile | Gurpreet ...Agile Gurugram Conference 2020 | Keeping software secure in agile | Gurpreet ...
Agile Gurugram Conference 2020 | Keeping software secure in agile | Gurpreet ...
AgileNetwork
 
Software Security Testing
Software Security TestingSoftware Security Testing
Software Security Testing
ankitmehta21
 
Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...
Michael Hidalgo
 
DEPENDABLE PRIVACY REQUIREMENTS BY AGILE MODELED LAYERED SECURITY ARCHITECTUR...
DEPENDABLE PRIVACY REQUIREMENTS BY AGILE MODELED LAYERED SECURITY ARCHITECTUR...DEPENDABLE PRIVACY REQUIREMENTS BY AGILE MODELED LAYERED SECURITY ARCHITECTUR...
DEPENDABLE PRIVACY REQUIREMENTS BY AGILE MODELED LAYERED SECURITY ARCHITECTUR...
cscpconf
 
Software Security in the Real World
Software Security in the Real WorldSoftware Security in the Real World
Software Security in the Real World
Mark Curphey
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat Modeling
Marco Morana
 

Similar a Security Shift Leftmost - Secure Architecture.pdf (20)

Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)
 
Protecting microservices using secure design patterns 1.0
Protecting microservices using secure design patterns 1.0Protecting microservices using secure design patterns 1.0
Protecting microservices using secure design patterns 1.0
 
Security Incident machnism Security Incident machnismSecurity Incident machni...
Security Incident machnism Security Incident machnismSecurity Incident machni...Security Incident machnism Security Incident machnismSecurity Incident machni...
Security Incident machnism Security Incident machnismSecurity Incident machni...
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
 
Secure Design: Threat Modeling
Secure Design: Threat ModelingSecure Design: Threat Modeling
Secure Design: Threat Modeling
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Zerotrusting serverless applications protecting microservices using secure d...
Zerotrusting serverless applications protecting microservices using secure d...Zerotrusting serverless applications protecting microservices using secure d...
Zerotrusting serverless applications protecting microservices using secure d...
 
Agile Gurugram Conference 2020 | Keeping software secure in agile | Gurpreet ...
Agile Gurugram Conference 2020 | Keeping software secure in agile | Gurpreet ...Agile Gurugram Conference 2020 | Keeping software secure in agile | Gurpreet ...
Agile Gurugram Conference 2020 | Keeping software secure in agile | Gurpreet ...
 
Foxtrot Division Capabilities Collection
Foxtrot Division Capabilities Collection Foxtrot Division Capabilities Collection
Foxtrot Division Capabilities Collection
 
Information Security and the SDLC
Information Security and the SDLCInformation Security and the SDLC
Information Security and the SDLC
 
Software Security Initiatives
Software Security InitiativesSoftware Security Initiatives
Software Security Initiatives
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Software Security Testing
Software Security TestingSoftware Security Testing
Software Security Testing
 
Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...
 
DEPENDABLE PRIVACY REQUIREMENTS BY AGILE MODELED LAYERED SECURITY ARCHITECTUR...
DEPENDABLE PRIVACY REQUIREMENTS BY AGILE MODELED LAYERED SECURITY ARCHITECTUR...DEPENDABLE PRIVACY REQUIREMENTS BY AGILE MODELED LAYERED SECURITY ARCHITECTUR...
DEPENDABLE PRIVACY REQUIREMENTS BY AGILE MODELED LAYERED SECURITY ARCHITECTUR...
 
MS. Cybersecurity Reference Architecture
MS. Cybersecurity Reference ArchitectureMS. Cybersecurity Reference Architecture
MS. Cybersecurity Reference Architecture
 
Software Security in the Real World
Software Security in the Real WorldSoftware Security in the Real World
Software Security in the Real World
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat Modeling
 

Más de Narudom Roongsiriwong, CISSP

Biometric Authentication.pdf
Biometric Authentication.pdfBiometric Authentication.pdf
Biometric Authentication.pdf
Narudom Roongsiriwong, CISSP
 
Application Security: Last Line of Defense
Application Security: Last Line of DefenseApplication Security: Last Line of Defense
Application Security: Last Line of Defense
Narudom Roongsiriwong, CISSP
 

Más de Narudom Roongsiriwong, CISSP (20)

Biometric Authentication.pdf
Biometric Authentication.pdfBiometric Authentication.pdf
Biometric Authentication.pdf
 
Security Patterns for Software Development
Security Patterns for Software DevelopmentSecurity Patterns for Software Development
Security Patterns for Software Development
 
How Good Security Architecture Saves Corporate Workers from COVID-19
How Good Security Architecture Saves Corporate Workers from COVID-19How Good Security Architecture Saves Corporate Workers from COVID-19
How Good Security Architecture Saves Corporate Workers from COVID-19
 
Secure Software Design for Data Privacy
Secure Software Design for Data PrivacySecure Software Design for Data Privacy
Secure Software Design for Data Privacy
 
Blockchain and Cryptocurrency for Dummies
Blockchain and Cryptocurrency for DummiesBlockchain and Cryptocurrency for Dummies
Blockchain and Cryptocurrency for Dummies
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101
 
National Digital ID Platform Technical Forum
National Digital ID Platform Technical ForumNational Digital ID Platform Technical Forum
National Digital ID Platform Technical Forum
 
IoT Security
IoT SecurityIoT Security
IoT Security
 
Embedded System Security: Learning from Banking and Payment Industry
Embedded System Security: Learning from Banking and Payment IndustryEmbedded System Security: Learning from Banking and Payment Industry
Embedded System Security: Learning from Banking and Payment Industry
 
Secure Your Encryption with HSM
Secure Your Encryption with HSMSecure Your Encryption with HSM
Secure Your Encryption with HSM
 
Application Security Verification Standard Project
Application Security Verification Standard ProjectApplication Security Verification Standard Project
Application Security Verification Standard Project
 
Coding Security: Code Mania 101
Coding Security: Code Mania 101Coding Security: Code Mania 101
Coding Security: Code Mania 101
 
Top 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security ProblemsTop 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security Problems
 
OWASP Top 10 Proactive Control 2016 (C5-C10)
OWASP Top 10 Proactive Control 2016 (C5-C10)OWASP Top 10 Proactive Control 2016 (C5-C10)
OWASP Top 10 Proactive Control 2016 (C5-C10)
 
Securing the Internet from Cyber Criminals
Securing the Internet from Cyber CriminalsSecuring the Internet from Cyber Criminals
Securing the Internet from Cyber Criminals
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
 
Secure Software Development Adoption Strategy
Secure Software Development Adoption StrategySecure Software Development Adoption Strategy
Secure Software Development Adoption Strategy
 
Secure PHP Coding
Secure PHP CodingSecure PHP Coding
Secure PHP Coding
 
Application Security: Last Line of Defense
Application Security: Last Line of DefenseApplication Security: Last Line of Defense
Application Security: Last Line of Defense
 
AnyID and Privacy
AnyID and PrivacyAnyID and Privacy
AnyID and Privacy
 

Último

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 

Último (20)

ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 

Security Shift Leftmost - Secure Architecture.pdf

  • 1. Secure Architecture Secure Architecture Narudom Roongsiriwong, CISSP, CCSK Narudom Roongsiriwong, CISSP, CCSK March 20, 2022 March 20, 2022 SHIFT SHIFT SECURITY
  • 2. SVP, Head of Digital Architecture Co-Chair, Hybrid Cloud Security Working Group APAC Research Advisory Council Member Consultant, Thailand Chapter Narudom Roongsiriwong Narudom Roongsiriwong
  • 3. What Is “Shift Left” on Security? “By better integrating information security (InfoSec) objectives into daily work, teams can achieve higher levels of software delivery performance and build more secure systems. This idea is also known as shifting left, because concerns, including security concerns, are addressed earlier in the software development lifecycle (that is, left in a left-to-right schedule diagram).” Cloud Architecture Center → DevOps → Guides DevOps tech: Shifting left on security https://cloud.google.com/architecture/devops/devops-tech-shifting-left-on-security
  • 4.
  • 6. Benefits of Shifting Left Shifting Left Faster Delivery Improved Security Posture Reduced Costs Improved Security Integration Greater Business Success =
  • 7. Security Activities in Software Development 1 2 3 4 5 Requirement Design Implementation Verification Release ● Incident Response Plan ● Final Security Review ● Dynamic/Fuzz Testing ● Attack Surface Review ● Use Approved Tools ● Deprecate Unsafe Functions ● Static Analysis ● Attack Surface Analysis ● Threat Modeling ● Establish Security Requirement ● Create Quality Gate ● Risk Assessment
  • 8. Security Activities in Software Development 1 2 3 4 5 Requirement Design Implementation Verification Release ● Incident Response Plan ● Final Security Review ● Dynamic/Fuzz Testing ● Attack Surface Review ● Use Approved Tools ● Deprecate Unsafe Functions ● Static Analysis ● Attack Surface Analysis ● Threat Modeling ● Establish Security Requirement ● Create Quality Gate ● Risk Assessment
  • 9. What is the Leftmost? 1 2 3 4 5 Release ● Incident Response Plan ● Final Security Review Verification ● Dynamic/Fuzz Testing ● Attack Surface Review Implementation ● Use Approved Tools ● Deprecate Unsafe Functions ● Static Analysis Design ● Attack Surface Analysis ● Threat Modeling Requirement ● Establish Security Requirement ● Create Quality Gate ● Risk Assessment
  • 10. What is the Leftmost? 0 Architect
  • 12. Architecting: Enterprise Application Infrastructure ● Identity and access management – Internal users – Customers ● Cryptographic and key management ● Data sharing platform ● Security requirement ● Security quality gate guideline ● Security patterns (design & integration patterns) ● Threat and vulnerability catalog
  • 13. Identity and Access Management IAM & CIAM
  • 14. Identity and Access Management IAM & CIAM
  • 15. Identity and Access Management Federated Identity Management: Back Channel Assertion ● The subscriber is given an assertion reference to present to the RP, generally through the front channel. ● The assertion reference itself contains no information about the subscriber and SHALL be resistant to tampering and fabrication by an attacker.
  • 16. Cryptographic and Key Management ● How can we encourage developers adopt Hardware Security Module (HSM) and key management process? ● How can we ensure that developers properly implement only approved cryptography algorithm? ● How can we help applications rotate keys properly and correctly? ● If we need stronger encryption algorithm or longer key length in the future, how can we migrate the encrypted data without application modification?
  • 17. Real World Cryptography Implementation ● Cryptographic algorithms and parameters – Symmetric: 3DES, AES / Asymmetric: RSA, ECC – Key size – Initialization Vector (IV) / Starting Variable (SV) / Nonce – Mode: ECB, CBC, CFB, etc. – Padding ● Key controls and key management ● Key change/exchange procedures ● Cryptographic toolkits ● Random number/seed generators
  • 18. Key Management Framework Generation Exchange Storage Rotation Archiving Destruction Key Usage
  • 19. ● SANS CWE Top 25 ● OWASP Top 10 – 2021 ● OWASP Mobile Top 10 ● OWASP Application Security Verification Standard (ASVS) Threat and Vulnerability Catalog
  • 20. Architecting: Project Specific ● Architecture Risk Assessment – Architecture security review – Attack surface analysis – Threat modeling ● Security Architecture and Design – Security solutions in response to business and compliance requirements – Mitigation and controls in response to risk assessment ● Security Implementation ● Security Operations and Monitoring Integration
  • 21. Attack Surface System’s Surface (e.g., API) Attacks Intuition Reduce the ways attackers can penetrate surface Increase system’s security A software or application’s attack surface is the measure of its exposure of being exploited by a threat agent, i.e., weaknesses in its entry and exit points that a malicious attacker can exploit to his or her advantage.
  • 22. Attack Surface Analysis ● Attack Surface Analysis helps you to: – Identify what functions and what parts of the system you need to review/test for security vulnerabilities – Identify high risk areas of code that require defense-in-depth protection - what parts of the system that you need to defend – Identify when you have changed the attack surface and need to do some kind of threat assessment ● Goal attack surface analysis is to reduce the attack surface by: – Lower privilege – Turn features off – Defense in depth
  • 23. What Is Threat Modeling? Threat modeling is an approach for analyzing the security system. It is a structured approach that enables you to identify, quantify, and address the security risks associated with a system.
  • 24. Threat Model Typically Includes ● Description of the subject to be modeled ● Assumptions that can be checked or challenged in the future as the threat landscape changes ● Potential threats to the system ● Actions that can be taken to mitigate each threat ● A way of validating the model and threats, and verification of success of actions taken
  • 25. Threat Modeling: Four Question Framework What are we working on? What can go wrong? What are we going to do about it? Did we do a good job?