1
04/11/23
Building Security Into Your SDLC Methodology
Integral Business Solutions
11/16/2006
Discussion Terms
• Methodology
• Software Development Lifecycle (SDLC)
• Secure Software Development Lifecycle (SSDLC)
• Agile Practices
• Integral Secure Agile Methodology (ISAM)
• Risk Management
• IT Frameworks
• Application Frameworks
• Tools
• What we learned
Is there a need?
• Applications need to match the maturity of infrastructure components
• “Bolting on security” after development is more complex and expensive than “baking it in” during the life cycle.
• “Development Process should be held accountable for application security shortcomings”
– Howard Schmidt
Field of Reference
• Application Development
• Application Integration
• Certification and Accreditation
SDLC
• Wikipedia:
– A framework for developing software successfully
• Have traditionally followed a set pattern
– Define->Design->Develop
• Evolved with methodologies over time
SDLC History
Waterfall Methodologies
• Very structured – one phase ends, another begins
• Deliverables are extremely detailed
• Hand-offs occur between teams with specific and disparate skills
– Traditional Analysts (only), Developers, QA
• Accepted approach for developing host-based applications
– Complex systems
– Inflexible languages and tools
– Largely static application logic
• Procedural systems
Spiral (Iterative) Methodologies
• Cyclical and adaptive
– One phase leads to another, but there are continuous feedback loops
• Continuous change and improvement is assumed
– Documentation is key
• Matrix-based teams – mix of skills and roles
• Emerged with the advent of 4th Generation Languages
• Object-Oriented Analysis and Design
– Client-Server and web-based systems
Agile Methodologies
• Lightweight approach – shifts the focus from the process to interaction – tenets include:
– Quick delivery of software (versus extended planning)
– Massive collaboration (versus contract formulation)
– Responsive change management (versus structured procedures)
– Individual interaction (versus tools automation)
• Examples include:
– Extreme Programming (XP)
– Feature-Driven Development
Secure SDLC
• SSDLC:
– Software development lifecycle process based on application security principles
adhering to a recognized standard and information privacy
– Focus on Risk, Compliance and C & A
– Includes activities designed to ensure compliance to the standard
– Requires security-related steps in application development procedures
– Integrated automated testing framework
• Automated unit test
• Regression test
• System integration test
• Performance test
• Threat and vulnerability audit
Integral Secure Agile Methodology (ISAM) ™
The Integral Secure Agile Methodology (ISAM) ™ is a collection of practices organized in a phased approach that provides the basis for an organization to ensure regulatory compliance, information security, and adherence to policy standards.
Formation Guidelines
• Created as a formulation of our "best practices"
• Need for security and regulatory elements in application development
• “Securing” the Software Development Lifecycle (SSDLC) and related activities
• Certification and Accreditation objectives
Methodology Guidelines
• ISAM ™ adheres to the principles of the ISO 17799:2005 Information Security Management Standard developed by the International Organization for Standardization
– Means the specific controls are derived from ISO 17799
• Provides flexibility to introduce other control elements, policies and framework objectives
• Is a methodology to “Create or Modify” another methodology
– Why? A fork-lift approach to change is usually expensive and not accepted
– An incremental approach absorbs the existing business and standards objectives
ISAM Overview
Integral Secure Agile Methodology (ISAM)™ phases: Goal, Objective, Define, Design, Develop, Enhance
ISAM Phases
Integral Secure Agile Methodology (ISAM) ™ Phases
• Goal – Long-Range Plan
• Objective – Short-Range Plan
• Define – Solution Requirements
• Design – Solution Design
• Develop – Solution Development
• Enhance
ISAM Phase Detail
• Goal (Long-Range Plan): Business Strategy, Competitive Survey, Business Trends, Core Competencies, IT Strategy, Security Policy, Business Continuity Plan
• Objective (Short-Range Plan): Business Model, Stakeholders, Governance Structure, Initial Functionality, Systems Inventory, Analysis Approach, Organization Readiness Assessment, Asset Inventory
• Define (Solution Requirements): Prioritized Feature List, Functional Gap Analysis, Use Case Analysis, User Categorization, Storyboards, Component Diagrams, Architecture Diagrams, Activity Diagrams, Project Plan, Security Plan, Access Control Strategy
• Design (Solution Design): Physical Architecture Diagrams, Volumetrics, Logical and Physical Data Models, User Interface Design, Class Diagrams, State Diagrams, Deployment Diagrams, Interface Integration Plan, Test Plan, Deployment Plan, Logical and Physical Security Diagrams
• Develop (Solution Development): N-Tier Development, Unit Test, System Test, External Interface Test, Usability and Acceptance Test, Performance Test, Deployment
• Enhance: C&A Process, Regression Testing, Security Audit, Configuration Management, Acceptance Plan, Change Management, Program Management, Continuous Improvement, Monitoring Scheme
ISAM Goal Phase
Goal
• Business Strategy - Understand the current business direction and examine how technology can help drive it.
• Competitive Survey - Analyze the competitive forces that will impact the technology direction of the business.
• Business Trends - Recognize emerging trends that will shape the business direction and technology approach.
• Core Competencies - Assess historical and planned future business competencies relative to technology direction.
• IT Strategy - Examine the information technology direction from a business planning perspective.
• Security Policy - Specify the business approach to securing information in its systems, processes, and operating procedures.
• Information Continuity Plan - Establish a plan to ensure business operations in the event of a disruption to information systems.
Mapped ISO 17799 controls:
– ISO 17799 5.1.1 Security Policy / Information Security Policy / Information Security Policy Document
– ISO 17799 14.1.3 Business Continuity Management / Information Security Aspects of Business Continuity / Developing and Implementing Continuity Plans Including Information Security
– ISO 17799 15.1.4 Compliance / Compliance with Legal Requirements / Data Protection and Privacy of Personal Information
ISAM Objective Phase
Objective
• Business Model - Analyze the suggested technology approach relative to operational business needs.
• Stakeholders - Determine constituents in areas affected by technology direction.
• Governance Structure - Establish the responsibility structure for technology decisions.
• Initial Functionality - Compile a listing of core functionality for technology implementation.
• Systems Inventory - Categorize existing technology platforms and solutions.
• Analysis Approach - Define a high-level plan to derive technology solution requirements.
• Organization Readiness Assessment - Outline potential pitfalls for solution development and implementation.
• Asset Inventory - Identify information assets and categorize each according to regulatory impact, business criticality, and sensitivity.
Mapped ISO 17799 controls:
– ISO 17799 6.1.1 Organization of Information Security / Internal Organization / Management Commitment to Information Security
– ISO 17799 6.1.2 Organization of Information Security / Internal Organization / Information Security Coordination
– ISO 17799 6.1.3 Organization of Information Security / Internal Organization / Allocation of Information Security Responsibilities
– ISO 17799 7.1.1 Asset Management / Responsibility for Assets / Inventory of Assets
– ISO 17799 7.2.1 Asset Management / Information Classification / Classification Guidelines
ISAM Define Phase
Define
• Prioritized Feature List - Examine the desired features of the solution, categorized by low-medium-high risk, capability, difficulty, and implementation order.
• Feature Gap Analysis - Detail the capability gaps in the initial functionality of the solution.
• Use Case Analysis - Describe the functional uses of the information system.
• User Categorization - Classify the makeup and structure of groups of individuals who will interact with the system.
• Story Boards - Detail scenarios for user interaction with the system.
• Component Diagrams - Describe the high-level application components of the solution.
• Architecture Diagrams - Describe the infrastructure, interface and application component environments and interactions.
• Activity Diagrams - Describe the processing sequence of functional solution components.
• Project Plans - Outline the sequential allocation of resources to produce solution features in a given timeline.
• Security Plan - Specify control procedures for secure operation of the solution from deployment through continued operation.
• Access Control Strategy - Describe the approach to controlling access to the system.
Mapped ISO 17799 controls:
– ISO 17799 11.1.1 Access Control / Business Requirement for Access Control / Access Control Policy
– ISO 17799 12.1.1 Systems Acquisition, Development and Maintenance / Security Requirements of Information Systems / Security Requirements and Specification
– ISO 17799 12.x.x Systems Acquisition, Development and Maintenance
ISAM Design Phase
Design
• Physical Architecture Diagrams - Lay out software solutions, hardware, and network topology.
• Volumetrics - Examine volume levels for user interaction with the solution.
• Logical and Physical Data Models - Describe data requirements in abstract and concrete form.
• User Interface Design - Develop prototypes of user interfaces to the system.
• Class Diagrams - Derive component software classes from solution definition artifacts.
• State Diagrams - Detail the system component runtime states and transitions.
• Deployment Diagrams - Outline the deployment strategy for solution components.
• Interface Integration Plan - Detail the solution's interactions with external systems.
• Test Plan - Establish procedures to validate system components through development and deployment.
• Deployment Plan - Establish procedures to ensure the integrity of deployed system components.
• Logical and Physical Security Diagrams - Outline the security plan for protecting system components and information.
Mapped ISO 17799 controls:
– ISO 17799 6.2.1 Organization of Information Security / External Parties / Identification of Risks Related to External Parties
– ISO 17799 10.3.1 Communications and Operations Management / System Planning and Acceptance / Capacity Management
– ISO 17799 10.3.2 Communications and Operations Management / System Planning and Acceptance / System Acceptance
– ISO 17799 10.6.1 Communications and Operations Management / Network Security Management / Network Controls
– ISO 17799 10.8.x Communications and Operations Management / Exchange of Information (Information Exchange Policies and Procedures; Physical Media in Transit; Electronic Messaging; Business Information Systems)
– ISO 17799 12.1.1 Systems Acquisition, Development and Maintenance / Security Requirements of Information Systems / Security Requirements and Specification
ISAM Develop Phase
Develop
• N-Tier Development - Develop application components partitioned across appropriate infrastructure tiers.
• Unit Test - Perform iterative application component testing.
• System Test - Perform integrated application component tests.
• External Interface Test - Test application interaction with external entities.
• Usability and Acceptance Test - Evaluate application interface components and indicate acceptance by users.
• Performance Test - Simulate application load to validate volumetrics.
• Deployment - Implement the completed solution in its production infrastructure environment.
Mapped ISO 17799 controls:
– ISO 17799 10.3.1 Communications and Operations Management / System Planning and Acceptance / Capacity Management
– ISO 17799 10.3.2 Communications and Operations Management / System Planning and Acceptance / System Acceptance
– ISO 17799 10.8.1 Communications and Operations Management / Exchange of Information / Information Exchange Policies and Procedures
– ISO 17799 12.2.x Systems Acquisition, Development and Maintenance / Correct Processing in Applications (Input Data Validation; Control of Internal Processing; Message Integrity; Output Data Validation)
– ISO 17799 12.3.x Systems Acquisition, Development and Maintenance / Cryptographic Controls (Policy on the Use of Cryptographic Controls; Key Management)
– ISO 17799 12.4.x Systems Acquisition, Development and Maintenance / Security of System Files (Control of Operational Software; Protection of System Test Data; Access Control to Program Source Control)
– ISO 17799 12.6.1 Systems Acquisition, Development and Maintenance / Technical Vulnerability Management / Control of Technical Vulnerabilities
ISAM Enhance Phase
Enhance
• Security Audit - Check system components for compliance with security standards.
• Regression Testing - Test existing functionality when changes are made to the solution.
• Configuration Management - Maintain release integrity with secure and controlled environments.
• Acceptance Plan - Outline criteria and define procedures for user acceptance of system changes.
• Change Management - Manage changes through control procedures.
• Continuous Improvement - Maintain a feedback loop through the system lifecycle.
• Monitoring Scheme - Proactively manage the solution through process, event, threat, and log monitoring.
Mapped ISO 17799 controls:
– ISO 17799 6.1.8 Organization of Information Security / Internal Organization / Independent Review of Information Security
– ISO 17799 10.1.x Communications and Operations Management / Operational Procedures and Responsibilities (Documented Operating Procedures; Change Management; Segregation of Duties; Separation of Development, Test, and Operational Facilities)
– ISO 17799 10.1.2 Communications and Operations Management / Operational Procedures and Responsibilities / Change Management
– ISO 17799 10.3.2 Communications and Operations Management / System Planning and Acceptance / System Acceptance
– ISO 17799 10.4.1 Communications and Operations Management / Protection Against Malicious and Mobile Code / Controls Against Malicious Code
– ISO 17799 10.6.1 Communications and Operations Management / Network Security Management / Network Controls
– ISO 17799 10.10.x Communications and Operations Management / Monitoring (Audit Logging; Monitoring System Use; Protection of Log Information; Administrator and Operator Logs; Fault Logging; Clock Synchronization)
– ISO 17799 11.x Access Control (Network Access Control; Operating System Access Control; Application and Information Access Control)
– ISO 17799 12.4.x Systems Acquisition, Development and Maintenance / Security of System Files (Control of Operational Software; Protection of System Test Data; Access Control to Program Source Control)
– ISO 17799 12.5.x Systems Acquisition, Development and Maintenance / Security in Development and Support Processes (Change Control Procedures; Technical Review of Applications After Operating System Changes; Restrictions on Changes to Software Packages)
– ISO 17799 15.2.2 Compliance / Compliance with Security Policies and Standards, and Technical Compliance / Technical Compliance Checking
– ISO 17799 15.3.1 Compliance / Information Systems Audit Considerations / Information Systems Audit Controls
NIST – Security in System Development Life Cycle.
ISAM Develop Phase – NIST Inclusion
Develop
The Develop phase activities and mapped ISO 17799 controls are those listed on the ISAM Develop Phase slide, with the following NIST publications added:
• SP 800-36 Selecting Infosec Products
• SP 800-57 Key Management
Corresponds to NIST SDLC SP 800-36 Phase 3
Observations
• Risk management during each phase is key
– Can be challenging on an uncompleted cycle
– Identification of mitigation points is tricky.
• Assistance to a C & A process can be “in-line”
• Awareness is the driving factor
• Collaboration helped awareness
• Awareness brought in discipline
• Discipline > Structure > Control
Risk Management Through IT Frameworks
The primary objective of a framework is to bring forth governance built on the following principles:
• Structure
• Process
• Communication
Frameworks like ITIL and COBIT seek to ensure that effective information security measures are taken at strategic, tactical, and operational levels.
Information security should be considered an iterative process that must be controlled, planned, implemented, evaluated, and maintained in each phase.
IT Frameworks
A typical IT framework divides the overall information security concept into:
• Policies - overall objectives an organization is attempting to achieve
• Processes - what has to happen to achieve the objectives
• Procedures - who does what and when to achieve the objectives
• Work instructions - instructions for taking specific actions
IT Frameworks (cont.)
[Cycle diagram: Initial Security Efforts and Baseline, Requirements, SLA, Reporting, Implementation, Monitoring, Analysis, OLA, Modifications]
Define information security as a complete cyclical process with continuous review and improvement.
IT Frameworks (cont.)
Frameworks improve on security by providing…
• Focus – Security is not a “cost center” any more. It is well aligned with the business requirements
• Structure – move away from “fire fighting” to a structured best practice
• Continuous review
– The security reviews and functions are not static. Reviews, audits and assessments are done in a repeatable, cyclic fashion, which ensures that changes and modifications are duly analyzed for potential threats and vulnerabilities
– Periodic audits check how well goals and guiding principles are followed
– Ensures positive motion in the Information Security Maturity model for the enterprise
IT Frameworks (cont.)
Frameworks improve on security by providing…
• Documented processes and procedures ensure compliance and auditability (HIPAA, SOX)
• Framework enforces an SSDLC environment to adhere to several control processes like
– Change Management
– Configuration Management
– Incident Management
• Measurable information security activity in each phase – ensures that the organization will not have a “rushed” approach in decision making
• Defined roles and responsibilities – auditability and traceability
• Defined communication process – e.g. reporting
Risk Management - Application Frameworks
Application frameworks enhance the overall security concept by ensuring that applications are more robust and secure in the following ways:
• Consistency – application code is written in a consistent manner that can more easily be audited and enhanced
• Repeatability – core application services are provided in a common and structured manner
• Conformance – framework modules are thoroughly tested before implementation, and continuously re-tested through the software regression test cycle
The following discussion highlights some commonly used application frameworks with security implications and potential pros and cons.
Communication and Collaboration
To be successful in developing secure software, the entire team must be aware of what is occurring within the architecture of the solution and the code base. Communication of change and traceability of change can be assisted by the introduction of tools that help automate this communication and collaboration.
Having a strong culture of collaboration and a methodology that enforces the communication is also key. Tools help facilitate and can even enforce the rules laid out, but they will not guarantee compliance. That is where audits enter in.
Awareness
Awareness was the hardest to achieve. Different levels of skill and adaptability posed challenges. Once the effort was made, progression was much easier.
• Formal training was good but hard to find
• Peer-to-peer interaction
• Automated detection and assessment tools
Tools
There are many tools available that help your team communicate, collaborate, and ensure securely developed websites and traceability of changes to your systems.
Collaboration software
– GForge – Collaboration and project management tool for tracking and communicating changes, bugs and enhancements to your source code. Has reporting and integrations with many third-party tools such as CVS, SVN, MS Project and the Eclipse IDE.
– Blogging software can be used to effectively communicate individual team members’ struggles and triumphs with project tasks. It is an effective way to gather unstructured data for later search and retrieval. Think of it as the electronic notebook for the development team.
– Wiki technologies – can be used in a similar fashion to blogging, but a wiki provides a quick and easy way to publish web-based documentation with a structure for the team to use. Wikis can be secured so that only your team can view and edit.
Tools (cont.)
Source Control Management (SCM)
– CVS – Industry standard for source code control and distributed project development.
– SVN – The next industry standard for source code control and distributed project development.
– ClearCase – Source code control from the Rational suite of products.
– Visual SourceSafe – Microsoft SCM tool.
– Tortoise – Visual tool for interfacing with CVS and SVN repositories via the Windows file explorer interface.
Tools (cont.)
IDEs
– Eclipse – industry-leading Java development platform. IBM’s IDE is developed upon the Eclipse core. Many plugins are available to help with development on PHP, .NET, C and C++ language-based projects.
– Visual Studio – industry-leading development platform for Microsoft languages. Excellent integration with the Microsoft product tool suite.
Virtualization
– VMware – A system to virtualize operating systems. Extremely helpful in server consolidation and enables organizations to create function-specific computing environments with no extra investment. Also provides flexibility in the behavior of testing, QA etc.
Tools (cont.)
Quality Assurance / Build Automation
– Ant – script-based build tool. Used to call many of the other QA/build apps. Can be used to help ensure compliance. It is essentially a cross-platform Make.
– JUnit – unit-level test. Used with Ant and Tinderbox to help provide traceability of code failures and complete regression tests.
– HttpUnit – unit-level test for web interfaces. Used with Ant and Tinderbox to help provide traceability of code failures and complete regression tests.
– Tinderbox – Tinderbox is a detective tool. It allows you to see what is happening in the source tree. It shows you who checked in what; what platforms have built successfully; what platforms are broken and exactly how they are broken (the build logs); and the state of the files that made up the build so you can figure out who broke the build, so you can do the most important thing, hold them accountable for their actions.
Tools (cont.)
Quality Assurance / Build Automation
– JMeter – Apache JMeter may be used to test performance both on static and dynamic resources (files, Servlets, Perl scripts, Java Objects, Databases and Queries, FTP Servers and more). It can be used to simulate a heavy load on a server, network or object to test its strength or to analyze overall performance under different load types. You can use it to make a graphical analysis of performance or to test your server/script/object behavior under heavy concurrent load.
– LoadRunner – A commercial counterpart to JMeter and the industry leader in the performance testing space. Obtain an accurate picture of end-to-end system performance. Verify that new or upgraded applications meet specified performance requirements. Identify and eliminate performance bottlenecks during the development lifecycle.
Tools (cont.)
Auditing tools
– Ounce Labs – Ounce Labs helps our customers manage their software risk across the enterprise and down to the line of code.
– Watchfire AppScan – the industry's first web application vulnerability scanning and reporting solution for the enterprise. Building on the market-leading AppScan technology, AppScan Enterprise provides centralized control with new advanced application scanning, remediation capabilities, executive security metrics and dashboards, key regulatory compliance reporting and seamless integration with the desktop version of AppScan.
– ARCWall – A system to provide central security policy enforcement for access control for databases. Also useful for auditing purposes to identify potential access control defects etc.
Concluding Remarks
• Conscious effort and buy-off from management and customer
– Systematic and sometimes intrusive changes
• Educating staff – awareness
• Implementing peer reviews
• Automation tools (commercial and open source)
• Focus on testing – security test cases included in functional, regression and performance testing
• Checkpoints throughout the life cycle.
• Greater reduction of risk posture
[Chart: Cost to Reduce ($0 to $45,000) plotted against Risk Rating (0 to 200)]
Lower Left = Low Risk and Low Cost – Recommend Fix
Lower Right = High Risk and Low Cost – Recommend Fix
Upper Left = Low Risk and High Cost – Recommend Evaluate
Upper Right = High Risk and High Cost – Recommend Schedule
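The Fix/Evaluate/Schedule quadrants above, worked through as an added example that is not part of the presentation: a Python triage that places constructed findings on the chart and orders each group so it can be used as a remediation list. The split points (risk 100, cost $22,500) are assumptions taken as the midpoints of the chart axes, since the slide gives no thresholds.

```python
"""Risk-versus-cost triage for remediation findings.

Encodes the four-quadrant recommendation from the 'Cost to Reduce vs Risk
Rating' chart: Fix when cost is low (whatever the risk), Evaluate when risk
is low but cost is high, Schedule when both risk and cost are high.
"""
from dataclasses import dataclass

# Assumed thresholds: the chart's axes run 0-200 (risk) and $0-$45,000
# (cost) but show no split point, so the midpoint of each axis is used.
RISK_SPLIT = 100
COST_SPLIT = 22_500


@dataclass(frozen=True)
class Finding:
    name: str
    risk_rating: int      # 0-200, as on the chart's x-axis
    cost_to_reduce: int   # US dollars, as on the chart's y-axis


def quadrant(f: Finding) -> str:
    """Return the chart quadrant a finding falls in, e.g. 'Lower Right'."""
    high_risk = f.risk_rating > RISK_SPLIT
    high_cost = f.cost_to_reduce > COST_SPLIT
    vertical = "Upper" if high_cost else "Lower"
    horizontal = "Right" if high_risk else "Left"
    return f"{vertical} {horizontal}"


def recommend(f: Finding) -> str:
    """Map a quadrant to the slide's recommendation."""
    return {
        "Lower Left": "Fix",
        "Lower Right": "Fix",
        "Upper Left": "Evaluate",
        "Upper Right": "Schedule",
    }[quadrant(f)]


def triage(findings):
    """Group findings by recommendation. Within a group the highest risk
    comes first and, on equal risk, the cheapest, so each group reads as
    a prioritised work list rather than an unordered bucket."""
    groups = {"Fix": [], "Evaluate": [], "Schedule": []}
    for f in findings:
        groups[recommend(f)].append(f)
    for items in groups.values():
        items.sort(key=lambda f: (-f.risk_rating, f.cost_to_reduce))
    return groups


# Constructed sample findings (hypothetical, not from the presentation).
SAMPLE = [
    Finding("Missing input validation on upload form", 160, 4_000),
    Finding("Verbose error pages", 40, 1_500),
    Finding("Legacy host lacks encryption at rest", 150, 38_000),
    Finding("Unused service account", 30, 30_000),
    Finding("Weak session timeout", 120, 2_000),
]

if __name__ == "__main__":
    for rec, items in triage(SAMPLE).items():
        print(rec)
        for f in items:
            print(f"  {f.name} (risk {f.risk_rating}, "
                  f"${f.cost_to_reduce:,}) -> {quadrant(f)}")
```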
• Questions?