Secure Software Development Lifecycle
Daniel Kefer, Information Security, 1&1 Internet AG

Upload: 11-internet-ag
Posted on 16-Jul-2015

TRANSCRIPT

Page 1: Secure Software Development Lifecycle

Daniel Kefer, Information Security, 1&1 Internet AG

Secure Software Development Lifecycle

Page 2: Secure Software Development Lifecycle

Agenda

Who Am I, Who Is 1&1

Motivation For Secure SDLC

What the World Does

What 1&1 Does

Future Plans

1&1 Internet AG, 26.01.2015


Page 4: Secure Software Development Lifecycle

Who Am I


Daniel Kefer

Originally from the Czech Republic

Working in IT-Security since 2005

Security in development since 2008

2011 moved to Germany to work for 1&1

Focus on application security

Page 5: Secure Software Development Lifecycle

1&1 – Member of United Internet AG

(Group structure chart, as of 27 March 2014. Entries recoverable from the chart:)

Wholly owned (100 %): 1&1 Internet AG, 1&1 Telecommunication AG, United Internet Ventures AG, SEDO Holding GmbH

Minority stakes: Goldbach 14.96 %, Hi-media 10.50 %, fun 49 %, Virtual Minds 48.65 %, ProfitBricks 30.02 %, Open-Xchange 28.36 %, ePages 25.10 %, Uberall 25 %, Rocket Internet 8.18 %

Page 6: Secure Software Development Lifecycle

Locations


Page 7: Secure Software Development Lifecycle

1&1: Internet services of United Internet AG (figures as of 19 November 2013)

Motivated team
Around 7,800 employees, thereof approx. 2,000 in product management, development and data centers

Sales strength
Approx. 3 million new customer contracts p.a.
50,000 registrations for free services on a daily basis

Operational excellence
46 million accounts in 11 countries
7 data centers
70,000 servers in Europe and USA

(Diagram of the service stack: Access, Applications, Networks, User equipment, Content, Standard software)

Page 8: Secure Software Development Lifecycle

Agenda (section divider; next section: Motivation For Secure SDLC)

Page 9: Secure Software Development Lifecycle

Three Common Approaches to Develop Applications (Security View)


Intuitive approach

Reactive approach

Proactive approach

Page 10: Secure Software Development Lifecycle

Intuitive Approach


Pure best-effort approach

Relying on individual knowledge and experience of the team members

No security gates during the development

Typically leads to a higher occurrence of security incidents and negative PR

Page 11: Secure Software Development Lifecycle

Reactive Approach


Typically one security gate before the application rollout

Penetration test

Code review

Infrastructure configuration audit

A big step forward from the security point of view, but...

How effective is it to say "you've done it wrong" when the development is already finished?

Typically increases project costs and duration

Security bugs: mistakes in the source code, "quite easy" to fix

Security flaws: mistakes in the application design, very expensive to fix

The world gets more agile all the time... at what point should you test?

You don't usually find everything during a security audit!

Page 12: Secure Software Development Lifecycle

Proactive Approach (Secure SDLC)


You try to prevent security bugs before they are created

Cost of a bug during the development lifecycle:

Page 13: Secure Software Development Lifecycle

Agenda (section divider; next section: What the World Does)

Page 14: Secure Software Development Lifecycle

What the World Does


Overall Concepts

Process models: What should I do at which point?

Maturity models: Do I do enough for security in development?

Supportive Methodologies and Tooling

How do I perform architecture review?

Penetration testing tools

Checklists, cheat sheets

Development guides, testing guides

Page 15: Secure Software Development Lifecycle

Process Models - Example


Microsoft SDL

Development divided into 7 phases

Within every phase you should perform a couple of security-related activities

Page 16: Secure Software Development Lifecycle

2004: Microsoft SDL 1.0 launch

2005: Microsoft published the first results achieved using their SDL methodology

Page 17: Secure Software Development Lifecycle

Maturity Models - Example


Building Security In Maturity Model (BSIMM, www.bsimm.com)

Project that regularly compares companies from different verticals and measures their software security activities against a catalogue of 112 activities

2013 (5th version) results – out of 67 firms:

44 have internal secure SDLC officially published

57 track results reached at previously defined security gates

36 require the owner's security sign-off before deployment

31 enforce security gates (project not continuing until security requirements are met)

Page 18: Secure Software Development Lifecycle

Supportive Methodologies and Tooling


OWASP (Open Web Application Security Project) – www.owasp.org

The biggest resource on application security today

Everything is open source

Everybody can start his or her own security project

Examples:

OWASP Top Ten: The most widespread application vulnerabilities

OWASP Testing Guide: Methodology for penetration testing of applications

OWASP ASVS: Application Security Verification Standard

OWASP ESAPI: Security library for Java, .NET, PHP...

OWASP Zed Attack Proxy: Testing tool

Page 19: Secure Software Development Lifecycle

Agenda (section divider; next section: What 1&1 Does)

Page 20: Secure Software Development Lifecycle

Main Goals


We spend the security budget according to the real risk

Project teams shall have a trusted contact person guiding them through security challenges

We actively and steadily learn from our mistakes, and also give others the opportunity to learn from them

KISS (Keep it simple, stupid)! Build on the currently lived processes and tools as much as possible

Page 21: Secure Software Development Lifecycle

System Classification – 3 Security Levels


Low:

Systems not likely to be a target of professional attackers

Mainly reputation risk in case vulnerabilities are found

Requirements should target mainly code quality and be aimed at quick wins

Medium:

Possible abuse of client personal data (incidents have to be reported to the authorities)

We should have solid confidence that security has been addressed and assessed consistently and reasonably

High:

Systems essential for 1&1's business and those with high compliance requirements

These systems should be ready to withstand sophisticated attacks as well

Strongest focus on architectural and functional security

Page 22: Secure Software Development Lifecycle

SDLC Requirements

Two types of requirements:

Lifecycle: Activities to be done during the lifecycle (e.g. penetration test)

Technical: Properties of the target system (e.g. login brute-force protection)

The concept:

Each higher category inherits the requirements of the lower one and adds new ones

Total counts of requirements:

Level     Lifecycle req.   Technical req.
Low              6               42
Medium          12               72
High            16               84

Page 23: Secure Software Development Lifecycle

Lifecycle Requirements (vs. The 1&1 Project Lifecycle)

(Diagram mapping the Secure SDLC activities onto the 1&1 project lifecycle for the Low, Medium and High classification levels. Activities shown: Classification, Security guide, Security trainings, Select requirements, Automated scan, Yellow Pages record, Security workshop, Doc. review, 3rd party code, Penetration test, Vulnerability management, Lessons learned, Threat model, Tailor requirements, Code review, Configuration review.)

Page 24: Secure Software Development Lifecycle

Technical Requirements - Categories


Based on the OWASP Application Security Verification Standard

Authentication
Session Management
Access Control
Input Validation
Output Encoding
Cryptography
Error Handling and Logging
Data Protection
Communication Security

Page 25: Secure Software Development Lifecycle

Technical Requirements – Example (Brute-Force Protection)

ID: AU-07
Criticality: Low
Category: Authentication
Technology: Web Applications, Web Services
Description: Brute force protection is provided after a system-configurable number of invalid login attempts occur against an account within a configurable period of time.
Specification / Best Practice: More information on best practice: https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks
Reasoning: Preventing successful brute force attacks on user credentials.
Functional: Yes
Responsible: Requirement Engineer
Deadline: T2 (end of the design phase)
QA Responsible: Test Manager
QA Activity: Black box
QA Scenario: https://www.owasp.org/index.php/Testing_for_Brute_Force_(OWASP-AT-004)
QA Deadline: T3 (before rollout)
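Requirement AU-07 states the property but leaves the implementation open. The following is an added example, not code from the slides or from 1&1, of one way to meet it: a per-account sliding-window counter that locks the account after a configurable number of failed logins, checked before the password is verified so that a locked account gives the same answer for a right and a wrong password. The class and function names, the PBKDF2 password store and the sample login sequence are assumptions constructed for illustration.

```python
"""Added example for requirement AU-07 (not from the slides or from 1&1):
per-account brute-force protection with a configurable failure threshold,
sliding time window and lockout duration. Names, parameters and sample
data are assumptions for illustration only."""
from collections import defaultdict, deque
import hashlib
import hmac
import os


class LoginThrottle:
    """Counts failed logins per account inside a sliding window and locks the
    account for lockout_seconds once max_failures is reached."""

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self._failures = defaultdict(deque)  # account -> timestamps of recent failures
        self._locked_until = {}              # account -> time the lock expires

    def is_locked(self, account, now):
        """True while the account is locked; an expired lock is cleared on the way."""
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account, now):
        """Register a failed attempt and lock the account if the threshold is hit."""
        recent = self._failures[account]
        recent.append(now)
        while recent and now - recent[0] > self.window_seconds:  # forget old failures
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout_seconds

    def record_success(self, account):
        """A successful login resets the failure counter."""
        self._failures.pop(account, None)


def make_record(password, iterations=100_000):
    """Constructed password store entry: salted PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_password(record, password):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])  # constant-time comparison


def authenticate(users, throttle, account, password, now):
    """Returns 'ok', 'invalid' or 'locked'. The lock is checked first, so a locked
    account answers identically whether or not the submitted password is right."""
    if throttle.is_locked(account, now):
        return "locked"
    record = users.get(account)
    if record is not None and verify_password(record, password):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account, now)  # unknown accounts are counted too
    return "invalid"


def run_demo():
    """Constructed sequence: three wrong passwords within the window trigger the
    lock, the correct password is then refused, and it works again after expiry."""
    users = {"alice": make_record("correct horse battery staple")}
    throttle = LoginThrottle(max_failures=3, window_seconds=60, lockout_seconds=600)
    attempts = [  # (seconds since start, account, submitted password)
        (0, "alice", "password1"),
        (1, "alice", "password2"),
        (2, "alice", "password3"),
        (3, "alice", "correct horse battery staple"),
        (700, "alice", "correct horse battery staple"),
    ]
    return [authenticate(users, throttle, acct, pw, t) for t, acct, pw in attempts]


if __name__ == "__main__":
    print(run_demo())  # ['invalid', 'invalid', 'invalid', 'locked', 'ok']
```

The black-box check named in the QA scenario is this same sequence run against the real login form: repeated wrong passwords must end in a lockout response, and the correct password must not be accepted while the lock is active. One caveat the linked OWASP page discusses: a per-account lockout lets an attacker lock legitimate users out on purpose, so in practice it is combined with per-source throttling or a CAPTCHA rather than used alone.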

Page 26: Secure Software Development Lifecycle

Requirement States


Relevant: Yes/No

Does it make sense to implement the particular requirement?

In Scope:

Yes: The development team has to (or must not) do something

3rd party: The application relies on another service (e.g. an authentication service)

Refused: It was decided not to implement the requirement

No: The requirement is not relevant

Page 27: Secure Software Development Lifecycle

Agenda (section divider; next section: Future Plans)

Page 28: Secure Software Development Lifecycle

Future Plans


Continue increasing the coverage of SDLC-guided projects

Train and establish a satellite of Security Guides

Continuous enhancement of the methodology

Agile methodologies, continuous integration/continuous delivery

Lessons learned from projects

Creation of an SDLC Tool

Department-specific project management methodologies

Different technologies

Transparency of common security measures

Page 29: Secure Software Development Lifecycle

Thank You For Your Attention!


[email protected]