Agenda
Course Introduction Secure Software Development Lifecycle Common Vulnerabilities And Mistakes Conclusion And Appendices
Security concerns:
* The Insider
* The Outsider
* The Technology
* Nature
* The defender works with time and cost constraints
* Overly or improperly secured systems can be more difficult to use
* Complex and strong passwords can be difficult to remember
* Users prefer simple passwords
Do I need security?
* Many developers and managers think that security adds no value and is negative to the user's experience
* Addressing vulnerabilities just before or after a product is released is very expensive
Security As an Afterthought
Agenda
Course Introduction Secure Software Development Lifecycle Common Vulnerabilities And Mistakes Conclusion And Appendices
Requirements Phase
Application Program Manager must take the initiative and document the following (in concert with the client):
* What the application MUST be able to do
* What kind of data the application is to hold/process (e.g. SSNs and health information)
* The security requirements to be followed
* Any legal requirements the application MUST follow
Architecture Phase
Application Program Managers must take the initiative and document the following (in concert with the client):
* The operating system(s) upon which the application is to operate
* Operating system constraints
* Memory constraints
* Processing power constraints
* The network environment
* Any other operational/architectural constraints and requirements
Design Phase
During the design phase, the Design Team should document the following:
* The language(s) to be used
* Coding standards and guidelines
* The third-party modules and libraries to be used
* How to secure data
* Data types, naming schemas, etc.
These should detail HOW to accomplish the requirements without exceeding the constraints, and should be carefully examined.
Implementation Phase
The Development Team should ensure that the code:
* Follows the coding standards and guidelines
* Follows the design documentation
* Does not allow a violation of the Byzantine Generals Problem
* Is well-written and methodically written, and adheres to all requirements, protocols, standards and best practices that are applicable for the system
* Is SAFE and SECURE
Test Phase
The Test Team should ensure that the system:
* Never enters an unstable or unknown state
* Is free from input validation, logic, and other flaws
* Provides the appropriate levels of assurance for confidentiality, integrity, and availability
* Maintains adequate code coverage statistics
* Adheres to the requirements set forth in the previous phases
Deployment Phase
The Release Manager and Application Administrator should ensure that:
* The source code and binaries are fully protected
* The software is distributed with appropriate security guidance
* The software is installed in accordance with all appropriate security guidance
* The software is operated in a secure manner
Agenda
Course Introduction Secure Software Development Lifecycle Common Vulnerabilities And Mistakes Conclusion And Appendices
Common Vulnerabilities
* Often Cited As Two Major Areas:
  * Design
  * Implementation
* Other Areas:
Design Flaws
Design flaws often require significant redesign and redevelopment to resolve.
Example Design Flaws
* Weak encryption, or using encoding instead of encryption
  * Requires choosing a new encryption algorithm and can require a slew of changes, especially in a client/server model
Implementation Flaws
Implementation flaws may be hard to track down in large projects and may require substantial modifications to the source code.
Example Implementation Flaws
* Poor adherence to multi-threading or multiprocessing development principles
  * May be extremely difficult to reproduce, track down, and then eliminate
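The following is an added example (not from the slides) of the multi-threading flaw described above: a check-then-act sequence on shared state. The scenario is constructed (request handlers competing for the last remaining licence); a Barrier forces every thread to finish its check before any acts, so the race that is normally hard to reproduce shows up deterministically, and the locked version shows the fix.

```python
import threading

# Constructed scenario: several handlers race to consume the last remaining
# licence. Each does "check, then act" on a shared counter.


def run_unsafe(workers: int, remaining: int = 1) -> int:
    """Check-then-act with no lock. The Barrier widens the race window on
    purpose so that every thread passes the check before any decrements."""
    state = {"remaining": remaining}
    barrier = threading.Barrier(workers)

    def handler() -> None:
        if state["remaining"] > 0:        # check
            barrier.wait()                # all threads have now passed the check
            state["remaining"] -= 1       # act on a stale decision

    threads = [threading.Thread(target=handler) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return state["remaining"]


def run_safe(workers: int, remaining: int = 1) -> int:
    """Same logic, but check and act form one critical section."""
    state = {"remaining": remaining}
    lock = threading.Lock()

    def handler() -> None:
        with lock:                        # check and act cannot interleave
            if state["remaining"] > 0:
                state["remaining"] -= 1

    threads = [threading.Thread(target=handler) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return state["remaining"]


if __name__ == "__main__":
    print("unsafe:", run_unsafe(5))   # -4: five handlers consumed one licence
    print("safe:  ", run_safe(5))     # 0: exactly one handler succeeded
```

Without the Barrier the unsafe version usually returns 0 and only occasionally goes negative, which is why such flaws survive testing and are hard to reproduce in production.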
Architecture Flaws
Architecture flaws normally don't become obvious until testing, or until the system has been deployed, so they can become both embarrassing and impossible to get past.
Example Architecture Flaws
* Poor understanding of the requirements
  * If not caught soon enough, the system may not recover
Requirements Flaws
Requirements flaws, like architecture flaws, occur at the beginning of the cycle and so impact the most phases in the cycle; if not caught early, they can be expensive to fix.
Example Requirements Flaws
* Neglecting to spell out client requirements
  * If the client's requirements aren't well known, the system cannot be properly constructed
Deployment Flaws
Deployment flaws may be the result of poor requirements or architecture, or of design or implementation flaws, but they often require knowledge of the system to detect and remediate.
Example Deployment Flaws
* Poor adherence to secure installation and operation guidance
  * If no guidance is available, it must be created; otherwise the flaw may be easy to fix, unless the insecure installation is required because of a bug in the software
Testing Flaws
Testing flaws allow immature code to be put into production environments, putting the production environment at risk.
Example Testing Flaws
* Failure to follow the requirements and to test for adherence to the requirements
  * The tests may not be valid, or may miss key bugs and requirements that were not adhered to
Session Summary
Course Introduction Secure Software Development Lifecycle Common Vulnerabilities And Mistakes Conclusion And Appendices