DefconRussia, profile picture
Uploaded byDefconRussia
PPTX, PDF1,092 views

Alexey Sintsov- SDLC - try me to implement

This document discusses implementing security best practices within an agile software development lifecycle (SDLC). It recommends that security requirements and testing be integrated into each sprint or iteration. The security team would provide requirements, guides, tools, and training to development teams. They would conduct a final security review before software releases. DevOps practices could help automate security processes and configuration of cloud platforms. The overall approach is to distribute security responsibilities to development teams with support from the centralized security team.

Embed presentation

Downloaded 15 times
Alexey Sintsov @asintsov DEFCON RUSSIA DC#7812 SDLC IMPLEMENT ME OR DIE
# SDLC… -- History, introduction and blah-blah-blah skipped -- HOWTO: • Secure design • Secure code • Stable product • … QUALITY => Happy users/customers
# Stages (c) Microsoft Corp.
# But… • Agile • Agile • Agile • …. Every Sprint Bucket Once (c) Microsoft Corp.
# Agile Why SDLC? • Documentation • Testing • Tasks It’s already included! Just add ‘Security requirements/tests’. • Development through testing • Unit tests • Continues Integration • Acceptance tests
User wants to register his account through web-form with login/password Task 1 Create DB structure Task 2 Add UI form Task 3 Add API for creating account Task X … Security Requirements Security Guides Retrospective Store passwords secure (crypto. Req.) CSRF protection ClickJacking protection CAPTCHA SQLi protection Password req. … etc …  Security related tasks
Security Requirements Security Guides Retrospective User wants to register his account - investigation RISK ANLYSES User wants to register his account through web-form with login/password Task 1 Create DB structure Task 2 …. Task X Add second factor auth. mechanism Security “things” – tasks can be better than stories!
# Wow it’s so easy… Let’s do it… • Online services • API • Mobile Apps • Automotive • Many different teams • Different frameworks and languages • Different attack surfaces and threats and risks • Agile • DevOps
# Impossible ??? SDLC – not a strict “standard”, use it as pack of practices or what can be done, but HOW it can be done – it’s real state-of-art. So… • More security things goes to dev teams (responsibility) • Maximum automation • Manuals, guides and tools can be done by SecTeam • And etc: any fun can be done if it helps….
# Training • Internal events • External training sessions Impossible to cover all threats, bugs and etc, especially if you have different teams that work with different technologies • HERE Architecture and Technology camp • Typical issues, stories and best practices • HOWTO • CTF games • HERE security support: • WIKI • IRC • Personal team trainings
# Security Requirements General requirements: • Code style • SQL requests (Prepared statements) • Input/Output validation • Mobile App req. • etc • Data encryption • Algorithms • PKI and etc • Security mitigations and mechanisms • HTTPOnly, X-Frame-Options • PIE, StackCanaries, NS bit… … and etc Based on General requirements, each team produce own list of req. and then tasks!
# Guides Patterns/Guides: • Code Based on guides each team will code some general things with our security requirements. • How to do auth. with captcha • How to read/upload files (work with FileSystem) • etc • Sensitive data • How to do right logging • How to store personal data • What is personal data • DevOps • How to deploy product with secret keys/service passwords ….
# SelfCheck lists Based on requirements we can provide more detailed self-check lists to teams: • Have you done SAST? • What hash alg do you use for storing passwords? • Are you logging auth. tokens/passwords/credit card numbers? • Do you have SSL? • Do you have HTTPOnly/Secure? • Is your service scanned by security scanner? - Different check lists of Dev/DevOps, for design and architecture.
# Example of Model SecTeam Project Team 1 Project Team 2 Requirements Guides Tools produce • Requirements • Documentation • Design • Code • Security Tests • Requirements • Documentation • Design • Code • Security Tests checks “SDLC” on AGILE Final Review Exploratory testing Anything else…
# HERE Security Team • Requirements • Guides • Support for all Dev teams • Developing security tools and libs • Fuzzers • Input validation lib for common frameworks • Security Scripts, like platform audit • Providing SecService to teams and work with vendors: • WhiteHat • Retina • Veracode service • etc… • GoLive review • Incident Response
# GoLive (SDLC FinalSecurityReview) • Threat/Risk Analysis • Architecture security review • SAST • Encryption • Design, etc • Engineering security review • DAST • Configurations • Logs , etc • Privacy review • Personal data • Government requirements , etc • Business continue review
# GoLive (SDLC FinalSecurityReview) What we want • Teams understand our security requirements • Teams produce their own security requirements to their product • Teams follow our guides • Teams provides documentation, answered self-check lists Teams runs all security and can do self checks • Security knowledge stay in teams • After each GoLive review one team became more aware about security
# DevOps
# DevOps + SDLC • Deployment as part of security process • Platform and configuration as a part of final product PRODUCT OS Services Code
# HERE Platform Security as a part of SDLC With help of DevOps: Own Cloud platform with all security things • Box configured secure by default: • SSH • Apache • Iptables • Patch Management for packages • Monitoring system • WAF • etc • Latest Images • Control for security groups • MFA • Templates for all accounts • CloudTrail • Access Key rotation • Security scanning for all instances • etc + MAXIMUM AUTOMATION
# SoWhat • SDLC – not a kind of “standard” = just bunch of ideas and practices • You can’t download it and use, you need to understand your env., business requirements and implement what you want in any way it will work. • More checks and responsibilities for Dev. site. • Agile have enough places for implementing ‘security’, you do not need to change something, but it requires more knowledge from teams • SecTeam – control, hack, develop sec tools and support Devs • DevOps – can be a big help for security process!
#FIN alexey.sintsov@here.com @asintsov

More Related Content

PPTX
Cisco IOS shellcode: All-in-one
byDefconRussia
 
PPT
Georgy Nosenko - An introduction to the use SMT solvers for software security
byDefconRussia
 
PPT
Much ado about randomness. What is really a random number?
byAleksandr Yampolskiy
 
PDF
Если нашлась одна ошибка — есть и другие. Один способ выявить «наследуемые» у...
byPositive Hack Days
 
PPTX
Secure coding for developers
bysluge
 
PDF
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later
byPositive Hack Days
 
PDF
Chromium Sandbox on Linux (NDC Security 2019)
byPatricia Aas
 
PDF
nosymbols - defcon russia 20
byDefconRussia
 
Cisco IOS shellcode: All-in-one
byDefconRussia
 
Georgy Nosenko - An introduction to the use SMT solvers for software security
byDefconRussia
 
Much ado about randomness. What is really a random number?
byAleksandr Yampolskiy
 
Если нашлась одна ошибка — есть и другие. Один способ выявить «наследуемые» у...
byPositive Hack Days
 
Secure coding for developers
bysluge
 
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later
byPositive Hack Days
 
Chromium Sandbox on Linux (NDC Security 2019)
byPatricia Aas
 
nosymbols - defcon russia 20
byDefconRussia
 

What's hot

PPTX
Static Code Analysis for Projects, Built on Unreal Engine
byAndrey Karpov
 
PPTX
PVS-Studio. Static code analyzer. Windows/Linux, C/C++/C#. 2017
byAndrey Karpov
 
PPT
Virtual platform
bysean chen
 
PPT
OWASP Much ado about randomness
byAleksandr Yampolskiy
 
PDF
Architecture for Massively Parallel HDL Simulations
byDVClub
 
PDF
Fuzzing: The New Unit Testing
byDmitry Vyukov
 
PDF
Работа с реляционными базами данных в C++
bycorehard_by
 
PPTX
1300 david oswald id and ip theft with side-channel attacks
byPositive Hack Days
 
PDF
DARPA CGC and DEFCON CTF: Automatic Attack and Defense Technique
byChong-Kuan Chen
 
PDF
Cgc2
byChong-Kuan Chen
 
PDF
clang-intro
byHajime Morrita
 
PPTX
Quality assurance of large c++ projects
bycorehard_by
 
PPTX
PVS-Studio is ready to improve the code of Tizen operating system
byAndrey Karpov
 
PDF
Антон Наумович, Система автоматической крэш-аналитики своими средствами
bySergey Platonov
 
PPTX
Do WAFs dream of static analyzers
byVladimir Kochetkov
 
PPTX
Эксплуатируем неэксплуатируемые уязвимости SAP
byPositive Hack Days
 
PPTX
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
byRootedCON
 
PDF
Boosting Developer Productivity with Clang
bySamsung Open Source Group
 
PDF
Bug fix sharing : where does bug come from
by宇 申
 
PPTX
C++17 now
bycorehard_by
 
Static Code Analysis for Projects, Built on Unreal Engine
byAndrey Karpov
 
PVS-Studio. Static code analyzer. Windows/Linux, C/C++/C#. 2017
byAndrey Karpov
 
Virtual platform
bysean chen
 
OWASP Much ado about randomness
byAleksandr Yampolskiy
 
Architecture for Massively Parallel HDL Simulations
byDVClub
 
Fuzzing: The New Unit Testing
byDmitry Vyukov
 
Работа с реляционными базами данных в C++
bycorehard_by
 
1300 david oswald id and ip theft with side-channel attacks
byPositive Hack Days
 
DARPA CGC and DEFCON CTF: Automatic Attack and Defense Technique
byChong-Kuan Chen
 
Cgc2
byChong-Kuan Chen
 
clang-intro
byHajime Morrita
 
Quality assurance of large c++ projects
bycorehard_by
 
PVS-Studio is ready to improve the code of Tizen operating system
byAndrey Karpov
 
Антон Наумович, Система автоматической крэш-аналитики своими средствами
bySergey Platonov
 
Do WAFs dream of static analyzers
byVladimir Kochetkov
 
Эксплуатируем неэксплуатируемые уязвимости SAP
byPositive Hack Days
 
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
byRootedCON
 
Boosting Developer Productivity with Clang
bySamsung Open Source Group
 
Bug fix sharing : where does bug come from
by宇 申
 
C++17 now
bycorehard_by
 

Viewers also liked

PPTX
Tyurin Alexey - NTLM. Part 1. Pass-the-Hash
byDefconRussia
 
PDF
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
byDefconRussia
 
PDF
Vm ware fuzzing - defcon russia 20
byDefconRussia
 
PPTX
HTTP HOST header attacks
byDefconRussia
 
PDF
Георгий Зайцев - Reversing golang
byDefconRussia
 
PDF
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
byDefconRussia
 
PDF
Zn task - defcon russia 20
byDefconRussia
 
PPTX
Weakpass - defcon russia 23
byDefconRussia
 
PPT
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
byDefconRussia
 
PDF
static - defcon russia 20
byDefconRussia
 
PPTX
Attacks on tacacs - Алексей Тюрин
byDefconRussia
 
PDF
Taras Tatarinov - Применение аппаратных закладок pwnie express на примере реа...
byDefconRussia
 
Tyurin Alexey - NTLM. Part 1. Pass-the-Hash
byDefconRussia
 
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
byDefconRussia
 
Vm ware fuzzing - defcon russia 20
byDefconRussia
 
HTTP HOST header attacks
byDefconRussia
 
Георгий Зайцев - Reversing golang
byDefconRussia
 
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
byDefconRussia
 
Zn task - defcon russia 20
byDefconRussia
 
Weakpass - defcon russia 23
byDefconRussia
 
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
byDefconRussia
 
static - defcon russia 20
byDefconRussia
 
Attacks on tacacs - Алексей Тюрин
byDefconRussia
 
Taras Tatarinov - Применение аппаратных закладок pwnie express на примере реа...
byDefconRussia
 

Similar to Alexey Sintsov- SDLC - try me to implement

PDF
The What, Why, and How of DevSecOps
byCprime
 
PPTX
Agile & Secure SDLC
byPaul Yang
 
PDF
Secure Agile SDLC BSides 14 - 2017 - Raphael Denipotti
byRaphael Denipotti
 
PDF
7.1. SDLC try me to implenment
bydefconmoscow
 
PPT
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
bygealehegn
 
PDF
Protecting Agile Transformation through Secure DevOps (DevSecOps)
byEryk Budi Pratama
 
PDF
AppSec in an Agile World
byDavid Lindner
 
PPT
Lecture Course Outline and Secure SDLC.ppt
byDrBasemMohamedElomda
 
PDF
SDLC & DevSecOps
byIrina Kostina
 
PPT
Software security engineering
byAHM Pervej Kabir
 
PPTX
Дмитро Терещенко, "How to secure your application with Secure SDLC"
bySigma Software
 
PPTX
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
byQADay
 
PPTX
Introduction of Secure Software Development Lifecycle
byRishi Kant
 
PDF
The Future of DevSecOps
byStefan Streichsbier
 
PPT
Software security engineering
byAHM Pervej Kabir
 
PPTX
Security for devs
byAbdelrhman Shawky
 
PDF
ShiftGearsWithInformationSecurity.pdf
bySteven Carlson
 
PPTX
Owasp summit slides day 2
byDinis Cruz
 
PDF
Agile Secure Development
byBosnia Agile
 
PPTX
Security within Scaled Agile
byMark Underwood
 
The What, Why, and How of DevSecOps
byCprime
 
Agile & Secure SDLC
byPaul Yang
 
Secure Agile SDLC BSides 14 - 2017 - Raphael Denipotti
byRaphael Denipotti
 
7.1. SDLC try me to implenment
bydefconmoscow
 
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
bygealehegn
 
Protecting Agile Transformation through Secure DevOps (DevSecOps)
byEryk Budi Pratama
 
AppSec in an Agile World
byDavid Lindner
 
Lecture Course Outline and Secure SDLC.ppt
byDrBasemMohamedElomda
 
SDLC & DevSecOps
byIrina Kostina
 
Software security engineering
byAHM Pervej Kabir
 
Дмитро Терещенко, "How to secure your application with Secure SDLC"
bySigma Software
 
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
byQADay
 
Introduction of Secure Software Development Lifecycle
byRishi Kant
 
The Future of DevSecOps
byStefan Streichsbier
 
Software security engineering
byAHM Pervej Kabir
 
Security for devs
byAbdelrhman Shawky
 
ShiftGearsWithInformationSecurity.pdf
bySteven Carlson
 
Owasp summit slides day 2
byDinis Cruz
 
Agile Secure Development
byBosnia Agile
 
Security within Scaled Agile
byMark Underwood
 

More from DefconRussia

PDF
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
byDefconRussia
 
PDF
Miasm defcon russia 23
byDefconRussia
 
PPTX
Vadim Bardakov - AVR & MSP exploitation
byDefconRussia
 
PDF
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
byDefconRussia
 
PPTX
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
byDefconRussia
 
PDF
Advanced cfg bypass on adobe flash player 18 defcon russia 23
byDefconRussia
 
PDF
George Lagoda - Альтернативное использование вэб сервисов SharePoint со сторо...
byDefconRussia
 
PPTX
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
byDefconRussia
 
PDF
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
byDefconRussia
 
PDF
Anton Alexanenkov - Tor and Botnet C&C
byDefconRussia
 
PDF
Nedospasov defcon russia 23
byDefconRussia
 
PDF
Tomas Hlavacek - IP fragmentation attack on DNS
byDefconRussia
 
PDF
Roman Korkikyan - Timing analysis workshop Part 2 Practice
byDefconRussia
 
PDF
Roman Korkikyan - Timing analysis workshop Part 1 Theory
byDefconRussia
 
PDF
Peter Hlavaty - DBIFuzz
byDefconRussia
 
PDF
Roman Korkikyan - Timing analysis workshop Part 2 Scary
byDefconRussia
 
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
byDefconRussia
 
Miasm defcon russia 23
byDefconRussia
 
Vadim Bardakov - AVR & MSP exploitation
byDefconRussia
 
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
byDefconRussia
 
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
byDefconRussia
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
byDefconRussia
 
George Lagoda - Альтернативное использование вэб сервисов SharePoint со сторо...
byDefconRussia
 
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
byDefconRussia
 
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
byDefconRussia
 
Anton Alexanenkov - Tor and Botnet C&C
byDefconRussia
 
Nedospasov defcon russia 23
byDefconRussia
 
Tomas Hlavacek - IP fragmentation attack on DNS
byDefconRussia
 
Roman Korkikyan - Timing analysis workshop Part 2 Practice
byDefconRussia
 
Roman Korkikyan - Timing analysis workshop Part 1 Theory
byDefconRussia
 
Peter Hlavaty - DBIFuzz
byDefconRussia
 
Roman Korkikyan - Timing analysis workshop Part 2 Scary
byDefconRussia
 

Recently uploaded

PPTX
COMPUTER SECURITY MODELS - Frameworks that help organizations design secure s...
byAbhishek Sonker
 
PPTX
SP C PROGRAMMING BASIC CONCEPTS WITH SAMPLE CODE.pptx
byspunithasrit
 
PDF
Major Agro Climatic Zones of India_fundamental of horticulture.pdf
bybisensharad
 
PPTX
An Detailed Overview of Menus in Odoo 18
byCeline George
 
PDF
Plant propagation_Macro & Micro_Horticulture.pdf
bybisensharad
 
PDF
Chapter 1 ICAR Intro_Horticulturte_FoH_.pdf
bybisensharad
 
PDF
Production Tech of Vegetables_Notes on PGR.pdf
bybisensharad
 
PPTX
The Ides Of March Throughout History-- not just Caesar but also . . .
byBob Mayer
 
PPTX
14 November 2025 The Impact of Digital Technologies on Students Learning
byEduSkills OECD
 
PDF
Sample Research Instruments for Initial Survey.pdf
byThelma Villaflores
 
PDF
MEDINIPUR QUIZ PREMIER LEAGUE PRACTICE QUIZ SET
bySaheb Mallik
 
PDF
EVOLUTION - Theories, Pre-Darwinism, Darwinism
byANAKHA JACOB
 
PDF
SHS_Core_CAE_Q3_LE1 FOR THIRD [FINAL].pdf
bydulaymd1904
 
PDF
Herniation Syndromes - Neuro Imaging Master Series
bySean M. Fox
 
PDF
Education Research in Ireland: Listening to all voices_Selina McCoy.pdf
byEconomic and Social Research Institute
 
PDF
the famous sun temple at konark, balck pagoda, orissa
byPrachiSontakke5
 
PPTX
TEACHING OF POETRY.pptx. The PPT helps and provides guidance on Lesson Planni...
byDr. Meeta Agrawal
 
PPTX
introduction to clinical pharmacology.pptx
byAneetaSharma15
 
PPTX
Structure and Functions of Cell (Unit I)
byPranaliChandurkar2
 
PDF
TNTEU- BD1TL Unit - 3 THEORY OF CONSTRUCTIVISM AND LEARNER CENTERED
byDr Raja Mohammed T
 
COMPUTER SECURITY MODELS - Frameworks that help organizations design secure s...
byAbhishek Sonker
 
SP C PROGRAMMING BASIC CONCEPTS WITH SAMPLE CODE.pptx
byspunithasrit
 
Major Agro Climatic Zones of India_fundamental of horticulture.pdf
bybisensharad
 
An Detailed Overview of Menus in Odoo 18
byCeline George
 
Plant propagation_Macro & Micro_Horticulture.pdf
bybisensharad
 
Chapter 1 ICAR Intro_Horticulturte_FoH_.pdf
bybisensharad
 
Production Tech of Vegetables_Notes on PGR.pdf
bybisensharad
 
The Ides Of March Throughout History-- not just Caesar but also . . .
byBob Mayer
 
14 November 2025 The Impact of Digital Technologies on Students Learning
byEduSkills OECD
 
Sample Research Instruments for Initial Survey.pdf
byThelma Villaflores
 
MEDINIPUR QUIZ PREMIER LEAGUE PRACTICE QUIZ SET
bySaheb Mallik
 
EVOLUTION - Theories, Pre-Darwinism, Darwinism
byANAKHA JACOB
 
SHS_Core_CAE_Q3_LE1 FOR THIRD [FINAL].pdf
bydulaymd1904
 
Herniation Syndromes - Neuro Imaging Master Series
bySean M. Fox
 
Education Research in Ireland: Listening to all voices_Selina McCoy.pdf
byEconomic and Social Research Institute
 
the famous sun temple at konark, balck pagoda, orissa
byPrachiSontakke5
 
TEACHING OF POETRY.pptx. The PPT helps and provides guidance on Lesson Planni...
byDr. Meeta Agrawal
 
introduction to clinical pharmacology.pptx
byAneetaSharma15
 
Structure and Functions of Cell (Unit I)
byPranaliChandurkar2
 
TNTEU- BD1TL Unit - 3 THEORY OF CONSTRUCTIVISM AND LEARNER CENTERED
byDr Raja Mohammed T
 

Alexey Sintsov- SDLC - try me to implement

  • 1.
    Alexey Sintsov @asintsov DEFCON RUSSIA DC#7812 SDLC IMPLEMENT ME OR DIE
  • 2.
    # SDLC… --History, introduction and blah-blah-blah skipped -- HOWTO: • Secure design • Secure code • Stable product • … QUALITY => Happy users/customers
  • 3.
    # Stages (c)Microsoft Corp.
  • 4.
    # But… •Agile • Agile • Agile • …. Every Sprint Bucket Once (c) Microsoft Corp.
  • 5.
    # Agile WhySDLC? • Documentation • Testing • Tasks It’s already included! Just add ‘Security requirements/tests’. • Development through testing • Unit tests • Continues Integration • Acceptance tests
  • 6.
    User wants toregister his account through web-form with login/password Task 1 Create DB structure Task 2 Add UI form Task 3 Add API for creating account Task X … Security Requirements Security Guides Retrospective Store passwords secure (crypto. Req.) CSRF protection ClickJacking protection CAPTCHA SQLi protection Password req. … etc …  Security related tasks
  • 7.
    Security Requirements SecurityGuides Retrospective User wants to register his account - investigation RISK ANLYSES User wants to register his account through web-form with login/password Task 1 Create DB structure Task 2 …. Task X Add second factor auth. mechanism Security “things” – tasks can be better than stories!
  • 8.
    # Wow it’sso easy… Let’s do it… • Online services • API • Mobile Apps • Automotive • Many different teams • Different frameworks and languages • Different attack surfaces and threats and risks • Agile • DevOps
  • 9.
    # Impossible ??? SDLC – not a strict “standard”, use it as pack of practices or what can be done, but HOW it can be done – it’s real state-of-art. So… • More security things goes to dev teams (responsibility) • Maximum automation • Manuals, guides and tools can be done by SecTeam • And etc: any fun can be done if it helps….
  • 10.
    # Training •Internal events • External training sessions Impossible to cover all threats, bugs and etc, especially if you have different teams that work with different technologies • HERE Architecture and Technology camp • Typical issues, stories and best practices • HOWTO • CTF games • HERE security support: • WIKI • IRC • Personal team trainings
  • 11.
    # Security Requirements General requirements: • Code style • SQL requests (Prepared statements) • Input/Output validation • Mobile App req. • etc • Data encryption • Algorithms • PKI and etc • Security mitigations and mechanisms • HTTPOnly, X-Frame-Options • PIE, StackCanaries, NS bit… … and etc Based on General requirements, each team produce own list of req. and then tasks!
  • 12.
    # Guides Patterns/Guides: • Code Based on guides each team will code some general things with our security requirements. • How to do auth. with captcha • How to read/upload files (work with FileSystem) • etc • Sensitive data • How to do right logging • How to store personal data • What is personal data • DevOps • How to deploy product with secret keys/service passwords ….
  • 13.
    # SelfCheck lists Based on requirements we can provide more detailed self-check lists to teams: • Have you done SAST? • What hash alg do you use for storing passwords? • Are you logging auth. tokens/passwords/credit card numbers? • Do you have SSL? • Do you have HTTPOnly/Secure? • Is your service scanned by security scanner? - Different check lists of Dev/DevOps, for design and architecture.
  • 14.
    # Example ofModel SecTeam Project Team 1 Project Team 2 Requirements Guides Tools produce • Requirements • Documentation • Design • Code • Security Tests • Requirements • Documentation • Design • Code • Security Tests checks “SDLC” on AGILE Final Review Exploratory testing Anything else…
  • 15.
    # HERE SecurityTeam • Requirements • Guides • Support for all Dev teams • Developing security tools and libs • Fuzzers • Input validation lib for common frameworks • Security Scripts, like platform audit • Providing SecService to teams and work with vendors: • WhiteHat • Retina • Veracode service • etc… • GoLive review • Incident Response
  • 16.
    # GoLive (SDLCFinalSecurityReview) • Threat/Risk Analysis • Architecture security review • SAST • Encryption • Design, etc • Engineering security review • DAST • Configurations • Logs , etc • Privacy review • Personal data • Government requirements , etc • Business continue review
  • 17.
    # GoLive (SDLCFinalSecurityReview) What we want • Teams understand our security requirements • Teams produce their own security requirements to their product • Teams follow our guides • Teams provides documentation, answered self-check lists Teams runs all security and can do self checks • Security knowledge stay in teams • After each GoLive review one team became more aware about security
  • 18.
  • 19.
    # DevOps +SDLC • Deployment as part of security process • Platform and configuration as a part of final product PRODUCT OS Services Code
  • 20.
    # HERE PlatformSecurity as a part of SDLC With help of DevOps: Own Cloud platform with all security things • Box configured secure by default: • SSH • Apache • Iptables • Patch Management for packages • Monitoring system • WAF • etc • Latest Images • Control for security groups • MFA • Templates for all accounts • CloudTrail • Access Key rotation • Security scanning for all instances • etc + MAXIMUM AUTOMATION
  • 21.
    # SoWhat •SDLC – not a kind of “standard” = just bunch of ideas and practices • You can’t download it and use, you need to understand your env., business requirements and implement what you want in any way it will work. • More checks and responsibilities for Dev. site. • Agile have enough places for implementing ‘security’, you do not need to change something, but it requires more knowledge from teams • SecTeam – control, hack, develop sec tools and support Devs • DevOps – can be a big help for security process!
  • 22.

Editor's Notes

  • #3 СДЛЦ это – блабла кратко. Майкрософт конечно молодец, но не вдаваясь в детали о том, кто первый додумался о том, что о безопасности продукта нужно беспокоится на всех стадиях разными методами, давайте посмотрим зачем нам вообще СДЛЦ, прежде чем идти дальше. Мы хотим, что бы наш продукт был крутым, безопасным, стабильным и при это пользователи были довольны, в общем и целом эти вопросы, включая вопросы безопасности – это вопрос КАЧЕСТВА. То есть безопасность это одна их характеристик качественного продукта. Это спорное утверждение, но оно становится справедливым, если безопасность является одним из критериев определения «качественный продукт»
  • #4 Тут все понятно, в разработке есть шаги, на каждом шаге можно и нужно делать нечто крутое и полезное. Но…
  • #5 Это круто в теории, но на практике очень сложно, в основном из того, что современные методологии они все такие Скам и аджаил.. Хотя теже МС выпустили доку, как можно это все прикрутить и к аджайлу… но опять же, все в теории. К тому же, код это одно, а если мы говорим про тех кто пишет сервисы, АПИ всякие причем много и разного… то есть сложности
  • #9 Ну ок, раз МС говорит это просто и круто. Давайте прикинем… Опа, да у нас ж дофига всего и разного… а нас, секурити не так много…
  • #10 Все не просто, но если подойти к СДЛЦ не как к бумажному стандарту набору практик, а как к идеи, то можно реализовать многие вещи и действительно повысить качество продуктов…