Secure Software Development
Module 1: Course Overview
Course Overview
Attack by scanning software used or created
b/c dev forgot to look at security during SDLC
Good practice and common security risk
Topics:
Different model options to follow for the SDLC
Five phases of software development
How are vulnerabilities created?
Module 2: What’s the Software Development Life Cycle (SDLC)?
Course Introduction
Wide surface of attack coming from many IOT devices
- (Rush to) connect a device without determining if there are any vulnerabilities in the software
Digital Lust
Rapid adaptation of 3rd party software or in-house development for convenience
App starts in a simple environment
-> grows to involve different infrastructure, technology, business and workflow
Learning objectives:
What is SDLC?
Software Development Phases
Software Development Models - different ways to apply security during development
Software Vulnerabilities
Coding Best Practices
Security Web Testing
Module overview:
What's the problem? - how security becomes an issue
Do we really need SDLC?
- Advantages / Disadvantages
- Benefits / Goals
What's the Problem?
New app that tracks users and monitors systems
- add more features
- link to AD -> link to HR app
- monitor:
Link to AD
Security
Mobile
Services
Changes
Remote
Updates
Alerts
- Link to SQL
Each connection now has potential to be an attack vector
What is (typical) SDLC?
Planning -> Requirement analysis -> Design
-> Implementation -> Testing -> Maintenance
In terms of version:
Alpha -> Beta -> RC (Release candidate) -> RTM (Release to manufacturing) -> Patches / Service packs -> Revamp
More code changes & access as we move from one stage to the next
Who is involved? Each owns different types of resources and can create some type of attack vector
Stakeholders
Project Managers
Software Architect
Software Designer
Developer
Tester
Do You Really "Need" a SDLC
- helps to understand specific needs of different users or customers
- In-house development w/out consultation
Advantages / Disadvantages of NOT having SDLC
+ Easy to learn - save time in the short run
+ Easy to use - clear purpose / scope
- No clear start/stop with task
- Scales poorly
- Brittle code
- Does not match users' needs
- Skip / ignore important tasks
Benefits of SDLC
Documentation:
TO DO, NOT TO DO, Warnings, clear vision of behavior
Maintenance:
Works for a long time
Clearly identify loopholes and avoid them with minimum cost
SDLC does:
Creates goals for each phase / step
Marks clear steps to perform
Reviews work in an organized manner
Produces a tangible item
Gives direction for the next phase
Different lifecycles
- different steps, different timelines associated with them (months to years)
- help with conception to End of Life (EoL)
Summary
Problems w/ security and software development, and how security becomes an issue
The need for SDLC (at least for 2+ person project)
- Advantages / Disadvantages
- Benefits and Goals
Module 3: Software Development Phases
Introduction
1. Planning Phase
2. Requirements Phase: requirements for security
3. Design Phase: Background items like SQL servers or 3rd-party service accounts utilized (if any)
4. Implementation Phase: white box perspective
5. Testing Phase: similar to implementation phase, from black box perspective
6. Deployment Phase:
how to push the product out
what accounts are used
what the client-side requirements are
7. Maintenance Phase
8. End-of-Life Phase
Planning Phase
Ideas to blueprint by:
senior team members
customers
marketing
industry domain expert
... to create basic project approach
Then,
Train devs and testers on importance of security
Acquire security analysis tool
... to ensure secure development environment
Requirement Phase
Design Phase
Implementation Phase
Testing Phase
Deployment Phase
Maintenance Phase
End-of-Life Phase
Summary
Module 4: Software Development Models
Introduction
Code-and-Fix
Waterfall
Agile
Iterative
Spiral
Summary
Module 5: Software Vulnerabilities
Introduction
How Does It Happen?
Input Validation
Buffer Overflow
Command Injection
Summary
Module 6: Coding Best Practices
Introduction to Coding Best Practices
What's the Goal Here?
Input Validation
Output Encoding
Authentication & Password Management
Session Management
Access Control
Cryptographic Practices
Error Handling & Logging
Data Protection
Communication Security
System Configuration
Database Security
File Management
Memory Management
General Coding Practices
Summary
Module 7: Code Reviews
Introduction to Coding Review
Why a Code Review?
Types of Reviews
Incorporate These 3 Outlines
Some Common Sense Tips
Summary
Module 8: Security Testing in Action
Introduction
Intercept Proxies
DEMO: Create a Hackable Web Server
DEMO: Burp Suite
DEMO: OWASP ZAP
Web Application Firewalls
DEMO: Nikto
Source Authenticity
Reverse Engineering
Module/Course Summary