Application Security Design Principles: What do you need to know?
Anshu Gupta (Bio): Director of Information Security at HelloSign, a leading e-signature company. Served as a trusted advisor on information security issues to Fortune 500 companies at Ernst & Young and KPMG. Recently held senior security roles at Esurance (an Allstate company) and Coupa Software.
What are you up against? Smart & Hungry Hackers
The problem: developers focus on features and functionality.
Application Lifecycle (a cycle): Design, Development, Testing, Deployment, Maintenance, Upgrade, End of Life
Application Security Methodology: Know the threats (Threat Modeling). Incorporate security in your development lifecycle (Secure SDLC). Secure the network, host and application.
Threat Modeling - STRIDE and DREAD
STRIDE (Threat Identification):
- S: Spoofing
- T: Tampering
- R: Repudiation
- I: Information Disclosure
- D: Denial of Service
- E: Escalation of Privileges
DREAD (Threat Rating):
- D: Damage
- R: Reproducibility
- E: Exploitability
- A: Affected Users
- D: Discoverability
There are other methodologies as well, e.g. Trike and P.A.S.T.A. (Process for Attack Simulation and Threat Analysis).
Secure Software Development Lifecycle: The Security Development Lifecycle (SDL) is a software development process that helps developers build more secure software and address security and compliance requirements while reducing development cost.
Secure Software Development Lifecycle phases: Training, Requirements, Design, Implementation, Verification, Release, Response
Secure Software Development Lifecycle reference: Microsoft Secure SDL - www.microsoft.com/sdl
Application Security Principles:
- Defense in Depth
- Check at the Gate (Authentication & Authorization)
- Compartmentalize (Principle of Least Privilege)
- Secure Defaults
- Validate User Input
- Establish Trust Boundaries
- Fail Securely
- Reduce your Attack Surface
- Secure the Weakest Link
Defense in Depth: do not rely on a single layer of security; assume that one of your layers may be bypassed or compromised.
Check at the Gate: authentication and authorization.
Compartmentalize - Principle of Least Privilege: only the permissions absolutely required for the purpose of the app should be granted. This limits the damage from accident, error or unauthorized use.
Secure by Default: out-of-the-box settings put the application in a secure state.
Validate User Input: input is the attacker's primary weapon when targeting your application. Assume all input is malicious unless proven otherwise.
Establish Trust Boundaries: trust boundaries indicate where trust levels change from a data-flow perspective.
Fail Securely: When the application fails, it should fail to a state that rejects all subsequent security requests.
- Sensitive data should be inaccessible.
- Errors should not expose internal system details which could aid hackers.
- Expect and plan for system failure.
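The "Fail Securely" and "Secure by Default" principles above as an added example (not from the slides): an authorization gate whose error paths deny access and return only a generic message, shown beside the fail-open anti-pattern. The permission store, its outage trigger and the user names are constructed for the illustration.

```python
"""Added example: a fail-closed authorization gate. The permission backend,
its simulated outage and the sample users are hypothetical/constructed."""
import logging
from typing import Set, Tuple

log = logging.getLogger("authz")


class BackendUnavailable(Exception):
    """Raised when the permission store cannot be reached."""


# Constructed sample permission store (hypothetical users and actions).
_PERMISSIONS = {"alice": {"report:read"}, "bob": {"report:read", "report:delete"}}


def lookup_permissions(user: str) -> Set[str]:
    """Hypothetical permission backend; raises on a simulated outage.
    Unknown users get an empty set (secure default: nothing granted)."""
    if user == "outage":
        raise BackendUnavailable("permission store timeout")
    return _PERMISSIONS.get(user, set())


def authorize_fail_open(user: str, action: str) -> Tuple[bool, str]:
    """Anti-pattern: a backend error is swallowed, access is granted anyway,
    and the internal exception text is leaked to the caller."""
    try:
        return action in lookup_permissions(user), "ok"
    except Exception as exc:
        return True, f"warning: {exc}"   # fails open and exposes internals


def authorize_fail_closed(user: str, action: str) -> Tuple[bool, str]:
    """Fail-secure gate: every failure path denies; the caller only sees a
    generic message while the detail goes to the server-side log."""
    try:
        allowed = action in lookup_permissions(user)
    except Exception:
        # Full traceback stays server-side for responders, never in the reply.
        log.exception("authorization backend failure for user=%s", user)
        allowed = False
    # Same generic message for "no permission" and "backend failed".
    return allowed, ("ok" if allowed else "access denied")
```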
Reduce your attack surface
Secure the weakest link
Copyright Anshu Gupta 2016. All rights reserved.
What can you do tomorrow? Apart from source code security analysis (SAST), dynamic application security testing (DAST) and penetration testing:
- Ensure that there is a security, compliance and privacy section in the Technical Design Document.
- Obtain sign-off from security/compliance on the technical design document before development starts.
- Develop a basic threat modeling ("what can go wrong") template for developers.
What can you do tomorrow?
- Have Dev identify all the deprecated libraries in the code.
- Ask Legal if they would like to initiate an audit of open source code/libraries in the code, and have them pay for the audit.
- Ask if any secrets are stored in the code rather than in configuration files.
What can you do tomorrow?
- Ensure there is a security checklist for developers in the code review checklist or the Definition of Done template (if following Agile).
- Work with QA to make sure security test cases are part of testing by QA.
- Ensure QA is included in Secure Development training along with Developers.
- Ensure that a pre-deploy security checklist exists for DevOps/Operations teams which includes things like turning off test accounts, disabling stack traces, etc.
- Have Dev managers report application security metrics around found, closed and open security issues to the Dev leadership (see my LinkedIn post on application security metrics).
Want to learn more about Threat Modeling?
Contact Information: tohimanshu@gmail.com, www.linkedin.com/in/anshuguptapmp, fromanshu
Thank You!