Application Security Design Principles. What do you need to know?


Anshu Gupta - Bio
Director of Information Security at HelloSign, a leading e-signature company. Served as a trusted advisor on information security issues to Fortune 500 companies at Ernst & Young and KPMG. Recently in senior security roles at Esurance (an Allstate company) and Coupa Software.

What are you up against? Smart & Hungry Hackers

The problem: developers focus on features & functionality

Application Lifecycle (phases): Design, Development, Testing, Deployment, Maintenance, Upgrade, End of Life

Application Security Methodology
- Know the threats: Threat Modeling
- Incorporate security in your development lifecycle: Secure SDLC
- Secure the network, host and application

Threat Modeling - STRIDE and DREAD

STRIDE (Threat Identification):
- S: Spoofing
- T: Tampering
- R: Repudiation
- I: Information Disclosure
- D: Denial of Service
- E: Escalation of Privileges

DREAD (Threat Rating):
- D: Damage
- R: Reproducibility
- E: Exploitability
- A: Affected Users
- D: Discoverability

There are other methodologies as well, e.g. Trike and P.A.S.T.A. (Process for Attack Simulation and Threat Analysis).
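As an added example (not from the slides), here is how the two halves fit together in a small threat register: each threat is identified with a STRIDE category and rated with DREAD. The slide does not give a scoring rule, so the code assumes the common convention of scoring each DREAD factor 1-10 and averaging; the threats, scores and High/Medium/Low thresholds are constructed.

```python
from dataclasses import dataclass

# Assumed DREAD convention (not stated on the slide): each factor scored 1-10,
# threat rating = average of the five factors. All data below is constructed.
STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service",
    "E": "Escalation of Privileges",
}

@dataclass
class Threat:
    name: str
    stride: str            # one STRIDE letter: what kind of threat it is
    damage: int            # D: how bad is the impact
    reproducibility: int   # R: how reliably can it be repeated
    exploitability: int    # E: how little skill/effort is needed
    affected_users: int    # A: how many users are hit
    discoverability: int   # D: how easy is it to find

    def dread_score(self) -> float:
        factors = (self.damage, self.reproducibility, self.exploitability,
                   self.affected_users, self.discoverability)
        if any(not 1 <= f <= 10 for f in factors):
            raise ValueError(f"{self.name}: DREAD factors must be 1-10")
        return sum(factors) / len(factors)

def rating_band(score: float) -> str:
    """Bucket a DREAD score; the 7/4 thresholds are an assumption for this example."""
    if score >= 7:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"

def rank_threats(threats):
    """Return (name, STRIDE category, score, band) rows, highest risk first."""
    rows = []
    for t in threats:
        score = t.dread_score()
        rows.append((t.name, STRIDE[t.stride], score, rating_band(score)))
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed threat register for a hypothetical e-signature web app.
SAMPLE_THREATS = [
    Threat("Session token forged from predictable ID", "S", 9, 7, 6, 9, 4),
    Threat("Stack trace on 500 page reveals ORM and paths", "I", 3, 9, 9, 2, 8),
    Threat("Audit log row deletable by app DB user", "R", 3, 4, 2, 3, 2),
]
```

Calling rank_threats(SAMPLE_THREATS) returns the register ordered High, Medium, Low, which is the list a team would use to decide what to fix first.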

Secure Software Development Lifecycle The Security Development Lifecycle (SDL) is a software development process that helps developers build more secure software and address security & compliance requirements while reducing development cost.

Secure Software Development Lifecycle - phases: Training, Requirements, Design, Implementation, Verification, Release, Response

Secure Software Development Lifecycle - Reference: Microsoft Secure SDL, www.microsoft.com/sdl

Application Security Principles
- Defense in Depth
- Check at the Gate (Authentication & Authorization)
- Compartmentalize (Principle of Least Privilege)
- Secure Defaults
- Validate User Input
- Establish Trust Boundaries
- Fail Securely
- Reduce your Attack Surface
- Secure the Weakest Link

Defense in Depth
- Non-reliance on a single layer of security
- Assumption that one of your layers may be bypassed or compromised

Check at the Gate

Compartmentalize - Principle of Least Privilege
- Only permissions absolutely required for the purpose of the app should be granted
- Limit the damage from accident, error or unauthorized use

Secure by Default
- Out-of-box settings put the application in a secure state

Validate User Input
- Attackers' primary weapon when targeting your application
- Assume all input is malicious unless proven otherwise

Establish Trust Boundaries
- Trust boundaries indicate where trust levels change from a data flow perspective.

Fail Securely
- When the application fails, it should fail to a state that rejects all subsequent security requests. Sensitive data should be inaccessible.
- Errors should not expose internal system details which could aid hackers.
- Expect and plan for system failure
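The "fail securely" principle in code, as an added example that is not from the slides: a fail-open authorization check beside a fail-closed request handler that denies on any backend error and keeps the internal detail in the server log rather than the response. PolicyStore, the grants table and the simulated outage are constructed for this example.

```python
import logging

log = logging.getLogger("authz")

class PolicyStore:
    """Stand-in for a permissions backend; available=False simulates an outage."""
    def __init__(self, grants, available=True):
        self.grants = grants          # {(user, resource): True} for allowed pairs
        self.available = available

    def allowed(self, user, resource):
        if not self.available:
            # Constructed error text standing in for what a real driver would say
            raise ConnectionError("policy backend db-01.internal unreachable (simulated)")
        return self.grants.get((user, resource), False)

def check_access_fail_open(store, user, resource):
    """Anti-pattern: an error inside the check is treated as 'allow'."""
    try:
        return store.allowed(user, resource)
    except Exception:
        return True   # BUG: a backend outage now grants access to everyone

def handle_request_fail_closed(store, user, resource):
    """Fail securely: returns (status, body); any failure denies, and the
    internal detail stays in the server log, never in the response."""
    try:
        allowed = store.allowed(user, resource)
    except Exception:
        log.exception("authz check failed user=%s resource=%s", user, resource)
        # Generic message only: no exception text, hostnames or stack trace
        return 503, "Service temporarily unavailable"
    if allowed:
        return 200, f"contents of {resource}"
    return 403, "Access denied"

# Constructed grants: only alice may read doc-1.
GRANTS = {("alice", "doc-1"): True}

if __name__ == "__main__":
    healthy = PolicyStore(GRANTS)
    outage = PolicyStore(GRANTS, available=False)
    print(check_access_fail_open(outage, "mallory", "doc-1"))       # True: the bug
    print(handle_request_fail_closed(outage, "mallory", "doc-1"))   # (503, ...)
    print(handle_request_fail_closed(healthy, "mallory", "doc-1"))  # (403, ...)
```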

Reduce your attack surface

Secure the weakest link

Copyright Anshu Gupta 2016. All rights reserved.

What can you do tomorrow?
Apart from source code security analysis (SAST), dynamic application security testing (DAST) and penetration testing:
- Ensure that there is a security, compliance and privacy section in the Technical Design Document
- Ensure sign-off is obtained from security/compliance on the technical design document before development starts
- Develop a basic threat modeling or "what can go wrong" type of template for developers

What can you do tomorrow?
- Have Dev identify all the deprecated libraries in the code
- Ask Legal if they would like to initiate an audit of open source code/libraries in the code, and have them pay for the audit
- Ask if any secrets are stored in the code rather than in configuration files
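One way to answer the "are any secrets stored in the code?" question with evidence rather than a survey, as an added example that is not from the slides: a small scanner that walks source files for hard-coded credentials while skipping obvious placeholders and environment references. The rule set, file-extension list and the repository snapshot are all constructed for this example.

```python
import re

# Minimal starting ruleset (not a full secret scanner); patterns are assumptions.
SECRET_PATTERNS = [
    ("assigned credential",
     re.compile(r"""(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*["'][^"']{6,}["']""")),
    ("aws access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private key block", re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")),
]

# Obvious placeholders and env-var references are not findings.
PLACEHOLDER = re.compile(r"""["'](changeme|example|x{3,}|<[^>]+>|\$\{[^}]+\})["']""", re.I)

SOURCE_EXT = (".py", ".js", ".java", ".go", ".rb")

def scan_source(path, text):
    """Return (path, line number, rule label) for each suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if PLACEHOLDER.search(line):
            continue
        for label, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append((path, lineno, label))
                break   # one finding per line is enough for triage
    return findings

def scan_repo(files):
    """files: {path: contents}. Only source files are scanned; the slide's
    point is secrets in code, so config files are left to the config review."""
    findings = []
    for path, text in files.items():
        if path.endswith(SOURCE_EXT):
            findings.extend(scan_source(path, text))
    return findings

# Constructed repository snapshot (all values are made up).
SAMPLE_REPO = {
    "app/db.py": 'import os\nDB_PASSWORD = "s3cr3t-prod-pw"\nHOST = os.environ["DB_HOST"]\n',
    "app/s3.py": 'ACCESS_KEY = "AKIAABCDEFGHIJKLMNOP"\n',
    "app/cfg.py": 'API_KEY = "<set-in-env>"\nTOKEN = "${VAULT_TOKEN}"\n',
    "config/settings.yaml": 'password: "from-vault-at-deploy"\n',
}

if __name__ == "__main__":
    for path, lineno, label in scan_repo(SAMPLE_REPO):
        print(f"{path}:{lineno}: {label}")
```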

What can you do tomorrow?
- Ensure there is a security checklist for developers in the code review checklist or the Definition of Done template (if following Agile).
- Work with QA to make sure security test cases are part of testing by QA.
- Ensure QA is included in Secure Development training along with Developers.
- Ensure that a pre-deploy security checklist exists for DevOps/Operations teams which includes things like turning off test accounts, disabling stack traces etc.
- Have Dev managers report application security metrics around found, closed and open security issues to the Dev leadership (see my LinkedIn post on application security metrics)

Want to learn more about Threat Modeling?

Contact Information
tohimanshu@gmail.com
www.linkedin.com/in/anshuguptapmp
fromanshu

Thank You!