SlideShare a Scribd company logo

Developing Secure Software: Experiences From an International Software Vendor

Achim D. Brucker
Achim D. Brucker

At large enterprises, a security development life-cycle (SDLC) needs to support a large range of development models as well as a large range of programming techniques. I will present the SDLC of a large software vendor from the perspective of introducing security testing into the early steps of a software development life-cycle (i.e., enabling developers to use software testing tools).

Technology
1 of 62
Download to read offline
Secure Software Development on the Enterprise Level Achim D. Brucker a.brucker@sheffield.ac.uk https://www.brucker.ch/ Software Assurance & Security Research Department of Computer Science, The University of Sheffield, Sheffield, UK https://logicalhacking.com/ Shift Left: The Incredible Impact Early Security Testing Makes January 19, 2017, London, UK
Outline 1 Background 2 Motivation 3 Secure Software Development 4 From (Mild) Pain to Success: My Experiences at SAP 5 Lesson’s Learned c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 3 of 26
Personal Background Eight year of enterprise secure software development: Member of the central security team, SAP SE (Germany) (Global) Security Testing Strategist Security Research Expert/Architect Work areas: Defining the risk-based Security Testing Strategy of SAP Introducing security testing tools (e.g., SAST, DAST) at SAP Identify white spots and evaluate and improve tools/methods Secure Software Development Life Cycle integration Applied security research ... Since 12/2015: Senior Lecturer, The University of Sheffield, UK Head of the Software Assurance & Security Research Team Available as consultant & (research) collaborations https://www.brucker.uk/ c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 4 of 26
SAP SE Leader in Business Software Cloud Mobile On premise Many different technologies and platforms, e.g., In-memory database and application server (Hana) Netweaver for ABAP and Java More than 25 industries 63% of the world’s transaction revenue touches an SAP system over 68 000 employees worldwide over 25 000 software developers Headquarters: Walldorf (Heidelberg), Germany c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 5 of 26
Outline 1 Background 2 Motivation 3 Secure Software Development 4 From (Mild) Pain to Success: My Experiences at SAP 5 Lesson’s Learned c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 26
Example (LinkedIn, May 2016) 164 million email addresses and passwords from an attack in 2012, offered for sale May 2016 Compromised data: email addresses passwords
Example (TalkTalk, October 2015) nearly 157,000 customer records leaked nearly 16,000 records included bank details more than 150,000 customers lost (home services market share fall by 4.4 percent in terms of new customers) Costs for TalkTalk: around any £60 million
Example (Ashley Madison, July 2015) more than 30 million email addresses & much more Compromised data: Dates of birth Email addresses Ethnicities, Genders Sexual preferences Home addresses, Phone numbers Payment histories Passwords, Usernames, Security questions and answers Website activity Similar Leak: Mate1 in February 2016: 27 million records with even more personal details (e.g., drinking/drug habits, political views)
What’s the Problem? Authenticate without a password using “SQL Injection” Implementation (SQL, simplified): SELECT * FROM ‘users ‘ WHERE ‘name ‘ = ’Username’ AND ‘pwd ‘ = ’Password’; c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 8 of 26
What’s the Problem? Authenticate without a password using “SQL Injection” Implementation (SQL, simplified): SELECT * FROM ‘users ‘ WHERE ‘name ‘ = ’Username’ AND ‘pwd ‘ = ’Password’; c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 8 of 26
What’s the Problem? Authenticate without a password using “SQL Injection” Implementation (SQL, simplified): SELECT * FROM ‘users ‘ WHERE ‘name ‘ = ’Username’ AND ‘pwd ‘ = ’Password’; Let’s try: user “test” & password “secret”: SELECT * FROM ‘users ‘ WHERE ‘name ‘ = ’test ’ AND ‘pwd ‘ = ’secret ’; c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 8 of 26
What’s the Problem? Authenticate without a password using “SQL Injection” Implementation (SQL, simplified): SELECT * FROM ‘users ‘ WHERE ‘name ‘ = ’Username’ AND ‘pwd ‘ = ’Password’; Let’s try: user “test” & password “secret”: SELECT * FROM ‘users ‘ WHERE ‘name ‘ = ’test ’ AND ‘pwd ‘ = ’secret ’; c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 8 of 26
What’s the Problem? Authenticate without a password using “SQL Injection” Implementation (SQL, simplified): SELECT * FROM ‘users ‘ WHERE ‘name ‘ = ’Username’ AND ‘pwd ‘ = ’Password’; Let’s try: user “test” & password “secret”: SELECT * FROM ‘users ‘ WHERE ‘name ‘ = ’test ’ AND ‘pwd ‘ = ’secret ’; c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 8 of 26
What’s the Problem? Authenticate without a password using “SQL Injection” Implementation (SQL, simplified): SELECT * FROM ‘users ‘ WHERE ‘name ‘ = ’Username’ AND ‘pwd ‘ = ’Password’; Let’s try: user “test” & password “secret”: SELECT * FROM ‘users ‘ WHERE ‘name ‘ = ’test ’ AND ‘pwd ‘ = ’secret ’; Let’s use “’ OR ’1’=’1” as password: c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 8 of 26
What’s the Problem? Authenticate without a password using “SQL Injection” Implementation (SQL, simplified): SELECT * FROM ‘users ‘ WHERE ‘name ‘ = ’Username’ AND ‘pwd ‘ = ’Password’; Let’s try: user “test” & password “secret”: SELECT * FROM ‘users ‘ WHERE ‘name ‘ = ’test ’ AND ‘pwd ‘ = ’secret ’; Let’s use “’ OR ’1’=’1” as password: SELECT * FROM ‘users ‘ WHERE ‘name‘ = ’test’ AND ‘pwd‘ = ’’ OR ’1’=’1 ; c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 8 of 26
What’s the Problem? Authenticate without a password using “SQL Injection” Implementation (SQL, simplified): SELECT * FROM ‘users ‘ WHERE ‘name ‘ = ’Username’ AND ‘pwd ‘ = ’Password’; Let’s try: user “test” & password “secret”: SELECT * FROM ‘users ‘ WHERE ‘name ‘ = ’test ’ AND ‘pwd ‘ = ’secret ’; Let’s use “’ OR ’1’=’1” as password: SELECT * FROM ‘users ‘ WHERE ‘name‘ = ’test’ AND ‘pwd‘ = ’’ OR TRUE ; c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 8 of 26
What’s the Problem? Authenticate without a password using “SQL Injection” Implementation (SQL, simplified): SELECT * FROM ‘users ‘ WHERE ‘name ‘ = ’Username’ AND ‘pwd ‘ = ’Password’; Let’s try: user “test” & password “secret”: SELECT * FROM ‘users ‘ WHERE ‘name ‘ = ’test ’ AND ‘pwd ‘ = ’secret ’; Let’s use “’ OR ’1’=’1” as password: SELECT * FROM ‘users ‘ WHERE TRUE; No password check! Root cause: a bug. c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 8 of 26
Outline 1 Background 2 Motivation 3 Secure Software Development 4 From (Mild) Pain to Success: My Experiences at SAP 5 Lesson’s Learned c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 9 of 26
A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 10 of 26
A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Training Security awareness Secure programming Threat modelling Security testing Data protection and privacy Security expert curriculum (“Masters”) c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 10 of 26
A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Risk Identification Risk identification (“high-level threat modelling”) Threat modelling Data privacy impact assessment c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 10 of 26
A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Plan Security Measures Plan product standard compliance Plan security features Plan security tests Plan security response c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 10 of 26
A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Secure Development Secure Programming Static code analysis (SAST) Code review c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 10 of 26
A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Security Testing Dynamic Testing (e.g., IAST, DAST) Manual testing External security assessment c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 10 of 26
A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Security Validation (“First Customer”) Check for “flaws” in the implementation of the S2 DL Ideally, security validation finds: No issues that can be fixed/detected earlier Only issues that cannot be detect earlier (e.g., insecure default configurations, missing security documentation) Penetration tests in productive environments are different: They test the actual configuration They test the productive environment (e.g., cloud/hosting) c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 10 of 26
A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Security Response Execute the security response plan Security related external communication Incident handling Security patches Monitoring of third party components c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 10 of 26
A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Secure Software c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 10 of 26
A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Secure Software c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 10 of 26
A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Secure Software Security Validation Security Testing Secure Development Plan Security Measu res Risk Identification Training Security Resp onse c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 10 of 26
A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Secure Software Security Validation Security Testing Secure Development Plan Security Measu res Risk Identification Training Security Resp onse c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 10 of 26
A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Secure Software Security Validation Security Testing Secure Development Plan Security Measu res Risk Identification Training Security Resp onse c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 10 of 26
A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Secure Software Security Validation Security Testing Secure Development Plan Security Measu res Risk Identification Training Security Resp onse c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 10 of 26
Secure Software Development Lifecycle for Cloud/Agile Build Operate Define Release Release Decision Build Decision Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 11 of 26
Outline 1 Background 2 Motivation 3 Secure Software Development 4 From (Mild) Pain to Success: My Experiences at SAP 5 Lesson’s Learned c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 12 of 26
Finding Security Vulnerabilities Manual Automatic Running Application Static Analysis Penetration Testing DAST, IAST Vulnerability Scanner SAST Manual Code Review c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 13 of 26
Finding Security Vulnerabilities Manual Automatic Running Application Static Analysis Penetration Testing DAST, IAST Vulnerability Scanner SAST Manual Code Review c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 13 of 26
In 2010: Static Analysis Becomes Mandatory SAST tools used at SAP: Language Tool Vendor ABAP CodeProfiler Virtual Forge Others Fortify HP Since 2010: SAST mandatory for all SAP products Within two years, multiple billions lines analysed Constant improvement of tool configuration Further details: Deploying Static Application Security Testing on a Large Scale. In GI Sicherheit 2014. Lecture Notes in Informatics, 228, pages 91-101, GI, 2014. c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 14 of 26
A De-Centralised Application Security Approach How SAP’s Application Development Approach Developed Over Time Governance & approvals De-centralized approach 2009 2016 One Two SAST tools fit all VF CodeProfiler Fortify Blending of Security Testing Tools SAST: SAP Netweaver CVA Add-on, Fortify, Synopsis Coverity, Checkmarx, Breakman DAST: HP WebInspect, Quotium Seeker Others: Burp Suite, OWASP ZAP, Codinomicon Fuzzer, BDD c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 15 of 26
A De-Centralised Application Security Approach How SAP’s Application Development Approach Developed Over Time Governance & approvals De-centralized approach 2009 2016 Blending of Security Testing Tools SAST: SAP Netweaver CVA Add-on, Fortify, Synopsis Coverity, Checkmarx, Breakman DAST: HP WebInspect, Quotium Seeker Others: Burp Suite, OWASP ZAP, Codinomicon Fuzzer, BDD Development Teams feel pushed Central Security Team Controls development teams Spends a lot time with granting exemptions Danger Only ticking boxes c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 15 of 26
A De-Centralised Application Security Approach How SAP’s Application Development Approach Developed Over Time Governance & approvals De-centralized approach 2009 2016 Development Teams feel pushed Central Security Team Controls development teams Spends a lot time with granting exemptions Danger Only ticking boxes Development Teams are empowered are responsible Central Security Team Supports development teams Can focuses on improvements filling white spots tooling processes c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 15 of 26
De-Centralised Approach: Organisational Setup Central security expert team (S2 DL owner) Organizes security trainings Defines product standard “Security” Defines risk and threat assessment methods Defines security testing strategy Selects and provides security testing tools Validates products Defines and executes response process Local security experts Embedded into development teams Organize local security activities Support developers and architects Support product owners (responsibles) Development teams Select technologies Select development model Design and execute security testing plan ... c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 16 of 26
Security Team Focus: Security Testing for Developers Security testing tools for developers, need to Be applicable from the start of development Automate the security knowledge Be integrated into dev world, e.g., IDE (instant feedback) Continuous integration Provide easy to understand fix recommendations Declare their “sweet spots” security experts software Developer many cwe and/or technologies only few cwe and/or technologies generalist tools for security Experts specialist tools for security Experts specialist tools for developers generalist tools for developers https://logicalhacking.com/blog/2016/10/25/classifying-security-testing-tools/ c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 17 of 26
Combining Multiple Security Testing Methods and Tools Web Client Web Browser Server Application Runtime Container Backend Systems https://logicalhacking.com/blog/2017/01/11/sast-vs-dast-vs-iast/ Risks of only using only SAST Wasting effort that could be used more wisely elsewhere Shipping insecure software Examples of SAST limitations Not all programming languages supported Covers not all layers of the software stack c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 18 of 26
Combining Multiple Security Testing Methods and Tools Web Client Web Browser Server Application Runtime Container Backend Systems SAST (Java) SAST (JavaScript) SAST (C/C++) https://logicalhacking.com/blog/2017/01/11/sast-vs-dast-vs-iast/ Risks of only using only SAST Wasting effort that could be used more wisely elsewhere Shipping insecure software Examples of SAST limitations Not all programming languages supported Covers not all layers of the software stack c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 18 of 26
Combining Multiple Security Testing Methods and Tools Web Client Web Browser Server Application Runtime Container Backend Systems SAST (Java) SAST (JavaScript) SAST (C/C++) ToolA(e.g.,DAST) ToolB(e.g.,IAST) In-Browser Security Testing Tool https://logicalhacking.com/blog/2017/01/11/sast-vs-dast-vs-iast/ Risks of only using only SAST Wasting effort that could be used more wisely elsewhere Shipping insecure software Examples of SAST limitations Not all programming languages supported Covers not all layers of the software stack c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 18 of 26
Combining Multiple Security Testing Methods and Tools Web Client Web Browser Server Application Runtime Container Backend Systems ToolA(e.g.,DAST) ToolB(e.g.,IAST) In-Browser Security Testing Tool SAST (Java) SAST (JavaScript) https://logicalhacking.com/blog/2017/01/11/sast-vs-dast-vs-iast/ Risks of only using only SAST Wasting effort that could be used more wisely elsewhere Shipping insecure software Examples of SAST limitations Not all programming languages supported Covers not all layers of the software stack c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 18 of 26
Combining Multiple Security Testing Methods and Tools Web Client Web Browser Server Application Runtime Container Backend Systems ToolA(e.g.,DAST) ToolB(e.g.,IAST) In-Browser Security Testing Tool SAST (Java) SAST (JavaScript) https://logicalhacking.com/blog/2017/01/11/sast-vs-dast-vs-iast/ Risks of only using only SAST Wasting effort that could be used more wisely elsewhere Shipping insecure software Examples of SAST limitations Not all programming languages supported Covers not all layers of the software stack A comprehensive approach combines Static approaches (i.e., SAST) Dynamic approaches (i.e., IAST or DAST) c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 18 of 26
How to Measure Success (and Identify White Spots) Analyze the vulnerabilities reported by Security Validation External security researchers Vulnerability not detected by currently used methods Improve tool configuration Introduce new tools Vulnerability detected by our security testing tools Vulnerability in older software release Analyze reason for missing vulnerability Covered Not Covered c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 19 of 26
How to Measure Success (and Identify White Spots) Analyze the vulnerabilities reported by Security Validation External security researchers Vulnerability not detected by currently used methods Improve tool configuration Introduce new tools Vulnerability detected by our security testing tools Vulnerability in older software release Analyze reason for missing vulnerability Covered Not Covered Success criteria: Percentage of vulnerabilities not covered by our security testing tools increases c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 19 of 26
How to Measure Success (and Identify White Spots) Analyze the vulnerabilities reported by Security Validation External security researchers Vulnerability not detected by currently used methods Improve tool configuration Introduce new tools Vulnerability detected by our security testing tools Vulnerability in older software release Analyze reason for missing vulnerability Covered Not Covered Success criteria: Percentage of vulnerabilities not covered by our security testing tools increases c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 19 of 26
How to Measure Success (and Identify White Spots) Analyze the vulnerabilities reported by Security Validation External security researchers Vulnerability not detected by currently used methods Improve tool configuration Introduce new tools Vulnerability detected by our security testing tools Vulnerability in older software release Analyze reason for missing vulnerability Covered Not Covered Newly Covered Success criteria: Percentage of vulnerabilities not covered by our security testing tools increases c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 19 of 26
Outline 1 Background 2 Motivation 3 Secure Software Development 4 From (Mild) Pain to Success: My Experiences at SAP 5 Lesson’s Learned c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 20 of 26
Key Success Factors A holistic security awareness program for Developers Managers c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 21 of 26
Key Success Factors A holistic security awareness program for Developers Managers Yes, security awareness is important c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 21 of 26
Key Success Factors A holistic security awareness program for Developers Managers Yes, security awareness is important but c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 21 of 26
Key Success Factors A holistic security awareness program for Developers Managers Yes, security awareness is important but Developer awareness is even more important! c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 21 of 26
Listen to Your Developers And Make Their Life Easy! We are often talking about a lack of security awareness and, by that, forget the problem of lacking development awareness. Building a secure system more difficult than finding a successful attack. Do not expect your developers to become penetration testers (or security experts)! Organisations can make it hard for developers to apply security testing skills! Don’t ask developers to do security testing, if their contract doesn’t allows it Budget application security activities centrally Educate your developers and make them recognised experts c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 22 of 26
Final remarks What works well: Delegate power and accountability to development teams Multi-tiered model of security experts: local experts for the local implementation of secure development global experts that support the local security experts (champions): act as consultant in difficult/non-standard situations evaluate, purchase, and operate widely used security testing tools can mediate between development teams and response teams Strict separation of security testing supporting developers and security validation What does not work well: Forcing tools, processes, etc. on developers Penetration testing as “secure development” approach Penetration has its value, e.g., as security integration test as “meta-test” for your secure development process (validation) c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 23 of 26
Thank you for your attention! Any questions or remarks? Contact: Dr. Achim D. Brucker Department of Computer Science University of Sheffield Regent Court 211 Portobello St. Sheffield S1 4DP, UK ƀ a.brucker@sheffield.ac.uk @adbrucker https://de.linkedin.com/in/adbrucker/ ĸ https://www.brucker.ch/ į https://logicalhacking.com/blog/
Bibliography Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. Michael Felderer, Matthias Büchler, Martin Johns, Achim D. Brucker, Ruth Breu, and Alexander Pretschner. Security testing: A survey. Advances in Computers, 101:1–51, March 2016. c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 25 of 26
Document Classification and License Information c 2017 LogicalHacking.com, A.D. Brucker. This presentation is classified as Public (CC BY-NC-ND 4.0): Except where otherwise noted, this presentation is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License (CC BY-NC-ND 4.0). c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 26 of 26

Recommended

How to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure CodeHow to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure CodeAchim D. Brucker
 
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...Achim D. Brucker
 
Application Inspector SSDL Edition product
Application Inspector SSDL Edition productApplication Inspector SSDL Edition product
Application Inspector SSDL Edition productValery Boronin
 
PyConPL 2017 - with python: security
PyConPL 2017 - with python: securityPyConPL 2017 - with python: security
PyConPL 2017 - with python: securityPiotr Dyba
 
A web content analytics
A web content analyticsA web content analytics
A web content analyticscsandit
 
A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...
A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...
A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...Achim D. Brucker
 
Security Testing - Where Automation Fails
Security Testing - Where Automation FailsSecurity Testing - Where Automation Fails
Security Testing - Where Automation FailsChristiaan Ottow
 
WebAppSec: Assessment and Defense
WebAppSec: Assessment and DefenseWebAppSec: Assessment and Defense
WebAppSec: Assessment and Defenseajitdhumale
 

Recommended

How to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure CodeHow to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure CodeAchim D. Brucker
 
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...Achim D. Brucker
 
Application Inspector SSDL Edition product
Application Inspector SSDL Edition productApplication Inspector SSDL Edition product
Application Inspector SSDL Edition productValery Boronin
 
PyConPL 2017 - with python: security
PyConPL 2017 - with python: securityPyConPL 2017 - with python: security
PyConPL 2017 - with python: securityPiotr Dyba
 
A web content analytics
A web content analyticsA web content analytics
A web content analyticscsandit
 
A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...
A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...
A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...Achim D. Brucker
 
Security Testing - Where Automation Fails
Security Testing - Where Automation FailsSecurity Testing - Where Automation Fails
Security Testing - Where Automation FailsChristiaan Ottow
 
WebAppSec: Assessment and Defense
WebAppSec: Assessment and DefenseWebAppSec: Assessment and Defense
WebAppSec: Assessment and Defenseajitdhumale
 
Significance of metrics
Significance of metricsSignificance of metrics
Significance of metricsDavid Karlsen
 
Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Achim D. Brucker
 
Dependency check
Dependency checkDependency check
Dependency checkDavid Karlsen
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsDenim Group
 
Implementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsImplementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsSuman Sourav
 
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Christian Schneider
 
Application Security 101 (OWASP DC)
Application Security 101 (OWASP DC)Application Security 101 (OWASP DC)
Application Security 101 (OWASP DC)mikemcbryde
 
UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENT
UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENTUNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENT
UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENTUlf Mattsson
 
[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scale[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scaleOWASP
 
Developing Secure Applications and Defending Against Common Attacks
Developing Secure Applications and Defending Against Common AttacksDeveloping Secure Applications and Defending Against Common Attacks
Developing Secure Applications and Defending Against Common AttacksPayPalX Developer Network
 
Software Security Engineering
Software Security EngineeringSoftware Security Engineering
Software Security EngineeringMarco Morana
 
V-Empower Services And Solutions
V-Empower Services And SolutionsV-Empower Services And Solutions
V-Empower Services And Solutionsguest609a5ed
 
V-Empower Services And Solutions
V-Empower Services And SolutionsV-Empower Services And Solutions
V-Empower Services And SolutionsHannan Ahmed
 
Ab cs of software security
Ab cs of software securityAb cs of software security
Ab cs of software securityDavid Klassen
 
Software security engineering
Software security engineeringSoftware security engineering
Software security engineeringAHM Pervej Kabir
 
Software security engineering
Software security engineeringSoftware security engineering
Software security engineeringAHM Pervej Kabir
 
Bringing the hacker mindset into requirements and testing by Eapen Thomas and...
Bringing the hacker mindset into requirements and testing by Eapen Thomas and...Bringing the hacker mindset into requirements and testing by Eapen Thomas and...
Bringing the hacker mindset into requirements and testing by Eapen Thomas and...QA or the Highway
 
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Achim D. Brucker
 
Security Best Practices
Security Best PracticesSecurity Best Practices
Security Best PracticesClint Edmonson
 
Widespread security flaws in web application development 2015
Widespread security flaws in web application development 2015Widespread security flaws in web application development 2015
Widespread security flaws in web application development 2015mahchiev
 
The Magic Of Application Lifecycle Management In Vs Public
The Magic Of Application Lifecycle Management In Vs PublicThe Magic Of Application Lifecycle Management In Vs Public
The Magic Of Application Lifecycle Management In Vs PublicDavid Solivan
 
Matthew Coles - Izar Tarandach - Security Toolbox
Matthew Coles - Izar Tarandach - Security ToolboxMatthew Coles - Izar Tarandach - Security Toolbox
Matthew Coles - Izar Tarandach - Security ToolboxSource Conference
 

More Related Content

Viewers also liked

Significance of metrics
Significance of metricsSignificance of metrics
Significance of metricsDavid Karlsen
 
Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Achim D. Brucker
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsDenim Group
 
Implementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsImplementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsSuman Sourav
 
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Christian Schneider
 

Viewers also liked (6)

Significance of metrics
Significance of metricsSignificance of metrics
Significance of metrics
 
Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...
 
Dependency check
Dependency checkDependency check
Dependency check
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security Pros
 
Implementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsImplementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in Jenkins
 
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
 

Similar to Developing Secure Software: Experiences From an International Software Vendor

Application Security 101 (OWASP DC)
Application Security 101 (OWASP DC)Application Security 101 (OWASP DC)
Application Security 101 (OWASP DC)mikemcbryde
 
UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENT
UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENTUNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENT
UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENTUlf Mattsson
 
[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scale[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scaleOWASP
 
Developing Secure Applications and Defending Against Common Attacks
Developing Secure Applications and Defending Against Common AttacksDeveloping Secure Applications and Defending Against Common Attacks
Developing Secure Applications and Defending Against Common AttacksPayPalX Developer Network
 
Software Security Engineering
Software Security EngineeringSoftware Security Engineering
Software Security EngineeringMarco Morana
 
V-Empower Services And Solutions
V-Empower Services And SolutionsV-Empower Services And Solutions
V-Empower Services And Solutionsguest609a5ed
 
V-Empower Services And Solutions
V-Empower Services And SolutionsV-Empower Services And Solutions
V-Empower Services And SolutionsHannan Ahmed
 
Ab cs of software security
Ab cs of software securityAb cs of software security
Ab cs of software securityDavid Klassen
 
Software security engineering
Software security engineeringSoftware security engineering
Software security engineeringAHM Pervej Kabir
 
Software security engineering
Software security engineeringSoftware security engineering
Software security engineeringAHM Pervej Kabir
 
Bringing the hacker mindset into requirements and testing by Eapen Thomas and...
Bringing the hacker mindset into requirements and testing by Eapen Thomas and...Bringing the hacker mindset into requirements and testing by Eapen Thomas and...
Bringing the hacker mindset into requirements and testing by Eapen Thomas and...QA or the Highway
 
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Achim D. Brucker
 
Security Best Practices
Security Best PracticesSecurity Best Practices
Security Best PracticesClint Edmonson
 
Widespread security flaws in web application development 2015
Widespread security flaws in web application development 2015Widespread security flaws in web application development 2015
Widespread security flaws in web application development 2015mahchiev
 
The Magic Of Application Lifecycle Management In Vs Public
The Magic Of Application Lifecycle Management In Vs PublicThe Magic Of Application Lifecycle Management In Vs Public
The Magic Of Application Lifecycle Management In Vs PublicDavid Solivan
 
Matthew Coles - Izar Tarandach - Security Toolbox
Matthew Coles - Izar Tarandach - Security ToolboxMatthew Coles - Izar Tarandach - Security Toolbox
Matthew Coles - Izar Tarandach - Security ToolboxSource Conference
 
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Chetan Khatri
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
Building Generative AI-infused apps: what's possible and how to start
Building Generative AI-infused apps: what's possible and how to startBuilding Generative AI-infused apps: what's possible and how to start
Building Generative AI-infused apps: what's possible and how to startMaxim Salnikov
 

Similar to Developing Secure Software: Experiences From an International Software Vendor (20)

Application Security 101 (OWASP DC)
Application Security 101 (OWASP DC)Application Security 101 (OWASP DC)
Application Security 101 (OWASP DC)
 
UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENT
UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENTUNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENT
UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENT
 
[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scale[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scale
 
Developing Secure Applications and Defending Against Common Attacks
Developing Secure Applications and Defending Against Common AttacksDeveloping Secure Applications and Defending Against Common Attacks
Developing Secure Applications and Defending Against Common Attacks
 
Software Security Engineering
Software Security EngineeringSoftware Security Engineering
Software Security Engineering
 
V-Empower Services And Solutions
V-Empower Services And SolutionsV-Empower Services And Solutions
V-Empower Services And Solutions
 
V-Empower Services And Solutions
V-Empower Services And SolutionsV-Empower Services And Solutions
V-Empower Services And Solutions
 
Ab cs of software security
Ab cs of software securityAb cs of software security
Ab cs of software security
 
Software security engineering
Software security engineeringSoftware security engineering
Software security engineering
 
Software security engineering
Software security engineeringSoftware security engineering
Software security engineering
 
Bringing the hacker mindset into requirements and testing by Eapen Thomas and...
Bringing the hacker mindset into requirements and testing by Eapen Thomas and...Bringing the hacker mindset into requirements and testing by Eapen Thomas and...
Bringing the hacker mindset into requirements and testing by Eapen Thomas and...
 
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
 
Security Best Practices
Security Best PracticesSecurity Best Practices
Security Best Practices
 
Widespread security flaws in web application development 2015
Widespread security flaws in web application development 2015Widespread security flaws in web application development 2015
Widespread security flaws in web application development 2015
 
The Magic Of Application Lifecycle Management In Vs Public
The Magic Of Application Lifecycle Management In Vs PublicThe Magic Of Application Lifecycle Management In Vs Public
The Magic Of Application Lifecycle Management In Vs Public
 
Matthew Coles - Izar Tarandach - Security Toolbox
Matthew Coles - Izar Tarandach - Security ToolboxMatthew Coles - Izar Tarandach - Security Toolbox
Matthew Coles - Izar Tarandach - Security Toolbox
 
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
Building Generative AI-infused apps: what's possible and how to start
Building Generative AI-infused apps: what's possible and how to startBuilding Generative AI-infused apps: what's possible and how to start
Building Generative AI-infused apps: what's possible and how to start
 
Coding Security: Code Mania 101
Coding Security: Code Mania 101Coding Security: Code Mania 101
Coding Security: Code Mania 101
 

More from Achim D. Brucker

Usable Security for Developers: A Nightmare
Usable Security for Developers: A NightmareUsable Security for Developers: A Nightmare
Usable Security for Developers: A NightmareAchim D. Brucker
 
Formalizing (Web) Standards: An Application of Test and Proof
Formalizing (Web) Standards: An Application of Test and ProofFormalizing (Web) Standards: An Application of Test and Proof
Formalizing (Web) Standards: An Application of Test and ProofAchim D. Brucker
 
Your (not so) smart TV is currently busy with taking down the Internet
Your (not so) smart TV is currently busy with taking down the InternetYour (not so) smart TV is currently busy with taking down the Internet
Your (not so) smart TV is currently busy with taking down the InternetAchim D. Brucker
 
Combining the Security Risks of Native and Web Development: Hybrid Apps
Combining the Security Risks of Native and Web Development: Hybrid AppsCombining the Security Risks of Native and Web Development: Hybrid Apps
Combining the Security Risks of Native and Web Development: Hybrid AppsAchim D. Brucker
 
The Evil Friend in Your Browser
The Evil Friend in Your BrowserThe Evil Friend in Your Browser
The Evil Friend in Your BrowserAchim D. Brucker
 
Isabelle: Not Only a Proof Assistant
Isabelle: Not Only a Proof AssistantIsabelle: Not Only a Proof Assistant
Isabelle: Not Only a Proof AssistantAchim D. Brucker
 
Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Achim D. Brucker
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Achim D. Brucker
 
Industrial Challenges of Secure Software Development
Industrial Challenges of Secure Software DevelopmentIndustrial Challenges of Secure Software Development
Industrial Challenges of Secure Software DevelopmentAchim D. Brucker
 
SAST for JavaScript: A Brief Overview of Commercial Tools
SAST for JavaScript: A Brief Overview of Commercial ToolsSAST for JavaScript: A Brief Overview of Commercial Tools
SAST for JavaScript: A Brief Overview of Commercial ToolsAchim D. Brucker
 
Deploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleDeploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleAchim D. Brucker
 
Model-based Conformance Testing of Security Properties
Model-based Conformance Testing of Security PropertiesModel-based Conformance Testing of Security Properties
Model-based Conformance Testing of Security PropertiesAchim D. Brucker
 
Service Compositions: Curse or Blessing for Security?
Service Compositions: Curse or Blessing for Security?Service Compositions: Curse or Blessing for Security?
Service Compositions: Curse or Blessing for Security?Achim D. Brucker
 
Encoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Encoding Object-oriented Datatypes in HOL: Extensible Records RevisitedEncoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Encoding Object-oriented Datatypes in HOL: Extensible Records RevisitedAchim D. Brucker
 
A Framework for Secure Service Composition
A Framework for Secure Service CompositionA Framework for Secure Service Composition
A Framework for Secure Service CompositionAchim D. Brucker
 
Extending Access Control Models with Break-glass
Extending Access Control Models with Break-glassExtending Access Control Models with Break-glass
Extending Access Control Models with Break-glassAchim D. Brucker
 
Integrating Application Security into a Software Development Process
Integrating Application Security into a Software Development ProcessIntegrating Application Security into a Software Development Process
Integrating Application Security into a Software Development ProcessAchim D. Brucker
 
Security in the Context of Business Processes: Thoughts from a System Vendor'...
Security in the Context of Business Processes: Thoughts from a System Vendor'...Security in the Context of Business Processes: Thoughts from a System Vendor'...
Security in the Context of Business Processes: Thoughts from a System Vendor'...Achim D. Brucker
 

More from Achim D. Brucker (18)

Usable Security for Developers: A Nightmare
Usable Security for Developers: A NightmareUsable Security for Developers: A Nightmare
Usable Security for Developers: A Nightmare
 
Formalizing (Web) Standards: An Application of Test and Proof
Formalizing (Web) Standards: An Application of Test and ProofFormalizing (Web) Standards: An Application of Test and Proof
Formalizing (Web) Standards: An Application of Test and Proof
 
Your (not so) smart TV is currently busy with taking down the Internet
Your (not so) smart TV is currently busy with taking down the InternetYour (not so) smart TV is currently busy with taking down the Internet
Your (not so) smart TV is currently busy with taking down the Internet
 
Combining the Security Risks of Native and Web Development: Hybrid Apps
Combining the Security Risks of Native and Web Development: Hybrid AppsCombining the Security Risks of Native and Web Development: Hybrid Apps
Combining the Security Risks of Native and Web Development: Hybrid Apps
 
The Evil Friend in Your Browser
The Evil Friend in Your BrowserThe Evil Friend in Your Browser
The Evil Friend in Your Browser
 
Isabelle: Not Only a Proof Assistant
Isabelle: Not Only a Proof AssistantIsabelle: Not Only a Proof Assistant
Isabelle: Not Only a Proof Assistant
 
Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
 
Industrial Challenges of Secure Software Development
Industrial Challenges of Secure Software DevelopmentIndustrial Challenges of Secure Software Development
Industrial Challenges of Secure Software Development
 
SAST for JavaScript: A Brief Overview of Commercial Tools
SAST for JavaScript: A Brief Overview of Commercial ToolsSAST for JavaScript: A Brief Overview of Commercial Tools
SAST for JavaScript: A Brief Overview of Commercial Tools
 
Deploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleDeploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large Scale
 
Model-based Conformance Testing of Security Properties
Model-based Conformance Testing of Security PropertiesModel-based Conformance Testing of Security Properties
Model-based Conformance Testing of Security Properties
 
Service Compositions: Curse or Blessing for Security?
Service Compositions: Curse or Blessing for Security?Service Compositions: Curse or Blessing for Security?
Service Compositions: Curse or Blessing for Security?
 
Encoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Encoding Object-oriented Datatypes in HOL: Extensible Records RevisitedEncoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Encoding Object-oriented Datatypes in HOL: Extensible Records Revisited
 
A Framework for Secure Service Composition
A Framework for Secure Service CompositionA Framework for Secure Service Composition
A Framework for Secure Service Composition
 
Extending Access Control Models with Break-glass
Extending Access Control Models with Break-glassExtending Access Control Models with Break-glass
Extending Access Control Models with Break-glass
 
Integrating Application Security into a Software Development Process
Integrating Application Security into a Software Development ProcessIntegrating Application Security into a Software Development Process
Integrating Application Security into a Software Development Process
 
Security in the Context of Business Processes: Thoughts from a System Vendor'...
Security in the Context of Business Processes: Thoughts from a System Vendor'...Security in the Context of Business Processes: Thoughts from a System Vendor'...
Security in the Context of Business Processes: Thoughts from a System Vendor'...
 

Recently uploaded

ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityVictorSzoltysek
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform EngineeringMarcus Vechiato
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard37
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch TuesdayIvanti
 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfdanishmna97
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe中 央社
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!Memoori
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightSafe Software
 
How to Check GPS Location with a Live Tracker in Pakistan
How to Check GPS Location with a Live Tracker in PakistanHow to Check GPS Location with a Live Tracker in Pakistan
How to Check GPS Location with a Live Tracker in Pakistandanishmna97
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMKumar Satyam
 
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Skynet Technologies
 
Introduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptxIntroduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptxFIDO Alliance
 
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdfMuhammad Subhan
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftshyamraj55
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxTales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxFIDO Alliance
 
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...ScyllaDB
 
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfFrisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfAnubhavMangla3
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctBrainSell Technologies
 

Recently uploaded (20)

ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps Productivity
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform Engineering
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch Tuesday
 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cf
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
How to Check GPS Location with a Live Tracker in Pakistan
How to Check GPS Location with a Live Tracker in PakistanHow to Check GPS Location with a Live Tracker in Pakistan
How to Check GPS Location with a Live Tracker in Pakistan
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
 
Overview of Hyperledger Foundation
Overview of Hyperledger FoundationOverview of Hyperledger Foundation
Overview of Hyperledger Foundation
 
Introduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptxIntroduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptx
 
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoft
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxTales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
 
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
 
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfFrisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 

Developing Secure Software: Experiences From an International Software Vendor

  • 1. Secure Software Development on the Enterprise Level Achim D. Brucker a.brucker@sheffield.ac.uk https://www.brucker.ch/ Software Assurance & Security Research Department of Computer Science, The University of Sheffield, Sheffield, UK https://logicalhacking.com/ Shift Left: The Incredible Impact Early Security Testing Makes January 19, 2017, London, UK
  • 2. Outline 1 Background 2 Motivation 3 Secure Software Development 4 From (Mild) Pain to Success: My Experiences at SAP 5 Lesson’s Learned c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 3 of 26
  • 3. Personal Background Eight year of enterprise secure software development: Member of the central security team, SAP SE (Germany) (Global) Security Testing Strategist Security Research Expert/Architect Work areas: Defining the risk-based Security Testing Strategy of SAP Introducing security testing tools (e.g., SAST, DAST) at SAP Identify white spots and evaluate and improve tools/methods Secure Software Development Life Cycle integration Applied security research ... Since 12/2015: Senior Lecturer, The University of Sheffield, UK Head of the Software Assurance & Security Research Team Available as consultant & (research) collaborations https://www.brucker.uk/ c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 4 of 26
  • 4. SAP SE Leader in Business Software Cloud Mobile On premise Many different technologies and platforms, e.g., In-memory database and application server (Hana) Netweaver for ABAP and Java More than 25 industries 63% of the world’s transaction revenue touches an SAP system over 68 000 employees worldwide over 25 000 software developers Headquarters: Walldorf (Heidelberg), Germany c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 5 of 26
  • 5. Outline 1 Background 2 Motivation 3 Secure Software Development 4 From (Mild) Pain to Success: My Experiences at SAP 5 Lesson’s Learned c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 6 of 26
  • 6.
  • 7. Example (LinkedIn, May 2016) 164 million email addresses and passwords from an attack in 2012, offered for sale May 2016 Compromised data: email addresses passwords
  • 8. Example (TalkTalk, October 2015) nearly 157,000 customer records leaked nearly 16,000 records included bank details more than 150,000 customers lost (home services market share fall by 4.4 percent in terms of new customers) Costs for TalkTalk: around any £60 million
  • 9. Example (Ashley Madison, July 2015) more than 30 million email addresses & much more Compromised data: Dates of birth Email addresses Ethnicities, Genders Sexual preferences Home addresses, Phone numbers Payment histories Passwords, Usernames, Security questions and answers Website activity Similar Leak: Mate1 in February 2016: 27 million records with even more personal details (e.g., drinking/drug habits, political views)
  • 10. What’s the Problem? Authenticate without a password using “SQL Injection” Implementation (SQL, simplified): SELECT * FROM ‘users ‘ WHERE ‘name ‘ = ’Username’ AND ‘pwd ‘ = ’Password’; c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 8 of 26
  • 11. What’s the Problem? Authenticate without a password using “SQL Injection” Implementation (SQL, simplified): SELECT * FROM ‘users ‘ WHERE ‘name ‘ = ’Username’ AND ‘pwd ‘ = ’Password’; c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 8 of 26
  • 12. What’s the Problem? Authenticate without a password using “SQL Injection” Implementation (SQL, simplified): SELECT * FROM ‘users ‘ WHERE ‘name ‘ = ’Username’ AND ‘pwd ‘ = ’Password’; Let’s try: user “test” & password “secret”: SELECT * FROM ‘users ‘ WHERE ‘name ‘ = ’test ’ AND ‘pwd ‘ = ’secret ’; c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 8 of 26
  • 13. What’s the Problem? Authenticate without a password using “SQL Injection” Implementation (SQL, simplified): SELECT * FROM ‘users ‘ WHERE ‘name ‘ = ’Username’ AND ‘pwd ‘ = ’Password’; Let’s try: user “test” & password “secret”: SELECT * FROM ‘users ‘ WHERE ‘name ‘ = ’test ’ AND ‘pwd ‘ = ’secret ’; c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 8 of 26
  • 14. What’s the Problem? Authenticate without a password using “SQL Injection” Implementation (SQL, simplified): SELECT * FROM ‘users ‘ WHERE ‘name ‘ = ’Username’ AND ‘pwd ‘ = ’Password’; Let’s try: user “test” & password “secret”: SELECT * FROM ‘users ‘ WHERE ‘name ‘ = ’test ’ AND ‘pwd ‘ = ’secret ’; c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 8 of 26
  • 15. What’s the Problem? Authenticate without a password using “SQL Injection” Implementation (SQL, simplified): SELECT * FROM ‘users ‘ WHERE ‘name ‘ = ’Username’ AND ‘pwd ‘ = ’Password’; Let’s try: user “test” & password “secret”: SELECT * FROM ‘users ‘ WHERE ‘name ‘ = ’test ’ AND ‘pwd ‘ = ’secret ’; Let’s use “’ OR ’1’=’1” as password: c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 8 of 26
  • 16. What’s the Problem? Authenticate without a password using “SQL Injection” Implementation (SQL, simplified): SELECT * FROM ‘users ‘ WHERE ‘name ‘ = ’Username’ AND ‘pwd ‘ = ’Password’; Let’s try: user “test” & password “secret”: SELECT * FROM ‘users ‘ WHERE ‘name ‘ = ’test ’ AND ‘pwd ‘ = ’secret ’; Let’s use “’ OR ’1’=’1” as password: SELECT * FROM ‘users ‘ WHERE ‘name‘ = ’test’ AND ‘pwd‘ = ’’ OR ’1’=’1 ; c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 8 of 26
  • 17. What’s the Problem? Authenticate without a password using “SQL Injection” Implementation (SQL, simplified): SELECT * FROM ‘users ‘ WHERE ‘name ‘ = ’Username’ AND ‘pwd ‘ = ’Password’; Let’s try: user “test” & password “secret”: SELECT * FROM ‘users ‘ WHERE ‘name ‘ = ’test ’ AND ‘pwd ‘ = ’secret ’; Let’s use “’ OR ’1’=’1” as password: SELECT * FROM ‘users ‘ WHERE ‘name‘ = ’test’ AND ‘pwd‘ = ’’ OR TRUE ; c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 8 of 26
  • 18. What’s the Problem? Authenticate without a password using “SQL Injection” Implementation (SQL, simplified): SELECT * FROM ‘users ‘ WHERE ‘name ‘ = ’Username’ AND ‘pwd ‘ = ’Password’; Let’s try: user “test” & password “secret”: SELECT * FROM ‘users ‘ WHERE ‘name ‘ = ’test ’ AND ‘pwd ‘ = ’secret ’; Let’s use “’ OR ’1’=’1” as password: SELECT * FROM ‘users ‘ WHERE TRUE; No password check! Root cause: a bug. c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 8 of 26
  • 19. Outline 1 Background 2 Motivation 3 Secure Software Development 4 From (Mild) Pain to Success: My Experiences at SAP 5 Lesson’s Learned c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 9 of 26
  • 20. A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 10 of 26
  • 21. A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Training Security awareness Secure programming Threat modelling Security testing Data protection and privacy Security expert curriculum (“Masters”) c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 10 of 26
  • 22. A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Risk Identification Risk identification (“high-level threat modelling”) Threat modelling Data privacy impact assessment c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 10 of 26
  • 23. A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Plan Security Measures Plan product standard compliance Plan security features Plan security tests Plan security response c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 10 of 26
  • 24. A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Secure Development Secure Programming Static code analysis (SAST) Code review c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 10 of 26
  • 25. A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Security Testing Dynamic Testing (e.g., IAST, DAST) Manual testing External security assessment c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 10 of 26
  • 26. A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Security Validation (“First Customer”) Check for “flaws” in the implementation of the S2 DL Ideally, security validation finds: No issues that can be fixed/detected earlier Only issues that cannot be detect earlier (e.g., insecure default configurations, missing security documentation) Penetration tests in productive environments are different: They test the actual configuration They test the productive environment (e.g., cloud/hosting) c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 10 of 26
  • 27. A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Security Response Execute the security response plan Security related external communication Incident handling Security patches Monitoring of third party components c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 10 of 26
  • 28. A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Secure Software c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 10 of 26
  • 29. A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Secure Software c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 10 of 26
  • 30. A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Secure Software Security Validation Security Testing Secure Development Plan Security Measu res Risk Identification Training Security Resp onse c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 10 of 26
  • 31. A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Secure Software Security Validation Security Testing Secure Development Plan Security Measu res Risk Identification Training Security Resp onse c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 10 of 26
  • 32. A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Secure Software Security Validation Security Testing Secure Development Plan Security Measu res Risk Identification Training Security Resp onse c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 10 of 26
  • 33. A Path Towards (More) Secure Software SAP’s Secure Software Development Lifecycle (S2DL) Training Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response Secure Software Security Validation Security Testing Secure Development Plan Security Measu res Risk Identification Training Security Resp onse c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 10 of 26
  • 34. Secure Software Development Lifecycle for Cloud/Agile Build Operate Define Release Release Decision Build Decision Risk Identification Plan Security Measures Secure Development Security Testing Security Validation Security Response c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 11 of 26
  • 35. Outline 1 Background 2 Motivation 3 Secure Software Development 4 From (Mild) Pain to Success: My Experiences at SAP 5 Lesson’s Learned c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 12 of 26
  • 36. Finding Security Vulnerabilities Manual Automatic Running Application Static Analysis Penetration Testing DAST, IAST Vulnerability Scanner SAST Manual Code Review c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 13 of 26
  • 37. Finding Security Vulnerabilities Manual Automatic Running Application Static Analysis Penetration Testing DAST, IAST Vulnerability Scanner SAST Manual Code Review c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 13 of 26
  • 38. In 2010: Static Analysis Becomes Mandatory SAST tools used at SAP: Language Tool Vendor ABAP CodeProfiler Virtual Forge Others Fortify HP Since 2010: SAST mandatory for all SAP products Within two years, multiple billions lines analysed Constant improvement of tool configuration Further details: Deploying Static Application Security Testing on a Large Scale. In GI Sicherheit 2014. Lecture Notes in Informatics, 228, pages 91-101, GI, 2014. c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 14 of 26
  • 39. A De-Centralised Application Security Approach How SAP’s Application Development Approach Developed Over Time Governance & approvals De-centralized approach 2009 2016 One Two SAST tools fit all VF CodeProfiler Fortify Blending of Security Testing Tools SAST: SAP Netweaver CVA Add-on, Fortify, Synopsis Coverity, Checkmarx, Breakman DAST: HP WebInspect, Quotium Seeker Others: Burp Suite, OWASP ZAP, Codinomicon Fuzzer, BDD c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 15 of 26
  • 40. A De-Centralised Application Security Approach How SAP’s Application Development Approach Developed Over Time Governance & approvals De-centralized approach 2009 2016 Blending of Security Testing Tools SAST: SAP Netweaver CVA Add-on, Fortify, Synopsis Coverity, Checkmarx, Breakman DAST: HP WebInspect, Quotium Seeker Others: Burp Suite, OWASP ZAP, Codinomicon Fuzzer, BDD Development Teams feel pushed Central Security Team Controls development teams Spends a lot time with granting exemptions Danger Only ticking boxes c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 15 of 26
  • 41. A De-Centralised Application Security Approach How SAP’s Application Development Approach Developed Over Time Governance & approvals De-centralized approach 2009 2016 Development Teams feel pushed Central Security Team Controls development teams Spends a lot time with granting exemptions Danger Only ticking boxes Development Teams are empowered are responsible Central Security Team Supports development teams Can focuses on improvements filling white spots tooling processes c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 15 of 26
  • 42. De-Centralised Approach: Organisational Setup Central security expert team (S2 DL owner) Organizes security trainings Defines product standard “Security” Defines risk and threat assessment methods Defines security testing strategy Selects and provides security testing tools Validates products Defines and executes response process Local security experts Embedded into development teams Organize local security activities Support developers and architects Support product owners (responsibles) Development teams Select technologies Select development model Design and execute security testing plan ... c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 16 of 26
  • 43. Security Team Focus: Security Testing for Developers Security testing tools for developers, need to Be applicable from the start of development Automate the security knowledge Be integrated into dev world, e.g., IDE (instant feedback) Continuous integration Provide easy to understand fix recommendations Declare their “sweet spots” security experts software Developer many cwe and/or technologies only few cwe and/or technologies generalist tools for security Experts specialist tools for security Experts specialist tools for developers generalist tools for developers https://logicalhacking.com/blog/2016/10/25/classifying-security-testing-tools/ c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 17 of 26
  • 44. Combining Multiple Security Testing Methods and Tools Web Client Web Browser Server Application Runtime Container Backend Systems https://logicalhacking.com/blog/2017/01/11/sast-vs-dast-vs-iast/ Risks of only using only SAST Wasting effort that could be used more wisely elsewhere Shipping insecure software Examples of SAST limitations Not all programming languages supported Covers not all layers of the software stack c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 18 of 26
  • 45. Combining Multiple Security Testing Methods and Tools Web Client Web Browser Server Application Runtime Container Backend Systems SAST (Java) SAST (JavaScript) SAST (C/C++) https://logicalhacking.com/blog/2017/01/11/sast-vs-dast-vs-iast/ Risks of only using only SAST Wasting effort that could be used more wisely elsewhere Shipping insecure software Examples of SAST limitations Not all programming languages supported Covers not all layers of the software stack c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 18 of 26
  • 46. Combining Multiple Security Testing Methods and Tools Web Client Web Browser Server Application Runtime Container Backend Systems SAST (Java) SAST (JavaScript) SAST (C/C++) ToolA(e.g.,DAST) ToolB(e.g.,IAST) In-Browser Security Testing Tool https://logicalhacking.com/blog/2017/01/11/sast-vs-dast-vs-iast/ Risks of only using only SAST Wasting effort that could be used more wisely elsewhere Shipping insecure software Examples of SAST limitations Not all programming languages supported Covers not all layers of the software stack c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 18 of 26
  • 47. Combining Multiple Security Testing Methods and Tools Web Client Web Browser Server Application Runtime Container Backend Systems ToolA(e.g.,DAST) ToolB(e.g.,IAST) In-Browser Security Testing Tool SAST (Java) SAST (JavaScript) https://logicalhacking.com/blog/2017/01/11/sast-vs-dast-vs-iast/ Risks of only using only SAST Wasting effort that could be used more wisely elsewhere Shipping insecure software Examples of SAST limitations Not all programming languages supported Covers not all layers of the software stack c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 18 of 26
  • 48. Combining Multiple Security Testing Methods and Tools Web Client Web Browser Server Application Runtime Container Backend Systems ToolA(e.g.,DAST) ToolB(e.g.,IAST) In-Browser Security Testing Tool SAST (Java) SAST (JavaScript) https://logicalhacking.com/blog/2017/01/11/sast-vs-dast-vs-iast/ Risks of only using only SAST Wasting effort that could be used more wisely elsewhere Shipping insecure software Examples of SAST limitations Not all programming languages supported Covers not all layers of the software stack A comprehensive approach combines Static approaches (i.e., SAST) Dynamic approaches (i.e., IAST or DAST) c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 18 of 26
  • 49. How to Measure Success (and Identify White Spots) Analyze the vulnerabilities reported by Security Validation External security researchers Vulnerability not detected by currently used methods Improve tool configuration Introduce new tools Vulnerability detected by our security testing tools Vulnerability in older software release Analyze reason for missing vulnerability Covered Not Covered c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 19 of 26
  • 50. How to Measure Success (and Identify White Spots) Analyze the vulnerabilities reported by Security Validation External security researchers Vulnerability not detected by currently used methods Improve tool configuration Introduce new tools Vulnerability detected by our security testing tools Vulnerability in older software release Analyze reason for missing vulnerability Covered Not Covered Success criteria: Percentage of vulnerabilities not covered by our security testing tools increases c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 19 of 26
  • 51. How to Measure Success (and Identify White Spots) Analyze the vulnerabilities reported by Security Validation External security researchers Vulnerability not detected by currently used methods Improve tool configuration Introduce new tools Vulnerability detected by our security testing tools Vulnerability in older software release Analyze reason for missing vulnerability Covered Not Covered Success criteria: Percentage of vulnerabilities not covered by our security testing tools increases c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 19 of 26
  • 52. How to Measure Success (and Identify White Spots) Analyze the vulnerabilities reported by Security Validation External security researchers Vulnerability not detected by currently used methods Improve tool configuration Introduce new tools Vulnerability detected by our security testing tools Vulnerability in older software release Analyze reason for missing vulnerability Covered Not Covered Newly Covered Success criteria: Percentage of vulnerabilities not covered by our security testing tools increases c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 19 of 26
  • 53. Outline 1 Background 2 Motivation 3 Secure Software Development 4 From (Mild) Pain to Success: My Experiences at SAP 5 Lesson’s Learned c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 20 of 26
  • 54. Key Success Factors A holistic security awareness program for Developers Managers c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 21 of 26
  • 55. Key Success Factors A holistic security awareness program for Developers Managers Yes, security awareness is important c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 21 of 26
  • 56. Key Success Factors A holistic security awareness program for Developers Managers Yes, security awareness is important but c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 21 of 26
  • 57. Key Success Factors A holistic security awareness program for Developers Managers Yes, security awareness is important but Developer awareness is even more important! c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 21 of 26
  • 58. Listen to Your Developers And Make Their Life Easy! We are often talking about a lack of security awareness and, by that, forget the problem of lacking development awareness. Building a secure system more difficult than finding a successful attack. Do not expect your developers to become penetration testers (or security experts)! Organisations can make it hard for developers to apply security testing skills! Don’t ask developers to do security testing, if their contract doesn’t allows it Budget application security activities centrally Educate your developers and make them recognised experts c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 22 of 26
  • 59. Final remarks What works well: Delegate power and accountability to development teams Multi-tiered model of security experts: local experts for the local implementation of secure development global experts that support the local security experts (champions): act as consultant in difficult/non-standard situations evaluate, purchase, and operate widely used security testing tools can mediate between development teams and response teams Strict separation of security testing supporting developers and security validation What does not work well: Forcing tools, processes, etc. on developers Penetration testing as “secure development” approach Penetration has its value, e.g., as security integration test as “meta-test” for your secure development process (validation) c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 23 of 26
  • 60. Thank you for your attention! Any questions or remarks? Contact: Dr. Achim D. Brucker Department of Computer Science University of Sheffield Regent Court 211 Portobello St. Sheffield S1 4DP, UK ƀ a.brucker@sheffield.ac.uk @adbrucker https://de.linkedin.com/in/adbrucker/ ĸ https://www.brucker.ch/ į https://logicalhacking.com/blog/
  • 61. Bibliography Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. Michael Felderer, Matthias Büchler, Martin Johns, Achim D. Brucker, Ruth Breu, and Alexander Pretschner. Security testing: A survey. Advances in Computers, 101:1–51, March 2016. c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 25 of 26
  • 62. Document Classification and License Information c 2017 LogicalHacking.com, A.D. Brucker. This presentation is classified as Public (CC BY-NC-ND 4.0): Except where otherwise noted, this presentation is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License (CC BY-NC-ND 4.0). c 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 26 of 26