Talk given at the HdM-Day of the Hochschule für Medien in Stuttgart (16.01.2015)
Secure Software Development Lifecycle

Slide 1: Secure Software Development Lifecycle
Daniel Kefer, Information Security, 1&1 Internet AG
Slide 2: Agenda (1&1 Internet AG, 26.01.2015)
- Who Am I, Who Is 1&1
- Motivation For Secure SDLC
- What the World Does
- What 1&1 Does
- Future Plans
(The agenda slide is repeated as a section divider at slides 3, 8, 13, 19 and 27.)
Slide 4: Who Am I
- Daniel Kefer
- Originally from the Czech Republic
- Working in IT security since 2005
- Security in development since 2008
- Moved to Germany in 2011 to work for 1&1
- Focus on application security
Slide 5: 1&1 – Member of United Internet AG
Organisation chart of the 1&1 Group / United Internet AG holdings (figures as of 27 March 2014):
- 1&1 Internet AG: 100 %
- 1&1 Telecommunication AG: 100 %
- United Internet Ventures AG: 100 %
- SEDO Holding GmbH: 100 %
- Goldbach: 14.96 %
- Hi-media: 10.50 %
- fun: 49 %
- Virtual Minds: 48.65 %
- ProfitBricks: 30.02 %
- Open-Xchange: 28.36 %
- ePages: 25.10 %
- Uberall: 25 %
- Rocket Internet: 8.18 %
Slide 6: Locations (map of the 1&1 Group locations)
Slide 7: 1&1: Internet services of United Internet AG (figures as of 19 November 2013)
- Motivated team: around 7,800 employees, thereof approx. 2,000 in product management, development and data centers
- Sales strength: approx. 3 million new customer contracts p.a.; 50,000 registrations for free services on a daily basis
- Operational excellence: 46 million accounts in 11 countries; 7 data centers; 70,000 servers in Europe and USA
- Diagram labels: Access, Applications, Networks, User equipment, Content, Standard software
Slide 9: Three Common Approaches to Develop Applications (Security View)
- Intuitive approach
- Reactive approach
- Proactive approach
Slide 10: Intuitive Approach
- Pure best-effort approach
- Relying on the individual knowledge and experience of the team members
- No security gates during the development
- Typically leads to a higher occurrence of security incidents and negative PR
Slide 11: Reactive Approach
- Typically one security gate before the application rollout:
  - Penetration test
  - Code review
  - Infrastructure configuration audit
- A big step forward from the security point of view, but…
  - How effective is it to say "you've done it wrong" when the development is finished?
  - Typically increases the project costs and length
    - Security bugs: mistakes in the source code, "quite easy" to fix
    - Security flaws: mistakes in the application design, very expensive to fix
  - The world gets more agile all the time… at what point should you test?
  - You don't usually find everything during a security audit!
Slide 12: Proactive Approach (Secure SDLC)
- You try to prevent security bugs before they're created
- Cost of a bug during the development lifecycle:
Slide 14: What the World Does
- Overall concepts
  - Process models: What should I do at which point?
  - Maturity models: Do I do enough for security in development?
- Supportive methodologies and tooling
  - How do I perform an architecture review?
  - Penetration testing tools
  - Checklists, cheat sheets
  - Development guides, testing guides
  - …
Slide 15: Process Models – Example
- Microsoft SDL
  - Development divided into 7 phases
  - Within every phase you should perform a couple of security-related activities
Slide 16: 2004: Microsoft SDL 1.0 Launch
- 2005: Microsoft published the first results they achieved using their SDL methodology
Slide 17: Maturity Models – Example
- Building Security In Maturity Model (BSIMM, www.bsimm.com)
  - A project that regularly compares companies from different verticals and measures their software security activities across 112 activities
  - 2013 (5th version) results, out of 67 firms:
    - 44 have an internal secure SDLC officially published
    - 57 track results reached at previously defined security gates
    - 36 require the owner's security sign-off before deployment
    - 31 enforce security gates (the project does not continue until the security requirements are met)
Slide 18: Supportive Methodologies and Tooling
- OWASP (Open Web Application Security Project) – www.owasp.org
  - The biggest resource regarding application security nowadays
  - Everything is open source
  - Everybody can start his/her own security project
  - Examples:
    - OWASP Top Ten: the most widespread application vulnerabilities
    - OWASP Testing Guide: methodology for penetration testing of applications
    - OWASP ASVS: Application Security Verification Standard
    - OWASP ESAPI: security library for Java, .NET, PHP…
    - OWASP Zed Attack Proxy: testing tool
Slide 20: Main Goals
- We spend budget on security according to the real risk
- Project teams shall have a trusted contact person guiding them through security challenges
- We steadily and actively learn from our mistakes, and also give others the opportunity to learn from them
- KISS (Keep it simple, stupid)! Build on currently lived processes and tools as much as possible
Slide 21: System Classification – 3 Security Levels
- Low:
  - Systems not likely to be the target of professional attackers
  - Mainly reputation risk in case vulnerabilities are found
  - Requirements should target mainly code quality and be aimed at quick wins
- Medium:
  - Possible abuse of client personal data (incidents have to be reported to authorities)
  - We should have solid confidence that security has been addressed and assessed consistently and reasonably
- High:
  - Systems essential for 1&1's business and those with high compliance requirements
  - These systems should be ready to withstand sophisticated attacks as well
  - Most focus on architectural and functional security
Slide 22: SDLC Requirements
- Two types of requirements:
  - Lifecycle: activities to be done during the lifecycle (e.g. penetration test)
  - Technical: properties of the target system (e.g. login brute-force protection)
- The concept: every higher category inherits the requirements of the lower one and adds new ones
- Total counts of requirements:

  Level    Lifecycle req.   Technical req.
  Low       6               42
  Medium   12               72
  High     16               84
Slide 23: Lifecycle Requirements (vs. the 1&1 Project Lifecycle)
Diagram mapping the Secure SDLC activities onto the 1&1 project lifecycle for the Low, Medium and High classifications. Activities shown: Classification, Security guide, Security trainings, Select requirements, Automated scan, Yellow Pages record, Security workshop, Doc. review, 3rd party code, Penetration test, Vulnerability management, Lessons learned, Threat model, Tailor requirements, Code review, Configuration review.
Slide 24: Technical Requirements – Categories
- Based on the OWASP Application Security Verification Standard:
  - Authentication
  - Session Management
  - Access Control
  - Input Validation
  - Output Encoding
  - Cryptography
  - Error Handling and Logging
  - Data Protection
  - Communication Security
Slide 25: Technical Requirements – Example (Brute-Force Protection)
- ID: AU-07
- Criticality: Low
- Category: Authentication
- Technology: Web Applications, Web Services
- Description: Brute force protection is provided after a system-configurable number of invalid login attempts occur against an account within a configurable period of time.
- Specification / Best Practice: More information on best practice: https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks
- Reasoning: Preventing successful brute force attacks on user credentials.
- Functional: Yes
- Responsible: Requirement Engineer
- Deadline: T2 (end of the design phase)
- QA Responsible: Test Manager
- QA Activity: Black box
- QA Scenario: https://www.owasp.org/index.php/Testing_for_Brute_Force_(OWASP-AT-004)
- QA Deadline: T3 (before rollout)
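The behaviour AU-07 asks for (a configurable number of failed logins per account within a configurable window triggers a temporary lockout) as a small Python implementation, added here as an illustration; it is not 1&1's code, and the threshold, window and lockout durations are assumed placeholder values, with state kept in memory for demonstration only:

```python
import time
from collections import deque

class BruteForceGuard:
    """Per-account lockout after max_attempts failed logins inside window_seconds.
    Constructed example for AU-07; the defaults are assumptions, not 1&1's values."""
    def __init__(self, max_attempts=5, window_seconds=300, lockout_seconds=900, clock=time.time):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock               # injectable so tests can control time
        self._failures = {}              # account -> deque of failure timestamps
        self._locked_until = {}          # account -> lockout expiry timestamp

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:        # lockout expired: forget it
            del self._locked_until[account]
            return False
        return True

    def record_failure(self, account):
        """Register a failed attempt; returns True if this one triggered a lockout."""
        now = self.clock()
        q = self._failures.setdefault(account, deque())
        q.append(now)
        while q and now - q[0] > self.window:   # drop attempts outside the window
            q.popleft()
        if len(q) >= self.max_attempts:
            self._locked_until[account] = now + self.lockout
            q.clear()
            return True
        return False

    def record_success(self, account):
        self._failures.pop(account, None)        # a good login resets the counter

def attempt_login(guard, account, password, verify):
    """Returns 'locked', 'ok' or 'failed'; lockout is checked before the password,
    so a correct password is refused while the account is locked."""
    if guard.is_locked(account):
        return "locked"
    if verify(account, password):
        guard.record_success(account)
        return "ok"
    guard.record_failure(account)
    return "failed"
```

The black-box QA scenario referenced on the slide corresponds to driving `attempt_login` past the threshold and confirming the `locked` result, including for the correct password, until the lockout expires.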
Slide 26: Requirement States
- Relevant:
  - Yes/No
  - Does it make sense to implement the particular requirement?
- In Scope:
  - Yes: the development team has to (or mustn't) do something
  - 3rd party: the application relies on another service (e.g. an authentication service)
  - Refused: it was decided not to implement the requirement
  - No: if not relevant
Slide 28: Future Plans
- Continue increasing the coverage of SDLC-guided projects
- Train and establish a satellite of Security Guides
- Continuous enhancement of the methodology
  - Agile methodologies, continuous integration / continuous delivery
  - Lessons learned from projects
- Creation of an SDLC tool
  - Department-specific project management methodologies
  - Different technologies
  - Transparency of common security measures
Slide 29: Thank You For Your Attention!
daniel.kefer@1und1.de