Secure SDLC in mobile software development

Speaker
Mykhailo Antonishyn, application security expert
I have worked in cyber security for more than 5 years.
Application security consultant at Access Softek Inc.
Co-founder of ByteCode security team
4+ years experience in fintech.
Telegram: @medwed_2015
Gmail: antonishin.mihail@gmail.com
Agenda
• SDLC vs S-SDLC
• Mobile development security process
• What tools are used for security testing?
• How to integrate security into existing processes?
• What additionally can you do?

Sections: SDLC vs Secure SDLC; S-SDLC for mobile applications; Tools; Implement into current process
SDLC vs Secure SDLC

Secure Software Development Lifecycle

REQUIREMENTS ANALYSIS
• Security Standards Compliance
• Assess the current level of maturity
• Identify Gaps
• Create a roadmap for the next level of maturity
• Security Policies and Processes

DESIGN
• Risk Assessment & Analysis
• Threat Modelling
• Attack Surface analysis

DEVELOPMENT
• Static code analysis
• Dependency checks
• Check insecure functions and libraries
• Use special plugins for security issue checks while debugging applications

SECURITY TESTING
• Static and Dynamic Application Security Testing (SAST, DAST)
• Composition Analysis
• Bug tracking tool integration
• Automated Self-Service Dashboards
• Accelerators

RELEASE
• Check issues in Docker containers
• Check and review the CI/CD pipeline

MAINTENANCE
• Monitoring issues
• Response to application emergencies
• Accelerators
Requirements Analysis

SECURITY STANDARDS AND POLICIES
• ISO 27034
• GDPR
• NIST 800-163
• NIAP
• MASVS
• Company strategy
• Local security policies

REQUIREMENTS
• Time-line
• Process and communications with teams
• Security requirements for the product
• Response plan
Design

RISK ASSESSMENT AND ANALYSIS
Risk assessment is the combined effort of identifying and analyzing potential (future) events that may negatively impact individuals, assets, and/or the environment (i.e. hazard analysis), and of making judgments "on the tolerability of the risk on the basis of a risk analysis" while considering influencing factors (i.e. risk evaluation).

THREAT MODELLING
Threat modeling is a process by which potential threats, such as structural vulnerabilities or the absence of appropriate safeguards, can be identified and enumerated, and mitigations can be prioritized.

ATTACK SURFACE ANALYSIS
Attack Surface Analysis is about mapping out what parts of a system need to be reviewed and tested for security vulnerabilities. The point of Attack Surface Analysis is to understand the risk areas in an application, to make developers and security specialists aware of what parts of the application are open to attack, to find ways of minimizing this, and to notice when and how the Attack Surface changes and what this means from a risk perspective.
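For a mobile application the first concrete artefact of an attack-surface review is the manifest: every exported component is an entry point another app on the device can reach, and a few application-level flags widen the surface further. The script below is an added example, not code from the deck or its author; it parses a constructed AndroidManifest.xml (the package name com.example.bank and the component names are hypothetical) and lists exported components, why they are exported, whether a permission guards them, and which risky flags are set. Treating a provider without an explicit android:exported as exported is a deliberately conservative choice for review, since the platform default depends on the target SDK.

```python
"""Enumerate the externally reachable surface declared in an AndroidManifest.xml.

Added example (not from the deck): lists components another app can reach
(exported activities, services, receivers, providers) plus application flags
that widen the attack surface. This is the starting point of an attack-surface
review for a mobile app, repeated whenever the manifest changes.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")
# Flags on <application> that widen the attack surface when set to "true"
RISKY_APP_FLAGS = ("debuggable", "allowBackup", "usesCleartextTraffic")

# Constructed sample manifest; package and component names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <service android:name=".SyncService"/>
    <receiver android:name=".BootReceiver"
        android:permission="android.permission.RECEIVE_BOOT_COMPLETED">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <provider android:name=".DataProvider" android:authorities="com.example.bank.data"/>
  </application>
</manifest>"""


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def exported_components(manifest_xml):
    """Return the components reachable from other apps, with the reason each is exported."""
    app = ET.fromstring(manifest_xml).find("application")
    findings = []
    if app is None:
        return findings
    for elem in app:
        if elem.tag not in COMPONENT_TAGS:
            continue
        declared = _attr(elem, "exported")
        has_filter = elem.find("intent-filter") is not None
        if declared is not None:
            exported, reason = declared.lower() == "true", "explicit android:exported"
        elif has_filter:
            # No explicit attribute: a component with an intent-filter is reachable
            exported, reason = True, "implicit: has intent-filter"
        elif elem.tag == "provider":
            # Platform default depends on targetSdk; flag conservatively for review
            exported, reason = True, "implicit: provider without android:exported"
        else:
            exported, reason = False, "not exported"
        if exported:
            findings.append({
                "type": elem.tag,
                "name": _attr(elem, "name"),
                "permission": _attr(elem, "permission"),  # None means no guard
                "reason": reason,
            })
    return findings


def risky_application_flags(manifest_xml):
    """Application-level flags set to true that widen the surface."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return []
    return [f for f in RISKY_APP_FLAGS if (_attr(app, f) or "").lower() == "true"]


def unguarded(findings):
    """Exported components with no android:permission: the first items to review."""
    return [f["name"] for f in findings if f["permission"] is None]


if __name__ == "__main__":
    comps = exported_components(SAMPLE_MANIFEST)
    for c in comps:
        guard = c["permission"] or "NO PERMISSION"
        print("%-15s %-20s %-12s %s" % (c["type"], c["name"], guard, c["reason"]))
    print("risky flags:", risky_application_flags(SAMPLE_MANIFEST))
```

Run against the real manifest after the build step (the merged manifest, not only the one in source control, since libraries can add components), and diff the output between releases to notice when the surface changes.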
Development

TOOLS / DESCRIPTION / DELIVERABLES

DELIVERABLES
• Report from SonarQube
• Security issues found while debugging applications
• Integration of the scanning tool into the CI/CD pipeline

DESCRIPTION
A static code scan and dependency checks are the first step towards truly understanding where your product's weaknesses lie, and how critical they might be to your business' continuity and reputation.
Security Testing

ATTACK GUIDES
• OWASP MSTG
• NIST 800-163
• NIAP

CRITICAL ISSUES
• Tools
• User unawareness
• OWASP Mobile Top 10
• OWASP Top 10
• Wi-Fi weaknesses
• OWASP API Security Top 10

SECURITY TESTING PROCESS
• Deploy the testing environment
• Configure testing devices
• Build the mobile applications under test
• SAST and DAST
• Reporting and remediation
• Custom exploit development and exploitation

A highly effective method of assessing security that demonstrates security weaknesses by modelling the actions that a real attacker would take.
Release

FACTORS
• obtaining feedback from end-users in order to make appropriate tweaks
• confirming that the software in production meets customer and user needs according to the initial requirements
• conducting maintenance and support tasks
• confirming that the software works as optimally in the production environment as it did in the development environment

DESCRIPTION
The release phase of the Software Development Life Cycle (SDLC) is traditionally associated with production, deployment, and post-production activities.

In this phase, post-production tasks (after deployment) in traditional SDLC models do not greatly involve development engineers. Operations admins and security engineers typically complete most of these functions, which may include software monitoring, security testing, incident response, etc.

In the Secure Software Development Life Cycle (SSDLC), developers are responsible for completing additional security tasks, which, even in the post-production stage of the release phase, integrates security with development.
Maintenance
• Continuous monitoring and logging of the software
• Using monitoring tools to watch for security events and trends for attack signatures
• Monitor 3rd-party libraries for external vulnerabilities
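The "Dependency checks" item of the Development phase and the "Monitor 3rd-party libraries" item of the Maintenance phase are the same check run at two different times: at build time to block a release, and continuously because advisories are published for versions that were clean when they shipped. The script below is an added example, not code from the deck or its author. It parses dependency coordinates out of a constructed app/build.gradle fragment and matches them against an advisory table that is also constructed for the example (the ADV-EXAMPLE-* identifiers and the affected version ranges are made up for illustration and do not describe real vulnerabilities in the named artifacts); in practice the table would come from a vulnerability database such as the one a composition-analysis tool queries.

```python
"""Match declared Gradle dependencies against an advisory list.

Added example (not from the deck). The advisory data below is constructed for
illustration only; real checks pull it from a vulnerability database.
"""
import re

# Constructed sample: lines as they appear in an Android app's build.gradle
SAMPLE_GRADLE = """
dependencies {
    implementation 'com.squareup.okhttp3:okhttp:3.12.0'
    implementation "com.fasterxml.jackson.core:jackson-databind:2.9.8"
    implementation 'androidx.appcompat:appcompat:1.2.0'
    testImplementation 'junit:junit:4.12'
}
"""

# Constructed advisories (NOT real data): affected if introduced <= version < fixed
SAMPLE_ADVISORIES = [
    {"package": "com.squareup.okhttp3:okhttp", "introduced": "0",
     "fixed": "3.12.1", "id": "ADV-EXAMPLE-0001"},
    {"package": "com.fasterxml.jackson.core:jackson-databind", "introduced": "2.9.0",
     "fixed": "2.9.10", "id": "ADV-EXAMPLE-0002"},
    {"package": "junit:junit", "introduced": "0",
     "fixed": "4.13.1", "id": "ADV-EXAMPLE-0003"},
]

# configuration 'group:artifact:version'   (single or double quotes, optional parentheses)
DEP_RE = re.compile(r"""^\s*(\w+)\s*\(?\s*['"]([^:'"]+):([^:'"]+):([^'"]+)['"]""")


def parse_gradle_dependencies(text):
    """Extract (configuration, group:artifact, version) from Gradle dependency lines."""
    deps = []
    for line in text.splitlines():
        m = DEP_RE.match(line)
        if m:
            config, group, artifact, version = m.groups()
            deps.append({"config": config, "package": "%s:%s" % (group, artifact),
                         "version": version})
    return deps


def version_key(version):
    """Comparable key: numeric dotted prefix, then 0 for a pre-release suffix, 1 for none.

    Simplification (assumption): any suffix such as '-rc1' sorts below the bare release.
    """
    m = re.match(r"(\d+(?:\.\d+)*)(.*)", version)
    nums = tuple(int(x) for x in m.group(1).split(".")) if m else ()
    has_suffix = bool(m and m.group(2))
    return (nums, 0 if has_suffix else 1)


def is_affected(version, advisory):
    """True if version falls in the advisory's half-open [introduced, fixed) range."""
    key = version_key(version)
    return version_key(advisory["introduced"]) <= key < version_key(advisory["fixed"])


def find_vulnerable_dependencies(gradle_text, advisories):
    """Join declared dependencies with advisories; each hit records the fixed version."""
    findings = []
    for dep in parse_gradle_dependencies(gradle_text):
        for adv in advisories:
            if adv["package"] == dep["package"] and is_affected(dep["version"], adv):
                findings.append(dict(dep, advisory=adv["id"], fixed=adv["fixed"]))
    return findings


if __name__ == "__main__":
    for f in find_vulnerable_dependencies(SAMPLE_GRADLE, SAMPLE_ADVISORIES):
        print("%s %s (%s): %s, upgrade to %s"
              % (f["package"], f["version"], f["config"], f["advisory"], f["fixed"]))
```

The `config` field matters when triaging: a hit in `testImplementation` never ships in the APK and can be scheduled, whereas a hit in `implementation` is in every installed copy of the app and belongs in the maintenance response plan.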
WHAT ELSE?

External Security Audits

| Criterion                  | Automatic Scanning                               | Vulnerability Assessment                          | Penetration Testing                               | Red Teaming                                 |
| Scope                      | Defined by scanner                               | OWASP Top 10 and beyond                           | Defined by organization                           | Identified by Red Team                      |
| Objective                  | Uncover many vulnerabilities                     | Uncover many vulnerabilities, false-positive free | Penetrate into the system and meet specific goal  | Continuous simulation of real-world attack  |
| Threat Emulation           | Basic                                            | Basic                                             | Advanced                                          | Advanced and persistent                     |
| Rules                      | Defined by scanner                               | Well defined and agreed                           | Well defined and agreed                           | Anything goes                               |
| Employee Awareness         | Typically aware                                  | Typically aware                                   | Discussable                                       | Limited number                              |
| Vulnerability Scanning     | (yes/no marks not preserved in the extracted text) |
| Manual Testing             | (yes/no marks not preserved in the extracted text) |
| Simulating Attackers       | (yes/no marks not preserved; one cell reads "Partially") |
| Social Engineering         | (yes/no marks not preserved in the extracted text) |
| Physical/Wi-Fi netw.       | (yes/no marks not preserved; one cell reads "per request") |
| Required Security Maturity | Just running application (DEV, UAT env.)         | Just running application (DEV, UAT env.)          | Production-like infrastructure (Pre-PROD env.)    | Production environment with Blue Team       |
| Typical Duration           | Recommended only as a part of other assessments  | 2 weeks                                           | 2-4 weeks                                         | Continuously                                |

Recommended levels of security testing services according to the customer's maturity level of security processes and posture (chart; depth increases from left to right):
Auto Scanning: 2-3 days -> Vulnerability Assessment: 2 weeks -> Penetration Testing: 2-4 weeks -> Red Teaming: Continuously
Bug Bounty

Trainings
• Security news for the specific technologies in use
• Updates
• Vulnerable and security libraries
• Security plugins
• Tools for security testing
Code Protection

TOOLS

CODE HARDENING
• Obfuscation of the names of classes, fields and methods, and of arithmetic instructions, control flow, native code and library names, resources and SDK method calls
• Encryption of classes, strings, assets, resource files and native libraries

RUNTIME APPLICATION SELF-PROTECTION
• Detection of debugging tools, emulators, rooted devices, hooking frameworks, root cloaking frameworks and tampering
• SSL pinning and WebView SSL pinning
• Certificate checks

CODE OPTIMIZATION
• Removal of redundant code, logging code and metadata, unused resources and native libraries
• Code and resource optimization
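SSL pinning is the runtime self-protection item that most often breaks in production, usually because a certificate was rotated without a backup pin or because the host pattern did not cover the new endpoint. The code below is an added example, not code from the deck or its author, and it is not a specific library's API: it evaluates a pin set the way a mobile client's network layer would, with a pin being "sha256/" followed by the base64 SHA-256 of a certificate's DER-encoded SubjectPublicKeyInfo. The host-pattern rules ("*." matches exactly one extra label, "**." matches any number) and the fallback policy for hosts without pins are this example's own choices, and the SPKI byte strings are constructed stand-ins for real DER blobs.

```python
"""Pin-set evaluation for a mobile client's TLS layer.

Added example (not from the deck, not a specific library's code). A chain
passes when any certificate in it matches a pin configured for the host.
Keeping a backup pin for an offline key is what makes rotation survivable.
"""
import base64
import hashlib


def spki_pin(spki_der):
    """'sha256/<base64>' over the DER SubjectPublicKeyInfo bytes."""
    digest = hashlib.sha256(spki_der).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def host_matches(pattern, host):
    """Own pattern rules: exact host, '*.x' = one extra label, '**.x' = zero or more."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("**."):
        suffix = pattern[3:]
        return host == suffix or host.endswith("." + suffix)
    if pattern.startswith("*."):
        suffix = pattern[2:]
        return host.endswith("." + suffix) and "." not in host[: -len(suffix) - 1]
    return host == pattern


class PinSet:
    def __init__(self):
        self._entries = []  # (host pattern, pin)

    def add(self, pattern, *pins):
        for pin in pins:
            self._entries.append((pattern, pin))
        return self

    def pins_for(self, host):
        return {pin for pattern, pin in self._entries if host_matches(pattern, host)}

    def check(self, host, chain_spki_der, require_pin=False):
        """True if the chain satisfies the pins for host.

        Hosts with no configured pins pass by default (trust-store validation
        still applies outside this function); require_pin=True turns that into
        a failure so an unpinned endpoint cannot slip in unnoticed.
        """
        expected = self.pins_for(host)
        if not expected:
            return not require_pin
        return any(spki_pin(spki) in expected for spki in chain_spki_der)


# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (not real keys)
LEAF_SPKI = b"constructed-spki:leaf-key-current"
BACKUP_SPKI = b"constructed-spki:backup-key-held-offline"
INTERMEDIATE_SPKI = b"constructed-spki:intermediate-ca"
UNKNOWN_SPKI = b"constructed-spki:some-other-key"


def build_sample_pinset():
    """API hosts pin the leaf key plus a backup; the CDN pins its intermediate CA."""
    return (PinSet()
            .add("*.example.com", spki_pin(LEAF_SPKI), spki_pin(BACKUP_SPKI))
            .add("cdn.example.net", spki_pin(INTERMEDIATE_SPKI)))


if __name__ == "__main__":
    ps = build_sample_pinset()
    print("current leaf :", ps.check("api.example.com", [LEAF_SPKI, INTERMEDIATE_SPKI]))
    print("after rotation:", ps.check("api.example.com", [BACKUP_SPKI, INTERMEDIATE_SPKI]))
    print("unknown key  :", ps.check("api.example.com", [UNKNOWN_SPKI]))
```

Pinning the intermediate rather than the leaf (as the CDN entry does) tolerates routine leaf renewals but trusts every certificate that CA issues; pinning the leaf is tighter but only safe with a backup pin whose private key is kept offline.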
Domains

We work with tech start-ups & enterprises to achieve accelerated hyper growth / time to market, through 'software engineering excellence', providing access to the best emerging technology teams.

Governance, Banking, FinTech, eCommerce, Telecom, Energy, Blockchain, Automotive, Crypto, Health care

Q&A
