
The Journey To A Secure Software Development Life Cycle

BSides Belfast · 2016 · 42:29 · Published 2017-09
About this talk
BSides Belfast 2016
Transcript [en]

Good afternoon. Two years ago I was given a task to design and lead the implementation of a secure software development life cycle. My talk today is inspired by the path that I took, and the path I would take if I were given the same task again. I'm going to give a quick introduction about myself, then I will cover some useful standards, after which I will cover the core building blocks in establishing a formal software development lifecycle, and I will cover how you can add security layers on top of that. I have been working in IT security and software development over the past 20 years. I have led software development teams, designed development life cycles, assisted companies with performing

vulnerability assessments and penetration testing, and audited source code with regards to security vulnerabilities. I've assisted companies with complying with the Payment Card Industry Data Security Standard and the Payment Application Data Security Standard. I've assisted companies with information security management systems based on ISO 27001, and in my role as a manager at KPMG I would also regularly audit software development life cycles as part of either external or internal audits. The first standard I want to mention is ISO 27001, and those of you who are familiar with ISO 27001 know that this is not actually a software development related standard; this is the standard that guides you in how to implement a formal information security management system. So why is that important? Why is that the first standard

that I mention? The reason is this: in order to be able to establish a formal secure software development life cycle, we need a strong, secure foundation, and some of the things that we get from an ISMS implementation based on ISO 27001 include things such as management conveying their support for information security, an information security policy, and a formal process for access control management. Somebody had to sit down and decide and document how access should be managed: who is allowed to apply for access, who is authorized to approve access, what is the process. Once this has been documented it can actually be audited once a year, of course, when somebody asks. Another thing is

formalized backups. Once you have formalized backups, you have documented how backups are being performed, how it's done, and apart from that we're talking about frequency for key information systems. Let's take an example: a source code repository. For a small company you might want to take a backup once a day; in other cases, if you have 150 or 200 developers who do one commit per minute, or in other cases you just want a separate server in a different geographical location and replicate the data between the two. Another thing that's very valuable is to have a business continuity plan. This again means that management, with their budgets and with risk assessments, have decided the priority of the recovery of the IT

systems, so in case there's a fire in your server room they know exactly how long it should take. Again, for a small company, for it to take a couple of days, let's say after a fire in a server room, to re-establish the network, your domain controllers, your production, development and testing environments, and then get the business operating again, is acceptable; in other cases, when you have a lot of developers, it can cost you a lot of money. Those of you who have heard about ISO 27000 standards may have heard about the ISO 27000 standard series. There's ISO 27001, which is a requirements standard that defines requirements for establishing an information security management system, and there's plenty of other 27000 standards out there. So ISO

27002 gives you guidelines on how to implement the controls referenced in ISO 27001. ISO 27005 guides you in how to perform risk assessments, and there's plenty of other ISO 27000 standards, but one thing I will mention is ISO 27034. This standard is independent of software development methodology and it gives a number of controls that you plug into your software development process. Parts one and two have already been published, and part four was scheduled and was supposed to define the certification requirements, and the idea was that if you implemented ISO 27034 you could actually get your software development lifecycle certified to ISO 27034, just like you get your

information security management system certified to ISO 27001. However, part four has been cancelled; I'm not sure if it's indefinite or not, but even though you cannot get ISO 27034 certified, a lot of companies are claiming compliance, and this includes a lot of big companies, including Microsoft. There are a couple of others that I want to mention. Those of you that work for a company that handles payment card data, such as credit card numbers, you need the Payment Card Industry Data Security Standard; if you're developing software that handles card numbers you need to comply with the Payment Application Data Security Standard. But if you are a software development company and you're not doing either of those things, you can still download those standards for free, go

through all the controls and select the ones that you would like to implement. What I like about the PCI DSS standards is that, first of all, they're free, and the other thing is that you get three columns: the first column lists the controls, the second column explains how you can implement each control, and the third column gives guidance to an assessor or an auditor on how he should evaluate the controls, so they give you a pretty deep understanding of the controls in question. And keep in mind that PCI DSS and PA-DSS are free. If you just want to see a copy of ISO 27001 and 27002, you have to pay a few hundred dollars, and if you want

to get a single copy of part one and two of ISO 27034, that's going to be a few hundred dollars as well. The last standard that I want to mention is the Open Software Assurance Maturity Model. It's maintained by the Open Web Application Security Project; they have a lot of other cool projects and this is one of them. What they've done is they've taken the software development process and broken it down into four different business functions, and each business function has been broken down into three different security practices, and for every security practice you get a questionnaire: have you implemented X, have you implemented Y, etc., and based on the

response you're going to get a score between 0 and 3. This is good in two parts: first of all, it will tell us where we are today, and the other part is you can actually set a goal for the future. So let's say for one particular security practice we set a goal that by the end of the year, or next year, we reach level two, and it actually tells us what it is that we need to do to implement it. I do want to mention that there are plenty of other standards and guidelines out there that guide you in implementing and designing a formal secure software development life cycle; however, I felt that a lot of people are usually familiar with these, and these

There's no right way, even though I do like my way. But what I want to do now is cover the core building blocks in establishing a formal software development lifecycle, and the way I want to do it is to use an imaginary small to medium-sized enterprise where the software development maturity level is at its infancy, and I want to cover how I would slowly add to that process. Before I do that, I do want to mention that prior to me going about this journey I did read a lot of articles relating to the issue, and pretty much all of the articles I read came up with the same number: that you should expect the implementation

time to take between two and three years to establish a formal secure software development life cycle. In our case it was about a year and a half, but you have to keep in mind there are a lot of things that can play a part: how many things have you already implemented, how many software developers do you have, how open are the software developers to changes, and also how loaded are your software developers; do you have a lot of unrealistic deadlines? People are familiar with that. But what will inevitably happen when you start creating new processes or training your software developers to use new tools is that it will slow down the software development during a certain

learning period. But as it was in our case, and in the articles that I read, there's always a positive return on investment, so once everything's in place and starts working like a machine you're really good. I guess the only thing that I would add is that if you decide to go on this journey, then I recommend, from experience, not to try to change too many things at the same time. If you have 10 different things that you want to change, just change one at a time; let people adapt to what's going on. OK, so let's get back to our imaginary company. I will talk about a number of things. So the first thing I want to do

is we're going to decide on the software development methodology, and in our case we're going to choose Agile, namely Scrum. The next step I want to do is formalize this. What I mean by formalize, in my case I'm talking about documenting it, or from an auditing point of view you want to design it. One common error, the thing that I don't like to see when people start formalizing things or documenting things, is that they document all these unnecessary things. You don't need to document what Scrum is; you don't want to put in pages about what Scrum is. You should always assume that the person reading the documentation has some basic

understanding. What you want to document is how you are going to implement Scrum, and this could be some basic things: what should be the composition of your Scrum team, like the number of people; do you always want to have one database person; do you always want to have one person that has skills in X or skills in Y; how long should your sprints be, should it be two weeks, four weeks, six weeks; should the Scrum team be allowed to select the sprint period; who is allowed to create a user story; who is allowed to create a task; who is allowed to add a task to an already running sprint. Once you've decided on all this, then you might want to digitize it. Once I did an audit of

a financial institution in Iceland and they had just recently adopted Scrum. Their head of IT was really excited, talking about how the speed of software development has increased. He shows us the documents; we go through the documents, everything was really well done, and then he brings us into the offices of the software developers and he shows us the whiteboard, and it goes like: yes, so here you can see we have these post-its, and on the far left we have tasks that are in this sprint that have not yet started; in the next column we have tasks that have started; in the column after that we have a list of tasks that have started, hit a roadblock and are on hold; in the next one we have a

list of tasks that are being tested; in the final column, a list of all the tasks that have been closed, that have been tested, passed testing and have been finalized. Well, OK, this looks really good, but tell us how you keep track of your change history, and he's like, oh, they didn't quite think of that, so they just throw away the post-it notes. That's why I would say the second thing you want to do is you want to digitize your Scrum board, and there's plenty of tools out there: Microsoft TFS comes with a digital Scrum board, you have JIRA, you have Trello, because you want to be able to keep a change history, especially if you have

software that you're developing that is either performing financial transactions, or creating information for people to base transactions on, or healthcare related events, you do want to have a change history, and try to make sure nobody is in there that shouldn't have access. The next thing I would do is select the source control system. Most of you will probably have a source control system in place, but this is a chance to change it. Even though in theory you could change your source control system at any time, during this implementation phase you'll be training your software developers to use new tools and follow new processes, so this is the ideal time to actually implement a new source control system. So we're going to

pick Subversion, and of course at every single step we'll be adding to the process, updating our software development process document. Ideally it should be a live document, so you can put some rules in there, and if it doesn't work, don't be afraid to go back, remove it, add something else. So now we're going to use Subversion, but how are we going to use it? Do we want all our software developers to be working on the trunk, or do we want all of our software developers to branch for each single change and then merge into the trunk when the change is done, or do we want

all of our software developers to be always working on the trunk, except if they're making changes that they believe will break the software, and then they branch and merge back in? These are simple questions, but it's really useful to have made a decision on these things and have them documented. This sort of stuff just prevents misunderstanding, and that's really a big part of why we're formalizing the process to begin with: to prevent misunderstanding and to optimize the entire process. Now one other thing that I want to mention is release versioning. We actually have a problem with that in Iceland. In the past, when I've been assisting companies with performing penetration testing, I've found countless security vulnerabilities in software that they

bought from Icelandic software vendors. What happens is they contact the software vendor, notify them of the vulnerability, they get a really nice thank-you letter back, and a few weeks later they get an email saying, hey, thank you for notifying us about the security vulnerability, we've now fixed this, but if you want to get the security patches, the only way to get the security update is to upgrade to the latest version, and it's going to cost you a few tens of thousands of dollars. For a big company that may not be a big deal, but for small companies it can be very painful. So with release versioning,

in most source control tools such as Subversion you can actually tag a version of your software whenever you release it, so you have version 1.0, 1.1, 2.0, 2.1, and let's say a security vulnerability is discovered that applies to the entire line, and let's say it's a one-liner that you need to fix, SQL injection or something. Then, if you've done your release versioning, you can just check out every single version, do this minor update, create your binaries, get them to your clients, and increase your clients' security and your reputation. OK, so now we've decided on our software development methodology, we've formalized it, we've decided on a source control system. The next thing we want to do is we want

to connect the two. There is no reason that I can think of that a software developer should be allowed to commit some source code without having it approved by either the business owner or the Scrum master, and ideally, especially for sensitive software, you want to be able to track every source code change to a particular task. There was one case when I was working with a software developer with over a decade of experience of software development, but he wasn't used to a formal methodology, and this software developer really enjoyed trying to increase the performance of already running services. So he was once tasked with adding a function to an already running service, and he completed

the task, which is fine. Those changes went through testing, went into production, but then everything crashed, so we had to do a rollback, and when we started looking through things we found out that he had modified a different service. His intention was to optimize it, but at the time we did not have automated tests; we had not yet implemented automated testing, so we did manual testing, and it was based on release notes, on what had been changed. So what we had to do is basically we had to talk with the software developer, and that meant talking with all the software developers, and just say, you know, we really appreciate it if you want to do optimization of our services, that's really positive,

and also if you see some security bugs or there's any software development bugs that you want to fix, we just request that you talk to the business owner or the Scrum master to get a task for that particular thing, because we want to be able to track every code change to particular tasks. He got on board, and I believe it was just one case where he got rejected when he asked to add tasks to an already running sprint, but he got it afterwards, so that was actually quite feasible. Ideally you should have at least three different environments: you should have a software development environment, a testing environment and a production environment, and if your production environment has

either internal or external users actively using it, you might even want to have a fourth one, a staging environment. We had an issue there as well. The same developer at one point had been given a task; similarly, he was asked to add a function to an already existing service, which he did. He was now creating tasks for everything extra, so we were able to keep track of all changes. At the time he had administrative access both to the testing environment and to the production environment, and he was requested to please put the binaries in the testing environment, and it got tested, and he was asked to put it into

the production environment. Our client started using this new function; everything worked great. A few weeks later another software developer was asked to add a new function to the same service. He does the same thing, it goes for testing, and at this time we still didn't have our automated tests up and running, so the way it was tested was based on the release notes, and it passes testing and is put into production, and we start getting phone calls. Our clients are asking, where's this function that you added a few weeks ago? The function was missing, so we did a rollback, sort of scratching our heads, tried to go through the source code; we could not find the first function that was

added. So after much digging around we found out that the software developer had been doing some optimization exercise and had checked out the source code to a different directory than the one he usually worked in, and he did the task that he was assigned on that other directory, and when he was asked to put those services into the testing environment he basically built it and put the binaries there, and what may even have happened is that when he was asked to put this into production he may have rebuilt the service and put that into production, those binaries, so not the actual tested binaries. But everything worked, so it wasn't a big issue then; it wasn't until we

decided to update it. The way we decided to solve this issue was we took away administrative access to the testing environment and production environments, and we went for separation of duties, so another person got the responsibility for putting our services into the testing environment, and the way that would be done: they would check out the latest source code, build the binaries, put the binaries into the testing environment, and when they would pass, they would take those binaries and put them into the production environment. Also, something to keep in mind: if you have sensitive data, usually in the production environment, you don't want your software testers or your software developers to have access to

that, and even in the testing environments you don't want software developers to be accidentally interrupting tests, so if you enforce that through access control that's probably a smart idea. So now I'm going to cover how to add more security. What we've covered so far is basically formalizing things. The way I look at it, we've been adding a lot of security so far: we've been preventing misunderstandings, we're preventing potential downtime, but now we actually come to adding security layers to the lifecycle. So once we have all those processes in place, the next thing we did was we decided to start differentiating between bugs and security bugs, and we updated the document, like always, to define that if a critical security bug

is reported, then the business owner and either a security architect or the chief information security officer have to decide how to respond to that vulnerability within 24 hours; for other security bugs, a decision has to be made within three business days. OK, so we updated the document, but now we have to start training both our software developers and our testers to be able to identify what's a security bug, how it differs from a different type of bug, and how to evaluate them. So the next thing that we did was secure coding training, and there's plenty of training out there you can find. I believe OWASP has some project that has some videos that demonstrate the OWASP Top Ten;

you can probably find some free YouTube videos; then you have some companies like Codebashing, you can buy access there; and of course there's plenty of computer security companies that are happy to take your money to give you some training. But what I would recommend is, whatever training path you decide on, you should adjust the training to your environment. If you're developing .NET apps, don't buy the class on PHP secure coding practices. In my experience, the more you can associate it with the environment that people are already working in, the easier it is for them to understand. So if they're doing .NET, get training on .NET; Java, Java. And also another interesting thing, and this is something that didn't work in our case in

the beginning, the first time I did the secure coding training, but in the future, the next time you hold secure coding training, try to use input from the reported security bugs. In my experience it's much more useful to be able to say, these are the security bugs that were discovered in our software; you know, you're not saying you did that, but you know this is something that happened within our company. You want to explain that security vulnerability, possibly explain how the vulnerability might be exploited, but the most important thing is you want to explain how to prevent it. OK, so this extra security layer has been added. The next thing

that we did was we started a secure coding practices document, and this is a good place to put security practices such as, let's say, input validation. Ideally, in my opinion, it should be as easy to use as possible; preferably you just want to have code snippets that your developers can copy and paste. So input filtering, or let's say that you were writing services for multiple companies, where, you know, roles work a little bit differently, and you would frequently have to do user authentication with username and password: just decide on how your authentication needs to be created, this is how you're going to do it, just have a little bit of text describing why it's important, and

then just have a code snippet that you can copy and paste. Same thing with session management or anything that you find applicable. And whenever a security bug is discovered, it's a good idea to look back at the secure coding practices document and evaluate: is it possible that this security vulnerability would happen again, or that it is somewhere else? If yes, put some text into your secure coding practices document. OK, so we've added this extra layer. The next layer that we added was a design and design review layer. What this means is whenever a software developer was starting a sprint, he would write a design document, and it's not a complex

document. Let's say that he was supposed to implement a function; he would simply write: this is the expected input, this is the expected output, and this is what we're going to do. Of course, if it was an entire service it might be a few pages. This turned out to be very useful; it prevented a lot of misunderstanding. There were cases where the task was not clear enough, or actually wrote down something incorrect, or the software developer had misunderstood something previously. So once the software developer had finished the design document he requested a design review meeting with the business owner and a security architect, and at the beginning we were able to prevent a lot of misunderstandings and

catch a lot of potential security vulnerabilities before they actually got implemented. OK, so that was that. At the next layer we decided to add threat modeling, so I started training our software developers, and inevitably our business owners as well, to perform threat modeling during the design reviews, and we started to go with Microsoft's STRIDE, which stands for spoofing, tampering, repudiation, information leakage, denial of service and elevation of privilege, and that turned out to be quite useful. It took us probably five or six weeks at least until they were fully able to just do it themselves, and another thing we did is we requested that if you did modification to some sensitive parts, either authentication related, or encryption related, or credit card

or payment card related or some other sensitive things, you were asked to bring in a security architect. OK, so once this was in place, we added another layer: we started to do secure code audits with a focus on IT security. At least in our case it wasn't quite realistic to do a code audit every time source code was modified, so the first thing we did is we did a risk assessment to try to evaluate where external actors can actually add some inputs to our products, and where are the sensitive places, like authentication, encryption, handling of sensitive data, and based on that, whenever source code in those areas was modified we would do a code

audit on those code changes, and sometimes, if we had extra time, which was rare, we would do a random code audit on something else. So the final layer that we decided to add was to start doing penetration testing before releasing our products, and a little bit of fuzzing as well. And as I said, this is how we worked internally, but you should look into external factors as well. So if you have clients, you want to make sure that there's a communication channel between you and your clients to notify each other about security vulnerabilities. If you detect a security vulnerability in your product, you want to make sure that before you discover it you actually have

the contact information, such as email addresses of the operational people at your client, so you could just have a simple mailing list you can send out emails to, to notify people about security vulnerabilities. Another thing that you want to keep in mind is you want your clients and possibly other people to be able to let you know if they find a security vulnerability in your software or your services. So one thing you can do is you could have something on your website: please notify us if you find security vulnerabilities, thanks. Well, obviously that could be misunderstood, so some people might think, oh, you're just giving me license to try to hack your

stuff and just let you know if I find something. So try to be specific. You might want to say, you know, we don't allow anyone to do reverse engineering, but if you do however find security vulnerabilities we would really appreciate it if you would notify us. And something you also want to do, that people sometimes forget, is you want to include the expected time for you to respond to notifications. So you should put there something that you can stick to; you should say you're going to respond to security vulnerability notifications within 10 business days or 5 business days or something. As well, you might consider

having an internal security portal, a sort of vulnerability management, where you can map out all the security bugs and all the potential vulnerabilities. You may want to look into establishing an incident response process, so you can plan ahead of time if you have the process in place, like how you should do forensics, how you should communicate with law enforcement; you might even want to set up a separate process for assisting your clients if they have a breach or an incident. I guess the last thing that I would recommend considering is a bug bounty, and for those of you who are not familiar with a bug bounty, there are companies such as HackerOne or Bug

crowd, and they have a huge network of security researchers that either do security research full-time or part-time and have a full-time job somewhere else, and they establish a connection for your company with these individuals. It's very similar to the security notification that we mentioned earlier; they'll actually help you to map out what is allowed, which servers or which services, which software is within the scope, you know, whether other things are allowed, et cetera, and then you will have to decide also on, you know, what sort of bounty you are going to offer: just name recognition, give out t-shirts, or would you give out a hundred dollars for a cross-site

scripting vulnerability, five hundred dollars for SQL injection? Obviously, the more monetary incentive you give, the more likely people are to look at your services. But again, first of all you want to have your internals working really well, and hopefully you've found all the vulnerabilities, especially if you're going to do monetary compensation; otherwise it's going to get really expensive fast. But also you want to make sure that once you get a report about a vulnerability you can actually react and fix it, and ideally you should try to be able to fix it within 90 days. That's what I wanted to cover. So, questions? Did we do some time estimation about the testing

implementation time? Yes. So for example, one of our problems was that we had a lot of deadlines to meet, so we didn't have a lot of resources to create tests, so we had to do manual testing; a lot of things take time, but if you're able to automate it, if you have the resources to create the tests first, ideally, if you have the time and you have the resources, whenever you create a new function you should ideally at least write a unit test for it, preferably an automatic test as well, like a functional test. If you do that, that should speed up time as well, definitely, and I think where you can save time is good, and

there are even tools out there like Veracode, I'm not sure if you're familiar with that; if you have the budget for those, they do static analysis of your binaries. You just compile them with debug information and send them to them, and they will attempt to find, you know, injections, buffer overflows, all these different things. Of course they cannot identify logical vulnerabilities, but they are very good at what they do. So if you have the budget and use them early on, you can actually use that as a sort of training for your employees. So it all comes down to how much money you have,

how fancy you can make your stuff. Yes? For us it turned out to be very easy; for some reason we were lucky, everybody liked the idea, and the way we did it is we just said we want you to document as little as possible. That's the same thing as I mentioned earlier: whenever you formalize something, please don't put any text in there that doesn't have to be there, just so that people can understand what you're talking about. So creating a design document for a function shouldn't take more than half an hour, and the business owners were very accessible as well, so that played a big part. If

you're unable to get access to your business owners, yeah, that's where it can be difficult to work, but the best way I found is basically education, the sooner you catch onto this, because usually people are not intentionally doing this; either they're being pressed with unrealistic deadlines, or they have already decided it's just going to take too long to do it in a secure way, you know, we need this tomorrow. So you do have to have management support in order to do this as well. At least in my experience, if you do things properly, unless there's some real big race with a nearby competitor, it's usually always

worth waiting just a few more days to get the

Yes, it is. Before, we already had a couple of sessions with security, so people were familiar; we'd given some demonstrations of vulnerabilities, so there was a certain understanding already in place. So that was just like, all right, this is what STRIDE is, these are the parts of it, and I believe we downloaded the cards that you can get from Microsoft; they didn't work that well, but it helped some people, like looking through them, but it was more just an exercise during those meetings. And so the design review meetings were a bit longer in the beginning, where he would just again go through every single possible threat, and it was a brainstorm: remember, you know, this and that,

we discussed that, that was because of this sort of thing, there could be something like this that could be in this code or this application. It is repeating a lot of the stuff from the secure coding training, and just trying to get people to think. And we were doing two-week sprints, so people were always doing this threat modeling, at least for a few weeks, and they were supposed to come in afterwards, which I believe they all did, but our purpose was to get it into their minds, so I'm pretty sure we could have actually told them, OK, you don't have to do the threat modeling in the design review

meetings anymore, at some point, when they actually had the understanding, but we decided to keep it in there anyway, so we just did it faster. Yes, that is very valuable as well. So the threat modeling we did was in the design phase, but you should also be doing it after, when you look at your own system. We sort of did that in the penetration testing part; we always did it, it's just like repeating the same thing again. So yeah, I think we're out of time. [Applause]