
I am glad to see you live. I am even more glad to see that there are ladies among you. Honestly, I rarely see ladies at cyber security conferences. I will be glad to have more wishes for speakers next year. So, girls, the earth is on your shoulders. Now, what we will present with my colleague Jordan Popov is a very broad topic, part of the much broader cybersecurity domain - how to implement security in the software development life cycle. Since the topic is quite extensive, we have a very short time, we will start from the general to the private or maybe with things you know for the moment. Who are we? Me and Dania work at ScaleFocus. Dania is a security engineer, a very good programmer. He was,
still is, but we managed to catch him in the dark. I am in charge of monitoring the cybersecurity team and the entire business that is connected to clients and the sale of cybersecurity services in the company. As a background, I was a programmer for a very short time. I then went through quality assurance, automation, for about 10 months I was a DPO, so I also had access to various regulations. At one point we reached penetration testing and security, and in general it was love at first sight. We stayed for longer, we had the opportunity to develop it and to create a whole team, with which we continue to develop both services and knowledge. Ignorance is the root
cause of all difficulties. Last year I was a lecturer at another conference, which had diverse colleagues from this sector. We had developers, quality engineers, DevOps, network engineers and security, of course. When I asked them in their projects, in their companies they work in, if there are people who deal with security, someone who ensures the safety of the given development, product or what they do, They said no. I asked who is taking care of the safety? No one was. In general, when we don't have such people, and even if we do, we are responsible for the safety of the work of each one of us. Why is this happening is an interesting question. These are some
principles that I suggest to be adopted by everyone. The first one is Security as Everyone's Responsibility. Exactly what I wanted to say. Regardless of whether we have people who are involved in the security of the development we do, despite everything, the fulfillment of security remains in the commitments of each one of us. Even if we assume that we have a person, a security engineer who will help us, or a whole team, the work we do requires us to implement some security measures. The person who works with us in the team, who helps us, can give us directions, but at the end of the day cannot constantly follow every step of ours. Why? This is very important to understand, because in the teams in which in general
case software development takes place, everyone looks at their own direction. It is important to look at the big picture and to be able to see the whole vision for this project, how it will happen and, accordingly, where there would be problems. The second principle, which we will focus on, is prevention. I have an opinion that pen testing and security testing as a whole is something very complicated, but it is implemented at a very late stage, before a given product is released live or later. It is difficult to tackle all the problems, limiting a lot of things, including the knowledge of the person who does it, the access he has and eliminating all the problems leads to a slowdown of the entire delivery
of this project. And I would say that it is a much cheaper start than implementing security in the beginning. And the last thing, there is no 100% certainty, I am sure that everyone of you knows it, why I am saying it here, even if we do all the work in the ring, we will have problems again. The question is what problems and how many layers in defense we have put on our development. And here comes something very important, something I missed to say, that one of the main parts of my job, I deal with consultants of various large companies in healthcare, in the financial industry, in energy trading. It is very important how we will deal with this wonderful triangle, which most of you know, security, usability and
functionality. I will give a very simple example. Let's say that our company would like to implement a new website that is for the company. And, accordingly, they want it to be convenient for business, to be user-friendly, to have, accordingly, all kinds of settings so that it is easier to find our clients, so that our colleagues can use it more easily and, accordingly, to be secure. And now everyone is starting to move towards his side. I will say as a security specialist, let's say we have three different solutions or two in case it is easier to have a WordPress platform and let's say we have a company that can deliver a custom solution, a very
well-built website, which is very secure, very well made, very expensive. And I will start to move to my part, here, for security. Yes, but this will make my colleagues' work much more difficult, who will really use this site. It is not user-friendly, it is very expensive and we will not have a budget. If they can't use it, it will be a shame that it is secure. And in general, we all always struggle to stay somewhere here and there in the middle. And the gap is very narrow. And it is not necessary for people who deal with security to make such decisions that are also useful for business. That is, I may want to make it
very secure, but if this will not benefit us from a business point of view, nor from the people who use it, we have to make some compromises that are useful for everyone. But even if this happens, even if we do everything like people, there comes a moment when the end user comes. Things we are not prepared for and we have to improvise at the moment. These are the simple principles that I believe if adopted in each team would have a very serious success. And since I said we will talk about the Software Development Life Cycle, this is an example picture of what a Software Development Life Cycle looks like. Now, depending on which methodology we are looking at, it is between 5
and 6 phases. This is how it looks standard. Basically, we implement security here in Testing and Integration and possibly in Implementation. This is what my colleague Svet was talking about. Yes, for example here is the part of DevSecOps, which became more popular, places where they are already starting to use software composition analysis, etc. But mainly from my experience working with various clients from various industries, different geographies, we are reaching the testing and integration phase and we expect miracles to happen. Very difficult. The concept here is that if we start from the very beginning to implement security, we can actually get the so-called Secure Software Development Life Cycle. What do I mean? At each of these phases, take it as an example,
I don't know how many I have seen, I will read them. This is not a silver bullet, that is, it is not necessary in this way to follow these recommendations. This is an example. Depending on the development, how big the product is, what one or more of these things will be used for, they could be implemented. The concept is to start from the very beginning. Still at the level of requirements and planning, when we are discussing, let's say, whether with your colleagues, what you will develop, or with a client if you work in services. It is very important to consider the so-called security requirements, which are often missed. In general, we have a person who comes and wants to get an app as an end user, but we as
specialists are obliged to help him and direct him to the right direction, what should this application have. There are many things to consider here. What assurance methodologies would we use, respectively, if this is a software for a specific industry, banking, healthcare, energy, government, etc. Standards and frameworks that this application would possibly fall under and we should think about it. Phase analysis, risk analysis, building checklists, security baseline, which I am sure my colleagues will explain better than me, but creating the minimum security requirements that are necessary for this product. In design you have heard 100%: Secure design principles, security control, threat modeling. That's why I will explain a little more. Policy and procedures, name element and access control list.
So, what do we have in mind here? We and my colleagues have seen amazing products for a lot of money, which are still in the design phase and include incredible security problems that cost the entire business, sanctions, and even catastrophic things can happen. And this is only because security comes at a later stage in this development. That's why it's very important when we design our own design to think about these things. Implementation. A lot of things can happen here. From the point of writing code, entering secure coding, policies, practices, trainings in teams, SAST, DAST, Software Composition Analysis, License Misalignments, DevSecOps, entering various tools in pipelines, as Svet explained, from Jenkins or another server that is
used, Security Hardening and Secrets Management. Now, the colleague mentioned HashiCorp before me, I am a big fan of HashiCorp Vault with Secret Management, it is a great server, you can try to use it, this is one of the options.
Then, in Phase 5, we are already moving to security testing. I have combined them. It was called application testing. Whether people will do quality assurance, whether we will do it. In principle, everyone should do it. Dania will tell you as a developer, everyone should test the code before that. But this is how they are basically moving. Security bug handling. Specific procedures to be developed for this. And when the software is ready, we should not forget to take care of it, accordingly, patch management, upgrading policies, the policies we have created and monitoring, as well as constant assessment. Now, since there was a question from a colleague before about software build in Matzireo with FILE, last year we mainly dealt with a team to develop an internal platform
for cybersecurity and more specifically for providing visibility. From our experience we realized that what is happening is that in general we have no idea what is happening with our development on all levels. We have portions from here, from there, from there, from here and from there. What we tried to do is to collect information from several places. That is, this software was in material with files. by taking only their source code, analyzing it and providing information for vulnerabilities. This is software composition analysis. Another very important thing that is good to keep in mind if you don't do it and someone is engaged in software development, please start doing it. The licensing policy is used on
open source components. This is something that is included in the contracts with each one, but no one follows it because of lack of resources or capacity. And what we get is that we can make a software that is for sale purposes, we use open source components based on which we build our software, but we don't keep their licensing policy because they are not used for commercial use. This, when it comes to an unpleasant situation for us, would lead to serious sanctions and loopholes. This is part of the things that the software is doing, but my whole thought is that there are many "quins" that can be made here. It is not necessary that this whole thing you see can be enough for the
project you are working on, one, two or three. You may need more different things, but this is a vision of what the Secure Software Development Life Cycle could look like. And because of this, as you can see, there is a lot of information, we won't have the opportunity to discuss everything, but if anyone is interested in a specific topic, we are available if you want to discuss them afterwards. For now, we will focus on Threat Modeling and Security Hardening. Now, the colleague will start with Threat Modeling. I will continue with the fact that this is the person I call "the father". This is Adam Shostack. I think that's how he pronounced his last name, to
send me the person. For many years he was the manager of the Secure Software Development Lifecycle team at Microsoft. And this man actually modernized Threat Modeling as a concept in the last years. He is not a man who developed it as a theory back in the day, but he is a man who modernized it. And thanks to him we started to talk more and more and this thing to be implemented. The irony of the fate is that Adam has a book published in 2014 on this topic. I still don't see many people using this concept. What is Threat Modeling? For me, it is a great start, free for the whole team, who is engaged in
software development, to be able to enter security. What I told you, that it is important for each of us to be responsible for the security of his part. Even if we don't have a security person in the team, everyone can carry their own blood for security. Yes, Threat Modeling itself represents starting with defining our requirements for security. Depending on how we got the information, we may not have it and we may have to create it. So it is very important to know what will be required from this development, which started at the beginning from a safety point of view. If we don't have it, then we will have a hard time implementing it. People who are engaged in software development will tell you
how difficult it is. Architecture changes have to be done in some cases. So we have to define our requirements. We make a diagram. The diagram is very important from experience, to say again. When the whole team participates, this is something that gives everyone the opportunity to see how things happen in this development. What I said at the beginning, if you are a developer, you look and it is a big project, let's say with microservices, different domains, 50 people, team. Everyone looks at his garden and looks at what he does. A diagram like this gives you the opportunity to see what your colleagues are doing, who they are communicating with, how things are happening, where we
might have any gaps. Because if we make a part of our development, we make sure that this part, this part, this part, the links between them remain and how they interact. So the diagram is very important and helps the whole team to understand what is happening. Then, when we all get together, this can be implemented as part of, for example, a process or whatever you follow, Waterfall, daily meetings you have, you can do it once a month, once every three months, as is convenient for you. But you start, you sit on this diagram and everyone has a different view. One view has a developer, another view has a network engineer, another view has a DevOps,
quality assurance person and everyone sees different problems that could appear in this development. From there, when we have these problems, the hard part is coming, at least for me, we start thinking how to mitigate them and what are the most possible to happen for us. We go back to the maxim I said, there is no 100% certainty, that is, we can't remove everything. What is the most possible to happen for us and what is the most adequate to remove towards the funds and the available resources we have, because removing such problems would be extra development work in the most general case. Accordingly, we come up with the ones we will change, mitigate them and finally validate them. And this whole concept is to turn in a
circle so that this development can constantly be compared with the new conditions that arise and the new types. Now, here I have given an example that the entire credit of Synopsys, I really like them as a whole and most of their products. This is an example diagram that explains threat modeling. You can see there is a whole article on how to make this threat model. If someone is not familiar with it, they can explain it. This is an example diagram with which you communicate, how you communicate, is the connection secure or not, who lives in our network, who is outside, where we have interaction with the user, what kind of threats could arise, what kind of agents or people could cause
these threats and what kind of controls could be implemented accordingly. Why do I think it is very useful to start doing threat modeling? It will help each of us, even if you are dealing with security. For me personally, it helps a lot to identify all the problems and to prioritize the most important ones for your business case. If we develop a software for the financial industry, it will have specific categories. If we develop software for the healthcare industry, it will have other categories. It definitely reduces the time to market. Because this is something that comes in as part of the regular development and starts to minimize any problems from the point of view of security in the development.
It happens with all phases of the Secure Software Development Cycle, all colleagues are involved, that is, we will already have understanding from colleagues and we will have this bias for security. Adam, if you watch his interview, has a very cool thesis that I share with him. For the moment, it is still like this: "Security has no place on the table for decision making." What does this mean? In general, we make some decisions, whether it is about business or what we do, and in the end we think about security. As you can see, security is not a new topic, but we currently have the desire to start our security community in Bulgaria, which is after DevOps
and after Quality Assurance Community, as you know. The whole concept is that we are coming to the end, we are very important, but at the last moment they think about us. And the more people we find who will buy our idea, our colleagues, the easier it will be to spread the word, as we say. So, some useful materials. Everything you find on Adam is top. He doesn't work for Microsoft anymore, but I gave you a lesson on what Threat Modeling looks like in 2021. It is not very different from 2014, unfortunately, as I said. His book. I gave you a link for Amazon, but I'm sure most of you are talented enough, if you are looking for it on the Internet, you will find it in Free of
Charge, even though it is illegal. And the most beautiful thing you can do, this is really free, I have given a free link for it, this is Elevation of Privilege, the game, which Adam also made in order to popularize this type of modeling in the software development teams. If you have the desire to do this, but you don't know how to start, this game is a very cool option to get involved in the team, to play with the team, it will also increase your awareness, and you can improve your development. Another thing I want to say two words about, literally two words, that we are cutting off, is security hardening. Now I call it that. You may have a different opinion on the matter, but this is the so-called
practice in which we want to reduce the vulnerability and as a whole attack surface is at risk with our development. How is this possible? I hope you have heard about the so-called National Checklist Program, which is by NVD - National Vulnerability Database. This is a database with a lot of information about various operating systems, servers and all other products of large vendors, which are written by, I would say, NVD enthusiasts, who are familiar with them, various checklists with different regulations or good practices: CIS, NIST, DISA STIG, XCCDF and so on. But the concept here is that this thing has it for free. By the way, many people know about it and are clearly experiencing a problem
when the implementation comes. But to say that you have some Windows Server 2012, 2016, it doesn't matter. And you want to secure it, to harden it, you don't know how to configure it, you can log in here, look for the checklist with, for example, CIS or NIST or something else that you like, and to download it and use it in this server, but with this logic. Now, how would this thing look like? Since we don't have time to show it, I will just explain it. So, the first step, I am from the Balkans, right? Like you, we love free things, OpenSCAP, free tool, you can download OpenSCAP, which will help you with the downloaded checklist,
whether it is from NVD, and there is another place called OVAL Repository. Has anyone heard of OVAL? Ok, so it will be interesting. OVAL Repository is a repository created by CIS in which files that if you run them on a different operating system or on a server, they would give you information about the valid vulnerabilities of this server. Generally speaking, this is what it is. You can find such OVAL images not only in the OVAL repository, but also in the official websites of the major vendors, whether it is Red Hat, Ubuntu or any other, they keep these files. The concept is that we install this tool OpenSCAP on the database, we install it on our machine,
let's say some Apache there, for example. We go to NVD, we download the appropriate checklist, which is, for example, by STIG. No problem, we are not that many people. We go to OVAL, we download the appropriate image, which is from the OVAL repository, and we are already running them with our OpenSCAP. They already support different versions of languages and the whole scanning option. The outcome you actually get is not very good. I tried to make a screenshot of the two reports. You get two very detailed reports. What are your contributions to this machine, and how to configure it securely, where you have gaps, what is the risk associated with it, how to fix this thing with commands. Each thing is described in great detail. For me personally, this is
a win-win, but very few people apply it, although Free of Charge has existed for a long time. This is an easy way to secure the infrastructure of your software. And this is in general from me. Now Dani will present you a short demo. I will explain for the part that is related to how software development happens and what it is. He will show you how you can do a part of this. So, can you hear me? Yes. Ok, I have prepared a small demo for you. The whole idea is to illustrate what happens when the best practices are not observed in software development. The application is written in clean JavaScript. I used Java with Spring Framework for the backend. One
second. So, I actually chose to implement File Upload functionality. I chose this because, as you know, almost all modern web applications have it in some form. And the wrong implementation can lead to many problems, such as remote code execution, XSS, XXE, phishing, and so on. I've made it on levels. The first level is actually the Insecure implementation. The second level is the Secure implementation. And the third one I've named it Secure Star, because it's an upgrade, as you remember, level 2. I'll start with level 1. When opening, we see an upload form. As a whole, I've already said that the backend is Java. But with the Wappalyzer you can validate that it is actually a Java backend. Usually, I, like you, try to install a JSP file. I
have prepared for this purpose. I click on "Upload" and successfully, it has installed the file. I don't know if you can see it, but I actually have a direct link to the file, which is not a very good practice. Now I will open it, and it looks like we have JSP code running. I can try, for example, LS. You can see that I have code execution on the host machine. Overall, this implementation is quite hefty. Many of the things are very badly done. Now I will comment on them. What are the lessons learned from level 1? You should never write code before all the functional, technical and security requirements are specified. What is the view with this? If someone comes
and tells you that you need to write upload functionality, the first thing that should come to your mind is what files should be uploaded, do we have size restrictions, where we should store the files and for example which one should have access to these files. And many other questions depending on the case. At level 2 I tried exactly this, if I try to upload a new Shell JSP, this time it's a GARMI validation error, invalid file. For the purposes of the demo I have estimated that I will only receive PNG files. I will show you the other validations in code. First, the size is checked. It is important to put both minimum and maximum constraints on the size.
Then I have a simple validation of the extension and finally I check Magic Bytes. I guess most of you know what Magic Bytes are, but for those who don't know, I'll tell you. These are the first few bytes of a file that determine what it is. In the case of PNG, these are the first 8 bytes. In ASCII representation, there is the word PNG and some other non-printable ASCII characters. If we try to upload a valid file, let's see if it works. This time I have success again, but instead of a direct link to the file, which I said is not good practice, I have this download button, which really pulls the file as an attachment.
In general, if you have the opportunity to implement files in this way, it is advisable to do so as an attachment, and not to display them online as it was in the previous case, the insecure version. Another thing I would like to draw your attention to is when storing the file. The first thing it does is to sanitize the name, remove all symbols that are not letters or numbers and we replace them with lowercase and finally we append the extension that should be valid. After that, something that I missed to say in the first option, why did this web shell work? Because the file was stored on the web root of the application. Accordingly, Tomcat embedded server of Spring Boot recognizes the JSP and executes commands.
This is a very bad practice to store files in the web root. In this case, I have just an additional folder in which this happens.
And for the final, the Secure Star option. Earlier someone mentioned the expression "fail fast", "fail early". I like it a lot and in general I don't think there is a need to do all these validations and sanitization of user input before the content itself is scanned. What do I have in mind if I try to upload this JSP file again? This time it doesn't have validation error, but malicious content. It detected that this is Trojan web shell remote shell. What I actually did is I integrated the backend with the VirusTotal API, because it's free and quite cool. And this way I make sure that I don't need to process a file that is obviously malicious. And yes, that's
what I wanted to show you.
Any questions? Yes, I'm listening. I'm just saying that I'm speaking louder. Yes, some of you used them less, others more. The tools are great, we used them in different projects, but maybe the way I wanted to... Oh, sorry. I'm asking if we have experience with automatic tools for Threat Modeling or if we use this concept more often, right? So, for the self-automatic tools, but to be used again on the basis of this concept, because they make the work easier. Why is this concept? It builds, besides everything else that will help you, for example, your colleagues to understand different things, it builds a secure culture in a team. What we talked about at the beginning, I think, was what
is my idea of security, what is the colleague's, what is the Lelia Zhivko's idea of security, so to speak. Everyone has a different common sense. And something that I think shouldn't be done, maybe it doesn't fit in my mind. Does this answer the question? Okay. You had it. Okay. The question is whether we have used and whether we have experience with tools that are used for security testing, mainly. Yes, in general, our team, Dan, me, the colleagues are there, and former colleagues. We are mainly engaged in pen testing and security testing. We use different tools. You have free options available, as someone mentioned ZAP, I think it was you. I was a fan and still am a great fan of OWASP, but
ZAP gives me personally and for my colleagues very false positives. We use different tools depending on what we have in the company or our clients. Burp can be recommended as a very good solution for testing requests and responses. If you have more knowledge, you can use Fiddler. Any similar solution that progresses would have done its job. Nessus, Acunetix, NetSparker, what else? There are different vendors. In general, we have worked with more. It depends on what budget you have if you want to implement something like that and what you want to achieve. Because a research market for the whole toolset, whether for this or for something else, is quite a big place.
No, they can be implemented. For example, for paid tools, it depends on what license you buy and in general, it depends on what the model of work we do is. For example, for software development, we will necessarily include it in the part like the CI/CD process, which will run scans regularly, but it won't be just these. There will be scans, I mean, they are on a level that are changing. There will be unit tests, there may be various test suites created by automation engineers, respectively, there will be security testing, software composition analysis, static code analysis. By the way, there are free software composition analysis solutions, as well as for static code analysis. So, there is a
possibility for the market to do this without paid versions. Does this answer the question? Yes? Yes, yes. So the question is: "Until when can the developers, and I think all the colleagues working on the development, compromise with the security while the management is pressing the deadlines?" This is a tricky question that is hard to answer. Yes? You change the company. By the way, I will rephrase the responsibility. How do we feel after management forces us to do things that are not in harmony with our internal understanding of the development and its security? I will say it again from experience. The management and the technical people communicate in two different languages. It is very important to have either a colleague or yourself around
you who is a mediator and to be able to deal with the risks of the management in case you can't do it yourself, with whom you will go and tell him these are the risks if I do this, this, this and this. These are the possible consequences for you, for us as a company. I am not okay just as a person, a professional, to do it this way, but in the end of the day sometimes and I say it again from experience, we are used to doing things that we may not always agree with, but the business requires them. That's why it's exactly this balance that we are looking for all the time. I would
look for a solution that is suitable for both sides. That's how I will answer it. Or we are the same company, whatever. Yes. Other questions? Yes? Aha. From the point of view of what? From the point of view of what? - Yes, how do we exist? Are you asking specifically about the company? Because I don't want to promote the company in any way. We have a division at the moment, which was created recently, which deals with the subsequent if you will, application support as a whole, but it depends on the use case. When you create a software, even if you are a freelancer, your job can reach the point where you create a software and you go to the third party, where
they take the responsibility to take care of it. I like pen tests and all that stuff, but I'm not a fan of the only way you can make sure your company or development is doing well. I will pass this pen test to you now. I will write you a great report, but after 5 minutes I have already given it to you and I don't have the responsibility anymore. If a new zero comes out, a new attack, in the same way it is the software. You sell it to someone if you don't care for him, as I said with the car, it won't work. It will work only if it is in front of you. At least the car will die. Exactly.
Exactly. You are right here. There is a guarantee for the car, there is no development. That's why we talk about quality. It has become very modern in our geographical area, it has developed the sector, but we also talk about quality. Security is part of the quality of each one and what it delivers. Does it depend on the car if there is software? It depends on how you work. I have not heard of many companies that give a guarantee that after five years this software will work or something like that.
Okay, this is a controversial topic, because I'm sure that others are tired. I have nothing against continuing it now. Any other last questions? Okay, thank you for your attention.