Documente Academic
Documente Profesional
Documente Cultură
y Practices
Integrating Security into the SDLC
Robert A. Martin
Sean Barnum
May 2011 HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS).
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS.
Form Approved
Report Documentation Page OMB No. 0704-0188
Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and
maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information,
including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington
VA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if it
does not display a currently valid OMB control number.
16. SECURITY CLASSIFICATION OF: 17. LIMITATION OF 18. NUMBER 19a. NAME OF
ABSTRACT OF PAGES RESPONSIBLE PERSON
a. REPORT b. ABSTRACT c. THIS PAGE Same as 19
unclassified unclassified unclassified Report (SAR)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS.
Planning for Software Security
Balancing
g perspective
p p is that of the attacker
Strive to understand the exact nature of the threat that the
software is likely to face so as to focus defensive efforts on
areas of highest risk.
It is fundamentally an extension of
good quality practices
5
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS.
Traditional Quality Assurance
Requirements
R i t R
Reviews
i
Design Reviews
Test Strategy,
Code Reviews RequirementsDesign
Review Review
Code
Review
Planning &
Execution
Traditional Testing
6
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS.
Extending Traditional QA to Include
Security
Security Requirements
Capture and Analysis
including Abuse Cases
Architectural Risk Analysis
Secure Code
Review
Risk-based
Security Testing
Penetration Testing
7
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS.
What New Dimensions does Security Bring?
8
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS.
Software Security Critical Lessons
9
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS.
Bottom Up Software Security Actions
10
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS.
Top-Down Software Security Actions
11
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS.
BSIMM Software Security Framework
Four domains
Twelve
T l practices
ti
An archaeology grid
See informIT article at http://bsi-mm.com
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS.
OpenSAMM
SAMM O..m.w
Smftwarc
Or\rlopmrn1
BuSiot-Ss Funwons
Verification
S.Mlty Proa!cet
Strategy & Education & Security Design Security Environment
Metrics Guidance Requirements Review Testing Hardening
A Homeland 13
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS.
W Security
Microsoft Secure Development Lifecycle HS SEDI
Homeland Secu~ty Systems Engineering and
Development Institute
-
Training ~
Requirements .. . ....
Establish Security Establish Design Use Approved Dynamic Incident
Requirements Requirements Tools Analyis Re5pome Plan
Core Security Create Quality Analyze Attack Deprecate Unsafe Fuzz Final Serurity Execute Incident
Training Gates I Bug Bars Surface Functions Testing Review Rl!spon5l! Pl;m
Homeland The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS.
14
Security
Best Practices Reprise
15
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS.
Summary
Evolutionary not Revolutionary
Security is an extension of Quality Assurance
Requires more Inside
Inside-Out
Out analysis
Think like an attacker
Risk Management is essential
Think bottom-up (tactically) and top-down (strategically)
Understand your context to know where you want to go
Understand your current state to know how to get there
Build and follow a roadmap for gradual evolution
16
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS.
Resources
Resources available with practice specifications
Build Security In website (DHS)
https://buildsecurityin.us-cert.gov/daisy/bsi/home.html/
p y g y
Software Assurance Self Assessment (BSIMM, SAFECode, MS SDL, etc.)
https://buildsecurityin.us-cert.gov/swa/proself_assm.html
Software Security Engineering: A Guide for Project Managers (Book)
http://www.softwaresecurityengineering.com/
Open Web Application Security Project (OWASP)
http://www.owasp.org
http://www owasp org
Sean B
S Barnum
MITRE
sbarnum@mitre.org
@ g
18
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS.