Building Security Into Your SDLC Methodology - PowerPoint PPT Presentation

Slides: 39
Provided by: ttay7
Transcript and Presenter's Notes

1
Building Security Into Your SDLC Methodology
  • Integral Business Solutions
  • 11/16/2006

2
Discussion Terms
  • Methodology
  • Software Development Lifecycle (SDLC)
  • Secure Software Development Lifecycle (SSDLC)
  • Agile Practices
  • Integral Secure Agile Methodology (ISAM)
  • Risk Management
  • IT Frameworks
  • Application Frameworks
  • Tools
  • What we learned

3
Is there a need?
  • Applications need to match the maturity of
    infrastructure components
  • Bolting security on after development is more
    complex and expensive than baking it in during
    the life cycle.
  • The development process should be held
    accountable for application security shortcomings
  • Howard Schmidt

4
Field of Reference
  • Application Development
  • Application Integration
  • Certification and Accreditation

5
SDLC
  • Wikipedia
  • a framework for developing software successfully
  • Have traditionally followed a set pattern
  • Define -> Design -> Develop
  • Evolved with methodologies over time

6
SDLC history
  • Waterfall Methodologies
  • Very structured: one phase ends, another begins
  • Deliverables are extremely detailed
  • Hand-offs occur between teams with specific and
    disparate skills
  • Traditional Analysts (only), Developers, QA
  • Accepted approach for developing host-based
    applications
  • Complex systems
  • Inflexible languages and tools
  • Largely static application logic
  • Procedural systems
  • Spiral (Iterative) Methodologies
  • Cyclical and adaptive
  • One phase leads to another, but there are
    continuous feedback loops
  • Continuous change and improvement is assumed
  • Documentation is a key
  • Matrix-based teams: a mix of skills and roles
  • Emerged with advent of 4th Generation Languages
  • Object-Oriented Analysis and Design
  • Client-Server and web-based systems
  • Agile Methodologies
  • Lightweight approach: shifts the focus from the
    process to interaction; tenets include
  • Quick delivery of software (versus extended
    planning)
  • Massive collaboration (versus contract
    formulation)
  • Responsive change management (versus structured
    procedures)
  • Individual interaction (versus tools automation)
  • Examples include
  • Extreme Programming (XP)
  • Feature-Driven Development

7
Secure SDLC
  • SSDLC
  • Software development lifecycle process based on
    application security principles adhering to a
    recognized standard and information privacy
  • Focus on Risk, Compliance and C&A
  • Includes activities designed to ensure compliance
    to the standard
  • Requires security-related steps in application
    development procedures
  • Integrated automated testing framework
  • Automated unit test
  • Regression test
  • System integration test
  • Performance test
  • Threat and vulnerability audit

8
Integral Secure Agile Methodology (ISAM)
The Integral Secure Agile Methodology (ISAM)
is a collection of practices organized in a
phased approach that provides the basis for an
organization to ensure regulatory compliance,
information security, and adherence to policy
standards.
9
Formation Guidelines
  • Created as a formulation of our "best practices"
  • Need for security and regulatory elements in
    application development
  • Securing Software Development Lifecycle (SSDLC)
    and related activities
  • Certification and Accreditation Objectives

10
Methodology Guidelines
  • ISAM adheres to the principles of the ISO
    17799:2005 Information Security Management
    Standard developed by the International
    Organization for Standardization
  • This means the specific controls are derived from
    ISO 17799
  • Provides flexibility to introduce other control
    elements, policies and framework objectives
  • Is a methodology to create or modify another
    methodology
  • Why? A forklift approach to change is usually
    expensive and not accepted
  • An incremental approach absorbs the existing
    business and standards objectives

11
ISAM Overview
12
ISAM Phases
13
ISAM Phase Detail
14
ISAM Goal Phase
15
ISAM Objective Phase
16
ISAM Define Phase
17
ISAM Design Phase
18
ISAM Develop Phase
19
ISAM Enhance Phase
20
NIST Security in System Development Life Cycle.
21
ISAM Develop Phase NIST Inclusion
SP 800-57 Key Management
SP 800-36 Selecting Infosec Products
Corresponds to NIST SDLC SP 800-36 Phase 3
22
Observations
  • Risk management during each phase is key
  • Can be challenging on an uncompleted cycle
  • Identification of mitigation points is tricky.
  • Assistance to a C&A process can be in-line
  • Awareness is the driving factor
  • Collaboration helped awareness
  • Awareness brought in discipline
  • Discipline > Structure > Control

23
Risk Management Through IT Frameworks
The primary objective of a framework is to
establish governance built on the following
principles
  • Structure
  • Process
  • Communication

Frameworks such as ITIL and COBIT seek to ensure
that effective information security measures are
taken at the strategic, tactical, and operational
levels.

Information security should be considered an
iterative process that must be controlled,
planned, implemented, evaluated, and maintained
in each phase.
24
IT Frameworks
A typical IT framework divides the overall
Information security concept into
  • Policies - overall objectives an organization is
    attempting to achieve
  • Processes - what has to happen to achieve the
    objectives
  • Procedures - who does what and when to achieve
    the objectives
  • Work instructions - instructions for taking
    specific actions

25
IT Frameworks (cont.)
Define information security as a complete
cyclical process with continuous review and
improvement.
26
IT Frameworks (cont.)
  • Frameworks improve security by providing
  • Focus: security is no longer a cost center; it
    is aligned with the business requirements
  • Structure: move away from firefighting to a
    structured best practice
  • Continuous review
  • The security reviews and functions are not
    static. Reviews, audits and assessments are done
    in a repeatable, cyclic fashion, which ensures
    that changes and modifications are duly analyzed
    for potential threats and vulnerabilities
  • Periodic audits measure how well goals and
    guiding principles are followed
  • Ensures forward motion in the enterprise's
    information security maturity model

27
IT Frameworks (cont.)
  • Frameworks improve security by providing
  • Documented processes and procedures that ensure
    compliance and auditability (HIPAA, SOX)
  • A framework enforces an SSDLC environment that
    adheres to several control processes, such as
  • Change Management
  • Configuration Management
  • Incident Management
  • Measurable information security activity in each
    phase ensures that the organization will not
    take a rushed approach to decision making
  • Defined roles and responsibilities: auditability
    and traceability
  • Defined communication process, e.g. reporting

28
Risk Management - Application Frameworks
Application frameworks enhance the overall
security concept by ensuring that applications
are more robust and secure in the following ways
  • Consistency: application code is written in a
    consistent manner that can more easily be audited
    and enhanced
  • Repeatability: core application services are
    provided in a common and structured manner
  • Conformance: framework modules are thoroughly
    tested before implementation, and continuously
    re-tested through the software regression test
    cycle

The following discussion highlights some commonly
used application frameworks with security
implications and potential pros and cons.
29
Communication and Collaboration
To be successful in developing secure software
the entire team must be aware of what is
occurring within the architecture of the solution
and the code base. Communication of change and
traceability of change can be assisted by the
introduction of tools to help automate this
communication and collaboration. Having a strong
culture of collaboration and a methodology that
enforces the communication is also key. Tools
help facilitate and can even enforce the rules
laid out, but they will not guarantee compliance.
That is where audits come in.
30
Awareness
Awareness was the hardest to achieve. Different
levels of skill and adaptability posed
challenges. Once the effort was made,
progression was much easier
  • Formal training was good but hard to find
  • Peer to Peer interaction
  • Automated detection and assessment tools

31
Tools
There are many tools available that help your
team communicate, collaborate, ensure securely
developed websites, and trace changes to your
systems.
  • Collaboration software
  • GForge: collaboration and project management
    tool for tracking and communicating changes,
    bugs and enhancements to your source code. Has
    reporting and integrations with many 3rd-party
    tools such as CVS, SVN, MS Project and the
    Eclipse IDE.
  • Blogging software can be used to effectively
    communicate individual team members' struggles
    and triumphs with project tasks. It is an
    effective way to gather unstructured data for
    later search and retrieval. Think of it as the
    electronic notebook for the development team.
  • Wiki technologies can be used in a similar
    fashion to blogging, but a wiki provides a quick
    and easy way to publish web-based documentation
    with a structure for the team to use. Wikis can
    be secured so that only your team can view and
    edit.

32
Tools (cont.)
  • Source Control Management (SCM)
  • CVS: industry standard for source code control
    and distributed project development.
  • SVN: the next industry standard for source code
    control and distributed project development.
  • ClearCase: source code control from the Rational
    suite of products.
  • Visual SourceSafe: Microsoft's SCM tool.
  • Tortoise: visual tool for interfacing with CVS
    and SVN repositories via the Windows Explorer
    interface.

33
Tools (cont.)
  • IDEs
  • Eclipse: industry-leading Java development
    platform. IBM's IDE is built upon the Eclipse
    core. Many plugins are available to help with
    development on PHP, .NET, C and C++ based
    projects.
  • Visual Studio: industry-leading development
    platform for Microsoft languages. Excellent
    integration with the Microsoft product suite.
  • Virtualization
  • VMware: a system to virtualize operating
    systems. Extremely helpful in server
    consolidation, and enables organizations to
    create function-specific computing environments
    with no extra investment. Also provides
    flexibility in the behavior of testing, QA, etc.

34
Tools (cont.)
  • Quality Assurance / Build Automation
  • Ant: script-based build tool. Used to call many
    of the other QA/build applications. Can be used
    to help ensure compliance. It is essentially a
    cross-platform Make.
  • JUnit: unit-level test framework. Used with Ant
    and Tinderbox to help provide traceability of
    code failures and a complete regression test.
  • HttpUnit: unit-level test framework for web
    interfaces. Used with Ant and Tinderbox to help
    provide traceability of code failures and a
    complete regression test.
  • Tinderbox: Tinderbox is a detective tool. It
    allows you to see what is happening in the source
    tree. It shows you who checked in what, which
    platforms have built successfully, which
    platforms are broken and exactly how they are
    broken (the build logs), and the state of the
    files that made up the build, so you can figure
    out who broke the build and do the most important
    thing: hold them accountable for their actions.
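As an added illustration (not from the original deck) of the Ant/JUnit/Tinderbox wiring described above, this build.xml runs security test cases as part of the regular regression target and halts the build when one fails, so the failure shows up in the build logs Tinderbox tracks. It assumes a hypothetical layout of src/, test/ and lib/ (with junit.jar and httpunit.jar in lib/), and a naming convention of *SecurityTest.java for security cases.

```xml
<!-- build.xml: added example; assumed layout src/, test/, lib/*.jar -->
<project name="isam-secure-build" default="regression" basedir=".">
  <property name="src.dir"    value="src"/>
  <property name="test.dir"   value="test"/>
  <property name="build.dir"  value="build"/>
  <property name="report.dir" value="${build.dir}/reports"/>

  <path id="test.classpath">
    <fileset dir="lib" includes="*.jar"/>  <!-- junit.jar, httpunit.jar, deps -->
    <pathelement location="${build.dir}/classes"/>
    <pathelement location="${build.dir}/test-classes"/>
  </path>

  <target name="compile">
    <mkdir dir="${build.dir}/classes"/>
    <mkdir dir="${build.dir}/test-classes"/>
    <javac srcdir="${src.dir}" destdir="${build.dir}/classes"
           classpathref="test.classpath"/>
    <javac srcdir="${test.dir}" destdir="${build.dir}/test-classes"
           classpathref="test.classpath"/>
  </target>

  <!-- Security cases (input validation, authorization, session handling)
       are ordinary JUnit/HttpUnit tests named *SecurityTest.java.
       haltonfailure="yes" makes any failing case break the build. -->
  <target name="security-test" depends="compile">
    <mkdir dir="${report.dir}"/>
    <junit printsummary="yes" haltonfailure="yes" fork="yes" forkmode="once">
      <classpath refid="test.classpath"/>
      <formatter type="xml"/>  <!-- per-test XML: traceable record for Tinderbox -->
      <batchtest todir="${report.dir}">
        <fileset dir="${test.dir}" includes="**/*SecurityTest.java"/>
      </batchtest>
    </junit>
  </target>

  <!-- Functional regression runs only after the security suite passes. -->
  <target name="regression" depends="security-test">
    <junit printsummary="yes" haltonfailure="yes" fork="yes" forkmode="once">
      <classpath refid="test.classpath"/>
      <formatter type="xml"/>
      <batchtest todir="${report.dir}">
        <fileset dir="${test.dir}">
          <include name="**/*Test.java"/>
          <exclude name="**/*SecurityTest.java"/>  <!-- already run above -->
        </fileset>
      </batchtest>
    </junit>
  </target>
</project>
```

Running `ant` (default target) therefore cannot produce a green build unless every security test case passes, which is the checkpoint the deck asks for.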

35
Tools (cont.)
  • Quality Assurance / Build Automation
  • Jmeter - Apache JMeter may be used to test
    performance both on static and dynamic resources
    (files, Servlets, Perl scripts, Java Objects,
    Databases and Queries, FTP Servers and more). It
    can be used to simulate a heavy load on a server,
    network or object to test its strength or to
    analyze overall performance under different load
    types. You can use it to make a graphical
    analysis of performance or to test your
    server/script/object behavior under heavy
    concurrent load.
  • LoadRunner: a commercial counterpart to JMeter
    and the industry leader in the performance
    testing space. Obtain an accurate picture of
    end-to-end system performance. Verify that new or
    upgraded applications meet specified performance
    requirements. Identify and eliminate performance
    bottlenecks during the development lifecycle.

36
Tools (cont.)
  • Auditing tools
  • Ounce Labs: helps customers manage their
    software risk across the enterprise and down to
    the line of code.
  • Watchfire AppScan: the industry's first web
    application vulnerability scanning and reporting
    solution for the enterprise. Building on the
    market-leading AppScan technology, AppScan
    Enterprise provides centralized control with new
    advanced application scanning, remediation
    capabilities, executive security metrics and
    dashboards, key regulatory compliance reporting
    and seamless integration with the desktop version
    of AppScan.
  • ARCWall: a system to provide central security
    policy enforcement for access control to
    databases. Also useful for auditing purposes, to
    identify potential access control defects, etc.

37
Concluding Remarks
  • Conscious effort and buy-in from management and
    the customer
  • Systematic and sometimes intrusive changes
  • Educating staff: awareness
  • Implementing peer reviews
  • Automation tools (commercial and open source)
  • Focus on testing: security test cases included
    in functional, regression and performance testing
  • Checkpoints throughout the life cycle.
  • Greater reduction in risk posture

Risk/cost quadrant chart (image not included in the transcript):
  • Lower left: low risk and low cost. Recommend fix.
  • Lower right: high risk and low cost. Recommend fix.
  • Upper left: low risk and high cost. Recommend evaluate.
  • Upper right: high risk and high cost. Recommend schedule.
38
  • Questions?