
Secure Software - University of...

Date post: 25-May-2020
Transcript

Page 1: Secure Software - University of Tulsa personal.utulsa.edu/~james-childress/cs5493/Present2012/Rahimian…

Secure Software
Software Development Life Cycle

Firoozeh Rahimian
University of Tulsa
Tulsa, Oklahoma

Page 2: Objective

• Secure Software development
• Project Management (PM)
• Software Development Life Cycle (SDLC)
• Challenges
• Changes to PM and SDLC processes

Page 3: Software Usage

• Part of everyday life
• Computers
• Embedded devices
• ATM
• Shopping
• Vehicles

Page 4: Secure Software

• Current State
  – Security not a priority
  – Updates and patches are the norm
  – Pass the issue down to the consumer
• Challenges
  – Companies cannot track cost due to security vulnerabilities
  – Introduces additional cost to Software development

Page 5: Secure Software

• Business strategy plans
  – Cutting cost
  – Streamlining processes
  – Maintaining client base
  – Improve market advantage
  – Maintain regulatory compliance
• Security requirements not part of the strategy plan

Page 6: PM/SDLC

• Companies utilize project management and SDLC processes for more efficient/faster Software development
• PM Methodology Goals
  – Manage cost, resources, and scope
  – Manage risks and flaws
  – Typically track functionality and related vulnerabilities/flaws
  – Contingency plans to handle vulnerabilities/flaws that are not fixed

Page 7: PM/SDLC

• SDLC Goals
  – Ensure the delivery of high quality systems
    • return on investment
    • primary measure of success
  – Provide strong management controls
    • Accurately estimate how long a project will take
    • Accurately estimate how many resources it will require
    • Accurately estimate how much it will cost
  – Maximize productivity
    • scrap and rework is minimized
    • start-up time is minimized
    • use of off-the-shelf components

Page 8: SDLC Phases

• Phase 0 – developer training
  – Need to be educated and be aware of security
  – Establish expectations, best practices, roles/responsibilities
• Phase 1 – Requirements gathering
  – Include security requirements as part of the scope
  – Identify all security requirements (policies, standards, regulatory)
• Phase 2 – System Design
  – Technical/non-technical security control requirements determined
  – Implement threat modeling and design reviews
  – Ensure soundness of design and architecture

Page 9: SDLC Phases

• Phase 3 – Development and unit testing
  – Static analysis, peer reviews, automated tools, security reviews
  – Developers do not test their own code
• Phase 4 – System Testing
  – Include security testing based on the requirements
  – Use security test cases
  – Developers do not perform security tests
• Phase 5 – Deployment
  – Change management process
  – require approval from security experts
  – Review all test cases and test results

Page 10: SDLC Phases

• Phase 6 – Documentation and training
  – Documentation on proper use of Software
  – Training for maintenance/support staff
  – Post measurement and tracking

Page 11: Conclusion

• Software is never static
• Flaws are inevitable
• Utilize SDLC to
  – Catch flaws before and after coding and during unit/system testing
  – Better identify and track security requirements related to software vulnerabilities
  – Mechanism to track vulnerabilities after implementation
