Notes from Seattle Java User Group meeting 4/17/2013
Secure Development Lifecycle...
Addresses the 50% of vulnerabilities due to design flaws as well as the 50% due to coding flaws
Best practices in all aspects of development Lifecycle
- QA
- CM
- Reporting processes
etc
Most important part of SDL is awareness - training and education
Annual training because attackers change constantly
Not every developer will be security expert but everyone needs to be aware
Recruit 1-2 members from each team to be SME
Requirements Phase
- what regulations apply
- quality assurance measures?
- security features required?
* confidentiality - encryption, authentication
* integrity - hashing, signatures
* accessibility - fail safe, hardening...throttling for DDoS
The last DDoS attack was due to spoofed addresses on DNS servers
Architecture and Design
- what does attacker have access to - minimize attack surface
- helps focus next task
Threat Modeling
- STRIDE defines possible attacks
Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Escalated Privilege
- DREAD helps determine priorities
Damage Potential, Reproducibility, Exploitability, Affected Users, Discovery
Misuse test cases in addition to use cases.
* what happens if someone puts bad data in fields?
Threat mitigation
Spoofing - authentication
Tampering - integrity
Repudiation - nonrepudiation
...
Secure Development
Code repository
-- must have secure repository
-- role based access
-- version control
-- open source - run static code analysis on it, code review patches
Strict compiler settings
- all warnings fatal
- do not use deprecated APIs
Static Code Analysis (SAST)
- built in most IDEs
- finds Easter eggs, Trojans, back doors
- run third-party code through the analyzers as well
Testing and QA
* Fuzz Testing
- file fuzzing (will find 75% of vulnerabilities)
- Protocol fuzzing - provides resilience
* Dynamic Testing
- finds vulnerabilities in generated code and scripts
- exercises logic path dependencies
- JavaScript
* Penetration Testing
- many free tools
- often contracted to specialists
OWASP Top 10 for web applications
- automated tools run and test for the Top 10 vulnerabilities
Install and Maintenance
All Jars should be signed
Java 1.7u17 will flag mixed-signed JARs where not all entries are signed
Delivered/deployed as secure as possible
When (not if) a vulnerability is reported
- incident response process
Implementing SDL
- define what you do now
- decide which tasks make sense
- add tasks that provide the most return first
- slowly add others
- multi-year process
- lifestyle change, celebrate accomplishments
--summary--
Secure coding is not enough...design flaws contribute
SDL process helps
Be prepared to handle incidents after deployment