UNIT 2

1. 8 PRINCIPLES OF SECURE DEVELOPMENT AND DEPLOYMENT

• Secure development is everyone's concern
o Key Point: Everyone involved in building and running software should prioritize security.
o Importance: All team members play a role in identifying and addressing security vulnerabilities.
• Keep your security knowledge sharp
o Key Point: Developers need ongoing training in, and understanding of, secure coding practices.
o Importance: Without knowledge of security risks and defenses, code is more vulnerable to attack.
• Produce clean & maintainable code
o Key Point: Write code that is clear, well-documented, and easy to maintain.
o Importance: Complex code is harder to secure; clean code reduces vulnerabilities and aids maintenance.
• Secure your development environment
o Key Point: Ensure that the environment used for coding is secure.
o Importance: An insecure development environment can compromise the security of the code produced.
• Protect your code repository
o Key Point: Safeguard the central repository where code is stored and managed.
o Importance: Unauthorized access to the repository can lead to code tampering and security breaches.
• Secure the build and deployment pipeline
o Key Point: Automate build, test, and deployment processes securely.
o Importance: Ensures that automated processes do not introduce vulnerabilities into the codebase.
• Continually test your security
o Key Point: Regularly conduct security testing, ideally automated, alongside development.
o Importance: Identifies and mitigates security weaknesses without disrupting the development cycle.
• Plan for security flaws
o Key Point: Acknowledge that all code has vulnerabilities and establish a process to manage them.
o Importance: Enables proactive identification, tracking, and mitigation of security issues from discovery to resolution.

2. MICROSOFT SECURITY DEVELOPMENT LIFECYCLE (SDL)
Microsoft's Security Development Lifecycle (SDL) is a rigorous framework designed to
integrate security throughout the entire software development and deployment process. Here is
a detailed breakdown of its components, phase by phase:

Components of Microsoft's SDL:

1. Training:
o Role-specific training is provided to developers and engineers to educate them on security basics and recent trends in secure development. This ensures that all team members are equipped to implement security measures effectively.
2. Requirements:
o Security and privacy requirements are defined at the outset of the software development process. These requirements evolve throughout the product lifecycle to adapt to changes in functionality and the threat landscape.
3. Design:
o Once requirements are established, the software design phase begins. Threat models are created to identify, categorize, and assess potential security threats according to risk level. Threat models are continuously updated as the software evolves.
4. Implementation:
o Developers write code based on the design and threat models. Microsoft provides secure development tools to aid developers in implementing security, privacy, and functional requirements effectively.
5. Verification:
o Before code can be released, thorough verification processes are in place to ensure adherence to SDL standards. This includes:
▪ Static code analysis: Identifies potential security flaws in the source code.
▪ Binary analysis: Assesses vulnerabilities at the binary code level to confirm readiness for production.
▪ Credential and secret scanner: Identifies exposure of credentials and secrets in source code and configurations.
▪ Encryption scanning: Validates encryption practices.
▪ Fuzz testing: Tests APIs and parsers with unexpected data to detect vulnerabilities.
▪ Configuration validation: Ensures production systems adhere to security standards.
▪ Component Governance (CG): Checks for open-source software vulnerabilities and legal obligations.
6. Release:
o Builds go through a Safe Deployment Process (SDP) in which they are progressively released to larger groups:
▪ Ring 0: Development team.
▪ Ring 1: All Microsoft employees.
▪ Ring 2: External users on targeted release channels.
▪ Ring 3: Worldwide standard release.
o Builds remain in each ring for a specified period, including high-load periods, to ensure stability before moving to the next ring.
7. Response:
o After deployment, all Microsoft services are continuously monitored using a proprietary near-real-time monitoring system. This system helps identify and respond to potential security incidents promptly.

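The credential and secret scanner listed under Verification is easiest to understand as a small program. The following is an added example written for these notes, not Microsoft's tooling: it runs a few illustrative regex rules plus a Shannon-entropy check over constructed sample files, and masks each hit so that the report itself does not leak the value. The rule patterns, the `scanner:ignore` suppression marker, the entropy threshold and the sample file contents are all assumptions of this example.

```python
import math
import re
from dataclasses import dataclass

# Illustrative detection rules for this example; they are not the rule set of
# any real scanner. The keyword rules deliberately have no leading \b so that
# names such as DB_PASSWORD or api_key still match.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(
        r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"]([^'\"]{4,})['\"]"),
    "generic_token": re.compile(
        r"(?i)(?:api[_-]?key|secret|token)\s*[:=]\s*['\"]([A-Za-z0-9_\-]{16,})['\"]"),
}
# Catch-all for random-looking string literals that no keyword rule names.
QUOTED_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")
ENTROPY_THRESHOLD = 3.5           # bits per character; tuned by the scanner owner
IGNORE_MARKER = "scanner:ignore"  # hypothetical inline suppression marker


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    snippet: str  # masked, so the report does not leak the secret


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; long random tokens score high."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask(secret: str, keep: int = 4) -> str:
    """Keep a short prefix so the finding is recognisable, hide the rest."""
    return secret[:keep] + "*" * (len(secret) - keep)


def scan_text(path: str, text: str) -> list:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if IGNORE_MARKER in line:
            continue
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                # group(lastindex) is the captured value; group(0) when no capture group
                findings.append(Finding(path, line_no, kind, mask(m.group(m.lastindex or 0))))
        if any(f.line_no == line_no for f in findings):
            continue  # a named rule already covers this line
        for literal in QUOTED_LITERAL.findall(line):
            if shannon_entropy(literal) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, line_no, "high_entropy_string", mask(literal)))
    return findings


def scan_files(files: dict) -> list:
    """files maps path -> contents, e.g. the result of walking a checkout."""
    findings = []
    for path, text in sorted(files.items()):
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample files; every value is made up and not a real credential.
SAMPLE_FILES = {
    "src/config.py": (
        'DB_HOST = "db.internal.example"\n'
        'DB_PASSWORD = "hunter2hunter2"\n'
        'AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE00"\n'
        'SESSION_SEED = "Q3v9xL2pT8mZ1kR4wN7b"\n'
        'TEST_TOKEN = "token-for-unit-tests-only"  # scanner:ignore\n'
    ),
    "src/settings.yaml": 'api_key: "sk_test_placeholder"\n',
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.kind}: {f.snippet}")
```

In a pipeline this runs as a build gate: any finding fails the build, and the suppression marker is reserved for values that are reviewed and known to be test fixtures. The entropy rule catches tokens the keyword rules do not name, which is also where most false positives come from, so its threshold is the setting teams end up tuning.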
Benefits of Microsoft's SDL:

• Reduced Vulnerabilities: Integration of security throughout the development lifecycle reduces the likelihood of vulnerabilities.
• Enhanced Quality: Improves overall software quality by addressing security issues early.
• Cost Efficiency: Minimizes costs associated with security incidents and post-release fixes.
• Customer Trust: Demonstrates commitment to security, enhancing customer trust and satisfaction.
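The ring-based Safe Deployment Process described under Release above can be modelled as a promotion gate: a build advances to the next ring only after its soak period has elapsed, enough traffic has been observed in that ring, and the error rate has stayed under the ring's ceiling; if the ceiling is exceeded the rollout halts. The code below is an added example for these notes, not Microsoft's deployment system; the soak periods, traffic minimums, error-rate ceilings, build id and health samples are all invented for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Ring order follows the SDP description in the notes. Soak periods, traffic
# minimums and error-rate ceilings are assumptions for this example only.
RINGS = [
    # (name, soak period, minimum requests observed, maximum error rate)
    ("ring0_dev_team",          timedelta(hours=24),  5_000,   0.05),
    ("ring1_all_employees",     timedelta(hours=48),  50_000,  0.02),
    ("ring2_targeted_external", timedelta(hours=72),  500_000, 0.01),
    ("ring3_worldwide",         None,                 None,    0.005),
]


@dataclass
class HealthSample:
    at: datetime
    requests: int
    errors: int


@dataclass
class Rollout:
    build: str
    started_at: datetime
    ring_index: int = 0
    entered_at: datetime = None
    samples: list = field(default_factory=list)
    halted: bool = False
    history: list = field(default_factory=list)

    def __post_init__(self):
        self.entered_at = self.started_at

    @property
    def ring(self) -> str:
        return RINGS[self.ring_index][0]

    def record(self, sample: HealthSample) -> str:
        """Feed one monitoring sample; returns the gate decision for the ring."""
        if self.halted:
            return "halted"
        self.samples.append(sample)
        name, soak, min_requests, max_error_rate = RINGS[self.ring_index]
        total = sum(s.requests for s in self.samples)
        errors = sum(s.errors for s in self.samples)
        rate = errors / total if total else 0.0
        if rate > max_error_rate:
            self.halted = True
            decision = f"halted in {name}: error rate {rate:.2%} exceeds {max_error_rate:.2%}"
        elif soak is None:
            decision = f"complete: {name} is the final ring"
        elif sample.at - self.entered_at < soak:
            decision = f"soaking in {name}"
        elif total < min_requests:
            decision = f"soak elapsed in {name} but only {total} requests seen, waiting for load"
        else:
            self.ring_index += 1
            self.entered_at = sample.at
            self.samples = []  # health is judged per ring, so start fresh
            decision = f"promoted to {self.ring}"
        self.history.append(decision)
        return decision


# Constructed scenario: (hours after start, requests, errors). The error spike
# in the fourth sample is meant to trip the ring-1 ceiling.
DEFAULT_SCENARIO = [(12, 1_000, 10), (24, 5_000, 20), (48, 30_000, 300), (72, 100_000, 3_000)]


def simulate(scenario=DEFAULT_SCENARIO, build="build-1234"):  # constructed build id
    t0 = datetime(2024, 1, 1, 9, 0)
    rollout = Rollout(build, t0)
    for hours, requests, errors in scenario:
        rollout.record(HealthSample(t0 + timedelta(hours=hours), requests, errors))
    return rollout


if __name__ == "__main__":
    for line in simulate().history:
        print(line)
```

The point of the traffic minimum is the "high load periods" clause in the notes: a build that sat idle for its soak period has not proved anything, so the gate waits for load rather than promoting on elapsed time alone.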

3. OWASP

The Open Worldwide Application Security Project (OWASP) is a non-profit foundation
dedicated to improving software security; it operates under an "open community" model.
Another secure development process is the OWASP Comprehensive Lightweight Application
Security Process, or CLASP. CLASP was originally developed as a commercial methodology by
the source code analysis company Secure Software, but was donated to OWASP in 2006 and made
freely available. Like SDL, CLASP specifies development lifecycle activities for teams to
perform in order to make more secure, resilient software; however, where SDL categorizes
these activities by lifecycle phase (and SDL-Agile categorizes them by frequency), CLASP
categorizes them by role. Each contributor to a CLASP project fits into one or more of these
seven roles:
• Project Manager
• Requirements Specifier
• Architect
• Designer
• Implementer
• Test Analyst
• Security Auditor

Roles in OWASP CLASP and Their Responsibilities

1. Project Manager:

The project manager is responsible for promoting awareness of security issues both inside and
outside the product team. When other teams within the organization (such as Sales) put
pressure on the product team to hurry their ship date or to cram in new features, it's the
project manager who stands up for security to ensure that essential security activities don't
fall by the wayside.

o Promotes security awareness within the team.
o Advocates for security considerations when pressured to meet deadlines.
o Manages metrics related to security activities.
o Holds the team accountable for security tasks.
o Assesses and reports on the overall security posture of the application and organization.
2. Requirements Specifier:
o Details security-relevant business requirements.
o Determines protection requirements for sensitive resources.
o Specifies misuse cases to highlight major security concerns.
o Works to ensure security requirements are integrated into the
project's functional requirements.
3. Architect:
o Designs network and application architecture with security in
mind.
o Specifies network security requirements (e.g., firewalls, VPNs).
o Identifies potential security implications of chosen technologies.
o Documents trust boundaries and interactions between system
components.
4. Designer:
o Ensures that security risks are mitigated in the application design.
o Selects technologies that meet security requirements.
o Documents the attack surface of the application.
o Provides guidance on integrating third-party software securely.
5. Implementer:
o Develops the application following established secure coding
practices.
o Identifies and reports new security risks during implementation.
o Documents security considerations related to deployment and end-user responsibilities.
o Participates in security awareness training to stay updated on
secure coding practices.
6. Test Analyst:
o Creates and executes tests to validate security requirements.
o Uses automated tools to identify potential security vulnerabilities.
o Ensures that security testing is integrated into the overall testing
strategy.
o Reports security findings to the development team for remediation.
7. Security Auditor:
o Reviews the project to assess adherence to security requirements.
o Evaluates the adequacy of security measures throughout the
development lifecycle.
o Analyzes designs and implementations for potential security risks
and vulnerabilities.
o Provides recommendations for improving security posture based on
findings.

4. SAMM
SAMM, which stands for Software Assurance Maturity Model, is an open
framework designed to help organizations formulate and implement a strategy
for software security that is tailored to their specific risks and constraints. Here
are some simple points about SAMM:

SAMM Overview

1. Purpose:
o SAMM helps organizations improve their software security
practices by providing a structured framework.
o It guides organizations through a maturity model approach to
address software security from different perspectives.

2. Framework Structure:
o SAMM consists of three maturity levels, each representing progressively more advanced practices and capabilities.
o It includes 12 security practices across four core business functions: Governance, Construction, Verification, and Deployment.

SAMM's core principles:

1. Incremental Improvement:
o Slow Behavioral Change: Organizations change their security
practices gradually over time.
o Step-by-Step Progress: Make small improvements in security
regularly rather than trying to fix everything at once.
2. Flexibility and Customization:
o No One-Size-Fits-All: Recognize that each organization has
different risks and needs.
o Adapt to Your Context: Choose security practices that fit your
organization's unique situation and goals.
3. Prescriptive Guidance:
o Clear Steps: Security activities should be straightforward and easy
to understand.
o Measurable Goals: Aim for measurable improvements with
defined milestones.
SAMM's core business functions and the security practices under each:

Governance

1. Strategy & Metrics:
o Define goals for software security.
o Collect metrics to measure security posture.
o Use metrics to guide improvements.
2. Policy & Compliance:
o Create security policies and standards.
o Ensure compliance with regulations and audits.
o Conduct regular security audits for verification.
3. Education & Guidance:
o Provide security training for developers.
o Offer guidance on best security practices.
o Foster a culture of security awareness.

Construction

1. Threat Assessment:
o Identify and analyze potential threats.
o Manage risks associated with software development.
2. Security Requirements:
o Integrate security needs into development phases.
o Define security features required from project start.
3. Secure Architecture:
o Design software with security as a priority.
o Control technologies to ensure secure designs.

Verification

1. Design Review:
o Review designs to ensure security mechanisms are adequate.
o Confirm designs meet security expectations.
2. Implementation Review:
o Check source code for vulnerabilities.
o Implement strategies to mitigate risks.
3. Security Testing:
o Test software in real environments for vulnerabilities.
o Establish minimum security standards for releases.

Operations

1. Issue Management:
o Develop processes to handle vulnerabilities.
o Use issue data to enhance security practices.
2. Environment Hardening:
o Strengthen security of operating environments.
o Secure configurations of systems hosting software.
3. Operational Enablement:
o Provide security information for operators.
o Equip operational teams with tools for security maintenance.

Maturity Levels:

• Level 1 (Initial): Organizations have ad-hoc practices with minimal formal processes.
• Level 2 (Defined): Basic software security practices are defined and documented.
• Level 3 (Managed & Measurable): Practices are institutionalized and measured for effectiveness.

5. SECURITY INCIDENT RESPONSE PLAN

Definition:

• An incident response plan (IRP) outlines procedures to detect, respond to, and mitigate the impact of security incidents like data breaches, malware attacks, and insider threats.

Importance:

• Minimizing Damage: Quickly identifying and responding to incidents limits financial losses and reputational damage.
• Reducing Recovery Time: Clear procedures speed up recovery efforts, minimizing downtime.
• Data Protection: Ensures swift action to protect sensitive information from exposure.
• Compliance: Meets regulatory requirements, avoiding penalties for mishandling security incidents.

Steps/Stages:

1. Prepare:
o Formulate an incident response team with defined roles (IT, legal,
PR).
o Develop policies outlining response procedures, communication
protocols, and reporting requirements.
2. Identify:
o Use monitoring tools (e.g., SIEM) to detect anomalies and
potential threats.
o Train employees to recognize phishing and other security risks.
3. Contain:
o Isolate affected systems to prevent further damage.
o Preserve evidence like log files for forensic analysis.
4. Eradicate:
o Remove malicious software and unauthorized access.
o Utilize tools like Endpoint Detection and Response (EDR) for real-time threat elimination.
5. Recover:
o Restore systems to normal operations with minimal downtime.
o Validate recovery through testing and verification procedures.
6. Learn:
o Conduct a post-incident review to evaluate response effectiveness.
o Document findings and update incident response procedures based
on lessons learned.

Incident Response Technologies:

• SIEM (Security Information and Event Management): Monitors and analyzes network data to detect and respond to security incidents.
• SOAR (Security Orchestration, Automation & Response): Automates incident response tasks to improve efficiency and reduce human error.
• EDR (Endpoint Detection and Response): Monitors endpoint devices for malicious activities and facilitates rapid response.
• XDR (Extended Detection and Response): Integrates data from multiple sources for comprehensive threat detection and response.
• UEBA (User and Entity Behavior Analytics): Uses machine learning to detect abnormal user behavior indicating potential threats.
• ASM (Attack Surface Management): Identifies and reduces vulnerabilities in an organization's digital assets to mitigate cyber threats.
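The Identify stage of the plan relies on a SIEM to turn raw events into alerts. As an added example for these notes (not the logic of any SIEM product), the code below applies two correlation rules to constructed sshd log lines: a sliding-window count of failed logins per source address, and a higher-priority rule for a successful login that follows several failures from the same address, which is the case an analyst most wants escalated. The log lines, regexes, thresholds and window are all constructed for the example; the addresses come from the documentation ranges.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Syslog-style sshd lines. The regexes and thresholds are this example's own.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$")
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
OK_RE = re.compile(r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>[\d.]+)")


@dataclass
class Alert:
    rule: str
    source_ip: str
    count: int          # failures inside the window when the rule fired
    first_seen: datetime
    last_seen: datetime
    user: str = ""


def _parse_ts(ts: str) -> datetime:
    # Syslog timestamps carry no year; strptime defaults to 1900, which is
    # fine for computing differences inside one log.
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def detect(lines, threshold=5, window_seconds=60, success_min_failures=3):
    """Sliding-window correlation of sshd failures and successes per source IP."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    alerted = set()                # ips already reported by the brute-force rule
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd event
        ts = _parse_ts(m["ts"])
        msg = m["msg"]
        f = FAIL_RE.search(msg)
        if f:
            q = failures[f["ip"]]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()  # drop failures that fell out of the window
            if len(q) >= threshold and f["ip"] not in alerted:
                alerted.add(f["ip"])
                alerts.append(Alert("ssh_bruteforce", f["ip"], len(q), q[0], ts))
            continue
        s = OK_RE.search(msg)
        if s:
            q = failures[s["ip"]]
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= success_min_failures:
                alerts.append(Alert("ssh_success_after_failures", s["ip"], len(q), q[0], ts, s["user"]))
            q.clear()  # session established; start fresh for this address
    return alerts


# Constructed sample log (TEST-NET addresses, invented hosts and users).
SAMPLE_LOG = """\
Mar 10 08:00:01 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 50122 ssh2
Mar 10 08:00:05 web01 sshd[2103]: Failed password for invalid user test from 203.0.113.9 port 50130 ssh2
Mar 10 08:00:12 web01 sshd[2105]: Failed password for root from 203.0.113.9 port 50141 ssh2
Mar 10 08:00:19 web01 sshd[2107]: Failed password for deploy from 203.0.113.9 port 50150 ssh2
Mar 10 08:00:27 web01 sshd[2109]: Failed password for deploy from 203.0.113.9 port 50158 ssh2
Mar 10 08:00:33 web01 sshd[2111]: Failed password for deploy from 203.0.113.9 port 50166 ssh2
Mar 10 08:00:45 web01 sshd[2113]: Accepted password for deploy from 203.0.113.9 port 50170 ssh2
Mar 10 08:01:10 web01 sshd[2120]: Failed password for alice from 198.51.100.4 port 41022 ssh2
Mar 10 08:01:12 web01 sshd[2120]: Accepted publickey for alice from 198.51.100.4 port 41022 ssh2
Mar 10 08:01:13 web01 sshd[2120]: Disconnected from user alice 198.51.100.4 port 41022
Mar 10 08:01:14 web01 CRON[2130]: (root) CMD (run-parts /etc/cron.hourly)
"""

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{a.rule}: {a.source_ip} count={a.count} user={a.user or '-'}")
```

The second rule is the one worth tuning: a single mistyped password followed by a key-based login (alice above) should not page anyone, so it requires several failures in the window, while the deploy account logging in after six failures is exactly the event the Contain step needs to hear about quickly.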
