DevelopSec

training

by Leave a Comment

SDLC: Understanding your Roles

Application security should be on the mind of anyone that is part of the application design/build process. That means architects, developers, application owners, QA testers, business analysts and even end users. Everyone of these positions plays a role in the security of the applications. Depending on the organization, the roles can be quite different. You must understand the roles of these positions from a development perspective to really understand how they fit into the security aspect of the machine.

The first step in the process is to define and document each role in the SDLC. The goal is to understand each role’s relation to your SDLC. Usually the size of the development teams indicate the number of roles that may be implemented. Here are a few things to think about when you are defining your roles:

  • Who defines business requirements – Often times the requirements get spread across different teams. Ideally it is the application owner and business analysts working with end users to determine the requirements. However, often times many items are left up to the developers or database administrators to determine or define requirements. This is especially true around input validation or how data is stored.
  • Who directs the coding guidelines – In large enterprises it is common to see a centralized architecture group that defines coding guidelines across different teams. They may define if database access is limited to stored procedures or a specific ORM. In other situations it may be up to the individual developer. Is there a central input validation or output encoding framework?
  • Who determines database schema – When thinking about how data is stored, who defines the fields that are used, how they are protected (encrypted, hashed, plain text) and how the database is structured? Does the table layout make sense? Is it properly segmented?
  • Who tests the application – The quick response is the QA team, but developers are most likely responsible for testing as well. What about third parties, whether they be an internal security team, a client team or other 3rd party testing teams.

Understanding these roles and who is doing what is critical to maturing a secure SDLC program. Traditionally, the groups are often fairly separate, but as you start to look at the different questions you realize that many of these items are handled by multiple groups. It is that collaboration and communication that is also critical to maturing the SDLC.

The next step is to start identifying the people that are occupying these roles. What skillsets do they possess and do they line up with the role you just defined? This will ultimately lead to defining what training is required for each resource. Providing custom training that is specific to the groups needs is much more efficient and effective than just hosting a generic secure coding class. What if the group that needs training is QA or the business analysts? Developer training isn’t what is needed there. What if the group develops in .Net? A course written using Java will not be as effective.

Finally, we start to identify the processes for the SDLC from start to finish and look at what does and does not exist. From the processes that do exist, what role is responsible for that piece of the puzzle. There can be a lot of cogs in the development process, especially when we bring security into the picture. Think about things like static and dynamic analysis, which are part of most mature secure SDLCs. Do these exist, and if not, who will be the people involved with them when they are implemented?

Identifying the full process and what each role is doing is really the beginning of creating baselines for your program which we will cover in another post. This is critical because it provides a starting point so we can define where we are going. Like an asset inventory, you must understand the roles in the entire SDLC and what part they play. Once we start to truly understand our teams, we can start to make the adjustments needed to move forward in secure SDLC maturity.

by Leave a Comment

Ep. 1: Introduction to the Podcast

Hey everyone,

I have spent a lot of time working in application security and prior to that, development. Over the years, I have had a chance to reflect a bit on some of the security issues I saw as a developer and as a security practitioner. In an effort to help share some of this knowledge and experience, I am starting a podcast series focused on secure development.  The goal is for shorter, 10-20 minute, episodes. I hope you take a moment to take a listen.

Transcript:

Hi, and welcome to the very first episode of the DevelopSec podcast, where our goal is to help develop security awareness amongst the individuals out in the world.

I’m your host, James Jardine. If you don’t know who I am, I started off as a developer, I started getting into application security a few years back. And now I actually am a principal security consultant at secure ideas here in Jacksonville, Florida. And I spend most of my time dealing with security. And so one of the things I wanted to do with this podcast was take some of that knowledge from both the defense side and the attack side, and bring it together and help bring some of this information to people that just may not be getting it or people that are just trying to get into security, we have a real strong need for security to be made more available.

In the security industry, we have many cons that we go to. There’s a con every week, I think, someplace across the world, maybe multiple cons every week, where security professionals get together and talk about some of the concerns that we have. But most of the time, we don’t see developers coming to those type of cons. And if you go to a developer con, there’s usually very little security talk going on. And so we really need to start finding ways where we can reach out to the developer community, and not just developer community, but other people involved with the development of applications that are running applications. So that way, everybody’s under the same knowledge base regarding security and how to protect people’s information.

Privacy is a huge concern these days. And we see it all the time in the news, we have to think more of just the vulnerabilities that we see. But the data that we’re collecting, and what do we do with that data? How do we treat that data? And that’s something that we’re seeing all the time now being brought to light, for example, the healthcare.gov site that everybody’s been talking about for the past few months, and concerns around security around it. And, you know, the big question there as is, what type of access, could somebody have to my personal information? If they were to do something malicious to that site? Whether it be some sort of SQL injection or harvesting of information, somehow gathering my personal information? What could they possibly do? Could they steal my identity? Could they, you know, use my credit cards to run up a massive amount of debt? You know, I don’t know, we, you know, nobody’s seen an actual assessment against the site to know what’s there. But there’s been lots of talk about, what are the privacy issues? What are the security concerns, and one of the biggest pushes around that site?

Really, when we talk about security is the question of, are we building security into our applications, as we build them. Security is not something that we can just bolt on afterwards. And it works all effortlessly. We can’t just deploy a web application firewall, and we’re all good. There’s lots to go about when we’re talking about building a secure application. And we don’t always have to trade functionality for security, we can, if we understand security, build the application with both functionality and security in mind.

Now, if you watch the news lately, not only have we seen healthcare.gov in the spotlight, but we also saw a little bit closer to us Snapchat, they had an issue where somebody actually exploited their API that they have available to be able to enumerate all the usernames or a large portion of the usernames and their phone numbers and pulling that information out. Again, this is something where we have to think well, you know, what information was taken? What could they have done? You know, it was brought to them that, hey, you have this problem? And, you know, maybe their concern was, well, you know, we’re okay with that. That risk being out there. And then somebody went ahead and exploited it, you know, and pulled that information down to show them, hey, this is what could happen. And the constraints that you put in place were easily by passable, and a lot of times developers don’t understand how it is that we can easily bypass some of the constraints that they put in place to try to block some of these attacks.

So we saw Snapchat lose 4.6 million user names and phone numbers. Most recently, we had Neiman Marcus, just identify that I think they had a little over a million credit card numbers stolen And from a breach that they had really big in the news is the Target breach, talking 40 million credit card and debit card numbers that got scraped out of their systems. And this is a big concern. I mean, these big retailers are somebody that, you know, we almost have to go to, right. I mean, there’s not that many big big retailers that are giving us what we need.

So when we start seeing companies like this, getting breached, it raises that concern level. And, you know, I don’t know about the cyber side of target. I know my wife and I watched an episode a few years back talking about Target’s more physical security side where they have more than just a loss prevention individual within the stores, but a team of professionals that actually track down fraud going on in the stores, and going out and finding people that are defrauding the store. So they take security seriously. But without all the details of really what happened, it’s hard to say, could they have done more? What should have been done? Why didn’t they detect this? Right? There’s lots of questions around this. And it’s going to be costly, right? Any of these breaches cost money, it costs the individual their time of having to get a new credit card. Now we have to update if we have automatic payments going on any place, we have to update this information. Now. It’s not that huge of a time drain, I don’t think for myself anyway. But it is going to be something that I have to spend a little bit of time on going through an updating some of that information. Credit card companies have to issue new credit cards, that’s a cost. So we have to think about that target itself. Right now has, they’re offering up $5 million to develop a program to help educate users on security issues. So the users are more educated on what’s going on. Right. And this is a big key, this is what we need to do we need to start educating the public. Because one of the things that happened when this breach occurred is a lot of people didn’t know what to do. My credit card numbers have been stolen, what what do I need to do? Do I need to put credit monitoring on do I need to cancel my car? Do I need to do this? Do I need to do that? People didn’t really have an idea because this isn’t the first time this has been brought out. Right? We saw this in TJ Max a few years ago where huge number of credit cards were stolen. But because it doesn’t happen publicly as his largest this, a lot of times we will kind of forget, well, what do I do here? My credit card number was stolen? Do I need to worry about ID theft? You know, do I have to worry about the charges that get put on my card. And this is the stuff that we want to start help educating the general public on. We want to start educating developers and business analysts and project managers and project owners on what it is to think about security help start implementing security into our systems. Look at a lot of the systems these days that never really were internet connected before but now are starting to become internet connected. Think about your smart TVs. Most of the TVs now come with a way to connect to the internet, either via a cable or through Wi Fi. So that we can now stream Hulu and Apple TV and all these different services straight into our TV. Well, now our TVs connected out to the Internet, what type of security was placed on there to determine if that TV is properly secured? We don’t know. I don’t know what type of security testing is going on there. But that’s stuff we want to start thinking about. Because now that’s a new device on our network that if not done correctly, could be that easy gateway for an attacker to get into our home networks. You think about security systems, a lot of security systems now are network connected. All these different control panels that we have, looking at control systems, right? I have the Nest thermostat and the smoke detectors, both of which connect to my network. So that way I can view the information at any time. Again, I mean, this is a huge deal of how much we’re becoming connected. Do these type of systems offer auto update? Do they update? Can they be updated? What if there is a security flaw found in one of these devices? Do I have to go spend $250 to replace it? Or is there a way that I can up you know, upload a firmware fix? We’re not thinking about these because a lot of the people that are creating these type of systems never had to think about internet connectivity you actually had to be there at the device. So an attacker would have to breach physical security get to the device connect directly to it, to be able to manipulate it. And that’s starting to change. So we’re starting to see a whole new set of developers coming into the world of security, because now they’re starting to see, wait a minute, this stuff that I was doing wasn’t really a big concern, because it was in this special little sandbox over here. But now we’re connecting it to the world. Now I have to start thinking about this. So as security professionals, we’ve been saying for years about how bad security is and how we need to fix it. And we’re starting to see security get better in web applications. Not all of them. But we are starting to see some security get better. And some companies are really starting to take it seriously about developing secure applications. But then we start looking at mobile apps, we start looking at these control systems and security systems, right? Mobile devices are the same thing. We’re seeing a lot of new developers come on board, everybody in their brothers creating mobile apps these days. But they developed developing them securely. And we’re not really seeing that all very often because people just jumping in. And they’re not the same people that have been developing web apps or desktop apps for the past 10 or 15 years, listening to the story of, Hey, why are we not doing this securely? You have to do this securely. Here’s your vulnerabilities and just getting browbeaten. For the past few years, these are all new people that maybe never developed before, before mobile devices ever came out. And they’re just coming in developing apps real quick, and they don’t really understand development, they don’t understand how the system they’re developing on actually works. So it’s a whole new breed of developers coming in that now we have to reach out to and start explaining again, hey, here’s the fundamentals of security. Here are what the attackers goals are why the attacker is coming after you. Oftentimes we hear, Oh, well, my company is too small, nobody would want to attack me. But that’s not necessarily the case. Because one of the biggest things in doing red teaming or the attack side, right is pivoting. Do I want to go after a large bank that has a lot of money to spend on creating a really strong security system? Where do I want to go after the small mom and pop store that has a direct connection into that bank, who doesn’t have the money to spend on top notch security, right? They maybe at best have some guy that they call when they have ID problems to come help them with ID, but they’re not doing anything with security, then tie mobile into that another, you know, doing stuff on their iPads. They’re, they’re just out and about using public Wi Fi messing with systems because they haven’t been trained on how to do this. So that’s one of the biggest goals that we want to kind of break down and greet here is the idea of raising the awareness level of why we need more security awareness why developers need to be involved, why more than developers need to be involved? Because it’s not just developers. Why did the general public should be more aware of how information security works? It’s our information that we’re passing to all these different companies, we should have an understanding of what they do to protect it, depending on the sector they’re in? How are they required to protect that information? What are they doing to protect that information and start demanding information on how they’re protecting my information that I’m giving them. So while we do that, some of the things that we’re going to cover, we’ll talk about the OWASP, top 10 list, which if you haven’t seen the OWASP, top 10, you got to owasp.org OW asp.org. They’ve got lots of information regarding web application security. So they talk about different types of attacks, how you can remediate those attacks. It’s a great developer resource to really get involved with. We’re also going to talk about sans top 25 Most Dangerous software errors. We’ll talk about the OWASP mobile top 10 vulnerabilities that are out there. Since mobile’s really starting to become big, I’m sure we’ll start to see some information about cloud vulnerabilities and the top items there. But we want to discuss from both sides are one what is the attackers perspective? And what should the defender be doing to help protect against that? I often use the analogy when I teach classes that, you know, defense is in doing software and applications, mobile applications. It’s very similar to this idea of building this castle. And I always like the analogy of a castle because it’s easy and it’s very simple. But when I build my castle If I don’t understand the attacks that are coming at my castle, then I can’t really understand how I should build my my castle to protect it. So if I’m thinking that an attack is coming from the ground, and it’s going to be close up, then the idea of a moat comes in really well, because now it’s going to be harder, right? I can raise my drawbridge, it’ll be harder for the attacker to get to my actual Castle, because now they can’t get across that moat, right? They got to come up with some means to get across there makes it more difficult. Can we still get across it? Yes. But it makes it that much more difficult. You have to earn that, right? And then if we think, Well, what if they’re going to catapult stuff, right? Well, maybe it’s going to be hard to catapult in the clear, so maybe I want trees closer. Right. So that way, there’s not as much clearing for them to be able to launch their catapults to shoot stuff at us. Or maybe we don’t want them to be able to use the trees that are close by to chop them down to build the ladders and stuff like that to get up into our castle, maybe we want a bigger clearing. So they have to be further away. And we can see further away from our castle, what’s going on. So we can then adjust and say Oh, I see people coming at us from a mile out, I can adjust to that quicker than adjusting to somebody that just came from 50 yards away. So it’s understanding these type of attacks. And how the adversaries coming at you is how you can then start to figure out what what is our best way to defend against these different attacks. So we’re going to look at it from both sides of that, as we go through this series. Some of the other things we’ll talk about, we’ll talk about some of the tools that are used both by attackers and tools that can be used by defenders, because tools often help us understand how the attacker works. This is especially big I just did, I wrote up a post talking about passwords. And how oftentimes people misunderstand what a secure password is. Because, you know, they think that it’s a oh, well, it’s something that only I know, because it was from 40 years ago. And it was my cat’s name that died and anybody else that knew that cat is dead now. So nobody else would ever know that cat’s name. Well, the problem is, is that’s not how attackers really go about attacking a password. Rarely is it where you’re sitting at somebody’s desk, and you’re looking at their pictures, like you see on TV, and you’re like, oh, they have a picture of their daughter, let’s try the daughter’s name. And it works. That’s usually not how it works, right? A lot of times are using automated tools to brute force these accounts. And so when we start realizing the ways and the techniques that attackers go about it, we can then start to understand why certain passwords wouldn’t be a good idea, right? Your cat’s name or you know, the the first car you owned, or some just random word that you just recognize with and nobody else would have any idea. doesn’t make as much sense now, because the tool doesn’t care about that, right? The tool is doing these dictionary type attacks and other brute force attempts that don’t take any of that into consideration to try to break into these.

We’ll talk about the techniques, both manual and through the tools that the attackers can use, that the defenders that the developers can use things that we as customers can actually use at home of ways where we can protect ourselves. When we’re shopping online, when we’re making transactions, everything we’re doing, we want to cover and really raise awareness of security for everybody. It’s got a stronger focus on developers, too, because they’re the ones that are creating these applications that we’re using. But it’s just as important for customers to understand how security works and how they can be secure. Whether you decide you want to implement Password Manager of some sort. The idea of using two factor authentication on any of the sites that you have, that’ll help increase that strength of protecting your accounts, all things that we’re going to talk about throughout this series.

So that really kind of wraps up this first episode. Hopefully Each episode will stay somewhere around 20 minutes as this one’s falling into. If you have any recommendations or questions, I encourage you to send them you can send them to info at develop sec.com You can also find the podcast out at developsec.libsyn.com as well. And we’re on Twitter as at develop sec. So thank you for your time and I look forward to the next episode