Introduction to the Secure SDLC


[Salta] Hi, I’m Salta. I hack. I don’t have a normal desk job. I work whenever I want and take advantage of others. You’re vulnerable and you don’t even know it.

[Narrator] When Salta first started hacking, she was extremely successful in stealing data and money, taking down web applications, and breaking into user accounts. Why was Salta so successful?

[Salta] Because I’m a hacker.

[Narrator] Many companies only consider security in their applications as part of the quality assurance process, after their software has been fully developed, towards the end of the software development lifecycle, or SDLC. Teams may be using Agile, Waterfall, Scrum, Test-Driven Development, Continuous Integration, or any number of other practices during the course of releasing new software, but whatever methodology is used, it can always be broken down into a few different phases: planning, defining, designing, building, testing, and deployment and maintenance. When application security was only part of the testing phase, this approach was a mess, to say the least. It resulted in a high number of undetected vulnerabilities, improper handling of private customer data, an increased number of data breaches caused by cyber security attacks, and a more expensive software development lifecycle. The later that vulnerabilities are found when developing software, the longer and more expensive they are to fix.

[Salta] Aha, I’m in! However... huh?

[Narrator] Organizations got wise to hackers like Salta and began to implement a secure SDLC.

[Salta] Wait, what?

[Narrator] This means that organizations added extra steps to their SDLC to incorporate application security. Now Salta has to be successful hacking with a variety of application security measures in place. These application security measures add security throughout the SDLC process and are the steps of governance, design, implementation, verification, and operations. These steps make up the secure SDLC.

[Salta] Do you think I’m some kind of rookie?

[Narrator] There are multiple security practices for each phase of the secure SDLC, and while none of these phases are a silver bullet, the risks of Salta breaking into your systems or doing damage are greatly reduced. Let’s touch briefly on each of the steps. The first step is governance. In this space you prepare the ground rules and build a process and training plan. For example, Salta here is trying to find a simple SQL injection to break into an account at Acme Company. Part of Acme’s new governance process is to train developers to avoid this vulnerability. Acme’s entire developer team was on the same page and knew how to code SQL statements securely, thwarting Salta’s initial actions.

[Salta] OK, so that didn’t work. It’s OK, I have many methods.

[Narrator] Next we have secure design. Here is a user login on Acme’s website. Salta tries to brute-force a password.

[Salta] P-A-S-S-W-O-R-D... one two three... Sparky 1997...

[Narrator] Salta makes five attempts and is locked out. While designing their software, Acme decided to add a lockout feature to stop Salta from being able to force her way in. The design phase identifies potential attacks and defines appropriate security requirements in architecture to protect the services and data at the core of Acme’s login application.

[Salta] OK, there’s always the open source software route. Ah!

[Narrator] Salta saw an announcement that there was a vulnerability in an open source package that Acme uses. Salta is going to try to exploit this vulnerability, but she finds it has been patched. During implementation, the team built software in a standardized, repeatable manner. They caught, recorded, analyzed, and patched open source vulnerabilities in the process. They then upgraded to the latest versions of open source software whose previous versions contained critical and high-priority vulnerabilities. Let me guess, you’re going to try a vulnerability scanner next?

[Salta] What do you know about that?

[Narrator] Acme ran their own scanners during the verification phase to find and fix vulnerabilities in their own software before deploying it. They ran a number of tests and selected the right static and dynamic application security testing tools. Salta’s scanner found no additional vulnerabilities.

[Salta] Aha! I’ve found something.

[Narrator] Oh dear. Nice try, but the vulnerability you just found cannot be exploited because there’s a web application firewall, or WAF, in place. During the operations phase, Acme established a security response plan and put in place additional protections, including the WAF.

[Salta] I wouldn’t quit your day job. This is just a setback. New methods always come up.

[Narrator] You see, that’s the beauty of the secure SDLC. Each step ensures that, well, it’s always going to be difficult for you, and improvements made to each step make your job harder. Subsequent trainings will go into each step of the secure SDLC in further detail, with tactics and strategies to implement and improve an application security program.

[Salta] Can... can I come to the trainings? You...
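The two Acme controls the video walks through, SQL statements that cannot be injected (governance) and a five-strike account lockout (design), as an added Python example. This is not code from the video or from Acme; it uses an in-memory SQLite table, a constructed user "alice" with a constructed password, and a lockout threshold of 5, all of which are assumptions made for the demo. The "before" login builds its query by string formatting, and the example shows that hashing the password does not rescue it: Salta can UNION in a salt and hash of her own choosing. The "after" login binds parameters and counts failed attempts.

```python
import hashlib
import hmac
import os
import sqlite3

# Assumptions for this demo (not from the video): lockout after 5 failures,
# PBKDF2 work factor, and the constructed account below.
MAX_ATTEMPTS = 5
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256: a deliberately slow hash for stored credentials."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one user in an in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        " username TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL,"
        " failed_attempts INTEGER NOT NULL DEFAULT 0,"
        " locked INTEGER NOT NULL DEFAULT 0)"
    )
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        ("alice", salt, hash_password("correct-horse-battery", salt)),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Pre-governance code: user input is pasted into the SQL text."""
    query = f"SELECT salt, pw_hash FROM users WHERE username = '{username}'"
    row = conn.execute(query).fetchone()
    if row is None:
        return False
    salt, pw_hash = row
    return hmac.compare_digest(hash_password(password, salt), pw_hash)


def forge_union_payload(attacker_password: str) -> str:
    """Username that makes login_vulnerable check against attacker-chosen data."""
    salt = bytes(16)  # the attacker picks the salt, so any value works
    forged_hash = hash_password(attacker_password, salt)
    # Close the string literal, UNION in a row the attacker controls, and
    # comment out the original query's trailing quote.
    return f"nobody' UNION SELECT X'{salt.hex()}', X'{forged_hash.hex()}' --"


def login_secure(conn: sqlite3.Connection, username: str, password: str) -> str:
    """Bound parameters plus the design-phase lockout. Returns ok/denied/locked."""
    row = conn.execute(
        "SELECT salt, pw_hash, failed_attempts, locked FROM users WHERE username = ?",
        (username,),  # passed as data, never parsed as SQL
    ).fetchone()
    if row is None:
        hash_password(password, bytes(16))  # same cost for unknown users (timing)
        return "denied"
    salt, pw_hash, failed, locked = row
    if locked:
        return "locked"
    if hmac.compare_digest(hash_password(password, salt), pw_hash):
        conn.execute("UPDATE users SET failed_attempts = 0 WHERE username = ?", (username,))
        conn.commit()
        return "ok"
    failed += 1
    conn.execute(
        "UPDATE users SET failed_attempts = ?, locked = ? WHERE username = ?",
        (failed, int(failed >= MAX_ATTEMPTS), username),
    )
    conn.commit()
    return "locked" if failed >= MAX_ATTEMPTS else "denied"


def demo() -> dict:
    """Salta's injection and brute-force attempts against both versions."""
    conn = make_db()
    payload = forge_union_payload("pwned")
    guesses = ["password", "PASSWORD", "password123", "Sparky1997", "sparky1997"]
    return {
        "vuln_injection": login_vulnerable(conn, payload, "pwned"),
        "secure_injection": login_secure(conn, payload, "pwned"),
        "brute_force": [login_secure(conn, "alice", g) for g in guesses],
        "correct_after_lockout": login_secure(conn, "alice", "correct-horse-battery"),
    }


if __name__ == "__main__":
    print(demo())
```

The injection succeeds against `login_vulnerable` even though no plaintext password is stored, which is why the training point is "bind parameters", not "hash harder". One caveat on the lockout: a permanent per-account lock lets an attacker lock other people out of their own accounts by guessing badly on purpose, so real designs pair it with a timed unlock, per-source rate limiting, and alerting in the operations phase.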
