Infosec requirements should be determined during requirements gathering and where relevant integrated into JIRA tickets as infosec non-functional requirements.
- Each system should have a comprehensive threat model documented with all relevant attack vectors called out (key compromise, network compromise, DDOS).
- This would include understanding the business model of those commercial attackers who would target us.
- Security focused dev should be familiar with the OWASP Top 10 vulnerabilities and the Common Weakness Enumeration Top 25 and validate all tickets with a security element against these:
- Un-validated/unstructured inputs into your system should be determined and risks presented to product stakeholder. These are vectors for injection attacks.
- Attacks may still exploit product weaknesses without directly targeting the product itself itself.
- eg. inserting an injection attack into one of your incoming requests, which then ends up being read by other systems, which then compromises a component in those systems, which then opens the door to further attacks etc.
- Sounds far-fetched, but commercial attackers (who are more proficient than your usual Anonymous, Hactivist, ‘Script Kiddie’ DDOS-er) will know how to perform complex, multi-system attacks like this.
- Action Points:
- Infosec review process integrated into workflow.
- Comprehensive threat model for project/product, including up and downstream components.
- Product stakeholders need to do one of the following: a) accept risks arising from threat model, b) escalate c) add tickets to remove risk
- Review of incoming data schema, seeing which parts are sensitive, which parts are toxic, and which parts are open to exploitation.
- Security developers should be completely familiar with and other Team members trained in OWASP Top 10 and CWE Top 25 security flaws.