Six Pillars Of Security, #1: Secure Application Development

5660-security-lock-and-key

Infosec requirements should be determined during requirements gathering and where relevant integrated into JIRA tickets as infosec non-functional requirements.

  • Each system should have a comprehensive threat model documented with all relevant attack vectors called out (key compromise, network compromise, DDOS).
    • This would include understanding the business model of those commercial attackers who would target us.
  • Security focused dev should be familiar with the OWASP Top 10 vulnerabilities and the Common Weakness Enumeration Top 25 and validate all tickets with a security element against these:
  • Un-validated/unstructured inputs into your system should be determined and risks presented to product stakeholder. These are vectors for injection attacks.
  • Attacks may still exploit product weaknesses without directly targeting the product itself itself.
    • eg. inserting an injection attack into one of your incoming requests, which then ends up being read by other systems, which then compromises a component in those systems, which then opens the door to further attacks etc.
    • Sounds far-fetched, but commercial attackers (who are more proficient than your usual Anonymous, Hactivist, ‘Script Kiddie’ DDOS-er) will know how to perform complex, multi-system attacks like this.
  • Action Points:
    • Infosec review process integrated into workflow.
    • Comprehensive threat model for project/product, including up and downstream components.
    • Product stakeholders need to do one of the following: a) accept risks arising from threat model, b) escalate c) add tickets to remove risk
    • Review of incoming data schema, seeing which parts are sensitive, which parts are toxic, and which parts are open to exploitation.
    • Security developers should be completely familiar with and other Team members trained in OWASP Top 10 and CWE Top 25 security flaws.
Advertisements

One thought on “Six Pillars Of Security, #1: Secure Application Development

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s