Professional Documents
Culture Documents
PNPT
Muzammil Khan started his career as a Information Security
Engineer with expertise in Desktop, Web, Mobile, Networks
and ATM machines as well. Also, he has done some hands-on
in RedTeam Assessments, Malware Analysis and Exploit
Development. He is an active participant of International
and national CTF competitions like HTB Apocalypse, RedTeam
Village 29 Defcon, and got 1st Position in OS Exploitation
in Cyber Hackathon by Ignite.
OBJECTIVES
▪ Understand what SSDLC is and why it's important.
▪ During SDLC, security testing was introduced very late in the lifecycle.
▪ Bugs, flaws, and other vulnerabilities were identified late, making them far
more expensive and time-consuming to fix.
▪ In most cases, security testing was not considered during the testing phase,
so end-users reported bugs after deployment.
ARCHITECTURE REVIEW
PENTEST
MYSITE.COM
DESIGN DEPLOYEMENT
PHASE
PHASE
CODE
DB SERVER REVIEW
DEV
PHASE
WHY IS SECURE-SDLC IMPORTANT?
For example, in waterfall models, this sort of testing was carried out at the end
of the lifecycle, right before production; in more agile processes, we can
implement a "Security by Design" approach.
It would require redesigning, applying the changes and retesting to check it has
been remediated.
In a more agile approach, discussions on whether to prevent flaws like this, such
as deciding on parameterization during the planning phase, can avoid having to
roll back changes, and it only costs a planning discussion.
WHAT WE HAVE LEARNED SO FAR?
▪ Boosting security education and awareness: all stakeholders know each phase's
security recommendations and requirements.
▪ Flaws are detected early before deployment, reducing the risk of getting hacked
or disrupted.
▪ Costs are reduced, and speed increases, thanks to the early detection and
resolution of vulnerabilities. Business risk, brand reputation damage, and fines
that could lead to economic disaster for a company are prevented.
SSDLC PROCESSES
4.DEVELOPMENT
1.PLANNING [Code Review]
[Risk Assessment]
5.TESTING
[Code Review]
3.DESIGN/
PROTOTYPE
[Threat Modeling]
2.ANALYSIS
[Risk Assessment]
6.DEPLOYMENT
[Secure Configuration]
[Security Assessment]
7.MAINTENANCE
RISK ASSESSMENT
▪ During the early stages of SDLC, it is essential to identify security
considerations that promote a security by design approach when functional
requirements are gathered in the planning and requirements stages.
▪ Risk assessment is used to determine the level of the potential threat. Risk
identified in the risk assessment process can be reduced or eliminated by
applying appropriate controls during the risk mitigation process.
PERFORMING RISK ASSESSMENT
▪ The first step in the risk assessment process is to assume the software will be attacked
and consider the factors that motivate the threat actor. List out the factors such as the
data value of the program, the security level of companies who provide resources that the
code depends on, the clients purchasing the software, and how big is the software
distributed (single, small workgroup or released worldwide).
▪ The next step is risk evaluation. Include factors like the worst-case scenario if the
attacker has successfully attacked the software. You can demonstrate the worst-case
scenario to executives and senior engineers by simulating a ransomware attack. Determine
the value of data to be stolen, valuable data such as the user's identity, credentials to
gain control of the endpoints on the network, and data or assets that pose a lower risk.
▪ Some attacks only affect one or two users, but the Denial of Service attack will affect
thousands of users when a server is attacked. Moreover, thousands of computers may be
infected by the spread of worms. The last factor is the accessibility of the target.
Determine whether the target accepts requests across a network or only local access,
whether authentication is needed for establishing a connection, or if anyone can send
requests.
TYPES OF RISK ASSESSMENT
Threat modelling is best integrated into the design phase of an SDLC before any
code is written. Threat modelling is a structured process of identifying
potential security threats and prioritizing techniques to mitigate attacks so
that data or assets that have been classified as valuable or of higher risk
during risk assessment, such as confidential data, are protected.
Not all the methods have the same purpose; some focus on risk or privacy
concerns, while some are more customer-focused. It is essential to analyze which
way aligns more with the project or business.
STRIDE
DREAD
PASTA
THREAT MODELING - STRIDE
STRIDE is built upon the CIA triad principle (Confidentiality, Integrity &
Availability). Security professionals that perform STRIDE are looking to answer
"What could go wrong with this system".
SSDLC
Elevation of
Spoofing Privilege
Identity
Tampering Denial of
with Data Service
Repudiation Information
Disclosure
THREAT MODELING - DREAD
DREAD model also can be used in assessing, analyzing and finding the risk
probability by threat rating.
SSDLC
Discoverability
Damage
Affected Users
Reproducibility
Exploitability
THREAT MODELING - PASTA
PASTA involves the threat modelling process from analyzing threats to finding
ways to mitigate them, but on a more strategic level and from an attacker's
perspective.
QUESTIONS*
Q2. What threat modelling methodology is built upon the CIA triad?
STRIDE
Code Scanning or automated code reviews can leverage Static and Dynamic
Security testing technologies.
SAST
DAST IAST RASP
SCA
IAST testing occurs in real-time, just like DAST, while the application
runs in the staging environment. IAST can identify the line of code
causing security issues and quickly inform the developer for immediate
remediation. IAST checks the source code similar to SAST, but at the post-
build stage, unlike SAST, which occurs during development.
CODE REVIEW
RASP is deployed to a web or application server next to the main
application while running to monitor and analyze the inward and outward
traffic behavior. Immediately once an issue is found, RASP will send
alerts to the security team and immediately block access to the individual
making a request. When you deploy RASP, it will secure the whole
application against different attacks.
APPLICATION SECURITY TESTING TIMELINE
DAST
SAST
SECURITY ASSESSMENT
Like Penetration Testing & Vulnerability Assessments are a form of
automated testing that can identify critical paths of an application that
may lead to exploitation of a vulnerability.
SECURITY ASSESSMENT
Security testing
assesses a system, VULNERABILITY ASSESSMENT
software or web
application for Vulnerability
Assessments focus on PENETRATION TESTING
vulnerabilities and
other attack Finding Vulnerabilities,
but do not validate them It is extended by
vectors. testing/validating of
or simulate the findings
to prove they are vulnerabilities,
exploitable in reality. quantifying risks and
attempting to penetrate
systems.
OWASP
SSDLC
PHASE – 01 [BEFORE DEVELOPMENT]
1.1: Review Policies and Standards
Ensure that there are appropriate policies, standards, and documentation
in place. Documentation is extremely important as it gives development
teams guidelines and policies that they can follow.
▪ User Management
▪ Authentication
▪ Authorization
▪ Data Confidentiality
▪ Integrity
▪ Accountability
▪ Session Management
▪ Transport Security
▪ Tiered System Segregation
▪ Legislative and standards compliance (including Privacy, Government and Industry
standards)
PHASE – 02 [DEFINITION & DESIGN]
2.2: Review Design and Architecture
Applications should have a documented design and architecture. This
documentation can include models, textual documents, and other similar
artifacts. Identifying security flaws in the design phase is not only one
of the most cost-efficient places to identify flaws, but can be one of
the most effective places to make changes.
Having tested the requirements, analyzed the design, and performed code
review, it might be assumed that all issues have been caught. Hopefully
this is the case, but penetration testing the application after it has
been deployed provides a last check to ensure that nothing has been
missed.
After every change has been approved and tested in the QA environment and
deployed into the production environment, it is vital that the change is
checked to ensure that the level of security has not been affected by the
change. This should be integrated into the change management process.
DISCUSSION
THANK YOU!