Secure Software Development
Dr. Asankhaya Sharma
SIT, Nov 23, 2024

Secure Software Development
• Consider security throughout the software development lifecycle
  – Requirements
  – Design
  – Implementation
  – Testing
  – Deployment

Requirements
• Identify sensitive data and resources
• Define security requirements for them
  – Confidentiality
  – Integrity
  – Availability
• Consider threats and abuse cases that violate these requirements

Generic
• Common Best Practices
• Legal
• IT
• Development

Application Specific
• Abuse/Misuse Cases
• Threat Models
• Attacks
• Assets

Design
• Apply principles for secure software design
  – Prevent, mitigate and detect possible attacks
• Security principles
  – Favor Simplicity
  – Trust with Reluctance
  – Defend in Depth

Implementation
• Apply coding rules that implement secure design
• Use automated code review techniques to find potential vulnerabilities in components
  – Static Analysis
  – Symbolic execution

Testing
• Penetration Testing to find potential flaws in the real system
  – Fuzz testing
• Employ attack patterns

Different methodologies
• BSIMM (Building Security In – Maturity Model)
  – http://bsimm.com
• Microsoft Security Development Lifecycle
  – https://www.microsoft.com/en-us/sdl/
• OpenSAMM Software Assurance Maturity Model
  – http://opensamm.org

Continuous Delivery of Software

Continuous Security
• Requires security automation
• Integrate into CD environment and tools
  – Source code management systems
    • GitHub, Bitbucket etc.
  – Build systems
    • Travis CI, Jenkins etc.
• Audit third party component and open-source library usage

Takeaways
• Security practices should be built in during the software development process