All of our applications can be vulnerable to vulnerabilities in one way or another. This, in turn, can lead to financial losses and provoke leakage of customer data.
Why and what to defend against? What tools are there for this, including Open Source? What is the Secure Software Development Lifecycle? Alexander Kiverin, CTO at Ak Bars Digital Technologies, spoke about his company's experience at TechLead Conf 2020 Online. And we have prepared a transcript.
Why defend yourself? There is a clear answer to this question: application vulnerabilities can bring reputational or financial risks to the company (and possibly both). Therefore, safety is important for everyone. And what is worth defending against?
The applications developed by us, engineers, have several points where vulnerabilities are most often hidden:
Injections - SQL, LDAP, XPath;
Weak cryptography;
Insecure transmission of information;
Incorrect error handling;
Information disclosure;
Cross-Site Scripting (XSS);
Cross Site Request Forgery (CSRF);
;
.
SSDLC
« , ».
SDLC — Software Develop Life Cycle — , :
;
;
;
;
.
, Secure SDLC — .
. — , . — .
. .
SSDLC
Agile. - , , Scrum. SSDLC ?
, , .
:
;
( - );
;
;
;
feature freeze;
.
, , . .
(PBR)
« , ».
, , , .
, JIRA. : priority, severity, , ..
« ».
, , .
? , , . : , DFD (Data Flow Diagrams):
, , , . . , , . , . — , , .
« , “” ».
, . , , «» . , .
«» ?
Priority — , issues.
, , Severity (). , Severity (Critical, High, Medium, Low, Info). Severity , . , .
— Risk. — Severity, scoring:
Risk = Severity score = (Application score + Business Impact)/2
Risk Application score, :
Application score = InCode Severity score Nessus Severity score SonarQube Severity score
, Business Impact, , - , -, privacy . :
Business Impact = (Financial Damage + Reputation Damage + Non-Compliance + Privacy Violation)/4
Product Owner. Business Impact, , .
« , OWASP».
— OWASP — Open Web Application Security Project.
-. . , open source .
OWASP Top Ten :
(A1) Injection;
(A2) Broken Authentication;
(A3) Sensitive Data Exposure;
(A4) XML External Entities (XXE);
(A5) Broken Access Control;
(A6) Security Misconfiguration;
(A7) Cross-Site Scripting (XSS);
(A8) Insecure Deserialization;
(A9) Using Components w/ Known Vulnerabilities;
(A10) Insufficient Logging & Monitoring.
. .
:
(A1) .
- (ORM). , .
.
.
SQL, SQL, , .
(2) .
SHA256.
. , -, , -, , - , .
.
.
.
2FA. , .
(5) .
, , .
CORS. - , redirect’ . , . , CSRF .
( JWT-). (SSO-), .
. , , , , .
Rate limit. « N ». , DDoS-.
(6) :
.
.
.
, . - , .
(7) XSS ( JavaScript ).
.
Content Security Policy (CSP).
X-XSS-Protection.
ookies: HTTP-only, Secure, SameSite.
/ (, Microsoft AntiXSS).
(A10) .
OWASP , - . . .
PAN, CVV / CVC;
PIN ;
OTP;
cookie;
, ;
.
, . , .
Code Review
« , ».
-. , .
, :
Feature Freeze
« QA SAST DAST, , , ».
Feature Freeze , - , , - . . .
SAST-. , :
Solar APPscreener. ( : C#, JS, Java, Python). , .
SonarQube. . , dependency-check. . . , . community edition, .
Dependency Check. — . .
Trivy. . ( ).
, DAST- — Dynamic Application Security Testing — . DAST .
:
ZAP OWASP. . , . CI/CD.
Burp Suite. -.
Nessus. . , OpenVAS.
WFuzz. .
, . , , . , .
« , – ».
— . , — , - , .
DefectDojo, . , , , .
« – S1/S2 P1 ».
— ! (Severity) quality assurance ( ):
S1 (Blocker);
S2 (Critical);
S3 (Major);
S4 (Minor);
S5 (Trivial).
:
P1 Highest;
P2 High;
P3 Medium;
P4 Low;
P5 Lowest.
, S1/S2 P1 .
« , ».
, , Trivy, CI/CD pipeline . , CI/CD pipeline . , , ..
()
« , ».
— . , . , , , .
. , PCI DSS, , , .
CI/CD pipeline :
Recovery policy
« . . DevOps – CALMR».
— (Recovery). , .
. , Feature Freeze , - . : — , — .
Security Champions
« AppSec , . Security Champions».
, , Security Champions. , .
Security Champion — , , Quality Assurance , , .
, , . Quality Assurance , . .
, , .
Security Champion:
SSDLC
;
OWASP Top 10 Web and Mobile;
, .
, .
SecChamp :
– , ;
– ;
– ;
;
– , , ;
..
,
« knowledge base confluence , . , Security Champions ».
Security Champions , :
welcome guide;
;
;
;
;
- ;
;
.
, .
: . . , !
TechLead Conf 2021 — , — : 30 1 Radisson Slavyanskaya (). . . TechLead Conf 2020.
!