
SECURE SOFTWARE DEVELOPMENT LIFECYCLE

Daniel Kefer, Information Security, 1&1 Internet AG


Agenda

 Who Am I, Who Is 1&1


 Motivation For Secure SDLC
 What the World Does
 What 1&1 Does
 Future Plans

2 26.01.2015 1&1 Internet AG




Who Am I

 Daniel Kefer

 Originally from the Czech Republic

 Working in IT-Security since 2005

 Security in development since 2008

 2011 moved to Germany to work for 1&1

 Focus on application security



1&1 – Member of United Internet AG

(organisation chart, reconstructed as a list)

United Internet AG holds 100 % of:
 1&1 Internet AG
 1&1 Telecommunication AG
 United Internet Ventures AG

Further participations:
 SEDO Holding GmbH 100 %
 Goldbach 14.96 %
 Hi-media 10.50 %
 fun 49 %
 Virtual Minds 48.65 %
 ProfitBricks 30.02 %
 Open-Xchange 28.36 %
 ePages 25.10 %
 Uberall 25 %
 Rocket Internet 8.18 %

As of: 27 March 2014


Locations

(map of 1&1 locations, not reproduced)


1&1: Internet services of United Internet AG

(diagram labels: Access, Applications, Networks, Content, User equipment, Standard software)

Motivated team
 Around 7,800 employees, thereof approx. 2,000 in product management, development and data centers

Sales strength
 Approx. 3 million new customer contracts p.a.
 50,000 registrations for free services on a daily basis

Operational excellence
 46 million accounts in 11 countries
 7 data centers
 70,000 servers in Europe and USA

As of: 19 November 2013




Three Common Approaches to Develop Applications (Security View)

 Intuitive approach

 Reactive approach

 Proactive approach



Intuitive Approach

 Pure best-effort approach

 Relying on individual knowledge and experience of the team members

 No security gates during the development

 Typically leads to a higher occurrence of security incidents and negative PR


Reactive Approach

 Typically one security gate before the application rollout


 Penetration test
 Code review
 Infrastructure configuration audit

 A big step forward from the security point of view, but…


 How effective is it to say "you've done it wrong" once development is finished?
 Typically increases project cost and duration
 Security bugs: mistakes in the source code, "quite easy" to fix
 Security flaws: mistakes in the application design, very expensive to fix
 The world gets more agile all the time... at what point should you test?
 You don't usually find everything during a security audit!


Proactive Approach (Secure SDLC)

 You try to prevent security bugs before they‘re created

 Cost of a bug during the development lifecycle:





What the World Does

 Overall concepts
  Process models: what should I do at which point?
  Maturity models: do I do enough for security in development?

 Supportive methodologies and tooling
  How do I perform an architecture review?
  Penetration testing tools
  Checklists, cheat sheets
  Development guides, testing guides
  ...


Process Models - Example

 Microsoft SDL

 Development divided into 7 phases (Training, Requirements, Design, Implementation, Verification, Release, Response)

 Within every phase you should perform a couple of security-related activities


2004: Microsoft SDL 1.0 Launch

 2005: Microsoft published the first results achieved with their SDL methodology


Maturity Models - Example

 Building Security In Maturity Model (www.bsimm.com)

 A project that regularly compares companies from different verticals and measures their software security activities against a list of 112 activities

 2013 (5th version, BSIMM-V) results – out of 67 firms:
  44 have an internal secure SDLC officially published
  57 track results reached at previously defined security gates
  36 require the owner's security sign-off before deployment
  31 enforce security gates (project does not continue until security requirements are met)


Supportive Methodologies and Tooling

 OWASP (Open Web Application Security Project) – www.owasp.org

 The biggest application security resource today

 Everything is open source

 Anyone can start their own security project

 Examples:
  OWASP Top Ten: the most widespread application vulnerabilities
  OWASP Testing Guide: methodology for penetration testing of applications
  OWASP ASVS: Application Security Verification Standard
  OWASP ESAPI: security library for Java, .NET, PHP...
  OWASP Zed Attack Proxy: testing tool




Main Goals

 Spend the security budget according to the real risk

 Project teams have a trusted contact person guiding them through security challenges

 We learn from our mistakes continuously and give others the opportunity to learn from them too

 KISS (Keep it simple, stupid)! – build on the processes and tools already in use as much as possible


System Classification – 3 Security Levels

 Low:
  Systems unlikely to be the target of professional attackers
  Mainly reputation risk if vulnerabilities are found
  Requirements target mainly code quality and quick wins

 Medium:
  Possible abuse of customers' personal data (incidents have to be reported to authorities)
  We should have solid confidence that security has been addressed and assessed consistently and reasonably

 High:
  Systems essential for 1&1's business and those with high compliance requirements
  These systems should withstand sophisticated attacks as well
  Most focus on architectural and functional security


SDLC Requirements

 Two types of requirements:
  Lifecycle: activities to be done during the lifecycle (e.g. penetration test)
  Technical: properties of the target system (e.g. login brute-force protection)

 The concept:
  Each higher category inherits the requirements of the lower one and adds new ones

 Total number of requirements:

  Level    Lifecycle req.   Technical req.
  Low        6               42
  Medium    12               72
  High      16               84
Lifecycle Requirements (vs. The 1&1 Project Lifecycle)

(diagram mapping the lifecycle activities onto the phases of the 1&1 Project Lifecycle; reconstructed as a list, activities grouped by the level that introduces them, consistent with the 6/12/16 counts above)

Low (6):
 Classification
 Security guide
 Select security requirements
 Security trainings
 Automated scan
 Yellow Pages record

Medium adds (6):
 Security workshop
 Secure SDLC doc. review
 3rd party code
 Penetration test
 Vulnerability management
 Lessons learned

High adds (4):
 Tailor requirements
 Threat model
 Code review
 Configuration review
Technical Requirements - Categories

 Based on OWASP Application Security Verification Standard

 Authentication
 Session Management
 Access Control
 Input Validation
 Output Encoding
 Cryptography
 Error Handling and Logging
 Data Protection
 Communication Security


Technical Requirements – Example (Brute-Force Protection)

ID: AU-07
Criticality: Low
Category: Authentication
Technology: Web Applications, Web Services
Description: Brute force protection is provided after a system-configurable number of invalid login attempts occur against an account within a configurable period of time.
Specification / Best Practice: https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks
Reasoning: Preventing successful brute force attacks on user credentials.
Functional: Yes
Responsible: Requirement Engineer
Deadline: T2 (end of the design phase)
QA Responsible: Test Manager
QA Activity: Black box
QA Scenario: https://www.owasp.org/index.php/Testing_for_Brute_Force_(OWASP-AT-004)
QA Deadline: T3 (before rollout)
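As an added illustration of what requirement AU-07 asks for and how its black-box QA scenario exercises it (example code written for this page, not 1&1's code or a reference implementation from the OWASP pages linked above): a login guard that counts invalid attempts per account in a sliding window and locks the account once a configurable threshold is reached, plus a check in the spirit of OWASP-AT-004 that hammers one account with wrong passwords and verifies that the lock is real (it also refuses the correct password) and that it expires again. The class and function names, the configuration constants and the sample user are assumptions made here.

```python
# Added example (not 1&1 code): login guard for requirement AU-07 plus an
# OWASP-AT-004 style check. Names, constants and the sample user are assumptions.
from collections import deque
import hashlib
import hmac
import os
import time

# Constructed configuration; in a real deployment these are system-configurable.
MAX_ATTEMPTS = 5        # invalid attempts tolerated within WINDOW_SECONDS
WINDOW_SECONDS = 300    # sliding window over which failures are counted
LOCKOUT_SECONDS = 900   # how long the account stays locked after the threshold
SAMPLE_PW = "correct horse battery staple"   # constructed sample credential


class LoginGuard:
    """Counts invalid logins per account in a sliding window and locks the account."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS, clock=time.monotonic):
        self.max_attempts, self.window, self.lockout = max_attempts, window, lockout
        self.clock = clock           # injectable so the check below can fake time
        self._failures = {}          # account -> deque of failure timestamps
        self._locked_until = {}      # account -> time at which the lock expires

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is not None and self.clock() < until:
            return True
        self._locked_until.pop(account, None)   # no lock, or the lock has expired
        return False

    def record_failure(self, account):
        """Register an invalid attempt; returns True if the account is now locked."""
        now = self.clock()
        q = self._failures.setdefault(account, deque())
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        q.append(now)
        if len(q) >= self.max_attempts:
            self._locked_until[account] = now + self.lockout
            q.clear()
            return True
        return False

    def record_success(self, account):
        self._failures.pop(account, None)


class UserStore:
    """Minimal salted PBKDF2 credential store holding constructed sample users."""

    def __init__(self, users):
        self._users = {}
        for name, pw in users.items():
            salt = os.urandom(16)
            self._users[name] = (salt, self._hash(pw, salt))

    @staticmethod
    def _hash(pw, salt):
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

    def verify(self, name, pw):
        # Hash even for unknown accounts so timing does not reveal whether they exist.
        salt, expected = self._users.get(name, (b"\0" * 16, b"\0" * 32))
        return hmac.compare_digest(self._hash(pw, salt), expected) and name in self._users


def login(guard, store, account, password):
    """Returns 'locked', 'ok' or 'invalid'. A locked account is refused before the
    password is checked, so further guesses yield no information."""
    if guard.is_locked(account):
        return "locked"
    if store.verify(account, password):
        guard.record_success(account)
        return "ok"
    guard.record_failure(account)
    return "invalid"


def brute_force_check(max_attempts=MAX_ATTEMPTS):
    """Black-box scenario in the spirit of OWASP-AT-004: send wrong passwords to one
    account, note after how many attempts the application starts refusing, confirm
    the lock also blocks the correct password, and confirm it expires. Fake clock."""
    t = [0.0]
    guard = LoginGuard(max_attempts, WINDOW_SECONDS, LOCKOUT_SECONDS, clock=lambda: t[0])
    store = UserStore({"alice": SAMPLE_PW})   # constructed user
    results = []
    for i in range(max_attempts + 2):
        results.append(login(guard, store, "alice", f"guess{i}"))
        t[0] += 1.0                   # one attempt per second
    blocked = login(guard, store, "alice", SAMPLE_PW) == "locked"
    t[0] += LOCKOUT_SECONDS           # let the lock expire
    return {
        "attempts_before_lock": results.index("locked") if "locked" in results else None,
        "correct_pw_blocked_while_locked": blocked,
        "after_expiry": login(guard, store, "alice", SAMPLE_PW),
    }
```

Two points a practitioner would check in the QA step: the window is sliding (failures older than the window are discarded, so an attacker spreading guesses over time still hits the threshold within any window), and the refusal happens before password verification, so a locked account leaks nothing. The caveat the linked OWASP page raises applies here too: a pure per-account lockout lets an attacker deny service to legitimate users by deliberately failing their logins, so in practice it is combined with per-source throttling, CAPTCHAs or progressive delays rather than used alone.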


Requirement States

 Relevant:
  Yes/No
  Does it make sense to implement the particular requirement at all?

 In Scope:
  Yes: The development team has to (or must not) do something
  3rd party: The application relies on another service for it (e.g. an authentication service)
  Refused: It was decided not to implement the requirement
  No: The requirement is not relevant




Future Plans

 Continue increasing the coverage of SDLC-guided projects

 Train and establish a satellite of Security Guides (in the BSIMM sense: security-minded people embedded in the development teams)

 Continuous enhancement of the methodology
  Agile methodologies, continuous integration/continuous delivery
  Lessons learned from projects

 Creation of an SDLC tool
  Department-specific project management methodologies
  Different technologies
  Transparency of common security measures


Thank You For Your Attention!

daniel.kefer@1und1.de
