DEVELOPMENT LIFECYCLE
Daniel Kefer
[Slide: group structure chart. Holdings shown: Sedo Holding GmbH 100 %, Goldbach 14.96 %, Hi-media 10.50 %, fun 49 %, Virtual Minds 48.65 %, ProfitBricks 30.02 %, Open-Xchange 28.36 %, ePages 25.10 %, Uberall 25 %, Rocket Internet 8.18 %]
[Slide: company overview diagram with the layers Access, Applications, Networks, Content, User, Standard equipment, Operational excellence and Software]
Motivated team: around 7,800 employees, thereof approx. 2,000 in product management, development and data centers
Sales strength: approx. 3 million new customer contracts p.a.; 50,000 registrations for free services on a daily basis
46 million accounts in 11 countries
7 data centers
70,000 servers in Europe and the USA
Intuitive approach
Reactive approach
Proactive approach
Overall Concepts
Process models: What should I do at which point?
Maturity models: Am I doing enough for security in development?
Microsoft SDL
In 2005 Microsoft published the first results it achieved using its SDL methodology
Everything is open source
Examples:
OWASP Top Ten: The most widespread application vulnerabilities
OWASP Testing Guide: Methodology for penetration testing of applications
OWASP ASVS: Application Security Verification Standard
OWASP ESAPI: Security library for Java, .NET, PHP, …
OWASP Zed Attack Proxy: Testing tool
Project teams shall have a trusted contact person who guides them through
security challenges
We continuously learn from our mistakes and also give others the
opportunity to learn from them
Low:
Systems not likely to be a target of professional attackers
Mainly reputation risk if vulnerabilities are found
Requirements should target mainly code quality and be aimed at quick wins
Medium:
Possible abuse of client personal data (incidents have to be reported to the authorities)
We should have solid confidence that security has been addressed and assessed
consistently and reasonably
High:
Systems essential for 1&1’s business and those with high compliance requirements
These systems should be ready to withstand sophisticated attacks as well
Most focus on architectural and functional security
The concept:
Each higher category inherits the requirements of the lower one and adds new ones
The 1&1 Project Lifecycle
[Slide: lifecycle diagram. Activities shown: Security guide, Classification, Select security requirements, Security trainings, Automated scan, Yellow Pages record (Low)]
Security requirement categories: Authentication, Session Management, Access Control, Input Validation, Output Encoding, Cryptography
Example requirement:
Criticality: Low
Category: Authentication
Description: Brute force protection is provided after a system-configurable number of invalid login attempts occur against an account within a configurable period of time.
Specification / Best Practice: More information on best practice: https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks
Reasoning: Preventing successful brute force attacks on user credentials.
Functional: Yes
QA Scenario: https://www.owasp.org/index.php/Testing_for_Brute_Force_(OWASP-AT-004)
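The requirement above calls for a per-account lock after a configurable number of invalid attempts within a configurable window. The following is an added illustration of such a check, not code from the 1&1 lifecycle or its requirement catalogue; the class and function names, the default threshold and window values, and the injectable clock (used only to make the example deterministic offline) are assumptions of this example.

```python
"""Added example: per-account brute-force lock-out with a sliding window.
Illustrative code only, not 1&1's implementation; names, defaults and the
ManualClock helper are assumptions made for this example."""
from collections import defaultdict, deque
import time


class ManualClock:
    """Deterministic stand-in for time.time() so the example runs offline."""

    def __init__(self, start=1000.0):
        self.now = start

    def advance(self, seconds):
        self.now += seconds

    def __call__(self):
        return self.now


class BruteForceGuard:
    """Counts failed logins per account inside a sliding window.

    max_attempts    invalid attempts tolerated within window_seconds
    window_seconds  length of the sliding window (old failures age out)
    lockout_seconds how long the account stays locked once the threshold is hit
    Both values are meant to be system-configurable, as the requirement asks.
    """

    def __init__(self, max_attempts=5, window_seconds=300,
                 lockout_seconds=900, clock=time.time):
        self.max_attempts = max_attempts
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures = defaultdict(deque)  # account -> failure timestamps
        self._locked_until = {}              # account -> unlock timestamp

    def _prune(self, account, now):
        # Drop failures that fell out of the window.
        q = self._failures[account]
        while q and now - q[0] > self.window_seconds:
            q.popleft()

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock expired: forget it and the failure history that caused it.
            del self._locked_until[account]
            self._failures[account].clear()
            return False
        return True

    def record_failure(self, account):
        """Register an invalid attempt; returns True if this one locked the account."""
        now = self.clock()
        self._prune(account, now)
        q = self._failures[account]
        q.append(now)
        if len(q) >= self.max_attempts:
            self._locked_until[account] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, account):
        self._failures[account].clear()
        self._locked_until.pop(account, None)


def attempt_login(guard, account, password_ok):
    """Wrap a credential check with the guard. Returns 'locked', 'ok' or 'failed'.

    The lock is checked before the credentials, so a locked account answers
    'locked' whether or not the password was right: a correct guess must not
    be confirmed to an attacker mid-lockout.
    """
    if guard.is_locked(account):
        return "locked"
    if password_ok:
        guard.record_success(account)
        return "ok"
    guard.record_failure(account)
    return "failed"


def demo():
    """Constructed attack sequence: 3 bad passwords lock 'alice' for 120 s."""
    clock = ManualClock()
    guard = BruteForceGuard(max_attempts=3, window_seconds=60,
                            lockout_seconds=120, clock=clock)
    results = [attempt_login(guard, "alice", False) for _ in range(3)]
    results.append(attempt_login(guard, "alice", True))   # right password, still locked
    clock.advance(121)                                     # lockout expires
    results.append(attempt_login(guard, "alice", True))
    return results                                         # ['failed','failed','failed','locked','ok']


if __name__ == "__main__":
    print(demo())
```

The lock is scoped to the account and the counter ages out with the window, which is what the QA scenario linked above tests for. The OWASP page referenced in the requirement also notes the trade-off a practitioner should weigh: a pure per-account lock lets an attacker lock legitimate users out on purpose, so the lockout length and any complementary measures (for example source-based throttling) belong in the configurable parameters rather than hard-coded.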
Relevant: Yes/No
Does it make sense to implement the particular requirement?
In Scope:
Yes: The development team has to (or must not) do something
3rd party: The application relies on another service (e.g. an authentication service)
Refused: It was decided not to implement the requirement
No: The requirement is not relevant
daniel.kefer@1und1.de