The OWASP Foundation

http://www.owasp.org

Microsoft SDL in practice

Alex Thissen
Principal Architect, Achmea
[email protected] @alexthissen
Alex Thissen

 Architect with a focus on Microsoft technologies

and products
• Security
• Competencies
 Trainer/coach in software development
 Regional Director for The Netherlands
 Most Valuable Professional
for Visual C#
 Agenda
• Overview of Microsoft SDL
• Phases of SDL
• Implementing SDL at Achmea
• Lessons learned
• Questions and answers

|3
 Think security
• Force yourself to pay attention to
security during application development
• Security is often first victim

4
• Embedding security into software and
culture
• Platform agnostic approach
 Proven benefits
• Microsoft internal adoption
 Extensive experience with security
 Trustworthy computing

5
SDL optimization model
Achmea SDL optimization

Start Goal
Phases of Simplified SDL

8
Combining SDL and agile
• Requirements defined
by frequency, not phase
• Every-Sprint (most critical)
• One-Time (non-repeating)
• Bucket (all others)

9
Embedding SDL in process
• Guidance for process
changes
• Process template for
Visual Studio ALM
integration
 SDL
 MSF Agile with SDL
IMPLEMENTING SDL AT ACHMEA

11
 Focus at Achmea
• Emphasis on implementation at MScc
 Line-of-business apps
 Web portals
• Part of chain: bigger scope
• Embed SDL into “existing” development
process
 Sync with quality gates

12
Deliverables SDL for Achmea
 Training
• Online assessment and awareness
course
• Security expert training
• Roadshow for all MScc employees
• Focus on different phases in SDL for
different roles

14
 Requirements
• Business Impact
Analysis (BIA)
• Determines CIA rating
• Weighs in on initial
Architecture design and
documentation

15
 Design
• Combined Attack Surface Analysis and
Threat model
• Change design to reduce surface
• Threat models as part of architecture
• Use SDL Threat Modeling Tool
• Determine risks from STRIDE
• Part of security view of SAD

16
 Implementation
• Adopted Patterns &
Practices guidance
 Best practices
 Guidelines and checklists
 Tooling
• Included CAT.NET in build
• Watcher

17
 Verification
• BTOcc testplan adopted from OWASP
 Testing for OWASP Top 10
 ASVS testing
 Dynamic, static and manual penetration
testing

• Code reviews

18
 Release
• Final Security Review (FSR)
 Check on deliverables of previous phases
• Approval by Design Authority
• Ultimate quality gate

19
Response plan
• Incident response part of
other departments
 IT Operations (IDS,
monitoring)
 Security departments
• Close loop by applying
lessons learned

20
LESSONS LEARNED

21
 Taking hurdles
• Security as a hurdle
 “False positives”
• Break perception
 “Security takes time,
budget and in not cool”

• Missing or
sub-optimal tooling

22
 Visibility
• Make sure you have security experts
 Advocating security
 People to ask questions
• Pick people that like it
• Find management
that demands it

23
 Achievable goals
• Small steps
• Not all at once
• Prioritize and
pick from top 3

24
Continuous metrics
• Include security
metrics in build
• Tooling is essential
• Testing only at end
leads to disaster

25
Business and management
• Buy-in from management is essential
• Awareness at business is critical
• Don’t end in a showdown with business

26
 Ongoing training
• Training alone is not enough
• Offer help on-the-job
• Not just before but during project as well
• Fast-moving field of security, attacks,
vulnerabilities

27
 Responsibility
• Define clear roles
 Who does what?
• Sharing responsibility

28
WRAPPING UP

29
 Summary
• Embed security in your process
• It’s not easy
• Microsoft SDL turned out to be a good
choice
• OWASP initiatives helped a lot
• You’re never done

30
 Questions and Answers
&A

31
 Training Requirements Design Implementation Verification Release Response

Complete Specify Conduct Document

Security Sec/Priv Perform all Perform
Design Tools compilers, Dynamic runtime Response emergency
No Core No No all END
Trained? Reqs? subtasks Reqs? ID’d?
No
tools, flags Analysis?
No
verification Plan?
No
response
Training subtasks
& options tests procedures

Yes Yes Yes Yes

Yes Yes

Review all
Assign Consult Ban bad Fuzz all Final
Experts Unsafe Fuzz security &
No advisors & Security No advisors No functions No program Security No
ID’d? APIs? Tests? privacy
team leads for review & APIs interfaces Review?
activities

Yes Yes Yes Yes Yes

Validate
Define Perform models Archive all
Consult
Min minimum Static periodic TM/ASR against Release pertinent
No Privacy No advisors No No No
Reqs? security Analysis? static code Review? code Archive? technical
for review
criteria analysis complete data
project

Yes Yes Yes Yes Yes

Deliberate
Specify
Consult attack
Bug bug/work Pen Tests?
No Crypto No advisors No testing on
Track? tracking (Option)
for review critical
tool
components

Yes Yes Yes

Specify Layered
Quality quality Attack defenses &
No No
Gates? gates & Surface? least
bug bars privilege

Yes Yes

Use SRA/ Assess

Assessed Threat threats
No PRA to No
Risk? Models? using
codify risk
STRIDE

Yes Yes

32