Security by design: integrating all the best practices, understanding their consequences and benefits

Security by design: integrating all the best practices, understanding their consequences and benefits, at the MtoM Embedded Systems trade show, Paris.

Alexis DUQUE

March 20, 2019

Transcript

  1. Secure by Design ▸ 1 – Introduction ▸ 2 – Risk Analysis ▸ 3 – DevSecOps ▸ 4 – DevSecOps @Rtone ▸ 5 – Return on Experience
  3. IoT: “a cyber-physical ecosystem of interconnected sensors and actuators, which enable intelligent decision making” (ENISA) ▸ 80% vulnerable ▸ 20 billion devices in 2020 (Gartner)
  5. DEVSECOPS GOALS ▸ Cost reduction ▸ Speed of recovery ++ ▸ Threat hunting ▸ Security auditing, monitoring ▸ Customer Value ++
  6. DEVSECOPS HISTORY ▸ 2008: DevOps ▸ 2015: DevSecOps ▸ Netflix, RedHat, Amazon, Facebook ▸ … or SecDevOps
  7. 1. TEAM TRAINING ▸ Raise awareness & security culture ▸ Methodology and Process ▸ Tools ▸ Hacking Labs ▸ Secure Programming FIST Action Group + WEEKLY Team Meeting
  8. 3. CONCEPTION ▸ Risk Analysis ▸ Threat Modeling ▸ GDPR and Privacy by Design ▸ Privacy Impact Assessment (PIA)
  9. 3. CONCEPTION ▸ EBIOS (Expression des Besoins et Identification des Objectifs de Sécurité) [Diagram labels: Risks, Context, Threat Scenarios, Security Measures, Feared Events]
  10. 3. CONCEPTION ▸ As an <ATTACKER>, I want to do <SOMETHING BAD> when <SOMETHING> is vulnerable, to cause <NEGATIVE IMPACT>
  11. 4. IMPLEMENTATION ▸ Code versioning w/ GitLab ▸ Coding Rules ▸ SAFECode ▸ Static Analysis w/ Cppcheck ▸ Unit Tests ▸ Code Review
  12. 5. VALIDATION ▸ ‘On-Target’ integration tests ▸ Memory leaks & Fuzzing ▸ Configuration assessment (e.g. SSLyze) ▸ Web scanner + pentests ▸ Automation w/ OWASP Glue
  14. 6. RESPONSE ▸ Implement CVD for vulnerability disclosure ▸ Provide secure update channel ▸ Watch CVE (Common Vulnerabilities and Exposures) ▸ Newsletter for our customers
  16. TAKEAWAYS ▸ It can take some time ▸ Acceptance ratio is low at the beginning ▸ Make customers concerned ▸ Provide secure software and code blocks to Devs ▸ Bring Sec & Dev team together!
  17. CREDIT AND FURTHER READS ▸ Microsoft SDL: https://www.microsoft.com/en-us/SDL/process/design.aspx ▸ OWASP SAMM: https://www.owasp.org/index.php/ ▸ SAFECode: https://safecode.org/wp-content/uploads/2018/03/SAFECode_Fundamental_Practices_for_Secure_Software_Development_March_2018.pdf ▸ Debian Hardening: https://wiki.debian.org/Hardening ▸ Address Sanitizer: https://github.com/google/sanitizers
  18. CREDIT AND FURTHER READS ▸ American Fuzzy Lop: https://lcamtuf.coredump.cx/afl ▸ Arachni: https://github.com/Arachni/arachni ▸ w3af: https://github.com/andresriancho/w3af ▸ ZAP: https://github.com/zaproxy/zaproxy ▸ http://sectooladdict.blogspot.fr/ ▸ SSLyze: https://github.com/nabla-c0d3/sslyze ▸ Mozilla Minion: https://github.com/Wawki/minion