Secure Software Development Training

About This Presentation
Description:

Securium Fox Technology Provides Cyber Security Services In USA, India, Bangalore, UK, London, China, Africa, Japan As Well As Ethical Hacking, Penetration Testing And Training. Moreover, Securium Fox Technology Provides All Platform Certifications Such As CISCO, Microsoft, EC-Council, ISC2, Red Hat And So On. You Get Any Certification With 100% Exam Crack Result. CISCO All Certification – CCNA, CCNP, CENT and so on. EC-Council All Certification – CEHv10, CHFI, LPT, ECSA and so on. ISC2 All Certification – CISM, CISSP and so on. Microsoft All Certification – MCSA, MCITP and so on.


Transcript and Presenter's Notes


1
SECURIUM FOX offers cyber security consultancy
services with its expert and experienced team.
With more than 15 years of experience, we provide
consulting services to prevent cyber attacks and
data leaks and to ensure that our customers are
ready and safe against cyber attacks.

In addition to pentests and consulting services,
SECURIUM FOX prepares its customers and field
enthusiasts for real-life scenarios by providing
training in a lab environment prepared by its own
young, dynamic team, which constantly follows the
field.

As long as hackers are part of our lives, there is
always a risk of facing a cyber attack. Over the
years, the effects and number of attacks have made
cyber security a critical precaution for all
organizations and companies. SECURIUM FOX tests
the weak points of customers for possible attacks
and provides consulting services to eliminate
these weak points.

The SECURIUM FOX team also supports the
development of our country in this field by
supporting free events organized on a volunteer
basis by the Octosec team.
ABOUT US
2
  • SECURE SOFTWARE DEVELOPMENT TRAINING

3
A Step-by-Step Guide to Secure Software
Development
  • It's a common practice among companies providing
    custom software development to disregard security
    issues at the early phases of the software
    development lifecycle (SDLC). With such an
    approach, every succeeding phase inherits the
    vulnerabilities of the previous one, and the
    final product accumulates multiple security
    breaches. As a result, your company will have to
    pay through the nose to close these breaches and
    enhance the software security in the future.
  • Best practices of secure software development
    suggest integrating security into each phase of
    the SDLC, from requirement analysis to
    maintenance, regardless of the project
    methodology, waterfall or agile.
  • A golden rule here is: the earlier custom software
    providers integrate security into an SDLC, the
    less money will be spent on fixing security
    vulnerabilities later on.

4
Requirement analysis stage
  • Requirements set general guidance for the whole
    development process, so security control starts
    that early. The two points to keep in mind to
    ensure secure software development while working
    with customers' requirements are:
  • Employ a combination of use and misuse cases.
  • The security consultants should foresee possible
    threats to the software and express them in
    misuse cases. Simultaneously, such cases should
    be covered by mitigation actions described in use
    cases.
  • Example:
  • A misuse case: An unauthorized user attempts to
    gain access to a customer's application.
  • The corresponding use case: All such attempts
    should be logged and analyzed by a SIEM system.
  • Conduct a security risk assessment and create a
    risk profile.
  • When measuring security risks, follow the
    security guidelines from relevant authoritative
    sources, such as HIPAA and SOX. In these, you'll
    find additional requirements specific to your
    business domain to be addressed.
  • At the requirement analysis stage, security
    specialists should provide business analysts, who
    create the project requirements, with the
    application's risk profile. This document
    contains application surfaces that are sensitive
    to malicious attacks and security risks
    categorized by severity level.

5
Design stage
  • The secure design stage involves six security
    principles to follow:
  • Least privilege. Software architecture should
    allow minimal user privileges for normal
    functioning.
  • Privilege separation. Specific actions in
    software (e.g., create, delete or modify certain
    properties) should be allowed to a limited number
    of users with higher privileges.
  • Complete mediation. Every user access to the
    software should be checked for authority. That
    decreases the chances of privilege escalation for
    a user with limited rights.
  • Multiple security layers. Applying this
    principle, you'll eliminate the threat of a
    single point of security failure that will
    compromise the entire software. It's simple math:
    the more defense layers your software has, the
    lower the chances for a hacker to exploit its
    vulnerabilities.
  • Secure failure. In case your software ceases to
    operate, it should fail to a secure state.
    Although the software is not available anymore,
    it should still preserve confidentiality and
    integrity. So, make sure you've designed secure
    defaults that deny access, undo all the changes
    and restore the system to a secure state in case
    of emergency.
  • User-friendly security. Custom software design
    should incorporate security aspects in a way that
    doesn't hinder UX. If security mechanisms in the
    software are obtrusive, users are likely to turn
    them off.
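
An added example, not part of the original presentation: a Python illustration of how the misuse case from the requirement analysis stage (unauthorized access attempts are logged for a SIEM) and the design principles above (least privilege, privilege separation, complete mediation, secure failure) can appear in code. The role table, the `AUDIT_EVENTS` list, the function names and the sample users are hypothetical.

```python
import json
import logging
from functools import wraps

# Constructed role table: each role holds only the actions it needs (least
# privilege); destructive actions are reserved for "admin" (privilege separation).
PERMISSIONS = {
    "viewer": {"read"},
    "editor": {"read", "modify"},
    "admin": {"read", "modify", "create", "delete"},
}
AUDIT_EVENTS = []  # hypothetical in-memory stand-in for a SIEM forwarder
audit_log = logging.getLogger("audit")


class AccessDenied(Exception):
    """Raised when a caller lacks authority for the requested action."""


def is_allowed(user, action):
    """Default deny: a missing user, missing role or unknown role means 'no'."""
    try:
        return action in PERMISSIONS[user["role"]]
    except (KeyError, TypeError):
        return False  # secure failure: a lookup error never grants access


def mediated(action):
    """Check authority on every call (complete mediation) and log the outcome."""
    def wrap(func):
        @wraps(func)
        def inner(user, *args, **kwargs):
            allowed = is_allowed(user, action)
            event = {
                "event": "authz", "action": action, "target": func.__name__,
                "user": user.get("name") if isinstance(user, dict) else None,
                "result": "allow" if allowed else "deny",
            }
            AUDIT_EVENTS.append(event)
            audit_log.log(logging.INFO if allowed else logging.WARNING, json.dumps(event))
            if not allowed:
                raise AccessDenied(f"{action} denied on {func.__name__}")
            return func(user, *args, **kwargs)
        return inner
    return wrap


@mediated("delete")
def delete_record(user, record_id, store):
    """Remove and return a record; only reachable after the authority check."""
    return store.pop(record_id)
```

Because the check lives in the decorator, every call to `delete_record` is mediated, and a denied call leaves the store untouched while still producing a `deny` event for analysis.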

6
Testing stage. Penetration testing
  • Generally, the testing stage is focused on
    finding errors that don't allow the application
    to work according to the customer's requirements.
    It's high time to check whether the developed
    product can handle possible security attacks by
    employing application penetration testing. This
    is the case when plenty is no plague. The
    operation should be performed in every build.
    Here, to drive down the cost, opt for automated
    penetration tests that will scan each build
    according to the same scenario to fish out the
    most critical vulnerabilities.
  • In addition, exploratory pentesting should be
    performed in every iteration of the secure
    software development lifecycle when the
    application enters the release stage. In this
    case, pentesters don't look for specific
    vulnerabilities. Instead, relying on their
    experience and intuition, engineers check the
    system for potential security defects.
  • It's worth mentioning that the personnel
    performing the testing should be trained on
    software attack methods and understand the
    software being developed.

7
Production and post-production stages
  • The software is ready to be installed on the
    production system, but the process of secure
    software development isn't finished yet.
    Microsoft offers a set of practices to stick to
    after the product has finally seen the light:
  • Create an incident response plan to address new
    threats. Identify appropriate security emergency
    contacts, and establish security servicing plans
    for third-party code and code inherited from
    other groups within the organization.
  • Conduct a final security review. It may uncover
    vulnerabilities missed during the previous
    checks. The final review should verify that all
    misuse cases and security risks defined at the
    requirement analysis stage were addressed.
  • Certify and archive the final product. Certifying
    helps to make sure that all the requirements for
    the software are met. Archiving, in turn, helps
    to perform further maintenance operations.
  • Be prepared to execute the incident response
    plan. Of course, all custom software vendors hope
    that the moment of incident response will never
    come. Still, to uphold their good name, software
    development companies should be ready to swiftly
    implement the incident response plan, should the
    product experience any security breach.

8
Security cost
  • Undoubtedly, proper secure software development
    requires additional expenses and intensive
    involvement of security specialists. Still, it's
    not rocket science if implemented consistently,
    stage by stage. The additional cost of security
    in custom software development is not so high.
    Its integral parts are the security awareness of
    each team member and additional testing
    throughout the software development process.

9
  • With this training, developers will have
    information about all the weaknesses they should
    know. Thus, the application will be tightened
    during the development phase, providing
    advantages to the software team in terms of time
    and human resources.

10
You can always contact SECURIUM FOX. You can
contact us through our email addresses or by
using the contact form on the side.
  • INFO
  • 3rd Floor,Lohia Towers,
  • Nirmala Convent Rd,
  • Gurunanak Nagar, Patamata, Vijayawada,
  • Andhra Pradesh -520010
  • 9652038194
  • 08666678997
  • info_at_securiumfoxtechnologies.com

11
  • info_at_securiumfoxtechnologies.com
  • Andhra Pradesh Office
  • 91 8666678997,91 91652038194
  • 3rd Floor,Lohia Towers,
  • Nirmala Convent Rd, Gurunanak Nagar, Patamata,
    Vijayawada,
  • info_at_securiumfoxtechnologies.com
  • UK Office
  • 44 2030263164
  • Velevate, Kemp House, 152 - 160,City Road,EC1V
    2NX
  • London
  • info_at_securiumfoxtechnologies.com
  • Tamil Nadu Office
  • 91 9566884661
  • Kailash Nagar, Nagar, Tiruchirappalli, Tamil Nadu
    620019
  • info_at_securiumfoxtechnologies.com
  • Noida Office
  • 91 (120) 4291672, 91 9319918771
  • A-25, Block A,
  • Second Floor,Sector - 3,
  • Noida, India
  • info_at_securiumfoxtechnologies.com
  • USA Office
  • 1 (315)933-3016
  • 33 West,17th Street,
  • New York,
  • NY-10011, USA
  • info_at_securiumfoxtechnologies.com
  • Dubai Office
  • 971 545391952
  • Al Ansari Exchange, Ansar Gallery - Karama
    Branch, Hamsah-A Building - 3 A St - Dubai -
    United Arab Emirates