Secure Development

The way we build software and systems is rapidly evolving, becoming more and more automated and integrated. Today, developers can define an entire system architecture in code and tie it to tooling which will automate both testing and deployment.

These high level principles are intended to help development teams integrate security into their development process. The security controls should be a standard part of sprints.

Plan

| # | Activity | Description | Threshold |
|---|---|---|---|
| 1 | Security debt | Plan fixing vulnerabilities; replace old or vulnerable open source components. | In every sprint |
| 2 | Threat modeling [1] | Update or re-assess the threat model. | During larger changes |
| 3 | Training [2] | Plan training in security principles and best practices. | When required |

Code

| # | Activity | Description | Threshold |
|---|---|---|---|
| 1 | Version control | Make sure all source code, build scripts, etc. are managed in Git or similar. | Always |
| 2 | Secrets management | Do not hardcode secrets in source code. | Always |
| 3 | Code linting | Use safe programming language constructs. | When possible |
| 4 | Peer review | Enforce peer review. | Always |

Build

| # | Activity | Description | Threshold |
|---|---|---|---|
| 1 | Hardened container image | Perform the build using a hardened container image. | Always |
| 2 | SBOM [3] | Update the SBOM. | Always |
| 3 | Artefact versioning | Publish the build to an artefact repository and ensure versioning. | Always |

Test

| # | Activity | Description | Threshold |
|---|---|---|---|
| 1 | Static code analysis | Perform static code analysis. | Always |
| 2 | Software composition analysis | Perform software composition analysis of open-source components. | Always |
| 3 | Unit testing | Perform unit testing. | 80% |
| 4 | Dynamic code analysis | Perform dynamic analysis. | Always |
| 5 | Fuzz testing | Perform fuzz testing. | On critical source code |
| 6 | Load and performance testing | Perform load and performance testing. | Always |

Release

| # | Activity | Description | Threshold |
|---|---|---|---|
| 1 | Vulnerability scanning | Scan the container image for known vulnerabilities. | Always |
| 2 | Secrets management | Retrieve and inject secrets. | Always |
| 3 | Certificate management | Retrieve and inject certificates. | Always |
| 4 | Digital signing | Digitally sign the container image. | Always |
| 5 | Artifact storage | Store build artifacts in a repository and ensure versioning. | Always |
| 6 | Penetration test | Perform a penetration test (e.g. once a year). | Always |

Deploy

| # | Activity | Description | Threshold |
|---|---|---|---|
| 1 | Secrets management | Retrieve and inject secrets. | Always |
| 2 | RASP / WAF | Enroll in a RASP / WAF service. | When required |
| 3 | Database changes | Validate database changes. | Always |
| 4 | Deploy | Deploy to a hardened CNCF Kubernetes cluster or native environment. | Always |

Operate

| # | Activity | Description | Threshold |
|---|---|---|---|
|   | Digital verification | Validate the digital signature. |   |
| 1 | Resilience verification | Perform chaos (monkey) tests. | At least twice per year |
| 2 | Vulnerability management | Scan the runtime on a regular basis for known vulnerabilities. | In real time or every week |
| 3 | Responsible disclosure | Publish a responsible disclosure policy. | Always |

Monitor

| # | Activity | Description | Threshold |
|---|---|---|---|
| 1 | Logging and monitoring | Review and monitor logs for signs of malicious behaviour. | Daily, or automate |
| 2 | Incident response | React and respond to incidents. | All the time :-) |

Footnotes

[1]

In every sprint, re-assess the current threat model by answering the following questions (https://owasp.org/www-community/Threat_Modeling):

  • What are we working on?
  • What can go wrong?
  • What are we going to do about it?
  • Did we do a good job?

To help answer "what can go wrong" and thereby define the right security requirements, the following guides from OWASP may serve as input:

  • https://owasp.org/www-project-application-security-verification-standard/
  • https://owasp.org/www-project-mobile-app-security/

For a more in-depth introduction, please refer to these guides from AWS:

  • https://aws.amazon.com/blogs/security/how-to-approach-threat-modeling/
  • https://catalog.workshops.aws/threatmodel/

[2]

Always consider when training junior developers, new hires, etc. is required. The best result is typically achieved when having regular dialogue with security champions and development teams.

The following free resources may serve as inspiration:

  • https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/migrated_content
  • https://application.security/
  • https://learn.snyk.io/

The following commercial services may be a better choice in Enterprises:

  • https://www.veracode.com/products/elearning
  • https://www.securecodewarrior.com/
  • https://www.synopsys.com/software-integrity/training.html

[3]

Read more about SBOMs here:

  • https://research.nccgroup.com/2021/05/20/supply-chain-security-begins-with-secure-software-development/
  • https://devblogs.microsoft.com/engineering-at-microsoft/microsoft-open-sources-software-bill-of-materials-sbom-generation-tool/
  • https://snyk.io/learn/software-bill-of-materials/
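As an added example of how the SBOM from the Build stage feeds the software composition analysis and vulnerability scanning gates in the Test and Release tables, the script below (not part of the original page, and not any named tool's code) reads a CycloneDX-style component list, compares each component's version against a constructed advisory feed, and blocks the release when a finding meets the configured severity threshold. The SBOM contents, package names and advisory data are constructed for illustration.

```python
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM fragment; package names and versions are made up.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"name": "acme-json-parser", "version": "1.2.3"},
    {"name": "acme-http-server", "version": "4.18.2"},
    {"name": "acme-logger", "version": "2.14.1"},
    {"name": "acme-crypto", "version": "3.0.0"}
  ]
}"""

# Constructed advisory feed: package name -> (first fixed version, severity).
ADVISORIES: Dict[str, Tuple[str, str]] = {
    "acme-json-parser": ("1.2.9", "HIGH"),
    "acme-logger": ("2.17.1", "CRITICAL"),
    "acme-crypto": ("3.0.0", "MEDIUM"),   # already on the fixed version: no finding
}

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted version into a comparable tuple; non-numeric suffixes are dropped."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def scan_sbom(sbom_text: str, advisories: Dict[str, Tuple[str, str]]) -> List[dict]:
    """One finding per component whose version is older than the first fixed version."""
    findings = []
    for comp in json.loads(sbom_text)["components"]:
        adv = advisories.get(comp["name"])
        if adv is None:
            continue
        fixed, severity = adv
        if parse_version(comp["version"]) < parse_version(fixed):
            findings.append({"component": comp["name"], "version": comp["version"],
                             "fixed_in": fixed, "severity": severity})
    return findings


def release_gate(findings: List[dict], fail_at: str = "HIGH") -> bool:
    """True when the build may be released: no finding at or above the gate severity."""
    return not any(SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[fail_at] for f in findings)


if __name__ == "__main__":
    found = scan_sbom(SBOM_JSON, ADVISORIES)
    for f in found:
        print(f"{f['severity']}: {f['component']} {f['version']} (fixed in {f['fixed_in']})")
    print("release allowed" if release_gate(found) else "release blocked")
```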