# Secure Development Workshop Notes

[TOC]

## SDLC Overview

## Threat Modelling

![The four questions framework](https://tldrsec.com/assets/images/talks/all_appsec_cali_2019/seat_table_4qs.png "The four questions framework")

#### Introduction to Microsoft® Security Development Lifecycle (SDL) Threat Modeling

{%pdf https://people.eecs.berkeley.edu/~daw/teaching/cs261-f12/hws/Introduction_to_Threat_Modeling.pdf %}

---

{%slideshare AdamEnglander/threat-modeling-for-dummies-cascadia-php-2018 %}

{%slideshare NCC_Group/real-world-application-threat-modelling-by-example %}

{%slideshare marco_morana/owasp-app-seceu2011version1 %}

#### Examples

* [DNS Security: Threat Modeling DNSSEC, DoT, and DoH](https://www.netmeister.org/blog/doh-dot-dnssec.html)

#### Tools

* [OWASP Threat Dragon](https://docs.threatdragon.org/) - An open source, online threat modelling tool from OWASP
* Threagile
* [threatspec](https://github.com/threatspec/threatspec) - continuous threat modeling, through code.

> Threatspec is an open source project that aims to close the gap between development and security by bringing the threat modelling process further into the development process. This is achieved by having developers and security engineers write threat modeling annotations as comments inside source code, then dynamically generating reports and data-flow diagrams from the code. This allows engineers to capture the security context of the code they write, as they write it. In a world of everything-as-code, this can include infrastructure-as-code, CI/CD pipelines, and serverless etc. in addition to traditional application code.
>
> ![](https://i.imgur.com/tlFXqK0.png)
>
> ![](https://i.imgur.com/G5173k0.png)

* [The Raindance Project](https://github.com/devsecops/raindance) - Project intended to make Attack Maps part of software development by reducing the time it takes to complete them.
> Over the years, we all collect skills defending our software against attackers and learn the details necessary to make our software more resilient. The goal of this project is to figure out how to simplify attack modeling for developers by building out component parts and an inheritance model that can be referenced for common attack scenarios and security testing. Further, we are taking on the challenge of making it possible for a developer to spend 15 minutes developing an attack map that they can keep up to date as their software changes to fit within a continuous delivery process. This will be no small task and we will use what we know already to build out this capability day by day so that we can invite a community of practitioners to help us scale.
>
> We are calling this approach: Attack Maps. This methodology is not a replacement for other security modeling techniques but is necessary for the DevSecOps approach to function well in most organizations. The intention behind this work is to help value creators to quickly identify blast radius, asset composition, and provide controls for feedback (logging/instrumentation), access control (authentication), and data protection (encryption).
#### Additional Reading

<iframe type="text/html" width="336" height="550" frameborder="0" allowfullscreen style="max-width:100%" src="https://read.amazon.com/kp/card?asin=B00IG71FAS&preview=inline&linkCode=kpe&ref_=cm_sw_r_kb_dp_SAHIEbN5ZZNPF" ></iframe>

* [Threat Modeling: What, Why, and How?](https://misti.com/infosec-insider/threat-modeling-what-why-and-how)
* Threat Modeling in the Enterprise
  * [Part 1: Understanding the Basics](https://securityintelligence.com/threat-modeling-in-the-enterprise-part-1-understanding-the-basics/)
  * [Part 2: Understanding the Process](https://securityintelligence.com/threat-modeling-in-the-enterprise-part-2-understanding-the-process/)
  * [Part 3: Understanding the Context](https://securityintelligence.com/threat-modeling-in-the-enterprise-part-3-understanding-the-context/)
* [Threat Modeling: 12 Available Methods](https://insights.sei.cmu.edu/sei_blog/2018/12/threat-modeling-12-available-methods.html)
* [Uncover Security Design Flaws Using The STRIDE Approach](https://web.archive.org/web/20070303103639/http://msdn.microsoft.com/msdnmag/issues/06/11/ThreatModeling/default.aspx)
* [Attack Trees](https://www.schneier.com/academic/archives/1999/12/attack_trees.html)
* [PASTA (Process for Attack Simulation and Threat Analysis): Risk-centric Threat Modeling](https://securesoftware.blogspot.com/2012/09/rebooting-software-security.html)
* [Some final thoughts on threat modeling...](https://blogs.msdn.microsoft.com/larryosterman/2007/10/01/some-final-thoughts-on-threat-modeling/)
* [An introduction to approachable threat modeling](https://increment.com/security/approachable-threat-modeling/)
* [Why You Should Care About Threat Modelling](https://community.arm.com/developer/ip-products/security/b/security-ip-blog/posts/why-you-should-care-about-threat-modelling)
* Tactical Threat Modelling (SAFECode whitepaper)

{%pdf https://safecode.org/wp-content/uploads/2017/05/SAFECode_TM_Whitepaper.pdf %}

### Threat Modelling Exercise

## Security Issues in Python Applications

* https://jacobian.org/2020/may/15/preventing-sqli/
* https://github.com/anxolerd/dvpwa
* https://github.com/portantier/vulpy
* https://github.com/mpirnat/lets-be-bad-guys
* https://pypi.org/project/defusedxml/
* https://www.kevinlondon.com/2015/07/26/dangerous-python-functions.html
* https://www.talosintelligence.com/reports/TALOS-2017-0305
* https://blog.nelhage.com/2011/03/exploiting-pickle/
* https://lincolnloop.com/blog/playing-pickle-security/
* https://hackernoon.com/10-common-security-gotchas-in-python-and-how-to-avoid-them-e19fbe265e03
* https://python-security.readthedocs.io/security.html
* https://medium.com/deepcode-ai/meet-the-tool-that-automatically-infers-security-vulnerabilities-in-python-code-d83e4151872f
* https://medium.com/@felsen88/python-secure-coding-guidelines-73c7ce1db86c
* https://www.slideshare.net/PiotrDyba/pyconpl-2017-with-python-secuirty
* https://speakerdeck.com/jmortega/testing-python-security-pyconweb
* https://www.slideshare.net/jmoc25/python-cryptography-security
* https://speakerdeck.com/tiran/pyconpl-2016-keynote-tales-from-python-security
* https://www.slideshare.net/TravisMcPeak/openstack-security-project
* https://www.slideshare.net/IMMUNIO/pycon-canada-2015-is-your-python-application-secure
* https://github.com/stamparm/DSVW
* https://github.com/lokori/flask-vuln
* https://github.com/JasonHinds13/hackable
* https://github.com/we45/Vulnerable-Flask-App
* https://smirnov-am.github.io/securing-flask-web-applications/
* https://access.redhat.com/blogs/766093/posts/2592591
* https://github.com/PyCQA/bandit
* https://bandit.readthedocs.io/en/latest/
* https://nedbatchelder.com/blog/201302/war_is_peace.html
* https://media.blackhat.com/bh-us-11/Slaviero/BH_US_11_Slaviero_Sour_Pickles_WP.pdf
* https://www.kevinlondon.com/2015/08/15/dangerous-python-functions-pt2.html
* http://lucumr.pocoo.org/2011/2/1/exec-in-python/
* https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html
* https://www.kevinlondon.com/2017/01/30/dangerous-python-functions-pt3.html
* https://github.com/python-security/pyt
* https://docs.openstack.org/security-guide/
* https://github.com/tulpar/tulpar
* https://docs.google.com/presentation/d/1R-3eqlt31sL7_rj2f1_vGEqqb7hcx4vxX_L7E23lJVo/edit#slide=id.g3af0ae9b4b_3_306
* https://github.com/Matir/pwnableweb
* https://github.com/ebranca/owasp-pysec/wiki/Security-Concerns-in-modules-and-functions
* https://flask.palletsprojects.com/en/1.0.x/security/
* https://www.slideshare.net/IvanTsyganov/unsafe-python
* https://www.slideshare.net/AdamEnglander/practical-api-security-pycon-2018
* https://www.slideshare.net/fredericharper/is-your-python-application-secure-pycon-canada-20151107
* https://www.slideshare.net/jmoc25/testing-python-security-pycon-ie

### FIXME Exercise

### DevSecOps

The place of CI/CD in the SDLC

### SAST/SCA Exercise

* https://github.com/returntocorp/semgrep