Security Patterns
for Software Development
Narudom Roongsiriwong, CISSP
OWASP Meeting, July 30, 2020
WhoAmI
● Lazy Blogger
– Japan, Security, FOSS, Politics, Christian
– http://narudomr.blogspot.com
● Information Security since 1995
● Web Application Development since 1998
● SVP, Head of IT Security, Kiatnakin Bank PLC (KKP)
● Committee Member, Thailand Banking Sector CERT (TB-CERT)
● APAC Research Advisory Council Member at Cloud Security Alliance Asia Pacific
● Consultant, OWASP Thailand Chapter
● Committee Member, National Digital ID Project, Technical Team
● Chief Information Security Officer (CISO) of the Year 2017, NetworkWorld Asia
● Contact: narudom@owasp.org
What Are Security Patterns
Design patterns that can be applied to achieve goals in the area of security.
Classical design patterns have different instantiations to fulfill some information security goal, such as confidentiality, integrity and availability.
Additionally, one can create a new design pattern to specifically achieve some security goal, such as non-repudiation.
Approach to Software Development
[Diagram; its boxes read:]
● UML/OCL models, security patterns
● Model checking and composability of systems
● Vulnerability analysis, code examination, best practices
● Theoretical analysis of security
● Model-driven security
● Code-based security
● Verification
● Certification
Value of Patterns
● Reusable solutions, though usually not directly: they require tailoring
● Encapsulate the experience and knowledge of designers (best practices)
● Become free of errors after a while
● Need to be cataloged to be useful
● Used as guidelines for design
● Good to evaluate systems and standards
● Useful for teaching
Why Security Patterns
● Gaps in knowledge
● Gaps in coverage
● Risks that are complicated and subtle
● Broad range of issues
● Different kinds of expert knowledge
Basic Knowledge of Cryptography
● The following security patterns are heavily based on cryptography.
● Two cryptography categories
– Encryption
– Hashing
Types of Cryptography
[Diagram: taxonomy of secret writing]
● Secret writing
– Overt
● Confidentiality: encryption
● Control: hashing
– Covert (masking)
● Steganography
● Digital watermarking
Encryption: Symmetric vs Asymmetric
● Speed
– Symmetric: very fast and efficient in encrypting large volumes of data
– Asymmetric: computationally intensive and much slower
● Key exchange & management
– Symmetric: both the sender and the receiver must have a mechanism in place to share the key without compromising its secrecy.
– Asymmetric: public keys can be exchanged freely, but management, including identification, requires a public key infrastructure (PKI) in some format such as X.509 or blockchain
● Scalability
– Symmetric: not very scalable; the number of keys required depends on the number of users or parties involved in the secure transaction.
– Asymmetric: only two keys needed per user: one that is private and held by the sender, and the other that is public
● Nonrepudiation
– Symmetric: does not provide proof of origin
– Asymmetric: the sender cannot deny sending the message when the message has been encrypted using the private key of the sender
Two Usages of Asymmetric Encryption
[Diagram 1: confidentiality assurance in asymmetric key cryptography. Alice encrypts the plaintext into cipher text with Bob's public key; Bob decrypts it with Bob's private key. In the reverse direction Bob encrypts with Alice's public key and Alice decrypts with Alice's private key.]
[Diagram 2: proof of origin assurance in asymmetric key cryptography (accountability). Alice encrypts with Alice's private key; Bob decrypts with Alice's public key. In the reverse direction Bob encrypts with Bob's private key and Alice decrypts with Bob's public key.]
Hashing
● Condenses an arbitrary message to a fixed size
– h = H(M)
● Usually assume the hash function is public
● Hash used to detect changes to the message
● Well-known hash functions: SHA-1, SHA-2 (SHA-256, SHA-512), SHA-3
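The two usages of asymmetric encryption and the hashing slide above, worked through as an added Go example; this is not code from the original deck. Confidentiality is RSA-OAEP under the receiver's public key, and proof of origin is realised the way libraries actually implement it: an RSA-PSS signature over the SHA-256 digest h = H(M) made with the sender's private key and checked with the sender's public key. `Party`, `EncryptFor`, `Digest`, `Changed`, `Sign` and `VerifyOrigin` are names chosen for this example, and the message is a constructed sample.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Party is one participant (Alice or Bob in the slides) holding an RSA key pair.
type Party struct {
	Name string
	priv *rsa.PrivateKey
}

// NewParty generates a fresh 2048-bit RSA key pair for the named party.
func NewParty(name string) (*Party, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, priv: k}, nil
}

// Public returns the key that may be shared freely.
func (p *Party) Public() *rsa.PublicKey { return &p.priv.PublicKey }

// EncryptFor gives confidentiality: anyone can encrypt with the receiver's
// public key, only the holder of the matching private key can decrypt.
// RSA-OAEP with SHA-256 is the padding; raw RSA must never be used.
func EncryptFor(receiver *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, receiver, plaintext, nil)
}

// Decrypt recovers the plaintext with this party's private key.
func (p *Party) Decrypt(ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, ciphertext, nil)
}

// Digest is h = H(M) from the hashing slide: a fixed-size (32-byte) value
// that changes if any bit of the message changes.
func Digest(message []byte) []byte {
	h := sha256.Sum256(message)
	return h[:]
}

// Changed reports whether a received message no longer matches the digest
// computed over the original.
func Changed(originalDigest, received []byte) bool {
	return !bytes.Equal(originalDigest, Digest(received))
}

// Sign gives proof of origin: the sender applies its private key to the
// digest of the message (RSA-PSS). Only the private-key holder can produce it.
func (p *Party) Sign(message []byte) ([]byte, error) {
	return rsa.SignPSS(rand.Reader, p.priv, crypto.SHA256, Digest(message), nil)
}

// VerifyOrigin checks the signature with the claimed sender's public key.
// It fails if the message was altered or if a different key signed it.
func VerifyOrigin(sender *rsa.PublicKey, message, sig []byte) bool {
	return rsa.VerifyPSS(sender, crypto.SHA256, Digest(message), sig, nil) == nil
}

func main() {
	alice, _ := NewParty("Alice")
	bob, _ := NewParty("Bob")
	msg := []byte("wire 100 to account 42") // constructed sample message
	altered := []byte("wire 900 to account 42")

	// Confidentiality: Alice -> Bob, encrypted under Bob's public key.
	ct, _ := EncryptFor(bob.Public(), msg)
	pt, _ := bob.Decrypt(ct)
	fmt.Printf("Bob decrypted: %q\n", pt)

	// Proof of origin: Alice signs, Bob verifies with Alice's public key.
	sig, _ := alice.Sign(msg)
	fmt.Println("origin verified:", VerifyOrigin(alice.Public(), msg, sig))
	fmt.Println("altered message verified:", VerifyOrigin(alice.Public(), altered, sig))
	fmt.Println("change detected by hash:", Changed(Digest(msg), altered))
}
```

The signature covers the digest rather than the message itself, which is why the hashing slide sits next to the asymmetric one: a hash function that is public and collision-resistant lets a short signature stand for a message of any length.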
Examples of Security Patterns
Pattern#1: Sending Encrypted Message or File
[Diagram, sender side: Data → generate random key → encrypt data using the random key → encrypt the key using the receiver's public key (RSA) → Encrypted Message (encrypted data plus encrypted key). Sample labels in the diagram: random key "TIakvAQkCu2u", encrypted key "q4fzNeBCRSYqv".]
[Diagram, receiver side: Encrypted Message → decrypt the key using the receiver's private key (RSA) → decrypt data using the key → Data.]
● Use the OpenPGP standard
● Combines the strengths of symmetric (fast) and asymmetric (recipient only) cryptography
● For multiple recipients, each of their public keys is used to encrypt a copy of the same secret (symmetric key)
● Support libraries: https://www.openpgp.org/software/developer/
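Pattern #1 as an added Go example; it is not the author's code and not the OpenPGP packet format (use an OpenPGP library from the list above for interoperable messages). A random AES-256 key encrypts the data once with GCM, and that key is wrapped with RSA-OAEP once per recipient, so the sender-side and receiver-side boxes in the diagram map onto `Seal` and `Open`. `Envelope`, `Seal`, `Open` and `newGCM` are names chosen here, and the recipients and data are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is the "encrypted message" of the slide: the data encrypted once
// under a random symmetric key, plus that key encrypted separately for every
// recipient. Hypothetical structure, not the OpenPGP wire format.
type Envelope struct {
	Nonce       []byte
	Ciphertext  []byte            // AES-256-GCM output, authentication tag included
	WrappedKeys map[string][]byte // recipient name -> RSA-OAEP(session key)
}

// newGCM builds an AES-256-GCM instance for a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the sender side: generate a random key, encrypt the data with it,
// then encrypt the key with each receiver's public key (RSA).
func Seal(data []byte, recipients map[string]*rsa.PublicKey) (*Envelope, error) {
	if len(recipients) == 0 {
		return nil, errors.New("no recipients")
	}
	key := make([]byte, 32) // the random symmetric (session) key, used for one message only
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh key per message, so a random nonce is safe
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	env := &Envelope{
		Nonce:       nonce,
		Ciphertext:  gcm.Seal(nil, nonce, data, nil),
		WrappedKeys: make(map[string][]byte, len(recipients)),
	}
	// Same session key, one RSA-OAEP copy per recipient: the bulk data is
	// encrypted only once however many recipients there are.
	for name, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
		if err != nil {
			return nil, err
		}
		env.WrappedKeys[name] = wrapped
	}
	return env, nil
}

// Open is the receiver side: decrypt the key with the receiver's private key
// (RSA), then decrypt the data with the key. GCM also rejects any modification
// of the ciphertext, so a tampered message fails instead of decrypting to junk.
func Open(env *Envelope, name string, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := env.WrappedKeys[name]
	if !ok {
		return nil, errors.New("no key copy for this recipient")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap session key: " + err.Error())
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	bobKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	carolKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	data := []byte("quarterly report (constructed sample)")
	env, err := Seal(data, map[string]*rsa.PublicKey{"bob": &bobKey.PublicKey, "carol": &carolKey.PublicKey})
	if err != nil {
		panic(err)
	}
	fmt.Printf("one ciphertext (%d bytes), %d wrapped keys\n", len(env.Ciphertext), len(env.WrappedKeys))
	pt, err := Open(env, "carol", carolKey)
	fmt.Printf("carol reads %q (err=%v)\n", pt, err)
}
```

Adding a recipient costs one more RSA operation over a 32-byte key, not a second encryption of the data, which is what makes the pattern scale to large files and many recipients.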
Pattern#2: Microservice Architecture Access Control
● Problems
– Access control logic would otherwise need to be handled in each microservice
– A microservice handles a single piece of business logic, so the global access control logic should not be placed in the microservice implementation
– HTTP is a stateless protocol
– Access control schemes need to be considered to ensure the security of the application
Pattern#2: Microservice Architecture Access Control
[Architecture diagram. Components shown: an API Gateway in front of the Microservices (four Service boxes), an Identity Provider, a Log, and TLS on the connections.]
Pattern#2: Microservice Architecture Access Control
[Sequence diagram with lifelines :Client, :API Gateway, :Identity Provider, :Service]
● Client → API Gateway: authenticate
● API Gateway → Identity Provider: authenticate
● Identity Provider → API Gateway: return access token
● API Gateway → Client: return access token
● Client → API Gateway: call { access token }
● API Gateway → Identity Provider: validate token
● Identity Provider → API Gateway: return authentication
● API Gateway → Service: call service
● Service → API Gateway: service response
● API Gateway → Client: service response
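The sequence above reduced to code, as an added Go example that is not the author's: the identity provider issues a token, the gateway validates it before forwarding and logs the decision, and the service receives only the verified subject. The token format (subject.expiry.HMAC-SHA256) is constructed for this example; a real gateway would validate JWT/OAuth 2.0 access tokens or call the identity provider's introspection endpoint, but the order of checks is the same. `IdentityProvider`, `Gateway`, `ValidateToken`, `Call` and `NewDemo` are assumed names.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Token layout (constructed for this example, not a standard):
//   <subject>.<expiry unix seconds>.<base64url HMAC-SHA256 over "subject.expiry">
// Subjects must not contain '.', which is the separator.

// IdentityProvider issues tokens once the client has authenticated.
type IdentityProvider struct{ key []byte }

// Issue returns an access token for an authenticated subject, valid for ttl.
func (idp *IdentityProvider) Issue(subject string, ttl time.Duration, now time.Time) string {
	payload := subject + "." + strconv.FormatInt(now.Add(ttl).Unix(), 10)
	return payload + "." + base64.RawURLEncoding.EncodeToString(mac(idp.key, payload))
}

func mac(key []byte, payload string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(payload))
	return m.Sum(nil)
}

// Gateway validates every token before any microservice sees the request, so
// the services themselves carry no authentication logic.
type Gateway struct {
	key      []byte // verification key shared with the identity provider
	services map[string]func(subject string) string
	Log      []string // audit trail (the "Log" box in the diagram)
}

// ValidateToken returns the verified subject or an error. The signature is
// checked before the expiry is trusted, and the comparison is constant-time.
func (g *Gateway) ValidateToken(token string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	subject, expStr := parts[0], parts[1]
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac(g.key, subject+"."+expStr)) {
		return "", errors.New("bad signature")
	}
	exp, err := strconv.ParseInt(expStr, 10, 64)
	if err != nil || !now.Before(time.Unix(exp, 0)) {
		return "", errors.New("token expired")
	}
	return subject, nil
}

// Call is the "call { access token }" step: validate, log, then forward to the
// service with the verified subject, never the raw token.
func (g *Gateway) Call(service, token string, now time.Time) (status int, body string) {
	subject, err := g.ValidateToken(token, now)
	if err != nil {
		g.Log = append(g.Log, "DENY "+service+": "+err.Error())
		return 401, "unauthorized"
	}
	handler, ok := g.services[service]
	if !ok {
		return 404, "no such service"
	}
	g.Log = append(g.Log, "ALLOW "+service+" subject="+subject)
	return 200, handler(subject)
}

// NewDemo wires an identity provider and a gateway with one constructed service.
func NewDemo() (*IdentityProvider, *Gateway) {
	key := []byte("constructed-shared-secret-do-not-reuse")
	idp := &IdentityProvider{key: key}
	gw := &Gateway{key: key, services: map[string]func(string) string{
		"orders": func(subject string) string { return "orders for " + subject },
	}}
	return idp, gw
}

func main() {
	idp, gw := NewDemo()
	now := time.Now()
	token := idp.Issue("alice", 10*time.Minute, now)
	fmt.Println(gw.Call("orders", token, now))
	fmt.Println(gw.Call("orders", token, now.Add(time.Hour)))
	fmt.Println(gw.Log)
}
```

The gateway is the single place where a stateless HTTP request is tied back to an authenticated subject; the log it writes is what lets you reconstruct who called which service after the fact.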
Pattern#3: Federation and Assertion
● Federation: a process that
allows for the conveyance
of authentication attributes
and subscriber attributes
across networked systems
● NIST SP800-63c
● Two types of assertion
presentation
– Back channel presentation
(recommended)
– Front channel presentation
IdP = Identity Provider, RP = Relying Party
Pattern#3: Federation and Assertion
Back Channel Assertion
● The subscriber is given an
assertion reference to
present to the RP, generally
through the front channel.
● The assertion reference
itself contains no
information about the
subscriber and SHALL be
resistant to tampering and
fabrication by an attacker.
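An added Go sketch, neither NIST's nor the author's code, of what the back-channel requirement above means in practice: the reference is a random 256-bit value that carries no subscriber data, is bound to one RP, expires within minutes and is accepted exactly once over the back channel. `IdP`, `IssueReference`, `Redeem` and `LeaksSubject` are names assumed for the example; the `rp` argument stands in for the RP's authenticated identity on that channel (mutual TLS or a client secret in a real deployment), and the subscriber and RP identifiers are constructed.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"sync"
	"time"
)

// Assertion is what the RP ultimately receives over the back channel.
type Assertion struct {
	Subject  string // subscriber identifier
	Audience string // the RP this assertion was issued for
	IssuedAt time.Time
}

type pending struct {
	assertion Assertion
	expires   time.Time
}

// IdP holds assertions awaiting redemption, keyed by an opaque reference.
type IdP struct {
	mu      sync.Mutex
	pending map[string]pending
}

func NewIdP() *IdP { return &IdP{pending: make(map[string]pending)} }

// IssueReference creates the assertion and returns only a random 256-bit
// reference for the subscriber to carry to the RP through the front channel.
// The reference encodes nothing about the subscriber and cannot be guessed
// or fabricated: the IdP only honours values it generated itself.
func (idp *IdP) IssueReference(subject, rp string, now time.Time) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	ref := base64.RawURLEncoding.EncodeToString(raw)
	idp.mu.Lock()
	defer idp.mu.Unlock()
	idp.pending[ref] = pending{
		assertion: Assertion{Subject: subject, Audience: rp, IssuedAt: now},
		expires:   now.Add(2 * time.Minute), // short-lived: it only bridges the redirect
	}
	return ref, nil
}

// Redeem is the back-channel call from the RP. A reference is single-use
// whatever the outcome, so a value seen in a browser history or a log has no
// value once the RP has redeemed it.
func (idp *IdP) Redeem(ref, rp string, now time.Time) (Assertion, error) {
	idp.mu.Lock()
	defer idp.mu.Unlock()
	p, ok := idp.pending[ref]
	if !ok {
		return Assertion{}, errors.New("unknown, fabricated or already used reference")
	}
	delete(idp.pending, ref)
	if now.After(p.expires) {
		return Assertion{}, errors.New("reference expired")
	}
	if p.assertion.Audience != rp {
		return Assertion{}, errors.New("reference was issued for a different RP")
	}
	return p.assertion, nil
}

// LeaksSubject is a self-check that the reference carries no subscriber data.
func LeaksSubject(ref, subject string) bool { return strings.Contains(ref, subject) }

func main() {
	idp := NewIdP()
	now := time.Now()
	ref, _ := idp.IssueReference("subscriber-17", "rp.example", now) // constructed ids
	fmt.Println("reference:", ref, "leaks subject:", LeaksSubject(ref, "subscriber-17"))
	a, err := idp.Redeem(ref, "rp.example", now.Add(5*time.Second))
	fmt.Println("first redeem:", a.Subject, err)
	_, err = idp.Redeem(ref, "rp.example", now.Add(6*time.Second))
	fmt.Println("replay:", err)
}
```

The assertion itself never crosses the front channel, which is why the back-channel model is the recommended one: the only thing the subscriber's browser sees is a random handle that is worthless to anyone who cannot authenticate as the RP.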
Pattern#3: Federation and Assertion
NDID – Out of Band Assertion
● NDID – National Digital Identity
● The subscriber tells the RP which IdP to use for the assertion.
● The RP sends the request message to the IdP for the assertion.
● The IdP asks the subscriber for authentication/approval, presenting the request message.
● If the subscriber confirms, the assertion is sent to the RP.
Pattern#4: Strong Authentication
The FIDO protocol is one implementation of this pattern, but we can implement it our own way.
Pattern#4: Strong Authentication – Registration
Pattern#4: Strong Authentication – Authentication
Pattern#4: Strong Authentication – Transaction
Pattern#4: Strong Authentication – Deregistration
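The four steps named above, registration, authentication, transaction and deregistration, as an added Go example of the general challenge-response shape that FIDO also uses. It is not FIDO's message format, it omits attestation of the new key, and it is not the author's code. The device keeps a private key and the server stores only the public key; a login is a signature over a fresh single-use server challenge, and for a transaction the signed payload includes the transaction text so the approval is bound to what the user saw. `Authenticator`, `Server`, `Payload`, `Challenge` and `Verify` are assumed names, and the credential id and transaction text are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Authenticator stands for the user's device or security key. The private
// key is generated on it and never leaves it; only signatures do.
type Authenticator struct{ key *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{key: k}, nil
}

func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.key.PublicKey }

// Sign signs SHA-256(payload) with the device key (ECDSA P-256).
func (a *Authenticator) Sign(payload []byte) ([]byte, error) {
	d := sha256.Sum256(payload)
	return ecdsa.SignASN1(rand.Reader, a.key, d[:])
}

// Payload binds a server challenge to the transaction text the user approved
// (empty for a plain login), so a response cannot be reused for a different
// transaction: what you see is what you sign.
func Payload(challenge, txn string) []byte { return []byte(challenge + "|" + txn) }

// Server stores only public keys and the challenges it has handed out.
type Server struct {
	creds      map[string]*ecdsa.PublicKey // credential id -> public key
	challenges map[string]string           // outstanding challenge -> credential id
}

func NewServer() *Server {
	return &Server{creds: map[string]*ecdsa.PublicKey{}, challenges: map[string]string{}}
}

// Register (step 1) stores the device's public key. FIDO additionally checks
// an attestation over the new key; that step is omitted here.
func (s *Server) Register(credID string, pub *ecdsa.PublicKey) { s.creds[credID] = pub }

// Challenge issues a fresh random nonce tied to one registered credential.
func (s *Server) Challenge(credID string) (string, error) {
	if _, ok := s.creds[credID]; !ok {
		return "", errors.New("unknown credential")
	}
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	c := hex.EncodeToString(b)
	s.challenges[c] = credID
	return c, nil
}

// Verify (steps 2 and 3) consumes the challenge, so a captured response cannot
// be replayed, and checks the signature over challenge|txn with the stored key.
func (s *Server) Verify(credID, challenge, txn string, sig []byte) bool {
	owner, ok := s.challenges[challenge]
	if !ok || owner != credID {
		return false
	}
	delete(s.challenges, challenge)
	pub, ok := s.creds[credID]
	if !ok {
		return false
	}
	d := sha256.Sum256(Payload(challenge, txn))
	return ecdsa.VerifyASN1(pub, d[:], sig)
}

// Deregister (step 4) removes the key; later challenges for it are refused.
func (s *Server) Deregister(credID string) { delete(s.creds, credID) }

func main() {
	dev, _ := NewAuthenticator()
	srv := NewServer()
	srv.Register("cred-1", dev.PublicKey()) // constructed credential id
	c, _ := srv.Challenge("cred-1")
	sig, _ := dev.Sign(Payload(c, ""))
	fmt.Println("login:", srv.Verify("cred-1", c, "", sig))
	fmt.Println("replay:", srv.Verify("cred-1", c, "", sig))
	c2, _ := srv.Challenge("cred-1")
	sig2, _ := dev.Sign(Payload(c2, "pay 100 to merchant A"))
	fmt.Println("altered transaction:", srv.Verify("cred-1", c2, "pay 1000 to merchant A", sig2))
}
```

Nothing the server stores is a secret, so a database leak yields no credential that could be replayed, which is the property that separates this pattern from password and shared-secret OTP schemes.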
Pattern#5: Pinning
● What's the problem
– Applications expect end-to-end security on their secure channels, but some secure channels do not meet that expectation
● What is pinning
– The process of associating a host with its expected X.509 certificate or public key, by associating, or 'pinning', them to the host
● How do you pin
– To harden the channel, the program takes advantage of the OnConnect callback offered by a library, framework or platform. In the callback, the program verifies the remote host's identity by validating its certificate or public key
Pattern#5: Pinning – What Should Be Pinned
● Certificate
● Public key
● Hash of public certificate information (full or partial)
Reference: https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 

Security Patterns for Software Development

  • 1. Security Patterns for Software Development
    Narudom Roongsiriwong, CISSP
    OWASP Meeting, July 30, 2020
  • 2. WhoAmI
    ● Lazy Blogger
      – Japan, Security, FOSS, Politics, Christian
      – http://narudomr.blogspot.com
    ● Information Security since 1995
    ● Web Application Development since 1998
    ● SVP, Head of IT Security, Kiatnakin Bank PLC (KKP)
    ● Committee Member, Thailand Banking Sector CERT (TB-CERT)
    ● APAC Research Advisory Council Member at Cloud Security Alliance Asia Pacific
    ● Consultant, OWASP Thailand Chapter
    ● Committee Member, National Digital ID Project, Technical Team
    ● Chief Information Security Officer (CISO) of the Year 2017, NetworkWorld Asia
    ● Contact: narudom@owasp.org
  • 3. What Are Security Patterns
    Design patterns that can be applied to achieve goals in the area of security.
    Classical design patterns have different instantiations to fulfill some information security goal, such as confidentiality, integrity and availability.
    Additionally, one can create a new design pattern to specifically achieve some security goal, such as non-repudiation.
  • 4. Approach to Software Development
    Diagram of three complementary approaches, each feeding into certification:
    ● Model-Driven Security: UML/OCL models, security patterns
    ● Theoretical Analysis of Security: model checking and composability of systems
    ● Code Based Security Verification: vulnerability analysis, code examination, best practices
    ● Certification
  • 5. Value of Patterns
    ● Reusable solutions, but maybe not directly, usually require tailoring
    ● Encapsulate experience and knowledge of designers (best practices)
    ● Free of errors after a while
    ● Need to be cataloged to be useful
    ● Used as guidelines for design
    ● Good to evaluate systems and standards
    ● Useful for teaching
  • 6. Why Security Patterns
    ● Gaps in knowledge
    ● Gaps in coverage
    ● Risks that are complicated and subtle
    ● Broad range of issues
    ● Different kinds of expert knowledge
  • 7. Basic Knowledge of Cryptography
    ● The following security patterns are heavily based on cryptography.
    ● Two cryptography categories
      – Encryption
      – Hashing
  • 8. Types of Cryptography
    Taxonomy diagram: Secret Writing
    ● Overt (confidentiality control)
      – Encryption
      – Hashing
    ● Covert (masking)
      – Steganography
      – Digital Watermarking
  • 9. Encryption: Symmetric vs Asymmetric
    Speed
      – Symmetric: Very fast and efficient in encrypting large volumes of data
      – Asymmetric: Computationally intensive and much slower
    Key Exchange & Management
      – Symmetric: Both the sender and the receiver must have a mechanism in place to share the key without compromising its secrecy.
      – Asymmetric: Exchange public key freely, but management including identification requires a public key infrastructure (PKI) in some format such as X.509 or blockchain
    Scalability
      – Symmetric: Not very scalable; the number of keys required depends on the number of users or parties involved in the secure transaction.
      – Asymmetric: Only two keys needed per user: one that is private and held by the sender and the other that is public
    Nonrepudiation
      – Symmetric: Does not provide proof of origin
      – Asymmetric: The sender cannot deny sending the message when the message has been encrypted using the private key of the sender
  • 10. Two Usages of Asymmetric Encryption
    ● Confidentiality assurance in asymmetric key cryptography
      – Alice encrypts the plaintext with Bob's public key; Bob decrypts the cipher text with Bob's private key
    ● Proof of origin (accountability) assurance in asymmetric key cryptography
      – Alice encrypts the plaintext with Alice's private key; Bob decrypts the cipher text with Alice's public key
  • 11. Hashing
    ● Condenses an arbitrary message to a fixed size
      – h = H(M)
    ● Usually assume the hash function is public
    ● Hash is used to detect changes to the message
    ● Well-known hash functions: SHA-1, SHA-2 (SHA-256, SHA-512), SHA-3
  • 13. Pattern#1: Sending Encrypted Message or File
    Sender
      – Generate a random (symmetric) key
      – Encrypt the data using the random key
      – Encrypt the random key using the receiver's public key (RSA)
      – Send the encrypted message together with the encrypted key
    Receiver
      – Decrypt the key using the receiver's private key (RSA)
      – Decrypt the data using the recovered key
    ● Use OpenPGP Standard
    ● Combine strength of symmetric (fast) and asymmetric (recipient only) cryptography
    ● For multiple recipients, each of their public keys is used to encrypt a copy of the same secret (symmetric key)
    ● Support libraries: https://www.openpgp.org/software/developer/
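The sender and receiver steps of Pattern#1, and the symmetric/asymmetric trade-off from slide 9, as an added example in Go. This is not code from the talk and not OpenPGP (it uses AES-256-GCM for the data and RSA-OAEP to wrap the data key, with a constructed `Envelope` container); the recipient ids and the sample payload are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is a constructed (not OpenPGP) container: one AES-256-GCM
// ciphertext plus one copy of the random data key wrapped for each recipient.
type Envelope struct {
	Nonce       []byte
	Ciphertext  []byte            // AES-GCM output, authentication tag included
	WrappedKeys map[string][]byte // recipient id -> data key wrapped with RSA-OAEP
}

// Seal encrypts plaintext once with a fresh random key and wraps that key
// under every recipient's RSA public key (the multi-recipient case on slide 13).
func Seal(plaintext []byte, recipients map[string]*rsa.PublicKey) (*Envelope, error) {
	if len(recipients) == 0 {
		return nil, errors.New("seal: at least one recipient is required")
	}
	key := make([]byte, 32) // AES-256 data key, fresh for every message
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	env := &Envelope{
		Nonce:       nonce,
		Ciphertext:  gcm.Seal(nil, nonce, plaintext, nil),
		WrappedKeys: make(map[string][]byte, len(recipients)),
	}
	for id, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
		if err != nil {
			return nil, fmt.Errorf("seal: wrapping key for %s: %w", id, err)
		}
		env.WrappedKeys[id] = wrapped
	}
	return env, nil
}

// Open is the receiver side: unwrap the data key with the private key, then
// decrypt and authenticate the payload. Any tampering fails the GCM tag check.
func Open(env *Envelope, id string, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := env.WrappedKeys[id]
	if !ok {
		return nil, errors.New("open: message was not encrypted for this recipient")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, errors.New("open: could not unwrap data key")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("open: ciphertext failed authentication")
	}
	return plaintext, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed recipient keys
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)
	env, err := Seal([]byte("constructed sample payload"), map[string]*rsa.PublicKey{
		"alice": &alice.PublicKey, "bob": &bob.PublicKey,
	})
	if err != nil {
		panic(err)
	}
	got, err := Open(env, "bob", bob)
	fmt.Printf("bob reads %q (err=%v)\n", got, err)
}
```

The data key is never reused, so the GCM nonce only has to be unique within one message, and the authenticated mode means a modified ciphertext or a wrong private key is rejected rather than producing garbage. OpenPGP's wire format and packet structure differ; the example shows the pattern the slide describes, not the standard's encoding.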
  • 14. Pattern#2: Microservice Architecture Access Control
    ● Problems
      – Access control logic needs to be handled in each microservice
      – A microservice only handles a single business logic, thus the global access control logic should not be placed in the microservice implementation
      – HTTP is a stateless protocol
      – Access control schemes need to be considered to ensure the security of the application
  • 15. Pattern#2: Microservice Architecture Access Control
    Architecture diagram components: API Gateway (TLS), Microservices (four Service boxes), Identity Provider, Log
  • 16. Pattern#2: Microservice Architecture Access Control
    Sequence diagram (participants: Client, API Gateway, Identity Provider, Service):
    1. Client → API Gateway: authenticate
    2. API Gateway → Identity Provider: authenticate
    3. Identity Provider → API Gateway: return access token
    4. API Gateway → Client: return access token
    5. Client → API Gateway: call { access token }
    6. API Gateway → Identity Provider: validate token
    7. Identity Provider → API Gateway: return authentication
    8. API Gateway → Service: call service
    9. Service → API Gateway: service response
    10. API Gateway → Client: service response
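The gateway side of Pattern#2 (slides 14 to 16), as an added example in Go; it is not code from the talk or from any project the talk cites. The token format (HMAC-signed JSON claims), the shared secret, the `orders:read` scope, the `X-Authenticated-Subject` header, and the user and service names are all constructed for the example. A real gateway would validate standard JWTs or call the IdP's introspection endpoint, but its job is the same: validate before routing, enforce the scope the route needs, and keep the microservice free of access-control logic.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Claims carried by the constructed access token (stand-in for a JWT).
type Claims struct {
	Subject string   `json:"sub"`
	Scopes  []string `json:"scp"`
	Expires int64    `json:"exp"` // Unix seconds
}

// IdentityProvider issues tokens and validates them for the gateway.
// Wire form: base64url(JSON claims) "." base64url(HMAC-SHA256 over that).
type IdentityProvider struct{ secret []byte }

func (idp *IdentityProvider) Issue(c Claims) string {
	body, _ := json.Marshal(c) // plain struct of strings and ints: cannot fail
	enc := base64.RawURLEncoding.EncodeToString(body)
	return enc + "." + idp.sign(enc)
}

func (idp *IdentityProvider) sign(s string) string {
	mac := hmac.New(sha256.New, idp.secret)
	mac.Write([]byte(s))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// Validate is the "validate token" step of slide 16: check the signature in
// constant time before trusting any claim, then enforce expiry.
func (idp *IdentityProvider) Validate(token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return nil, fmt.Errorf("malformed token")
	}
	if !hmac.Equal([]byte(idp.sign(parts[0])), []byte(parts[1])) {
		return nil, fmt.Errorf("bad signature")
	}
	var c Claims
	dec := json.NewDecoder(base64.NewDecoder(base64.RawURLEncoding, strings.NewReader(parts[0])))
	if err := dec.Decode(&c); err != nil {
		return nil, fmt.Errorf("undecodable claims")
	}
	if now.Unix() >= c.Expires {
		return nil, fmt.Errorf("token expired")
	}
	return &c, nil
}

// NewGateway validates the bearer token with the IdP, enforces the scope the
// route needs, and only then forwards to the backend with the subject in a
// header the gateway controls. The clock is injectable so expiry is testable.
func NewGateway(idp *IdentityProvider, requiredScope string, backend http.Handler, now func() time.Time) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		if !strings.HasPrefix(auth, "Bearer ") {
			http.Error(w, "missing bearer token", http.StatusUnauthorized)
			return
		}
		claims, err := idp.Validate(strings.TrimPrefix(auth, "Bearer "), now())
		if err != nil {
			http.Error(w, "invalid token", http.StatusUnauthorized)
			return
		}
		allowed := false
		for _, s := range claims.Scopes {
			allowed = allowed || s == requiredScope
		}
		if !allowed {
			http.Error(w, "insufficient scope", http.StatusForbidden)
			return
		}
		// Set, never Add: a client-supplied copy of this header must not survive.
		r.Header.Set("X-Authenticated-Subject", claims.Subject)
		backend.ServeHTTP(w, r)
	})
}

// OrdersService holds only business logic and relies on the gateway's header.
func OrdersService(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintf(w, "orders for %s", r.Header.Get("X-Authenticated-Subject"))
}

func main() {
	idp := &IdentityProvider{secret: []byte("constructed-demo-secret")}
	gw := NewGateway(idp, "orders:read", http.HandlerFunc(OrdersService), time.Now)
	tok := idp.Issue(Claims{Subject: "alice", Scopes: []string{"orders:read"}, Expires: time.Now().Add(5 * time.Minute).Unix()})
	req := httptest.NewRequest(http.MethodGet, "/orders", nil)
	req.Header.Set("Authorization", "Bearer "+tok)
	rec := httptest.NewRecorder()
	gw.ServeHTTP(rec, req)
	fmt.Println(rec.Code, rec.Body.String())
}
```

The service trusts the subject header only because nothing but the gateway can reach it; that is why slide 15 puts TLS and the gateway in front of the services, and why a deployment must also block direct network access to them. Expiry is checked against an injected clock so that the stateless-HTTP concern on slide 14 is handled per request rather than with server-side session state.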
  • 17. Pattern#3: Federation and Assertion
    ● Federation: a process that allows for the conveyance of authentication attributes and subscriber attributes across networked systems
    ● NIST SP 800-63C
    ● Two types of assertion presentation
      – Back channel presentation (recommended)
      – Front channel presentation
    IdP = Identity Provider, RP = Relying Party
  • 18. Pattern#3: Federation and Assertion – Back Channel Assertion
    ● The subscriber is given an assertion reference to present to the RP, generally through the front channel.
    ● The assertion reference itself contains no information about the subscriber and SHALL be resistant to tampering and fabrication by an attacker.
  • 19. Pattern#3: Federation and Assertion – NDID: Out-of-Band Assertion
    ● NDID = National Digital Identity
    ● The subscriber tells the RP which IdP to use for the assertion.
    ● The RP sends the request message to the IdP for the assertion.
    ● The IdP asks the subscriber for authentication/approval of the request message.
    ● If the subscriber confirms, the assertion is sent to the RP.
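The back channel presentation of slide 18, as an added example in Go rather than code from the talk or from NIST: the IdP hands the subscriber an opaque reference, and the RP redeems it directly with the IdP. The `IdP` and `Assertion` types, the two-minute lifetime, and the subscriber and RP identifiers are constructed for the example; the mutual authentication of the RP to the IdP on the back channel is assumed to have happened already and is passed in as `callerRP`.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Assertion is what the RP receives over the back channel; it never travels
// through the subscriber's browser in this flow.
type Assertion struct {
	Subject  string
	Audience string // the RP this assertion was issued for
	IssuedAt time.Time
}

type pending struct {
	assertion Assertion
	expires   time.Time
}

// IdP stores assertions keyed by the opaque reference handed to the subscriber.
type IdP struct {
	mu      sync.Mutex
	pending map[string]pending
	ttl     time.Duration
	now     func() time.Time // injectable clock, constructed for testing
}

func NewIdP(ttl time.Duration, now func() time.Time) *IdP {
	return &IdP{pending: map[string]pending{}, ttl: ttl, now: now}
}

// IssueReference is called after the subscriber has authenticated at the IdP.
// The reference is 256 random bits: it carries no subscriber information and
// cannot be guessed or fabricated, which is what slide 18 requires of it.
func (i *IdP) IssueReference(subject, rp string) (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	ref := base64.RawURLEncoding.EncodeToString(buf)
	i.mu.Lock()
	defer i.mu.Unlock()
	i.pending[ref] = pending{
		assertion: Assertion{Subject: subject, Audience: rp, IssuedAt: i.now()},
		expires:   i.now().Add(i.ttl),
	}
	return ref, nil
}

// Redeem is the back-channel call. callerRP is the identity of the RP making
// the call, established by the authenticated RP-to-IdP channel (for example
// mTLS or a client credential), never taken from the request body.
func (i *IdP) Redeem(ref, callerRP string) (*Assertion, error) {
	i.mu.Lock()
	defer i.mu.Unlock()
	p, ok := i.pending[ref]
	if !ok {
		return nil, errors.New("unknown or already used reference")
	}
	delete(i.pending, ref) // single use: consumed whether or not the checks below pass
	if i.now().After(p.expires) {
		return nil, errors.New("reference expired")
	}
	if p.assertion.Audience != callerRP {
		return nil, errors.New("reference was not issued for this RP")
	}
	a := p.assertion
	return &a, nil
}

func main() {
	idp := NewIdP(2*time.Minute, time.Now)
	ref, _ := idp.IssueReference("subscriber-42", "rp.example.test") // constructed ids
	a, err := idp.Redeem(ref, "rp.example.test")
	fmt.Println(a, err)
	_, err = idp.Redeem(ref, "rp.example.test")
	fmt.Println("second use:", err)
}
```

Three properties make the reference safe to carry through the front channel: it is unguessable, it is bound to one RP so a reference leaked to another party is useless, and it is consumed on first use, so a replay after the legitimate redemption fails. The assertion content itself is only ever released over the authenticated back channel.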
  • 20. Pattern#4: Strong Authentication
    The FIDO protocol is one implementation of this pattern, but we can implement it our own way.
  • 22. Pattern#4: Strong Authentication – Authentication
  • 24. Pattern#4: Strong Authentication – Deregistration
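The registration, authentication and deregistration steps of Pattern#4 (slides 20 to 24), as an added example in Go. It is not the talk's code and not FIDO itself: it is the possession-based challenge-response that FIDO also builds on, here with Ed25519 keys. The relying-party identifier `login.example.test`, the user names, and the in-memory `Server` and `Authenticator` types are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"sync"
)

// rpID is a constructed relying-party identifier; binding it into the signed
// data means a signature produced for one site cannot be replayed to another.
const rpID = "login.example.test"

func signedData(challenge []byte) []byte {
	return append([]byte(rpID+"|"), challenge...)
}

// Server holds registered authenticator public keys and outstanding challenges.
type Server struct {
	mu         sync.Mutex
	keys       map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewServer() *Server {
	return &Server{keys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register (slide 21) stores only the public key: a copy of this database gives nothing usable to log in.
func (s *Server) Register(user string, pub ed25519.PublicKey) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("register: malformed public key")
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	if _, exists := s.keys[user]; exists {
		return errors.New("register: user already has an authenticator")
	}
	s.keys[user] = pub
	return nil
}

// Challenge issues a fresh random nonce; signing it proves possession of the private key now.
func (s *Server) Challenge(user string) ([]byte, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if _, ok := s.keys[user]; !ok {
		return nil, errors.New("challenge: unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[user] = c
	return c, nil
}

// Authenticate (slide 22) verifies the signature over rpID and the outstanding
// challenge, then discards the challenge so the same signature cannot be replayed.
func (s *Server) Authenticate(user string, sig []byte) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	c, ok := s.challenges[user]
	if !ok {
		return false
	}
	delete(s.challenges, user)
	pub, ok := s.keys[user]
	return ok && ed25519.Verify(pub, signedData(c), sig)
}

// Deregister (slide 24) removes the key and any pending challenge for the user.
func (s *Server) Deregister(user string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.keys, user)
	delete(s.challenges, user)
}

// Authenticator is the client side; the private key never leaves it.
type Authenticator struct{ priv ed25519.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Authenticator{priv: priv}, err
}

func (a *Authenticator) PublicKey() ed25519.PublicKey { return a.priv.Public().(ed25519.PublicKey) }

func (a *Authenticator) Sign(challenge []byte) []byte { return ed25519.Sign(a.priv, signedData(challenge)) }

func main() {
	srv := NewServer()
	auth, _ := NewAuthenticator()
	_ = srv.Register("alice", auth.PublicKey())
	c, _ := srv.Challenge("alice")
	sig := auth.Sign(c)
	fmt.Println("login ok:", srv.Authenticate("alice", sig))
	fmt.Println("replay ok:", srv.Authenticate("alice", sig))
}
```

Compared with a password, nothing reusable crosses the wire: the server stores a public key, each login signs a one-time challenge, and the challenge is deleted on first use. FIDO adds attestation, user-presence and origin binding on top of this core; the example keeps only the origin binding (`rpID`) to show why the signed data must include more than the raw nonce.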
  • 25. Pattern#5: Pinning
    ● What's the problem
      – Applications expect end-to-end security on their secure channels, but some secure channels are not meeting the expectation
    ● What is pinning
      – The process of associating a host with its expected X.509 certificate or public key, by associating or 'pinning' them to the host
    ● How do you pin
      – To harden the channel, the program takes advantage of the OnConnect callback offered by a library, framework or platform. In the callback, the program verifies the remote host's identity by validating its certificate or public key
  • 26. Pattern#5: Pinning – What Should Be Pinned
    ● Public Certificate
    ● Public Key
    ● Hash of Certificate Information (full or partial)
    Reference: https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning
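Public key pinning (slides 25 and 26) as an added example in Go, not code from the talk or from the OWASP page it references. Go's `tls.Config.VerifyPeerCertificate` plays the role of the OnConnect callback: it runs after ordinary chain validation and compares the SHA-256 of each presented certificate's SubjectPublicKeyInfo against the pin set. The in-process TLS server with its self-signed test certificate, and the bogus pin value, are constructed fixtures for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// SPKIPin returns the base64 SHA-256 of a certificate's SubjectPublicKeyInfo.
// Pinning the key (rather than the whole certificate) survives certificate
// renewal as long as the key pair is kept, which is why it is the usual choice.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// PinVerifier is the OnConnect-style callback of slide 25 for Go's TLS stack:
// it runs after normal chain validation and accepts the connection only if
// some certificate the server presented matches a pinned key.
func PinVerifier(pins []string) func([][]byte, [][]*x509.Certificate) error {
	allowed := make(map[string]bool, len(pins))
	for _, p := range pins {
		allowed[p] = true
	}
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		for _, raw := range rawCerts {
			cert, err := x509.ParseCertificate(raw)
			if err != nil {
				return err
			}
			if allowed[SPKIPin(cert)] {
				return nil
			}
		}
		return errors.New("pinning: no presented certificate matches a pinned public key")
	}
}

// PinnedClient keeps ordinary validation against roots and adds the pin check on top.
func PinnedClient(roots *x509.CertPool, pins []string) *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{
		RootCAs:               roots,
		MinVersion:            tls.VersionTLS12,
		VerifyPeerCertificate: PinVerifier(pins),
	}}}
}

// FetchWithPins performs a GET through a pinned client and returns the body.
func FetchWithPins(url string, roots *x509.CertPool, pins []string) (string, error) {
	resp, err := PinnedClient(roots, pins).Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// NewDemoServer starts an in-process TLS server with a self-signed test
// certificate (constructed fixture) and returns it with a pool that trusts it.
func NewDemoServer() (*httptest.Server, *x509.CertPool) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate())
	return srv, roots
}

func main() {
	srv, roots := NewDemoServer()
	defer srv.Close()
	good := SPKIPin(srv.Certificate())
	body, err := FetchWithPins(srv.URL, roots, []string{good})
	fmt.Println("correct pin:", body, err)
	_, err = FetchWithPins(srv.URL, roots, []string{"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="})
	fmt.Println("wrong pin:", err)
}
```

Two operational points follow from the code. First, the pin check is added to chain validation, not substituted for it (`RootCAs` stays set), so a pinned but expired or mis-issued certificate is still rejected. Second, a pin set should contain a backup pin for the next key pair before a rotation, otherwise the rotation locks every client out; passing a backup pin alongside the live one still connects, while a wrong pin alone fails the handshake.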