5. Software security problems keep surfacing

"75% of hacks occur at the application level" - Gartner
"92% of reported vulnerabilities are in applications, not networks" - NIST

(Slide diagram: three stacked layers, Application / Host / Network, with the 75% figure placed at the Application layer.)
17. The challenges of software security

Developers are not security experts.
Security teams discover problems too late in the SDLC.

(Slide chart, "Percentage of Bugs and Flaws": for each phase, Code, Build, Test and Release, it plots the percentage of bugs introduced in that phase, the percentage found in that phase, and the cost to repair a bug in that phase. 85% of bugs are introduced during coding, while the repair cost climbs through $25, $100, $250, $1,000 and $16,000 the later a bug is caught. SAST is marked at the Code phase and PENTEST at the Release phase.)
18. Secure software development life cycle
Treat the root cause: "Build Security In"

(Slide diagram: security touchpoints placed over the SDLC artifacts they apply to.)
  Requirements and use cases: Abuse cases; Security requirements
  Architecture and design: Risk analysis
  Test plans: Risk-based security tests
  Code: Code review (tools)
  Tests and test results: Penetration testing; Risk analysis
  Feedback from the field: Security operations
19. Key success factors - the 4 Ps

People: Champions
Process: Standard & integration
Product: Easy to use
Price: Total cost of ownership
23. Role-based curriculum design

Courses are grouped by touchpoint and assigned to three audiences: Foundational, Subject Matter Expert and Security Champion.

Foundations:
  Foundations of Information Security Awareness
  Foundations of Software Security
  Introduction to PCI for Developers
  Introduction to Cryptography for Architects & Developers
Requirements, Threats and Architecture:
  Foundations of Software Security Requirements
  Foundations of Threat Modeling
  Architecture Risk Analysis
Coding Errors and Defensive Programming:
  Attack and Defense
  OWASP Top 10 Plus 2
  Defensive Programming: JavaEE (Web Applications)
  Defensive Programming: Javascript & HTML5
  Defensive Programming: Javascript & HTML5 (1 Day)
Security Testing:
  Risk-based Security Testing Strategy (Security Champion track only; no course for the other two tracks)
Mobile:
  Foundations of Mobile Security
  Foundations of Android Security
  Foundations of iOS Security
  Defensive Programming for Android
  Defensive Programming for iOS

Time requirements: Foundational 9 hours 15 min; Subject Matter Expert 5 hours 45 min; Security Champion 4 hours 30 min.
24. Role-based curriculum design
Mobile security courses added

#  Role               Class 1                         | Class 2                                | Class 3                         | Class 4
1  Mobile Developer   Foundations of Mobile Security  | Foundations of Android Security        | Defensive Programming Android   | Foundations of Threat Modeling
   (iOS / web variants) Foundations of iOS            | Defensive Programming iOS              | Foundations of Javascript/HTML5 | Defensive Programming Javascript/HTML5
3  Mobile Architects  Foundations of Mobile Security  | Foundations of Threat Modeling         |                                 |
4  AD Leads           Foundations of Mobile Security  | Foundations of Android or iOS Security | Foundations of Threat Modeling  |
27. Process: Standard
Security rules are tiered by project risk classification.
Set test conditions and acceptance criteria for each tier.

(Slide matrix: rows for High, Medium and Low risk projects; columns for Security requirements, Static analysis, Dynamic scanning, Pen testing and Manual code review, plus Project risk classification and Test scripts. A second, newly added matrix covers the mobile project types Native, Hybrid and Mobile Web, with some cells marked NA.)
28. Process: Standard
Security rules are tiered by project risk classification.
Set test conditions and acceptance criteria for each tier.

Project type                  | Remediation standard (test conditions)
External-facing website       | 1. High - OWASP Top 10
                              | 2. High - All
                              | 3. Medium - OWASP Top 10
Critical client-side systems  | 1. High - All
                              | 2. High - SANS Top 25
Other systems                 | 1. High - SANS Top 25
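The remediation standard above only bites if it is enforced at release time, so here is an added example (not code from the original slides) of a release gate that encodes it. The project type keys, the finding record format, the category tags "OWASP-Top10" and "SANS-Top25" and the sample scan report are all assumptions chosen for illustration; the criteria themselves follow the slide, with each numbered item read as one blocking criterion and "All" meaning every finding at that severity or above.

```python
"""Release gate that encodes a risk-tiered remediation standard.

Added example, not the original deck's code. Project type names, the
finding format, the category tags and SAMPLE_REPORT are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class Finding:
    tool: str               # e.g. "sast", "dast", "manual-review"
    rule_id: str
    severity: str           # "High" | "Medium" | "Low"
    categories: frozenset   # tags such as "OWASP-Top10", "SANS-Top25"
    location: str


@dataclass(frozen=True)
class Criterion:
    min_severity: str
    category: Optional[str]   # None means "All": any finding at that severity or above

    def matches(self, f: Finding) -> bool:
        if SEVERITY_RANK[f.severity] < SEVERITY_RANK[self.min_severity]:
            return False
        return self.category is None or self.category in f.categories

    def describe(self) -> str:
        return f"{self.min_severity} - {self.category or 'All'}"


# Remediation standard per project type. Keys are hypothetical; the criteria
# are the ones listed on the slide, in the same order.
POLICY = {
    "external-website": [Criterion("High", "OWASP-Top10"),
                         Criterion("High", None),
                         Criterion("Medium", "OWASP-Top10")],
    "client-critical":  [Criterion("High", None),
                         Criterion("High", "SANS-Top25")],
    "other":            [Criterion("High", "SANS-Top25")],
}


def parse_findings(text: str) -> list:
    """Parse 'tool,rule_id,severity,cat1;cat2,location' lines (a constructed format)."""
    findings = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tool, rule_id, severity, cats, location = [p.strip() for p in line.split(",", 4)]
        if severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {severity!r} in line: {line}")
        categories = frozenset(c for c in cats.split(";") if c)
        findings.append(Finding(tool, rule_id, severity, categories, location))
    return findings


def evaluate(project_type: str, findings: list) -> dict:
    """Return which findings block release under the project type's standard."""
    if project_type not in POLICY:
        raise KeyError(f"no remediation standard for project type {project_type!r}")
    blocking = {}
    for f in findings:
        for crit in POLICY[project_type]:
            if crit.matches(f):
                blocking[f.rule_id] = crit.describe()   # first matching criterion wins
                break
    return {"project_type": project_type, "passed": not blocking, "blocking": blocking}


# Constructed sample scan output for the demonstration (not real tool output).
SAMPLE_REPORT = """
# tool,rule_id,severity,categories,location
sast,sql-injection,High,OWASP-Top10;SANS-Top25,OrderDao.java:88
dast,missing-security-headers,Medium,OWASP-Top10,https://app.example/login
sast,weak-hash-md5,High,OWASP-Top10,PasswordUtil.java:17
manual-review,verbose-error-page,Low,,ErrorController.java:40
"""

if __name__ == "__main__":
    findings = parse_findings(SAMPLE_REPORT)
    for ptype in POLICY:
        result = evaluate(ptype, findings)
        status = "PASS" if result["passed"] else "FAIL"
        print(f"{ptype:17s} {status}  blocking={result['blocking']}")
```

Run on the sample report, the same four findings fail the gate for all three project types, but for different reasons: the external-facing site is blocked by three findings (including the Medium header issue), the critical client-side system by the two High findings, and the "other" system only by the SQL injection, which is the sole High finding carrying the SANS-Top25 tag. Encoding the standard this way makes the acceptance criteria reviewable in version control and keeps the risk classification, rather than the individual scanner, in charge of what blocks a release.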