Cyber 3 Module 3 Reviewer Kunwari


Chapter 9

Responding to Cybersecurity Incidents


1. Deploy an Incident Handling and Response Architecture
2. Mitigate Incidents
3. Prepare for Forensic Investigation as a CSIRT

Incident Handling and Response Planning

Design an incident handling capability that:

● Detects compromises quickly and efficiently.
● Responds to incidents quickly.
● Identifies the cause effectively.

In response to an incident:
● Secure data.
● Contain the incident.
● Return operations to normal.
● Identify how to prevent further exploitation.
● Assess the damage and impact.
● Update security policies and procedures based on lessons
learned.

Site Book
Hardware
Serial numbers, MAC addresses, disk drive type/sizes, CPU
type/speed, etc.

Software
Operating systems, applications, scripts, add-ons, etc.

Network infrastructure
Cabling, switches, routers, etc.

Physical infrastructure
Power supplies, tables, chairs, shelving, etc.

Warranty information
Dates, vendors, receipts, registration information, etc.

Configurations
IP addresses, organization layout, distribution, configuration
files, etc.

Administrative credentials
User names, passwords, tokens, etc.

SOCs
● Equipped to perform incident response duties.
● Supported by organizational policies.
● Aware of strengths and limitations of tools.
● Able to separate signal from noise in monitoring.
● Able to balance size and presence in the organization.
● Able to incorporate various security processes.
● Prepared to leverage strong processes and minimize weaker
ones.
● Staffed with skilled professionals.
● Able to protect SOC itself.
● Willing to collaborate with other SOCs.

CSIRT Organization
Central Team
● One team works on behalf of entire organization.
● Suitable for smaller organizations/organizations in one
location.

Distributed Team
● Multiple CSIRTs for different segments/locations of
organization.
● Suitable for large organizations/organizations in many
locations.
● Must be collaboration and consistency between teams.

Coordinating Team
● Overarching team provides guidance to other teams.
● Coordinates actions of distributed teams.

CSIRT Roles

Manager/team leader
● Supervises CSIRT.

Investigator
● Discovers impact and source of incident.

Security specialist
● Supports team members when dealing with specialized
systems.
Help desk staff
● Supports employees and customers affected by incident.

Crisis communicator
● Communicates important details of incident to stakeholders.

Auditor
● Evaluates existing security mechanisms.

Legal counsel/liaison
● Provides legal assistance in criminal incidents.

Software developer
● Builds and maintains tools used by CSIRT.

A Day in the Life of a CSIRT


● Take immediate action in response to incidents.
● Perform analytical and problem-solving tasks.
● Communicate effectively to all stakeholders.
● Adapt to change.
● Conduct tabletop exercises.
● Protect evidence, privacy, and confidentiality.

CSIRT Communication Process


1. Identify individuals to contact
2. Identify external individuals to contact
3. Determine when to notify CSIRT members
4. Determine secure communication channel
5. Establish protocols for out-of-band communication
6. Prevent the release of information to untrusted parties
7. Document and train individuals in the process
8. Test the process and revise it

Incident Indicator Sources


● Anti-malware software
● NIDS/NIPS
● HIDS/HIPS
● System logs
● Network device logs
● SIEM
● Flow control device
● Internal personnel
● People outside the organization
● Research

The Impact and Scope of Incidents

Consequences of an Incident
● Damage to data and information system resources.
● Unauthorized changes to data and systems.
● Theft of data or resources.
● Disclosure of sensitive data.
● Interruption of services.

Impact can be tangible or intangible:

● Corrupt data on hard drive (tangible)
● Losing potential customers after a DoS (intangible)
● Company’s reputation tarnished after data stolen (intangible)

Don’t underestimate the scope of an incident’s impact.

Incident Evaluation and Analysis
● Document all systems within your organization.
● Consider systems in terms of their criticality.
● Consider how recovery time may be affected.
● Set a baseline for normal behavior.
● Retain logs from all sources.
● Correlate potential indicators across all sources.
● Research reputable sources.
● Filter irrelevant or inconsequential sources.
● Properly document analysis findings in a database.

Incident Containment
● Ensure the safety and security of all personnel.
● Remove devices from the network.
● Disable communications between network devices.
● Disable network user accounts.
● Disable email accounts.
● Limit access to affected subnets.
● Isolate the compromised system.
● Treat the compromised system as a crime scene.

Incident Mitigation and Eradication


● Intent is to stop an incident as it occurs.
● Also, to shut down negative effects left behind.
● Identify which systems are affected, and how.
● Example: After isolating subnets to contain a worm, you can
now remove the infection from the subnet.
● Remember: your primary goal is to return operations to
normal.

Incident Recovery
Recovery examples:
● Restoring data deleted by a malicious user.
● Manually rebooting servers and performing a health check
after DDoS.
● Wiping a hard drive after malware is discovered on a device.

Additional CSIRT recovery roles:


● Provide leadership with information and response strategies.
● Provide information needed for crisis communications.
● Provide follow-up support for customer and partner relations.

Incident Handling Tools

Task: Common tools
Create disk images: EnCase, Clonezilla, FTK Imager
Display network shares: BySoft Network Share Browser, NetShareWatcher
User rights management: Novell ZENworks Desktop Management 7, Windows Users and Groups control panel
Deleted data recovery: TestDisk, Foremost
Network sniffing/packet analysis: Wireshark, Packetyzer, tcpdump
Password cracking: Cain & Abel, John the Ripper
Active ports enumeration: Nmap, Netcat

System Hardening
● Deactivate unnecessary components
● Disable unused user accounts
● Implement patch management
● Restrict access to peripheral protocols
● Restrict shell commands

Blacklisting

● Blocking known sources of attack.
● Useful in responding to malware threats.
● External example:
- Users infected by random malvertisements.
- Not localized to one site.
- You can block ads or scripts on client side, or filter
known malicious advert domains.

● Internal example:
- Logic bombs triggering under known circumstances.
- You know the effect and the ports it uses to spread.
- Block these ports at the firewall to stop the spread.

● Limitations:
- False positives and collateral damage.
- What you don’t know can still hurt you.

Whitelisting
● Response to the problem of what you don’t know.
● Block everything except what you trust.
● You know the sources you trust; takes time and effort to
identify all possible bad sources.
● Enforcing a whitelist of trusted domains, ports, etc., will block
more bad sources.
● Can also be used to restrict application usage during
mitigation efforts.
● Limitations:
- Can be very restrictive
- Need to be constantly fine-tuned.

DNS Filtering
● Restricts what kind of lookup requests are validated.
● Uses blacklists/whitelists to block untrusted sources.
● Usually returns a block message to user who tries to access
untrusted sources.
● During an incident, filtering can prevent more malware from
downloading.
● Easy to apply across the organization.
● Won’t remove an infection, but contain it.
● Users can bypass filtering if they don’t use your DNS server.
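As an added illustration (not part of the reviewer), the following Python models the allow/block decision a filtering resolver makes for blacklist and whitelist modes, and, for the last bullet, a check over flow records for clients that send DNS to some other resolver and so are not protected by the filter. The domain names, addresses and flow records are constructed.

```python
# Added example (not from the reviewer): a DNS filtering policy applied
# label-wise, plus a check for clients that bypass the filtering resolver.


def _labels(name: str) -> list:
    """Normalize a hostname into its DNS labels (lowercase, no trailing dot)."""
    return name.lower().rstrip(".").split(".")


def domain_matches(name: str, domains) -> bool:
    """True if name equals or is a subdomain of any listed domain.

    Comparison is label-wise, so "evil-corp.test" does not match "corp.test"
    the way a naive string-suffix test would.
    """
    parts = _labels(name)
    for d in domains:
        dl = _labels(d)
        if len(parts) >= len(dl) and parts[-len(dl):] == dl:
            return True
    return False


def dns_policy(name: str, allowlist, blocklist, mode: str = "blocklist",
               sinkhole_ip: str = "192.0.2.250") -> dict:
    """Decide how the filtering resolver answers a lookup.

    mode="blocklist": block listed domains, resolve everything else.
    mode="allowlist": resolve only listed domains, block everything else.
    Explicit allowlist entries win in both modes. A blocked lookup is answered
    with the sinkhole address so the user lands on a block page.
    """
    if domain_matches(name, allowlist):
        return {"name": name, "action": "resolve", "answer": None, "reason": "allowlisted"}
    if domain_matches(name, blocklist):
        return {"name": name, "action": "block", "answer": sinkhole_ip, "reason": "blocklisted"}
    if mode == "allowlist":
        return {"name": name, "action": "block", "answer": sinkhole_ip, "reason": "not allowlisted"}
    return {"name": name, "action": "resolve", "answer": None, "reason": "default"}


def resolver_bypass_clients(flows, approved_resolvers) -> set:
    """Flag clients sending DNS (port 53) anywhere but the filtering resolvers.

    flows: iterable of (src_ip, dst_ip, dst_port, proto) records, as you would
    get from NetFlow or firewall logs. Such clients are outside the filter.
    """
    return {src for src, dst, dport, proto in flows
            if dport == 53 and proto in ("udp", "tcp") and dst not in approved_resolvers}


# Constructed sample policy and flow records (reserved example names/addresses).
ALLOWLIST = ["corp.test"]
BLOCKLIST = ["malvertising.test", "c2.example"]
APPROVED_RESOLVERS = {"192.0.2.53"}
SAMPLE_FLOWS = [
    ("10.0.0.11", "192.0.2.53", 53, "udp"),     # uses the filtering resolver
    ("10.0.0.12", "198.51.100.8", 53, "udp"),   # talks to an outside resolver
    ("10.0.0.13", "192.0.2.53", 443, "tcp"),    # not DNS at all
]

if __name__ == "__main__":
    for host in ["ads.malvertising.test", "intranet.corp.test", "evil-corp.test"]:
        print(dns_policy(host, ALLOWLIST, BLOCKLIST))
    print(resolver_bypass_clients(SAMPLE_FLOWS, APPROVED_RESOLVERS))
```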

Black Hole Routing

● Dropping traffic before it reaches its destination.
● The source is not alerted to this.
● Typically applied to traffic that uses connectionless, unreliable protocols like UDP.
● Most effective as a way to mitigate DDoS.
● Send traffic to a null0 interface to silently drop it.
● Reduces overhead compared to other forms of traffic filtering.
● High potential for collateral damage: be very careful when filtering entire ranges.

Mobile Device Management

MDM Features
- Device enrollment/authentication.
- Remote lock/wipe.
- Locating devices through GPS.
- Pushing out software updates.
- Preventing root access.
- Constructing encrypted containers.
- Restricting features.

Example use cases:

- CSIRT can wipe a stolen or lost phone.
- CSIRT can locate a stolen or lost phone.
- CSIRT can push out patches to fix malware vulnerabilities.

Secure Erasure and Disposal

- Some malware may persist despite your mitigation efforts.
- A more drastic approach is sometimes needed.
- Sanitization is the secure erasure of data.
  - Data is unrecoverable.
  - Done through software or hardware.
  - Replaces data with random bits or all zeros.
  - Destructive to data, not to the physical drive.
  - You can reimage a sanitized drive to recover it.
- You can also destroy the storage medium.
  - Drive itself is unrecoverable.
  - Crush, shred, or otherwise destroy through force.
  - Degauss a magnetic storage drive.

Devices Used in Mitigation

Device: How it can be used to help mitigate incidents

Firewalls
- Perform rudimentary traffic filtering based on whitelists/blacklists.
- WAFs can filter unwanted traffic at higher network layers.

Routers and switches
- Routers used as black holes to combat DDoS.
- Also have basic firewall functionality.
- Switches can create subnets to use in system isolation.

Proxies
- Proxies can filter content for users connecting to outside the network.
- Reverse proxies can hide internal servers from external traffic.

Virtual machines
- Used in malware isolation and analysis.
- Can also be distributed to handle excessive traffic in event of DDoS.

Desktops
- Platform on which you’ll use security tools.
- Also a major source of incident intelligence.

Servers
- Provide load balancing and data backups during DDoS/data destruction.
- Can take on processing power of resource-intensive efforts.

Mobile Devices
- Portability may speed up mitigation efforts.
- Also enable more convenient communication.

The Importance of Updating Device Signatures

- Update devices that provide security to others.
- Anti-malware and IDSs use signatures to identify malicious behavior.
- Vendors update signatures daily; you need to keep these devices current.
- Participate in the cybersecurity community by sharing newly found signatures.

Additional Mitigation Tactics

- Use MAC (mandatory access control) to enforce explicit access to objects to prevent
further privilege exploitation.
- Use group policies to enforce access controls over a Windows domain.
- Implement NAC:
  - Time-based
  - Location-based
  - Rule-based
  - Role-based
- Establish a centralized log management system.

Guidelines for Mitigating Incidents

- Harden systems by disabling unnecessary components.
- Isolate affected hosts.
- Isolate affected apps on VMs.
- Control what traffic gets blocked or allowed with blacklist/whitelist.
- Use DNS filtering to prevent users from accessing malicious sites.
- Use black hole routing to drop malicious traffic.
- Use MDM to exercise control over mobile devices.
- Keep detection signatures for anti-malware and IDS up-to-date.
- Have a plan to implement compensating controls.

Chapter 10 (DONE-ERS)

Investigating Cybersecurity Incidents

· Apply a Forensic Investigation Plan

· Securely Collect and Analyze Electronic Evidence

· Follow Up on the Results of an Investigation

A Day in the Life of a Forensic Analyst

· Follow legal procedures for protecting evidence.

· Obtain evidence.

· Communicate and produce documentation.

· Support prosecution.

· Maintain technology and forensic skills.

Forensic Investigation Preparation

· Know your hardware.

· Know your operating systems.

· Know your software.

· Know your tools.

· Know your virtualized environments.

· Know your systems that must stay active during an investigation.

· Know applicable laws and regulations.

· Ensure there is a policy in place and you are following it.

Investigating Scope

· You may come across activity that is beyond the scope of your current investigation.

· Always consult with management to decide next steps.

· Taking on too large an investigation can impede your efforts.

· There may be other repercussions for failing to stay in scope.

Timeline Generation and Analysis

· Tie events to specific times for a consistent narrative.

· Can give you a holistic perspective of events.

· One way to record timelines is on a spreadsheet.

· Thousands or millions of events might necessitate a more specialized tool.
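Added example, not from the reviewer: building one UTC-ordered timeline from several sources, each with its own timestamp format, time zone and measured clock skew (the "time offset" recorded during analysis, see Forensic Analysis of Compromised Systems below). The sources, offsets and events are constructed, loosely following the Develetech scenario in these notes.

```python
from datetime import datetime, timedelta, timezone

# Constructed clock facts per evidence source, as recorded during collection:
# the timestamp format the source writes, the zone it writes in, and the
# measured offset of its clock from a trusted reference (positive = runs fast).
SOURCE_CLOCKS = {
    "firewall":    {"fmt": "%b %d %H:%M:%S %Y", "tz": timezone.utc,
                    "offset": timedelta(0)},
    "rd-server":   {"fmt": "%Y-%m-%dT%H:%M:%S", "tz": timezone.utc,
                    "offset": timedelta(0)},
    # Windows workstation logging local time (UTC-5) on a clock 7 minutes fast.
    "workstation": {"fmt": "%m/%d/%Y %I:%M:%S %p",
                    "tz": timezone(timedelta(hours=-5)),
                    "offset": timedelta(minutes=7)},
}

# Constructed events (not real logs) in the raw form each source writes them.
SAMPLE_EVENTS = [
    ("rd-server",   "2019-01-14T12:43:10",  "Remote logon to R&D server by linda"),
    ("workstation", "1/14/2019 7:50:02 AM", "Interactive logon by linda"),
    ("workstation", "1/14/2019 7:58:40 AM", "Removable drive inserted"),
    ("firewall",    "Jan 14 12:40:55 2019", "Blocked remote access attempt for charles"),
]


def normalize(source: str, raw_ts: str) -> datetime:
    """Parse a source's raw timestamp, attach its zone, and remove its clock skew."""
    clock = SOURCE_CLOCKS[source]
    local = datetime.strptime(raw_ts, clock["fmt"]).replace(tzinfo=clock["tz"])
    return (local - clock["offset"]).astimezone(timezone.utc)


def build_timeline(events) -> list:
    """Return the events as rows ordered by corrected UTC time."""
    rows = []
    for source, raw_ts, description in events:
        rows.append({"utc": normalize(source, raw_ts).isoformat(),
                     "source": source, "raw": raw_ts, "event": description})
    # All rows carry fixed-width ISO-8601 UTC strings, so string order is time order.
    rows.sort(key=lambda r: r["utc"])
    return rows


def to_csv(rows) -> str:
    """Render the timeline as CSV for the spreadsheet approach the notes mention."""
    import csv
    import io
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["utc", "source", "raw", "event"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # Without the skew correction the workstation logon (7:50 local) would
    # appear after the server logon it actually preceded.
    print(to_csv(build_timeline(SAMPLE_EVENTS)))
```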

Authentication of Evidence

· Evidence must be confirmed for its validity.

· Consider which types of evidence may or may not be authenticated.

· Some evidence isn’t admissible.

· Other evidence is hard to verify, like financial transactions.

· These circumstances may shape your investigation.

Chain of Custody

● Collect Evidence
● Analyze and Store
● Present in court

Communication and Interaction with Third Parties

· Some organizations are in the business of forensics.

· You must effectively collaborate with third parties.

· Share information in a timely, constant manner.

· Agree to a plan or schedule for communications.

· Law enforcement can lend their investigative expertise.

· They may not be as technical or have the same knowledge of your organization.
· Consider the risk of evidence being seized for long periods of time.

Forensic Toolkit (Software)

● TSK
● EnCase
● CAINE
● Helix3
● FTK
● Forensic Explorer
● SIFT
● DFF
● COFEE
● Elcomsoft Forensic Disk Decryptor
● WindowsSCOPE
● Volatility
● md5sum
● shasum
● HashMyFiles
● HashKeeper
● Foremost
● TestDisk
● log2timeline
● Wireshark

Forensic Toolkit (Physical)

· Digital forensics workstations
· Write blockers
· Crime tape and tamper-proof seals
· Mobile device forensics tools
· Cables and drive adapters
· Cameras
· Removable media

Guidelines for Preparing for a Forensic Investigation

· Develop a plan for who will handle each type of forensic task.

· Create and maintain forensic investigation guidelines and procedures.

· Make sure that systems are configured.

· The organization should develop its own capability to perform digital forensics.

Develetech Incident Summary, Part 1

· There were multiple attempts to remotely access Charles’ account from
67.240.182.117.

· Charles’ account was locked out.

· Charles claims he wasn’t trying to log in recently.

· Charles oversees an R&D server holding new product data.

· Linda accessed the same server at 7:43 A.M. from her internal workstation.

· Linda has been on vacation this week.

Develetech Incident Summary, Part 2

· An attacker attempted to use Charles’ account to connect remotely to the internal
research and development server. The attacker failed.

· Later, in the early morning before most people made it in to the office, the attacker
physically went to Linda’s desk, discovered her password written down in a drawer,
and used it to log in to her workstation and the remote server.

· While in the remote server, the attacker transferred a smart watch schematic to
Linda’s workstation, where he or she then copied the document to a removable drive.

· The attacker deleted the document from Linda’s workstation, ejected the removable
drive, and left.

· The organization’s data has been breached.

Develetech Incident Summary, Part 3

· Affected hosts (research and development server and Linda’s workstation) have
been disconnected from the network.

· A malware scan was run on both computers; nothing detected.

· Affected hosts will stay out of commission for now.

· A new machine with a backup of the research and development server is pushed to
the live environment.

· Charles’ account has been re-enabled.

· Linda’s account will stay disabled for now, and she will be provisioned a new,
temporary workstation.

· Linda is required to attend end user security training.

· The CSIRT writes an AAR, suggesting:

o Encrypt sensitive data on research and development and other servers.

o Mandate company-wide training for end users.

o Draft security policies, especially concerning password usage.

o Implement a DLP solution on the server, if feasible.

Order of Volatility

1. RAM

2. Network Cache

3. Hard Drive

4. DVD-ROM

File Systems

· File systems can reveal:

o Directory structure.

o File location.

o File size.

o File names

o Date and time values (last modified, last accessed, etc.)

o Miscellaneous attributes.

· System images or forensic tools can let you capture and view metadata.

· Be aware of the different file system types:

o FAT32 (older machines)

o NTFS (Windows)

o HFS+ (Mac OS)

o ext3/4 (Linux)

File Carving and Data Extraction

· File carving:

o Extracting data that has no associated file system metadata.

o Attempting to piece fragments together to reconstruct the file.

· Essential to evidence collection.

· Files deleted by a malicious user may remain on the target system.

· Data recovery software (e.g., TestDisk and Foremost) can recover deleted or
corrupted data from a disk partition.
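Added example (not from the reviewer, and not code from TestDisk or Foremost): signature-based carving of the kind Foremost performs, run over a constructed byte string standing in for a disk image, with every carved file hashed so the "take hashes" step can tie it back to the image it came from.

```python
import hashlib

# Header/footer signatures, the same approach carving tools such as Foremost use.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(image: bytes, max_size: int = 10_000_000) -> list:
    """Locate files in raw bytes by signature, ignoring any file system metadata.

    Each hit is returned with its offset, size, SHA-256 and contents. A footer
    farther than max_size from its header is treated as unrelated. Fragmented
    files (pieces that are not contiguous) are not reassembled here.
    """
    found = []
    for ext, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header))
            if end == -1:
                break                      # no footer anywhere after this header
            if end + len(footer) - pos > max_size:
                pos = image.find(header, pos + 1)
                continue
            data = image[pos:end + len(footer)]
            found.append({"ext": ext, "offset": pos, "size": len(data),
                          "sha256": hashlib.sha256(data).hexdigest(), "data": data})
            pos = image.find(header, end + len(footer))
    return sorted(found, key=lambda f: f["offset"])


def evidence_record(image: bytes) -> dict:
    """Hash the whole image before carving so carved output can be tied to it."""
    return {"image_sha256": hashlib.sha256(image).hexdigest(),
            "files": [{k: v for k, v in f.items() if k != "data"}
                      for f in carve(image)]}


def build_sample_image() -> bytes:
    """Construct a tiny stand-in disk image: filler, a PNG, then a JPEG that
    survives in unallocated space with no directory entry pointing at it."""
    png = SIGNATURES["png"][0] + b"\x00" * 16 + b"FAKEPNGPAYLOAD" + SIGNATURES["png"][1]
    jpg = SIGNATURES["jpg"][0] + b"\xe0" + b"FAKEJPEGPAYLOAD" + SIGNATURES["jpg"][1]
    filler = b"\x00" * 64
    return filler + png + filler + b"unallocated space" + jpg + filler


if __name__ == "__main__":
    for entry in evidence_record(build_sample_image())["files"]:
        print(entry)
```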

Data Preservation for Forensics

· Preserve all gathered evidence in a proper manner for a lengthy period of time.

· Replicate evidence across multiple storage media for redundancy.

· Be careful when selecting where to physically store this hardware.

· Create metadata that accurately defines characteristics about data.

· Secure data in evidence rooms using locks, guards, cameras, etc.

· Place evidence in lock boxes to further secure it.

· Place evidence in bags to label it and uphold chain of custody.

Forensic Analysis of Compromised Systems

· Capture system image.

· Examine network traffic and logs.

· Capture video.

· Record time offset

· Take hashes.

· Take screenshots.

· Identify witnesses.

· Track person hours and expenses.

Cyberlaw

· Governs the behavior of individuals and groups in the use of computers, the internet,
and other information technology domains.

· Varies from state-to-state and nation-to-nation.

· Extends legal protection to victims of computer-related crimes, while punishing the
perpetrators of these crimes.

Technical Experts and Law Enforcement Liaisons

· Communicate the who, why, and how to those who can take legal actions.

· Understand both the liabilities and the constraints of law enforcement.

· Know the threshold for interest in an investigation.

· Share pertinent evidence with authorities, not trivial information.

· Find out what agencies need from you.

· Communicate what you need from them.

Documentation of Investigation Results

· Who tasked you with the investigation?

· What were you tasked with?

· What did you investigate?

· What did you do?

· What did you find?

· What does it all mean?

Reflective Questions

1. From your experience, share a cybersecurity incident that warranted a forensic
investigation.

2. What evidence presentation techniques are most commonly implemented in your
organization?

Chapter 11 (DONE)

Addressing Security

● Remediate Identity and Access Management Issues
● Implement Security During the SDLC

IAM Tasks
● Assigning and changing user access.
● Resetting user passwords.
● Tracking user activities.
● Creating and de-provisioning IDs.
● Synchronizing multiple identities.
● Enforcing identity and access control policies.
● Designing and maintaining identity systems.
● Evaluating identity-based threats and vulnerabilities.
● Maintaining compliance with government regulations.

IAM Issues

● Personnel
○ Popular vector for attack - easy for users to be careless
○ Requires end user security training.
● Endpoints
○ Devices are difficult to identify outside the organization
○ Endpoint management can assign untrusted profiles to
unknown endpoints.
● Server
○ Servers need stronger authentication through digital
certificates.
○ Issuing CAs and private keys must be thoroughly
protected.
● Software
○ Determine which entities are allowed to run certain
apps
○ Services like AppLocker can enforce app identity and
permissions for client access
● Roles
○ Roles define identity based on an asset’s function
○ Roles must be meaningfully defined to avoid privilege
creep
Directory Services Issues
● Directory services assign attributes to objects for
identification
● LDAP is dominant directory service protocol
○ Active Directory, OpenLDAP, etc.
● LDAP susceptible to code injection
○ Attacker can dump or modify records
○ Based on malformed queries
○ Use input validation and query encoding to remediate.
● LDAP transmits in plaintext by default
○ Attacker can eavesdrop on directory info
○ LDAPS constructs an SSL/TLS tunnel for confidentiality
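Added example (not from the reviewer): the filter-building code a login lookup might use, in its vulnerable and remediated forms, with a small stand-in filter evaluator over a constructed directory so the effect of query encoding can be seen without a server. The escaping follows RFC 4515; the evaluator supports only &, | and attribute=value assertions.

```python
import re

# RFC 4515 escaping: each filter metacharacter becomes \ plus two hex digits.
LDAP_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_ldap_filter_value(value: str) -> str:
    """Encode a user-supplied value so it cannot alter the filter structure."""
    return "".join(LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter_unsafe(username: str) -> str:
    """Vulnerable form: raw concatenation lets metacharacters be interpreted."""
    return "(&(objectClass=person)(uid=" + username + "))"


def build_login_filter_safe(username: str) -> str:
    """Remediated form: the value is encoded before it enters the filter."""
    return "(&(objectClass=person)(uid=" + escape_ldap_filter_value(username) + "))"


# --- Minimal filter evaluator standing in for a directory server -------------

def _split_top_level(s: str) -> list:
    """Split concatenated "(...)" groups at nesting depth 0."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts


def _value_pattern(pattern: str):
    """Turn an assertion value into a regex: an unescaped '*' is a wildcard,
    while \\XX sequences decode to literal characters matched exactly."""
    chunks = []
    for chunk in pattern.split("*"):
        literal = re.sub(r"\\([0-9a-fA-F]{2})",
                         lambda m: chr(int(m.group(1), 16)), chunk)
        chunks.append(re.escape(literal))
    return re.compile("^" + ".*".join(chunks) + "$", re.IGNORECASE)


def matches(filt: str, entry: dict) -> bool:
    """Evaluate a filter restricted to &, | and attribute=value assertions."""
    body = filt[1:-1]                                   # strip outer parentheses
    if body[:1] in ("&", "|"):
        results = [matches(sub, entry) for sub in _split_top_level(body[1:])]
        return all(results) if body[0] == "&" else any(results)
    attr, _, pattern = body.partition("=")
    value = entry.get(attr)
    return value is not None and _value_pattern(pattern).match(value) is not None


def search(filt: str, directory: list) -> list:
    """Return the uids of every entry the filter selects."""
    return [e["uid"] for e in directory if matches(filt, e)]


# Constructed sample directory (not real data).
DIRECTORY = [
    {"objectClass": "person", "uid": "alice"},
    {"objectClass": "person", "uid": "bob"},
    {"objectClass": "device", "uid": "printer01"},
]

if __name__ == "__main__":
    # A wildcard as the "username" turns the unsafe filter into a dump of
    # every person record; the encoded form only matches a uid that is "*".
    print(search(build_login_filter_unsafe("*"), DIRECTORY))   # ['alice', 'bob']
    print(search(build_login_filter_safe("*"), DIRECTORY))     # []
```
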
RADIUS vs. TACACS+

Transport protocol: RADIUS uses UDP; TACACS+ uses TCP.
Encryption: RADIUS encrypts only passwords; TACACS+ encrypts all payload contents.
Authentication/authorization: RADIUS combines the functions; TACACS+ separates them.

Context-Based Authentication

● Time
○ Based on time of day or day of year
○ Can block users working off hours or in different regions
○ Supplement with other rules or schemes
● Location
○ Based on physical location
○ Can also be restrictive
○ GPS and IP are not always reliable indicators
● Frequency
○ Based on how often an object tries to access a
resource
○ Difficult to determine
○ Evaluate workflow before setting this rule
● Behavior
○ Based on how object acts
○ Complex and susceptible to false positives
○ Test rules and evaluate effectiveness
SSO and Identity Federation

SSO and Identity Federation Issues

● Provisioning and de-provisioning of accounts:
○ Automation can streamline the process
■ Users have immediate access to service after
authentication with identity provider.
■ Can create a single point of compromise.
○ Manual approach is an alternative
■ Accounts are created or deleted only through
human intervention
■ May cause service delays/interruption.
● Password resetting options:
○ Non-SSO systems allow users to self-service reset
passwords.
○ Service in an SSO may not be able to allow self-service
reset.
○ Example:
■ Your organization hosts a website.
■ A partner organization has an AD domain.
■ Partner employees log on to your site with their
domain credentials.
■ Partner employees can’t reset their password at
your site.
■ You have no control over the domain accounts.
■ Work with partnered services/identity providers to
inform users.
IAM Exploits

● Impersonation
○ Social engineering can net an attacker new or
modified credentials.
○ Mitigation: Train users to spot social engineering
● Man-in-the-middle
○ Attackers can eavesdrop on unsecured
transmissions
○ Mitigation: Employ end-to-end encrypted channels
● Privilege escalation
○ Buffer overflows can help attacker assume
privileges of running software
○ Mitigation: Run software with least privilege and
ASLR
● XSS and session hijacking
○ Malicious code injection can hijack user’s web
cookies
○ Mitigation: HTML input/output encoding and
validation
● Rootkits
○ Can bypass IAM at the kernel/firmware level
○ Mitigation: Harden systems with secure
boot/trusted computing
Guidelines for Remediating IAM Issues

● Ensure that all end users are properly trained.
● Use centralized IAM systems to manage endpoint
connections.
● Use digital certificates to establish identity and trust with
critical servers.
● Enforce software policies that examine levels of trust with
applications.
● Clearly define the roles used in a role-based access control
architecture.
● Validate code that interfaces with LDAP solutions.
● Consider using TACACS+ instead of RADIUS.
● Consider how contextual aspects like time can restrict
access control.
● Evaluate manual vs. automated provisioning of federated
accounts.
● Work with SSO providers to inform users about their
password reset options.
● Employ end-to-end encrypted channels.
● Employ least privilege and ASLR in running software.
● Validate and encode HTML input/output.
● Harden systems with Secure Boot and trusted computing.

Activity: Remediating IAM Issues

● Public relations employees must change their password at first
login.
● Their password must expire at some point.
● They must not be allowed to access their account on
weekends.
● They must only be in the Domain Users and Public Relations
groups.
● The Public Relations group must have read-only access to the
network share.

Employee: Computer name
Anthony Stevens: pr-desk-alpha
Luke Packard: pr-desk-beta
Irene Taylor: pr-desk-gamma
Catherine Ruiz: pr-desk-delta
Douglas Price: pr-desk-epsilon

● Disable/delete unused, unnecessary, or vulnerable accounts.

Microsoft SDL
Training
1. Core Security Training
Requirements
2. Establish security requirements
3. Create quality gates/bug bars
4. Perform security and privacy risk assessments
Design
5. Establish design requirements
6. Perform attack surface analysis / reduction
7. Use threat modeling
Implementation
8. Use approved tools
9. Deprecate unsafe functions
10. Perform static analysis
Verification
11. Perform dynamic analysis
12. Perform fuzz testing
13. Conduct attack surface review
Release
14. Create an incident response plan
15. Conduct final security review
16. Certify release and archive
Response
- Execute incident response plan
Security Requirements
- App must meet expected behavior baseline
- Several security requirements are common among all
projects
- Legal and regulatory requirements drive security efforts
- You may be required to handle PII a certain way for privacy
- How will security mechanisms affect the user experience?
- App must also align with risk management policies
- What are the password policy requirements the app needs to
enforce?
- How will you control access and permissions in your app?
- Compile requirements from stakeholders into a document
Security testing tools
- Uses different tools to validate app security
- Web app vulnerability scan:
- Looks for weaknesses to SQL injection and related
attacks
- Results could change app’s design
- Interception proxy:
- Crawls outbound traffic from an app
- Determine nature of HTTPS traffic
- Is traffic secure?
- Fuzzing
- Active testing of app
- Sends random data as input to cause a crash
- Demonstrates potential attack
- Static code analysis
- Don’t just test apps in execution
- Code analysis can reveal faulty logic and insecure
libraries
Development Tests
Manual peer review
- Reviewers analyze other people’s code, not their own
- Automated review should supplement, not replace, manual
review
Input validation
- App must handle all types of input gracefully
- Can identify weaknesses to irregular input like code injection
Stress testing
- Apps must perform under significant load
- May reveal ways for an attacker to launch DoS
User acceptance testing
- Apps must meet general needs of consumer
- Users must be satisfied with how private data is handled
Security regression testing
- Evaluates old code for issues when new changes are
implemented
- New code may break existing security mechanisms
Secure coding
- Secure coding saves the organization from avoidable
incidents
- Ensures that software is secure by design
- Best practices may differ based on source
- Ultimately about anticipating vulnerabilities and applying
recognized techniques
- Sources for best practices
- OWASP
- SANS
- CIS
OWASP
- Open web application security project
- Provides free access to web app security programming
resources
- Top 10 project lists most significant risks to web apps for a
calendar year
- Latest is 2013; planned to restart in 2017
- Secure coding cheat sheets go into depth for prevention
strategies
- Examples of topics covered
- User authentication
- Input validation
- Output encoding
- Error handling
- Cryptography
- Cookie handling
- Threat defense
- Secure coding practices quick reference guide is a checklist
for these topics:
- Checklist items are brief reminders of what to
incorporate
- Latest version (v2) from 2010, but still useful
SANS
- Cybersecurity training organization
- Offers curricula on many topics, including secure coding
- Secure software development curriculum:
- Level 1: secure coding for web apps, mobile apps,
DevOps
- Level 2: secure coding for languages like C++, Java,
.NET
- Level 3: app pen testing and lifecycle management
- Some courses map to GIAC certs
- Reading room
- Free whitepapers on most areas of security
- Secure coding whitepaper examples:
- Applying regression testing
- Preventing buffer overflows
- Preventing XSS attacks
- Conducting static code analysis
CIS
- Non-profit that provides cybersecurity resources to public
and private sectors
- Intends to foster trusted environments that interface with one
another
- Benchmarks:
- Best practices and design recommendations
- Target a variety of systems
- Provide metrics and assessment tools
- Can test application vulnerabilities on hardened
environments
- Some offered free of charge, rest require paid
membership
- Controls:
- Techniques to defend against attacks
- Short checklists of high-priority actions
- 20 total, each with no more than 10 action items
- One control focuses on secure application development
- Free for non-commercial use
Guidelines for implementing security during the SDLC
- Integrate security at every step of the process
- Clearly define all security requirements
- Consider how compliance has an effect on app design
- Consult with relevant stakeholders regarding requirements
- Put app through testing regimen
- Use passive testing tools to identify weak areas
- Use active tools to demonstrate attack vectors
- Employ static code analysis
- Test apps against user privacy expectations
- Stress test apps
- Regression test apps
- Employ input validation
- Perform manual peer reviews of code
- Consult sources like OWASP, SANS, and CIS for secure
coding best practices.
