Secure Software Development Lifecycle in the Mindsphere Environment
Andreas Reiter RC-AT DI FA DH-GRAZ SAS
siemens.com/industrialsecurity
Unrestricted © Siemens AG 2019
2019-09-19, Andreas Reiter / RC-AT DI FA DH-GRAZ
Factory Automation
Massive amounts of data are generated
Make use of this data
Mindsphere – IoT Operating System
[Figure: MindSphere sits between the Real World and the Virtual World; labels in the diagram: Data, Information, Actions]
Risks
Leaking company and production internals
If attackers can modify data, decisions based on that data will be wrong
Safety implications
Mindsphere Architecture
Mindsphere Applications
Real-time decision making
Predictive maintenance
Mindsphere Development
Microservice architecture
Development teams around the world
Independent service development
Agree on APIs and interfaces
Versioning
Mindsphere Development
At the beginning: Threat and Risk Analysis
Team starts engineering…
Each team has individual automated pipelines for…
Testing
Continuous integration
Continuous delivery
Process Overview
Secure Software Development Lifecycle
Costs / Effort (relative), by the phase in which an issue is handled:
Development: 1
Quality assurance/testing: 15
Production: 100
Process Overview
Continuous testing (and on regular schedules) involves…
Behavior driven security testing
Test driven security
Security team implements security tests
Development team implements security controls
Behavior Driven Security Testing
Behavior driven development approach for security testing
▪ Bridge gap between behavior and implementation
Scenario: All incoming connections are TLS secured
  Given All open endpoints of target service are known
  When TLS configuration of all open ports is checked
  Then only secure TLS cipher suites are used
Keywords control invocation: Given, When, Then, And,…
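The scenario above, implemented end to end as an added example (this is not code from the deck or from MindSphere): the three steps are plain Python step functions, a minimal Given/When/Then interpreter invokes them by keyword, and the "Then" step applies a cipher-suite policy (forward secrecy, AEAD, no legacy algorithms). A real project would register the same step functions with behave or pytest-bdd. The endpoint inventory and the cipher suites each port negotiated are constructed sample data standing in for the output of a TLS scanner; the hostnames are hypothetical.

```python
"""BDD security test for 'All incoming connections are TLS secured'."""
from dataclasses import dataclass, field

FEATURE = """
Scenario: All incoming connections are TLS secured
  Given All open endpoints of target service are known
  When TLS configuration of all open ports is checked
  Then only secure TLS cipher suites are used
"""

# Constructed scanner output: endpoint -> cipher suites it negotiated.
# None means the port accepted a connection but did not speak TLS at all.
CONSTRUCTED_SCAN = {
    "api.example.internal:443": ["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-GCM-SHA256"],
    "legacy.example.internal:8443": ["AES256-SHA", "ECDHE-RSA-AES256-GCM-SHA384", "DES-CBC3-SHA"],
    "metrics.example.internal:9100": None,
}

# Tokens that make an OpenSSL-style suite name unacceptable outright
# (NULL/export/RC4/3DES/MD5 and anonymous key exchange).
FORBIDDEN_TOKENS = ("NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH")


def suite_is_secure(name: str) -> bool:
    """Policy: forward secrecy + AEAD, no legacy algorithms.

    TLS 1.3 suites (TLS_...) always qualify. For TLS 1.2 names the key exchange
    must be ephemeral (ECDHE/DHE) and the record protection an AEAD (GCM or
    ChaCha20-Poly1305); CBC suites are rejected even when paired with ECDHE.
    """
    if name.startswith("TLS_"):
        return True
    if any(tok in name for tok in FORBIDDEN_TOKENS):
        return False
    forward_secret = name.startswith(("ECDHE-", "DHE-"))
    aead = "GCM" in name or "CHACHA20" in name
    return forward_secret and aead


@dataclass
class Context:
    """State handed from one step to the next."""
    scan: dict
    endpoints: dict = field(default_factory=dict)
    violations: dict = field(default_factory=dict)


STEPS: dict = {}  # step text -> implementing function


def step(text):
    def register(fn):
        STEPS[text] = fn
        return fn
    return register


@step("All open endpoints of target service are known")
def given_endpoints_known(ctx):
    ctx.endpoints = dict(ctx.scan)  # in practice: port scan plus service inventory


@step("TLS configuration of all open ports is checked")
def when_tls_config_checked(ctx):
    for endpoint, suites in ctx.endpoints.items():
        if suites is None:
            ctx.violations[endpoint] = ["no TLS offered"]
        else:
            bad = [s for s in suites if not suite_is_secure(s)]
            if bad:
                ctx.violations[endpoint] = bad


@step("only secure TLS cipher suites are used")
def then_only_secure_suites(ctx):
    # A BDD runner would fail the scenario here; the findings stay on ctx so
    # the caller can report every offending endpoint, not only the first one.
    return not ctx.violations


def run_scenario(feature: str, scan: dict) -> dict:
    """Interpret the Given/When/Then lines; return {endpoint: findings}."""
    ctx = Context(scan=scan)
    for raw in feature.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("Scenario"):
            continue
        keyword, _, text = line.partition(" ")
        if keyword not in ("Given", "When", "Then", "And", "But"):
            raise ValueError(f"unknown keyword in step: {line!r}")
        STEPS[text](ctx)
    return ctx.violations


if __name__ == "__main__":
    for endpoint, findings in run_scenario(FEATURE, CONSTRUCTED_SCAN).items():
        print(f"FAIL {endpoint}: {', '.join(findings)}")
```

Run against the constructed scan, the legacy port is flagged for its two non-AEAD suites and the metrics port for not offering TLS at all, while the API port passes; the step functions are the reusable "security control" the security team owns, and the development team only has to make its service satisfy them.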
Behavior Driven Security Testing
SAST: Static Application Security Testing
Input parsing issues
Injections
Buffer overflows
Behavior Driven Security Testing
Dependency checking
Find known vulnerabilities and other issues in third-party dependencies
Checked on a regular basis
OSS Index
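An added example of such a scheduled dependency check (not the deck's or MindSphere's own tooling): a pinned requirements file is turned into Package URLs (purls), the coordinate format the Sonatype OSS Index REST API accepts, and the returned component report is gated with a CVSS threshold and a reviewed allowlist so the job can break the build without drowning the team in false positives. The requirements text and the report are constructed sample data; the endpoint and the field names used ("coordinates", "vulnerabilities", "cvssScore") are taken from the public OSS Index v3 API as the author of this example understands it, and the request is built but not sent.

```python
"""Scheduled dependency check against OSS Index with a build-breaking policy."""
import json
import re
import urllib.request

OSS_INDEX_URL = "https://ossindex.sonatype.org/api/v3/component-report"  # assumed endpoint

# Constructed requirements.txt, as pip freeze would emit it.
CONSTRUCTED_REQUIREMENTS = """
# pinned by pip freeze
requests==2.19.1
urllib3==1.23
flask==1.0.2   # web framework
-e git+https://example.invalid/internal.git#egg=internal
"""

_PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s#]+)")


def requirements_to_purls(text: str) -> list:
    """Map 'name==version' lines to pkg:pypi/name@version; skip everything else."""
    purls = []
    for line in text.splitlines():
        m = _PIN.match(line)
        if m:
            name = m.group(1).lower().replace("_", "-")  # purl pypi names are normalised
            purls.append(f"pkg:pypi/{name}@{m.group(2)}")
    return purls


def build_request(purls: list) -> urllib.request.Request:
    """HTTP request for the component report (built, not sent, in this example)."""
    body = json.dumps({"coordinates": purls}).encode()
    return urllib.request.Request(
        OSS_INDEX_URL, data=body, method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json"},
    )


# Constructed report in the shape the API returns: one entry per coordinate.
CONSTRUCTED_REPORT = [
    {"coordinates": "pkg:pypi/requests@2.19.1", "vulnerabilities": []},
    {"coordinates": "pkg:pypi/urllib3@1.23",
     "vulnerabilities": [{"id": "example-1", "title": "constructed finding", "cvssScore": 7.5}]},
    {"coordinates": "pkg:pypi/flask@1.0.2",
     "vulnerabilities": [{"id": "example-2", "title": "constructed finding", "cvssScore": 5.3}]},
]


def evaluate_report(report: list, fail_at: float = 7.0, allowlist=frozenset()) -> dict:
    """Return {purl: [vulnerability ids]} that must block the build.

    A finding counts when its CVSS score reaches fail_at and its id is not on
    the reviewed allowlist, which is the accepted-risk / false-positive escape
    hatch every automated gate needs so teams keep trusting it.
    """
    blocking = {}
    for entry in report:
        ids = [v["id"] for v in entry.get("vulnerabilities", [])
               if v.get("cvssScore", 0) >= fail_at and v["id"] not in allowlist]
        if ids:
            blocking[entry["coordinates"]] = ids
    return blocking


if __name__ == "__main__":
    purls = requirements_to_purls(CONSTRUCTED_REQUIREMENTS)
    req = build_request(purls)  # in CI: urllib.request.urlopen(req) and json.load the body
    print("would query", req.full_url, "for", purls)
    failures = evaluate_report(CONSTRUCTED_REPORT)
    for purl, ids in failures.items():
        print(f"BLOCK {purl}: {', '.join(ids)}")
    raise SystemExit(1 if failures else 0)
```

Because the gate is driven by a threshold and an allowlist rather than a hard "any finding fails", the same job can run nightly against every team's lock file and still let a team ship after it has reviewed and documented an accepted finding.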
Behavior Driven Security Testing
DAST: Dynamic Application Security Testing
Runtime and environment related issues
Authentication and authorization issues
Staging environments should closely match production
Behavior Driven Security Testing
Container Security
Infrastructure Security/Compliance
Back to the Process Overview ….
DevOps to DevSecOps Success Factors
Automation
Still provide efficient handling of false positives
Maintain the independence of the teams
Provide immediate feedback
Integrate in the teams’ development lifecycles
What’s Next?
Decouple automated security testing from CI/CD pipelines
Security Testing-as-a-Service
Local and hosted automated security testing on demand
Collect issues on a team’s dashboard
Dev[Sec]Ops Pitfalls
#1 DevSecOps: Don’t skip design and architecture
Dev[Sec]Ops Pitfalls
#2 Security is part of the product
Dev[Sec]Ops Pitfalls
#3 Software lifecycle does not end after release
Dev[Sec]Ops Pitfalls
#4 Automation is not a replacement for audits or pen-testing
Contacts
Andreas Reiter
RC-AT DI FA DH-GRAZ SAS
E-mail:
siemens.com/digital-factory