NEW ERA OF SOFTWARE WITH MODERN APPLICATION SECURITY
VERSION 0.6 (27/FEB/2016)
OWASP LONDON CHAPTER
@DINISCRUZ

@DINISCRUZ
• Developer for 25 years
• AppSec for 13 years
• Leader of the OWASP O2 Platform project
• Head of Application Security at The Hut Group
• Application Security Training for JBI Training
• http://blog.diniscruz.com/
• https://www.linkedin.com/in/diniscruz
QUALITY
Software Craftsmanship is about Software Quality
A big problem with the Craftsmanship (and testing) community is:
‘How to define Quality?’
Everybody knows that Quality is key … but … ‘How to measure Quality?’
My thesis is that Application Security can be used to define and measure Quality
Application Security is all about the non-functional requirements of software*
* software = apps, websites, web services, APIs, tools, build scripts = code
Application Security is all about understanding HOW the software works (vs. how the software behaves)
Using Application Security I can measure the quality of software
Because Application Security measures the unintended side effects of coding
WRITING SECURE CODE MYTH
“If only software developers had security knowledge they would be able to write secure code”
This is a myth because secure code has very little to do with developers’ skills and craftsmanship
Software security (or insecurity) is a consequence of the software development environment (namely the business and managers’ focus)
And I know that this is a myth because I cannot write ‘secure code’ when I’m programming
THE POLLUTION ANALOGY
TECHNICAL DEBT IS A BAD ANALOGY
• The developers are the ones who pay the debt
• Pollution is a much better analogy
• The key is to make the business accept the risk (i.e. the debt)
LET’S HACK (A LITTLE BIT)
http://manifesto.softwarecraftsmanship.org/
Demo
CURRENT STATE OF APPLICATION INSECURITY
How secure is your code?
How insecure is your code?
How many risks/vulnerabilities are you aware of?
JIRA RISK WORKFLOW
http://blog.diniscruz.com/2015/12/jira-workflows-for-handing-appsec-risks.html
KEY CONCEPTS OF THIS WORKFLOW
• All tests should pass all the time
• Tests that check/confirm a known vulnerability is present should also pass (they only stop passing once the vulnerability is fixed)
• The key to making this work is to make business owners understand the risks of their decisions (and click on the ‘accept risk’ button)
You have to make sure that it is your boss that gets fired
… he/she should make sure that it is his/her boss that gets fired …
… all the way to the CTO (i.e. board-level responsibility)
SENIOR MANAGEMENT OVERSIGHT
• ‘Security Memo’ (from God)
• Incident response plans
• Emergency response exercises (can you detect them?)
• Cyber Insurance
• Enterprise Cyber Risk management
• Which C-level executive will get fired?
DOES YOUR COMPANY/TEAM HAVE:
• AppSec team/person
• Security Champion
• Secure coding standards
• Threat Models
• OWASP contributors
• Secure code reviews
If your answer was not YES to all of them... then your application WILL have a high number of security vulnerabilities
WHY DO APPLICATION SECURITY?
Because you care about:
• your users
• good engineering
• your application
• your company
You have been lucky so far due to a lack of commercially focused attackers
This has been a Blessing and a Curse
You are making a hedged bet
Your hedged bet is that the security of your code vs the skill and motivation of attackers will not change in the next 2 years
Most of you are creating the perfect storm ….
User personalisation + Digital Payments + APIs
A large % of your apps’ users will have malware on their box
You are as secure as your most inexperienced developer
WHO IS ATTACKING YOU
IF THE ATTACKER TELLS YOU ABOUT THE ATTACK, YOU SHOULD THANK THEM
The dangerous ones are the commercially focused criminals
It’s all about the money … to hack you …
Buy botnet for $110
How much it costs to be an ‘internal user’
100% anti-virus non-detection guarantee
But the credit cards were protected
RUSSIAN HACKERS MOVED RUBLE RATE WITH MALWARE
http://www.bloomberg.com/news/articles/2016-02-08/russian-hackers-moved-currency-rate-with-malware-group-ib-says
IT IS IN THE BILLIONS
• The real criminals are running highly professional companies, with high-quality software development, testing, QA, A/B testing, etc…
NEW GENERATION OF APPLICATION SECURITY THINKING
• TDD
• Docker
• Test Automation
• Static Analysis
• clever Fuzzing
• JIRA Risk workflows
• Kanban
• micro web services visualisation, and
• ELK
WE HAVE SOLUTIONS
OWASP!!!!
TIPS FOR BUILDING A MODERN SECURITY ENGINEERING ORGANIZATION
• https://georgianpartners.com/tips-for-building-a-modern-security-engineering-organization
HOW TO BUILD A SECURE WEB APPLICATION
• http://blog.knoldus.com/2016/02/03/how-to-build-secure-web-application/
REAL WORLD MUTATION TESTING
• http://pitest.org/
SECURITY DEVELOPMENT LIFECYCLE
• https://www.microsoft.com/en-us/sdl/process/design.aspx
SPOTIFY ENGINEERING CULTURE - PART 1
• https://labs.spotify.com/2014/03/27/spotify-engineering-culture-part-1/
• https://spotifylabscom.files.wordpress.com/2014/03/spotify-engineering-culture-part1.jpeg
SPOTIFY ENGINEERING CULTURE - PART 2
• https://labs.spotify.com/2014/09/20/spotify-engineering-culture-part-2/
• https://spotifylabscom.files.wordpress.com/2014/09/spotify-engineering-culture-part2.jpeg
FINAL THOUGHTS
UNWRITTEN RULES OF APIS
“Every API is destined to be connected to the internet”
“All API data wants to be exposed in a Web Page”
“Would you fly in a plane that has the code quality of your APIs?”
Thanks, any questions?
