SlideShare a Scribd company logo

Security as a New Metric for Your Business, Product and Development Lifecycle (Nazar Tymoshyk Technology Stream)

Download as PPTX, PDF
IT Arena
IT Arena

Lviv IT Arena is a conference specially designed for programmers, designers, developers, top managers, inverstors, entrepreneur and startuppers. Annually it takes place on 2-4 of October in Lviv at the Arena Lviv stadium. In 2015 conference gathered more than 1400 participants and over 100 speakers from companies like Facebook. FitBit, Mail.ru, HP, Epson and IBM. More details about conference at itarene.lviv.ua.

Technology
1 of 68
Security as a New Metric for Your Business, Product and Development Lifecycle by Nazar Tymoshyk, SoftServe, Ph.D., CEH
OWASP Chapter Lviv запрошує на останню зустріч групи OWASP Ukraine цього року. Проведіть чудові 2 дні у Львові з найкращими Security спеціалістами України. Реєстрація у: https://goo.gl/5hdvPH http://owasp-lviv.blogspot.com/ Тематика: • Безпека Веб і Мобільних аплікацій • Взлом REST і JavaScript базованих аплікацій • Розслідування взломів • Reverse-Engineering • Розвод, кідалово і маніпуляція свідомістю юзерів • Хмарна і безхмарна безпека • Фізичний взлом + Escape Quest 14 листопада 2015, субота, Львів, вул. Садова 2А Львівка кава, кавярні і пиво, круте товариство, нові знайомства, воркшопи, знання на халяву – все це чекає на вас у нашому затишному місті! OWASP Ukraine 2015 Security meetup у Львові
Physical Hacking Escape quest OWASP Ukraine 2015 Lviv meetup, November 14, 2015 Elite HACKERS Industry Experts The most interesting Security event of Ukraine Hands on Labs Collaboration Competition Powered by
Security as a metric Total served: 24 Completed: 10 Internal: 3 Lost: 14 Win rate: 67% H1 2014 Total served: 26 Completed: 12 Internal: 3 Lost: 14 Win rate: 46% H1 2015 Updated business model allow us to generate more revenue from same amount of opportunities
Agenda Business Products Your imaginary Questions Developers
BUSINESS
A rough year in 2012
A more challenging year - 2013 • Akamai reports that 2013 attack traffic is averaging over 86% above normal. • This report shows April 30 attack traffic is 117.53% higher than the 42% increase seen in 2012
http://www.informationisbeautiful.net/visualizations/wor
WHY your clients NEED Security Industry Compliance Government Regulation Business availability Capitalization Statistic of Breaches Customer requirement Previous bad experience
Consequences of Security FAILURE Trust Money Data stolen Time to recover Penalties for incident Customers Reputation
Super user Subscriptions Your very sad client Penalty tool We were hacked because of YOU!
If your Cloud server is hacked….
PRODUCT
Simple ROI of Product security
Connected Cars are part of smart houses smart TVs smart watches smart phones smart cars smart fridges ????
Typical Security Report delivered by competitor
How security is linked to development Than start process of re-Coding, re-Building, re-Testing, re-Auditing 3rd party or internal audit Tone of security defects BACK to re-Coding, re-Building, re-Testing, re-Auditing
Design Build Test Production GENERIC APPROACH FOR SECURITY security requirements / risk and threat analysis coding guidelines /code reviews/ static analysis security testing / dynamic analysis vulnerability scanning / WAF Reactive ApproachProactive Approach Secure SDLC
How it should look like With proper Security Program number of security defects should decrease from phase to phase Automated security Tests CI integrated Manual Security/penetration Testing OWASP methodology Secure Coding trainings Regular Vulnerability Scans Minimize the costs of the Security related issues Avoid repetitive security issues Avoid inconsistent level of the security Determine activities that pay back faster during current state of the project
Remember I'm offering you the truth. Nothing More. To do Security or not to Do
QA Engineer Security expert In functional and performance testing, the expected results are documented before the test begins, and the quality assurance team looks at how well the expected results match the actual results In security testing, security analysts team is concerned only with unexpected results and testing for the unknown and looking for weaknesses. They are EXPERTS. VS.
Our app code need to be verified for Security PM and SoftServe Demonstrate excellence Competitiveadvantage Reporting for 2 security experts Report with findings Fix it! Non compliant?Good boys! Security Center of Excellence Request App verification PM • Explain security defect and severity • Fix identified security defects • Train developers and QA • Transfer checklists and guides GreatAchievement Scenario 1. PM worried about security on project. Code micro-assessment. Re-check Monitor Next page How to present to client and earn more $$$ ? • Scan sources with Tools • Filtering False Positive • Compile report • Review architecture • Dynamic test • Rate risks Delivery Director/PM
Oh Rashid, Who wrote it? We have found some security issues with your legacy code Indian team. Our security experts can perform comprehensive Security Assessment And then our dev team will fix identified defects as it put other projects under risk Ok, do it. How much should it cost? Only $XX.XXX for Security AssessmentDeal! Do it ASAP. 1 2 34
Report sample
DEVELOPMENT
Risks are for managers, not developers
PEOPLE always bypass restriction if possible Keep in mind this when you design security
• Focus on functional requirements • Know about: – OWASP Top 10 – 1 threat (DEADLINE fail) • Implement Requirements as they can • Testing it’s for QA job «I know when I’m writing code I’m not thinking about evil, I’m just trying to think about functionality» (с) Scott Hanselman Developer & Security
Why code analysis do not resolve a problem? Many of the CWE vulnerability types, are design issues, or business logic issues. Application security testing tools are being sold as a solution to the problem of insecure software.
Mobile banking app from Pakistan
What is wrong?
Recommended error messages by OWASP Incorrect Response Examples "Login for User foo: invalid password" "Login failed, invalid user ID" "Login failed; account disabled" "Login failed; this user is not active" Correct Response Example "Login failed; Invalid userID or password" https://www.owasp.org/index.php/Authentication_Cheat_Sheet
What is wrong on next stage of Login process?
Critical Business Logic bypass There was possibility to get personal info (promo code, email, password etc.) of subscription which is not related to currently logged User using
Critical Business Logic bypass There was possibility to make changes to personal info of subscription (email, password, name e.g.) using User.updateSubscription method even in case appropriate user is not logged in
Critical Business Logic bypass • There is possibility to convert any standalone subscriptions to managed no matter whether appropriate user is logged in or not using User.setSubscriptionToManaged function (you can make any user to pay for paid features of your subscriptions)
Critical Business Logic bypass There was possibility to delete subscriptions/credit card which are not related to currently logged user using User.deleteSubscription/deleteCredit Card function
Browser exploitation framework
Social Engineering
SQL-Injections to win a Trip Dumped admin password hashes
Simple SOAP request fuzzing allow collecting information about existent system users, their emails, VIN, Last access time, user ID and other confidential, user/car related information Broken Session management
Why so simple?
Story about Hybrid Mobile Development in India
Reversing Java/iOS application this app feature Reversing Java / iOS application this app feature
WEAK Cryptography v Was cleaned up by Vendor Team
REMOVED CODE APPEARS AGAIN IN APPSTORE APP v Appear Again in App from AppStore
HARDCODED CREDENTIALS v v v Severity: Critical (C )/P1 Business impact: Medium (M)/P3
BACKEND SECURITY v v Severity: Critical (C )/P1 Business impact: Critical (C )/P1
WEAK PASSWORDS Severity: Critical (C )/P1 Business impact: Critical (C )/P1
DEVELOPER TEAM FACEPALM v
ENCRYPTION PASSWORD AFTER APPSTORE RELEASE vv v v v v
SENSITIVE FILE ARTIFACTS v Severity: Low (L)/P4. Business impact: No business impact v v
All Apps are considered safe until proven guilty by a security review Financial Institution
SENSITIVE CLIENT INFORMATION AS A CONSEQUENCE – CUSTOMERS TRUST COULD BE LOST.
Customers database dump
defaults and sample files
Forgotten Files on server
Upload Java shell and take server under control
Are your product Popular? You are Next Target
How to PROTECT? Security Frameworks Right Security Requirements Penetration Testing Code Scan and Review Security Trainings Threat Modelling Dedicated Security Expert OWASP.org
Add Security into your PROCESS
Security
THANK YOU 67 Contact me: skype: root_nt email: root.nt@gmail.com Join OWASP: http://owasp-lviv.blogspot.com/ FEEDBACK & QUESTIONS
Home Work

Recommended

Security as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development LifecycleSecurity as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development LifecycleNazar Tymoshyk, CEH, Ph.D.
 
Agile and Secure Development
Agile and Secure DevelopmentAgile and Secure Development
Agile and Secure DevelopmentNazar Tymoshyk, CEH, Ph.D.
 
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...Kevin Fealey
 
OWASP Top 10 practice workshop by Stanislav Breslavskyi
OWASP Top 10 practice workshop by Stanislav BreslavskyiOWASP Top 10 practice workshop by Stanislav Breslavskyi
OWASP Top 10 practice workshop by Stanislav BreslavskyiNazar Tymoshyk, CEH, Ph.D.
 
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...Denim Group
 
Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...Kevin Fealey
 
OWASP Knoxville Inaugural Chapter Meeting
OWASP Knoxville Inaugural Chapter MeetingOWASP Knoxville Inaugural Chapter Meeting
OWASP Knoxville Inaugural Chapter MeetingPhil Agcaoili
 
Good Security Starts with Software Assurance - Software Assurance Market Plac...
Good Security Starts with Software Assurance - Software Assurance Market Plac...Good Security Starts with Software Assurance - Software Assurance Market Plac...
Good Security Starts with Software Assurance - Software Assurance Market Plac...Phil Agcaoili
 

Recommended

Security as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development LifecycleSecurity as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development LifecycleNazar Tymoshyk, CEH, Ph.D.
 
Agile and Secure Development
Agile and Secure DevelopmentAgile and Secure Development
Agile and Secure DevelopmentNazar Tymoshyk, CEH, Ph.D.
 
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...Kevin Fealey
 
OWASP Top 10 practice workshop by Stanislav Breslavskyi
OWASP Top 10 practice workshop by Stanislav BreslavskyiOWASP Top 10 practice workshop by Stanislav Breslavskyi
OWASP Top 10 practice workshop by Stanislav BreslavskyiNazar Tymoshyk, CEH, Ph.D.
 
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...Denim Group
 
Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...Kevin Fealey
 
OWASP Knoxville Inaugural Chapter Meeting
OWASP Knoxville Inaugural Chapter MeetingOWASP Knoxville Inaugural Chapter Meeting
OWASP Knoxville Inaugural Chapter MeetingPhil Agcaoili
 
Good Security Starts with Software Assurance - Software Assurance Market Plac...
Good Security Starts with Software Assurance - Software Assurance Market Plac...Good Security Starts with Software Assurance - Software Assurance Market Plac...
Good Security Starts with Software Assurance - Software Assurance Market Plac...Phil Agcaoili
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security AgileOleg Gryb
 
Security Code Review: Magic or Art?
Security Code Review: Magic or Art?Security Code Review: Magic or Art?
Security Code Review: Magic or Art?Sherif Koussa
 
Zen and the art of Security Testing
Zen and the art of Security TestingZen and the art of Security Testing
Zen and the art of Security TestingTEST Huddle
 
Lessons from a recovering runtime application self protection addict
Lessons from a recovering runtime application self protection addictLessons from a recovering runtime application self protection addict
Lessons from a recovering runtime application self protection addictPriyanka Aash
 
Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security Jeff Williams
 
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Denim Group
 
Application Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleApplication Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleJeff Williams
 
HP WebInspect
HP WebInspectHP WebInspect
HP WebInspectrohit_ta
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouKevin Fealey
 
IBM AppScan - the total software security solution
IBM AppScan - the total software security solutionIBM AppScan - the total software security solution
IBM AppScan - the total software security solutionhearme limited company
 
AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileOleg Gryb
 
IBM Rational AppScan Product Overview
IBM Rational AppScan Product OverviewIBM Rational AppScan Product Overview
IBM Rational AppScan Product OverviewAshish Patel
 
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?Denim Group
 
2017-11 Three Ways of Security - OWASP London
2017-11 Three Ways of Security - OWASP London2017-11 Three Ways of Security - OWASP London
2017-11 Three Ways of Security - OWASP LondonJeff Williams
 
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Denim Group
 
IBM AppScan Source - The SAST solution
IBM AppScan Source - The SAST solutionIBM AppScan Source - The SAST solution
IBM AppScan Source - The SAST solutionhearme limited company
 
Fortify On Demand and ShadowLabs
Fortify On Demand and ShadowLabsFortify On Demand and ShadowLabs
Fortify On Demand and ShadowLabsjasonhaddix
 
Blending Automated and Manual Testing
Blending Automated and Manual TestingBlending Automated and Manual Testing
Blending Automated and Manual TestingDenim Group
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?Cigital
 
IBM AppScan Enterprise - The total software security solution
IBM AppScan Enterprise - The total software security solutionIBM AppScan Enterprise - The total software security solution
IBM AppScan Enterprise - The total software security solutionhearme limited company
 
Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended CutMike Spaulding
 
Mike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security ProgramMike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security Programcentralohioissa
 

More Related Content

What's hot

Making Security Agile
Making Security AgileMaking Security Agile
Making Security AgileOleg Gryb
 
Security Code Review: Magic or Art?
Security Code Review: Magic or Art?Security Code Review: Magic or Art?
Security Code Review: Magic or Art?Sherif Koussa
 
Zen and the art of Security Testing
Zen and the art of Security TestingZen and the art of Security Testing
Zen and the art of Security TestingTEST Huddle
 
Lessons from a recovering runtime application self protection addict
Lessons from a recovering runtime application self protection addictLessons from a recovering runtime application self protection addict
Lessons from a recovering runtime application self protection addictPriyanka Aash
 
Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security Jeff Williams
 
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Denim Group
 
Application Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleApplication Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleJeff Williams
 
HP WebInspect
HP WebInspectHP WebInspect
HP WebInspectrohit_ta
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouKevin Fealey
 
IBM AppScan - the total software security solution
IBM AppScan - the total software security solutionIBM AppScan - the total software security solution
IBM AppScan - the total software security solutionhearme limited company
 
AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileOleg Gryb
 
IBM Rational AppScan Product Overview
IBM Rational AppScan Product OverviewIBM Rational AppScan Product Overview
IBM Rational AppScan Product OverviewAshish Patel
 
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?Denim Group
 
2017-11 Three Ways of Security - OWASP London
2017-11 Three Ways of Security - OWASP London2017-11 Three Ways of Security - OWASP London
2017-11 Three Ways of Security - OWASP LondonJeff Williams
 
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Denim Group
 
IBM AppScan Source - The SAST solution
IBM AppScan Source - The SAST solutionIBM AppScan Source - The SAST solution
IBM AppScan Source - The SAST solutionhearme limited company
 
Fortify On Demand and ShadowLabs
Fortify On Demand and ShadowLabsFortify On Demand and ShadowLabs
Fortify On Demand and ShadowLabsjasonhaddix
 
Blending Automated and Manual Testing
Blending Automated and Manual TestingBlending Automated and Manual Testing
Blending Automated and Manual TestingDenim Group
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?Cigital
 
IBM AppScan Enterprise - The total software security solution
IBM AppScan Enterprise - The total software security solutionIBM AppScan Enterprise - The total software security solution
IBM AppScan Enterprise - The total software security solutionhearme limited company
 

What's hot (20)

Making Security Agile
Making Security AgileMaking Security Agile
Making Security Agile
 
Security Code Review: Magic or Art?
Security Code Review: Magic or Art?Security Code Review: Magic or Art?
Security Code Review: Magic or Art?
 
Zen and the art of Security Testing
Zen and the art of Security TestingZen and the art of Security Testing
Zen and the art of Security Testing
 
Lessons from a recovering runtime application self protection addict
Lessons from a recovering runtime application self protection addictLessons from a recovering runtime application self protection addict
Lessons from a recovering runtime application self protection addict
 
Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security
 
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
 
Application Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleApplication Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio Scale
 
HP WebInspect
HP WebInspectHP WebInspect
HP WebInspect
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and You
 
IBM AppScan - the total software security solution
IBM AppScan - the total software security solutionIBM AppScan - the total software security solution
IBM AppScan - the total software security solution
 
AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security Agile
 
IBM Rational AppScan Product Overview
IBM Rational AppScan Product OverviewIBM Rational AppScan Product Overview
IBM Rational AppScan Product Overview
 
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
 
2017-11 Three Ways of Security - OWASP London
2017-11 Three Ways of Security - OWASP London2017-11 Three Ways of Security - OWASP London
2017-11 Three Ways of Security - OWASP London
 
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
 
IBM AppScan Source - The SAST solution
IBM AppScan Source - The SAST solutionIBM AppScan Source - The SAST solution
IBM AppScan Source - The SAST solution
 
Fortify On Demand and ShadowLabs
Fortify On Demand and ShadowLabsFortify On Demand and ShadowLabs
Fortify On Demand and ShadowLabs
 
Blending Automated and Manual Testing
Blending Automated and Manual TestingBlending Automated and Manual Testing
Blending Automated and Manual Testing
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?
 
IBM AppScan Enterprise - The total software security solution
IBM AppScan Enterprise - The total software security solutionIBM AppScan Enterprise - The total software security solution
IBM AppScan Enterprise - The total software security solution
 

Similar to Security as a New Metric for Your Business, Product and Development Lifecycle (Nazar Tymoshyk Technology Stream)

Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended CutMike Spaulding
 
Mike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security ProgramMike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security Programcentralohioissa
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Mykhailo Antonishyn
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityAnne Oikarinen
 
HouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchHouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchSpencer Koch
 
Appsec Agility: A Brief Tour
Appsec Agility: A Brief TourAppsec Agility: A Brief Tour
Appsec Agility: A Brief TourRobert Keefer
 
Agile Relevance in the age of Continuous Everything ....
Agile Relevance in the age of Continuous Everything ....Agile Relevance in the age of Continuous Everything ....
Agile Relevance in the age of Continuous Everything ....Eturnti Consulting Pvt Ltd
 
Why 'positive security' is a software security game changer
Why 'positive security' is a software security game changerWhy 'positive security' is a software security game changer
Why 'positive security' is a software security game changerJaap Karan Singh
 
OWASP - Building Secure Web Applications
OWASP - Building Secure Web ApplicationsOWASP - Building Secure Web Applications
OWASP - Building Secure Web Applicationsalexbe
 
Dpc14 security as part of Quality Assurance
Dpc14 security as part of Quality AssuranceDpc14 security as part of Quality Assurance
Dpc14 security as part of Quality AssuranceBoy Baukema
 
Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approachAntonio Parata
 
Security engineering 101 when good design & security work together
Security engineering 101 when good design & security work togetherSecurity engineering 101 when good design & security work together
Security engineering 101 when good design & security work togetherWendy Knox Everette
 
Vulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCVulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCDenim Group
 
Demand for Penetration Testing Services.docx
Demand for Penetration Testing Services.docxDemand for Penetration Testing Services.docx
Demand for Penetration Testing Services.docxAardwolf Security
 
Security Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSecurity Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSoftServe
 
AWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSAWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSEric Smalling
 
Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Sigma Software
 
The Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's ToolboxThe Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's ToolboxCheckmarx
 

Similar to Security as a New Metric for Your Business, Product and Development Lifecycle (Nazar Tymoshyk Technology Stream) (20)

Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended Cut
 
Mike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security ProgramMike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security Program
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software Security
 
HouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchHouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from Scratch
 
Appsec Agility: A Brief Tour
Appsec Agility: A Brief TourAppsec Agility: A Brief Tour
Appsec Agility: A Brief Tour
 
Agile and Secure SDLC
Agile and Secure SDLCAgile and Secure SDLC
Agile and Secure SDLC
 
Agile Relevance in the age of Continuous Everything ....
Agile Relevance in the age of Continuous Everything ....Agile Relevance in the age of Continuous Everything ....
Agile Relevance in the age of Continuous Everything ....
 
Why 'positive security' is a software security game changer
Why 'positive security' is a software security game changerWhy 'positive security' is a software security game changer
Why 'positive security' is a software security game changer
 
OWASP - Building Secure Web Applications
OWASP - Building Secure Web ApplicationsOWASP - Building Secure Web Applications
OWASP - Building Secure Web Applications
 
Dpc14 security as part of Quality Assurance
Dpc14 security as part of Quality AssuranceDpc14 security as part of Quality Assurance
Dpc14 security as part of Quality Assurance
 
Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approach
 
Web Application Security Strategy
Web Application Security Strategy Web Application Security Strategy
Web Application Security Strategy
 
Security engineering 101 when good design & security work together
Security engineering 101 when good design & security work togetherSecurity engineering 101 when good design & security work together
Security engineering 101 when good design & security work together
 
Vulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCVulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDC
 
Demand for Penetration Testing Services.docx
Demand for Penetration Testing Services.docxDemand for Penetration Testing Services.docx
Demand for Penetration Testing Services.docx
 
Security Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSecurity Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar Tymoshyk
 
AWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSAWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWS
 
Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"
 
The Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's ToolboxThe Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's Toolbox
 

More from IT Arena

Shalini Agarwal, LinkedIn. Engineering excellence: marathon, not a sprint
Shalini Agarwal, LinkedIn. Engineering excellence: marathon, not a sprintShalini Agarwal, LinkedIn. Engineering excellence: marathon, not a sprint
Shalini Agarwal, LinkedIn. Engineering excellence: marathon, not a sprintIT Arena
 
Dave Karow, Split. Powering Progressive Delivery With Data
Dave Karow, Split. Powering Progressive Delivery With DataDave Karow, Split. Powering Progressive Delivery With Data
Dave Karow, Split. Powering Progressive Delivery With DataIT Arena
 
Ihar Mahaniok, Angel Investor. Hunting unicorns for early stage investments
Ihar Mahaniok, Angel Investor. Hunting unicorns for early stage investmentsIhar Mahaniok, Angel Investor. Hunting unicorns for early stage investments
Ihar Mahaniok, Angel Investor. Hunting unicorns for early stage investmentsIT Arena
 
Yuriy Zaremba, AXDRAFT. How to sell your startup
Yuriy Zaremba, AXDRAFT. How to sell your startupYuriy Zaremba, AXDRAFT. How to sell your startup
Yuriy Zaremba, AXDRAFT. How to sell your startupIT Arena
 
John Griffin, Ford Credit Europe. Normalising failure and making way for succ...
John Griffin, Ford Credit Europe. Normalising failure and making way for succ...John Griffin, Ford Credit Europe. Normalising failure and making way for succ...
John Griffin, Ford Credit Europe. Normalising failure and making way for succ...IT Arena
 
Vitaliy Diatlenko, Uklon. Transforming your business with machine learning. T...
Vitaliy Diatlenko, Uklon. Transforming your business with machine learning. T...Vitaliy Diatlenko, Uklon. Transforming your business with machine learning. T...
Vitaliy Diatlenko, Uklon. Transforming your business with machine learning. T...IT Arena
 
Chris Cassarino, SoftServe. Stop Fixating on Fixing – Solving the global enga...
Chris Cassarino, SoftServe. Stop Fixating on Fixing – Solving the global enga...Chris Cassarino, SoftServe. Stop Fixating on Fixing – Solving the global enga...
Chris Cassarino, SoftServe. Stop Fixating on Fixing – Solving the global enga...IT Arena
 
Michael Labate, Intellias. EDI in the DNA: Why Equity, Diversity and Inclusio...
Michael Labate, Intellias. EDI in the DNA: Why Equity, Diversity and Inclusio...Michael Labate, Intellias. EDI in the DNA: Why Equity, Diversity and Inclusio...
Michael Labate, Intellias. EDI in the DNA: Why Equity, Diversity and Inclusio...IT Arena
 
Beth Anne Katz, Microsoft. How to Product Manage Your Mental Health
Beth Anne Katz, Microsoft. How to Product Manage Your Mental HealthBeth Anne Katz, Microsoft. How to Product Manage Your Mental Health
Beth Anne Katz, Microsoft. How to Product Manage Your Mental HealthIT Arena
 
Sally Foote, GoCompare & Look After My Bills. Magic Goggles: the tools you ne...
Sally Foote, GoCompare & Look After My Bills. Magic Goggles: the tools you ne...Sally Foote, GoCompare & Look After My Bills. Magic Goggles: the tools you ne...
Sally Foote, GoCompare & Look After My Bills. Magic Goggles: the tools you ne...IT Arena
 
Colleen Graneto, Airbnb. 3 steps to better product decision making
Colleen Graneto, Airbnb. 3 steps to better product decision makingColleen Graneto, Airbnb. 3 steps to better product decision making
Colleen Graneto, Airbnb. 3 steps to better product decision makingIT Arena
 
Vasyl Zadvornyy, Prozorro. The Future of Governance: Can a Script Replace the...
Vasyl Zadvornyy, Prozorro. The Future of Governance: Can a Script Replace the...Vasyl Zadvornyy, Prozorro. The Future of Governance: Can a Script Replace the...
Vasyl Zadvornyy, Prozorro. The Future of Governance: Can a Script Replace the...IT Arena
 
Godard Abel, G2. The SaaS Trust Crisis
Godard Abel, G2. The SaaS Trust CrisisGodard Abel, G2. The SaaS Trust Crisis
Godard Abel, G2. The SaaS Trust CrisisIT Arena
 
Zeb Evans, ClickUp. From $0 to $20M ARR in 2 Years: Bootstrapping to Natural ...
Zeb Evans, ClickUp. From $0 to $20M ARR in 2 Years: Bootstrapping to Natural ...Zeb Evans, ClickUp. From $0 to $20M ARR in 2 Years: Bootstrapping to Natural ...
Zeb Evans, ClickUp. From $0 to $20M ARR in 2 Years: Bootstrapping to Natural ...IT Arena
 
Namir Anani, ICTC. Economic Resiliency in The Face of Adversity
Namir Anani, ICTC. Economic Resiliency in The Face of AdversityNamir Anani, ICTC. Economic Resiliency in The Face of Adversity
Namir Anani, ICTC. Economic Resiliency in The Face of AdversityIT Arena
 
Mada Seghete, Branch. Mobile Growth Trends
Mada Seghete, Branch. Mobile Growth Trends Mada Seghete, Branch. Mobile Growth Trends
Mada Seghete, Branch. Mobile Growth TrendsIT Arena
 
Julia Petryk, MacPaw. Product PR: a how-to guide
Julia Petryk, MacPaw. Product PR: a how-to guideJulia Petryk, MacPaw. Product PR: a how-to guide
Julia Petryk, MacPaw. Product PR: a how-to guideIT Arena
 
Yaroslav Ravlinko, Intellias. You don’t need Kubernetes. You need to understa...
Yaroslav Ravlinko, Intellias. You don’t need Kubernetes. You need to understa...Yaroslav Ravlinko, Intellias. You don’t need Kubernetes. You need to understa...
Yaroslav Ravlinko, Intellias. You don’t need Kubernetes. You need to understa...IT Arena
 
Yaroslav Novytskyy, Anton Vasylenko, N-iX. Migrating to the cloud: options an...
Yaroslav Novytskyy, Anton Vasylenko, N-iX. Migrating to the cloud: options an...Yaroslav Novytskyy, Anton Vasylenko, N-iX. Migrating to the cloud: options an...
Yaroslav Novytskyy, Anton Vasylenko, N-iX. Migrating to the cloud: options an...IT Arena
 
Kostiantyn Bokhan, N-iX. CD4ML based on Azure and Kubeflow
Kostiantyn Bokhan, N-iX. CD4ML based on Azure and KubeflowKostiantyn Bokhan, N-iX. CD4ML based on Azure and Kubeflow
Kostiantyn Bokhan, N-iX. CD4ML based on Azure and KubeflowIT Arena
 

More from IT Arena (20)

Shalini Agarwal, LinkedIn. Engineering excellence: marathon, not a sprint
Shalini Agarwal, LinkedIn. Engineering excellence: marathon, not a sprintShalini Agarwal, LinkedIn. Engineering excellence: marathon, not a sprint
Shalini Agarwal, LinkedIn. Engineering excellence: marathon, not a sprint
 
Dave Karow, Split. Powering Progressive Delivery With Data
Dave Karow, Split. Powering Progressive Delivery With DataDave Karow, Split. Powering Progressive Delivery With Data
Dave Karow, Split. Powering Progressive Delivery With Data
 
Ihar Mahaniok, Angel Investor. Hunting unicorns for early stage investments
Ihar Mahaniok, Angel Investor. Hunting unicorns for early stage investmentsIhar Mahaniok, Angel Investor. Hunting unicorns for early stage investments
Ihar Mahaniok, Angel Investor. Hunting unicorns for early stage investments
 
Yuriy Zaremba, AXDRAFT. How to sell your startup
Yuriy Zaremba, AXDRAFT. How to sell your startupYuriy Zaremba, AXDRAFT. How to sell your startup
Yuriy Zaremba, AXDRAFT. How to sell your startup
 
John Griffin, Ford Credit Europe. Normalising failure and making way for succ...
John Griffin, Ford Credit Europe. Normalising failure and making way for succ...John Griffin, Ford Credit Europe. Normalising failure and making way for succ...
John Griffin, Ford Credit Europe. Normalising failure and making way for succ...
 
Vitaliy Diatlenko, Uklon. Transforming your business with machine learning. T...
Vitaliy Diatlenko, Uklon. Transforming your business with machine learning. T...Vitaliy Diatlenko, Uklon. Transforming your business with machine learning. T...
Vitaliy Diatlenko, Uklon. Transforming your business with machine learning. T...
 
Chris Cassarino, SoftServe. Stop Fixating on Fixing – Solving the global enga...
Chris Cassarino, SoftServe. Stop Fixating on Fixing – Solving the global enga...Chris Cassarino, SoftServe. Stop Fixating on Fixing – Solving the global enga...
Chris Cassarino, SoftServe. Stop Fixating on Fixing – Solving the global enga...
 
Michael Labate, Intellias. EDI in the DNA: Why Equity, Diversity and Inclusio...
Michael Labate, Intellias. EDI in the DNA: Why Equity, Diversity and Inclusio...Michael Labate, Intellias. EDI in the DNA: Why Equity, Diversity and Inclusio...
Michael Labate, Intellias. EDI in the DNA: Why Equity, Diversity and Inclusio...
 
Beth Anne Katz, Microsoft. How to Product Manage Your Mental Health
Beth Anne Katz, Microsoft. How to Product Manage Your Mental HealthBeth Anne Katz, Microsoft. How to Product Manage Your Mental Health
Beth Anne Katz, Microsoft. How to Product Manage Your Mental Health
 
Sally Foote, GoCompare & Look After My Bills. Magic Goggles: the tools you ne...
Sally Foote, GoCompare & Look After My Bills. Magic Goggles: the tools you ne...Sally Foote, GoCompare & Look After My Bills. Magic Goggles: the tools you ne...
Sally Foote, GoCompare & Look After My Bills. Magic Goggles: the tools you ne...
 
Colleen Graneto, Airbnb. 3 steps to better product decision making
Colleen Graneto, Airbnb. 3 steps to better product decision makingColleen Graneto, Airbnb. 3 steps to better product decision making
Colleen Graneto, Airbnb. 3 steps to better product decision making
 
Vasyl Zadvornyy, Prozorro. The Future of Governance: Can a Script Replace the...
Vasyl Zadvornyy, Prozorro. The Future of Governance: Can a Script Replace the...Vasyl Zadvornyy, Prozorro. The Future of Governance: Can a Script Replace the...
Vasyl Zadvornyy, Prozorro. The Future of Governance: Can a Script Replace the...
 
Godard Abel, G2. The SaaS Trust Crisis
Godard Abel, G2. The SaaS Trust CrisisGodard Abel, G2. The SaaS Trust Crisis
Godard Abel, G2. The SaaS Trust Crisis
 
Zeb Evans, ClickUp. From $0 to $20M ARR in 2 Years: Bootstrapping to Natural ...
Zeb Evans, ClickUp. From $0 to $20M ARR in 2 Years: Bootstrapping to Natural ...Zeb Evans, ClickUp. From $0 to $20M ARR in 2 Years: Bootstrapping to Natural ...
Zeb Evans, ClickUp. From $0 to $20M ARR in 2 Years: Bootstrapping to Natural ...
 
Namir Anani, ICTC. Economic Resiliency in The Face of Adversity
Namir Anani, ICTC. Economic Resiliency in The Face of AdversityNamir Anani, ICTC. Economic Resiliency in The Face of Adversity
Namir Anani, ICTC. Economic Resiliency in The Face of Adversity
 
Mada Seghete, Branch. Mobile Growth Trends
Mada Seghete, Branch. Mobile Growth Trends Mada Seghete, Branch. Mobile Growth Trends
Mada Seghete, Branch. Mobile Growth Trends
 
Julia Petryk, MacPaw. Product PR: a how-to guide
Julia Petryk, MacPaw. Product PR: a how-to guideJulia Petryk, MacPaw. Product PR: a how-to guide
Julia Petryk, MacPaw. Product PR: a how-to guide
 
Yaroslav Ravlinko, Intellias. You don’t need Kubernetes. You need to understa...
Yaroslav Ravlinko, Intellias. You don’t need Kubernetes. You need to understa...Yaroslav Ravlinko, Intellias. You don’t need Kubernetes. You need to understa...
Yaroslav Ravlinko, Intellias. You don’t need Kubernetes. You need to understa...
 
Yaroslav Novytskyy, Anton Vasylenko, N-iX. Migrating to the cloud: options an...
Yaroslav Novytskyy, Anton Vasylenko, N-iX. Migrating to the cloud: options an...Yaroslav Novytskyy, Anton Vasylenko, N-iX. Migrating to the cloud: options an...
Yaroslav Novytskyy, Anton Vasylenko, N-iX. Migrating to the cloud: options an...
 
Kostiantyn Bokhan, N-iX. CD4ML based on Azure and Kubeflow
Kostiantyn Bokhan, N-iX. CD4ML based on Azure and KubeflowKostiantyn Bokhan, N-iX. CD4ML based on Azure and Kubeflow
Kostiantyn Bokhan, N-iX. CD4ML based on Azure and Kubeflow
 

Recently uploaded

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 

Recently uploaded (20)

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 

Security as a New Metric for Your Business, Product and Development Lifecycle (Nazar Tymoshyk Technology Stream)

  • 1. Security as a New Metric for Your Business, Product and Development Lifecycle by Nazar Tymoshyk, SoftServe, Ph.D., CEH
  • 2. OWASP Chapter Lviv запрошує на останню зустріч групи OWASP Ukraine цього року. Проведіть чудові 2 дні у Львові з найкращими Security спеціалістами України. Реєстрація у: https://goo.gl/5hdvPH http://owasp-lviv.blogspot.com/ Тематика: • Безпека Веб і Мобільних аплікацій • Взлом REST і JavaScript базованих аплікацій • Розслідування взломів • Reverse-Engineering • Розвод, кідалово і маніпуляція свідомістю юзерів • Хмарна і безхмарна безпека • Фізичний взлом + Escape Quest 14 листопада 2015, субота, Львів, вул. Садова 2А Львівка кава, кавярні і пиво, круте товариство, нові знайомства, воркшопи, знання на халяву – все це чекає на вас у нашому затишному місті! OWASP Ukraine 2015 Security meetup у Львові
  • 3. Physical Hacking Escape quest OWASP Ukraine 2015 Lviv meetup, November 14, 2015 Elite HACKERS Industry Experts The most interesting Security event of Ukraine Hands on Labs Collaboration Competition Powered by
  • 4. Security as a metric Total served: 24 Completed: 10 Internal: 3 Lost: 14 Win rate: 67% H1 2014 Total served: 26 Completed: 12 Internal: 3 Lost: 14 Win rate: 46% H1 2015 Updated business model allow us to generate more revenue from same amount of opportunities
  • 7. A rough year in 2012
  • 8. A more challenging year - 2013 • Akamai reports that 2013 attack traffic is averaging over 86% above normal. • This report shows April 30 attack traffic is 117.53% higher than the 42% increase seen in 2012
  • 10.
  • 11.
  • 12. WHY your clients NEED Security Industry Compliance Government Regulation Business availability Capitalization Statistic of Breaches Customer requirement Previous bad experience
  • 13. Consequences of Security FAILURE Trust Money Data stolen Time to recover Penalties for incident Customers Reputation
  • 14. Super user Subscriptions Your very sad client Penalty tool We were hacked because of YOU!
  • 15. If your Cloud server is hacked….
  • 17. Simple ROI of Product security
  • 18. Connected Cars are part of smart houses smart TVs smart watches smart phones smart cars smart fridges ????
  • 19. Typical Security Report delivered by competitor
  • 20. How security is linked to development Than start process of re-Coding, re-Building, re-Testing, re-Auditing 3rd party or internal audit Tone of security defects BACK to re-Coding, re-Building, re-Testing, re-Auditing
  • 21. Design Build Test Production GENERIC APPROACH FOR SECURITY security requirements / risk and threat analysis coding guidelines /code reviews/ static analysis security testing / dynamic analysis vulnerability scanning / WAF Reactive ApproachProactive Approach Secure SDLC
  • 22. How it should look like With proper Security Program number of security defects should decrease from phase to phase Automated security Tests CI integrated Manual Security/penetration Testing OWASP methodology Secure Coding trainings Regular Vulnerability Scans Minimize the costs of the Security related issues Avoid repetitive security issues Avoid inconsistent level of the security Determine activities that pay back faster during current state of the project
  • 23.
  • 24. Remember I'm offering you the truth. Nothing More. To do Security or not to Do
  • 25. QA Engineer Security expert In functional and performance testing, the expected results are documented before the test begins, and the quality assurance team looks at how well the expected results match the actual results In security testing, security analysts team is concerned only with unexpected results and testing for the unknown and looking for weaknesses. They are EXPERTS. VS.
  • 26. Our app code need to be verified for Security PM and SoftServe Demonstrate excellence Competitiveadvantage Reporting for 2 security experts Report with findings Fix it! Non compliant?Good boys! Security Center of Excellence Request App verification PM • Explain security defect and severity • Fix identified security defects • Train developers and QA • Transfer checklists and guides GreatAchievement Scenario 1. PM worried about security on project. Code micro-assessment. Re-check Monitor Next page How to present to client and earn more $$$ ? • Scan sources with Tools • Filtering False Positive • Compile report • Review architecture • Dynamic test • Rate risks Delivery Director/PM
  • 27. Oh Rashid, Who wrote it? We have found some security issues with your legacy code Indian team. Our security experts can perform comprehensive Security Assessment And then our dev team will fix identified defects as it put other projects under risk Ok, do it. How much should it cost? Only $XX.XXX for Security AssessmentDeal! Do it ASAP. 1 2 34
  • 30. Risks are for managers, not developers
  • 31. PEOPLE always bypass restriction if possible Keep in mind this when you design security
  • 32. • Focus on functional requirements • Know about: – OWASP Top 10 – 1 threat (DEADLINE fail) • Implement Requirements as they can • Testing it’s for QA job «I know when I’m writing code I’m not thinking about evil, I’m just trying to think about functionality» (с) Scott Hanselman Developer & Security
  • 33. Why code analysis do not resolve a problem? Many of the CWE vulnerability types, are design issues, or business logic issues. Application security testing tools are being sold as a solution to the problem of insecure software.
  • 34. Mobile banking app from Pakistan
  • 36. Recommended error messages by OWASP Incorrect Response Examples "Login for User foo: invalid password" "Login failed, invalid user ID" "Login failed; account disabled" "Login failed; this user is not active" Correct Response Example "Login failed; Invalid userID or password" https://www.owasp.org/index.php/Authentication_Cheat_Sheet
  • 37. What is wrong on next stage of Login process?
  • 38. Critical Business Logic bypass There was possibility to get personal info (promo code, email, password etc.) of subscription which is not related to currently logged User using
  • 39. Critical Business Logic bypass There was possibility to make changes to personal info of subscription (email, password, name e.g.) using User.updateSubscription method even in case appropriate user is not logged in
  • 40. Critical Business Logic bypass • There is possibility to convert any standalone subscriptions to managed no matter whether appropriate user is logged in or not using User.setSubscriptionToManaged function (you can make any user to pay for paid features of your subscriptions)
  • 41. Critical Business Logic bypass There was possibility to delete subscriptions/credit card which are not related to currently logged user using User.deleteSubscription/deleteCredit Card function
  • 44. SQL-Injections to win a Trip Dumped admin password hashes
  • 45. Simple SOAP request fuzzing allow collecting information about existent system users, their emails, VIN, Last access time, user ID and other confidential, user/car related information Broken Session management
  • 47. Story about Hybrid Mobile Development in India
  • 48. Reversing Java/iOS application this app feature Reversing Java / iOS application this app feature
  • 49. WEAK Cryptography v Was cleaned up by Vendor Team
  • 50. REMOVED CODE APPEARS AGAIN IN APPSTORE APP v Appear Again in App from AppStore
  • 51. HARDCODED CREDENTIALS v v v Severity: Critical (C )/P1 Business impact: Medium (M)/P3
  • 52. BACKEND SECURITY v v Severity: Critical (C )/P1 Business impact: Critical (C )/P1
  • 53. WEAK PASSWORDS Severity: Critical (C )/P1 Business impact: Critical (C )/P1
  • 56. SENSITIVE FILE ARTIFACTS v Severity: Low (L)/P4. Business impact: No business impact v v
  • 57. All Apps are considered safe until proven guilty by a security review Financial Institution
  • 58. SENSITIVE CLIENT INFORMATION AS A CONSEQUENCE – CUSTOMERS TRUST COULD BE LOST.
  • 62. Upload Java shell and take server under control
  • 64. How to PROTECT? Security Frameworks Right Security Requirements Penetration Testing Code Scan and Review Security Trainings Threat Modelling Dedicated Security Expert OWASP.org
  • 65. Add Security into your PROCESS
  • 67. THANK YOU 67 Contact me: skype: root_nt email: root.nt@gmail.com Join OWASP: http://owasp-lviv.blogspot.com/ FEEDBACK & QUESTIONS

Editor's Notes

  1. майндмапа дала зрозуміти які сценарії і як використовувати щоб приносити бенефіти на існуючих проектах сценарії бабло інволвмент виконавці часові фрейми усування конкурентів вирішення ряду бізнес проблем наприклад усунення конкурентів