SlideShare a Scribd company logo

Just4Meeting 2012 - How to protect your web applications

Magno Logan
Magno Logan

Just4Meeting 2012 - How to protect your web applications Julho de 2012 em Cascais, Portugal. http://www.just4meeting.com/

Technology
1 of 36
Download to read offline
How to protect your web applications Magno Logan magno.logan@owasp.org OWASP Paraíba Chapter Leader
About Me Who am I? • Ex-developer • Security Analyst • Chapter Leader • Investments • Martial Arts
Paraíba?! I’m here! • Caipirinha • Soccer • Samba • Girls We have it all!
I live where you take vacations, sorry! =)
Agenda • They are everywhere! • Testing, testing, testing… • Guides, tools and much more • The insecure software lifecycle • How to solve these problems (maybe?)
They are everywhere!
They are everywhere! And they have bugs everywhere! • The cost of a data breach averages $5.5 million or $194 per customer record* • Companies that take security seriously can reduce the cost per customer by up to 62% * From a 2011 study by the Ponemon Institute
What are we doing wrong? • Secure application development is a top priority • But web applications are still the number one source of data breaches • We need to change the mindset of software development *From a 2011 Forrester Research study: Application Security: 2011 & Beyond
What are we doing wrong? • We’re in 2012 and SQL Injection is still the biggest issue! • The first public issue dates from 1998 • SQL Injections can lead to shell access now!
Why these still happens? Excuses to the problems: • Security is not important! Money is! • There is no time! • Developer’s fault! They are the scape goat of security!
Back to the basics CIA Triad
Now what? So, how to protect our apps?! 1. Threat Modeling 2. Security Testing 3. Code Review 4. SDL
Threat Modeling
Threat Modeling • Structured approach to identify and measure risks • It defines the security requisites • Allows the design to address the security issues • Helps the security testing and code reviews
Threat Modeling Process 1. Identify your assets 2. Create an architectural view 3. Decompose the software 4. Identify, document and classify the threats to your app
(Security) Design Patterns • Use them! There a lot out there! • Don’t reinvent the wheel! • Exception Handling • Input Validation • Protected Logging
Development Phase • Use a guide to implement your security, like the OWASP Developer’s Guide • Use unit test cases focused on security • Present security training to developers • Perform penetration testing and code reviews
OWASP Top 10 2010 Testing, testing, testing…
2011 CWE/SANS Top 25 And more testing…
So what do they do? • Protect you from common mistakes • Avoid you from getting hacked by automated tools/scanners and script kiddies By the way, if you work with AppSec and you never heard of these two docs…
You need to find another job!
How to apply them? Many FREE resources! Not just OWASP stuff…
Code reviews Ok, now what?! OWASP Code Review Guide • Code review takes a deeper look into your app • Things that automated scanners won’t find • You’ll see the common mistakes devs make
SDL We fixed the problems. How to stop them? • Implement a SDL process • Train your developers about app security • They don’t need to be experts, at least know how it works and how to protect their apps
Free Docs Yay! More free stuff… • OWASP ASVS – verify your security • OWASP OpenSAMM – create a security program • OWASP Developer’s Guide – tips to devs
Not yet… It’s not that simple… • If we have all that, why aren’t our apps secure? • Why even the big companies don’t follow the basic rules? Hello Linkedin!
Security Myths We know, we know… • Security costs money. Yeah, but so does development, support, operations, etc. • Security costs money. But it will save you a lot more! Why most companies still don’t see the value of security until they get hacked?
If it compiles, ship it! Like Dinis Cruz said at AppSec Latam 2011: Unless you’ve been hacked before… If it compiles, Ship it! That’s the motto in most dev companies
ISLC The real picture (Developer’s view) • They don’t like the security teams • They already work on a tight schedule • Security will increase their programming time
The ideal world How it should be… • Dev and infosec should work together • Security practices and implementations should be included in the schedule time • It will increase the apps protection and decrease the amount of bugs and work
Conclusions In a nutshell… • Security is not a plugin, it’s a process. • Test everything, every time they change. • Allocate time for security testing within your project • Never assume security controls are effective
OWASP Floripa Day Conferences 15 e 16 de Setembro https://www.owasp.org/index.php/OWASP_Floripa_Day_2012
AppSec Brazil 2012 Conferences OWASP AppSec Brazil 2012 In November in João Pessoa!
Questions? @magnologan @owasppb
References Wagner Elias. “Testar não é suficiente, tem que fazer direito!”. YSTS 2012 Dinis Cruz. “Making Security Invisible by Becoming the Developer's Best Friends”. OWASP AppSec Latam 2011 Building Secure Web Applications Infographic - http://www.veracode.com/blog/2012/06/building-secure- web-applications-infographic/ OWASP - www.owasp.org

Recommended

BHack 2012 - How to protect your web applications
BHack 2012 - How to protect your web applicationsBHack 2012 - How to protect your web applications
BHack 2012 - How to protect your web applicationsMagno Logan
 
DevSecCon Singapore 2018 - Insecurity in information technology by Tanya Janca
DevSecCon Singapore 2018 - Insecurity in information technology by Tanya JancaDevSecCon Singapore 2018 - Insecurity in information technology by Tanya Janca
DevSecCon Singapore 2018 - Insecurity in information technology by Tanya JancaDevSecCon
 
Silver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security SolutionsSilver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security SolutionsSeniorStoryteller
 
Amy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOpsAmy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOpsSeniorStoryteller
 
Outpost24 webinar - The economics of penetration testing in the new threat la...
Outpost24 webinar - The economics of penetration testing in the new threat la...Outpost24 webinar - The economics of penetration testing in the new threat la...
Outpost24 webinar - The economics of penetration testing in the new threat la...Outpost24
 
Vulnerability management and threat detection by the numbers
Vulnerability management and threat detection by the numbersVulnerability management and threat detection by the numbers
Vulnerability management and threat detection by the numbersEoin Keary
 
Shifting left – embedding security into the devops pipeline by Mike d. Kail
Shifting left – embedding security into the devops pipeline by Mike d. KailShifting left – embedding security into the devops pipeline by Mike d. Kail
Shifting left – embedding security into the devops pipeline by Mike d. KailDevSecCon
 
BSides Vienna 2015
BSides Vienna 2015BSides Vienna 2015
BSides Vienna 2015Daniel Liber
 

Recommended

BHack 2012 - How to protect your web applications
BHack 2012 - How to protect your web applicationsBHack 2012 - How to protect your web applications
BHack 2012 - How to protect your web applicationsMagno Logan
 
DevSecCon Singapore 2018 - Insecurity in information technology by Tanya Janca
DevSecCon Singapore 2018 - Insecurity in information technology by Tanya JancaDevSecCon Singapore 2018 - Insecurity in information technology by Tanya Janca
DevSecCon Singapore 2018 - Insecurity in information technology by Tanya JancaDevSecCon
 
Silver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security SolutionsSilver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security SolutionsSeniorStoryteller
 
Amy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOpsAmy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOpsSeniorStoryteller
 
Outpost24 webinar - The economics of penetration testing in the new threat la...
Outpost24 webinar - The economics of penetration testing in the new threat la...Outpost24 webinar - The economics of penetration testing in the new threat la...
Outpost24 webinar - The economics of penetration testing in the new threat la...Outpost24
 
Vulnerability management and threat detection by the numbers
Vulnerability management and threat detection by the numbersVulnerability management and threat detection by the numbers
Vulnerability management and threat detection by the numbersEoin Keary
 
Shifting left – embedding security into the devops pipeline by Mike d. Kail
Shifting left – embedding security into the devops pipeline by Mike d. KailShifting left – embedding security into the devops pipeline by Mike d. Kail
Shifting left – embedding security into the devops pipeline by Mike d. KailDevSecCon
 
BSides Vienna 2015
BSides Vienna 2015BSides Vienna 2015
BSides Vienna 2015Daniel Liber
 
DevSecCon Asia 2017 Arun N: Securing chatops
DevSecCon Asia 2017 Arun N: Securing chatopsDevSecCon Asia 2017 Arun N: Securing chatops
DevSecCon Asia 2017 Arun N: Securing chatopsDevSecCon
 
The R.O.A.D to DevOps
The R.O.A.D to DevOpsThe R.O.A.D to DevOps
The R.O.A.D to DevOpsSeniorStoryteller
 
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous Culture
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous CultureContinuous Delivery to Continuous Operations, DevOps & SRE = Continuous Culture
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous CultureDevOps Indonesia
 
Safely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySafely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySeniorStoryteller
 
Automation and open source turning the tide on the attackers
Automation and open source turning the tide on the attackersAutomation and open source turning the tide on the attackers
Automation and open source turning the tide on the attackersFrank Victory
 
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting LeftDevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting LeftDevSecCon
 
Software Supply Chain Automation Removes Roadblocks to Rugged DevOps
Software Supply Chain Automation Removes Roadblocks to Rugged DevOpsSoftware Supply Chain Automation Removes Roadblocks to Rugged DevOps
Software Supply Chain Automation Removes Roadblocks to Rugged DevOpsSeniorStoryteller
 
AppSec is Eating Security
AppSec is Eating SecurityAppSec is Eating Security
AppSec is Eating SecurityAlex Stamos
 
Top Practices for Successful Mobile Test Automation
Top Practices for Successful Mobile Test AutomationTop Practices for Successful Mobile Test Automation
Top Practices for Successful Mobile Test AutomationTechWell
 
DevOps not a Toolbox
DevOps not a ToolboxDevOps not a Toolbox
DevOps not a ToolboxDevOps Indonesia
 
Make Your UI Tests Resilient with the Next Generation of Frameworks
Make Your UI Tests Resilient with the Next Generation of FrameworksMake Your UI Tests Resilient with the Next Generation of Frameworks
Make Your UI Tests Resilient with the Next Generation of FrameworksSatyajit Malugu
 
2016 virus bulletin
2016 virus bulletin2016 virus bulletin
2016 virus bulletinAdrian Sanabria
 
Security and DevOps Overview
Security and DevOps OverviewSecurity and DevOps Overview
Security and DevOps OverviewAdrian Sanabria
 
DevOps Security Coffee - Lazy hackers who think out of the box, but stay in t...
DevOps Security Coffee - Lazy hackers who think out of the box, but stay in t...DevOps Security Coffee - Lazy hackers who think out of the box, but stay in t...
DevOps Security Coffee - Lazy hackers who think out of the box, but stay in t...Freek Kauffmann
 
RoboCop: Bringing Law and Order to CI/CD
RoboCop: Bringing Law and Order to CI/CDRoboCop: Bringing Law and Order to CI/CD
RoboCop: Bringing Law and Order to CI/CDFranklin Mosley
 
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the government
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the governmentDevSecCon Asia 2017 Fabian Lim: DevSecOps in the government
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the governmentDevSecCon
 
Taking Open Source Security to the Next Level
Taking Open Source Security to the Next LevelTaking Open Source Security to the Next Level
Taking Open Source Security to the Next LevelWhiteSource
 
Best Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESS
Best Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESSBest Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESS
Best Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESSLostar
 
DevSecOps - It can change your life (cycle)
DevSecOps - It can change your life (cycle)DevSecOps - It can change your life (cycle)
DevSecOps - It can change your life (cycle)Qualitest
 
New Barriers of Transformation
New Barriers of TransformationNew Barriers of Transformation
New Barriers of TransformationDevOps Indonesia
 
_Best practices towards a well-polished DevSecOps environment (1).pdf
_Best practices towards a well-polished DevSecOps environment (1).pdf_Best practices towards a well-polished DevSecOps environment (1).pdf
_Best practices towards a well-polished DevSecOps environment (1).pdfEnov8
 
Outpost24 webinar - Why security perfection is the enemy of DevSecOps
Outpost24 webinar - Why security perfection is the enemy of DevSecOpsOutpost24 webinar - Why security perfection is the enemy of DevSecOps
Outpost24 webinar - Why security perfection is the enemy of DevSecOpsOutpost24
 

More Related Content

What's hot

DevSecCon Asia 2017 Arun N: Securing chatops
DevSecCon Asia 2017 Arun N: Securing chatopsDevSecCon Asia 2017 Arun N: Securing chatops
DevSecCon Asia 2017 Arun N: Securing chatopsDevSecCon
 
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous Culture
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous CultureContinuous Delivery to Continuous Operations, DevOps & SRE = Continuous Culture
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous CultureDevOps Indonesia
 
Safely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySafely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySeniorStoryteller
 
Automation and open source turning the tide on the attackers
Automation and open source turning the tide on the attackersAutomation and open source turning the tide on the attackers
Automation and open source turning the tide on the attackersFrank Victory
 
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting LeftDevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting LeftDevSecCon
 
Software Supply Chain Automation Removes Roadblocks to Rugged DevOps
Software Supply Chain Automation Removes Roadblocks to Rugged DevOpsSoftware Supply Chain Automation Removes Roadblocks to Rugged DevOps
Software Supply Chain Automation Removes Roadblocks to Rugged DevOpsSeniorStoryteller
 
AppSec is Eating Security
AppSec is Eating SecurityAppSec is Eating Security
AppSec is Eating SecurityAlex Stamos
 
Top Practices for Successful Mobile Test Automation
Top Practices for Successful Mobile Test AutomationTop Practices for Successful Mobile Test Automation
Top Practices for Successful Mobile Test AutomationTechWell
 
Make Your UI Tests Resilient with the Next Generation of Frameworks
Make Your UI Tests Resilient with the Next Generation of FrameworksMake Your UI Tests Resilient with the Next Generation of Frameworks
Make Your UI Tests Resilient with the Next Generation of FrameworksSatyajit Malugu
 
Security and DevOps Overview
Security and DevOps OverviewSecurity and DevOps Overview
Security and DevOps OverviewAdrian Sanabria
 
DevOps Security Coffee - Lazy hackers who think out of the box, but stay in t...
DevOps Security Coffee - Lazy hackers who think out of the box, but stay in t...DevOps Security Coffee - Lazy hackers who think out of the box, but stay in t...
DevOps Security Coffee - Lazy hackers who think out of the box, but stay in t...Freek Kauffmann
 
RoboCop: Bringing Law and Order to CI/CD
RoboCop: Bringing Law and Order to CI/CDRoboCop: Bringing Law and Order to CI/CD
RoboCop: Bringing Law and Order to CI/CDFranklin Mosley
 
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the government
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the governmentDevSecCon Asia 2017 Fabian Lim: DevSecOps in the government
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the governmentDevSecCon
 
Taking Open Source Security to the Next Level
Taking Open Source Security to the Next LevelTaking Open Source Security to the Next Level
Taking Open Source Security to the Next LevelWhiteSource
 
Best Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESS
Best Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESSBest Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESS
Best Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESSLostar
 
DevSecOps - It can change your life (cycle)
DevSecOps - It can change your life (cycle)DevSecOps - It can change your life (cycle)
DevSecOps - It can change your life (cycle)Qualitest
 
New Barriers of Transformation
New Barriers of TransformationNew Barriers of Transformation
New Barriers of TransformationDevOps Indonesia
 

What's hot (20)

DevSecCon Asia 2017 Arun N: Securing chatops
DevSecCon Asia 2017 Arun N: Securing chatopsDevSecCon Asia 2017 Arun N: Securing chatops
DevSecCon Asia 2017 Arun N: Securing chatops
 
The R.O.A.D to DevOps
The R.O.A.D to DevOpsThe R.O.A.D to DevOps
The R.O.A.D to DevOps
 
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous Culture
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous CultureContinuous Delivery to Continuous Operations, DevOps & SRE = Continuous Culture
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous Culture
 
Safely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySafely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous Delivery
 
Automation and open source turning the tide on the attackers
Automation and open source turning the tide on the attackersAutomation and open source turning the tide on the attackers
Automation and open source turning the tide on the attackers
 
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting LeftDevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
 
Software Supply Chain Automation Removes Roadblocks to Rugged DevOps
Software Supply Chain Automation Removes Roadblocks to Rugged DevOpsSoftware Supply Chain Automation Removes Roadblocks to Rugged DevOps
Software Supply Chain Automation Removes Roadblocks to Rugged DevOps
 
AppSec is Eating Security
AppSec is Eating SecurityAppSec is Eating Security
AppSec is Eating Security
 
Top Practices for Successful Mobile Test Automation
Top Practices for Successful Mobile Test AutomationTop Practices for Successful Mobile Test Automation
Top Practices for Successful Mobile Test Automation
 
DevOps not a Toolbox
DevOps not a ToolboxDevOps not a Toolbox
DevOps not a Toolbox
 
Make Your UI Tests Resilient with the Next Generation of Frameworks
Make Your UI Tests Resilient with the Next Generation of FrameworksMake Your UI Tests Resilient with the Next Generation of Frameworks
Make Your UI Tests Resilient with the Next Generation of Frameworks
 
2016 virus bulletin
2016 virus bulletin2016 virus bulletin
2016 virus bulletin
 
Security and DevOps Overview
Security and DevOps OverviewSecurity and DevOps Overview
Security and DevOps Overview
 
DevOps Security Coffee - Lazy hackers who think out of the box, but stay in t...
DevOps Security Coffee - Lazy hackers who think out of the box, but stay in t...DevOps Security Coffee - Lazy hackers who think out of the box, but stay in t...
DevOps Security Coffee - Lazy hackers who think out of the box, but stay in t...
 
RoboCop: Bringing Law and Order to CI/CD
RoboCop: Bringing Law and Order to CI/CDRoboCop: Bringing Law and Order to CI/CD
RoboCop: Bringing Law and Order to CI/CD
 
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the government
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the governmentDevSecCon Asia 2017 Fabian Lim: DevSecOps in the government
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the government
 
Taking Open Source Security to the Next Level
Taking Open Source Security to the Next LevelTaking Open Source Security to the Next Level
Taking Open Source Security to the Next Level
 
Best Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESS
Best Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESSBest Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESS
Best Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESS
 
DevSecOps - It can change your life (cycle)
DevSecOps - It can change your life (cycle)DevSecOps - It can change your life (cycle)
DevSecOps - It can change your life (cycle)
 
New Barriers of Transformation
New Barriers of TransformationNew Barriers of Transformation
New Barriers of Transformation
 

Similar to Just4Meeting 2012 - How to protect your web applications

_Best practices towards a well-polished DevSecOps environment (1).pdf
_Best practices towards a well-polished DevSecOps environment (1).pdf_Best practices towards a well-polished DevSecOps environment (1).pdf
_Best practices towards a well-polished DevSecOps environment (1).pdfEnov8
 
Outpost24 webinar - Why security perfection is the enemy of DevSecOps
Outpost24 webinar - Why security perfection is the enemy of DevSecOpsOutpost24 webinar - Why security perfection is the enemy of DevSecOps
Outpost24 webinar - Why security perfection is the enemy of DevSecOpsOutpost24
 
DevOps and the Future of InfoSec
DevOps and the Future of InfoSecDevOps and the Future of InfoSec
DevOps and the Future of InfoSecDarin Morris
 
DevSecCon Singapore 2018 - Pushing left like a boss by Tanya Janca
DevSecCon Singapore 2018 - Pushing left like a boss by Tanya JancaDevSecCon Singapore 2018 - Pushing left like a boss by Tanya Janca
DevSecCon Singapore 2018 - Pushing left like a boss by Tanya JancaDevSecCon
 
Гірка правда про безпеку програмного забезпечення, Володимир Стиран
Гірка правда про безпеку програмного забезпечення, Володимир СтиранГірка правда про безпеку програмного забезпечення, Володимир Стиран
Гірка правда про безпеку програмного забезпечення, Володимир СтиранSigma Software
 
Sigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software SecuritySigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software SecurityVlad Styran
 
Introduction to DevSecOps OWASP Ahmedabad
Introduction to DevSecOps OWASP AhmedabadIntroduction to DevSecOps OWASP Ahmedabad
Introduction to DevSecOps OWASP Ahmedabadkunwaratul hax0r
 
The Journey to DevSecOps
The Journey to DevSecOpsThe Journey to DevSecOps
The Journey to DevSecOpsShannon Lietz
 
Improve Security through Continuous Testing
Improve Security through Continuous TestingImprove Security through Continuous Testing
Improve Security through Continuous TestingTechWell
 
Mike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security ProgramMike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security Programcentralohioissa
 
Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended CutMike Spaulding
 
DevSecOps with Microsoft Tech
DevSecOps with Microsoft TechDevSecOps with Microsoft Tech
DevSecOps with Microsoft TechDarin Morris
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityAnne Oikarinen
 
2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Delivery2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Deliverydevopsdaysaustin
 
HouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchHouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchSpencer Koch
 
DevOps and the Future of Information Security
DevOps and the Future of Information SecurityDevOps and the Future of Information Security
DevOps and the Future of Information SecurityDarin Morris
 
Outpost24 webinar: Turning DevOps and security into DevSecOps
Outpost24 webinar: Turning DevOps and security into DevSecOpsOutpost24 webinar: Turning DevOps and security into DevSecOps
Outpost24 webinar: Turning DevOps and security into DevSecOpsOutpost24
 

Similar to Just4Meeting 2012 - How to protect your web applications (20)

_Best practices towards a well-polished DevSecOps environment (1).pdf
_Best practices towards a well-polished DevSecOps environment (1).pdf_Best practices towards a well-polished DevSecOps environment (1).pdf
_Best practices towards a well-polished DevSecOps environment (1).pdf
 
Outpost24 webinar - Why security perfection is the enemy of DevSecOps
Outpost24 webinar - Why security perfection is the enemy of DevSecOpsOutpost24 webinar - Why security perfection is the enemy of DevSecOps
Outpost24 webinar - Why security perfection is the enemy of DevSecOps
 
DevOps and the Future of InfoSec
DevOps and the Future of InfoSecDevOps and the Future of InfoSec
DevOps and the Future of InfoSec
 
DevSecCon Singapore 2018 - Pushing left like a boss by Tanya Janca
DevSecCon Singapore 2018 - Pushing left like a boss by Tanya JancaDevSecCon Singapore 2018 - Pushing left like a boss by Tanya Janca
DevSecCon Singapore 2018 - Pushing left like a boss by Tanya Janca
 
Гірка правда про безпеку програмного забезпечення, Володимир Стиран
Гірка правда про безпеку програмного забезпечення, Володимир СтиранГірка правда про безпеку програмного забезпечення, Володимир Стиран
Гірка правда про безпеку програмного забезпечення, Володимир Стиран
 
Sigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software SecuritySigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software Security
 
Introduction to DevSecOps OWASP Ahmedabad
Introduction to DevSecOps OWASP AhmedabadIntroduction to DevSecOps OWASP Ahmedabad
Introduction to DevSecOps OWASP Ahmedabad
 
The Journey to DevSecOps
The Journey to DevSecOpsThe Journey to DevSecOps
The Journey to DevSecOps
 
The Journey to DevSecOps
The Journey to DevSecOpsThe Journey to DevSecOps
The Journey to DevSecOps
 
Improve Security through Continuous Testing
Improve Security through Continuous TestingImprove Security through Continuous Testing
Improve Security through Continuous Testing
 
Mike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security ProgramMike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security Program
 
Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended Cut
 
The Unlikely Couple, DevOps and Security. Can it work?
The Unlikely Couple, DevOps and Security. Can it work?The Unlikely Couple, DevOps and Security. Can it work?
The Unlikely Couple, DevOps and Security. Can it work?
 
DevSecOps with Microsoft Tech
DevSecOps with Microsoft TechDevSecOps with Microsoft Tech
DevSecOps with Microsoft Tech
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software Security
 
2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Delivery2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Delivery
 
HouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchHouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from Scratch
 
DevOps and the Future of Information Security
DevOps and the Future of Information SecurityDevOps and the Future of Information Security
DevOps and the Future of Information Security
 
SDLC & DevSecOps
SDLC & DevSecOpsSDLC & DevSecOps
SDLC & DevSecOps
 
Outpost24 webinar: Turning DevOps and security into DevSecOps
Outpost24 webinar: Turning DevOps and security into DevSecOpsOutpost24 webinar: Turning DevOps and security into DevSecOps
Outpost24 webinar: Turning DevOps and security into DevSecOps
 

More from Magno Logan

DevSecOps - Integrating Security in the Development Process (with memes) - Ma...
DevSecOps - Integrating Security in the Development Process (with memes) - Ma...DevSecOps - Integrating Security in the Development Process (with memes) - Ma...
DevSecOps - Integrating Security in the Development Process (with memes) - Ma...Magno Logan
 
Katana Security - Consultoria em Segurança da Informação
Katana Security - Consultoria em Segurança da InformaçãoKatana Security - Consultoria em Segurança da Informação
Katana Security - Consultoria em Segurança da InformaçãoMagno Logan
 
OWASP Top 10 2010 para JavaEE (pt-BR)
OWASP Top 10 2010 para JavaEE (pt-BR)OWASP Top 10 2010 para JavaEE (pt-BR)
OWASP Top 10 2010 para JavaEE (pt-BR)Magno Logan
 
XST - Cross Site Tracing
XST - Cross Site TracingXST - Cross Site Tracing
XST - Cross Site TracingMagno Logan
 
OWASP Top 10 2007 for JavaEE
OWASP Top 10 2007 for JavaEE OWASP Top 10 2007 for JavaEE
OWASP Top 10 2007 for JavaEE Magno Logan
 
SQL Injection Tutorial
SQL Injection TutorialSQL Injection Tutorial
SQL Injection TutorialMagno Logan
 
OWASP Top 10 2010 pt-BR
OWASP Top 10 2010 pt-BROWASP Top 10 2010 pt-BR
OWASP Top 10 2010 pt-BRMagno Logan
 
Tratando as vulnerabilidades do Top 10 do OWASP by Wagner Elias
Tratando as vulnerabilidades do Top 10 do OWASP by Wagner EliasTratando as vulnerabilidades do Top 10 do OWASP by Wagner Elias
Tratando as vulnerabilidades do Top 10 do OWASP by Wagner EliasMagno Logan
 
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMagno Logan
 
Co0L 2011 - Segurança em Sites de Compras Coletivas: Vulnerabilidades, Ataqu...
Co0L 2011 - Segurança em Sites de Compras Coletivas: Vulnerabilidades, Ataqu...Co0L 2011 - Segurança em Sites de Compras Coletivas: Vulnerabilidades, Ataqu...
Co0L 2011 - Segurança em Sites de Compras Coletivas: Vulnerabilidades, Ataqu...Magno Logan
 
AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...
AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...
AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...Magno Logan
 
AppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
AppSec EU 2011 - An Introduction to ZAP by Simon BennettsAppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
AppSec EU 2011 - An Introduction to ZAP by Simon BennettsMagno Logan
 
OWASP Floripa - Web Spiders: Automação para Web Hacking by Antonio Costa aka ...
OWASP Floripa - Web Spiders: Automação para Web Hacking by Antonio Costa aka ...OWASP Floripa - Web Spiders: Automação para Web Hacking by Antonio Costa aka ...
OWASP Floripa - Web Spiders: Automação para Web Hacking by Antonio Costa aka ...Magno Logan
 
AppSec Brazil 2010 - Utilizando a ESAPI para prover Segurança em Aplicações W...
AppSec Brazil 2010 - Utilizando a ESAPI para prover Segurança em Aplicações W...AppSec Brazil 2010 - Utilizando a ESAPI para prover Segurança em Aplicações W...
AppSec Brazil 2010 - Utilizando a ESAPI para prover Segurança em Aplicações W...Magno Logan
 
AppSec DC 2009 - Learning by breaking by Chuck Willis
AppSec DC 2009 - Learning by breaking by Chuck WillisAppSec DC 2009 - Learning by breaking by Chuck Willis
AppSec DC 2009 - Learning by breaking by Chuck WillisMagno Logan
 
GTS 17 - OWASP em prol de um mundo mais seguro
GTS 17 - OWASP em prol de um mundo mais seguroGTS 17 - OWASP em prol de um mundo mais seguro
GTS 17 - OWASP em prol de um mundo mais seguroMagno Logan
 
ENSOL 2011 - OWASP e a Segurança na Web
ENSOL 2011 - OWASP e a Segurança na WebENSOL 2011 - OWASP e a Segurança na Web
ENSOL 2011 - OWASP e a Segurança na WebMagno Logan
 
AppSec Latam 2011 - Treinamento OWASP Top 10 + JavaEE
AppSec Latam 2011 - Treinamento OWASP Top 10 + JavaEEAppSec Latam 2011 - Treinamento OWASP Top 10 + JavaEE
AppSec Latam 2011 - Treinamento OWASP Top 10 + JavaEEMagno Logan
 

More from Magno Logan (20)

DevSecOps - Integrating Security in the Development Process (with memes) - Ma...
DevSecOps - Integrating Security in the Development Process (with memes) - Ma...DevSecOps - Integrating Security in the Development Process (with memes) - Ma...
DevSecOps - Integrating Security in the Development Process (with memes) - Ma...
 
Katana Security - Consultoria em Segurança da Informação
Katana Security - Consultoria em Segurança da InformaçãoKatana Security - Consultoria em Segurança da Informação
Katana Security - Consultoria em Segurança da Informação
 
OWASP Top 10 2010 para JavaEE (pt-BR)
OWASP Top 10 2010 para JavaEE (pt-BR)OWASP Top 10 2010 para JavaEE (pt-BR)
OWASP Top 10 2010 para JavaEE (pt-BR)
 
XST - Cross Site Tracing
XST - Cross Site TracingXST - Cross Site Tracing
XST - Cross Site Tracing
 
OWASP Top 10 2007 for JavaEE
OWASP Top 10 2007 for JavaEE OWASP Top 10 2007 for JavaEE
OWASP Top 10 2007 for JavaEE
 
XPath Injection
XPath InjectionXPath Injection
XPath Injection
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
 
SQL Injection Tutorial
SQL Injection TutorialSQL Injection Tutorial
SQL Injection Tutorial
 
OWASP Top 10 2010 pt-BR
OWASP Top 10 2010 pt-BROWASP Top 10 2010 pt-BR
OWASP Top 10 2010 pt-BR
 
Tratando as vulnerabilidades do Top 10 do OWASP by Wagner Elias
Tratando as vulnerabilidades do Top 10 do OWASP by Wagner EliasTratando as vulnerabilidades do Top 10 do OWASP by Wagner Elias
Tratando as vulnerabilidades do Top 10 do OWASP by Wagner Elias
 
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
 
Co0L 2011 - Segurança em Sites de Compras Coletivas: Vulnerabilidades, Ataqu...
Co0L 2011 - Segurança em Sites de Compras Coletivas: Vulnerabilidades, Ataqu...Co0L 2011 - Segurança em Sites de Compras Coletivas: Vulnerabilidades, Ataqu...
Co0L 2011 - Segurança em Sites de Compras Coletivas: Vulnerabilidades, Ataqu...
 
AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...
AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...
AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...
 
AppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
AppSec EU 2011 - An Introduction to ZAP by Simon BennettsAppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
AppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
 
OWASP Floripa - Web Spiders: Automação para Web Hacking by Antonio Costa aka ...
OWASP Floripa - Web Spiders: Automação para Web Hacking by Antonio Costa aka ...OWASP Floripa - Web Spiders: Automação para Web Hacking by Antonio Costa aka ...
OWASP Floripa - Web Spiders: Automação para Web Hacking by Antonio Costa aka ...
 
AppSec Brazil 2010 - Utilizando a ESAPI para prover Segurança em Aplicações W...
AppSec Brazil 2010 - Utilizando a ESAPI para prover Segurança em Aplicações W...AppSec Brazil 2010 - Utilizando a ESAPI para prover Segurança em Aplicações W...
AppSec Brazil 2010 - Utilizando a ESAPI para prover Segurança em Aplicações W...
 
AppSec DC 2009 - Learning by breaking by Chuck Willis
AppSec DC 2009 - Learning by breaking by Chuck WillisAppSec DC 2009 - Learning by breaking by Chuck Willis
AppSec DC 2009 - Learning by breaking by Chuck Willis
 
GTS 17 - OWASP em prol de um mundo mais seguro
GTS 17 - OWASP em prol de um mundo mais seguroGTS 17 - OWASP em prol de um mundo mais seguro
GTS 17 - OWASP em prol de um mundo mais seguro
 
ENSOL 2011 - OWASP e a Segurança na Web
ENSOL 2011 - OWASP e a Segurança na WebENSOL 2011 - OWASP e a Segurança na Web
ENSOL 2011 - OWASP e a Segurança na Web
 
AppSec Latam 2011 - Treinamento OWASP Top 10 + JavaEE
AppSec Latam 2011 - Treinamento OWASP Top 10 + JavaEEAppSec Latam 2011 - Treinamento OWASP Top 10 + JavaEE
AppSec Latam 2011 - Treinamento OWASP Top 10 + JavaEE
 

Recently uploaded

Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 

Recently uploaded (20)

Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 

Just4Meeting 2012 - How to protect your web applications

  • 1. How to protect your web applications Magno Logan magno.logan@owasp.org OWASP Paraíba Chapter Leader
  • 2. About Me Who am I? • Ex-developer • Security Analyst • Chapter Leader • Investments • Martial Arts
  • 3. Paraíba?! I’m here! • Caipirinha • Soccer • Samba • Girls We have it all!
  • 4. I live where you take vacations, sorry! =)
  • 5. Agenda • They are everywhere! • Testing, testing, testing… • Guides, tools and much more • The insecure software lifecycle • How to solve these problems (maybe?)
  • 7. They are everywhere! And they have bugs everywhere! • The cost of a data breach averages $5.5 million or $194 per customer record* • Companies that take security seriously can reduce the cost per customer by up to 62% * From a 2011 study by the Ponemon Institute
  • 8. What are we doing wrong? • Secure application development is a top priority • But web applications are still the number one source of data breaches • We need to change the mindset of software development *From a 2011 Forrester Research study: Application Security: 2011 & Beyond
  • 9. What are we doing wrong? • We’re in 2012 and SQL Injection is still the biggest issue! • The first public issue dates from 1998 • SQL Injections can lead to shell access now!
  • 10.
  • 11. Why these still happens? Excuses to the problems: • Security is not important! Money is! • There is no time! • Developer’s fault! They are the scape goat of security!
  • 12. Back to the basics CIA Triad
  • 13. Now what? So, how to protect our apps?! 1. Threat Modeling 2. Security Testing 3. Code Review 4. SDL
  • 15. Threat Modeling • Structured approach to identify and measure risks • It defines the security requisites • Allows the design to address the security issues • Helps the security testing and code reviews
  • 16. Threat Modeling Process 1. Identify your assets 2. Create an architectural view 3. Decompose the software 4. Identify, document and classify the threats to your app
  • 17. (Security) Design Patterns • Use them! There a lot out there! • Don’t reinvent the wheel! • Exception Handling • Input Validation • Protected Logging
  • 18. Development Phase • Use a guide to implement your security, like the OWASP Developer’s Guide • Use unit test cases focused on security • Present security training to developers • Perform penetration testing and code reviews
  • 19. OWASP Top 10 2010 Testing, testing, testing…
  • 20. 2011 CWE/SANS Top 25 And more testing…
  • 21. So what do they do? • Protect you from common mistakes • Avoid you from getting hacked by automated tools/scanners and script kiddies By the way, if you work with AppSec and you never heard of these two docs…
  • 22. You need to find another job!
  • 23. How to apply them? Many FREE resources! Not just OWASP stuff…
  • 24. Code reviews Ok, now what?! OWASP Code Review Guide • Code review takes a deeper look into your app • Things that automated scanners won’t find • You’ll see the common mistakes devs make
  • 25. SDL We fixed the problems. How to stop them? • Implement a SDL process • Train your developers about app security • They don’t need to be experts, at least know how it works and how to protect their apps
  • 26. Free Docs Yay! More free stuff… • OWASP ASVS – verify your security • OWASP OpenSAMM – create a security program • OWASP Developer’s Guide – tips to devs
  • 27. Not yet… It’s not that simple… • If we have all that, why aren’t our apps secure? • Why even the big companies don’t follow the basic rules? Hello Linkedin!
  • 28. Security Myths We know, we know… • Security costs money. Yeah, but so does development, support, operations, etc. • Security costs money. But it will save you a lot more! Why most companies still don’t see the value of security until they get hacked?
  • 29. If it compiles, ship it! Like Dinis Cruz said at AppSec Latam 2011: Unless you’ve been hacked before… If it compiles, Ship it! That’s the motto in most dev companies
  • 30. ISLC The real picture (Developer’s view) • They don’t like the security teams • They already work on a tight schedule • Security will increase their programming time
  • 31. The ideal world How it should be… • Dev and infosec should work together • Security practices and implementations should be included in the schedule time • It will increase the apps protection and decrease the amount of bugs and work
  • 32. Conclusions In a nutshell… • Security is not a plugin, it’s a process. • Test everything, every time they change. • Allocate time for security testing within your project • Never assume security controls are effective
  • 33. OWASP Floripa Day Conferences 15 e 16 de Setembro https://www.owasp.org/index.php/OWASP_Floripa_Day_2012
  • 34. AppSec Brazil 2012 Conferences OWASP AppSec Brazil 2012 In November in João Pessoa!
  • 36. References Wagner Elias. “Testar não é suficiente, tem que fazer direito!”. YSTS 2012 Dinis Cruz. “Making Security Invisible by Becoming the Developer's Best Friends”. OWASP AppSec Latam 2011 Building Secure Web Applications Infographic - http://www.veracode.com/blog/2012/06/building-secure- web-applications-infographic/ OWASP - www.owasp.org