Unveiling secure software development (Desvendando o desenvolvimento seguro de software)

Today's world is going through a revolution in applications, with mobility, big data and consumerization becoming ever more central; in this context information security plays a fundamental role in mitigating the risk of information exposure. Corporate and political espionage is currently in vogue because of the NSA case, so we are living in a period in which security is of vital importance to corporations. With a rising demand for new applications, development teams are forced to deliver in ever shorter time; to make the effort in the development cycle count, it is therefore necessary to adopt solutions that mitigate information-security risk while the software is still being developed. The AppScan family addresses this point: besides streamlining the testing process in the information-security discipline, it stays constantly updated with respect to current threats.

    1. IBM Technical Summit 2013. Erik Oliveira, Senior Security Consultant, IBM Security System, erikso@br.ibm.com. © 2013 IBM Corporation
    2. Please note the following: IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion. Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
    3. An interconnected world
       DATA EXPLOSION: the era of "Big Data", the explosion of digital information, has arrived, made easier by the spread of applications accessed from everywhere.
       CONSUMERIZATION OF IT: with the advent of Enterprise 2.0 and social business, the line between personal and professional time, devices and data has disappeared.
       EVERYTHING IS EVERYWHERE: organizations keep moving to new platforms, including cloud computing, virtualization, mobile devices, social business and more.
       ATTACK SOPHISTICATION: the speed and skill of attacks have grown, together with new actors with new motivations, from cybercrime and terrorism to government-sponsored intrusions.
    4. Your device is (the rest of the slide is an image)
    5. Mobile Malware 2013 (chart). Source: Juniper Networks Third Annual Mobile Threats Report, March 2012 through March 2013
    6. Vulnerability distribution by language (chart)
    7. Global context (chart of security breaches from February through August, grouped by attack type; circle size estimates the relative impact of each breach)
       Attack types: SQL injection, URL manipulation, spear phishing, third-party software, DDoS, Secure ID, unknown
       Organizations shown: Bethesda Software, Northrop Grumman, Fox News, X-Factor, Citigroup, Spanish Federal Police, Sony, Lockheed Martin, L3 Communications, Sony BMG Greece, Booz Allen Hamilton, PBS, RSA, HB Gary, Sega, Gmail accounts, Epsilon, the Italian prime minister's site, IMF, Vanguard Defense, SOCA, Malaysian government site, Peruvian police, Nintendo, Brazilian government, Turkish government, Monsanto, SK Communications (Korea), Arizona police, NATO, US Senate
    8. Cost of a breach (chart of relative cost across Development, Test and Production)
       Functional flow: 1x in development, 10x in test
       Security flow: labelled 1,000,000x in production, made up of damage to the company, customer notification, fines, litigation, reputation exposure, brand exposure and the cost of the fix
    9. Detecting SQL injection
       Source: a method returning an unsafe string
           // ...
           String username = request.getParameter("username");
           String password = request.getParameter("password");
           // ...
           String query = "SELECT * from tUsers where " +
               "userid='" + username + "' " +
               "AND password='" + password + "'";   // the user can change the SQL commands that get executed
           // ...
           ResultSet rs = stmt.executeQuery(query);
       Sink: a potentially dangerous method
    10. Detecting SQL injection: the trace. The slide repeats the code from slide 9 and highlights the three statements that connect the source to the sink:
           String username = request.getParameter("username");   // source: untrusted input
           String query = "SELECT …" + username;                  // the tainted string becomes part of the SQL text
           ResultSet rs = stmt.executeQuery(query);               // sink: the tainted SQL is executed
    11. Detecting SQL injection: example values an attacker can supply for username
           String username = request.getParameter("username");
               username = anything' OR 'x'='x
               username = x' AND 1=(SELECT COUNT(*) FROM tabname); --
               username = x' AND userid IS NULL; --
           String query = "SELECT …" + username;
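What the payloads on slide 11 do to the query from slide 9 can be seen by running both the concatenated query and its parameterised fix against a throwaway database. This is an added example, not code from the presentation or from AppScan; it uses Python's sqlite3 module with a constructed tUsers table (the userids and passwords are invented), and `tabname` is kept exactly as the slide's placeholder so that the database's own error message shows why a probe like that is useful to an attacker. One caveat the slide does not spell out: in the full two-condition query, `anything' OR 'x'='x` only bypasses the check when it lands in the last field (password), because AND binds tighter than OR; in the username field it needs a trailing `--` to comment out the password clause.

```python
import sqlite3

# Constructed sample data; userids and passwords are invented for the demo.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db() -> sqlite3.Connection:
    """In-memory tUsers table with the two columns the slide's query uses."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tUsers (userid TEXT, password TEXT)")
    conn.executemany("INSERT INTO tUsers VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Same construction as the slide's Java: request values pasted into the SQL text.

    A quote character in either value ends the literal and the rest becomes SQL.
    """
    query = ("SELECT * from tUsers where "
             "userid='" + username + "' "
             "AND password='" + password + "'")
    return conn.execute(query).fetchall()


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterised form (the fix): values are bound separately from the SQL
    text, so a quote in username is data, not syntax."""
    query = "SELECT * from tUsers where userid=? AND password=?"
    return conn.execute(query, (username, password)).fetchall()


def run_payload(conn: sqlite3.Connection, username: str, password: str) -> dict:
    """Run one (username, password) pair through both versions.

    Returns the rows each version produced and, for the vulnerable one, the
    database error text if the injected SQL failed; an error that names a
    missing table is itself information for the attacker.
    """
    try:
        vulnerable_rows, error = vulnerable_login(conn, username, password), None
    except sqlite3.Error as exc:
        vulnerable_rows, error = None, str(exc)
    return {
        "vulnerable": vulnerable_rows,
        "safe": safe_login(conn, username, password),
        "error": error,
    }


if __name__ == "__main__":
    db = make_db()
    cases = [
        # Slide payload in the password field:
        #   userid='nobody' AND password='anything' OR 'x'='x'
        # AND binds tighter than OR, so the WHERE is true for every row.
        ("nobody", "anything' OR 'x'='x"),
        # Slide payload in the username field; '; --' comments out the password
        # check. 'tabname' is the slide's placeholder: the error reveals it does not exist.
        ("x' AND 1=(SELECT COUNT(*) FROM tabname); --", "wrong"),
        # Same probe against the real table name: no error, so the table exists.
        ("x' AND 1=(SELECT COUNT(*) FROM tUsers); --", "wrong"),
        ("x' AND userid IS NULL; --", "wrong"),
        ("alice", "s3cret"),
    ]
    for user, pw in cases:
        print(repr(user), repr(pw), run_payload(db, user, pw))
```

The parameterised version returns an empty result for every injected value and never raises, which is the behaviour a fix confirmed by a re-scan should show.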
    12. Data flow (diagram with four numbered steps)
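The source-to-sink trace on slides 10 and 12 is what a static analyser reconstructs from the code. The toy tracker below, an added example that is not AppScan's code or algorithm, shows the mechanics on the slide's own Java: a regular expression marks `request.getParameter` as the source, another marks the JDBC execute methods as sinks, and taint is propagated through straight-line assignments and string concatenation. The rule patterns and the `PARAMETERIZED_JAVA` counterpart are assumptions made for the demo; the vulnerable snippet is the one from slide 9.

```python
import re

# Rule patterns (assumption: a minimal stand-in for the source/sink rules a
# static analyser ships with). A source is where untrusted data enters; a sink
# is a call that must never receive attacker-controlled SQL text.
SOURCE_RE = re.compile(r"\brequest\.getParameter\s*\(")
SINK_RE = re.compile(
    r"\.(executeQuery|executeUpdate|prepareStatement|execute)\s*\(\s*(\w+)\s*\)")
ASSIGN_RE = re.compile(r"^(?:[\w<>\[\]]+\s+)?(\w+)\s*=\s*(.+)$", re.S)
STRING_LITERAL_RE = re.compile(r'"(?:\\.|[^"\\])*"')
IDENT_RE = re.compile(r"\b[A-Za-z_]\w*\b")

# Taken from slides 9-10 (the Java the presentation analyses).
VULNERABLE_JAVA = """
// ...
String username = request.getParameter("username");
String password = request.getParameter("password");
// ...
String query = "SELECT * from tUsers where " +
    "userid='" + username + "' " +
    "AND password='" + password + "'";
// ...
ResultSet rs = stmt.executeQuery(query);
"""

# Constructed counterpart: same source, but the value is bound as a parameter
# and the SQL text is a constant, so no tainted string reaches a sink.
PARAMETERIZED_JAVA = """
String username = request.getParameter("username");
PreparedStatement ps = conn.prepareStatement(
    "SELECT * from tUsers where userid=? AND password=?");
ps.setString(1, username);
ps.setString(2, request.getParameter("password"));
ResultSet rs = ps.executeQuery();
"""


def statements(src: str) -> list:
    """Split Java-like source into ';'-terminated statements, dropping // comments.
    (Toy splitter: it does not understand ';' or '//' inside string literals.)"""
    code = "\n".join(line.split("//", 1)[0] for line in src.splitlines())
    return [s.strip() for s in code.split(";") if s.strip()]


def find_taint_flows(src: str) -> list:
    """Straight-line, intraprocedural taint propagation.

    `tainted` maps a variable to the ordered statements that carried untrusted
    data into it; a sink call on a tainted variable yields one finding whose
    trace is that chain plus the sink statement (the numbered steps of a
    data-flow trace).
    """
    tainted: dict = {}
    findings = []
    for stmt in statements(src):
        sink = SINK_RE.search(stmt)
        if sink:
            method, arg = sink.group(1), sink.group(2)
            if arg in tainted:
                findings.append({"sink": method, "variable": arg,
                                 "trace": tainted[arg] + [stmt]})
            continue  # a sink's result (e.g. the ResultSet) is not tracked further
        assign = ASSIGN_RE.match(stmt)
        if not assign:
            continue
        name, expr = assign.group(1), assign.group(2)
        if SOURCE_RE.search(expr):
            tainted[name] = [stmt]        # step 1: untrusted data enters
            continue
        # Identifiers inside string literals are SQL keywords, not variables.
        code_only = STRING_LITERAL_RE.sub('""', expr)
        deps = [v for v in IDENT_RE.findall(code_only) if v in tainted and v != name]
        if deps:                          # propagation: concatenation, assignment
            trace = [s for v in deps for s in tainted[v]]
            tainted[name] = trace + [stmt]
        else:
            tainted.pop(name, None)       # reassigned from clean data: taint cleared
    return findings


if __name__ == "__main__":
    for flow in find_taint_flows(VULNERABLE_JAVA):
        print(f"tainted '{flow['variable']}' reaches {flow['sink']}():")
        for step, s in enumerate(flow["trace"], 1):
            print(f"  {step}. {' '.join(s.split())}")
    print("parameterised version:", find_taint_flows(PARAMETERIZED_JAVA))
```

On the slide's code the finding has exactly four steps (username source, password source, the concatenation into query, the executeQuery sink), which is the shape of the trace on slide 12; the parameterised rewrite produces no finding because the SQL text handed to the sink is a constant and the tainted value only reaches `setString`, which is not a sink.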
    13. How AppScan works: automated application security testing. Scan the applications → Analysis (identify risks) → Report (detailed and assertive) → Fix
    14. Lifecycle: Coding, Build, QA, Security and Production, with IBM AppScan Enterprise Server as the shared back end
       Coding: AppScan Source users working in Eclipse, Visual Studio or RAD
       Build: AppScan Source for Automation, AppScan Standard (via CLI), build management
       QA: AppScan Enterprise user (scanning agent), AppScan Standard
       Security and Production: AppScan Enterprise user (web client), AppScan Standard (desktop), threat management
    15. AppScan: Security, Enterprise Reporting, AppScan Enterprise Server, IDE Plug-ins, Automation
       Capabilities listed: software configuration, progress tracking, scanning, compare applications, results triage, manage security policies, custom dashboards, risk management, knowledge base, assessment database, custom rules, investigation flow, remediation guidance, automated scans, ANT/Make/Maven, fix confirmation, build integration, data-access APIs
    16. AppScan
       Templates and wizards: import Eclipse workspaces and .NET solutions
       Vulnerability matrix: isolates confirmed vulnerabilities, streamlines issue triage, compensates for missing security expertise
       Powerful filters: easy to use, focus on a small number of priority risks, predefined filters, confirmed vulnerabilities
    17. AppScan
       Fast analysis: memory and cache management, re-scan optimization, 100+ patents
       Data flow / call flow: support for long traces, makes it easier to tell whether code is malicious or not
       Nothing is ignored: what the analysis cannot resolve is not discarded but reported in the "Lost Sinks" report
       String analysis (IBM Research technology): automatically identifies validation routines and checks whether the validation logic is effective
    18. AppScan: languages supported out of the box
       Java, JSP, C, C++, .NET (C#, VB.NET, ASP.NET), Classic ASP (VB6), PHP, Perl, ColdFusion, client-side JavaScript, server-side JavaScript, VBScript, COBOL, PL/SQL, T-SQL, Android and iOS, HTML, SAP ABAP
       Extensible: regular-expression analysis; define custom rules; use the power of regular expressions; associate rules with most languages
    20. Acknowledgements and disclaimers
       Availability: References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. The workshops, sessions and materials have been prepared by IBM or the session speakers and reflect their own views. They are provided for informational purposes only, and are neither intended to, nor shall have the effect of being, legal or other guidance or advice to any participant. While efforts were made to verify the completeness and accuracy of the information contained in this presentation, it is provided AS-IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this presentation or any other materials. Nothing contained in this presentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results. © Copyright IBM Corporation 2013. All rights reserved. – U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
       IBM, the IBM logo, ibm.com, Rational, the Rational logo, Telelogic, the Telelogic logo, Green Hat, the Green Hat logo, and other IBM products and services are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml Other company, product, or service names may be trademarks or service marks of others.
    21. © Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, Rational, the Rational logo, Telelogic, the Telelogic logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
