
Security Culture from Concept to Maintenance: Secure Software Development Life Cycle

Introduction to Secure Software Development Life Cycle (SDLC) and common attacks

HELPING YOU SECURE YOUR INFORMATION ASSETS
Security Culture from Concept to Maintenance: Secure Software Development Life Cycle
Dilum Bandara, PhD
Consultant, TechCERT
Senior Lecturer, University of Moratuwa
SDLC
Copyright © TechCERT 2016 2
Reality
• High-level security requirements
  • Password policy, HTTPS
• Secure design is almost non-existent
• Implementation
  • Password policy, HTTPS, etc.
  • Based on code found on Stack Overflow
• Limited developer-level testing
  • Focus on bugs, not flaws
  • Rarely test interfaces, or on the actual server/environment
• No concern for security during evolution
Result
• 75% of vulnerabilities are application related – Gartner
• Web is the #1 target
• 95% of web applications have some sort of vulnerability – Imperva
• 99% of mobile apps have some sort of vulnerability – IViZ
• 82% fail initial PCI-DSS assessment – Computerworld
• Only 11% are able to maintain compliance across assessments – Computerworld
• Time gap between identification of a vulnerability and an attack is decreasing
• Zero-day attacks are increasing
Web Application Security Vulnerabilities
Source: HP Security Research Cyber Risk Report 2015
Nexus - Final Day 12th February 2024.pptx
 
Introduction to the telecom tower industry
Introduction to the telecom tower industryIntroduction to the telecom tower industry
Introduction to the telecom tower industry
 
PM24_Oral_Presentation_Template_Guidelines.pptx
PM24_Oral_Presentation_Template_Guidelines.pptxPM24_Oral_Presentation_Template_Guidelines.pptx
PM24_Oral_Presentation_Template_Guidelines.pptx
 
chap. 3. lipid deterioration oil and fat processign
chap. 3. lipid deterioration oil and fat processignchap. 3. lipid deterioration oil and fat processign
chap. 3. lipid deterioration oil and fat processign
 
ExtraordinAIre Monthly Newsletter Jan 2024
ExtraordinAIre Monthly Newsletter Jan 2024ExtraordinAIre Monthly Newsletter Jan 2024
ExtraordinAIre Monthly Newsletter Jan 2024
 
Forged Fitting Socket Welding Standard- ASME-B16.11-2001.pdf
Forged Fitting Socket Welding Standard- ASME-B16.11-2001.pdfForged Fitting Socket Welding Standard- ASME-B16.11-2001.pdf
Forged Fitting Socket Welding Standard- ASME-B16.11-2001.pdf
 
【文凭定制】坎特伯雷大学毕业证学历认证
【文凭定制】坎特伯雷大学毕业证学历认证【文凭定制】坎特伯雷大学毕业证学历认证
【文凭定制】坎特伯雷大学毕业证学历认证
 
Metrology Measurements and All units PPT
Metrology Measurements and  All units PPTMetrology Measurements and  All units PPT
Metrology Measurements and All units PPT
 

Security Culture from Concept to Maintenance: Secure Software Development Life Cycle

  • 1. HELPING YOU SECURE YOUR INFORMATION ASSETS Security Culture from Concept to Maintenance: Secure Software Development Life Cycle Dilum Bandara, PhD Consultant, TechCERT Senior Lecturer, University of Moratuwa
  • 8. Solutions
    • Secure Software Development Life Cycle (SDLC)
    • SDL – Secure Development Lifecycle
    • Organizations with a secure SDLC experience an 80% decrease in critical vulnerabilities – Gartner
    • A 50% reduction in vulnerabilities could reduce configuration management & incident response costs by 75% each – Gartner
    Copyright © TechCERT 2016
  • 9. Secure SDLC
  • 10. Benefits
    • Minimize costs due to security-related issues
    • Avoid reputation damage
    • Decrease the number of security issues
    • Minimize future security issues
    • Improve security expertise/practices of the development team
    • Reduce 3rd-party testing/validation costs
  • 11. Challenges
    • Team pushback
      • Not in their blood
    • Security ownership
      • “You develop, we test”
    • “Security is Special” problem
    • Official/actual adoption dilemma
    • Measurement & justification of benefits
    • Disruption due to Big-Bang adoption
  • 12. Ways to Build a Security Culture
    • You must invest in a security culture
    • Make sure it sustains through:
      • Understanding that security belongs to everyone
      • Awareness & beyond
      • Adopting a Secure Development Lifecycle (SDL)
      • Rewarding & recognizing people who do the right thing for security
      • Building a security community
      • Making security fun & engaging
  • 13. Secure SDLC
  • 14. Security Development Lifecycle (SDL)
    • Introduced by Microsoft
    • A software development process
    • Helps developers build more secure software & address security compliance requirements
    • Reduces development cost
    Source: www.microsoft.com/en-us/sdl/
  • 15. SDL Steps
  • 16. SDL – Training
    • Core Security Training
      • Educate designers & developers on the fundamentals of building better software
      • Secure design
      • Threat modeling
      • Secure coding
      • Security testing
      • Privacy
      • Best practices
  • 17. SDL – Requirements
    • Establish Security & Privacy Requirements
      • Define security & privacy requirements up front
      • Makes it easier to identify key milestones & deliverables
      • Minimizes disruptions to plans & schedules
    • Create Quality Gates/Bug Bars
      • Define minimum acceptable levels of security & privacy
      • Helps the team understand the risks associated with security issues, and identify & fix security bugs
      • Apply the standards throughout the entire project
  • 18. SDL – Requirements (Cont.)
    • Perform Security & Privacy Risk Assessments
      • Examine the design based on costs & regulatory requirements
      • The team can identify which portions of the project require threat modeling & security design review
      • Determine the privacy impact rating of the product
  • 19. SDL – Design
    • Establish Design Requirements
      • Consider security & privacy concerns
      • Minimizes the risk of schedule disruptions & reduces cost
    • Attack Surface Analysis/Reduction
      • Reduce potential weak spots or vulnerabilities
      • Requires thorough analysis of the overall attack surface
      • Restrict access to system services
      • Apply the principle of least privilege
      • Employ layered defenses
  • 20. SDL – Design (Cont.)
    • Use Threat Modeling
      • Apply a structured approach to threat scenarios
      • Identifies vulnerabilities, risks & mitigations more effectively and at lower cost than finding them in testing or production
    Source: https://technet.microsoft.com/en-us/security/dn140238.aspx
  • 21. Threat Modeling
    Source: https://www.owasp.org/index.php/Application_Threat_Modeling
  • 22. SDL – Implementation
    • Use Approved Tools
      • Identify a list of approved tools & associated security checks
      • Compiler/linker options and warnings
      • Automate & enforce security practices easily at low cost
      • Use the latest tool versions
    • Deprecate Unsafe Functions
      • Analyze all functions & APIs and ban those that are unsafe
      • Replace them with safer alternatives
    • Perform Static Analysis
      • Analyze source code prior to compilation
      • Security code review
      • Ensure secure coding policies are being followed
  • 23. SDL – Verification
    • Perform Dynamic Analysis
      • Run-time verification
      • Use tools that monitor application behavior for memory corruption, user privilege issues, etc.
    • Fuzz Testing
      • Deliberately feed malformed or random data to the application to try to break it
    • Attack Surface Review
      • Review the attack surface
      • Can identify any design or implementation changes
      • Review changes against the threat models
  • 24. SDL – Release
    • Create an Incident Response Plan
      • Helps address new threats that can emerge over time
      • Identify security emergency contacts
      • Establish security servicing plans for code inherited from 3rd parties
    • Conduct Final Security Review
      • Review all security activities
      • Review against threat models, tool outputs, & performance against quality gates & bug bars
    • Certify Release & Archive
      • Certify the software
      • Archive all pertinent data/code
  • 25. SDL – Response
    • Execute Incident Response Plan
      • Helps protect customers from software security or privacy vulnerabilities
      • Practice, practice, practice
  • 26. Proactive vs. Reactive SDLC
    • Proactive approach (secure SDLC):
      • Security requirements / risk and threat analysis
      • Coding guidelines / code reviews / static analysis
      • Security testing / dynamic analysis
    • Reactive approach:
      • Vulnerability scanning / WAF
    Source: Tjylen Veselyj, SoftServe
  • 27. Training for All Steps
    • Ensure best practices are integral to the development program & applied over the lifecycle of the application
    • Requirements: Security Requirements, Compliance Analysis, Governance Definition
    • Design: Risk Assessment, Secure Architecture
    • Implementation: Code Reviews, Code Analysis
    • Verification: Security Testing, Risk Assessment Review, Penetration Testing
    • Release: Security Review, Incident Response Plan
    • Response: Incident Forensics, Security Monitoring
    • Across all steps: Security Awareness Trainings
    Source: Tjylen Veselyj, SoftServe
  • 28. Remember – It’s a Cycle
    Source: www.juniper.net/us/en/security/sdl/
  • 29. (figure)
    Source: Tjylen Veselyj, SoftServe
  • 30. Agile Development
    • Security practices align more naturally with waterfall-like processes
    • Can be used in Agile methods with proper care
    Source: www.screenmedia.co.uk/blog/2014/08/what-is-agile-development-a-brief-introduction/
  • 31. In the Long Run…
    • An organization’s behavior changes slowly over time
    • Changes must be iterative while working toward long-term goals
    • No single recipe works for all organizations
    • Adopt a Maturity Model
      • Must provide enough detail for non-security people
      • Must be simple, well-defined, & measurable
  • 32. OpenSAMM – Software Assurance Maturity Model
    • Open framework to help organizations formulate & implement a strategy for software security
    • Tailored to the specific risks facing the organization
    • Helps to
      • Evaluate an organization’s existing software security practices
      • Build a balanced software security program in well-defined iterations
      • Demonstrate concrete improvements to a security assurance program
      • Define & measure security-related activities within an organization
  • 33. OpenSAMM
    Source: www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model
  • 34. Where to Begin
  • 35. Secure Development
    • Start with known/common vulnerabilities
    Source: www.securityninja.co.uk/secure-development/the-principles-place/
  • 36. Top Vulnerabilities
    Source: https://geekflare.com/online-scan-website-security-vulnerabilities/
  • 37. OWASP Top 10
    Source: http://dunnesec.com
  • 38. A1: Injection
    • SQL Injection
    • OS Command Injection
  • 39. SQL Injection – Solution
    Source: www.owasp.org
  • 40. Injection – Solutions
    • Validate input against an allow-list of what the field may legitimately contain
    • Use prepared (parameterized) queries, so input is bound as data and can never change the intent of the statement
    • CAPTCHA for open forms (only slows automated abuse; it is not an injection defense)
    • Resources
      • SQL Injection
        • http://www.w3schools.com/sql/sql_injection.asp
      • OS Command Injection
        • https://www.owasp.org/index.php/Command_Injection
      • SQL Injection Prevention Cheat Sheet
        • https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
      • Query Parameterization Cheat Sheet
        • https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet
      • TSQL
        • http://www.codeproject.com/Tips/586207/How-to-prevent-SQL-Injection-in-Stored-Procedures
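Added example (not from the slides): the two injection classes on the slide side by side with their fixes. A string-concatenated login query is bypassed by a tautology in the password field and by a `--` comment in the name field (editor's note 4), while the prepared statement binds the same input as plain data. The OS command half uses `echo` in place of `ping` so it runs offline; the table, user names and passwords are constructed for the example.

```python
import sqlite3
import subprocess


def make_db():
    """Constructed in-memory sample table (not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, name, password):
    """Query built by string concatenation: whatever the user types becomes SQL."""
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, password):
    """Prepared (parameterized) query: the values travel separately from the
    statement text, so quotes and comment markers in the input stay data."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def ping_vulnerable(host):
    """OS command injection: the argument is pasted into a shell command line.
    `echo` stands in for ping so the example runs offline."""
    result = subprocess.run("echo " + host, shell=True,
                            capture_output=True, text=True)
    return result.stdout.splitlines()


def ping_safe(host):
    """No shell: the argument vector goes straight to the program, so shell
    metacharacters such as ';' are just characters inside one argument."""
    result = subprocess.run(["echo", host], capture_output=True, text=True)
    return result.stdout.splitlines()


if __name__ == "__main__":
    db = make_db()
    # Tautology in the password field: (name = 'alice' AND password = '') OR '1'='1'
    print(login_vulnerable(db, "alice", "' OR '1'='1"))   # ['alice', 'bob']
    # Comment marker in the name field cuts the password check off entirely
    print(login_vulnerable(db, "alice'--", "anything"))  # ['alice']
    print(login_safe(db, "alice", "' OR '1'='1"))        # []
    print(ping_vulnerable("x; echo INJECTED"))           # ['x', 'INJECTED']
    print(ping_safe("x; echo INJECTED"))                 # ['x; echo INJECTED']
```

Validation still matters (a host name should match a host-name pattern before it reaches either function), but the structural fix is the one that holds even when validation is wrong: bind data as data and never hand user input to a shell.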
  • 41. A2: Broken Authentication & Session Management
    • http://example.com/sale/saleitems/jsessionid=2P0OC2JSNDLPSKHCJUN2JV/?item=laptop
    • Suppose the user e-mails this link to a friend
      • The link carries the session ID, so the friend lands in the user's authenticated session
      • That session may expose credit card numbers & other personal data
  • 42. Broken Authentication & Session Management – Solutions
    • Store the session ID in a cookie (HttpOnly, Secure) so it travels in HTTP headers rather than in a URL that can be shared, logged or leaked through Referer
    • Resources
      • Example
        • http://www.tutorialspoint.com/security_testing/testing_broken_authentication.htm
      • Session Management Cheat Sheet
        • https://www.owasp.org/index.php/Session_Management_Cheat_Sheet
      • Authentication Cheat Sheet
        • https://www.owasp.org/index.php/Authentication_Cheat_Sheet
      • Forgot Password Cheat Sheet
        • https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet
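Added example (not from the slides): the cookie-based session handling the solution slide calls for. It generates session IDs from the OS CSPRNG, builds the Set-Cookie value with the HttpOnly/Secure/SameSite attributes, detects a session ID travelling in a URL like the one on the previous slide, and rotates the ID on login so a fixated pre-login ID becomes worthless. The cookie name and the in-memory store are assumptions made for the example.

```python
import secrets
from urllib.parse import parse_qs, urlsplit

SESSION_COOKIE = "SESSIONID"   # assumed cookie name


def new_session_id():
    """256 bits from the OS CSPRNG; never derived from time, user name or a counter."""
    return secrets.token_urlsafe(32)


def session_cookie_header(session_id, max_age=1800):
    """Value for a Set-Cookie response header.
    HttpOnly: not readable by script (limits theft through XSS)
    Secure:   only sent over HTTPS
    SameSite=Lax: not attached to most cross-site requests
    Max-Age:  idle timeout enforced by the browser as well as the server"""
    return (f"{SESSION_COOKIE}={session_id}; Path=/; Max-Age={max_age}; "
            "HttpOnly; Secure; SameSite=Lax")


def url_carries_session(url):
    """True when a session identifier travels in the URL (path segment or query),
    where it leaks through shared links, Referer headers, proxy logs and history."""
    parts = urlsplit(url)
    if "jsessionid=" in parts.path.lower():
        return True
    names = {"jsessionid", "sessionid", "phpsessid", "sid"}
    return any(k.lower() in names for k in parse_qs(parts.query))


class SessionStore:
    """Minimal server-side store keyed by the opaque ID; all state stays on the server."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = new_session_id()
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, old_sid, user):
        """Rotate the ID at authentication: a pre-login ID an attacker planted or
        observed (session fixation) stops working the moment the victim logs in."""
        self._sessions.pop(old_sid, None)
        new_sid = new_session_id()
        self._sessions[new_sid] = {"user": user}
        return new_sid

    def user_for(self, sid):
        session = self._sessions.get(sid)
        return session["user"] if session else None

    def logout(self, sid):
        """Invalidate on the server; expiring the cookie alone leaves the ID usable."""
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()
    authed = store.login(anon, "alice")
    print(session_cookie_header(authed))
    print(url_carries_session(
        "http://example.com/sale/saleitems/jsessionid=2P0OC2JSNDLPSKHCJUN2JV/?item=laptop"))
```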
  • 43. A3: Cross-Site Scripting (XSS)
    Source: http://www.acunetix.com/blog/articles/blind-xss/
  • 44. XSS Example
    Source: Amit Klein, Sanctum Security Group
  • 45. XSS Solutions
    • Validate input, and encode output for the context it is inserted into (HTML body, attribute, JavaScript, URL); filtering tags on input alone is bypassable
    • CAPTCHA for open forms
    • Resources
      • Cross-site Scripting (XSS)
        • https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
      • Cross Site Scripting Explained
        • https://crypto.stanford.edu/cs155/papers/CSS.pdf
      • PHP 5 Form Validation
        • http://www.w3schools.com/php/php_form_validation.asp
      • XSS (Cross Site Scripting) Prevention Cheat Sheet
        • https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
      • DOM based XSS Prevention Cheat Sheet
        • https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
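Added example (not from the slides): why "filter out everything" fails and what contextual output encoding looks like. A blocklist filter that strips `<script>` is defeated by an `<img onerror>` payload and by a nested tag that reassembles after one pass; HTML-entity encoding renders the same payloads inert in body and attribute context, and a JavaScript string context needs additional escaping of `<`, `>` and `&` beyond JSON encoding. Only the standard library is used; the rendering functions and payloads are constructed for the example.

```python
import html
import json
import re


def filter_naive(text):
    """Blocklist 'filter everything' approach: strips <script> tags only."""
    return re.sub(r"(?i)</?script[^>]*>", "", text)


def render_comment_naive(comment):
    """Reflects the filtered input into the HTML body unchanged otherwise."""
    return "<p>" + filter_naive(comment) + "</p>"


def render_comment_encoded(comment):
    """HTML body context: encode & < > " ' so the browser shows them as text."""
    return "<p>" + html.escape(comment, quote=True) + "</p>"


def render_attribute_encoded(value):
    """Attribute context: always quote the attribute AND encode quotes, otherwise
    a value containing a quote closes the attribute and adds an event handler."""
    return '<input type="text" value="' + html.escape(value, quote=True) + '">'


def js_string_literal(value):
    """JavaScript context inside a <script> block: JSON-encode, then also escape
    < > & so the value can never contain a literal '</script>' that ends the
    block early. json.dumps alone leaves '</script>' intact."""
    literal = json.dumps(value)
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def inline_script(var_name, value):
    return f"<script>var {var_name} = {js_string_literal(value)};</script>"


if __name__ == "__main__":
    payload = '<img src=x onerror=alert(1)>'
    print(render_comment_naive(payload))      # executes in a browser
    print(render_comment_encoded(payload))    # shown as text
    print(filter_naive("<scr<script>ipt>alert(1)</script>"))  # <script>alert(1)
    print(inline_script("name", "</script><script>alert(1)</script>"))
```

The general rule the block illustrates: decide where the data lands (HTML text, attribute value, script literal, URL part) and apply that context's encoder at output time; a templating engine with auto-escaping does the body and attribute cases for you, the script case usually still has to be handled explicitly.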
  • 46. A4: Insecure Direct Object References
    • Occurs when a developer exposes a reference to an internal implementation object (file, account number, directory, database key) without an authorization check
    • http://webapp.com/app/accountInfo?acct=admin
        String sqlquery = "SELECT * FROM useraccounts WHERE account = ?";
        PreparedStatement st = connection.prepareStatement(sqlquery, …);
        st.setString(1, request.getParameter("acct"));
        ResultSet results = st.executeQuery();
    • The query is parameterized, so it is safe from SQL injection, but nothing checks that the caller may see the requested account: changing acct to admin returns the admin's record
  • 47. Insecure Direct Object References – Example
    Source: http://lazarusalliance.com/test-your-owasp-knowledge/
  • 48. Insecure Direct Object References – Solution
    • Check access control on every object reference: is this user allowed to read or modify this particular object?
    • Use per-user or per-session indirect object references (a map from a random or sequential index to the real key), so real identifiers are never exposed to the client
    • Resources
      • Example
        • http://www.tutorialspoint.com/security_testing/insecure_direct_object_reference.htm
      • Top 10 2007-Insecure Direct Object Reference
        • https://www.owasp.org/index.php/Top_10_2007-Insecure_Direct_Object_Reference
      • Testing for Insecure Direct Object References
        • https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_%28OTG-AUTHZ-004%29
  • 49. A5: Security Misconfiguration
    • Security settings left at, or drifting back to, insecure defaults
      • Directory listing not disabled
      • Debug information shown to users
      • Default settings and default accounts
      • Sample apps shipped with the platform left installed
    • Solution
      • Address the above issues; harden every environment the same way and re-check after each deployment
    • Resources
      • Example
        • http://www.tutorialspoint.com/security_testing/testing_security_misconfiguration.htm
  • 50. A6: Sensitive Data Exposure
    • Not using TLS
    • Storing account & credit card numbers in the clear
    • Unencrypted passwords & credit card numbers
    Source: www.htbridge.com/vulnerability/common-web-weaknesses/
  • 51. Sensitive Data Exposure – Solutions
    • Solutions
      • Proper use of TLS (1.2 or later) for data in transit; SSL 2.0 and 3.0 are broken and must stay disabled
      • Salted, slow hashing (scrypt, bcrypt, PBKDF2) for passwords; encryption with managed keys for data that must be read back, such as card numbers (an unkeyed hash of a card number is brute-forceable because the PAN space is small)
      • PCI DSS & PA-DSS
    • Resources
      • Example
        • http://www.tutorialspoint.com/security_testing/testing_sensitive_data_exposure.htm
      • Cryptographic Storage Cheat Sheet
        • https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet
      • Password Storage Cheat Sheet
        • https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
      • Transport Layer Protection Cheat Sheet
        • https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
  • 52. A7: Missing Function Level Access Control
    • Due to improper authorization: the UI hides a privileged function, but the server never checks who is calling it
    Source: www.slideshare.net/appsec/19-owasp-top-10-a7missing-function-level-access-control
  • 53. Missing Function Level Access Control – Solutions
    • Authenticate & authorize every form/request on the server, not only in the UI
    • Deny everything else by default
    • Resources
      • Example
        • http://www.tutorialspoint.com/security_testing/missing_function_level_access_control.htm
      • Failure to Restrict URL Access
        • https://www.owasp.org/index.php/Top_10_2007-Failure_to_Restrict_URL_Access
      • Guide to Authorization
        • https://www.owasp.org/index.php/Guide_to_Authorization
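Added example (not from the slides) covering both A4 (slides 46–48) and A7 (slides 52–53), since they are the object-level and function-level halves of the same authorization check. `account_info_idor` reproduces the slide's pattern: parameterized, so immune to SQL injection, yet it hands back whatever account the request names. `account_info_checked` scopes the lookup to the authenticated owner, and `handle` shows the order a request should pass through: authenticated, then allowed to call this function (deny by default for any path not in the table), then allowed to see this object. The table contents, the `/app/admin/users` path and the session shape are assumptions for the example; `/app/accountInfo` is the path from slide 46.

```python
import sqlite3


def make_db():
    """Constructed sample accounts table (names assumed, not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE useraccounts "
                 "(account TEXT PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO useraccounts VALUES (?, ?, ?)",
                     [("1001", "alice", 500), ("1002", "bob", 9000),
                      ("admin", "root", 0)])
    return conn


# Function-level control: which roles may call which path. Paths are assumed
# names; anything missing from this table is denied.
ROUTE_ROLES = {
    "/app/accountInfo": {"user", "admin"},
    "/app/admin/users": {"admin"},
}


def authorize_route(path, role):
    """Deny by default: an unknown path or an unlisted role is rejected before
    any handler runs, whether or not the UI ever showed a link to it."""
    return role in ROUTE_ROLES.get(path, set())


def account_info_idor(conn, acct):
    """The slide's pattern: parameterized, so no SQL injection, but the key comes
    straight from the request, so acct=admin returns the admin account to anyone."""
    sql = "SELECT account, owner, balance FROM useraccounts WHERE account = ?"
    return conn.execute(sql, (acct,)).fetchone()


def account_info_checked(conn, user, acct):
    """Object-level control: scope the lookup to the authenticated user, so a
    guessed or enumerated key that belongs to someone else returns nothing."""
    sql = ("SELECT account, owner, balance FROM useraccounts "
           "WHERE account = ? AND owner = ?")
    return conn.execute(sql, (acct, user)).fetchone()


def handle(conn, session, path, params):
    """Dispatcher order: authenticated? allowed to call this function? allowed
    to see this object? Returns (status, body)."""
    if session is None:
        return 401, None
    if not authorize_route(path, session["role"]):
        return 403, None
    if path == "/app/accountInfo":
        row = account_info_checked(conn, session["user"], params.get("acct", ""))
        # 404 rather than 403, so the response does not confirm the account exists
        return (200, row) if row else (404, None)
    if path == "/app/admin/users":
        rows = conn.execute("SELECT owner FROM useraccounts ORDER BY account")
        return 200, [r[0] for r in rows]
    return 404, None


if __name__ == "__main__":
    db = make_db()
    bob = {"user": "bob", "role": "user"}
    print(account_info_idor(db, "admin"))                       # leaks admin row
    print(handle(db, bob, "/app/accountInfo", {"acct": "1001"}))  # (404, None)
    print(handle(db, bob, "/app/accountInfo", {"acct": "1002"}))  # bob's own row
    print(handle(db, bob, "/app/admin/users", {}))               # (403, None)
```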
  • 54. A8: Cross Site Request Forgery (CSRF)
    • Legitimate request:
        http://bankx.com/app?action=transferFunds&amount=3500&destinationAccount=4673243243
    • Forged request planted on an attacker's page; the victim's browser sends it with the victim's session cookie attached:
        <img src="http://bankx.com/app?action=transferFunds&amount=14000&destinationAccount=attackersAcct#" width="0" height="0" />
    Source: http://www.redteamsecure.com/labs/post/66/Demystifying-Cross-Site-Request-Forgery
  • 55. Cross Site Request Forgery – Solutions
    • Unpredictable per-session token in a hidden form field, sent in the body of a POST rather than in a URL, and verified on the server
    • State-changing actions only via POST, never via GET
    • Re-authentication before a sensitive transaction
    • CAPTCHA
    • Resources
      • Example
        • http://www.tutorialspoint.com/security_testing/cross_site_request_forgery.htm
      • Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
        • https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet
      • OWASP CSRFGuard Project
        • https://www.owasp.org/index.php/CSRFGuard
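Added example (not from the slides): the hidden-token defense applied to the transfer endpoint from slide 54. The token is an HMAC of the session ID under a server secret, so it is bound to one session and cannot be computed by an attacker who does not hold the secret; the handler rejects the slide's `<img>` request first because it is a GET, and rejects a cross-site POST because the attacker's page cannot read the victim's form to learn the token. The session IDs, the secret and the handler shape are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Server-side secret, generated once per deployment (constructed here at import).
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token(session_id):
    """HMAC of the session ID under the server secret: unguessable without the
    secret and bound to one victim's session, so a token issued to the attacker's
    own session is useless against anyone else."""
    return hmac.new(SERVER_SECRET, b"csrf:" + session_id.encode("utf-8"),
                    hashlib.sha256).hexdigest()


def transfer_form(session_id):
    """The form the real page serves: POST, with the token in a hidden field in
    the request body, so it never appears in a URL or a Referer header."""
    return (
        '<form method="POST" action="/app">\n'
        '  <input type="hidden" name="action" value="transferFunds">\n'
        f'  <input type="hidden" name="csrf_token" value="{csrf_token(session_id)}">\n'
        '  <input name="amount"> <input name="destinationAccount">\n'
        '  <button>Transfer</button>\n'
        '</form>'
    )


def handle_transfer(session_id, method, params):
    """Server side. session_id comes from the cookie, which the browser attaches
    to the attacker's <img> request as well; params from the query string or
    body. Returns (status, message)."""
    if method != "POST":
        # The slide's <img src="...?action=transferFunds..."> is a GET; a state
        # change reachable by GET is forged with nothing more than a link.
        return 405, "transfers must be POSTed"
    presented = params.get("csrf_token", "").encode("utf-8")
    expected = csrf_token(session_id).encode("utf-8")
    if not hmac.compare_digest(presented, expected):
        # A cross-site form can POST to /app, but the same-origin policy keeps
        # it from reading the victim's page, so it cannot include the token.
        return 403, "missing or invalid CSRF token"
    return 200, f"transferred {params['amount']} to {params['destinationAccount']}"


if __name__ == "__main__":
    victim = "2P0OC2JSNDLPSKHCJUN2JV"
    forged = {"action": "transferFunds", "amount": "14000",
              "destinationAccount": "attackersAcct"}
    print(handle_transfer(victim, "GET", forged))    # (405, ...)
    print(handle_transfer(victim, "POST", forged))   # (403, ...)
    legit = dict(forged, amount="3500", destinationAccount="4673243243",
                 csrf_token=csrf_token(victim))
    print(handle_transfer(victim, "POST", legit))    # (200, ...)
```

The token check only holds if the session cookie itself cannot be set by the attacker and the page is free of XSS (a script running in the victim's origin can read the form); SameSite=Lax cookies add a second, independent layer for the same attack.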
  • 56. A9: Using Known Vulnerable Components
    • 3rd-party libraries, frameworks, etc.
    • Solutions
      • Identify all components & versions used, including transitive dependencies
      • Monitor public vulnerability databases & project mailing lists, and keep components up to date
      • Add security wrappers around components to disable unused or unsafe functionality
    • Resources
      • Example
        • http://www.tutorialspoint.com/security_testing/components_with_vulnerabilities.htm
      • OWASP Dependency Check
        • https://www.owasp.org/index.php/OWASP_Dependency_Check
  • 57. A10: Unvalidated Redirects & Forwards
    • Unvalidated forwarding & redirection
        http://www.mywebapp.com/redirect.jsp?redirectrul=hacker.com
        http://www.mywebapp.com/checkstatus.jsp?fwd=appadmin.jsp
    • Solutions
      • Avoid redirects & forwards where possible
      • Do not let user parameters choose the destination; if a parameter is unavoidable, validate it against an allow-list of targets and map it to the real page server-side
    • Resources
      • Example
        • http://www.tutorialspoint.com/security_testing/unvalidated_redirects_and_forwards.htm
      • Unvalidated Redirects and Forwards Cheat Sheet
        • https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
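Added example (not from the slides): a redirect validator for the `redirect.jsp` case and an allow-list forward map for the `checkstatus.jsp` case. It goes beyond the two URLs on the slide to the inputs that defeat a naive "starts with /" check: protocol-relative `//host`, a backslash that browsers normalise to a slash, `user@host` prefixes that fool substring matching, `javascript:` schemes and CR/LF that would split the Location header. The allowed host and the forward page names are assumptions for the example.

```python
from urllib.parse import urlsplit

# Hosts this application may redirect to (assumed for the example).
ALLOWED_HOSTS = {"www.mywebapp.com"}

# Forward targets exposed to users, keyed by a short name, so a request never
# names an internal page directly (page names assumed).
FORWARD_PAGES = {
    "status": "checkstatus.jsp",
    "orders": "orders.jsp",
}


def safe_redirect_target(requested, default="/"):
    """Return `requested` only if it stays on this site, otherwise `default`."""
    if not requested:
        return default
    # CR/LF would split the Location header; browsers turn backslashes into
    # slashes, so '/\\evil.com' would become '//evil.com' after we accepted it.
    if any(ord(c) < 0x20 for c in requested) or "\\" in requested:
        return default
    parts = urlsplit(requested)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative ('//host') URL: require https and an
        # allow-listed host. .hostname lower-cases and strips port and the
        # 'user@' part, so https://www.mywebapp.com@evil.com/ yields evil.com.
        if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
            return default
        return requested
    # Relative path: exactly one leading slash.
    if not requested.startswith("/") or requested.startswith("//"):
        return default
    return requested


def safe_forward(name):
    """Server-side forward chosen by key, never by a page name from the request."""
    return FORWARD_PAGES.get(name)


if __name__ == "__main__":
    for target in ["/account/summary", "hacker.com", "//hacker.com/",
                   "https://www.mywebapp.com@hacker.com/", "javascript:alert(1)"]:
        print(repr(target), "->", safe_redirect_target(target))
    print(safe_forward("status"), safe_forward("appadmin.jsp"))
```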
  • 58. More
    • .NET Security Cheat Sheet
      • https://www.owasp.org/index.php/.NET_Security_Cheat_Sheet
    • PHP Security Cheat Sheet
      • https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet
    • PHP Top 5
      • https://www.owasp.org/index.php/PHP_Top_5
    • Design Guidelines for Secure Web Applications
      • https://msdn.microsoft.com/en-us/library/ff648647.aspx
    • Common Security Mistakes in Web Applications
      • http://www.smashingmagazine.com/2010/10/common-security-mistakes-in-web-applications/
  • 59. Tools
    • Static Application Security Testing
      • HP Fortify
      • Veracode
      • SonarQube
    • Dynamic analysis
      • Acunetix
      • Burp Suite
      • w3af
  • 60. How TechCERT Can Support
    • Application Functionality Assessment & Certification
    • Mobile App Assessment
      • Secure communication
      • Secure storage & memory
      • OWASP Top 10
    • Secure Code Review
      • Tool-based & manual
      • OWASP Top 10
      • Backdoors, login issues, cryptography implementation
      • Best practices
    • Tool-Based Vulnerability Assessment
    • Penetration Testing
    • Consulting on Secure SDLC Initiatives
  • 61. Q & A
    dilumb@techcert.lk

Editor's Notes

  1. Time gap between a vulnerability & attack decreasing. Zero day attacks are increasing
  2. Web application security vulnerabilities increasing Rankings of web app vulnerabilities by type, 2013 vs 2014 (% of occurrence in apps)
  3. Like Capability Maturity Model (CMM)
  4. SQL comment markers: /* … */ and --
  5. Prepared statements ensure that an attacker is not able to change the intent of a query,