Software Development in the Age of Breaches

•Download as PPTX, PDF•

0 likes•41 views

98% of the attacks against applications are opportunistic. This means, vast majority of these attacks could be prevented by simply following "Defense Driven Development" methodology. A variant of Test Driven Development, this methodology puts emphasis on early detection, automation, and defensive coding styles. This presentation talks about what it is like to adopt Defense Driven Development.

Software

Opportunistic Indeed !
TalkTalk
150K + PII records compromised
SQL Injection
Ashley Madison
37 MM records compromised
Weak VPN Authentication
HomeDepot
56MM PII records compromised
Weak Access Control
Patreon
2.3MM PII records compromised
Debugger in Prod
000WebHost
13.5MM PII records compromised
Using old PHP version

Test Driven Development
• Bugs increase security risk
• Allows you to release faster
• Fixing issues while in development is cheaper
• Only way to prove that “My code works”

$Take it to the next level select version(); select current_database(); select current_user; select session_user; '));waitfor delay '0:0:3'-- "));waitfor delay '0:0:3'-- benchmark(10000000,MD5(1))# 1 or benchmark(10000000,MD5(1))# " or benchmark(10000000,MD5(1))# ' or benchmark(10000000,MD5(1))# getUserByName(first_name,last_name) { … }$

New Responsibility Model
• At SecureDB, we have no testers. Only
“Buddies”
• “Buddies” are fellow developers that:
– Test your code
– Review your code
– Give you feedback
• Switch “Buddies” every sprint

Where would I even start?
STEP 1: Find a comparable company in your space
STEP 2: COPY IDEAS SHAMELESSLY
Examples:
You’re a social media co that has too many locked accounts.
A: How many login attempts does Twitter Allow?
You’re an e-commerce site worried about fake accounts.
A: How does Amazon do it?
Don’t re-invent the wheel

Two Factor Everything
• Evaluate every service you use for TFA support
- Hosting - Code Repos
- Email - SSH Access
- DNS - File sharing systems
• If a vendor does not support TFA
– Are they really worth your time and money?

Change Default Accounts
• Default Admin Username/Password
– Databases
– Key Stores
– Content Management Systems
• Disable Unnecessary Services
• Delete unwanted accounts

Firewall Effectively
• Dev environment is only for Developers
– Block access from internet
– IP Based restrictions
• Restrict SSH access
– IP Based restrictions
– Easy to setup
• Ingress and Egress
• Install WAF (It’s FREE)

Continuous Security (DevSecOps)
• Provisioning a new VM
– Install latest patches
– Apply right firewall policies
– Stop unwanted services
– Start appropriate services
• Run as part of the build:
– Fuzzing Tests
– Run vulnerability scans
– Static Analysis
– Dynamic Analysis

Input Validation
• Trust nothing that comes from client
• Every layer to do it’s own validation
• Whitelist vs Blacklist?
– Whitelist is better
• Use well tested libraries
– Or OWASP RegEx
• Specifically Test for SQLi and XSS
• Example

Output Escaping
• Escape all content to be rendered
• Use UI Frameworks that escape by default
• Scan the code to check the usage of un-
escaped methods
• Example

Authentication
Web
Form Based Authentication
Two Factor Authentication
TOTP
Text Message
Social Logins
Facebook
Twitter
Google
Basic Authentication
Digest Authentication
OAuth
Certificate Based Auth.
JWT (with JWS/JWE)
APIs

Authorization
• Privilege Escalation attacks are common
• Authz mechanisms
– Role Based Access Control (RBAC)
– Attribute Based Access (ABAC)
• Do Authz checks at every layer
– Cookies
– JWT (Mobile Friendly)

White Hat Program
• Allow white hat hackers to find security issues and report
them to you
• Explicit contract laying out what kind of attacks they could
execute
• Implicit contract that they won’t go public with it
– And give you reasonable time to fix it
• Make payments per bug and severity
• Example

you are the best CISO …
of your application
You are the best CISO
of your application

What's hot

2014 ZAP Workshop 2: Contexts and Fuzzing

Simon Bennetts

Hacker Proof web app using Functional tests

Ankita Gupta

[Wroclaw #7] Security test automation

OWASP

[OWASP Poland Day] Application frameworks' vulnerabilities

OWASP

Java Secure Coding Practices

OWASPKerala

BSides Manchester 2014 ZAP Advanced Features

Simon Bennetts

[Wroclaw #6] Introduction to desktop browser add-ons

OWASP

Devouring Security: Insufficient Data Validation Risks - Cross Site Scripting (XSS) • Risk, Stories & the news • XSS Anatomy • Untrusted Data Sources – Well, Where did that come from? • Shouldn’t it be called CSS instead? • Types of XSS - Type 0 [DOM based] - Type 1 [Reflected or Non-persistent XSS] - Type 2 [Persistent or Stored XSS] • Live Demo: XSS 101 with alert('hello XSS world') • Live Demo: Cookie Hijacking and Privilege Escalation - Face/Off with John Travolta and Nicolas Cage • Live Demo: Let’s deploy some Key loggers,huh? • Mitigations - Input Sanitization - Popular Libraries for .Net, Java, php  Demo: Input sanitization - Whitelists (vs. Blackists) - Output Encoding  Contextual  Demo: Output Encoding - Browser Protections & bypasses - Framework Protections & bypasses - Content Security Policy (CSP) in brief • Secure Code reviews: Spot an XSS, How? • Tools: Do we have an option? • XSS Buzz and how to Fuzz • Renowned Cheat sheets • Further reading & References

Devouring Security Insufficient data validation risks Cross Site Scripting

gmaran23

[Wroclaw #7] AWS (in)security - the devil is in the detail

OWASP

Zed Attack Proxy (ZAP)

JAINAM KAPADIYA

Slides from a talk given at DevSecCon on 206h October 2016 http://www.devseccon.com/blog/session/automating-owasp-zap/ The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular and best maintained free security tools. In this workshop you will learn how to automate security tests using ZAP. These tests can then be included in your continuous integration / delivery pipeline. Simon will cover the range of integration options available and then walk you through automating ZAP against a test application. The ZAP UI will be used to explain the concepts and python scripting used to drive ZAP via its API – this can then also be used to drive ZAP in daemon mode. This workshop is aimed at anyone interested in automating ZAP for security testing, including developers, functional testers (QA) and security/pentesters.

Automating OWASP ZAP - DevCSecCon talk

Simon Bennetts

JavaOne 2014 Security Testing for Developers using OWASP ZAP

Simon Bennetts

The OWASP Zed Attack Proxy

Aditya Gupta

OWASP Zed Attack Proxy

Fadi Abdulwahab

Anatomy of a Cloud Hack

NotSoSecure Global Services

NoSQL Exploitation Framework

Francis Alexander

Using the Zed Attack Proxy as a Web App testing tool

David Sweigert

Fundamental of malware analysis

Sumedt Jitpukdebodin

Zap vs burp

Tomasz Fajks

Presentation on Web Attacks

Vivek Sinha Anurag

What's hot (20)

2014 ZAP Workshop 2: Contexts and Fuzzing

Hacker Proof web app using Functional tests

[Wroclaw #7] Security test automation

[OWASP Poland Day] Application frameworks' vulnerabilities

Java Secure Coding Practices

BSides Manchester 2014 ZAP Advanced Features

[Wroclaw #6] Introduction to desktop browser add-ons

Devouring Security Insufficient data validation risks Cross Site Scripting

[Wroclaw #7] AWS (in)security - the devil is in the detail

Zed Attack Proxy (ZAP)

Automating OWASP ZAP - DevCSecCon talk

JavaOne 2014 Security Testing for Developers using OWASP ZAP

The OWASP Zed Attack Proxy

OWASP Zed Attack Proxy

Anatomy of a Cloud Hack

NoSQL Exploitation Framework

Using the Zed Attack Proxy as a Web App testing tool

Fundamental of malware analysis

Zap vs burp

Presentation on Web Attacks

Similar to Software Development in the Age of Breaches

OWASP - Open Web Applications Security Project to fundacja której celem jest eliminacja problemów bezpieczeństwa aplikacji. OWASP działa w duchu "open source" i dostarcza narzędzi, informacji i wiedzy pozwalających podnieść poziom bezpieczeństwa aplikacji. W trakcie wykładu przedstawię krótko OWASP Top 10 w wydaniu dla programistów, czyli "Top 10 Proactive Controls" a więc najważniejsze zalecenia pozwalające na uniknięcie kluczowych błędów bezpieczeństwa.

Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls

SecuRing

Lateral Movement - Phreaknik 2016

Xavier Ashe

This talk provides an introduction and detailed overview of Java deserialization attacks. You will understand the basic concepts of how Java deserialization exploits (gadget chains) work, what solutions exist and the advantages and disadvantages of each. Finally, a new approach will be presented, using Runtime Virtualization, Compartmentalization and Privilege De-escalation. This talk was presented by Apostolos Giannakidis at the OWASP London meetup on May 2017.

Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...

Apostolos Giannakidis

The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20

Tabăra de Testare

Here you can find the slides that accompany my “SPA Secure Coding Guide”, this presentation go through a set of security best practices specially targeted towards developing Angular applications with ASP.Net Web Api backends. It comes with a WebApi example project available on GitHub that provides several code examples of how to defend yourself. The example app is based on the famous "Tour of Heroes" Angular app used throughout the Angular documentation. It first introduce general threat modelling before explaining the most current type of attacks Asp.Net Web API are vulnerable to . It is designed to serve as a secure coding reference guide, to help development teams quickly understand Asp.Net Core secure coding practices.

Spa Secure Coding Guide

Geoffrey Vandiest

Vulnerabilities in modern web applications

Niyas Nazar

Css sf azure_8-9-17-protecting_web_apps_stephen coty_al

Alert Logic

CSS17: Houston - Protecting Web Apps

Alert Logic

NoSQL - No Security?

Gavin Holt

Lateral Movement: How attackers quietly traverse your Network

EC-Council

Lateral Movement - Hacker Halted 2016

Xavier Ashe

Owasp first5 presentation

Ashwini Paranjpe

Owasp first5 presentation

owasp-pune

Problems with parameters b sides-msp

Mike Saunders

Code Quality - Security

sedukull

Top Ten Java Defense for Web Applications v2

Jim Manico

CSS 17: NYC - Protecting your Web Applications

Alert Logic

DevSecOps: Taking a DevOps Approach to Security

Alert Logic

ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...

Robert Conti Jr.

ITB_2023_25_Most_Dangerous_Software_Weaknesses_Pete_Freitag.pdf

Ortus Solutions, Corp

Similar to Software Development in the Age of Breaches (20)

Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls

Lateral Movement - Phreaknik 2016

Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...

The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20

Spa Secure Coding Guide

Vulnerabilities in modern web applications

Css sf azure_8-9-17-protecting_web_apps_stephen coty_al

CSS17: Houston - Protecting Web Apps

NoSQL - No Security?

Lateral Movement: How attackers quietly traverse your Network

Lateral Movement - Hacker Halted 2016

Owasp first5 presentation

Problems with parameters b sides-msp

Code Quality - Security

Top Ten Java Defense for Web Applications v2

CSS 17: NYC - Protecting your Web Applications

DevSecOps: Taking a DevOps Approach to Security

ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...

ITB_2023_25_Most_Dangerous_Software_Weaknesses_Pete_Freitag.pdf

Recently uploaded

Document contains steps to getting ups and running quickly with MyTimeClock Employee Scheduling and Time Keeping Cloud Software as a Service Solution, Web version. Try MyTimeClock or any of our other software packages risk-free by registering for a FREE ACCOUNT at https://register.myintellisource.com/. If you would like more information about our company or its software, follow us on Facebook, Instagram, LinkedIn, Twitter, or YouTube, visit our home page at https://www.myintellisource.com/, or send us an email at cs@myintellisource.com. Take care and have a great day.

Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...

MyIntelliSource, Inc.

How To Troubleshoot Collaboration Apps for the Modern Connected Worker

ThousandEyes

At TECUNIQUE, we're a stable and steadily growing Indian software services company with over 14 years of industry experience. Specializing in offshore software development and quality assurance services, we've built a reputation for delivering unique and effective solutions to start-ups, software development companies, enterprises, and digital agencies. We pride ourselves on our commitment to excellence and innovation. By blending insightful business domain knowledge with exceptional technical prowess, we craft tailor-made solutions that meet the unique needs of our clients. Our dedicated teams are adept in specific technologies, ensuring seamless integration of skills and delivering reliable, scalable, and high-quality software solutions aligned with our clients' preferences. Bespoke Dedicated Teams: Crafted to meet your specific needs and technology preferences, our dedicated teams are committed to delivering top-notch software solutions. Offshore Software Development: Accelerate your software development and scale up quickly with our 12+ years of expertise in offshore development. Quality Assurance Services: Ensure the quality of your software products with our dedicated teams of experienced QA professionals. IT Staff Augmentation: Overcome skill gaps with our client-centric software team, offering staff augmentation services. Expert Software Services: Unlock our capabilities in custom software development, product development, and quality assurance. Mission and Vision: Our mission at TECUNIQUE is to be the catalyst for our clients' success in the dynamic domain of software development. Rooted in our core values of respect, authenticity, and responsibility, we strive to ease the software outsourcing experience, reducing both time and cost to market for our clients. We envision ourselves as the leading Indian software services company, renowned for our unwavering commitment to excellence and innovation. www.tecunique.com

TECUNIQUE: Success Stories: IT Service provider

mohitmore19

Test automation is a cornerstone of software development and quality assurance in today's rapidly evolving digital landscape. Its significance cannot be overstated. Businesses can enhance efficiency, productivity, and accelerate software delivery to market through automation, streamlining testing processes effectively. This comprehensive guide addresses the best practices for test automation in 2024. It offers a detailed checklist to empower you to optimize your automation efforts and maintain a competitive edge.

The Ultimate Test Automation Guide_ Best Practices and Tips.pdf

kalichargn70th171

A Secure and Reliable Document Management System is Essential.docx

ComplianceQuest1

+971565801893 Mtp-Kit (500MG) Prices » Dubai [(+971565801893**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Leen Whatsapp +971565801893 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971565801893''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971565801893' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Clinic in Abu Dhabi, United Arab Emirates.+971565801893

+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...

Health

How To Use Server-Side Rendering with Nuxt.js

Andolasoft Inc

(Vivek)Call Us, 8448380779,Call girls in Delhi NCr – We Offer best in class call girls. escort Service At Affordable Price At low Rate with Space Night 8000 We Are One Of The Oldest Escort and Call girls Agencies in Delhi. You Will Find That Our Female Escorts Are Full Of Fun, Sexy And They Would Love Enjoy Your Company. We Have A Fantastic Selection Of Escort Ladies Available For In-Calls As Well As Out-Calls. Our Escorts Are Not Only Beautiful But All Have Great Personalities Making Them The Perfect Companion For Any Occasion. In-Call:- You Can Come At Our Place in Delhi Our place Which Is Very Clean Hygienic 100% safe Accommodation. Out-Call:- You have To Come Pick The Girl From My Place We Are Also Provide Door Step Services (Delhi Ncr, Noida, Gurgaon, Faridabad, Ghaziabad Note:- Pic Collectors Time Passers Bargainers Stay Away As We Respect The Value For Your Money Time And Expect The Same From You Hygienic:- Full Ac room And Clean Rooms Available In Hotel 24 * 7 Hourly In Delhi NCR More Details, With WhatsApp Number, +91-8448380779

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️

Delhi Call girls

5 Signs You Need a Fashion PLM Software.pdf

Wave PLM

Hand gesture recognition PROJECT PPT.pptx

bodapatigopi8531

Conference: Engage2024 in Antwerp Type: Workshop Speakers: Florian Vogler, Henning Kunz, Christoph Adler Title: Navigating the Future with The Hitchhiker's Guide to Notes and Domino 14 Abstract: Embark on an exhilarating journey with industry trailblazers Florian Vogler, Henning Kunz, and Christoph Adler in this not-to-be-missed workshop at the forefront of the tech universe. Get ready for a thrilling kick-off as we navigate the current state of the HCL universe, setting the stage for an exploration of the groundbreaking Notes and Domino 14. Discover the latest enhancements and revolutionary features that will redefine your experience. In this interactive session, unlock a treasure trove of tips and tricks to elevate your utilization of version 14, both with and without the game-changing panagenda MarvelClient. Brace yourself for also diving into Nomad, Nomad Web, and VoltMX, expanding your horizons in the expansive HCL landscape. Be a part of this exclusive opportunity to stay ahead in the ever-evolving world of HCL technologies. Your journey to mastering Notes and Domino 14 begins here. And remember, in the spirit of intergalactic exploration, don't forget to bring your towel!

W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...

panagenda

In an era where security concerns are paramount, the integration of artificial intelligence (AI) into CCTV cameras has revolutionized surveillance capabilities. One of the most significant advancements is the ability to achieve real-time threat detection, enabling immediate responses to potential security breaches. This blog explores how AI is reshaping surveillance through real-time threat detection and the implications of this technology.

Optimizing AI for immediate response in Smart CCTV

shikhaohhpro

Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live Booking Contact Details :- WhatsApp Chat :- [+91-9999965857 ] The Best Call Girls Delhi At Your Service Russian Call Girls Delhi Doing anything intimate with can be a wonderful way to unwind from life's stresses, while having some fun. These girls specialize in providing sexual pleasure that will satisfy your fetishes; from tease and seduce their clients to keeping it all confidential - these services are also available both install and outcall, making them great additions for parties or business events alike. Their expert sex skills include deep penetration, oral sex, cum eating and cum eating - always respecting your wishes as part of the experience (29-April-2024(PSS)

Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live

Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure

Investing in AI transformation today The modern business advantage: Uncovering deep insights with AI Organizations around the world have come to recognize AI as the transformative technology that enables them to gain real business advantage. AI’s ability to organize vast quantities of data allows those who implement it to uncover deep business insights, augment human expertise, drive operational efficiency, transform their products, and better serve their customers

Microsoft AI Transformation Partner Playbook.pdf

Willy Marroquin (WillyDevNET)

Diamond Application Development Crafting Solutions with Precision

SolGuruz

Unlocking the Future of AI Agents with Large Language Models

aagamshah0812

Software Quality Assurance Interview Questions

Arshad QA

Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...

kellynguyen01

In the realm of real-time applications, Large Language Models (LLMs) have long dominated language-centric tasks, while tools like OpenCV have excelled in the visual domain. However, the future (maybe) lies in the fusion of LLMs and deep learning, giving birth to the revolutionary concept of Large Action Models (LAMs). Imagine a world where AI not only comprehends language but mimics human actions on technology interfaces. For example, the Rabbit r1 device presented at CES 2024, driven by an AI operating system and LAM, brings this vision to life. It executes complex commands, leveraging GUIs with unprecedented ease. In this presentation, join me on a journey as a software engineer tinkering with WebRTC, Janus, and LLM/LAMs. Together, we’ll evaluate the current state of these AI technologies, unraveling the potential they hold for shaping the future of real-time applications.

Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications

Alberto González Trastoy

Introducing MyIntelliAccount™ Cloud Accounting Software as a Service (SaaS) , the complete system for simplifying business accounting needs. MyIntelliAccount Cloud Accounting SaaS is an easy to understand and easy to use application and system designed for the Web with supporting applications for iOS and Android devices. Designed to work like a natural extension of your web browser, the user interface for MyIntelliAccount Cloud Accounting SaaS is intuitive and thoughtfully organized to help you easily navigate and access your business accounting information. Because our company takes the time to research, study, and understand the applications we develop, we are confident that once you use MyIntelliAccount Cloud Accounting SaaS , you will be asking yourself how you ever got along without it.

Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...

MyIntelliSource, Inc.

Recently uploaded (20)

Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...

How To Troubleshoot Collaboration Apps for the Modern Connected Worker

TECUNIQUE: Success Stories: IT Service provider

The Ultimate Test Automation Guide_ Best Practices and Tips.pdf

A Secure and Reliable Document Management System is Essential.docx

+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...

How To Use Server-Side Rendering with Nuxt.js

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️

5 Signs You Need a Fashion PLM Software.pdf

Hand gesture recognition PROJECT PPT.pptx

W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...

Optimizing AI for immediate response in Smart CCTV

Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live

Microsoft AI Transformation Partner Playbook.pdf

Diamond Application Development Crafting Solutions with Precision

Unlocking the Future of AI Agents with Large Language Models

Software Quality Assurance Interview Questions

Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...

Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications

Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...

Software Development in the Age of Breaches

4. Opportunistic Indeed ! TalkTalk 150K + PII records compromised SQL Injection Ashley Madison 37 MM records compromised Weak VPN Authentication HomeDepot 56MM PII records compromised Weak Access Control Patreon 2.3MM PII records compromised Debugger in Prod 000WebHost 13.5MM PII records compromised Using old PHP version

7. Test Driven Development • Bugs increase security risk • Allows you to release faster • Fixing issues while in development is cheaper • Only way to prove that “My code works”

8. Take it to the next level select version(); select current_database(); select current_user; select session_user; '));waitfor delay '0:0:3'-- "));waitfor delay '0:0:3'-- benchmark(10000000,MD5(1))# 1 or benchmark(10000000,MD5(1))# " or benchmark(10000000,MD5(1))# ' or benchmark(10000000,MD5(1))# getUserByName(first_name,last_name) { … }

10. New Responsibility Model • At SecureDB, we have no testers. Only “Buddies” • “Buddies” are fellow developers that: – Test your code – Review your code – Give you feedback • Switch “Buddies” every sprint

11.

12.

13. Where would I even start? STEP 1: Find a comparable company in your space STEP 2: COPY IDEAS SHAMELESSLY Examples: You’re a social media co that has too many locked accounts. A: How many login attempts does Twitter Allow? You’re an e-commerce site worried about fake accounts. A: How does Amazon do it? Don’t re-invent the wheel

14.

15. Two Factor Everything • Evaluate every service you use for TFA support - Hosting - Code Repos - Email - SSH Access - DNS - File sharing systems • If a vendor does not support TFA – Are they really worth your time and money?

16. Change Default Accounts • Default Admin Username/Password – Databases – Key Stores – Content Management Systems • Disable Unnecessary Services • Delete unwanted accounts

17. Firewall Effectively • Dev environment is only for Developers – Block access from internet – IP Based restrictions • Restrict SSH access – IP Based restrictions – Easy to setup • Ingress and Egress • Install WAF (It’s FREE)

18.

19. Continuous Security (DevSecOps) • Provisioning a new VM – Install latest patches – Apply right firewall policies – Stop unwanted services – Start appropriate services • Run as part of the build: – Fuzzing Tests – Run vulnerability scans – Static Analysis – Dynamic Analysis

20.

21. Input Validation • Trust nothing that comes from client • Every layer to do it’s own validation • Whitelist vs Blacklist? – Whitelist is better • Use well tested libraries – Or OWASP RegEx • Specifically Test for SQLi and XSS • Example

22. Output Escaping • Escape all content to be rendered • Use UI Frameworks that escape by default • Scan the code to check the usage of un- escaped methods • Example

23. Authentication Web Form Based Authentication Two Factor Authentication TOTP Text Message Social Logins Facebook Twitter Google Basic Authentication Digest Authentication OAuth Certificate Based Auth. JWT (with JWS/JWE) APIs

24. Authorization • Privilege Escalation attacks are common • Authz mechanisms – Role Based Access Control (RBAC) – Attribute Based Access (ABAC) • Do Authz checks at every layer – Cookies – JWT (Mobile Friendly)

25.

26. White Hat Program • Allow white hat hackers to find security issues and report them to you • Explicit contract laying out what kind of attacks they could execute • Implicit contract that they won’t go public with it – And give you reasonable time to fix it • Make payments per bug and severity • Example

27. you are the best CISO … of your application You are the best CISO of your application

28. Questions?

Software Development in the Age of Breaches

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Software Development in the Age of Breaches

Similar to Software Development in the Age of Breaches (20)

Recently uploaded

Recently uploaded (20)

Software Development in the Age of Breaches