2. Krutarth Vasavada
• B.E. (Electronics and Communication), AITS 2002-06
• M.S. (Computer Engineering), San Jose State University,
California, US
• Certified Cloud Security Professional, ISC2
• 13+ Years into Software Product Development,
Cybersecurity, Information Security Audits, Data
Privacy & Compliance
• Worked in India, USA, EU (currently) in Automobile, Chemicals, Insurance, Investment Banking, and e-Commerce domains.
3. Topics
01 Cybersecurity – What? Why? Where? How?
02 What is a secure software?
03 Why we need a secure software?
04 Areas of Software Security
05 Secure Software Checklist
06 Exercises and References
4. Scope
Secure Coding Standards is a separate topic and it is not part of this workshop!
This session focuses on software security from the end-user perspective.
5. Scope
In the context of this workshop, Software =
• Desktop Applications (Dropbox, MS Office, etc.)
• Mobile Applications (Zoom, WhatsApp, LinkedIn, etc.)
• Web/SaaS Solutions (Email, JIRA/Confluence, Web Portals, etc.)
8. What is a Secure Software?
• Protects information and identity
• Respects privacy and user rights
• Improves secure exchange of data
• Provides reliable authentication
• Uses secure architecture (privacy-by-design)
• Complies with local/global laws (certified, e.g., ISO 27001, SOC 2)
9. Why we need a Secure Software?
Corporations
• Loss of reputation
• Customer data exposure
• Legal battles
• Monetary compensations
• Disciplinary action
• Penalty
Individuals
• Identity theft
• Financial loss
• Exposure of personal data/files
• Blackmail/Ransomware
Using software that doesn’t meet the security requirements has repercussions for corporations as well as individuals.
11. Areas of Software Security
• Technology Stack: Up-to-date or outdated?
• Architecture: Secure? Privacy-by-design? Scalable?
• Hosting: Cloud? Bare-metal? On premises? Hybrid?
• Geography: Locally hosted? Outside the country? Within EU/US?
• Security Features: Multi-factor authentication? Backup-Recovery? Audit Logs?
• Data Privacy: Third-party access? User rights?
• Compliance: Information Security Certification? GDPR?
• Processes: e.g., recruitment process (background check for sensitive jobs)
13. Is your software secure?
❑ Review permissions - What does it access? And when?
❑ Data backup and encryption policies
❑ Will you be able to permanently remove all your data when you want?
❑ How many concurrent sessions does it allow?
❑ With which third parties is your data shared?
❑ Do you know where the software application and data are hosted?
❑ Does it have any globally trusted information security certification?
❑ Does it have publicly known vulnerabilities?
❑ Does it participate in any global privacy programs such as the EU-US or Swiss-US Privacy Shield?
15. Exercises and Reference Reading
• In your opinion, which of the following search engines has better (= end-user friendly) privacy policies? Why?
Google – DuckDuckGo – Bing
• Are WhatsApp messages always end-to-end encrypted? Does that mean WhatsApp cannot read messages exchanged between users?
• Web Security Academy - https://portswigger.net/web-security
• Conduct a security assessment of your favorite cloud storage drive and prepare an audit report.
• DHS United States – Defence in Depth Recommendations