bitter truth about software security
Vlad Styran
OSCP CISSP CISA
Berezha Security
Disclaimers
Crappy science: no supporting data or peer reviews
Based on my own (mostly negative) experience
If you have rotten potatoes, wait until the end
Agenda… sort of…
Application Security is done wrong. Period.
Questions are:
1. Who does it wrong?
2. What is done wrong?
3. How is it done wrong?
Who? Stakeholders:
Software people
• Have no idea about security
• Driven by functionality and deadlines
• Focused on visible features
Security people
• Have no idea about software development
• Driven by budgets, “risk” and compliance
• Focused on policy and best practice
Business people (we won’t touch those)
What? is wrong with software people:
Don’t care about security by default
Start hiring appsec folks “into projects” once clients start to ask questions
Rarely create “horizontal practices” for ad-hoc security assessments
What? is wrong with software people:
Too much into their own stuff
Usually very isolated cultures
Don’t bother about appsec until they get hacked
What? is wrong with software people:
Don’t care about security at all
Have zero initial budget
Are forced into appsec by market regulations or investors
Are forced into appsec as a part of general corporate BS once they stop being startups
What? is wrong with software people:
Don’t see appsec as a feature (because it’s invisible)
Think their code is secure by default and maybe has a few vulnerabilities to be “tested” or “scanned” before release
Think their developers are well educated in appsec because they follow some weirdos on Twitter and Facebook
What? is wrong with security people:
Have mainly network, infrastructure, intelligence/law enforcement background
Are focused on setting the rules (“paper tigers”) and deploying controls (“blinking boxes”)
As much as the software folks, believe that a “pentest” or “code review” will solve all their problems
The followers of the Best Practice Church
How? is appsec done wrong:
Pentest as a first step in a security program
Pentest as the only appsec exercise before the product goes live
No initial budget as a way to cut costs
No developer awareness training before the project starts
Treating appsec as a dull routine that has to be automated
How?
Pentest as the first or the only part of a security program
Pentest is a measurement tool for the effectiveness of your security program
If there is nothing yet to measure, it makes no sense
• Some hackers will come
• They will report a bunch of bugs
• These won’t be all the bugs
• These won’t be the worst bugs
• These will be the easiest to find
• This will affect your release date
How?
No initial budget as a way to cut costs
Built-in vs Bolt-on security
Startups don’t care (until it’s too late)
Thinking of security as a project, process, business function etc.
Not getting an intuition of risk (not knowing how much it actually costs)
The job market is hell (or heaven, depending on your POV)
How?
No developer training
When Lemon Markets, Imposter Syndrome & Dunning–Kruger collide - Haroon Meer
https://www.youtube.com/watch?v=YCijTioaCDw
How?
Urge for automated security scanning
DAST (Security Scanner)
Knows nothing about your code
Gets mostly input/output flaws
Covers about 15% of bugs
Requires a consultant to get more
Costs less than SAST
SAST (Source Code Analyzer)
Knows everything about your code (but gets nothing)
Gets only semantic and implementation-level flaws: business logic is way out of scope
Covers about 274% of bugs (out of 1078% possible)
Costs 10x–100x more than DAST
Let’s summarize
Developers and QAs who have no appsec background or training
Are supposed to write secure code
That contains only a few security bugs
All of which will be found by a security scanner or a code analyzer
For free
Thank god, there are hackers!
Expectations
1. Come to an ethical hacker 2 weeks before the release
2. Ask for a DAST for about $2-3k
3. Expect a clean & green report
4. Put it on the wall and go live
5. Live happily ever after
Reality
1. Get shocked that DAST takes at least 3 to 4 weeks
2. And costs much more
3. Get 10 critical bugs during the first week and a 50+ page report
4. Fix the bugs for 2 months
5. Cry over the retest report and realize you still have bugs
Thank god, there are hackers!
How hackers changed the security industry - Chris Wysopal
https://www.youtube.com/watch?v=LSH3CyR35x4
https://www.microsoft.com/en-us/sdl/default.aspx
What is SDL?
A bunch of practices that improve the “software assurance” level (a fancy name for appsec)
Security architecture and design
Formulating security requirements
Secure coding and code review
Security testing/pentesting
Secure deployment and operation
Incident response and security patches
Automating all of the above
And many many more
How to SDL?
1. Give the team an appsec awareness training
2. Consult an SDL framework and choose practices you can implement
3. Plan for adding practices that you should implement
4. Hire a security pro or consultant to help you with practices you cannot implement by yourself
5. Undergo an external appsec assessment after the first full SDL cycle and at least before every major release
6. Undergo an external SDL assessment/audit regularly and improve using the results
Who should SDL?
Developers, Testers, DevOps – to a relevant extent
Security “Champions” or “Evangelists” – part time
Project Managers – at a higher level
Architects and Leads – deep dive
AppSec Analysts – full time
Good practice
https://www.owasp.org/ http://owasp.kyiv.ua/
Notable OWASP projects
OWASP Top Ten
OWASP Testing
OWASP SAMM
OWASP ASVS
OWASP ZAP
OWASP Juice Shop
SAMM practices example
Cheat codes: roadmap templates
How to get in?
OWASP Kyiv https://owasp.kyiv.ua
AppSec Awareness Training notes https://github.com/sapran/appsec_awareness_training
Awesome AppSec curated list https://github.com/paragonie/awesome-appsec
AppSec Course on Coursera https://www.coursera.org/learn/software-security
WAHH book
Ross Anderson’s Security Engineering book
How to find me
sapran@pm.me
https://fb.me/vstyran
@arunninghacker