SANS AppSec - Building Secure Web Applications
Presentation about building secure web applications by integrating security into SDLC and Operations.
Slide 1: SANS AppSec 2010 – Building Secure Web Applications
Alex Bello, IronKey, Inc.
IronKey – © 2010 All rights reserved.

Slide 2: About me – Alex Bello
• Director of Technical Operations at IronKey
• Product Threat Team Lead at IronKey
• Technical Operations at Anti-Phishing Working Group (APWG)
Deep expertise in process, systems architecture, networking, databases, security and web development.

Slide 3: About IronKey
• Founded by security experts in 2005
• Funded by DHS
• Designed & assembled in USA
• Secure hardware with cloud-based remote management services
• Scales globally in major banks, hospitals, DHS, FEMA and NATO

Slide 4: IronKey Management Services

Slide 5: Facts
• Web is full of web application hacking tutorials and tools
• Botnets are used to scan for recent web application exploits
• 75% of attacks happen at the app layer
• Security holes in web apps result in huge business losses

Slide 6: What to do?
• Create security program
• Integrate security into SDLC
• Use phased approach

Slide 7: How to Start?
• Create security awareness and training
• Get release management under control
• Assess important security controls
• Scan applications prior to new releases
• Benchmark against industry best practices
• Communicate results to the organization
• Conduct independent security audits

Slide 8: Create Security Program
• Policies and procedures
• Security training
• Security architecture
• Periodic risk assessments
• Periodic testing and evaluation
• Incident response team
• Change management

Slide 9: Integrate Security in SDLC – Requirements / Design
• Threat modeling
• Risk analysis
• Secure architecture design

Slide 10: Integrate Security in SDLC – Implementation
• Use modern secure frameworks
• Secure implementation / best practices (OWASP)
• Security checklists
• Code review (internal/third party)

Slide 11: Integrate Security in SDLC – Quality Assurance
• Security testing of changes (automated/manual)
• Security regression testing

Slide 12: Integrate Security in SDLC – Operations
• Vulnerability alerting
• Web application firewalls
• Log analysis tools
• Secure device configuration
• Security perimeter testing
• Penetration testing (internal/third party) (major releases/monthly)
• Tracking security metrics

Slide 13: Summary
• Invest in security training and certification
• Integrate security into SDLC in phases
• Never trust input; validate all input/output
• Strong encryption of sensitive data and key management
• Strong access controls and hardening
• Stay on top of vulnerabilities and keep your networks, servers and applications up to date

Slide 14: Thank You
Email: abello@ironkey.com
Web: https://www.ironkey.com
