Software Security in a
interconnected world
Matteo Meucci, CEO @ Minded Security – 10th November 2016
Università degli Studi di Napoli “L’Orientale”
<AGENDA>
1. Introduction to Software Security
1.1 Who uses software?
1.2 What are the risks for the end users?
1.3 What are the risks for the Companies?
2. How can a Company manage Software Security?
2.1 The OWASP standards
2.2 Software Security Processes
</AGENDA>
Who am I?
Informatics Engineer (since 2001)
Research
• OWASP contributor (since 2002)
• OWASP-Italy Chair (since 2005)
• OWASP Testing Guide Lead (since 2006)
Work
• 15+ years on Information Security focusing on Software Security
• CEO @ Minded Security – The Software Security Company (since 2007)
1. INTRODUCTION TO SOFTWARE
SECURITY
1.1 SCENARIO: WHO USES SOFTWARE?
EVERYONE IS CONNECTED!
EVERYONE USES SOFTWARE!
Users
Cyber criminals
Companies
Governments
1.2 FROM THE END USER POINT OF
VIEW: WHAT ARE THE RISKS?
HOW CAN I UNDERSTAND IF AN APP IS SAFE OR NOT?
It’s secure! It’s on the store!
Sure! Everyone uses it!
IS THIS APP “SECURE”?
HOW CAN I UNDERSTAND IF AN APPLICATION IS “SECURE”?
It’s secure! Look at the lock, down on the right!
It’s secure! It’s Google!
Sure! The news said that it is unbreakable!
IS YOUR GOOGLE MAIL “SECURE”?
Gmail vulnerability: 2 days ago
USER risks
• Software not updated: critical risk
• Shared Software: high risk
• Implicit trust: high risk
Operating system not updated
• http://www.eweek.com/security/google-patches-39-android-vulnerabilities-in-april-update.html
Software not updated
250M users are still using XP with software that is no longer updated, for example Internet Explorer.
An e-mail or a Web site can compromise a PC running XP in a few seconds!!!
Shared software
Implicit Trust (e.g.: WiFi Pineapple)
• How many of you connect automatically to open wifi?
• How many of you think that it is dangerous to do that?
• Let me show you the results of a test done at the last Festival of Journalism in Perugia
Wifi Sniffing at IJF 2016
Man-in-the-middle IJF 2016 results
Risk: disclosure of sensitive information
From an end user point of view
• There is no perception of whether the software in use is secure or not
• Most users download everything (risk: malware), interact with everything (risk: exploitation of vulnerabilities), trust everything (risk: disclosure of information)
1.3 FROM A COMPANY POINT OF VIEW
Actors
User: who uses the software
Ministry of Informatics: who buys the software
Development teams (internal/external): who develop the software
Press conference for the launch of the service
Now you can take advantage of a new service on the portal of the Ministry of Informatics
Fantastic!! Congratulations!!
The day after…
Users access the portal…
John Black – 12/12/1970 – JBlack@company.com
Josh White – 10/09/1982 – White@bank.com
Paul Red – 09/02/1960 – Paul@bank.com
Users access the portal…
Oh oh... I found a problem...
Some days after…
The reactions…
Ohh... how was it possible?
Fault of the developers!
But it is impossible!?
We followed all your instructions
If you do not ask for security, no one will develop secure software
• Vulnerabilities in the software development process are expected.
• The control of security bugs and flaws in the software should be considered part of the software development process.
SOFTWARE SECURITY PRINCIPLES
2. HOW CAN A COMPANY MANAGE “SECURE SOFTWARE”?
2.1 THE OWASP STANDARDS
• The Open Web Application Security Project (OWASP) is a 501(c)(3) not-for-profit, also registered in Europe as a worldwide charitable organization, focused on improving the security of software.
• Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks.
• Everyone is welcome to participate in OWASP and all of our materials are available under free and open software licenses.
OWASP
BUILD SECURE SOFTWARE
1: Parameterize Queries
2: Encode Data
3: Validate All Inputs
4: Implement Appropriate Access Controls
5: Establish Identity and Authentication Controls
6: Protect Data and Privacy
7: Implement Logging, Error Handling and Intrusion Detection
8: Leverage Security Features of Frameworks and Security Libraries
9: Include Security-Specific Requirements
10: Design and Architect Security In
Project leaders:
Jim.Manico@owasp.org
Jim.Bird@owasp.org
Katy.Anton@owasp.org
TOP10 PROACTIVE CONTROLS (BUILDERS)
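Controls 1 and 2 in the list above, as an added Python example that is not from the slides or from OWASP: a lookup that splices caller input into the SQL text beside the parameterized form, and output encoding for an HTML context. The in-memory table, its rows and the probe string are constructed sample data.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory sample table (not data from the slides)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, email TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("John Black", "JBlack@company.com"), ("Josh White", "White@bank.com")],
    )
    return con


def lookup_concat(con, name):
    """Control 1 violated: the caller's string becomes part of the SQL text,
    so quote characters inside it change the meaning of the query."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()


def lookup_param(con, name):
    """Control 1 applied: the value is bound as a parameter and can only ever
    be compared against the column, whatever characters it contains."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return con.execute(sql, (name,)).fetchall()


def render_row(name, email):
    """Control 2 applied: data is encoded for the context it is emitted into
    (HTML body text here), so it cannot be interpreted as markup."""
    return f"<li>{html.escape(name)} ({html.escape(email)})</li>"


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"          # textbook input that breaks a concatenated query
    print(lookup_concat(db, probe))  # every row: the WHERE clause is always true
    print(lookup_param(db, probe))   # []: no user is literally named that
    print(render_row("<b>Josh</b>", "White@bank.com"))
```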
Hack your code!
www.owasp.org/index.php/Code_Review_Guide
CODE REVIEW GUIDE (BREAKERS)
• Most comprehensive open source secure code review guide on the web
• Years of development effort
• Version 2 alpha, 2016
• Numerous contributors
• Project Leader and Editor: eoin.keary@owasp.org
www.owasp.org/index.php/Testing_Guide
• Most comprehensive open source secure testing guide on the web
• Years of development effort
• Version 4.0 produced in 2014
• Hundreds of contributors
• Project Leaders and Editors: Matteo Meucci, Andrew Muller (matteo.meucci@owasp.org, andrew.muller@owasp.org)
TESTING GUIDE (BREAKERS)
THE OWASP GUIDES: COMMUNITY DRIVEN FOR ALL THE ENTERPRISES
Fight with the same weapons (knowledge)
2.2 HOW TO USE THE OWASP STANDARDS IN YOUR PROCESSES
Roles and responsibilities
Define | Design | Develop | Deploy | Maintain
Risk Assessment
Secure Design
Design Review
Software Acceptance
Web Intrusion Monitoring
Secure Requirements
Threat Modeling
Secure Development
Secure Installation
Change Management
Secure Architecture
SCR and WAPT
Hardening
Fixing
Business Analyst
Security Manager
Business Analyst
AppSec Specialist
Business Analyst
Software Architect, AppSec Specialist
Security Manager
Application Owner
Software Architect
Security Manager
Security Manager
Developer
AppSec Specialist
Developer
Security Manager
App Owner
System Administrator
System Administrator
AppSec Specialist
Sec Manager
App Owner
Developer
Software Security Maturity
Define | Design | Develop | Deploy | Maintain
Risk Assessment
Secure Design
Design Review
Application Penetration Testing
Web Intrusion Monitoring
Secure Requirements
Threat Modeling
Secure Development
Software Acceptance
Change Management
Secure Architecture
Secure Code Review
Secure Installation
Fixing
Hardening
Source: Minded Security – Results of 12 SAMM assessments from 2012 to 2015
20%, 60%, 30%, 10%, 30%, 30%, 60%, 40%, 30%, 90%, 30%, 50%, 60%, 40%, 40%
OWASP resources into your SDLC
If you do not ask for security, no one will develop secure software
Use the OWASP Software Contract Annex to regulate your outsourcer contracts
If you do not know the application threats, you will develop insecure software
Use the OWASP Top 10 for General Awareness
Use the CISO Guide for Management’s Awareness
Vulnerabilities in the software development process are expected
Use the OWASP Building Guide and ESAPI to write more secure software
Use the OWASP Secure Code Review Guide to review the code
Use the OWASP Testing Guide to test your application
OWASP resources into your SDLC
The fixing process is the most important step of the software security process
Retest your application after bug fixing or a new release to be sure that the right implementations are in place
How can I manage the Software Security Governance?
Use the OWASP SAMM to assess your maturity and to build an Application Security Program to manage the SDLC
CONCLUSIONS
• Awareness of SwSec! From developers to analysts, application owners, management.
• Hire Information Security managers: Application Security managers and Privacy Security managers
• Software Security Program: without a program and assigned responsibilities it is difficult to manage Software Security.
NEXT STEPS: WHAT IS MISSING TODAY?
QUESTIONS?
WWW.MINDEDSECURITY.COM
MATTEO.MEUCCI@MINDEDSECURITY.COM
THANKS!
