
Matteo Meucci – Software Security – Napoli, 10 November 2016

Software Security in an interconnected world


  1. Software Security in an interconnected world. Matteo Meucci, CEO @ Minded Security – 10 November 2016, Università degli Studi di Napoli “L’Orientale”
  2. <AGENDA> 1. Introduction to Software Security: 1.1 Who uses software? 1.2 What are the risks for the end users? 1.3 What are the risks for the companies? 2. How can a company manage Software Security? 2.1 The OWASP standards 2.2 Software Security processes </AGENDA>
  3. Who am I? Informatics Engineer (since 2001). Research: • OWASP contributor (since 2002) • OWASP-Italy Chair (since 2005) • OWASP Testing Guide Lead (since 2006). Work: • 15+ years in Information Security, focusing on Software Security • CEO @ Minded Security – The Software Security Company (since 2007)
  4. 1. INTRODUCTION TO SOFTWARE SECURITY – 1.1 SCENARIO: WHO USES SOFTWARE?
  5. EVERYONE IS CONNECTED!
  6. EVERYONE USES SOFTWARE! Users, cyber criminals, companies, governments
  7. 1.2 FROM THE END USER POINT OF VIEW: WHAT ARE THE RISKS?
  8. HOW CAN I UNDERSTAND IF AN APP IS SAFE OR NOT?
  9. IS THIS APP “SECURE”? “It’s secure! It’s on the store!” “Sure! Everyone uses it!”
  10. HOW CAN I UNDERSTAND IF AN APPLICATION IS “SECURE”?
  11. IS YOUR GOOGLE MAIL “SECURE”? “It’s secure! Look at the lock, down on the right!” “It’s secure! It’s Google!” “Sure! The news said that it is unbreakable!”
  12. Gmail vulnerability: 2 days ago
  13. USER risks • Software not updated: critical risk • Shared software: high risk • Implicit trust: high risk
  14. Operating system not updated • http://www.eweek.com/security/google-patches-39-android-vulnerabilities-in-april-update.html
  15. Software not updated. 250 M users are still using XP, with software that no longer receives updates, for example Internet Explorer. An e-mail or a Web site can compromise a PC running XP in a few seconds!
  16. Shared software
  17. Implicit trust (e.g. WiFi Pineapple) • How many of you connect automatically to open Wi-Fi? • How many of you think that it is dangerous to do that? • Let me show you the results of a test done at the last Festival of Journalism in Perugia
  18. Wi-Fi sniffing at IJF 2016
  19. Man-in-the-middle: IJF 2016 results
  20. Risk: disclosure of sensitive information
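What the Wi-Fi sniffing and man-in-the-middle slides describe, as an added example that is not part of the original slides or of the IJF test: a small Python script that parses constructed plaintext HTTP requests (the kind a passive observer on an open Wi-Fi network sees) and lists the sensitive data each one discloses. All hosts, user names and secrets are invented for the demo, and the functions are not from any tool used in the talk.

```python
import base64
from urllib.parse import parse_qs

# Constructed captures: three plaintext HTTP requests as a passive sniffer on an
# open Wi-Fi network would see them. Hosts, names and secrets are invented.
CAPTURED_REQUESTS = [
    b"POST /login HTTP/1.1\r\nHost: webmail.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 32\r\n\r\n"
    b"user=jblack&password=Winter2016!",
    b"GET /api/inbox HTTP/1.1\r\nHost: api.example.test\r\nAuthorization: Basic "
    + base64.b64encode(b"jblack:Winter2016!")
    + b"\r\n\r\n",
    b"GET /home HTTP/1.1\r\nHost: portal.example.test\r\n"
    b"Cookie: JSESSIONID=8A1F2C9E; remember=1\r\n\r\n",
]

# Form field names that usually carry a credential (assumption for the demo).
SECRET_FIELDS = {"password", "passwd", "pwd", "pass", "token"}


def parse_request(raw):
    """Split one raw HTTP/1.1 request into method, path, headers dict and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body.decode("latin-1")


def find_cleartext_secrets(captures):
    """Return what an eavesdropper learns from each plaintext request."""
    findings = []
    for raw in captures:
        _method, _path, headers, body = parse_request(raw)
        host = headers.get("host", "?")
        auth = headers.get("authorization", "")
        if auth.lower().startswith("basic "):
            # HTTP Basic is only base64, not encryption: the password is readable.
            creds = base64.b64decode(auth.split(None, 1)[1]).decode("latin-1", "replace")
            findings.append({"host": host, "kind": "basic-auth", "value": creds})
        if "cookie" in headers:
            # A session cookie sent in clear can be replayed to hijack the session.
            findings.append({"host": host, "kind": "session-cookie", "value": headers["cookie"]})
        if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
            for field, values in parse_qs(body).items():
                if field.lower() in SECRET_FIELDS:
                    findings.append({"host": host, "kind": "form-credential",
                                     "value": f"{field}={values[0]}"})
    return findings


def visible_over_tls(raw):
    """What the same eavesdropper sees if the request goes over HTTPS instead:
    only the destination host name (TLS SNI), never headers or body."""
    _method, _path, headers, _body = parse_request(raw)
    return {"host": headers.get("host", "?")}


if __name__ == "__main__":
    for f in find_cleartext_secrets(CAPTURED_REQUESTS):
        print(f"{f['host']:22} {f['kind']:16} {f['value']}")
    print("over TLS:", [visible_over_tls(r) for r in CAPTURED_REQUESTS])
```

Every finding disappears once the same requests are sent over TLS: the observer is left with the host name only. That is why a client should refuse to send credentials to a plain http:// URL and why a site should enforce HTTPS. A rogue access point such as the WiFi Pineapple mentioned above simply puts the attacker in the position of this observer, with the added ability to modify the traffic.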
  21. From an end user point of view • There is no perception of whether the software in use is secure or not • Most users download everything (risk: malware), interact with everything (risk: exploitation of vulnerabilities), trust everything (risk: disclosure of information)
  22. 1.3 FROM A COMPANY POINT OF VIEW
  23. Actors • User: who uses the software • Ministry of Informatics: who buys the software • Development teams (internal/external): who develop the software
  24. Press conference for the launch of the service. “Now you can take advantage of a new service on the portal of the Ministry of Informatics” “Fantastic!! Congratulations!!”
  25. The day after…
  26. Users access the portal… John Black – 12/12/1970 – JBlack@company.com; Josh White – 10/09/1982 – White@bank.com; Paul Red – 09/02/1960 – Paul@bank.com
  27. Users access the portal… “Oh oh... I found a problem...”
  28. Some days after…
  29. The reactions… “Ohh... how was that possible?” “It is the developers’ fault!” “But that is impossible!? We followed all your instructions.” If you do not ask for security, no one will develop secure software
  30. SOFTWARE SECURITY PRINCIPLES • Vulnerabilities in the software development process are expected. • Control of security bugs and flaws in the software should be considered part of the software development process.
  31. 2. HOW CAN A COMPANY MANAGE “SECURE SOFTWARE”? 2.1 THE OWASP STANDARDS
  32. OWASP • The Open Web Application Security Project (OWASP) is a 501(c)(3) not-for-profit, also registered in Europe as a worldwide charitable organization, focused on improving the security of software. • Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. • Everyone is welcome to participate in OWASP and all of our materials are available under free and open software licenses.
  33. BUILD SECURE SOFTWARE
  34. TOP 10 PROACTIVE CONTROLS (BUILDERS) 1: Parameterize Queries 2: Encode Data 3: Validate All Inputs 4: Implement Appropriate Access Controls 5: Establish Identity and Authentication Controls 6: Protect Data and Privacy 7: Implement Logging, Error Handling and Intrusion Detection 8: Leverage Security Features of Frameworks and Security Libraries 9: Include Security-Specific Requirements 10: Design and Architect Security In. Project leaders: Jim.Manico@owasp.org, Jim.Bird@owasp.org, Katy.Anton@owasp.org
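An added example, not from the slides or from the OWASP Proactive Controls project itself, showing the first three controls in Python with the standard-library sqlite3 module: a query built by string concatenation beside its parameterized form, allow-list input validation, and HTML output encoding. The table, the username policy and the payload are constructed for the demo; the three user records reuse the fictitious names from the Ministry scenario of this talk.

```python
import html
import re
import sqlite3


def make_db():
    """Constructed in-memory demo table; the rows are the fictitious users of the
    'Users access the portal' slide, not data from any real system."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, dob TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email, dob) VALUES (?, ?, ?)",
        [("jblack", "JBlack@company.com", "1970-12-12"),
         ("jwhite", "White@bank.com", "1982-09-10"),
         ("pred", "Paul@bank.com", "1960-02-09")],
    )
    return conn


# Classic tautology payload: closes the quoted literal and appends OR '1'='1'.
PAYLOAD = "' OR '1'='1"


def lookup_vulnerable(conn, username):
    """Control 1 violated: untrusted input is pasted into the SQL text, so the
    payload changes the query's structure and the WHERE clause matches everyone."""
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """Control 1: a placeholder; the value travels separately from the SQL text
    and is only ever compared as data, never parsed as SQL."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Control 3: allow-list for what a username may look like (assumed policy).
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")


def is_valid_username(value):
    """Reject anything outside the allow-list instead of trying to strip bad characters."""
    return USERNAME_RE.fullmatch(value) is not None


def render_profile(rows):
    """Control 2: encode for the output context (HTML body), so data that looks
    like markup is displayed as text rather than interpreted by the browser."""
    return "".join(
        f"<li>{html.escape(user)} &lt;{html.escape(email)}&gt;</li>" for user, email in rows
    )


def demo():
    """Run the payload against both lookups; returns (rows leaked, rows returned safely)."""
    conn = make_db()
    leaked = lookup_vulnerable(conn, PAYLOAD)
    safe = lookup_parameterized(conn, PAYLOAD)
    return len(leaked), len(safe)


if __name__ == "__main__":
    print("vulnerable vs parameterized:", demo())                     # (3, 0)
    print("payload passes validation?", is_valid_username(PAYLOAD))   # False
    print(render_profile([("<script>alert(1)</script>", "x@example.test")]))
```

The vulnerable lookup returns all three records for the payload, which is exactly the kind of leak the Ministry scenario describes; the parameterized lookup returns none, because the payload is compared as a literal username. Validation and encoding are defence in depth, not a substitute for parameterization: the allow-list also rejects the payload, and the encoded output keeps a stored name such as <script>alert(1)</script> from running in the browser.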
  35. Hack your code!
  36. CODE REVIEW GUIDE (BREAKERS) www.owasp.org/index.php/Code_Review_Guide • Most comprehensive open source secure code review guide on the web • Years of development effort • Version 2 alpha, 2016 • Numerous contributors • Project Leader and Editor: eoin.keary@owasp.org
  37. TESTING GUIDE (BREAKERS) www.owasp.org/index.php/Testing_Guide • Most comprehensive open source security testing guide on the web • Years of development effort • Version 4.0 produced in 2014 • Hundreds of contributors • Project Leaders and Editors: Matteo Meucci, Andrew Muller – matteo.meucci@owasp.org, andrew.muller@owasp.org
  38. THE OWASP GUIDES: COMMUNITY DRIVEN, FOR ALL ENTERPRISES
  39. Fight with the same weapons (knowledge)
  40. 2.2 HOW TO USE THE OWASP STANDARDS IN YOUR PROCESSES
  41. Roles and responsibilities (activities per SDLC phase)
      Define: Risk Assessment; Secure Requirements
      Design: Secure Design; Threat Modeling; Secure Architecture
      Develop: Design Review; Secure Development; SCR and WAPT (Secure Code Review and Web Application Penetration Testing)
      Deploy: Software Acceptance; Secure Installation; Hardening
      Maintain: Web Intrusion Monitoring; Change Management; Fixing
      Roles involved (in slide order): Business Analyst; Security Manager; Business Analyst; AppSec Specialist; Business Analyst; Software Architect, AppSec Specialist; Security Manager; Application Owner; Software Architect; Security Manager; Security Manager; Developer; AppSec Specialist; Developer; Security Manager; App Owner; System Administrator; System Administrator; AppSec Specialist; Security Manager; App Owner; Developer
  42. Software Security Maturity (activities per SDLC phase)
      Define: Risk Assessment; Secure Requirements
      Design: Secure Design; Threat Modeling; Secure Architecture
      Develop: Design Review; Secure Development; Secure Code Review
      Deploy: Application Penetration Testing; Software Acceptance; Secure Installation; Hardening
      Maintain: Web Intrusion Monitoring; Change Management; Fixing
      Maturity percentages shown on the slide (one per activity): 20%, 60%, 30%, 10%, 30%, 30%, 60%, 40%, 30%, 90%, 30%, 50%, 60%, 40%, 40%
      Source: Minded Security – Results of 12 SAMM assessments from 2012 to 2015
  43. OWASP resources in your SDLC • If you do not ask for security, no one will develop secure software: use the OWASP Software Contract Annex to regulate your outsourcer contracts • If you do not know the application threats, you will develop insecure software: use the OWASP Top 10 for general awareness and the CISO Guide for management’s awareness • Vulnerabilities in the software development process are expected: use the OWASP Building Guide and ESAPI to write more secure software, the OWASP Secure Code Review Guide to review the code, and the OWASP Testing Guide to test your application
  44. OWASP resources in your SDLC • The fixing process is the most important step of the software security process: retest your application after a bug fix or a new release to be sure that the right fixes are in place • How can I manage Software Security governance? Use OWASP SAMM to assess your maturity and to build an Application Security Program to manage the SDLC
  45. CONCLUSIONS
  46. NEXT STEPS: WHAT IS MISSING TODAY? • Awareness of SwSec (Software Security): from developers to analysts, application owners and management. • Hire Information Security managers: Application Security managers and Privacy Security managers. • Software Security Program: without a program and assigned responsibilities it is difficult to manage Software Security.
  47. QUESTIONS? THANKS! WWW.MINDEDSECURITY.COM MATTEO.MEUCCI@MINDEDSECURITY.COM
