App Sec Eu08 Sec Frm Not In Code

909 views

Published on

My presentation at App Sec Eu08 GANT

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
909
On SlideShare
0
From Embeds
0
Number of Embeds
33
Actions
Shares
0
Downloads
0
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

App Sec Eu08 Sec Frm Not In Code

  1. 1. OWASP Europe Conference 2008 Security framework is not in the code Sam Reghenzi OWASP Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org
  2. 2. Do we really need more security in our software? OWASP
  3. 3. Do we really need more security in our software? OWASP
  4. 4. Do we really need more security in our software? Number of security related vulnerabilities OWASP
  5. 5. Do we really need more security in our software? Number of security related vulnerabilities We need to build better software OWASP
  6. 6. #1 What we mean with Security Framework It is not Authentication and authorization Encryption Firewall software It could be An enterprise security approach A risk management framework for security related threats Defined steps in your (Secure) development life cycle OWASP
  7. 7. #1 What we mean with Security Framework It is not Authentication and authorization Encryption Firewall software It could be An enterprise security approach A risk management framework for security related threats Defined steps in your (Secure) development life cycle Application security is inside the application not around it OWASP
  8. 8. Traditions (And other bad habits) Security is a network problem and it can be solved with hardware No budget in development Software not developed in a security aware life cycle OWASP
  9. 9. Establish security in your DL Software engineering Find best practice to fit your team or company Test for abuse, not only for good use Measure code, bug and progress Social engineering Make good friends Be aware of your business compliancy Wait... something bad will happen OWASP
  10. 10. The ROI Problem Security in software development brings no direct revenue #1 Reduce costs #2 Bring evidence of risks #3 Sell security as a value OWASP
  11. 11. [Static]Code analysis Add security awareness in code reviews Add security blue prints in automatic code analysis Fix codebase and third party software OWASP
  12. 12. [Static]Code analysis The poor man so!ware security Add security awareness in code reviews Add security blue prints in automatic code analysis Fix codebase and third party software OWASP
  13. 13. Security Risk management Manage knowledge, identify risks, rank them and fix them Context Risk Sort Fix OWASP
  14. 14. Security Risk management Gather documentation #1 Gather information from management Gather information from the team Gather information from artifacts #2 Organize everything #3 Make the deal OWASP
  15. 15. Hot stages of SDLC The architectural design User stories The development Test driven The test Iterations The enhancement Code review Abuse cases Penetration testing Security requirements Risk analysis OWASP
  16. 16. Hot stages of SDLC Traditional The architectural design User stories The development Test driven The test Iterations The enhancement Code review Abuse cases Penetration testing Security requirements Risk analysis OWASP
  17. 17. Hot stages of SDLC Traditional Agile The architectural design User stories The development Test driven The test Iterations The enhancement Code review Abuse cases Penetration testing Security requirements Risk analysis OWASP
  18. 18. Hot stages of SDLC Traditional Agile The architectural design User stories The development Test driven The test Iterations The enhancement Touchpoints Code review Abuse cases Penetration testing Security requirements Risk analysis OWASP
  19. 19. Historical knowledge Know your enemies Find exploit earlier Find focus Prevent attack patterns Enrich security management framework OWASP
  20. 20. Tips Jump on the High availability train Mitigate Web 2.0 Deliver something concrete In Rome act like a Roman OWASP
  21. 21. Q&A ? OWASP

×