Secure SDLC for Software

  1. SOFTWARE/APPLICATION SECURITY (STATE)
  2. Data Breaches & Security
  3. Hacks & Attacks
  4. Security with Banks
  5. Security with Banks
  6. Security with Banks
  7. Root cause of Vulnerabilities. CSI Security Survey, vulnerability distribution: programming errors 64%, misconfiguration and other problems 36%.
  8. AppSec dynamics
  9. Vulnerable State vs. Expected State (diagram labels): Input (Integer/Number, Special Characters, A-Z Characters) → Decision / Exception Handler → Expected State or Vulnerable State → Potential Exploitation (enterprise-level bugs)
  10. Top 10 & Bugs
  11. Threats and Controls Source – Web Application Security Consortium
  12. Mapping
  13. SDLC – WHERE IS SECURITY?
  14. Enterprise SDLC
      1. Analysis and Assessment
      2. Design Specification
      3. Software Development
      4. Implementation
      5. Support
      6. Performance Monitoring
  15. Application Security Cycle
      Architecture: Architecture Review, Design Review, Technology Review, Threat modeling
      Blackbox: Assessment, Audit controls, Penetration tests, Deployment tests
      Whitebox: Configuration review, Deployment review, Code review, Threat correlation
      Defense: Secure coding, Configuration lockdown, Content filtering, Threat mitigation
  16. Different models
  17. Methodology, Scan and Attacks (diagram labels)
      Black: Footprinting & Discovery, Enumeration & Crawling, Attacks and Scanning
      White: Config Scanning, Code Scanning
      Defense: Web Firewall, Secure Coding
      Assets → Secure Assets
  18. Black vs. White
      Black: Architecture Review → Scoping → Footprinting → Discovery → Enumeration & Profiling → Security Controls & Cases → Vulnerability Assessment → Threat Modeling → Mitigation strategies → Reporting
      White: Architecture Review → Scoping → Threat Modeling → Code Enumeration → Security Controls & Cases → Entry Point Discoveries → Class, Function & Variable Tracing → Code Mapping and Functionality → Vulnerability Detection → Mitigation Controls → Reporting
      Sample Security Control Categories: Authentication, Access Controls/Authorization, API misuse, Path traversal, Sensitive information leakage, Error handling, Session management, Protocol abuse, Input validations, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Logic bypass, Insecure crypto, Denial of Service, Malicious Code Injection, SQL injection, XPATH and LDAP injections, OS command injection, Parameter manipulations, Bruteforce, Buffer Overflow, Format string, HTTP response splitting, HTTP replay, XML injection, Canonicalization, Logging and auditing
  19. MISSING PARTS
  20. Black-White-TM
  21. Architecture review
  22. Entry Point Review: QueryString; POST name and value pairs; XML/JSON etc.; HTTP variables; Cookies etc.; File attachments, uploads etc.; Feeds and other third-party information; Open APIs and integrated streams; HTTP response variables; JSON/XML streams; API streams
  23. Vulnerable and Exploit
  24. Building code from object…
  25. Attack & Entry
  26. AppCodeScan way…
  27. Impact Analysis
  28. Impact
  29. Impact
  30. Tracing
  31. CONCLUSION – QUESTIONS! [email_address] http://www.blueinfy.com
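The whitebox steps on slides 18, 22 and 30 (entry point discovery, then class/function/variable tracing from each entry point to the code that consumes it) can be shown in working form. The scanner below is an added example written for this page; it is not code from the deck and not Blueinfy's AppCodeScan. It assumes one Java statement per line, a hypothetical servlet fragment constructed here as sample input, and an illustrative table of entry points (servlet request calls), sinks (SQL execution, HTML output, command execution) and sanitizers that breaks the taint chain; all of those names are assumptions for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample (not from the deck): a Java servlet fragment with three
# entry points, one sanitized path and two unsanitized sinks.
SAMPLE_SOURCE = """\
String id = request.getParameter("id");
String name = request.getHeader("X-Name");
Cookie[] cookies = request.getCookies();
String q = "SELECT * FROM users WHERE id = " + id;
Statement st = conn.createStatement();
ResultSet rs = st.executeQuery(q);
out.println("<b>" + name + "</b>");
String safe = Integer.toString(Integer.parseInt(id));
ResultSet rs2 = st.executeQuery("SELECT * FROM t WHERE id = " + safe);
"""

# Entry points keyed by the categories of the entry-point review slide
# (assumed servlet API spellings, extend per framework).
ENTRY_POINTS = {
    "QueryString/POST": r"request\.getParameter\(",
    "HTTP variables": r"request\.getHeader\(",
    "Cookie": r"request\.getCookies\(",
    "File upload": r"request\.getPart\(",
    "XML/JSON body": r"request\.get(?:InputStream|Reader)\(",
}

# Sinks mapped to the control category they belong to (assumed list).
SINKS = {
    "SQL injection": r"\.(?:executeQuery|executeUpdate|execute)\(",
    "XSS": r"out\.print(?:ln)?\(",
    "OS command injection": r"Runtime\.getRuntime\(\)\.exec\(",
}

# Calls treated as breaking the taint chain (illustrative, not exhaustive).
SANITIZERS = re.compile(r"Integer\.parseInt\(|URLEncoder\.encode\(|escapeHtml\(")

ASSIGN = re.compile(r"^\s*(?:[\w\[\]<>]+\s+)?(\w+)\s*=\s*(.+?);\s*$")
STRING_LITERAL = re.compile(r'"(?:\\.|[^"\\])*"')
IDENT = re.compile(r"\b[A-Za-z_]\w*\b")


@dataclass(frozen=True)
class Flow:
    sink_line: int
    sink_kind: str
    var: str          # variable that reaches the sink
    origin_var: str   # entry-point variable it was derived from
    origin_line: int


def identifiers(expr: str) -> set[str]:
    """Identifiers in an expression, ignoring text inside string literals."""
    return set(IDENT.findall(STRING_LITERAL.sub('""', expr)))


def find_entry_points(source: str) -> list[tuple[int, str, str]]:
    """Entry-point discovery: (line, category, variable) for every assignment
    whose right-hand side reads request data."""
    found = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = ASSIGN.match(line)
        if not m:
            continue
        var, rhs = m.groups()
        for kind, pattern in ENTRY_POINTS.items():
            if re.search(pattern, rhs):
                found.append((lineno, kind, var))
                break
    return found


def trace_flows(source: str) -> list[Flow]:
    """Variable tracing: propagate taint from entry points through simple
    assignments and report each sink that a tainted variable reaches."""
    tainted: dict[str, tuple[str, int]] = {}   # var -> (origin var, line)
    flows = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = ASSIGN.match(line)
        if m:
            var, rhs = m.groups()
            if any(re.search(p, rhs) for p in ENTRY_POINTS.values()):
                tainted[var] = (var, lineno)
            elif SANITIZERS.search(rhs):
                tainted.pop(var, None)       # sanitized: chain is broken
            else:
                src = next((v for v in identifiers(rhs) if v in tainted), None)
                if src:
                    tainted[var] = tainted[src]
                else:
                    tainted.pop(var, None)   # reassigned from clean data
        for kind, pattern in SINKS.items():
            s = re.search(pattern, line)
            if not s:
                continue
            for v in sorted(identifiers(line[s.end():])):
                if v in tainted:
                    origin_var, origin_line = tainted[v]
                    flows.append(Flow(lineno, kind, v, origin_var, origin_line))
    return flows


if __name__ == "__main__":
    for ep in find_entry_points(SAMPLE_SOURCE):
        print("entry point", ep)
    for f in trace_flows(SAMPLE_SOURCE):
        print(f"line {f.sink_line}: {f.sink_kind} via {f.var} "
              f"(from {f.origin_var} at line {f.origin_line})")
```

On the sample, the scanner lists three entry points (id, name, cookies) and two flows: the query string parameter reaches executeQuery through q on line 6, and the header value reaches out.println on line 7; the parseInt path on lines 8-9 is reported clean. Real tracing has to follow calls across classes and methods (the "Class, Function & Variable Tracing" step), which a per-line regex pass does not; the point here is the shape of the method, entry points first and sinks only judged against what reaches them.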