A Journey into Application Security
Christian Martorella
ISACA Italy 2014
Venezia, 3rd October

Who am I
• Principal Program Manager, Product Security, Skype – Microsoft
• Edge-Security: Wfuzz, theHarvester, Metagoofil, Webslayer
• Presented at many security conferences: Hack.lu, Black Hat Arsenal, Source, OWASP Summit, OSIRA
• CIS(A,M,SP), OPS(T,A)

My background
• Started as an internal security auditor (Offensive)
• Responsible for system and network security at a small ISP (Defensive)
• Penetration tester -> Team leader (Offensive)
• Practice lead for Threat and Vulnerability in EMEA (Offensive)
• Product Security Analyst at Skype (Defensive)

Introduction
This presentation is about the evolution of software development and its relation to application security: how application security teams adapted over time and the challenges we are facing.

Waterfall development
• Originated in the manufacturing and construction industries
• Hardware-oriented model adapted to software development
• Sequential design process
• Introduced by Winston Royce in the ’70s

Waterfall development
• Make sure each phase is 100% complete and absolutely correct before proceeding to the next phase
• Emphasis on documentation
• Projects span a long period of time
• Time spent early on making sure requirements and design are correct saves much time and effort later

Application Security

Microsoft Secure Development Lifecycle (SDL)
Set of software development process improvements
Born in 2002 and established in 2004, as a result of the MS Trustworthy Computing (TWC) initiative
More than 50% fewer vulnerabilities in shipped code

SDL Methodologies

SDL evolution

Security approach
Influence in the Design phase:
• All functional and design specifications, regardless of document size, should contain a section describing how the component impacts security
• Threat Modeling: understand the assets to protect, the threats and vulnerabilities to the product, and how they will be mitigated. Critical to creating secure software
Most important phase in Waterfall

Security approach
Development phase:
Implement security tools:
• Static analysis, banned APIs, FxCop, /Analyze
Implement security checklist
Secure coding best practices
Verification / Release phase:
Fuzzing
Verify / validate Threat Model
Final security review (FSR)
Security testing by another team or third party

Challenges
• A lack of security requirements in the design phase makes it difficult to add them in later stages
• The non-iterative nature makes it difficult to fix issues identified in advanced stages of development
• Issues detected in the Final review will be expensive to fix

Agile development
• Cross-functional, self-organizing teams
• Short, time-boxed development iterations
• Delivery of small functional stories
• Listen to customer needs and adapt
• Usually low in documentation

Agile Manifesto
Individuals and interactions over processes and tools
Working software over comprehensive documentation
Customer collaboration over contract negotiation
Responding to change over following a plan
That is, while there is value in the items on the right, we value the items on the left more.

Challenges
• SDL too complex to fit in each release/Sprint
• Design and requirements evolve over time
• New interactions with third parties are not known in advance
• Teams usually don’t have an Application Security specialist
• Teams move faster than in Waterfall
• New code is pushed to production every week or even every few days
• Low on documentation

SDL for Agile
The categorization of SDL requirements into:
• every-sprint
• one-time
• Three bucket groups (Verification, Design, Response)
is the SDL-Agile solution for dealing with SDL in Agile environments

Recommendations
• Training the teams and providing them with tools is the most important aspect of implementing SDL in Agile teams
• Security specialist assigned to a few teams, to provide consultancy
• Useful to participate in Sprint planning to understand what is going on
• Sprint Security Checklist (FSR), after Sprint planning
• Get familiar with Agile tools and the backlog

SDL for Agile
• Continuous Integration (Automation):
  Secure code analysis
  Security unit tests
  Vulnerability scanning
  Secure configuration

Happiness

Cloud photos

Cloud
• “We want to start using Cloud services”

Challenges
• Security of the data
• Security of the servers
• Who is responsible for the servers
• Where the data is located
• Encryption at rest
• Disk reuse

Security Approach
• New Security policy for Cloud services
• Security Onboarding for teams
• Inventory of cloud services

DEVOPS

Why Devops?
• Continuous software delivery
• Faster delivery of features
• Faster resolution of problems
• Less complex problems to fix
More Deploys Means Faster Time to Market and Continual Improvement

Challenges
• Rapid release cycles (every day, multiple times a day)
• Autonomous teams
• Teams are doing development and operations now
• Infrastructure also changes fast

Development cycles
Waterfall, Agile, Devops

Surviving Devops
• Provide security training to teams
• Provide security policies and guidelines
• Security and abuse stories, driven by business
• Situational awareness:
  • What do we have?
  • Changes, alerts
  • Attack surface, priorities

Surviving Devops
• Automation:
  • Integrate testing into the continuous integration and release process (Chef & Puppet)
  • Integrate and extend production configuration monitoring
  • Develop your own security testing tools, more focused and adapted to your particular needs

Surviving Devops
Situational awareness & Automation example:
- Source code: product attack surface analyzer, alerts, prioritization of efforts.
- Internet footprint: scanning and inventory, updated every hour.

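The "What do we have? Changes, alerts. Attack surface, priorities" loop above can be shown as a diff between two hourly footprint snapshots. This is an added example, not code from the presentation or from the author's tooling; the snapshot format ("host port service"), the host names, the owner inventory and the list of sensitive ports are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed policy (assumption): ports that should not normally face the Internet.
SENSITIVE_PORTS = {22, 23, 3306, 3389, 6379, 9200}
PRIORITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# Constructed sample data: last hour's scan, this hour's scan, and the team inventory.
PREVIOUS_SCAN = """
www.example.com 443 https
www.example.com 80 http
api.example.com 443 https
old.example.com 21 ftp
"""
CURRENT_SCAN = """
www.example.com 443 https
www.example.com 80 http-proxy      # same port, different service answering
api.example.com 443 https
api.example.com 8080 http
build.example.com 22 ssh
db.example.com 6379 redis
"""
OWNERS = {
    "www.example.com": "web",
    "api.example.com": "platform",
    "build.example.com": "ci",
    "old.example.com": "web",
}


@dataclass(frozen=True)
class Alert:
    priority: str   # "high", "medium" or "low"
    kind: str       # "new", "changed" or "closed"
    host: str
    port: int
    detail: str


def parse_snapshot(text):
    """Parse 'host port service' lines into {(host, port): service}."""
    exposures = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3 or not fields[1].isdigit():
            raise ValueError(f"line {lineno}: expected 'host port service', got {raw!r}")
        port = int(fields[1])
        if not 0 < port < 65536:
            raise ValueError(f"line {lineno}: port out of range: {port}")
        exposures[(fields[0].lower(), port)] = fields[2].lower()
    return exposures


def diff_snapshots(previous, current, owners):
    """Turn two snapshots into alerts, most urgent first."""
    alerts = []
    for (host, port), service in current.items():
        owner = owners.get(host)
        if (host, port) not in previous:
            if owner is None:
                # Nobody claims the host: the inventory itself is incomplete.
                priority, why = "high", "host has no owning team in the inventory"
            elif port in SENSITIVE_PORTS:
                priority, why = "high", f"sensitive port exposed, owner {owner}"
            else:
                priority, why = "medium", f"new exposure, owner {owner}"
            alerts.append(Alert(priority, "new", host, port, f"{service}: {why}"))
        elif previous[(host, port)] != service:
            detail = f"{previous[(host, port)]} -> {service}"
            alerts.append(Alert("medium", "changed", host, port, detail))
    for (host, port), service in previous.items():
        if (host, port) not in current:
            alerts.append(Alert("low", "closed", host, port, f"{service} no longer reachable"))
    return sorted(alerts, key=lambda a: (PRIORITY_ORDER[a.priority], a.host, a.port))


def run_example():
    """Diff the two constructed scans against the constructed inventory."""
    return diff_snapshots(parse_snapshot(PREVIOUS_SCAN), parse_snapshot(CURRENT_SCAN), OWNERS)


if __name__ == "__main__":
    for alert in run_example():
        print(f"[{alert.priority:6}] {alert.kind:7} {alert.host}:{alert.port}  {alert.detail}")
```
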
Surviving Devops
• Integrate InfoSec and IR into the Ops/Devs escalation process
• Harden the production environment
• Provide guidelines/baselines on what a hardened environment is
• Automate hardening (Chef/Puppet)
• Tolerate failure in production environments (Chaos Monkey)

Surviving Devops
• Metrics:
  • Identify whether teams are repeating certain types of vulnerabilities, and train them to prevent the repetition
  • Prioritize training
  • Modify policies and baselines
  • Tune tools
• Interact more closely with teams, attend standups
• Be more flexible and adapt to team processes
  • Mesh with the unique development cultures of individual teams

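One way to turn the Metrics bullets above into a report, as an added example that is not part of the original slides: recurring vulnerability classes are mapped to "train the team", "modify the baseline" or "tune tools". The findings export, its field names, the team names and the mapping rules (two or more sprints counts as repeating, two or more teams points at the baseline, no automated hit points at the tools) are constructed assumptions.

```python
from collections import defaultdict

# Constructed findings export (assumption: the tracker records team, sprint,
# vulnerability class and which activity found the issue).
FINDINGS = [
    {"team": "payments", "sprint": 41, "vuln_class": "xss", "found_by": "ci-scan"},
    {"team": "payments", "sprint": 42, "vuln_class": "xss", "found_by": "pentest"},
    {"team": "payments", "sprint": 43, "vuln_class": "xss", "found_by": "ci-scan"},
    {"team": "payments", "sprint": 42, "vuln_class": "sqli", "found_by": "ci-scan"},
    {"team": "search", "sprint": 41, "vuln_class": "ssrf", "found_by": "pentest"},
    {"team": "search", "sprint": 43, "vuln_class": "ssrf", "found_by": "bug-bounty"},
    {"team": "search", "sprint": 42, "vuln_class": "hardcoded-secret", "found_by": "ci-scan"},
    {"team": "search", "sprint": 43, "vuln_class": "hardcoded-secret", "found_by": "pentest"},
    {"team": "mobile", "sprint": 41, "vuln_class": "hardcoded-secret", "found_by": "ci-scan"},
    {"team": "mobile", "sprint": 43, "vuln_class": "hardcoded-secret", "found_by": "ci-scan"},
]
# Assumption: which "found_by" values come from automated checks in the pipeline.
AUTOMATED_SOURCES = {"ci-scan"}


def summarize(findings):
    """Index findings as {(team, class): {"sprints": set, "sources": set}}."""
    stats = defaultdict(lambda: {"sprints": set(), "sources": set()})
    for finding in findings:
        entry = stats[(finding["team"], finding["vuln_class"])]
        entry["sprints"].add(finding["sprint"])
        entry["sources"].add(finding["found_by"])
    return dict(stats)


def recommend(findings, min_sprints=2):
    """Return (action, vuln_class, who_or_what) tuples derived from the findings.

    train-team      a class keeps coming back in one team
    modify-baseline the same class keeps coming back in several teams
    tune-tools      a class was never caught by an automated source
    """
    stats = summarize(findings)

    # A class "repeats" for a team when it shows up in min_sprints distinct sprints.
    teams_by_class = defaultdict(set)
    for (team, vuln_class), entry in stats.items():
        if len(entry["sprints"]) >= min_sprints:
            teams_by_class[vuln_class].add(team)

    actions = []
    for vuln_class, teams in sorted(teams_by_class.items()):
        action = "modify-baseline" if len(teams) >= 2 else "train-team"
        actions.append((action, vuln_class, sorted(teams)))

    # Classes only ever reported by people: the automated checks need tuning.
    sources_by_class = defaultdict(set)
    for (_team, vuln_class), entry in stats.items():
        sources_by_class[vuln_class] |= entry["sources"]
    for vuln_class, sources in sorted(sources_by_class.items()):
        if not sources & AUTOMATED_SOURCES:
            actions.append(("tune-tools", vuln_class, sorted(sources)))
    return actions


if __name__ == "__main__":
    for action, vuln_class, subject in recommend(FINDINGS):
        print(f"{action:16} {vuln_class:18} {', '.join(subject)}")
```
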
The Future?

Rugged software
“Rugged” describes software development organizations which have a culture of rapidly evolving their ability to create available, survivable, defensible, secure, and resilient software
Rugged is NOT a technology, process model, SDLC, or organizational structure. It’s not even a noun.

Rugged software
Rugged describes staying ahead of the threat over time
“We are convinced that negative and reactive approaches to application security cannot scale and are doomed to fail. These approaches primarily rely on finding vulnerabilities and fixing them.”

Rugged Manifesto
I am rugged and, more importantly, my code is rugged.
I recognize that software has become a foundation of our modern world.
I recognize the awesome responsibility that comes with this foundational role.
I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.
I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic and national security.
I recognize these things – and I choose to be rugged.
I am rugged because I refuse to be a source of vulnerability or weakness.
I am rugged because I assure my code will support its mission.
I am rugged because my code can face these challenges and persist in spite of them.
I am rugged, not because it is easy, but because it is necessary and I am up for the challenge.

Conclusion
• Development methodologies and processes have changed considerably over time
• More things are happening in a shorter period of time
• Security tools and techniques need to adapt to this situation
• Automation is key in a Devops environment
• Security professionals need to be flexible and engage more than ever with development teams

?

Thank you
cmartorella@edge-security.com

Resources
• Microsoft SDL - http://www.microsoft.com/security/sdl/default.aspx
• Rugged Software - https://www.ruggedsoftware.org/
• http://labs.securitycompass.com/appsec-2/the-cultural-challenges-of-application-security/
• http://devops.com/features/the-unexpected-benefits-of-devops/
• http://newrelic.com/devops/benefits-of-devops

All your data are belong to us - FIST Conference 2007
 
Principales vulnerabilidades en Aplicaciones Web - Rediris 2008
Principales vulnerabilidades en Aplicaciones Web - Rediris 2008Principales vulnerabilidades en Aplicaciones Web - Rediris 2008
Principales vulnerabilidades en Aplicaciones Web - Rediris 2008
 

Recently uploaded

React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
THE STATE OF STARTUP ECOSYSTEM - INDIA x JAPAN 2023
THE STATE OF STARTUP ECOSYSTEM - INDIA x JAPAN 2023THE STATE OF STARTUP ECOSYSTEM - INDIA x JAPAN 2023
THE STATE OF STARTUP ECOSYSTEM - INDIA x JAPAN 2023Joshua Flannery
 
Women in Automation 2024: Career session - explore career paths in automation
Women in Automation 2024: Career session - explore career paths in automationWomen in Automation 2024: Career session - explore career paths in automation
Women in Automation 2024: Career session - explore career paths in automationDianaGray10
 
Automation Ops Series: Session 3 - Solutions management
Automation Ops Series: Session 3 - Solutions managementAutomation Ops Series: Session 3 - Solutions management
Automation Ops Series: Session 3 - Solutions managementDianaGray10
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxAna-Maria Mihalceanu
 
Arti Languages Pre Seed Pitchdeck 2024.pdf
Arti Languages Pre Seed Pitchdeck 2024.pdfArti Languages Pre Seed Pitchdeck 2024.pdf
Arti Languages Pre Seed Pitchdeck 2024.pdfwill854175
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos
 
Tecnogravura, Cylinder Engraving for Rotogravure
Tecnogravura, Cylinder Engraving for RotogravureTecnogravura, Cylinder Engraving for Rotogravure
Tecnogravura, Cylinder Engraving for RotogravureAntonio de Llamas
 
Dynamical Context introduction word sensibility orientation
Dynamical Context introduction word sensibility orientationDynamical Context introduction word sensibility orientation
Dynamical Context introduction word sensibility orientationBuild Intuit
 
Bitdefender-CSG-Report-creat7534-interactive
Bitdefender-CSG-Report-creat7534-interactiveBitdefender-CSG-Report-creat7534-interactive
Bitdefender-CSG-Report-creat7534-interactivestartupro
 
Deliver Latency Free Customer Experience
Deliver Latency Free Customer ExperienceDeliver Latency Free Customer Experience
Deliver Latency Free Customer ExperienceOpsTree solutions
 
Green paths: Learning from publishers’ sustainability journeys - Tech Forum 2024
Green paths: Learning from publishers’ sustainability journeys - Tech Forum 2024Green paths: Learning from publishers’ sustainability journeys - Tech Forum 2024
Green paths: Learning from publishers’ sustainability journeys - Tech Forum 2024BookNet Canada
 
Tetracrom printing process for packaging with CMYK+
Tetracrom printing process for packaging with CMYK+Tetracrom printing process for packaging with CMYK+
Tetracrom printing process for packaging with CMYK+Antonio de Llamas
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...BookNet Canada
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessWSO2
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 

Recently uploaded (20)

React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
THE STATE OF STARTUP ECOSYSTEM - INDIA x JAPAN 2023
THE STATE OF STARTUP ECOSYSTEM - INDIA x JAPAN 2023THE STATE OF STARTUP ECOSYSTEM - INDIA x JAPAN 2023
THE STATE OF STARTUP ECOSYSTEM - INDIA x JAPAN 2023
 
Women in Automation 2024: Career session - explore career paths in automation
Women in Automation 2024: Career session - explore career paths in automationWomen in Automation 2024: Career session - explore career paths in automation
Women in Automation 2024: Career session - explore career paths in automation
 
Automation Ops Series: Session 3 - Solutions management
Automation Ops Series: Session 3 - Solutions managementAutomation Ops Series: Session 3 - Solutions management
Automation Ops Series: Session 3 - Solutions management
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
Arti Languages Pre Seed Pitchdeck 2024.pdf
Arti Languages Pre Seed Pitchdeck 2024.pdfArti Languages Pre Seed Pitchdeck 2024.pdf
Arti Languages Pre Seed Pitchdeck 2024.pdf
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 
Tecnogravura, Cylinder Engraving for Rotogravure
Tecnogravura, Cylinder Engraving for RotogravureTecnogravura, Cylinder Engraving for Rotogravure
Tecnogravura, Cylinder Engraving for Rotogravure
 
Dynamical Context introduction word sensibility orientation
Dynamical Context introduction word sensibility orientationDynamical Context introduction word sensibility orientation
Dynamical Context introduction word sensibility orientation
 
Bitdefender-CSG-Report-creat7534-interactive
Bitdefender-CSG-Report-creat7534-interactiveBitdefender-CSG-Report-creat7534-interactive
Bitdefender-CSG-Report-creat7534-interactive
 
Deliver Latency Free Customer Experience
Deliver Latency Free Customer ExperienceDeliver Latency Free Customer Experience
Deliver Latency Free Customer Experience
 
Green paths: Learning from publishers’ sustainability journeys - Tech Forum 2024
Green paths: Learning from publishers’ sustainability journeys - Tech Forum 2024Green paths: Learning from publishers’ sustainability journeys - Tech Forum 2024
Green paths: Learning from publishers’ sustainability journeys - Tech Forum 2024
 
Tetracrom printing process for packaging with CMYK+
Tetracrom printing process for packaging with CMYK+Tetracrom printing process for packaging with CMYK+
Tetracrom printing process for packaging with CMYK+
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with Platformless
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 

A journey into Application Security

  • 1. A Journey into Application Security
      Christian Martorella
      ISACA Italy 2014
      Venezia, 3rd October
  • 2. Who am I
      • Principal Program Manager, Product Security
        Skype – Microsoft
      • Edge-Security: Wfuzz, theHarvester, Metagoofil, Webslayer
      • Presented in many Security conferences: Hack.lu, Blackhat Arsenal, Source, OWASP Summit, OSIRA
      • CIS(A,M,SP), OPS(T,A)
  • 3. My background
      • Started as internal security auditor (Offensive)
      • System and network security responsible of a small ISP (Defensive)
      • Penetration tester -> Team leader (Offensive)
      • Practice lead for Threat and Vulnerability in EMEA (Offensive)
      • Product Security Analyst in Skype (Defensive)
  • 4. Introduction
      This presentation is about the evolution of software development and the relation with Application security.
      How application security teams adapted over time and the challenges we are facing
  • 5.
  • 7. Waterfall development
      • Originated from the manufacturing and construction industries.
      • Hardware oriented model adapted to Software development
      • Sequential design process
      • Introduced by Winston Royce in the ’70
  • 8. Waterfall development
      • Make sure each phase is 100% complete and absolutely correct before proceeding to the next phase
      • Emphasis on documentation
      • Project span across long period of time
      • Time spent early on making sure requirements and design are correct saves much time and effort later.
  • 9. Application Security
      Microsoft Secure Development Lifecycle (SDL)
      Set of software development process improvements
      Born in 2002 and established in 2004, as result of MS Trustworthy Computer (TWC) initiative.
      More than 50% less vulnerabilities in shipped code
  • 12. Security approach
      Influence in the Design phase:
      • All functional and design specifications, regardless of document size, should contain a section describing how the component impacts security
      • Threat Modeling: Understand assets to protect, threats and vulnerabilities to the product and how will be mitigated. Critical to create a secure software
      Most important phase in Waterfall
  • 13. Security approach
      Development phase:
      Implement security tools:
      • Static analysis, Banned Apis, FxCop, /Analyze
      Implement security checklist
      Secure coding best practices
      Verification / Release phase:
      Fuzzing
      Verify / validate Threat Model
      Final security review (FSR)
      Security testing by another team or third party
  • 14. Challenges
      • Lack of security requirements in design phase will make it difficult to add them in later stages
      • Non iterative nature makes difficult to fix issues identified in advanced stages of development
      • Issues detected in the Final review, will be expensive to fix
  • 16. Agile development
      • Cross functional teams, self organizing
      • Short time boxed development iterations
      • Delivery of small functional stories
      • Listen to customer needs and adapt
      • Usually low in documentation
  • 17. Agile Manifesto
      Individuals and interactions over processes and tools
      Working software over comprehensive documentation
      Customer collaboration over contract negotiation
      Responding to change over following a plan
      That is, while there is value in the items on the right, we value the items on the left more.
  • 18.
  • 19.
  • 20. Challenges
      • SDL too complex to fit in each release/Sprint
      • Design, requirements evolve over time
      • New interactions with third parties are not known in advance
      • Teams usually don’t have an Application Security specialist
      • Teams move faster than Waterfall
      • New code is being pushed to production every week or even days.
      • Low on documentation
  • 22. SDL for Agile
      The categorization of SDL requirements into:
      • every-sprint
      • one-time
      • Three bucket groups (Verification, design, Response)
      is the SDL-Agile solution for dealing with SDL in Agile environments
  • 23. Recommendations
      • Training the teams and providing them with tools is the most important aspect in order to implement SDL in Agile teams
      • Security specialist assigned to a few teams, to provide consultancy
      • Useful to participate in Sprint planning to understand what is going on
      • Sprint Security Checklist (FSR), after Sprint planning
      • Get familiar with Agile tools, backlog.
  • 24. SDL for Agile
      • Continuous Integration (Automation):
      Secure Code analysis
      Security unit test
      Vulnerability scanning
      Secure configuration
  • 27. Cloud
      • “We want to start using Cloud services”
  • 28. Challenges
      • Security of the data
      • Security of the servers
      • Who is responsible for the servers
      • Where is the data located
      • Encryption at rest
      • Disks reutilization
  • 29. Security Approach
      • New Security policy for Cloud services
      • Security Onboarding for teams
      • Inventory of cloud services
  • 30.
  • 32. Why Devops?
      • Continuous software delivery
      • Faster delivery of features
      • Faster resolution of problems
      • Less complex problems to fix
      More Deploys Means Faster Time to Market and Continual Improvement
  • 33.
  • 34. Challenges
      • Rapid releases cycles (every day, multiple times a day)
      • Autonomous teams
      • Teams are doing development and operations now
      • Infrastructure also changes fast
  • 36.
  • 37.
  • 38. Surviving Devops
      • Providing security training to teams
      • Provide security policies, guidelines
      • Security and abuse stories, driven by business
      • Situational awareness:
      • What do we have?
      • Changes, alerts.
      • Attack surface, priorities
  • 39. Surviving Devops
      • Automation:
      • Integrate testing into continuous integration and release process (Chef & Puppet)
      • Integrate and extend production configuration monitoring
      • Develop your own security testing tools, more focused and adapted to your particular needs
  • 40. Surviving Devops
      Situational awareness & Automation example:
      - Source code Product attack surface analyzer, alerts, prioritization of efforts.
      - Internet footprint, scanning and inventory. Updated every hour.
  • 41. Surviving Devops
      • Integrate InfoSec and IR into the Ops/Devs escalation process
      • Harden the production environment
      • Provide guidelines/baselines on what is a hardened environment
      • Automate hardening (Chef/Puppet)
      • Tolerate failure in production environments (Chaos Monkey)
  • 42. Surviving Devops
      • Metrics:
      • Identify if teams are repeating certain type of vulnerabilities, train them to prevent repeating again.
      • Prioritize training
      • Modify policies and baselines
      • Tune tools
      • Interact more closely with teams, attend to standups
      • Be more flexible and adapt to team processes
      • mesh with the unique development cultures of individual teams
  • 43. The Future?
      Rugged software
      “Rugged” describes software development organizations which have a culture of rapidly evolving their ability to create available, survivable, defensible, secure, and resilient software
      Rugged is NOT a technology, process model, SDLC, or organizational structure. It’s not even a noun.
  • 44. Rugged software
      Rugged describes staying ahead of the threat over time
      “We are convinced that negative and reactive approaches to application security cannot scale and are doomed to fail. These approaches primarily rely on finding vulnerabilities and fixing them.”
  • 45. Rugged Manifesto
      I am rugged and, more importantly, my code is rugged.
      I recognize that software has become a foundation of our modern world.
      I recognize the awesome responsibility that comes with this foundational role.
      I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.
      I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic and national security.
      I recognize these things – and I choose to be rugged.
      I am rugged because I refuse to be a source of vulnerability or weakness.
      I am rugged because I assure my code will support its mission.
      I am rugged because my code can face these challenges and persist in spite of them.
      I am rugged, not because it is easy, but because it is necessary and I am up for the challenge.
  • 46. Conclusion
      • Development methodologies and processes changed considerably over time
      • More things happening in shorter period of time
      • Security tools and techniques needs to adapt to this situation
      • Automation is key in Devops environment
      • Security professionals need to be flexible and engage more than ever with development teams
  • 47. ?
  • 49. Resources
      • Microsoft SDL - http://www.microsoft.com/security/sdl/default.aspx
      • Rugged Software - https://www.ruggedsoftware.org/
      • http://labs.securitycompass.com/appsec-2/the-cultural-challenges-of-application-security/
      • http://devops.com/features/the-unexpected-benefits-of-devops/
      • http://newrelic.com/devops/benefits-of-devops
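
Slides 13 and 24 name banned-API checks and secure code analysis run from continuous integration. The following is an added example, not part of the presentation: a small CI gate that flags calls to a subset of SDL-banned C string functions while ignoring comments and string literals. The `BANNED` subset, the replacement hints, the function names and the sample source are assumptions made for illustration.

```python
"""CI gate: fail the build when C sources call banned string APIs."""
import re
import sys

# Assumed subset of SDL-banned functions; the hints are illustrative only.
BANNED = {
    "strcpy": "strcpy_s or StringCchCopy",
    "strncpy": "strncpy_s",
    "strcat": "strcat_s or StringCchCat",
    "sprintf": "sprintf_s or StringCchPrintf",
    "vsprintf": "vsprintf_s",
    "gets": "fgets or gets_s",
}

# Comments and literals are matched first so that text inside them
# ("strcpy(" in a log message, a commented-out call) is not reported.
_NOISE = re.compile(
    r'//[^\n]*'                    # line comment
    r'|/\*.*?\*/'                  # block comment
    r'|"(?:\\.|[^"\\\n])*"'        # string literal
    r"|'(?:\\.|[^'\\\n])*'",       # character literal
    re.DOTALL,
)
# \b keeps wrappers such as my_strcpy() and safe variants such as
# strcpy_s() from matching.
_CALL = re.compile(r'\b(' + '|'.join(BANNED) + r')\s*\(')


def strip_noise(source):
    """Blank out comments and literals, keeping newlines for line numbers."""
    return _NOISE.sub(lambda m: re.sub(r'[^\n]', ' ', m.group(0)), source)


def scan(source, filename="<memory>"):
    """Return (filename, line, api) for every banned call in source."""
    findings = []
    for lineno, line in enumerate(strip_noise(source).splitlines(), start=1):
        for match in _CALL.finditer(line):
            findings.append((filename, lineno, match.group(1)))
    return findings


def gate(files):
    """files maps filename -> source text; returns (exit_code, report)."""
    findings = [f for name in sorted(files) for f in scan(files[name], name)]
    report = [
        f"{name}:{line}: banned API {api}(); use {BANNED[api]}"
        for name, line, api in findings
    ]
    return (1 if findings else 0), report


# Constructed sample input, not taken from any real code base.
SAMPLE = r'''
#include <string.h>
/* legacy note: strcpy(dst, src) was removed in r12 */
void greet(char *out, size_t n, const char *name) {
    char tmp[32];
    strcpy(tmp, name);               // unbounded copy
    snprintf(out, n, "strcpy(%s)", tmp);
    my_strcpy(out, tmp);
    strcat (out, "!");
}
'''

if __name__ == "__main__":
    code, lines = gate({"greet.c": SAMPLE})
    print("\n".join(lines))
    sys.exit(code)  # non-zero exit fails the CI job
```

Run per commit, the non-zero exit code blocks the merge, and the per-file findings can feed the per-team vulnerability metrics listed on slide 42.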