At large enterprises, a security development life-cycle (SDLC) needs to support a large range of development models as well as a large range of programming techniques.
I will present the SDLC of a large software vendor from the perspective of introducing security testing into the early steps of a software development life-cycle (i.e., enabling developers to use software testing tools).
Security testing is an important part of any security development life-cycle (SDLC) and, thus, should be a part of any secure software development life-cycle. Still, security testing is often understood as an activity done by security testers in the time between "end of development" and "offering the product to customers".
Learning from traditional testing that fixing bugs becomes more costly the later it is done in development, we believe that security testing should be integrated into the daily development activities. Based on the SDLC of a large software vendor, we will present the benefits of early security testing and discuss what is necessary to achieve a "security testing as development activity" approach.
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache... (Achim D. Brucker)
Developing mobile applications is a challenging business: developers need to support multiple platforms and, at the same time, need to cope with limited resources, as the revenue generated by an average app is rather small. This results in an increasing use of cross-platform development frameworks that allow developing an app once and offering it on multiple mobile platforms such as Android, iOS, or Windows.
Apache Cordova is a popular framework for developing multi-platform apps. Cordova combines HTML5 and JavaScript with native application code. Combining web and native technologies creates new security challenges as, e.g., an XSS attacker becomes more powerful.
In this paper, we present a novel approach for statically analysing the foreign language calls. We evaluate our approach by analysing the top Cordova apps from Google Play. Moreover, we report on the current state of the overall quality and security of Cordova apps.
Valery Boronin presented on Application Inspector SSDL Edition, an application security testing tool. He began with an overview of common problems with application security like poor code quality costing over $500 billion annually. He then demonstrated Application Inspector SSDL Edition's capabilities like automated scanning, issue tracking, role-based access controls, and guidance for developers on fixing vulnerabilities. Benefits highlighted were helping develop more secure software through interaction with developers and automatic validation of fixes. Future plans include integration with build servers, IDEs, and providing more customization, compliance support, and analytics.
Cyber-security is a critical part of all distributed applications. By understanding and implementing proper security measures, you guard your own resources against malicious attackers as well as provide a secure environment for all relevant parties.
This presentation is a gentle introduction to it.
This document proposes a web content analytics architecture to detect malicious JavaScript through real-time analysis of web traffic. It collects HTTP traffic using a proxy server and analyzes web content through static and dynamic analysis. Static analysis includes pattern matching, and dynamic analysis executes scripts to extract API call traces. Traces are clustered and signatures are generated by combining common tokens to detect similar malicious scripts while reducing false positives. The proposed approach analyzes JavaScript obfuscation and HTML5 usage to determine if further dynamic analysis is needed, and refines signatures through comparison to benign scripts. Evaluation showed the refined signatures improved detection rates while reducing false positives.
A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/... (Achim D. Brucker)
The document outlines security challenges in JavaScript applications, including examples from SAP UI5, Apache Cordova, and HANA XS Engine. It discusses common vulnerabilities like cross-site scripting, insecure functions, and secrets stored in source code. Specific issues addressed include prototype-based inheritance risks in SAP UI5, the JavaScript to Java bridge in Cordova exposing more than intended, and SQL injection risks in HANA XS Engine applications. The goal is to help detect security problems during development for these application types.
In security testing, as much as possible is automated. Are human hackers then no longer needed? Surely they are, because automated tools fail dramatically in finding certain important types of vulnerabilities. In this presentation we take a look at the tools, examples of what they're good at and what they miss, and how to deal with this in practice.
Slides for OWASP Pune Chapter Meetup dated 21st Apr 2016
Testing web applications for security issues and protecting them effectively requires the use of various methodologies. Each of these has its own advantages and disadvantages. The talk starts with an overview of the methodologies and then discusses how they can be combined to get the best results. Towards the end it also touches on emerging trends in the WebAppSec world.
This document discusses the importance of metrics and performance monitoring, and introduces Javamelody as a tool for monitoring Java applications. It notes that while profiling during development is useful, continuous monitoring of production is most important. Javamelody makes monitoring easy, since it is added as a servlet filter. Metrics can be stored locally and visualized with graphics to show correlations and impacts. Going further, the document suggests using complex event processing to analyze multiple sources and apply monitoring proactively.
Using Third Party Components for Building an Application Might be More Danger... (Achim D. Brucker)
Today, nearly all developers rely on third party components for building an application. Thus, for most software vendors, third party components in general and Free/Libre and Open Source Software (FLOSS) in particular, are an integral part of their software supply chain.
As the security of a software offering, independently of the delivery model, depends on all components, a secure software supply chain is of utmost importance. While this is true for both proprietary and FLOSS components that are consumed, FLOSS components impose particular challenges as well as provide unique opportunities. For example, on the one hand, FLOSS licenses usually contain a very strong “no warranty” clause and no service-level agreement. On the other hand, FLOSS licenses allow modifying the source code and, thus, fixing issues without depending on an (external) software vendor.
This talk is based on our work on securely integrating third-party components in general, and FLOSS components in particular, into SAP's Security Development Lifecycle (SSDL). Thus, our experience covers a wide range of products (e.g., from small mobile applications of a few thousand lines of code to large scale enterprise applications with more than a billion lines of code), a wide range of software development models (ranging from traditional waterfall to agile software engineering to DevOps), as well as multiple deployment models (e.g., on premise products, custom hosting, or software-as-a-service).
SecDevOps: Development Tools for Security Pros (Denim Group)
Security teams deal in penetration tests and vulnerabilities, and development teams deal in software defects, scrums and sprints. For the security professional, a failure to understand the way that development teams work and the tools that they use means that security vulnerabilities they identify will be hard to get remediated. This becomes an even greater issue as organizations try to roll out DevOps practices to gain greater efficiencies and responsiveness. This presentation walks through the tools and processes that development teams use to manage their workload, accomplish their goals, and track their success and lays out ways that security teams can better interface with developers to more successfully influence their priorities. The major tools discussed include defect trackers, integrated development environments (IDEs), continuous integration (CI) systems and metric tracking and demonstrations are given using open source examples of each. The presentation concludes with examples of healthy interaction patterns for security and development teams as well as interactions that lead to less healthy and less productive relationships.
Implementing an Application Security Pipeline in Jenkins (Suman Sourav)
Performing continuous security testing in a DevOps environment with short release cycles and a continuous delivery pipeline is a big challenge, and the traditional secure SDLC model fails to deliver the desired results. DevOps teams understand the process of build, test and deploy. They have largely automated this process in a delivery pipeline and deploy to production multiple times per day, but the big challenge is: how can they do this securely?
This session will focus on a strategy to build an application security pipeline in Jenkins, challenges and possible solutions, also how existing application security solutions (SAST, DAST, IAST, OpenSource Libraries Analysis) are playing a key role in growing the relationship between security and DevOps.
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha... (Christian Schneider)
The document discusses integrating security testing into continuous integration pipelines, referred to as "Security DevOps". It proposes a "Security DevOps Maturity Model" with four axes: Static Depth, Dynamic Depth, Intensity, and Consolidation. For the Dynamic Depth axis, it describes different levels of integrating dynamic application security testing tools like ZAP, Arachni, BDD-Security, and Gauntlt to test public, authenticated, and backend application layers within a CI pipeline. Examples are given for configuring the tools to perform targeted scans during commits or nightly builds.
This is an introduction to application security, covering some core concepts and the most important practices when creating secure code.
It was developed by Mike McBryde and Bryant Zadegan (during our day job) and released under the Creative Commons. It was first delivered to OWASP DC on March 4, 2015.
UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENT (Ulf Mattsson)
LEARNING OUTCOMES FROM PRESENTATION:
• Current trends in Cyber attacks
• FFIEC Cyber Assessment Toolkit
• NIST Cybersecurity Framework principles
• Security Metrics
• Oversight of third parties
• How to measure cybersecurity preparedness
• Automated approaches to integrate Security into DevOps
This document discusses using threat modeling at scale in agile development to improve security. It proposes identifying security requirements and test cases for each user story by considering potential "abuser stories". This would involve breaking down high-level user stories, assigning security champions to identify abuser stories, and having the security team maintain base threat models and own testing. Examples of threat modeling user stories around password resets and money withdrawals are provided. The goal is to shift security left in the SDLC by introducing it earlier through systematic threat modeling of user stories.
Make sure you’re defending against the most common web security issues and attacks with this useful overview of software development best-practices. We'll go over the most common attacks against web applications and present real world advice for defending yourself against these types of attacks.
The document discusses approaches to building secure web applications, including establishing software security processes and maturity levels. It covers security activities like threat modeling, defining security requirements, secure coding standards, security testing, and metrics. Business cases for software security focus on reducing costs of vulnerabilities, threats to web apps, and root causes being application vulnerabilities and design flaws.
V-Empower is a global security solutions and services company established in 2000 that provides state-of-the-art security solutions and consulting services through in-depth research and analysis. It offers comprehensive penetration testing, application security assessments, security program development, and training services. V-Empower saw a 206% increase in revenue in 2006 and its security team consists of over 27 consultants worldwide who have been featured in publications and by clients such as Microsoft.
V-Empower is a global security solutions and services company established in 2000 that provides state-of-the-art security solutions and services through in-depth research, analysis, and knowledge sharing. It offers comprehensive penetration testing, application security assessments, security program development, and training services. V-Empower has experienced significant revenue growth and its security team consists of highly talented experts that provide services to some of the world's largest companies.
This document summarizes a presentation on SQL injection prevention. It introduces the three presenters - Colin Buckton from OWASP, David Klassen who will demonstrate SQL injection, and Jose Kaharian who will discuss the BSIMM study. Buckton covers OWASP resources and describes SQL injection vulnerabilities. Klassen demonstrates SQL injection in a code sample and how to prevent it. Kaharian discusses a study of software security initiatives in businesses and how secure coding is becoming a priority in hiring. The presentation aims to raise awareness of SQL injection risks and prevention best practices.
The document outlines an approach to application security that involves establishing a software security roadmap. It discusses assessing maturity, defining a security-enhanced software development lifecycle (S-SDLC), and implementing security activities such as threat modeling, secure coding practices, security testing, and metrics. The goal is to manage software risks through a proactive and holistic approach rather than just reacting to vulnerabilities.
This document outlines an approach to application security that involves assessing maturity, defining a software security roadmap, and implementing security activities throughout the software development lifecycle (SDLC). It discusses security requirements, threat modeling, secure design guidelines, coding standards, security testing, configuration management, metrics, and making business cases to justify security investments. The goal is to manage software risks proactively by building security into each phase rather than applying it reactively through patches.
Bringing the hacker mindset into requirements and testing by Eapen Thomas and... (QA or the Highway)
This document discusses bringing a hacker mindset to requirements and testing for application security. It begins by highlighting statistics showing the poor state of application security and vulnerabilities. The document then contrasts producer and consumer views of quality, and explains why security requirements are difficult by nature. It provides examples of threat modeling and negative testing techniques that can help requirements analysts and testers think like hackers to identify vulnerabilities. The presentation calls for adopting these adversarial techniques to improve application security.
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ... (Achim D. Brucker)
Security testing is an important part of any security development lifecycle (SDL) and, thus, should be a part of any software (development) lifecycle. Still, security testing is often understood as an activity done by security testers in the time between "end of development" and "offering the product to customers".
On the one hand, learning from traditional testing that fixing bugs becomes more costly the later it is done in development, security testing should be integrated into the daily development activities. On the other hand, developing software for the cloud and offering software in the cloud raises the need for security testing in a "close-to-production" or even production environment. Consequently, we need an end-to-end integration of security testing into the software lifecycle.
In this talk, we will report on our experiences on integrating security testing "end-to-end" into SAP's software development lifecycle in general and, in particular, SAP's Secure Software Development Lifecycle (S2DL). Moreover, we will discuss different myths, challenges, and opportunities in the area of security testing.
Widespread security flaws in web application development 2015 (mahchiev)
Widespread security flaws in web application development:
* SQL Injection - Hands-On Example
* Cross-Site Scripting (XSS)
* Cross-Site Request Forgery
* HTTP Strict Transport Security
The Magic Of Application Lifecycle Management In Vs Public (David Solivan)
The document discusses challenges with software development projects and how tools from Microsoft can help address these challenges. It notes that most projects fail or are over budget and challenges include poor requirements gathering and testing. However, tools like Visual Studio and Team Foundation Server that integrate requirements, work tracking, source control, testing and other functions can help make successful projects more possible by facilitating team collaboration. The document outlines features of these tools and how they aim to make application lifecycle management a routine part of development.
The document discusses challenges for incorporating security practices into agile development and proposes a "Security Toolbox" to help development teams identify and mitigate security risks through the use of accepted security knowledge bases and guidance mapped to specific architectural elements. The toolbox is intended to minimize "Security Debt" by predicting security issues upfront and providing acceptance tests and estimates to integrate security into sprint planning and product backlogs. An example is provided of how the toolbox could be applied to help three development teams implement a secure online comment system.
This document discusses the importance of metrics and performance monitoring, and introduces Javamelody as a tool for monitoring Java applications. It notes that while profiling during development is useful, continuous monitoring of production is most important. Javamelody makes monitoring easy by adding as a servlet filter. Metrics can be stored locally and visualized with graphics to show correlations and impacts. Going further, the document suggests using complex event processing to analyze multiple sources and apply monitoring proactively.
Using Third Party Components for Building an Application Might be More Danger...Achim D. Brucker
Today, nearly all developers rely on third party components for building an application. Thus, for most software vendors, third
party components in general and Free/Libre and Open Source Software (FLOSS) in particular, are an integral part of their
software supply chain.
As the security of a software offering, independently of the delivery model, depends on all components, a secure software supply
chain is of utmost importance. While this is true for both proprietary and as well as FLOSS components that are consumed,
FLOSS components impose particular challenges as well as provide unique opportunities. For example, on the one hand,
FLOSS licenses contain usually a very strong “no warranty” clause and no service-level agreement. On the other hand, FLOSS
licenses allow to modify the source code and, thus, to fix issues without depending on an (external) software vendor.
This talk is based on working on integrating securely third-party components in general, and FLOSS components in particular,
into the SAP's Security Development Lifecycle (SSDL). Thus, our experience covers a wide range of products (e.g., from small
mobile applications of a few thousands lines of code to large scale enterprise applications with more than a billion lines of code),
a wide range of software development models (ranging from traditional waterfall to agile software engineering to DevOps), as
well as a multiple deployment models (e.g., on premise products, custom hosting, or software-as-a-service).
SecDevOps: Development Tools for Security ProsDenim Group
Security teams deal in penetration tests and vulnerabilities, and development teams deal in software defects, scrums and sprints. For the security professional, a failure to understand the way that development teams work and the tools that they use means that security vulnerabilities they identify will be hard to get remediated. This becomes an even greater issue as organizations try to roll out DevOps practices to gain greater efficiencies and responsiveness. This presentation walks through the tools and processes that development teams use to manage their workload, accomplish their goals, and track their success and lays out ways that security teams can better interface with developers to more successfully influence their priorities. The major tools discussed include defect trackers, integrated development environments (IDEs), continuous integration (CI) systems and metric tracking and demonstrations are given using open source examples of each. The presentation concludes with examples of healthy interaction patterns for security and development teams as well as interactions that lead to less healthy and less productive relationships.
Implementing an Application Security Pipeline in JenkinsSuman Sourav
Performing continuous security testing in a DevOps environment with short release cycles and a continuous delivery pipeline is a big challenge and the traditional secure SDLC model fails to deliver the desired results. DevOps understand the process of built, test and deploy. They have largely automated this process in a delivery pipeline, they deploy to production multiple times per day but the big challenge is how can they do this securely?
This session will focus on a strategy to build an application security pipeline in Jenkins, challenges and possible solutions, also how existing application security solutions (SAST, DAST, IAST, OpenSource Libraries Analysis) are playing a key role in growing the relationship between security and DevOps.
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Christian Schneider
The document discusses integrating security testing into continuous integration pipelines, referred to as "Security DevOps". It proposes a "Security DevOps Maturity Model" with four axes: Static Depth, Dynamic Depth, Intensity, and Consolidation. For the Dynamic Depth axis, it describes different levels of integrating dynamic application security testing tools like ZAP, Arachni, BDD-Security, and Gauntlt to test public, authenticated, and backend application layers within a CI pipeline. Examples are given for configuring the tools to perform targeted scans during commits or nightly builds.
This is an introduction to application security, covering some core concepts and the most important practices when creating secure code.
It was developed by Mike McBryde and Bryant Zadegan (during our day job) and released under the Creative Commons. It was first delivered to OWASP DC on March 4, 2015.
UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENTUlf Mattsson
UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENT
LEARNING OUTCOMES FROM PRESENTATION:
• Current trends in Cyber attacks
• FFIEC Cyber Assessment Toolkit
• NIST Cybersecurity Framework principles
• Security Metrics
• Oversight of third parties
• How to measure cybersecurity preparedness
• Automated approaches to integrate Security into DevOps
This document discusses using threat modeling at scale in agile development to improve security. It proposes identifying security requirements and test cases for each user story by considering potential "abuser stories". This would involve breaking down high-level user stories, assigning security champions to identify abuser stories, and having the security team maintain base threat models and own testing. Examples of threat modeling user stories around password resets and money withdrawals are provided. The goal is to shift security left in the SDLC by introducing it earlier through systematic threat modeling of user stories.
Make sure you’re defending against the most common web security issues and attacks with this useful overview of software development best-practices. We'll go over the most common attacks against web applications and present real world advice for defending yourself against these types of attacks.
The document discusses approaches to building secure web applications, including establishing software security processes and maturity levels. It covers security activities like threat modeling, defining security requirements, secure coding standards, security testing, and metrics. Business cases for software security focus on reducing costs of vulnerabilities, threats to web apps, and root causes being application vulnerabilities and design flaws.
V-Empower is a global security solutions and services company established in 2000 that provides state-of-the-art security solutions and consulting services through in-depth research and analysis. It offers comprehensive penetration testing, application security assessments, security program development, and training services. V-Empower saw a 206% increase in revenue in 2006 and its security team consists of over 27 consultants worldwide who have been featured in publications and by clients such as Microsoft.
V-Empower is a global security solutions and services company established in 2000 that provides state-of-the-art security solutions and services through in-depth research, analysis, and knowledge sharing. It offers comprehensive penetration testing, application security assessments, security program development, and training services. V-Empower has experienced significant revenue growth and its security team consists of highly talented experts that provide services to some of the world's largest companies.
This document summarizes a presentation on SQL injection prevention. It introduces the three presenters - Colin Buckton from OWASP, David Klassen who will demonstrate SQL injection, and Jose Kaharian who will discuss the BSIMM study. Buckton covers OWASP resources and describes SQL injection vulnerabilities. Klassen demonstrates SQL injection in a code sample and how to prevent it. Kaharian discusses a study of software security initiatives in businesses and how secure coding is becoming a priority in hiring. The presentation aims to raise awareness of SQL injection risks and prevention best practices.
The document outlines an approach to application security that involves establishing a software security roadmap. It discusses assessing maturity, defining a security-enhanced software development lifecycle (S-SDLC), and implementing security activities such as threat modeling, secure coding practices, security testing, and metrics. The goal is to manage software risks through a proactive and holistic approach rather than just reacting to vulnerabilities.
This document outlines an approach to application security that involves assessing maturity, defining a software security roadmap, and implementing security activities throughout the software development lifecycle (SDLC). It discusses security requirements, threat modeling, secure design guidelines, coding standards, security testing, configuration management, metrics, and making business cases to justify security investments. The goal is to manage software risks proactively by building security into each phase rather than applying it reactively through patches.
Bringing the hacker mindset into requirements and testing by Eapen Thomas and...QA or the Highway
This document discusses bringing a hacker mindset to requirements and testing for application security. It begins by highlighting statistics showing the poor state of application security and vulnerabilities. The document then contrasts producer and consumer views of quality, and explains why security requirements are difficult by nature. It provides examples of threat modeling and negative testing techniques that can help requirements analysts and testers think like hackers to identify vulnerabilities. The presentation calls for adopting these adversarial techniques to improve application security.
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Achim D. Brucker
Security testing is an important part of any security development lifecycle (SDL) and, thus, should be a part of any software (development) lifecycle. Still, security testing is often understood as an activity done by security testers in the time between "end of development" and "offering the product to customers."
On the one hand, learning from traditional testing that the fixing of bugs is the more costly the later it is done in development, security testing should be integrated into the daily development activities. On the other hand, developing software for the cloud and offering software in the cloud raises the need for security testing in a "close-to-production" or even production environment. Consequently, we need an end-to-end integration of security testing into the software lifecycle.
In this talk, we will report on our experiences on integrating security testing "end-to-end" into SAP's software development lifecycle in general and, in particular, SAP's Secure Software Development Lifecycle (S2DL). Moreover, we will discuss different myths, challenges, and opportunities in the area of security testing.
Widespread security flaws in web application development 2015mahchiev
Widespread security flaws in web application development
* SQL Injection - Hands-On Example
* Cross-Site Scripting (XSS)
* Cross-Site Request Forgery
* HTTP Strict Transport Security
The Magic Of Application Lifecycle Management In Vs PublicDavid Solivan
The document discusses challenges with software development projects and how tools from Microsoft can help address these challenges. It notes that most projects fail or are over budget and challenges include poor requirements gathering and testing. However, tools like Visual Studio and Team Foundation Server that integrate requirements, work tracking, source control, testing and other functions can help make successful projects more possible by facilitating team collaboration. The document outlines features of these tools and how they aim to make application lifecycle management a routine part of development.
The document discusses challenges for incorporating security practices into agile development and proposes a "Security Toolbox" to help development teams identify and mitigate security risks through the use of accepted security knowledge bases and guidance mapped to specific architectural elements. The toolbox is intended to minimize "Security Debt" by predicting security issues upfront and providing acceptance tests and estimates to integrate security into sprint planning and product backlogs. An example is provided of how the toolbox could be applied to help three development teams implement a secure online comment system.
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Chetan Khatri
The document discusses information security for data-driven platforms and open source projects. It motivates the importance of security through examples of data breaches. It covers topics like encryption, authentication, vulnerabilities in open source code, and how to evaluate open source libraries for security issues. The document demonstrates penetration testing tools like Vega and SQLMap to find vulnerabilities like SQL injection in web applications.
Secure coding is the practice of developing software securely by avoiding security vulnerabilities. It involves understanding the application's attack surface and using techniques like input validation, secure authentication, access control, and encrypting sensitive data. The OWASP organization provides free tools and guidelines to help developers code securely, such as their Top 10 security risks and cheat sheets on issues like injection, authentication, and access control. Developers should use static and dynamic application security testing tools to identify vulnerabilities and continuously learn about secure coding best practices.
Building Generative AI-infused apps: what's possible and how to startMaxim Salnikov
In this session, we'll explore different scenarios where the features of Generative AI can provide added value to an IT solution. We'll also learn how to begin developing your own application powered by AI. Using Azure OpenAI service as an illustration, we'll examine the various APIs it offers, review the best practices of Prompt Engineering, explore different ways to incorporate your own data into the process, and take a glance at several tools and resources that make the developer experience more seamless.
The document discusses several coding security practices for developing secure software, including input validation, output handling, parameterizing queries, identity and authentication controls, and access controls. It provides examples and recommendations for implementing each practice to prevent common vulnerabilities like injection and data tampering. The goal is to integrate security at the code level from the beginning to reduce risks.
The term “usable security” is on everyone’s lips and there seems to be a general agreement that, first, security controls should not unnecessarily affect the usability and user-friendliness of systems. And, second, that simple-to-use systems should be preferred as they minimize the risk of handling errors that can be the root cause of security incidents such as data leakages.
But it also seems to be a general surprise (at least for security experts) why software developers always (still) make so many easy-to-avoid mistakes that lead to insecure software systems. In fact, many of the large security incidents of the last weeks/months/years are caused by “seemingly simple to fix” programming errors.
Bringing both observations together, it should be obvious that we need usable and developer-friendly security controls and programming frameworks that make it easy to build secure systems. Still, reality looks different: many programming languages, APIs, and frameworks provide complex interfaces that are, actually, hard to use securely. In fact, they are miles away from providing usable security for developers.
In this talk, I will discuss examples of complex and “non-usable” security for developers such as APIs that, in fact, are (nearly) impossible to use securely or that require an understanding of security topics that most security experts do not have (and, thus, that we cannot expect from software developers).
Formalizing (Web) Standards: An Application of Test and ProofAchim D. Brucker
Most popular technologies are based on informal or semiformal standards that lack a rigid formal semantics. Typical examples include web technologies such as the DOM or HTML, which are defined by the Web Hypertext Application Technology Working Group (WHATWG) and the World Wide Web Consortium (W3C). While there might be API specifications and test cases meant to assert the compliance of a certain implementation, the actual standard is rarely accompanied by a formal model that would lend itself for, e.g., verifying the security or safety properties of real systems.
Even when such a formalization of a standard exists, two important questions arise: first, to what extent does the formal model comply with the standard and, second, to what extent does the implementation comply with the formal model and the assumptions made during the verification? In this paper, we present an approach that brings all three involved artifacts - the (semi-)formal standard, the formalization of the standard, and the implementations - closer together by combining verification, symbolic execution, and specification based testing.
Your (not so) smart TV is currently busy with taking down the InternetAchim D. Brucker
More and more devices of our daily life are "smart": ranging from smart light bulbs to smart TVs to smart fridges, everything can, and most likely will be, in the future connected to the Internet. More and more people are already used to remotely controlling their heating at home using their smart phone. In this talk, we will explain the technology behind the "smart things" and discuss how your smart thermostat and your neighbour's TV might be hijacked to take down the Internet.
Combining the Security Risks of Native and Web Development: Hybrid AppsAchim D. Brucker
Cross-platform frameworks, such as Apache Cordova, are becoming increasingly popular. They promote the development of hybrid apps that combine native, i.e., system specific, code and system independent code, e.g., HTML5/JavaScript. Combining native with platform independent code opens Pandora's box: all the security risks for native development are multiplied with the security risks of web applications.
In the first half of our talk, we start with a short introduction into hybrid app development and present specific attacks, followed by a report on how Android developers are using Apache Cordova. In the second half of the talk, we will focus on developing secure hybrid apps: both with hands-on guidelines for defensive programming as well as recommendations for hybrid app specific security testing strategies.
On the one hand, browser extensions, e.g., for Chrome, are very useful, as they extend web browsers with additional functionality (e.g., blocking ads). On the other hand, they are the most dangerous code that runs in your browser: extensions can read and modify the content displayed in the browser. As they also can communicate with any web-site or web-service, they can report both data and metadata to external parties.
The current security model for browser extensions seems to be inadequate for expressing the security or privacy needs of browser users. Consequently, browser extensions are a "juicy target" for attackers targeting web users.
We present results of analysing over 2500 browser extensions on how they use the current security model and discuss examples of extensions that are potentially of high risk. Based on the results of our analysis of real world browser extensions as well as our own threat model, we discuss the limitations of the current security model from a user perspective.
The Isabelle homepage describes Isabelle as "a generic proof assistant. It allows mathematical formulas to be expressed in a formal language and provides tools for proving those formulas in a logical calculus." While this is, without doubt, what most users of Isabelle are using Isabelle for, there is much more to discover: Isabelle is also a framework for building formal methods tools.
In this talk, I will report on our experience in using Isabelle for building formal tools for high-level specification languages (e.g., OCL, Z) as well as using Isabelle's core engine for new application domains such as generating test cases from high-level specifications.
Agile Secure Software Development in a Large Software Development Organisatio...Achim D. Brucker
Security testing is an important part of any (agile) secure software development lifecycle. Still, security testing is often understood as an activity done by security testers in the time between "end of development" and "offering the product to customers."
Learning from traditional testing that the fixing of bugs is the more costly the later it is done in development, we believe that security testing should be integrated into the daily development activities. To achieve this, we developed a security testing strategy, as part of SAP's security development lifecycle, which supports the specific needs of the various software development models at SAP.
In this presentation, we will briefly present SAP's approach to an agile secure software development process in general and, in particular, present SAP's Security Testing Strategy that enables developers to find security vulnerabilities early by applying a variety of different security testing methods and tools.
Bringing Security Testing to Development: How to Enable Developers to Act as ...Achim D. Brucker
Security testing is an important part of any security development life-cycle (SDLC) and, thus, should be a part of any software development life-cycle.
We will present SAP's Security Testing Strategy that enables developers to find security vulnerabilities early by applying a variety of different security testing methods and tools. We explain the motivation behind it, how we enable global development teams to implement the strategy, across different SDLCs and report on our experiences.
Industrial Challenges of Secure Software DevelopmentAchim D. Brucker
This document discusses the challenges of secure software development at an industrial scale. It describes SAP's secure software development lifecycle process, which includes training, threat modeling, security testing, validation, and response. It then discusses some of the key challenges for industrial software development, including scalability issues due to large codebases, maintenance challenges due to modular code, and the difficulty of achieving complete security or automation. The document argues for more research in risk-based and economic approaches to security, as well as techniques for composable, automated security testing of integrated software systems.
SAST for JavaScript: A Brief Overview of Commercial ToolsAchim D. Brucker
Static application security testing (SAST) is a widely used technique that helps to find security vulnerabilities in program code at an early stage in the software development life-cycle. For a few years now, JavaScript has been gaining more and more popularity as an implementation language for large applications. Consequently, there is a demand for SAST tools that support JavaScript.
We report briefly on our method for evaluating SAST tools for JavaScript as well as summarize the results of our analysis.
Deploying Static Application Security Testing on a Large ScaleAchim D. Brucker
SCA (also called SAST when used for finding vulnerabilities) is an important technique for detecting software vulnerabilities already at an early stage in the software development life-cycle. As such, SCA is adopted by an increasing number of software vendors.
The wide-spread introduction of SCA at a large software vendor, such as SAP, creates both technical as well as non-technical challenges. Technical challenges include high false positive and false negative rates. Examples of non-technical challenges are the insufficient security awareness among the developers and managers or the integration of SCA into a software development life-cycle that facilitates agile development. Moreover, software is not developed following a greenfield approach: SAP's security standards need to be passed to suppliers and partners in the same manner as SAP's customers begin to pass their security standards to SAP.
In this paper, we briefly present how SAP's Central Code Analysis Team introduced SCA at SAP and discuss open problems in using SCA both inside SAP as well as across the complete software production line, i.e., including suppliers and partners.
Model-based Conformance Testing of Security PropertiesAchim D. Brucker
The document discusses model-based conformance testing of security properties. It presents an approach for the modular specification of security policies using a formal model. Based on this specification, a model-based test case generation approach is discussed that can be used to test the correctness of security infrastructure implementations and their conformance to high-level security policies. As an example, the document focuses on modeling firewalls and generating test cases to test firewall configurations and implementations. It describes modeling firewall policies directly as well as applying model transformations to optimize the test case generation process by removing redundancies from the policy model.
Service Compositions: Curse or Blessing for Security?Achim D. Brucker
Building large systems by composing reusable services is not a new idea; it is at least 25 years old. Still, only recently is the scenario of dynamic, interchangeable services that are consumed via public networks becoming reality. Following the Software as a Service (SaaS) paradigm, an increasing number of complex applications is offered as a service, and these services can themselves be composed for building even larger and more complex applications. This will lead to situations in which users are likely to unknowingly consume services in a dynamic and ad hoc manner.
Leaving the rather static (and mostly on-premise) service composition scenarios of the past 25 years behind us, dynamic service compositions have not only the potential to transform the software industry from a business perspective, they also require new approaches for addressing the security and trustworthiness needs of users.
The EU FP7 project Aniketos develops new technology, methods, tools and security services that support the design-time creation and run-time dynamic behaviour of dynamic service compositions, addressing service developers, service providers and service end users.
In this talk, we will motivate several security and trustworthiness requirements that occur in dynamic service compositions and discuss the solutions developed within the project Aniketos. Based on our experiences, we will discuss open research challenges and potential opportunities for applying type systems.
Encoding Object-oriented Datatypes in HOL: Extensible Records RevisitedAchim D. Brucker
We briefly present the theorem proving environment HOL-OCL. The HOL-OCL system is an interactive proof environment for object-oriented (i.e., UML/OCL) specifications that is built on top of Isabelle/HOL. We introduce the overall system architecture and, in more detail, our extensible encoding of object-oriented data models into HOL.
While our extensible encoding is inspired by the extensible record package of Isabelle/HOL, its implementation is not directly based on it. In this talk, we will discuss how our approach differs from the existing one and how it serves as a basis for implementing Isabelle-based tools for object-oriented models.
Modern applications are inherently heterogeneous: they are built by composing loosely coupled services that are, usually, offered and operated by different service providers. While this approach increases the flexibility of the composed applications, it makes the implementation of security and trustworthiness requirements much more difficult. As the requirements for security and trustworthiness, in nearly all sectors, are increasing dramatically, there is a need for new approaches that integrate security requirements right from the beginning while composing service-based applications.
In this paper, we present a framework for secure service composition using a model-based approach for specifying, building, and executing composed services. As a unique feature, this framework integrates security requirements as a first class citizen and, thus, avoids the "security as an afterthought" paradigm.
Extending Access Control Models with Break-glassAchim D. Brucker
Access control models are usually static, i.e., permissions are granted based on a policy that only changes seldom. Especially for scenarios in health care and disaster management, a more flexible support of access control, i.e., the underlying policy, is needed.
Break-glass is one approach for such a flexible support of policies which helps to prevent system stagnation that could harm lives or otherwise result in losses. Today, break-glass techniques are usually added on top of standard access control solutions in an ad-hoc manner and, therefore, lack an integration into the underlying access control paradigm and the systems' access control enforcement architecture.
We present an approach for integrating, in a fine-grained manner, break-glass strategies into standard access control models and their accompanying enforcement architecture. This integration provides means for specifying break-glass policies precisely and supporting model-driven development techniques based on such policies.
Integrating Application Security into a Software Development ProcessAchim D. Brucker
Static Code Analysis (SCA) is an important means for detecting software vulnerabilities at an early stage in the software development lifecycle. The wide-spread introduction of static code analysis at a large software vendor is challenging. Besides the technical challenges, e.g., caused by the large number of software development projects, the large number of programming languages in use (e.g., ABAP, C, Objective-C, ...), and the use of dynamic programming models such as HTML5/JavaScript, there are also many non-technical challenges, e.g., creating security awareness among the developers, organizing trainings, and integrating static code analysis into the development and maintenance processes. In this talk, we report the experiences we made while introducing static code analysis at SAP AG.
Security in the Context of Business Processes: Thoughts from a System Vendor'...Achim D. Brucker
Enterprise systems in general and process-aware systems in particular store and process the most critical assets of a company. To protect these assets, such systems need to implement a multitude of security properties. Moreover, such systems often need to comply with various compliance regulations.
In this keynote, we present process-level security requirements as well as discuss the gap between the ideal world of process-aware information systems and the real world. We conclude our presentation by discussing several research challenges in the area of verifiable secure process aware information systems.
Your One-Stop Shop for Python Success: Top 10 US Python Development Providersakankshawande
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
UiPath Test Automation using UiPath Test Suite series, part 6DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Generating privacy-protected synthetic data using Secludy and MilvusZilliz
During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.
HCL Notes and Domino License Cost Reduction in the World of DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
Taking AI to the Next Level in Manufacturing.pdfssuserfac0301
Read Taking AI to the Next Level in Manufacturing to gain insights on AI adoption in the manufacturing industry, such as:
1. How quickly AI is being implemented in manufacturing.
2. Which barriers stand in the way of AI adoption.
3. How data quality and governance form the backbone of AI.
4. Organizational processes and structures that may inhibit effective AI adoption.
6. Ideas and approaches to help build your organization's AI strategy.
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing is discussed in the talk. ICT and testing must carry their part of global responsibility to help with climate warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be extended with sustainability, and then measured continuously. Test environments can be used less, at a smaller scale, and on demand. Test techniques can be used in optimizing or minimizing the number of tests. Test automation can be used to speed up testing.
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfMalak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
Fueling AI with Great Data with Airbyte WebinarZilliz
Developing Secure Software: Experiences From an International Software Vendor
1. Secure Software Development on the Enterprise Level
Achim D. Brucker
a.brucker@sheffield.ac.uk https://www.brucker.ch/
Software Assurance & Security Research
Department of Computer Science, The University of Sheffield, Sheffield, UK
https://logicalhacking.com/
Shift Left: The Incredible Impact Early Security Testing Makes
January 19, 2017, London, UK
2. Outline
1 Background
2 Motivation
3 Secure Software Development
4 From (Mild) Pain to Success: My Experiences at SAP
5 Lessons Learned
© 2017 LogicalHacking.com. Public (CC BY-NC-ND 4.0) Page 3 of 26
3. Personal Background
Eight years of enterprise secure software development:
Member of the central security team, SAP SE (Germany)
(Global) Security Testing Strategist
Security Research Expert/Architect
Work areas:
Defining the risk-based Security Testing Strategy of SAP
Introducing security testing tools (e.g., SAST, DAST) at SAP
Identify white spots and evaluate and improve tools/methods
Secure Software Development Life Cycle integration
Applied security research
...
Since 12/2015:
Senior Lecturer, The University of Sheffield, UK
Head of the Software Assurance & Security Research Team
Available as consultant & (research) collaborations
https://www.brucker.uk/
4. SAP SE
Leader in Business Software
Cloud
Mobile
On premise
Many different technologies and platforms, e.g.,
In-memory database and application server (Hana)
Netweaver for ABAP and Java
More than 25 industries
63% of the world’s transaction revenue touches an SAP system
over 68 000 employees worldwide
over 25 000 software developers
Headquarters: Walldorf (Heidelberg), Germany
5. Outline (section 2: Motivation)
7. Example (LinkedIn, May 2016)
164 million email addresses and passwords
from an attack in 2012, offered for sale May 2016
Compromised data:
email addresses
passwords
8. Example (TalkTalk, October 2015)
nearly 157,000 customer records leaked
nearly 16,000 records included bank details
more than 150,000 customers lost
(home services market share fell by 4.4 percent in terms of new customers)
Costs for TalkTalk: around £60 million
9. Example (Ashley Madison, July 2015)
more than 30 million email addresses & much more
Compromised data:
Dates of birth
Email addresses
Ethnicities, Genders
Sexual preferences
Home addresses, Phone numbers
Payment histories
Passwords, Usernames, Security questions and answers
Website activity
Similar Leak: Mate1 in February 2016:
27 million records with even more personal details
(e.g., drinking/drug habits, political views)
10. What’s the Problem?
Authenticate without a password using “SQL Injection”
Implementation (SQL, simplified):
SELECT * FROM `users` WHERE
`name` = 'Username' AND `pwd` = 'Password';
Let’s try: user “test” & password “secret”:
SELECT * FROM `users` WHERE
`name` = 'test' AND `pwd` = 'secret';
Let’s use “' OR '1'='1” as password:
SELECT * FROM `users` WHERE
`name` = 'test' AND `pwd` = '' OR '1'='1';
which the database evaluates as
SELECT * FROM `users` WHERE
`name` = 'test' AND `pwd` = '' OR TRUE;
and therefore as
SELECT * FROM `users` WHERE
TRUE;
No password check!
Root cause: a bug.
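The injection on the slide as runnable code, added here and not part of the original deck: the string-concatenated login query beside the same check with bind parameters. It uses Python's standard-library sqlite3 as a stand-in database; the users table and its rows are constructed test data.

```python
"""SQL injection in a login check: the slide's query, vulnerable and fixed.

Added example, not from the slides. The users table is constructed test
data; passwords are stored in clear text only to mirror the slide's
simplified schema (a real system stores salted password hashes).
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory users table with constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, pwd TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("test", "secret"), ("alice", "hunter2")])
    con.commit()
    return con


def build_query_vulnerable(name: str, pwd: str) -> str:
    """The slide's query, filled in by string concatenation (the bug)."""
    return (f"SELECT name FROM users WHERE "
            f"name = '{name}' AND pwd = '{pwd}'")


def login_vulnerable(con: sqlite3.Connection, name: str, pwd: str) -> list:
    """Names of all rows the concatenated query matches.

    Root cause as on the slide: user input becomes part of the SQL text,
    so a quote in the password changes the structure of the WHERE clause
    (`pwd = '' OR '1'='1'` is true for every row).
    """
    rows = con.execute(build_query_vulnerable(name, pwd))
    return sorted(row[0] for row in rows)


def login_safe(con: sqlite3.Connection, name: str, pwd: str) -> list:
    """Same check with bind parameters: input stays data, never SQL."""
    rows = con.execute(
        "SELECT name FROM users WHERE name = ? AND pwd = ?", (name, pwd))
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    db = make_db()
    injected = "' OR '1'='1"          # the password from the slide
    print(build_query_vulnerable("test", injected))
    print("vulnerable:", login_vulnerable(db, "test", injected))  # every user
    print("safe:      ", login_safe(db, "test", injected))        # nobody
```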
19. Outline (section 3: Secure Software Development)
20. A Path Towards (More) Secure Software
SAP’s Secure Software Development Lifecycle (S2DL)
[Figure: the S2DL phases in order: Training, Risk Identification, Plan Security Measures, Secure Development, Security Testing, Security Validation, Security Response]
21. A Path Towards (More) Secure Software
Training
Security awareness
Secure programming
Threat modelling
Security testing
Data protection and privacy
Security expert curriculum (“Masters”)
22. A Path Towards (More) Secure Software
Risk Identification
Risk identification (“high-level threat modelling”)
Threat modelling
Data privacy impact assessment
23. A Path Towards (More) Secure Software
Plan Security Measures
Plan product standard compliance
Plan security features
Plan security tests
Plan security response
24. A Path Towards (More) Secure Software
Secure Development
Secure Programming
Static code analysis (SAST)
Code review
25. A Path Towards (More) Secure Software
Security Testing
Dynamic Testing (e.g., IAST, DAST)
Manual testing
External security assessment
26. A Path Towards (More) Secure Software
Security Validation (“First Customer”)
Check for “flaws” in the implementation of the S2DL
Ideally, security validation finds:
No issues that can be fixed/detected earlier
Only issues that cannot be detected earlier
(e.g., insecure default configurations, missing security documentation)
Penetration tests in productive environments are different:
They test the actual configuration
They test the productive environment (e.g., cloud/hosting)
27. A Path Towards (More) Secure Software
Security Response
Execute the security response plan
Security related external communication
Incident handling
Security patches
Monitoring of third party components
28. A Path Towards (More) Secure Software
SAP’s Secure Software Development Lifecycle (S2DL)
[Figure: the S2DL phases shown first as a linear sequence producing Secure Software, then arranged as a cycle: Security Validation, Security Testing, Secure Development, Plan Security Measures, Risk Identification, Training, Security Response]
34. Secure Software Development Lifecycle for Cloud/Agile
[Figure: agile/cloud lifecycle with the phases Define, Build, Operate and Release, gated by a Build Decision and a Release Decision; the S2DL phases (Risk Identification, Plan Security Measures, Secure Development, Security Testing, Security Validation, Security Response) are mapped onto this lifecycle]
35. Outline (section 4: From (Mild) Pain to Success: My Experiences at SAP)
38. In 2010: Static Analysis Becomes Mandatory
SAST tools used at SAP:
Language   Tool           Vendor
ABAP       CodeProfiler   Virtual Forge
Others     Fortify        HP
Since 2010: SAST mandatory for all SAP products
Within two years, multiple billions of lines analysed
Constant improvement of tool configuration
Further details:
Deploying Static Application Security Testing on a Large Scale. In GI Sicherheit 2014. Lecture Notes in Informatics, 228, pages 91-101, GI, 2014.
39. A De-Centralised Application Security Approach
How SAP’s Application Development Approach Developed Over Time
[Figure: timeline from 2009 (Governance & approvals) to 2016 (De-centralized approach)]
2009: Governance & approvals
One (later two) SAST tools fit all:
VF CodeProfiler
Fortify
Development Teams
feel pushed
Central Security Team
Controls development teams
Spends a lot of time with granting exemptions
Danger
Only ticking boxes
2016: De-centralized approach
Blending of Security Testing Tools
SAST:
SAP Netweaver CVA Add-on, Fortify, Synopsys Coverity, Checkmarx, Brakeman
DAST:
HP WebInspect, Quotium Seeker
Others:
Burp Suite, OWASP ZAP, Codenomicon Fuzzer, BDD
Development Teams
are empowered
are responsible
Central Security Team
Supports development teams
Can focus on improvements
filling white spots
tooling
processes
42. De-Centralised Approach: Organisational Setup
Central security expert team (S2DL owner)
Organizes security trainings
Defines product standard “Security”
Defines risk and threat assessment methods
Defines security testing strategy
Selects and provides security testing tools
Validates products
Defines and executes response process
Local security experts
Embedded into development teams
Organize local security activities
Support developers and architects
Support product owners (responsibles)
Development teams
Select technologies
Select development model
Design and execute security testing plan
...
43. Security Team Focus: Security Testing for Developers
Security testing tools for developers need to
Be applicable from the start of development
Automate the security knowledge
Be integrated into the dev world, e.g.,
IDE (instant feedback)
Continuous integration
Provide easy to understand fix recommendations
Declare their “sweet spots”
[Figure: security testing tools classified by target user (security experts vs. software developers) and by scope (many CWEs and/or technologies vs. only a few CWEs and/or technologies): generalist tools for security experts, specialist tools for security experts, specialist tools for developers, generalist tools for developers]
https://logicalhacking.com/blog/2016/10/25/classifying-security-testing-tools/
44. Combining Multiple Security Testing Methods and Tools
[Figure: layers of the software stack (Web Client / Web Browser, Server Application, Runtime Container, Backend Systems) and which tool covers which layer: SAST (Java), SAST (JavaScript), SAST (C/C++), Tool A (e.g., DAST), Tool B (e.g., IAST), In-Browser Security Testing Tool]
https://logicalhacking.com/blog/2017/01/11/sast-vs-dast-vs-iast/
Risks of using only SAST
Wasting effort that could be used more wisely elsewhere
Shipping insecure software
Examples of SAST limitations
Not all programming languages supported
Does not cover all layers of the software stack
A comprehensive approach combines
Static approaches (i.e., SAST)
Dynamic approaches (i.e., IAST or DAST)
49. How to Measure Success (and Identify White Spots)
Analyze the vulnerabilities reported by
Security Validation
External security researchers
Vulnerability detected by our security testing tools:
Vulnerability in older software release (Covered)
Vulnerability not detected by currently used methods (Not Covered):
Analyze reason for missing vulnerability
Improve tool configuration
Introduce new tools
(Newly Covered)
Success criteria:
Percentage of vulnerabilities not covered by our security testing tools increases
53. Outline (section 5: Lessons Learned)
54. Key Success Factors
A holistic security awareness program for
Developers
Managers
Yes, security awareness is important but
Developer awareness is even more important!
58. Listen to Your Developers And Make Their Life Easy!
We are often talking about a lack of security awareness and, by that, forget the problem of lacking development awareness.
Building a secure system is more difficult than finding a successful attack.
Do not expect your developers to become penetration testers (or security experts)!
Organisations can make it hard for developers to apply security testing skills!
Don’t ask developers to do security testing if their contract doesn’t allow it
Budget application security activities centrally
Educate your developers and make them recognised experts
59. Final remarks
What works well:
Delegate power and accountability to development teams
Multi-tiered model of security experts:
local experts for the local implementation of secure development
global experts that support the local security experts (champions):
act as consultant in difficult/non-standard situations
evaluate, purchase, and operate widely used security testing tools
can mediate between development teams and response teams
Strict separation of
security testing supporting developers and
security validation
What does not work well:
Forcing tools, processes, etc. on developers
Penetration testing as “secure development” approach
Penetration testing has its value, e.g.,
as security integration test
as “meta-test” for your secure development process (validation)
60. Thank you for your attention!
Any questions or remarks?
Contact: Dr. Achim D. Brucker
Department of Computer Science
University of Sheffield
Regent Court
211 Portobello St.
Sheffield S1 4DP, UK
a.brucker@sheffield.ac.uk
@adbrucker
https://de.linkedin.com/in/adbrucker/
https://www.brucker.ch/
https://logicalhacking.com/blog/
61. Bibliography
Ruediger Bachmann and Achim D. Brucker.
Developing secure software: A holistic approach to security testing.
Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014.
Achim D. Brucker and Uwe Sodan.
Deploying static application security testing on a large scale.
In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of
Lecture Notes in Informatics, pages 91–101. GI, March 2014.
Michael Felderer, Matthias Büchler, Martin Johns, Achim D. Brucker, Ruth Breu, and Alexander Pretschner.
Security testing: A survey.
Advances in Computers, 101:1–51, March 2016.
62. Document Classification and License Information
© 2017 LogicalHacking.com, A.D. Brucker.
This presentation is classified as Public (CC BY-NC-ND 4.0):
Except where otherwise noted, this presentation is licensed under a Creative Commons
Attribution-NonCommercial-NoDerivatives 4.0 International Public License (CC BY-NC-ND 4.0).