Session 2 (two) of the course Information Technology Security and Business Continuity. Objectives of information security, attack methods, responsibilities, risk management and the Security Systems Development Life Cycle are discussed.
Presented at Bangladesh Institute of Management on 21 November 2015.
2. Information Security & the SDLC
Information Security Principles
Secure Software Development Life Cycle Touch points
Risk Management
Security Requirements
Software Security Guidelines
Threat Modeling
Security Design
Code Reviews
Disposition
Conclusion
3. Information Security Axioms
“Security is a combination of confidentiality, integrity and availability” [ITSEC91]
“Security is a process, not a product!” [Bruce Schneier]
“Software Security is not Security Software” [Gary McGraw]
“Security is everybody’s problem”
“Inside attacks are more powerful than external ones”
4. What is Information Security?
The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information.
Necessary tools: policy, awareness, training, education, technology.
5. Information Security Domains
A successful organization should have multiple layers of security in place:
Access control
Network security
Risk management
Applications security
Cryptography
Security Architecture & Design
Operations security
Business continuity planning and disaster recovery planning
Legal and regulatory compliance
Physical/environmental security
6. Security Core Principles
Confidentiality: "Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information…" A loss of confidentiality is the unauthorized disclosure of information. [F199-04]
Integrity: "Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity…" A loss of integrity is the unauthorized modification or destruction of information. [F199-04]
Availability: "Ensuring timely and reliable access to and use of information…" A loss of availability is the disruption of access to or use of information or an information system. [F199-04]
Usability: “is a term used to denote the ease with which people can employ a particular tool or other human-made object in order to achieve a particular goal. Usability can also refer to the methods of measuring usability and the study of the principles
8. HOW: Security Base Principles
To respect the core principles we need:
Identification: “is how a user tells a system who he or she is (for example, by using a username or User ID)”;
Authentication: “is the process of verifying a user's claimed identity (for example, by comparing an entered password to the password stored on a system for a given username)”;
Authorization: “defines a user's rights and permissions on a system. After a user (or process) is authenticated, authorization determines what that user can do on the system”;
Auditing: “an evaluation of an organization, system, process, project or product”.
9. Business Drivers
Security is less expensive to implement if it is planned from the beginning
Building security controls into the system, rather than adding them after the system is already built, improves system performance
Security becomes an enabling factor rather than a barrier to success by reducing the need for expensive reengineering and reprogramming
It ensures success of certification and accreditation processes and keeps the project on schedule
17. Excuses to underestimate security in the SDLC
“We've reviewed the code, and there are no security bugs.”
“We know it's the default, but the administrator can turn it off.”
“If we don't run as administrator, stuff breaks.”
“But we'll slip the schedule.”
“It's not exploitable.”
“But that's the way we've always done it.”
“If only we had better tools….”
18. Excuses to underestimate security in the SDLC
“No one will do that!”
“Why would anyone do that?”
“We've never been attacked.”
“We're secure, we use cryptography.”
“We're secure, we use ACLs.”
“We're secure, we use a firewall.”
19. Web Application Security SDLC Elevator Pitch
Between 70% and 90% of web applications have serious vulnerabilities because …the average developer is still not trained well enough.
Embedding application security controls into development and deployment will:
Allow for higher uptime, less TCO
Put YOU into risk control
20. Major Vulnerabilities in the Application Space
A1 – Injection
A2 – Cross Site Scripting (XSS)
A3 – Broken Authentication and Session Management
A4 – Insecure Direct Object References
A5 – Cross Site Request Forgery (CSRF)
A6 – Security Misconfiguration (NEW)
A7 – Failure to Restrict URL Access
A8 – Unvalidated Redirects and Forwards (NEW)
A9 – Insecure Cryptographic Storage
A10 – Insufficient Transport Layer Protection
OWASP Top 10 - 2010
21. Software Security Guidelines
Security Usability:
what to do: security should impact minimally on system usability;
why: applications that are too secure are not usable and will not be used;
how: all security features have to be balanced with usability factors;
Use the “least privilege principle”:
what to do: every application should be executed with the minimum privileges needed to execute its tasks;
why: the least privilege principle limits the damage done when an application vulnerability is exploited;
how: check and set only the privileges the application needs;
22. Software Security Guidelines
Confidentiality:
what to do: personal information must be protected;
why: unauthorized users should not have access to confidential information;
how: data and channel encryption; Identification, Authorization and Authentication guidelines;
Integrity:
what to do: protect application data from corruption activities;
why: data is the highest value asset in Information Systems;
how: use a good access control policy and respect the Identification, Authorization and Authentication guidelines;
Availability:
what to do: ensure applications are always available for the users' tasks and goals;
why: mission critical applications have to be always available;
how: try to disconnect “resources” such as network, peripherals, etc. and test the applications; Identification, Authorization and Authentication guidelines;
23. Software Security Guidelines
Identification & Authentication:
what to do: identify and authenticate users or systems to implement access control policies;
why: identification and authentication are needed for the Authentication phase;
how: something you: Know (1F*); Have (2F*); Are (3F*); Do (4F*);
Authorization:
what to do: authorize a user to “use” only objects he or she should use;
why: authorization is needed for the Integrity of data and systems;
how: adopt a well-known access control policy such as MAC, RBAC, DAC;
Auditing & Logging:
what to do: monitor application activities;
why: logs are useful to track activities and to detect errors and flaws;
how: ensure auditing aspects are activated on the system;
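The identification, authentication, authorization and auditing steps from slide 8, wired together with the RBAC policy slide 23 recommends, as an added example that is not part of the deck. The user store, the role-to-permission map, the PBKDF2 work factor and the sample requests are all constructed for the illustration.

```python
"""Identification -> authentication -> authorization -> audited outcome.

Added example (not from the slide deck). Users, roles and requests are
constructed inline so the module runs offline.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

PBKDF2_ITERATIONS = 600_000  # assumption: illustrative work factor for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Return (salt, verifier); only the verifier is stored, never the password."""
    salt = salt or secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, key


def make_user(password: str, roles: list[str]) -> dict:
    salt, key = hash_password(password)
    return {"salt": salt, "key": key, "roles": set(roles)}


# Identification is by username (constructed store).
USERS = {
    "alice": make_user("correct horse", ["analyst"]),
    "bob": make_user("battery staple", ["auditor"]),
}

# Constructed RBAC policy: a role grants a set of permissions; anything not
# listed is denied, so the default is "fail securely".
ROLE_PERMISSIONS = {
    "analyst": {"report:read", "report:write"},
    "auditor": {"report:read", "auditlog:read"},
}

AUDIT_LOG: list[dict] = []  # slide 23: logs track activity and reveal errors and flaws


def audit(event: str, user: str, **details) -> None:
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(),
                      "event": event, "user": user, **details})


def authenticate(username: str, password: str) -> bool:
    """Verify the claimed identity. Unknown users and wrong passwords get the
    same answer, and the same key derivation cost, so the response does not
    reveal which usernames exist."""
    record = USERS.get(username)
    salt = record["salt"] if record else b"\x00" * 16  # dummy salt for unknown users
    _, candidate = hash_password(password, salt)
    ok = record is not None and hmac.compare_digest(candidate, record["key"])
    audit("authn", username, success=ok)
    return ok


def authorize(username: str, permission: str) -> bool:
    """RBAC check: allowed only if one of the user's roles grants the permission."""
    roles = USERS.get(username, {}).get("roles", set())
    allowed = any(permission in ROLE_PERMISSIONS.get(r, set()) for r in roles)
    audit("authz", username, permission=permission, allowed=allowed)
    return allowed


def handle_request(username: str, password: str, permission: str) -> str:
    """Full path for one request; every decision leaves an audit record."""
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not authorize(username, permission):
        return "denied: not authorized"
    return "granted"


if __name__ == "__main__":
    print(handle_request("alice", "correct horse", "report:write"))
    print(handle_request("alice", "correct horse", "auditlog:read"))
    print(handle_request("mallory", "guess", "report:read"))
    for entry in AUDIT_LOG:
        print(entry)
```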
27. Initiation Phase
System Categorization
System Description
Need, purpose and mission
Functional requirements
Policy and architecture
Network topology
Information flow
Security controls (either planned or already implemented)
Physical and environmental security
Boundary analysis and interconnections
Component inventory
Hardware
Software
External interfaces to other systems
Data
People
28. Initiation Phase
Risk Assessment
Risk assessment is the process of analyzing threats to an information system and known vulnerabilities to determine the likelihood and impact of some anticipated loss. This risk analysis can then be used to design protective security controls that reduce these factors to acceptable levels.
A prerequisite for risk assessment is system categorization.
29. Initiation Phase
Risk Assessment
Part of a greater process called Risk Management.
Risk Management begins with Risk Assessment and then moves into protecting the information system with Risk Mitigation (through security controls) and closes out with Evaluation and Assessment to confirm that the Risk Management process is actually working.
30. Initiation Phase
Vulnerability Identification
A vulnerability is a weakness in a system or its protections that could be exercised, creating a breach in the security protection of the system. The goal of this step is to come up with a list of vulnerabilities that could be exercised by potential threat sources.
Vulnerabilities can be identified from lists and advisories on common vulnerabilities and also by testing the system.
31. Initiation Phase
Vulnerability lists
Databases – NIST National Vulnerability Database
Vendor advisories – Google directory of computer security
advisories and patches
CIRT lists and bulletins
US-CERT
SANS Top 20
SANS Internet Storm Center
System testing
Vulnerability scanning
Penetration testing
Security controls assessment
Previous risk assessment documentation
32. Requirements Analysis
Used to identify the system's protection requirements through the use of a formal risk assessment process.
Generates essential information needed to complete the system security plan.
The risk assessment includes the following:
Identification of threats and vulnerabilities
The potential impact or magnitude of harm that a loss of confidentiality, integrity, or availability would have on assets, operations, image, reputation should there be a threat of exploitation
Consider potential inheritance of vulnerabilities from other systems
33. Security Functional Requirements Analysis
Analysis should include laws and regulations such as:
Privacy act
PCI
SOX
GLBA
Other regulations
More than one risk assessment may be required as this phase of the SDLC progresses
34. Threat Modeling
Understand the operating environment your application is heading into
Identify, analyze and document (and thus hopefully mitigate) threats
35. Threats
Natural threats: Storms; Floods; Tornadoes; Hurricanes; Electrical storms; Earthquakes; Slides; Landslide; Avalanche; Temperature extremes
Environmental threats: Power failures
Human threats:
Unintentional: Data compromise
Intentional (Hacker/cracker): System intrusion; Defacement; Data compromise
Criminal: Bribery, extortion; System intrusion; Data compromise
Terrorist: Bribery, extortion; System intrusion; Data compromise; Information warfare; System disruption; Organizational disruption
Industrial espionage: System intrusion; Data compromise; Organizational disruption
Insiders: System intrusion; Data compromise; Organizational disruption
36. Identifying threats – data flow diagrams
A data flow diagram contains the major processes, system boundaries and interactions with external entities
37. Categorizing and Quantifying Threats
Most known: Microsoft STRIDE and DREAD
STRIDE: spoofing, tampering, repudiation, information disclosure, denial of service, escalation of privileges
DREAD: damage potential, reproducibility, exploitability, affected users, discoverability
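Categorizing threats by STRIDE and rating them with DREAD, then ranking them so the highest-rated threats drive the mitigation choice the next slide asks for, as an added example that is not part of the deck. The four threats, their scores, the 1-10 scale and the High/Medium/Low bands are constructed for a hypothetical web application and are assumptions, not values from the slides.

```python
"""STRIDE categorization and DREAD rating of a constructed threat list.

Added example (not from the slide deck). Scores and bands are assumptions.
"""
from dataclasses import dataclass

# The six STRIDE categories named on slide 37.
STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# The five DREAD factors named on slide 37; each is scored 1 (low) to 10 (high)
# here, which is an assumed scale for the example.
DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")


@dataclass(frozen=True)
class Threat:
    name: str
    stride: str                              # one letter from STRIDE
    dread: tuple[int, int, int, int, int]    # scores in DREAD_FACTORS order

    def __post_init__(self):
        if self.stride not in STRIDE:
            raise ValueError(f"unknown STRIDE category {self.stride!r}")
        if len(self.dread) != len(DREAD_FACTORS) or not all(1 <= s <= 10 for s in self.dread):
            raise ValueError("DREAD needs five scores in 1..10")


def dread_score(t: Threat) -> float:
    """DREAD rating: arithmetic mean of the five factor scores."""
    return sum(t.dread) / len(t.dread)


def risk_band(score: float) -> str:
    """Assumed bands that turn a numeric rating into a priority label."""
    if score >= 7:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def rank_threats(threats) -> list[tuple[str, str, float, str]]:
    """(name, STRIDE category, DREAD score, band), highest rated first."""
    rows = [(t.name, STRIDE[t.stride], dread_score(t), risk_band(dread_score(t)))
            for t in threats]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def stride_coverage(threats) -> dict[str, int]:
    """Threats per STRIDE category; a zero flags a category nobody analysed."""
    counts = {name: 0 for name in STRIDE.values()}
    for t in threats:
        counts[STRIDE[t.stride]] += 1
    return counts


# Constructed threats for a hypothetical login + report-download feature.
SAMPLE_THREATS = [
    Threat("Session token is predictable", "S", (8, 9, 7, 9, 6)),
    Threat("Report ID in URL not checked against owner", "I", (7, 10, 9, 8, 9)),
    Threat("No audit trail for report deletion", "R", (5, 10, 6, 4, 3)),
    Threat("Unbounded report size exhausts worker memory", "D", (6, 8, 5, 10, 4)),
]

if __name__ == "__main__":
    for name, category, score, band in rank_threats(SAMPLE_THREATS):
        print(f"{band:6} {score:4.1f}  {category:24} {name}")
    print("coverage:", stride_coverage(SAMPLE_THREATS))
```

Categories with a zero count in the coverage report are the ones to revisit with the data flow diagram before the list is declared complete.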
38. Threat Modeling
Select mitigation strategy and techniques based on identified, documented and rated threats.
Benefits:
Prevent security design flaws
Identify & address greatest risks
Increased risk awareness and understanding
Mechanism for reaching consensus
Cost justification and support for needed controls
Means for communicating results
39. Secure Design
Principles (*)
Secure the weakest link
Practice defence in depth
Fail securely
Follow the principle of least privilege
Compartmentalize
Keep it simple
Promote privacy
Remember that hiding secrets is hard
Be reluctant to trust
Use your community resources
Future proof security design!
(*) Building Secure Software, Viega-McGraw
40. Design Reviews
Better to find flaws early
Security design reviews
Check to ensure design meets requirements
Also check to make sure you didn’t miss a requirement
Assemble a team
Experts in the technology
Security-minded team members
Do a high-level penetration test against the design
Be sure to do root cause analysis on any flaws identified
41. Secure Coding Guideline
Formalize best practices into secure coding guidelines
well documented and enforceable coding standards
Tune towards the environment
The OWASP Secure Coding Guide can be used as a reference
can be used as a metric to evaluate source code
43. The OWASP Testing Guide
Part of an appsec body of knowledge…
Testing Principles
Testing Process
Custom Web Applications
Black Box Testing
Grey Box Testing
Risk and Reporting
Appendix: Testing Tools
Appendix: Fuzz Vectors
Information Gathering
Business Logic Testing
Authentication Testing
Session Management Testing
Data Validation Testing
Denial of Service Testing
Web Services Testing
Ajax Testing
44. Application Security Principles
Minimize attack surface area
Establish secure defaults
Principle of Least privilege
Principle of Defense in depth
Fail securely
Don't trust services
Separation of duties
Avoid security by obscurity
Keep security simple
Fix security issues correctly
45. Operations and Maintenance Phase
Establishing a change control process.
Continuous Monitoring
Application Vulnerability Scanning
Penetration Testing
46. Disposal Phase
Without correctly finishing up, all the previous defensive measures can be wasted. The following steps are taken to ensure correct disposal:
Information preservation
Media Sanitization
Hardware and software disposal
How is equipment/software retired?
48. References
[AHM04] A. Anton, P. Hope, G. McGraw, “Misuse and Abuse Cases: Getting Past the Positive”, IEEE Security & Privacy, March 2004.
[CA06] Curphey, Araujo, “Web Application Security Assessment Tools”, IEEE Security & Privacy, Volume 4, Issue 4, July 2006.
[CM04] B. Chess, G. McGraw, “Static Analysis for Security”, IEEE Security & Privacy, December 2004.
[ITSEC91] “Information Technology Security Evaluation Criteria”, Commission of the European Communities, 1991.
[F199-04] Federal Information Processing Standard (FIPS) 199, “Standards for Security Categorization of Federal Information and Information Systems”, 2004.
[GW03] M.G. Graff, K.R. van Wyk, “Secure Coding: Principles & Practices”, O'Reilly, 2003.
[LH03] D. LeBlanc, M. Howard, “Writing Secure Code”, 2nd edition, Microsoft Press, 2003.
[M04] G. McGraw, “Software Security”, IEEE Security & Privacy, February 2004.
[MP04] G. McGraw, B. Potter, “Software Security Testing”, IEEE Security & Privacy, May 2004.
[MV04] G. McGraw, D. Verdon, “Risk Analysis in Software Design”, IEEE Security & Privacy, April 2004.
[NIST04] NIST, “Security Considerations in the Information System Development Life Cycle”, SP 800-64 Rev. 1, 2004.
[V04] V. Rajlich, “Changing the Paradigm of Software Engineering”, Communications of the ACM, Volume 49, Issue 8, August 2006.