Integrating Security into the
Application Development Process
Jerod Brennen, CISSP
CTO & Principal Security Consultant, Jacadis
Agenda
• Seek First to Understand
• Source Code Security
• AppSec and SQA
• Analyzing Deployed Applications
• Other Considerations
• Resources
How to Write Good Code
From http://xkcd.com/844/
SEEK FIRST TO UNDERSTAND
Development Methodologies
• Agile with Scrum
• Capability Maturity Model Integration (CMMI)
– 1 (Waterfall)
– 3 (Iterative)
– 5 (Spiral)
• Extreme Programming (XP)
• Object-Oriented Development
• Pair Programming With Iterative
• Proofs of Correctness with Waterfall
• Rational Unified Process (RUP)
• Team Software Process (TSP)
List from http://www.infoq.com/articles/evaluating-agile-software-methodologies
Programming Languages
• ASP.NET
• C / C++ / C# / Objective-C
• HTML5
• Java
• PHP
• Python
• Ruby
• What else?
Risk/Security Frameworks
• COBIT (ISACA)
• COSO (SOX)
• HITRUST CSF (HIPAA)
• ISO/IEC 27002:2005
• NIST
• OCTAVE (CERT)
• STRIDE/DREAD
– Spoofing (identity), Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege
– Damage, Reproducibility, Exploitability, Affected users, Discoverability
Project Phase-Gate Model
• Scoping
• Build Business Case
• Development
• Testing and Validation
• Launch
The OWASP Top Ten (Web)
• A1 – Injection
• A2 – Broken Authentication and Session Management
• A3 – Cross-Site Scripting (XSS)
• A4 – Insecure Direct Object References
• A5 – Security Misconfiguration
• A6 – Sensitive Data Exposure
• A7 – Missing Function Level Access Control
• A8 – Cross-Site Request Forgery (CSRF)
• A9 – Using Components with Known Vulnerabilities
• A10 – Unvalidated Redirects and Forwards
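A1 (Injection) in working code, as an added example that is not from the original deck: the same login query built by string formatting and then with bound parameters, run against an in-memory SQLite table. The users, the passwords and the payload are all constructed for the demo. It also runs the "embedded single quote" probe that appears later under SQA negative testing, because that one cheap test is what usually surfaces this class of bug in QA before a pen tester sees it.

```python
import sqlite3


def build_db():
    """Constructed in-memory user table for this demo (not real data).
    Passwords are kept in the clear only so the injection point stays
    visible; a real application stores a password hash (see A6)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """A1 pattern: untrusted input is pasted into the SQL text, so the
    input can change the structure of the query, not just its values."""
    query = ("SELECT username, role FROM users "
             "WHERE username = '%s' AND password = '%s'" % (username, password))
    return conn.execute(query).fetchall()


def login_hardened(conn, username, password):
    """Same query with bound parameters: the driver hands the values to the
    engine separately, so they are only ever compared, never parsed as SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def single_quote_probe(conn, login):
    """The 'embedded single quote' negative test case: a lone quote in a
    field should be handled like any other character, not produce a
    database error (which is also the first signal an attacker looks for)."""
    try:
        login(conn, "o'brien", "x")
        return "handled"
    except sqlite3.Error:
        return "database error"


def demo():
    """Run both implementations against a valid login, the classic
    authentication-bypass payload, and the single-quote probe."""
    conn = build_db()
    bypass = "' OR '1'='1"          # constructed payload for the demo
    return {
        "vulnerable_valid": login_vulnerable(conn, "bob", "hunter2"),
        "vulnerable_bypass": login_vulnerable(conn, "nobody", bypass),
        "vulnerable_quote": single_quote_probe(conn, login_vulnerable),
        "hardened_valid": login_hardened(conn, "bob", "hunter2"),
        "hardened_bypass": login_hardened(conn, "nobody", bypass),
        "hardened_quote": single_quote_probe(conn, login_hardened),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} {result}")
```

With the bypass payload the vulnerable query becomes `... AND password = '' OR '1'='1'`, which returns every row (the attacker is "logged in" as the first user found, here the admin); the hardened query returns nothing because the payload is compared as a literal string. Parameterization fixes the query-construction flaw only; it does nothing for the plaintext passwords in the demo table.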
The OWASP Top Ten (Mobile)
• M1 – Insecure Data Storage
• M2 – Weak Server Side Controls
• M3 – Insufficient Transport Layer Protection
• M4 – Client Side Injection
• M5 – Poor Authorization and Authentication
• M6 – Improper Session Handling
• M7 – Security Decisions Via Untrusted Inputs
• M8 – Side Channel Data Leakage
• M9 – Broken Cryptography
• M10 – Sensitive Information Disclosure
Prep Checklist
• What development methodologies do we follow?
• What programming languages do we use?
• What risk/security frameworks do we follow?
• What third-party libraries do we use?
• What stages in the development process require approval from the security team?
SOURCE CODE SECURITY
Code Reviews
• Benefits
– Find flaws
– Reduce fraud
• Peer Reviews in Software, by Karl Wiegers
– Ad hoc review
– Passaround
– Pair programming
– Walkthrough
– Team Review
– Inspection
OWASP Code Review Project
• Methodology (v1.1, current)
– Preparation
– Security Code Review in the SDLC
– Security Code Review Coverage
– Application Threat Modeling
– Code Review Metrics
• Methodology (v2.0, due in January 2014)
– Preparation
– Application Threat Modeling
– Understanding Code Layout/Design/Architecture
– Reviewing by Technical Control
– Reviewing by Vulnerability
– Security Code Review for Agile Development
Code Review Tools
• NIST SAMATE
– Software Assurance Metrics and Tool Evaluation
• Tools
– Source Code Security Analyzers
– Byte Code Scanners
– Binary Code Scanners
Code Review Tools (cont’d)
• Checkmarx ($; multiple languages)
• DevInspect ($; Java, .NET)
• FindBugs / FindSecurityBugs (free; Java)
• FxCop (free; .NET)
• IDA Pro ($; Windows/Linux executables)
• LAPSE (free; Java)
• PMD (free; Java)
• Rational AppScan ($; multiple languages)
• RATS (free; C, C++, Perl, PHP, Python)
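What a "source code security analyzer" in the SAMATE sense actually does, as an added example that is not from the deck or from any of the tools listed: a signature-based scanner built on Python's `ast` module that flags calls to a small table of dangerous functions, the same idea RATS applies to C, PHP and Perl with a far larger table. The sample source, the sink table and the severity rule are constructed for illustration. Note the limitation that matters when you triage its output: there is no data-flow analysis, so the scanner only knows whether an argument is a literal; a value validated three lines earlier is still reported as "high", which is why these tools are noisier than a human reviewer.

```python
import ast

# Constructed sample source to scan; it is not from any real project.
SAMPLE_SOURCE = '''
import os, subprocess, pickle

def run(cmd):
    os.system("ls -l")                          # literal argument only
    os.system("ls " + cmd)                      # command built from input
    subprocess.call(cmd, shell=True)            # shell=True with input
    subprocess.call(["ls", "-l"], shell=False)  # argv list, no shell
    return eval(cmd)                            # eval on input

def load(blob):
    return pickle.loads(blob)                   # deserialising untrusted bytes
'''

# Signature table (constructed, in the spirit of RATS): callee -> finding text.
SINKS = {
    "os.system": "OS command execution",
    "os.popen": "OS command execution",
    "eval": "code evaluation",
    "exec": "code evaluation",
    "pickle.loads": "unsafe deserialization",
}
SHELL_WRAPPERS = {"subprocess.call", "subprocess.run", "subprocess.Popen",
                  "subprocess.check_output"}


def callee_name(call):
    """Render the callee as dotted text (os.system, eval); None if dynamic."""
    func = call.func
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None


def analyze(source):
    """Return sorted (line, severity, message) findings for a Python source string."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = callee_name(node)
        if name in SINKS:
            first = node.args[0] if node.args else None
            # No data-flow analysis here: a constant argument cannot carry
            # attacker input, so it is reported at low severity; anything
            # else is assumed tainted (the source of most false positives).
            severity = "low" if isinstance(first, ast.Constant) else "high"
            findings.append((node.lineno, severity, f"{name}: {SINKS[name]}"))
        elif name in SHELL_WRAPPERS:
            shell = [kw.value for kw in node.keywords if kw.arg == "shell"]
            if shell and isinstance(shell[0], ast.Constant) and shell[0].value is True:
                findings.append((node.lineno, "high", f"{name}: shell=True"))
    return sorted(findings)


if __name__ == "__main__":
    for line, severity, message in analyze(SAMPLE_SOURCE):
        print(f"line {line:2}  {severity:4}  {message}")
```

Run on the sample it reports five findings and stays silent on the `shell=False` argv-list call. Byte-code and binary scanners (the other two SAMATE categories) apply the same matching to compiled artifacts, which is what you need when the third-party libraries from the prep checklist ship without source.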
APPSEC AND SQA
The SQA Process
• Initiation
• Planning
• Tracking
• Training
• Reviews
• Issue Resolution
• Testing
• Audit
• Process Improvement
List from http://www.verndale.com/Our-Thinking/9-Steps-of-the-SQA-Process.aspx
Positive and Negative Testing
• Positive Test Cases
– Does the app do what it’s supposed to do?
• Negative Test Cases
– Does the app do anything it’s not supposed to do?
Top 10 Negative Test Cases
• Embedded Single Quote
• Required Data Entry
• Field Type Test
• Field Size Test
• Numeric Bounds Test
• Numeric Limits Test
• Date Bounds Test
• Date Validity
• Web Session Testing
• Performance Changes
List from http://www.sqatester.com/methodology/Top10NegativeTestCases.htm
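The positive/negative split and the first eight negative test cases above, driven from a field specification, as an added example that is not part of the original deck. The form fields, their limits and the sample inputs are constructed for illustration. The point of deriving the negative set from the spec rather than hand-writing it is that a tightened or loosened limit automatically changes what gets tested; the validator is deliberately simple and returns the rejection reason so the suite can check that an input was rejected for the right reason, not just rejected. Web session testing and performance changes need a running application and are left out.

```python
from datetime import date

# Constructed field specification for a hypothetical account-creation form.
FIELDS = {
    "username": {"type": str, "required": True, "max_len": 20},
    "age":      {"type": int, "required": True, "min": 18, "max": 120},
    "birthday": {"type": date, "required": False,
                 "min": date(1900, 1, 1), "max": date(2013, 12, 31)},
}


def validate(field, raw):
    """Return None if raw is acceptable for field, else a short rejection reason."""
    spec = FIELDS[field]
    if raw is None or raw == "":                       # required data entry
        return None if not spec["required"] else "required"
    if spec["type"] is str:
        return "size" if len(str(raw)) > spec["max_len"] else None   # field size
    if spec["type"] is int:
        try:
            value = int(raw)                           # field type
        except (TypeError, ValueError):
            return "type"
    else:
        try:
            value = date.fromisoformat(raw)            # date validity
        except (TypeError, ValueError):
            return "invalid date"
    if value < spec["min"] or value > spec["max"]:     # numeric / date bounds
        return "bounds"
    return None


# Positive cases: the app should accept each of these (constructed inputs).
POSITIVE_CASES = [("username", "jbrennen"), ("age", "42"),
                  ("birthday", "1980-06-15"), ("birthday", "")]


def negative_cases(field):
    """Derive (expected_rejection, input) pairs from the field's spec."""
    spec = FIELDS[field]
    cases = []
    if spec["required"]:
        cases += [("required", ""), ("required", None)]
    if spec["type"] is str:
        cases += [("size", "x" * (spec["max_len"] + 1)),   # one past the limit
                  ("size", "x" * 10000)]                   # grossly oversized
    elif spec["type"] is int:
        cases += [("type", "twelve"), ("type", "1e3"), ("type", "42abc"),
                  ("bounds", str(spec["min"] - 1)),        # numeric bounds
                  ("bounds", str(spec["max"] + 1)),
                  ("bounds", str(2 ** 63)), ("bounds", "-1")]   # numeric limits
    else:
        cases += [("invalid date", "2013-02-30"),           # date validity
                  ("invalid date", "13/01/2013"),
                  ("bounds", "1899-12-31"), ("bounds", "2014-01-01")]  # date bounds
    return cases


def run_suite():
    """Return every case that misbehaved: a positive input rejected, or a
    negative input accepted or rejected for the wrong reason. Empty = pass."""
    failures = []
    for field, raw in POSITIVE_CASES:
        got = validate(field, raw)
        if got is not None:
            failures.append(("positive", field, raw, got))
    for field in FIELDS:
        for expected, raw in negative_cases(field):
            got = validate(field, raw)
            if got != expected:
                failures.append(("negative", field, raw, expected, got))
    return failures


if __name__ == "__main__":
    print(run_suite() or "all positive and negative cases behaved as expected")
```

Each negative case maps to one bullet in the list above: `required` to Required Data Entry, `type` to Field Type, `size` to Field Size, the integer `bounds` cases to Numeric Bounds and Numeric Limits, and the date cases to Date Bounds and Date Validity. The same spec-driven approach is what lets a QA team put a security test (oversized input, wrong type) in front of every field without writing each one by hand.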
SQA Security Tools
• QAInspect
• OWASP Zed Attack Proxy (ZAP)
• OWASP Mantra
ANALYZING DEPLOYED APPLICATIONS
Application Scanning
• Automated scanners interact with an
app like an actual user
• Production vs. Non-Production
• Authenticated vs. Non-Authenticated
• Don’t forget the app infrastructure
– Host Systems
– Web Servers
– Backend Databases
Manual App Analysis
• OWASP Testing Guide (v3)
– Information Gathering
– Configuration Management Testing
– Authentication Testing
– Session Management Testing
– Authorization Testing
– Business Logic Testing
– Data Validation Testing
– Testing for Denial of Service
– Web Services Testing
– AJAX Testing
• Version 4 in development (some material available)
Scanning vs. Pen Testing
• Scanning
– Automated
– Look for signature-based flaws
– Some heuristics
• Web App Pen Testing
– Unconventional thinking
– Test application logic
Web App Security Scanners
• Acunetix Web Vulnerability Scanner (WVS)
• AppScan
• Arachni
• Burp Suite
• Grendel-Scan
• QualysGuard Web Application Scanner (WAS)
• SamuraiWTF
• Veracode Web Application Security (WAS)
• W3AF
• WebInspect
• WebSecurify
OTHER CONSIDERATIONS
SQA Metrics
• ISO 9126-1 (Software Quality)
– Functionality
• Security (unauthorized access)
– Reliability
– Usability
– Efficiency
– Maintainability
– Portability
• Security – CIA Triad
– Confidentiality
– Integrity
– Availability
SQA Metrics (cont’d)
• OWASP
– Cross-site scripting tests run
– SQL injection tests run
– User input tests run
– Cookie or credentials manipulation testing has been performed
– Denial of Service scenarios have been checked
• Vulnerabilities detected vs. vulnerabilities remediated
List from https://www.owasp.org/index.php/Software_Quality_Assurance#Metrics
Developer Training
• OWASP Resources
– Top 10 Application Security Risks
– Top 10 Mobile Security Risks
– WebGoat Project (Java)
– Mutillidae (PHP)
– Bricks (PHP and MySQL)
• SANS Courses
– SEC542: Web App Penetration Testing and Ethical Hacking
– DEV522: Defending Web Applications Security Essentials
– DEV541: Secure Coding in Java/JEE
– DEV544: Secure Coding in .NET
• Web Application Security Consortium
Professional Organizations
• OWASP
• ISSA
• (ISC)2
• InfraGard
• ISACA
• W3C Web Application Security Working Group
RESOURCES
Resources
• Codecademy
– http://www.codecademy.com/learn
• OWASP Top Ten (2013)
– https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
– https://www.owasp.org/index.php/File:OWASP_Top_10_-_2013_Final_-_English.pptx
• OWASP Code Review Project
– https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
• NIST SAMATE
– http://samate.nist.gov/
• Web App Scanner List
– http://projects.webappsec.org/w/page/13246988/Web%20Application%20Security%20Scanner%20List
• SecTools
– http://sectools.org/
More Resources
• Project Phase Gate Model
– http://en.wikipedia.org/wiki/Phase%E2%80%93gate_model
• ISO 9126 Software Quality Characteristics
– http://www.sqa.net/iso9126.html
• Top 10 Negative Test Cases
– http://www.sqatester.com/methodology/Top10NegativeTestCases.htm
• OWASP – Software Quality Assurance
– https://www.owasp.org/index.php/Software_Quality_Assurance
• OWASP Testing Project
– https://www.owasp.org/index.php/OWASP_Testing_Project
• “952” Metrics for Software Quality Assurance (SQA)
– http://davidfrico.com/sqa-metrics.pdf
• Web Application Security Working Group
– http://www.w3.org/2011/webappsec/
Even More Resources
• SQL Injection Tutorial
– http://www.youtube.com/watch?v=qELByGfNJSE
• OWASP Mobile Security Project
– https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
– http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• OWASP WebGoat
– https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
• OWASP Mutillidae
– https://www.owasp.org/index.php/Category:OWASP_Mutillidae
• OWASP Bricks
– https://www.owasp.org/index.php/OWASP_Bricks
Contact Info
Jerod Brennen, CISSP
CTO & Principal Security Consultant, Jacadis
LinkedIn: http://www.linkedin.com/in/slandail
Twitter: https://twitter.com/slandail
http://www.jacadis.com/
contact@jacadis.com
