Integrating Security into the
Application Development Process
Jerod Brennen, CISSP
CTO & Principal Security Consultant, Jacadis
Agenda
• Seek First to Understand
• Source Code Security
• AppSec and SQA
• Analyzing Deployed Applications
• Other Considerations
• Resources
How to Write Good Code
From http://xkcd.com/844/
SEEK FIRST TO UNDERSTAND
Development Methodologies
• Agile with Scrum
• Capability Maturity Model Integrated (CMMI)
– 1 (Waterfall)
– 3 (Iterative)
– 5 (Spiral)
• Extreme Programming (XP)
• Object-Oriented Development
• Pair Programming With Iterative
• Proofs of Correctness with Waterfall
• Rational Unified Process (RUP)
• Team Software Process (TSP)
List from http://www.infoq.com/articles/evaluating-agile-software-methodologies
Programming Languages
• ASP.NET
• C / C++ / C# / Objective-C
• HTML5
• Java
• PHP
• Python
• Ruby
• What else?
Risk/Security Frameworks
• COBIT (ISACA)
• COSO (SOX)
• HITRUST CSF (HIPAA)
• ISO/IEC 27002:2005
• NIST
• OCTAVE (CERT)
• STRIDE/DREAD
– STRIDE: Spoofing (identity), Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege
– DREAD: Damage, Reproducibility, Exploitability, Affected users, Discoverability
Project Phase-Gate Model
• Scoping
• Build Business Case
• Development
• Testing and Validation
• Launch
The OWASP Top Ten (Web)
• A1 – Injection
• A2 – Broken Authentication and Session Management
• A3 – Cross-Site Scripting (XSS)
• A4 – Insecure Direct Object References
• A5 – Security Misconfiguration
• A6 – Sensitive Data Exposure
• A7 – Missing Function Level Access Control
• A8 – Cross-Site Request Forgery (CSRF)
• A9 – Using Components with Known Vulnerabilities
• A10 – Unvalidated Redirects and Forwards
The OWASP Top Ten (Mobile)
• M1 – Insecure Data Storage
• M2 – Weak Server Side Controls
• M3 – Insufficient Transport Layer Protection
• M4 – Client Side Injection
• M5 – Poor Authorization and Authentication
• M6 – Improper Session Handling
• M7 – Security Decisions Via Untrusted Inputs
• M8 – Side Channel Data Leakage
• M9 – Broken Cryptography
• M10 – Sensitive Information Disclosure
Prep Checklist
• What development methodologies do we follow?
• What programming languages do we use?
• What risk/security frameworks do we follow?
• What third-party libraries do we use?
• What stages in the development process require approval from the security team?
SOURCE CODE SECURITY
Code Reviews
• Benefits
– Find flaws
– Reduce fraud
• Peer Reviews in Software, by Karl Wiegers
– Ad hoc review
– Passaround
– Pair programming
– Walkthrough
– Team Review
– Inspection
OWASP Code Review Project
• Methodology (v1.1, current)
– Preparation
– Security Code Review in the SDLC
– Security Code Review Coverage
– Application Threat Modeling
– Code Review Metrics
• Methodology (v2.0, due in January 2014)
– Preparation
– Application Threat Modeling
– Understanding Code Layout/Design/Architecture
– Reviewing by Technical Control
– Reviewing by Vulnerability
– Security Code Review for Agile Development
Code Review Tools
• NIST SAMATE
– Software Assurance Metrics and Tool Evaluation
• Tools
– Source Code Security Analyzers
– Byte Code Scanners
– Binary Code Scanners
Code Review Tools (cont’d)
• Checkmarx ($; multiple languages)
• DevInspect ($; Java, .NET)
• FindBugs / FindSecurityBugs (free; Java)
• FxCop (free; .NET)
• IDA Pro ($; Windows/Linux executables)
• LAPSE (free; Java)
• PMD (free; Java)
• Rational AppScan ($; multiple languages)
• RATS (free; C, C++, Perl, PHP, Python)
APPSEC AND SQA
The SQA Process
• Initiation
• Planning
• Tracking
• Training
• Reviews
• Issue Resolution
• Testing
• Audit
• Process Improvement
List from http://www.verndale.com/Our-Thinking/9-Steps-of-the-SQA-Process.aspx
Positive and Negative Testing
• Positive Test Cases
– Does the app do what it’s supposed to do?
• Negative Test Cases
– Does the app do anything it’s not supposed to do?
Top 10 Negative Test Cases
• Embedded Single Quote
• Required Data Entry
• Field Type Test
• Field Size Test
• Numeric Bounds Test
• Numeric Limits Test
• Date Bounds Test
• Date Validity
• Web Session Testing
• Performance Changes
List from http://www.sqatester.com/methodology/Top10NegativeTestCases.htm
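The following is an added example, not code from the slides: a small registration-form validator in Python, exercised against the positive case ("does the app do what it is supposed to do?") and the first eight negative test categories listed above. The embedded single quote case is checked end to end through a parameterized SQLite insert, so the quote is stored as data rather than breaking the query; Web Session Testing and Performance Changes need a running application and are not covered. The field names, limits, dates and sample values are constructed for illustration.

```python
"""Positive and negative test cases for a form validator (constructed example)."""
import re
import sqlite3
from datetime import date

# Constructed limits: a real application would take these from its requirements.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")
MIN_AGE, MAX_AGE = 13, 120
EARLIEST_BIRTH = date(1900, 1, 1)


class ValidationError(ValueError):
    """Raised with the field that failed and why."""


def validate_registration(form: dict, today: date) -> dict:
    """Validate a registration form and return the cleaned record.

    Each check maps onto one of the negative test categories: required data
    entry, field type, field size, numeric bounds/limits, date bounds and
    date validity. Any failure raises ValidationError; the caller never sees
    a partially validated record.
    """
    cleaned = {}

    # Required data entry, field type and field size (username).
    username = form.get("username")
    if username is None or username == "":
        raise ValidationError("username: required")
    if not isinstance(username, str):
        raise ValidationError("username: must be a string")
    if not USERNAME_RE.fullmatch(username):
        raise ValidationError("username: 3-32 chars from [A-Za-z0-9_.-]")
    cleaned["username"] = username

    # Free-text field: quotes are legitimate data (O'Brien), only the size is limited.
    display_name = form.get("display_name", "")
    if not isinstance(display_name, str):
        raise ValidationError("display_name: must be a string")
    if len(display_name) > 64:
        raise ValidationError("display_name: max 64 chars")
    cleaned["display_name"] = display_name

    # Numeric bounds and limits (age): reject non-integers (bool is an int subclass
    # in Python, so it is excluded explicitly) and anything outside the allowed range.
    age = form.get("age")
    if isinstance(age, bool) or not isinstance(age, int):
        raise ValidationError("age: must be an integer")
    if not MIN_AGE <= age <= MAX_AGE:
        raise ValidationError(f"age: must be between {MIN_AGE} and {MAX_AGE}")
    cleaned["age"] = age

    # Date validity (a real calendar date) and date bounds (not in the future,
    # not implausibly old). The date is supplied as an ISO 8601 string.
    raw = form.get("birth_date")
    if not isinstance(raw, str):
        raise ValidationError("birth_date: required ISO date string")
    try:
        birth = date.fromisoformat(raw)
    except ValueError:
        raise ValidationError("birth_date: not a valid calendar date") from None
    if birth > today or birth < EARLIEST_BIRTH:
        raise ValidationError("birth_date: out of range")
    cleaned["birth_date"] = birth
    return cleaned


def store_user(conn: sqlite3.Connection, record: dict) -> str:
    """Insert a validated record with a parameterized query and read it back.

    Because the values are bound as parameters, an embedded single quote in the
    display name is stored verbatim instead of terminating the SQL string.
    """
    conn.execute(
        "INSERT INTO users(username, display_name, age, birth_date) VALUES (?, ?, ?, ?)",
        (record["username"], record["display_name"], record["age"],
         record["birth_date"].isoformat()),
    )
    row = conn.execute("SELECT display_name FROM users WHERE username = ?",
                       (record["username"],)).fetchone()
    return row[0]


def run_test_cases(today: date = date(2014, 1, 15)) -> dict:
    """Run the positive case and the negative cases; True means the app behaved."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(username TEXT PRIMARY KEY, display_name TEXT, "
                 "age INTEGER, birth_date TEXT)")
    good = {"username": "jdoe", "display_name": "O'Brien", "age": 40,
            "birth_date": "1973-06-01"}  # constructed sample input
    results = {}
    record = validate_registration(good, today)
    results["positive: valid form accepted"] = record["age"] == 40
    results["embedded single quote"] = store_user(conn, record) == "O'Brien"
    negatives = {
        "required data entry": {**good, "username": ""},
        "field type": {**good, "age": "forty"},
        "field size": {**good, "username": "x" * 33},
        "numeric bounds": {**good, "age": 5},
        "numeric limits": {**good, "age": 2 ** 63},
        "date bounds": {**good, "birth_date": "2031-01-01"},
        "date validity": {**good, "birth_date": "1973-02-30"},
    }
    for name, form in negatives.items():
        try:
            validate_registration(form, today)
            results[name] = False  # bad input slipped through: the negative test failed
        except ValidationError:
            results[name] = True
    return results


if __name__ == "__main__":
    for name, passed in run_test_cases().items():
        print(f"{'PASS' if passed else 'FAIL'}  {name}")
```

The negative cases are data-driven so a QA team can extend the table with more malformed inputs without touching the validator; a `False` in the result dictionary is a defect to file, not a test to delete.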
SQA Security Tools
• QAInspect
• OWASP Zed Attack Proxy (ZAP)
• OWASP Mantra
ANALYZING DEPLOYED APPLICATIONS
Application Scanning
• Automated scanners interact with an app like an actual user
• Production vs. Non-Production
• Authenticated vs. Non-Authenticated
• Don’t forget the app infrastructure
– Host Systems
– Web Servers
– Backend Databases
Manual App Analysis
• OWASP Testing Guide (v3)
– Information Gathering
– Configuration Management Testing
– Authentication Testing
– Session Management Testing
– Authorization Testing
– Business Logic Testing
– Data Validation Testing
– Testing for Denial of Service
– Web Services Testing
– AJAX Testing
• Version 4 in development (some material available)
Scanning vs. Pen Testing
• Scanning
– Automated
– Look for signature-based flaws
– Some heuristics
• Web App Pen Testing
– Unconventional thinking
– Test application logic
Web App Security Scanners
• Acunetix Web Vulnerability Scanner (WVS)
• AppScan
• Arachni
• Burp Suite
• Grendel-Scan
• QualysGuard Web Application Scanner (WAS)
• SamuraiWTF
• Veracode Web Application Security (WAS)
• W3AF
• WebInspect
• WebSecurify
OTHER CONSIDERATIONS
SQA Metrics
• ISO 9126-1 (Software Quality)
– Functionality
• Security (unauthorized access)
– Reliability
– Usability
– Efficiency
– Maintainability
– Portability
• Security – CIA Triad
– Confidentiality
– Integrity
– Availability
SQA Metrics (cont’d)
• OWASP
– Cross-site scripting tests run
– SQL injection tests run
– User input tests run
– Cookie or credentials manipulation testing has been performed
– Denial of Service scenarios have been checked
• Vulnerabilities detected vs. vulnerabilities remediated
List from https://www.owasp.org/index.php/Software_Quality_Assurance#Metrics
Developer Training
• OWASP Resources
– Top 10 Application Security Risks
– Top 10 Mobile Security Risks
– WebGoat Project (Java)
– Mutillidae (PHP)
– Bricks (PHP and MySQL)
• SANS Courses
– SEC542: Web App Penetration Testing and Ethical Hacking
– DEV522: Defending Web Applications Security Essentials
– DEV541: Secure Coding in Java/JEE
– DEV544: Secure Coding in .NET
• Web Application Security Consortium
Professional Organizations
• OWASP
• ISSA
• (ISC)2
• InfraGard
• ISACA
• W3C Web Application Security Working Group
RESOURCES
Resources
• Codecademy
– http://www.codecademy.com/learn
• OWASP Top Ten (2013)
– https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
– https://www.owasp.org/index.php/File:OWASP_Top_10_-_2013_Final_-_English.pptx
• OWASP Code Review Project
– https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
• NIST SAMATE
– http://samate.nist.gov/
• Web App Scanner List
– http://projects.webappsec.org/w/page/13246988/Web%20Application%20Security%20Scanner%20List
• SecTools
– http://sectools.org/
More Resources
• Project Phase Gate Model
– http://en.wikipedia.org/wiki/Phase%E2%80%93gate_model
• ISO 9126 Software Quality Characteristics
– http://www.sqa.net/iso9126.html
• Top 10 Negative Test Cases
– http://www.sqatester.com/methodology/Top10NegativeTestCases.htm
• OWASP – Software Quality Assurance
– https://www.owasp.org/index.php/Software_Quality_Assurance
• OWASP Testing Project
– https://www.owasp.org/index.php/OWASP_Testing_Project
• “952” Metrics for Software Quality Assurance (SQA)
– http://davidfrico.com/sqa-metrics.pdf
• Web Application Security Working Group
– http://www.w3.org/2011/webappsec/
Even More Resources
• SQL Injection Tutorial
– http://www.youtube.com/watch?v=qELByGfNJSE
• OWASP Mobile Security Project
– https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
– http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• OWASP WebGoat
– https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
• OWASP Mutillidae
– https://www.owasp.org/index.php/Category:OWASP_Mutillidae
• OWASP Bricks
– https://www.owasp.org/index.php/OWASP_Bricks
Contact Info
Jerod Brennen, CISSP
CTO & Principal Security Consultant, Jacadis
LinkedIn: http://www.linkedin.com/in/slandail
Twitter: https://twitter.com/slandail
http://www.jacadis.com/
contact@jacadis.com

SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Hyundai Motor Group
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 

Recently uploaded (20)

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 

Integrating security into the application development process

1. Integrating Security into the Application Development Process
Jerod Brennen, CISSP
CTO & Principal Security Consultant, Jacadis

2. Agenda
• Seek First to Understand
• Source Code Security
• AppSec and SQA
• Analyzing Deployed Applications
• Other Considerations
• Resources

3. How to Write Good Code
From http://xkcd.com/844/

4. SEEK FIRST TO UNDERSTAND

5. Development Methodologies
• Agile with Scrum
• Capability Maturity Model Integration
– 1 (Waterfall)
– 3 (Iterative)
– 5 (Spiral)
• Extreme Programming (XP)
• Object-Oriented Development
• Pair Programming With Iterative
• Proofs of Correctness with Waterfall
• Rational Unified Process (RUP)
• Team Software Process (TSP)
List from http://www.infoq.com/articles/evaluating-agile-software-methodologies

6. Programming Languages
• ASP.NET
• C / C++ / C# / Objective-C
• HTML5
• Java
• PHP
• Python
• Ruby
• What else?

7. Risk/Security Frameworks
• COBIT (ISACA)
• COSO (SOX)
• HITRUST CSF (HIPAA)
• ISO/IEC 27002:2005
• NIST
• OCTAVE (CERT)
• STRIDE/DREAD
– Spoofing (identity), Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege
– Damage, Reproducibility, Exploitability, Affected users, Discoverability

8. Project Phase-Gate Model
• Scoping
• Build Business Case
• Development
• Testing and Validation
• Launch

9. The OWASP Top Ten (Web)
• A1 – Injection
• A2 – Broken Authentication and Session Management
• A3 – Cross-Site Scripting (XSS)
• A4 – Insecure Direct Object References
• A5 – Security Misconfiguration
• A6 – Sensitive Data Exposure
• A7 – Missing Function Level Access Control
• A8 – Cross-Site Request Forgery (CSRF)
• A9 – Using Components with Known Vulnerabilities
• A10 – Unvalidated Redirects and Forwards

10. The OWASP Top Ten (Mobile)
• M1 – Insecure Data Storage
• M2 – Weak Server Side Controls
• M3 – Insufficient Transport Layer Protection
• M4 – Client Side Injection
• M5 – Poor Authorization and Authentication
• M6 – Improper Session Handling
• M7 – Security Decisions Via Untrusted Inputs
• M8 – Side Channel Data Leakage
• M9 – Broken Cryptography
• M10 – Sensitive Information Disclosure

11. Prep Checklist
• What development methodologies do we follow?
• What programming languages do we use?
• What risk/security frameworks do we follow?
• What third-party libraries do we use?
• What stages in the development process require approval from the security team?

13. Code Reviews
• Benefits
– Find flaws
– Reduce fraud
• Peer Reviews in Software, by Karl Wiegers
– Ad hoc review
– Passaround
– Pair programming
– Walkthrough
– Team Review
– Inspection

14. OWASP Code Review Project
• Methodology (v1.1, current)
– Preparation
– Security Code Review in the SDLC
– Security Code Review Coverage
– Application Threat Modeling
– Code Review Metrics
• Methodology (v2.0, due in January 2014)
– Preparation
– Application Threat Modeling
– Understanding Code Layout/Design/Architecture
– Reviewing by Technical Control
– Reviewing by Vulnerability
– Security Code Review for Agile Development

15. Code Review Tools
• NIST SAMATE – Software Assurance Metrics and Tool Evaluation
• Tools
– Source Code Security Analyzers
– Byte Code Scanners
– Binary Code Scanners

16. Code Review Tools (cont’d)
• Checkmarx ($; multiple languages)
• DevInspect ($; Java, .NET)
• FindBugs / FindSecurityBugs (free; Java)
• FxCop (free; .NET)
• IDA Pro ($; Windows/Linux executables)
• LAPSE (free; Java)
• PMD (free; Java)
• Rational AppScan ($; multiple languages)
• RATS (free; C, C++, Perl, PHP, Python)

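To make the "Source Code Security Analyzers" category on slides 15 and 16 concrete, here is a minimal lexical analyzer of the kind RATS represents. This is an added example, not code from the deck or from any of the tools it lists; the rule table, severities, remediation notes and the sample C file are all constructed for illustration, and a real analyzer carries far more rules and, in the better tools, data-flow analysis rather than pattern matching.

```python
"""A minimal pattern-based source code security analyzer for C.
Added example, not the deck's code nor any listed tool's: it shows the
mechanism behind lexical analyzers such as RATS (match calls to risky
functions, report file:line, rank by severity). The rule table and the
sample source below are constructed for illustration."""
from __future__ import annotations
import re
from dataclasses import dataclass

# function -> (severity, remediation note); a real tool ships hundreds of these
RULES = {
    "gets":    ("high",   "unbounded read; use fgets with a buffer size"),
    "strcpy":  ("high",   "unbounded copy; use a bounded copy with an explicit size"),
    "sprintf": ("high",   "unbounded format output; use snprintf"),
    "strcat":  ("medium", "unbounded append; use a bounded variant"),
    "system":  ("medium", "shell invocation; never pass untrusted input"),
    "strncpy": ("low",    "bounded, but does not NUL-terminate on truncation"),
}
_SEV_ORDER = {"high": 0, "medium": 1, "low": 2}
# \b keeps my_strcpy( and fgets( from matching strcpy( and gets(
_CALL = re.compile(r"\b(" + "|".join(map(re.escape, RULES)) + r")\s*\(")
# block comments, line comments and string literals, in that order
_NOISE = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"', re.S)

@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    func: str
    severity: str
    note: str

def _blank_noise(src: str) -> str:
    """Replace comments and string literals with spaces, keeping every newline
    so reported line numbers still match the original file."""
    return _NOISE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)

def scan(path: str, src: str) -> list[Finding]:
    """Return findings for one file, highest severity first, then by line."""
    found = [Finding(path, n, m.group(1), *RULES[m.group(1)])
             for n, line in enumerate(_blank_noise(src).split("\n"), 1)
             for m in _CALL.finditer(line)]
    return sorted(found, key=lambda f: (_SEV_ORDER[f.severity], f.file, f.line))

def summary(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, the number a review gate would track."""
    counts = {s: 0 for s in _SEV_ORDER}
    for f in findings:
        counts[f.severity] += 1
    return counts

def report(findings: list[Finding]) -> str:
    return "\n".join(f"{f.file}:{f.line}: [{f.severity}] {f.func}: {f.note}"
                     for f in findings)

# Constructed sample: two real findings, one low-severity note, two decoys
SAMPLE_C = r"""#include <stdio.h>
#include <string.h>

/* strcpy(dst, src) inside a comment must not be reported */
int greet(const char *name) {
    char buf[32];
    strcpy(buf, name);      /* unbounded copy into a fixed buffer */
    printf("hello, %s\n", buf);
    return 0;
}

int read_line(void) {
    char line[128];
    gets(line);             // no length limit at all
    return 0;
}

int safe_copy(const char *src) {
    char buf[32];
    strncpy(buf, src, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    puts("strcpy(a, b) in a string literal is not a call");
    return 0;
}
"""

if __name__ == "__main__":
    print(report(scan("greet.c", SAMPLE_C)))
```

Running the module prints three findings for the sample: `strcpy` on line 7 and `gets` on line 14 at high severity, then the bounded `strncpy` on line 20 as a low-severity note. The two decoys (a `strcpy` in a comment and one inside a string literal) are blanked out before matching, which is the first thing a pattern-based tool has to get right to keep its false-positive rate tolerable; what it still cannot do is tell whether `name` in `greet()` is actually attacker-controlled, which is why the deck separates these tools from manual code review.
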
18. The SQA Process
• Initiation
• Planning
• Tracking
• Training
• Reviews
• Issue Resolution
• Testing
• Audit
• Process Improvement
List from http://www.verndale.com/Our-Thinking/9-Steps-of-the-SQA-Process.aspx

19. Positive and Negative Testing
• Positive Test Cases
– Does the app do what it’s supposed to do?
• Negative Test Cases
– Does the app do anything it’s not supposed to do?

20. Top 10 Negative Test Cases
• Embedded Single Quote
• Required Data Entry
• Field Type Test
• Field Size Test
• Numeric Bounds Test
• Numeric Limits Test
• Date Bounds Test
• Date Validity
• Web Session Testing
• Performance Changes
List from http://www.sqatester.com/methodology/Top10NegativeTestCases.htm

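Slides 19 and 20 describe negative testing as a list; the following is an added example, not code from the deck, that turns the first eight categories into runnable checks against a constructed signup form (username, age, start date) and its user lookup. The form schema, the validator, the in-memory SQLite table, the sample users and the error strings are all assumptions made for the example; the last two categories (Web Session Testing, Performance Changes) need a running application and are left out.

```python
"""Negative test cases for a constructed signup form and its user lookup.
Added example, not the deck's code: the schema, validator, SQLite table and
sample users are constructed; the cases follow the slide's first eight
categories (session and performance tests need a running app)."""
from __future__ import annotations
import re
import sqlite3
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Field:
    name: str
    kind: str              # "text", "int" or "date"
    max_len: int = 64      # Field Size Test boundary
    lo: int = 0            # inclusive numeric bounds (ints only)
    hi: int = 2**31 - 1

# Constructed schema for a hypothetical signup form; every field is required.
SCHEMA = [Field("username", "text", max_len=20),
          Field("age", "int", lo=18, hi=120),
          Field("start_date", "date")]

def validate(form: dict[str, str]) -> dict[str, str]:
    """Return {field: error}; an empty dict means the form passed."""
    errors: dict[str, str] = {}
    for f in SCHEMA:
        raw = form.get(f.name, "")
        if raw.strip() == "":                          # Required Data Entry
            errors[f.name] = "required"
        elif len(raw) > f.max_len:                     # Field Size Test
            errors[f.name] = "too long"
        elif f.kind == "int":
            if not re.fullmatch(r"-?\d+", raw):        # Field Type Test
                errors[f.name] = "not an integer"
            elif not (f.lo <= int(raw) <= f.hi):       # Numeric Bounds / Limits
                errors[f.name] = "out of range"
        elif f.kind == "date":
            try:
                d = date.fromisoformat(raw)            # Date Validity
            except ValueError:
                errors[f.name] = "invalid date"
            else:                                      # Date Bounds Test
                if not (date(1900, 1, 1) <= d <= date(2100, 12, 31)):
                    errors[f.name] = "date out of bounds"
    return errors

def find_user_unsafe(con, username):
    # The 'before' lookup: input pasted into the SQL text, so a quote in the
    # input changes the statement instead of being treated as data.
    return con.execute(
        f"SELECT username, age FROM users WHERE username = '{username}'").fetchone()

def find_user(con, username):
    # Bound parameter: the quote stays data and the statement stays fixed.
    return con.execute(
        "SELECT username, age FROM users WHERE username = ?", (username,)).fetchone()

GOOD = {"username": "alice_01", "age": "34", "start_date": "2024-03-15"}

# (slide category, field, bad value, error the validator must report)
NEGATIVE_CASES = [
    ("Required Data Entry", "username", "   ", "required"),
    ("Field Type Test", "age", "thirty-four", "not an integer"),
    ("Field Size Test", "username", "a" * 21, "too long"),
    ("Numeric Bounds Test", "age", "17", "out of range"),
    ("Numeric Limits Test", "age", str(2**63), "out of range"),
    ("Date Bounds Test", "start_date", "1899-12-31", "date out of bounds"),
    ("Date Validity", "start_date", "2024-02-30", "invalid date"),
]

def run_validator_cases() -> dict[str, bool]:
    """True per category when the validator rejects the bad value as expected."""
    return {cat: validate({**GOOD, field: bad}).get(field) == err
            for cat, field, bad, err in NEGATIVE_CASES}

def embedded_single_quote_case() -> dict[str, str]:
    """Embedded Single Quote: a legitimate name with an apostrophe must neither
    error out nor alter the query. Reports how each lookup behaves."""
    con = sqlite3.connect(":memory:")          # constructed sample table
    con.execute("CREATE TABLE users (username TEXT PRIMARY KEY, age INTEGER)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice_01", 34), ("o'brien", 41)])
    probe, out = "o'brien", {}
    try:
        find_user_unsafe(con, probe)
        out["unsafe"] = "no error"
    except sqlite3.Error as exc:               # the flaw the test exposes
        out["unsafe"] = type(exc).__name__
    row = find_user(con, probe)
    out["safe"] = "found" if row and row[0] == probe else "not found"
    return out
```

`validate(GOOD)` is the positive test case (it returns an empty dict), and `run_validator_cases()` is the negative suite: every category should come back `True`. The single-quote case deliberately uses an ordinary surname rather than an attack string, because the point of that test is the same either way: with string concatenation the apostrophe escapes the literal and the query fails, while with a bound parameter it is stored and retrieved as plain data. A validator that simply rejected apostrophes would pass the test but break real users, so the fix belongs in the query, not the input filter.
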
21. SQA Security Tools
• QAInspect
• OWASP Zed Attack Proxy (ZAP)
• OWASP Mantra

23. Application Scanning
• Automated scanners interact with an app like an actual user
• Production vs. Non-Production
• Authenticated vs. Non-Authenticated
• Don’t forget the app infrastructure
– Host Systems
– Web Servers
– Backend Databases

24. Manual App Analysis
• OWASP Testing Guide (v3)
– Information Gathering
– Configuration Management Testing
– Authentication Testing
– Session Management Testing
– Authorization Testing
– Business Logic Testing
– Data Validation Testing
– Testing for Denial of Service
– Web Services Testing
– AJAX Testing
• Version 4 in development (some material available)

25. Scanning vs. Pen Testing
• Scanning
– Automated
– Look for signature-based flaws
– Some heuristics
• Web App Pen Testing
– Unconventional thinking
– Test application logic

26. Web App Security Scanners
• Acunetix Web Vulnerability Scanner (WVS)
• AppScan
• Arachni
• Burp Suite
• Grendel-Scan
• QualysGuard Web Application Scanner (WAS)
• SamuraiWTF
• Veracode Web Application Security (WAS)
• W3AF
• WebInspect
• WebSecurify

28. SQA Metrics
• ISO 9126-1 (Software Quality)
– Functionality
  • Security (unauthorized access)
– Reliability
– Usability
– Efficiency
– Maintainability
– Portability
• Security – CIA Triad
– Confidentiality
– Integrity
– Availability

29. SQA Metrics (cont’d)
• OWASP
– Cross-site scripting tests run
– SQL injection tests run
– User input tests run
– Cookie or credentials manipulation testing has been performed
– Denial of Service scenarios have been checked
• Vulnerabilities detected vs. vulnerabilities remediated
List from https://www.owasp.org/index.php/Software_Quality_Assurance#Metrics

30. Developer Training
• OWASP Resources
– Top 10 Application Security Risks
– Top 10 Mobile Security Risks
– WebGoat Project (Java)
– Mutillidae (PHP)
– Bricks (PHP and MySQL)
• SANS Courses
– SEC542: Web App Penetration Testing and Ethical Hacking
– DEV522: Defending Web Applications Security Essentials
– DEV541: Secure Coding in Java/JEE
– DEV544: Secure Coding in .NET
• Web Application Security Consortium

31. Professional Organizations
• OWASP
• ISSA
• (ISC)2
• InfraGard
• ISACA
• W3C Web Application Security Working Group

33. Resources
• Codecademy
– http://www.codecademy.com/learn
• OWASP Top Ten (2013)
– https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
– https://www.owasp.org/index.php/File:OWASP_Top_10_-_2013_Final_-_English.pptx
• OWASP Code Review Project
– https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
• NIST SAMATE
– http://samate.nist.gov/
• Web App Scanner List
– http://projects.webappsec.org/w/page/13246988/Web%20Application%20Security%20Scanner%20List
• SecTools
– http://sectools.org/

34. More Resources
• Project Phase Gate Model
– http://en.wikipedia.org/wiki/Phase%E2%80%93gate_model
• ISO 9126 Software Quality Characteristics
– http://www.sqa.net/iso9126.html
• Top 10 Negative Test Cases
– http://www.sqatester.com/methodology/Top10NegativeTestCases.htm
• OWASP – Software Quality Assurance
– https://www.owasp.org/index.php/Software_Quality_Assurance
• OWASP Testing Project
– https://www.owasp.org/index.php/OWASP_Testing_Project
• “952” Metrics for Software Quality Assurance (SQA)
– http://davidfrico.com/sqa-metrics.pdf
• Web Application Security Working Group
– http://www.w3.org/2011/webappsec/

35. Even More Resources
• SQL Injection Tutorial
– http://www.youtube.com/watch?v=qELByGfNJSE
• OWASP Mobile Security Project
– https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
– http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• OWASP WebGoat
– https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
• OWASP Mutillidae
– https://www.owasp.org/index.php/Category:OWASP_Mutillidae
• OWASP Bricks
– https://www.owasp.org/index.php/OWASP_Bricks

36. Contact Info
Jerod Brennen, CISSP
CTO & Principal Security Consultant, Jacadis
LinkedIn: http://www.linkedin.com/in/slandail
Twitter: https://twitter.com/slandail
http://www.jacadis.com/
contact@jacadis.com