This talk introduces the new OWASP projects focusing on the new GDPR regulation and the impact on the Software Development Life Cycle for a Company today.
- Stefan Streichsbier is the CEO of GuardRails and a professional white-hat hacker who has identified severe shortcomings in security processes and technologies, leading him to create GuardRails.
- The document discusses the evolution of DevOps and increasing complexity, the state of security and how it needs to fit within modern development workflows, and introduces the concept of DevSecOps to address shortcomings and better integrate security.
- Key aspects of DevSecOps discussed include how to create, test, and monitor secure applications and empower development teams to build security in from the start rather than see it as a separate function. Automated security tools and the need to reduce noise and improve usability for developers are also
This document discusses DevSecOps and provides information about integrating security practices into the DevOps process. It describes how DevSecOps improves upon traditional DevOps by adding security checks to code, containers, and infrastructure. These checks help detect vulnerabilities, sensitive information, and non-compliance before code is deployed. The document also introduces the open-source auditing tool Lynis, which scans servers to identify vulnerabilities and compliance issues across the operating system, network settings, authentication methods, and more.
Awareness and Guide to a Practical Implementation.
Discover how to automate security testing, and ensure every bit of code is scanned before it leaves the developer’s hands
https://bsidesdc2018.busyconf.com/schedule#day_5acff470ec4a15f24e000036
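The two abstracts above (the Lynis summary and the "scanned before it leaves the developer's hands" talk) come down to the same control: a check that runs before code leaves the developer's machine and blocks commits that carry sensitive information. The Python below is an added example written for this page, not code from any of the listed talks, from Lynis, or from any vendor. It parses a staged diff (the shape produced by git diff --cached), checks every added line against a few credential patterns with an entropy fallback for keyword-less tokens, and returns findings that a pre-commit hook can turn into a non-zero exit code. The patterns, the 4.0 bits-per-character threshold, the allow-list of fixture paths and the sample diff are all this example's own assumptions; the AWS values in the sample are the public placeholders from AWS documentation, not real keys.

```python
"""Pre-commit style secret scan over the added lines of a unified diff."""
import math
import re
from collections import Counter

# Credential shapes: the key formats are public, the regexes are this example's own.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # keyword (password, secret, api_key, token), optional suffix, '=' or ':', quoted value
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['\"]([^'\"\s]{8,})['\"]"
    ),
}
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_-]{20,}")  # candidates for the entropy fallback

def shannon_entropy(s: str) -> float:
    """Bits per character: 32 distinct characters score exactly 5.0, 'aaaa' scores 0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def added_lines(diff: str):
    """Yield (path, line number in the new file, text) for every added line."""
    path, lineno = "", 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            p = raw[4:].strip()
            path = p[2:] if p.startswith("b/") else p
        elif raw.startswith("@@"):
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
            lineno = int(m.group(1)) - 1 if m else 0
        elif raw.startswith("+"):
            lineno += 1
            yield path, lineno, raw[1:]
        elif raw.startswith(" "):
            lineno += 1  # unchanged context; '-' lines and headers do not count

def scan_diff(diff: str, allow_prefixes=(), entropy_threshold: float = 4.0):
    """Return a list of findings; an empty list means the commit may proceed."""
    findings = []
    for path, lineno, text in added_lines(diff):
        if any(path.startswith(p) for p in allow_prefixes):
            continue  # e.g. test fixtures that intentionally hold dummy keys
        hits = []
        for rule, pat in PATTERNS.items():
            for m in pat.finditer(text):
                secret = m.group(1) if m.lastindex else m.group(0)
                hits.append({"rule": rule, "path": path, "line": lineno,
                             "preview": secret[:6] + "..."})  # never log the full value
        if not hits:  # no tell-tale keyword: fall back to entropy of long tokens
            for tok in TOKEN_RE.findall(text):
                if shannon_entropy(tok) >= entropy_threshold:
                    hits.append({"rule": "high_entropy_string", "path": path,
                                 "line": lineno, "preview": tok[:6] + "..."})
        findings.extend(hits)
    return findings

def pre_commit_exit_code(diff: str, **kwargs) -> int:
    """Hook entry point (git diff --cached -U0 | ...): non-zero aborts the commit."""
    return 1 if scan_diff(diff, **kwargs) else 0

# Constructed staged diff. The AWS values are the placeholders from AWS's own
# documentation and the other strings are made up; none is a real credential.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,4 +10,6 @@
 DEBUG = False
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "s3cr3t-hunter2-prod"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
 ALLOWED_HOSTS = ["example.com"]
diff --git a/Dockerfile b/Dockerfile
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,2 +3,3 @@
 FROM python:3.12-slim
+ENV UPLOAD_SIGNER=Rx7Qk2Vp9Zm4Wt1Jc8Hn5Gd3Lb6Ys0Fa
 COPY . /app
diff --git a/tests/fixtures/sample_key.pem b/tests/fixtures/sample_key.pem
--- /dev/null
+++ b/tests/fixtures/sample_key.pem
@@ -0,0 +1,2 @@
+-----BEGIN RSA PRIVATE KEY-----
+-----END RSA PRIVATE KEY-----
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1,2 +1,3 @@
 # Service
+Set DB_PASSWORD in the environment; never commit real values.
 Run make test.
"""
```

Run against SAMPLE_DIFF with allow_prefixes=("tests/fixtures/",), the scan reports the hard-coded password and the two AWS values in config/settings.py and the high-entropy token in the Dockerfile, ignores the fixture key and the README sentence that merely mentions DB_PASSWORD, and pre_commit_exit_code returns 1. Two caveats a practitioner hits quickly: both keyword and entropy rules produce false positives (hashes, minified assets, lock files), so an allow-list by path or an inline marker is needed from day one; and a client-side hook is advisory only, since a developer can skip it with git commit --no-verify, so the same scan must also run server-side in CI where it cannot be bypassed.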
This document discusses DevSecOps, which involves infusing security practices into the development lifecycle to enable faster release cycles while maintaining security. It notes that over 53,000 cybersecurity incidents occurred in India in 2017. Implementing DevSecOps requires changes across an organization's people, processes, tools, and governance to embed security responsibilities across all teams. The typical DevSecOps pipeline shifts security left through activities like threat modeling, security testing, and monitoring throughout the development lifecycle.
Take Control: Design a Complete DevSecOps Program (Deborah Schalm)
Designing a secure DevOps workflow is tough: Developers, testers, IT security teams, and managers all have different control points within the software development lifecycle. Additionally, each application in development and production has a unique profile and features. Then you have the different types of organizations which have different maturity levels and needs: Retail has different day-to-day priorities than Finance or Healthcare, although all industries are united by a need to defend against the current threat landscape of data breaches and ransomware.
How do you find the right touch points? How do you build application security into your DevOps workflow successfully, turning the workflow from a process into a program?
DevOps Indonesia X Palo Alto and Dkatalis Roadshow to DevOpsDays Jakarta 2022 (DevOps Indonesia)
The document outlines an event hosted by DevOps Indonesia on March 8, 2022. The event featured two presentations - one in Bahasa on "DevSecOps Implementation Journey" and one in English on "A secure NGINX deployment on K8s". It provided an agenda, rules for participation, background on DevOps Indonesia community and past events. The goal was to promote DevOpsDays Jakarta 2022 through these presentations and discussions on DevOps topics.
Top 10 Practices of Highly Successful DevOps Incident Management Teams (Deborah Schalm)
Managing incidents in a DevOps environment is a near insurmountable task. With shared responsibilities and on-call rotations, anyone might be called into a system firefight at any time. Accepting failure and the problems created by complex systems is a core tenet of DevOps thinking, and helping your team respond to incidents more effectively is key.
Matthew Boeckman has served on the frontlines of DevOps incident management for 19 years. He’s seen it all and is an expert on building teams and workflows to support effective alerting, clear communication, and rapid recovery.
The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers (DevOps.com)
DevSecOps requires processes and tools that enable weaving security throughout the DevOps pipeline. It is much more than a buzzword, and if you'd ask most organizations, well, they believe they are in the process of adopting DevSecOps tools and practices. But, are they?
In order to deeply understand the state of DevSecOps implementation we need to learn more about the relationship between developers and security teams. After surveying more than 560 application security professionals and software developers we found several insights.
Join Jeff Martin, associate VP of product management, and Rhys Arkins, director of product management at WhiteSource, to learn about:
The current challenges of the security and development teams when it comes to AppSec
The contradicting views and gaps between the teams on DevSecOps maturity
How to break the silos and advance toward DevSecOps maturity
Organizations enjoy the speed that DevOps brings to development and delivery. However, most security and compliance monitoring tools have not been able to keep up, becoming the most significant barrier to continuous delivery.
Now some good news: you can easily integrate security into your existing processes to solve this challenge.
In this session, Shiri Ivtsan, Senior Product Manager at WhiteSource, will discuss:
- Leveraging the DevSecOps approach to help speed up security
- Scaling security into your agile processes
- 5 easy ways to start driving DevSecOps in your organization
DevSecOps integrates security practices into DevOps processes to allow for lean and agile security testing throughout software development without disrupting delivery cycles. It is necessary because DevOps failed to properly account for security and compliance issues, whereas DevSecOps facilitates collaboration between developers and security teams to identify and resolve vulnerabilities early. Key principles of DevSecOps include security, compliance, collaboration, threat intelligence, and continuous learning.
Veritis helps organizations in proactively adopting DevSecOps and redefining their operations, engineering and security to work in cohesion towards business success.
DevSecOps in 2031: How robots and humans will secure apps together Log (Stefan Streichsbier)
The year is 2031, how has software development and security evolved in the last decade? Are there any developers or security folks left? Have robots taken our jobs?
We will join Security Engineer Sam, who is responsible for securing a cutting-edge application for a hot fintech company in the year 2021. The app has just completed a major release and Sam is sharing her progress and learnings with her peers at a local OWASP meetup. After a night of celebration she wakes up and finds her future self jumping out of a time machine in her bedroom closet. Time travel paradoxes aside, the future of the world is at stake because a sentient A.I. is threatening to hack the planet. A small task force has been working for a decade on finding a way to finally solve secure software development, and they have done it! There is no time to waste: you are joining your future self to go to the year 2031 and learn what they have learned, so you can bring that knowledge back to the present and prevent the dark future from ever happening.
DevSecOps without DevOps is Just Security (Kevin Fealey)
The best DevSecOps practices are built alongside strong DevOps practices. However, DevSecOps processes and tooling are often decided within a security silo, rather than by a DevSecOps collective. Security ends up more integrated and efficient than in the past, but the approach is still “bolt-on” and not ultimately streamlined.
Collaboration between security and other DevOps groups around roadmaps and sharing of resources can lead to greater efficiency and innovation, while better supporting the value stream.
This talk will discuss foundational considerations when building a DevSecOps practice. You will learn about the top prerequisites for a successful DevSecOps practice – most of which are provided by groups other than security; and we’ll discuss case studies, both from organizations who have embraced DevOps as a foundation for DevSecOps, and those who haven’t. Attendees will walk away with questions to ask their counterparts in DevOps to understand current DevOps maturity and where security can leverage existing and planned DevOps resources to enable effective DevSecOps.
Maturing DevSecOps: From Easy to High Impact (SBWebinars)
Digital Transformation and DevSecOps are the buzzwords du jour. Increasingly, organizations embrace the notion that if you implement DevOps, you must transform security as well. Failing to do so would either leave you insecure or make your security controls negate the speed you aimed to achieve in the first place.
So doing DevSecOps is good... but what does it actually mean? This talk unravels what it looks like with practical, good (and bad) examples of companies who are:
Securing DevOps technologies - by either adapting or building new solutions that address the new security concerns
Securing DevOps methodologies - changing when and how security controls interact with the application and the development process
Adapting to a DevOps philosophy of shared ownership for security
In the end, you'll have the tools you need to plan your interpretation of DevSecOps, choose the practices and tooling you need to support it, and ensure that Security leadership is playing an important role in making it a real thing in your organization.
The presentation outlines steps for implementing DevSecOps: define success and assign responsibilities and milestones; discover the code pipeline by treating code as infrastructure and applying quality control; inventory security tools, understanding what is owned and what it costs; assess gaps by picking frameworks and balancing controls against complexity; and iterate quickly, continuously improving and favouring platforms over individual tools.
This document discusses building application security teams. It begins by introducing the author and their background in application security. It then discusses creating an environment where security enables business goals rather than hinders them. It suggests embedding security into culture by focusing on quality, testing, and engineering. It discusses the importance of application security policies being customized and delivered effectively. It emphasizes the need for application security activities like threat modeling and code reviews to avoid relying on "security pixie dust". It argues that even non-software companies should view themselves as software companies due to their reliance on code. Finally, it discusses building application security teams internally by training and educating developers rather than exclusively hiring specialists.
This talk by Stefan Streichsbier, Co-Founder of GuardRails.io, provides a brief history of how development, operations and security testing have become highly complex. It then outlines the key problems with traditional security solutions and why, in 2020, companies around the world are still figuring out a good way to manage security as part of rapid development cycles, in particular the challenge of preventing and fixing new security issues while also tackling the security debt of existing applications.
To quote Bishop Desmond Tutu, “There comes a point where we need to stop just pulling people out of the river. We need to go upstream and find out why they’re falling in.”
After setting the stage, the remainder of the talk will focus on the paradigm shift that security solutions have to incorporate in order to solve the problem of sustainably secure applications on all layers. This will explore how the elements of Speed, Just in time training, and Data science have to be leveraged to empower development teams around the globe to get ahead for once and finally become able to move fast and be safe at the same time.
The 3 core takeaways for the audience are:
1.) Where security practices have gone wrong so far.
2.) What new technologies will cause a paradigm shift in how security is applied at scale.
3.) What security will look like in 5-10 years.
Running a High-Efficiency, High-Visibility Application Security Program with... (Denim Group)
This webinar demonstrates how organizations can use the ThreadFix application vulnerability resolution platform to improve vulnerability resolution time and protect applications with Prevoty's RASP technology.
Join Denim Group CTO and Principal Dan Cornell and Prevoty VP, Marketing and Product, Arpit Joshipura for a free webinar to learn more about these tools that can help application security teams.
This webinar provides an overview how to use ThreadFix and Prevoty's RASP to run a high-efficiency, high visibility application security program.
Security & DevOps - What We Have Here Is a Failure to Communicate! (DevOps.com)
Past history, differing world views of their roles, shadow IT development, force-fitting security tools, and past frictions can all make gelling as a cross-functional team difficult. Yet it is essential to achieve fast software creation and delivery while also ensuring the applications created are secure and risk is always appropriately managed.
Where do we start? Start with this webinar featuring Mitch Ashley, security technologist and CEO of Accelerated Strategies Group, who will explore strategies for successful DevSecOps.
You will learn:
How to successfully implement purpose-built, developer-friendly secrets management tools that security professionals and dev teams are thrilled to embrace.
During a recent webinar, Meera Rao, DevSecOps Practice Director with Synopsys Software Integrity Group spoke on Risk Based Adaptive DevSecOps.
Building security automation into the DevOps pipeline is a key pain point for many organizations. Some firms deploy to production as frequently as every five minutes—a velocity that security struggles to match. Implementing intelligence within the DevOps pipeline supports security activities by matching the team’s velocity, providing intelligent feedback, and supporting organizations as they scale their security testing activities.
For more information, please visit our website at https://www.synopsys.com/devops
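One concrete form of the "intelligence within the DevOps pipeline" the abstract describes is to choose which security checks run, and at which stage, from the risk profile of the change rather than running every scan on every commit. The Python below is an added example of that selection logic written for this page; it is not Synopsys's tooling or any vendor's implementation. The path rules, the per-activity cost figures in minutes, the 500-line threshold and the sample changes are assumed values for illustration. Checks that do not fit the pull-request time budget are moved to the release pipeline rather than dropped, which is what keeps "matching the team's velocity" from turning into skipped testing.

```python
"""Risk-based selection of security checks for one change set."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Change:
    files: tuple          # paths touched by the change
    target_env: str       # "dev", "staging" or "prod"
    lines_changed: int

# Approximate wall-clock cost of each activity in minutes (assumed figures).
COST_MIN = {"secret_scan": 1, "sast_incremental": 3, "sca": 2, "iac_scan": 2,
            "container_scan": 4, "sast_full": 20, "dast": 30}
BASELINE = ("secret_scan", "sast_incremental")   # every change gets these

def _is_manifest(p):
    return p.rsplit("/", 1)[-1] in {"requirements.txt", "package-lock.json",
                                    "go.sum", "pom.xml", "Gemfile.lock"}

def _is_iac(p):
    return p.startswith(("infra/", "terraform/", "k8s/")) or p.endswith(".tf")

def _is_container(p):
    return p.rsplit("/", 1)[-1].startswith("Dockerfile")

def _is_critical(p):
    # substring match is crude ("author.py" would trigger); a path allow-list fixes that
    return any(k in p.lower() for k in ("auth", "crypto", "session", "payment"))

# (predicate, activities it adds, reason shown to the developer)
RULES = (
    (_is_manifest, ("sca",), "dependency manifest changed"),
    (_is_iac, ("iac_scan",), "infrastructure-as-code changed"),
    (_is_container, ("container_scan",), "container image definition changed"),
    (_is_critical, ("sast_full",), "security-critical module changed"),
)

def plan(change: Change, pr_budget_min: int) -> dict:
    """Decide which checks run on the pull request and which before promotion."""
    activities, reasons, manual_review = set(BASELINE), {}, False
    for path in change.files:
        for pred, acts, why in RULES:
            if pred(path):
                for a in acts:
                    activities.add(a)
                    reasons.setdefault(a, []).append(f"{path}: {why}")
        if _is_critical(path):
            manual_review = True          # a human looks at auth/crypto changes
    if change.lines_changed > 500:
        activities.add("sast_full")
        reasons.setdefault("sast_full", []).append("large change (>500 lines)")
    if change.target_env == "prod":
        activities.add("dast")
        reasons.setdefault("dast", []).append("deploys to production")
    if "sast_full" in activities:
        activities.discard("sast_incremental")   # the full scan supersedes it
    # Cheapest first: whatever fits the PR time budget gives fast feedback, the
    # rest runs on the release pipeline before promotion. Nothing is skipped.
    on_pr, before_promotion, spent = [], [], 0
    for a in sorted(activities, key=lambda a: (COST_MIN[a], a)):
        if spent + COST_MIN[a] <= pr_budget_min:
            on_pr.append(a)
            spent += COST_MIN[a]
        else:
            before_promotion.append(a)
    return {"on_pull_request": on_pr, "before_promotion": before_promotion,
            "block_on_severity": "high" if change.target_env == "prod" else "critical",
            "manual_review": manual_review, "reasons": reasons}
```

For a 40-line change to billing code bound for dev, plan(..., pr_budget_min=10) returns only the two baseline checks on the pull request and blocks on critical findings alone. A 120-line change touching src/auth/login.py, requirements.txt and infra/main.tf bound for prod gets the secret scan, IaC scan and SCA on the pull request within the 10-minute budget, the full SAST and a DAST run before promotion, a manual-review flag, and a stricter block-on-high gate. The reasons map is what a developer sees in the pipeline output, which is the "intelligent feedback" part: every extra minute of scanning is tied to a file they changed.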
OWASP Overview of Projects You Can Use Today - DefCamp 2012 (DefCamp)
The document provides an overview of OWASP projects and resources that can be used today. It describes several key OWASP tools and projects including the OWASP Top 10, Code Review Guide, Testing Guide, Cheat Sheet Series, AppSec Tutorials, Application Security Verification Standard (ASVS), and LiveCD/WTE. These free and open resources help developers, testers and organizations build more secure software.
#ATAGTR2018 Presentation "Decoding Security in DevSecOps" by Meghashyam Varan... (Agile Testing Alliance)
Meghashyam Varanasi and Venkat Moncompu conducted a session on "Decoding Security in DevSecOps" at #ATAGTR2018.
Please refer to our LinkedIn post for session details:
https://www.linkedin.com/pulse/session-decoding-security-devsecops-atagtr2018-agile-testing-alliance/
Open Source has become the key building block for application development in today's market, where companies are under constant pressure to accelerate time to market.
However, the increasing adoption of open source components has introduced new security challenges that most teams are not prepared to mitigate in their current posture. Join Sharon Sharlin, Product Marketing Manager at WhiteSource, as she presents best practices that security teams should implement in order to enable their developers to harness the power of open source without slowing them down or compromising security.
Running a Comprehensive Application Security Program with Checkmarx and Threa... (Denim Group)
This webinar demonstrates the value of combining the powerful and easy-to-use Checkmarx CxSAST engine with the application vulnerability correlation capabilities of the ThreadFix vulnerability resolution platform to create a comprehensive application security program. Specifically, it will examine:
Correlating Checkmarx CxSAST results with DAST scans via Hybrid Analysis Mapping to help developers maximize the value from both security testing approaches and increase the confidence in testing results
Using Checkmarx CxSAST and ThreadFix’s HotSpot identification technology to highlight vulnerable components developed and shared within your organization
Onboarding Checkmarx CxSAST scanning results and operations into ThreadFix to get up and running quickly
Integrating both Checkmarx CxSAST and dynamic application security testing into developers’ CI/CD pipelines to reduce critical metrics like mean-time-to-discover and mean-time-to-fix
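The first bullet above, correlating static results with dynamic ones to raise confidence in both, rests on a single mapping: from the URL and parameter the dynamic scanner attacked to the source file and line the static scanner flagged. The Python below is an added, generic illustration of that mapping written for this page; it is not ThreadFix's Hybrid Analysis Mapping, not Checkmarx's engine, and not the output format of either. It assumes the application's route table can be exported (web frameworks expose this as annotations or a URL configuration) and that both scanners report a normalized vulnerability class. All routes and findings are constructed samples.

```python
"""Correlate DAST findings (URL + parameter) with SAST findings (file + line)."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    method: str
    pattern: str        # framework route, e.g. "/users/{id}/profile"
    handler_file: str   # source file that serves it

@dataclass(frozen=True)
class DastFinding:
    vuln: str           # normalized class, e.g. "sqli" or "xss"
    method: str
    url_path: str       # as observed by the scanner, e.g. "/users/42/profile"
    parameter: str

@dataclass(frozen=True)
class SastFinding:
    vuln: str
    file: str
    line: int
    source: str         # tainted input name when the scanner reports one, else ""

def route_regex(pattern: str) -> re.Pattern:
    """Turn "/users/{id}/profile" into a regex where {id} matches one path segment."""
    parts = re.split(r"(\{[^/]+\})", pattern)
    body = "".join(r"[^/]+" if p.startswith("{") else re.escape(p) for p in parts)
    return re.compile("^" + body + "$")

def match_route(routes, method, url_path):
    for r in routes:
        if r.method == method and route_regex(r.pattern).match(url_path):
            return r
    return None

def correlate(routes, dast, sast):
    """Pair each DAST finding with a SAST finding in the file that serves its URL."""
    confirmed, dast_only, used = [], [], set()
    for d in dast:
        route = match_route(routes, d.method, d.url_path)
        candidates = [s for s in sast
                      if route and s.file == route.handler_file and s.vuln == d.vuln]
        # prefer the SAST finding whose tainted source is the attacked parameter
        exact = [s for s in candidates if s.source == d.parameter]
        pick = exact or candidates
        if pick:
            s = pick[0]
            used.add(s)
            confirmed.append({"vuln": d.vuln, "endpoint": f"{d.method} {route.pattern}",
                              "parameter": d.parameter, "file": s.file, "line": s.line,
                              "confidence": "high" if exact else "medium"})
        else:
            dast_only.append(d)     # exploitable at runtime, no static trace: triage by hand
    sast_only = [s for s in sast if s not in used]   # code paths DAST never exercised
    return {"confirmed": confirmed, "dast_only": dast_only, "sast_only": sast_only}

# Constructed sample inputs; not the output of any real scanner.
ROUTES = (
    Route("GET", "/search", "app/controllers/search.py"),
    Route("POST", "/users/{id}/profile", "app/controllers/profile.py"),
    Route("POST", "/login", "app/controllers/auth.py"),
)
DAST = (
    DastFinding("sqli", "GET", "/search", "q"),
    DastFinding("xss", "POST", "/users/42/profile", "bio"),
    DastFinding("xss", "GET", "/search", "q"),
)
SAST = (
    SastFinding("sqli", "app/controllers/search.py", 57, "q"),
    SastFinding("xss", "app/controllers/profile.py", 120, ""),
    SastFinding("sqli", "app/controllers/auth.py", 31, "username"),
)
```

On the sample data, correlate(ROUTES, DAST, SAST) confirms the search SQL injection at search.py:57 with high confidence (same endpoint, same class, same parameter) and the profile XSS at profile.py:120 with medium confidence (the static tool reported no source name). The XSS on /search stays DAST-only, which is the case a developer cannot fix from the static report alone, and the SQL injection in auth.py stays SAST-only, which usually means the dynamic scan never reached the login flow and its coverage, not the finding, needs attention. Those two leftover buckets are where mean-time-to-fix is actually lost, so they are worth reporting as explicitly as the confirmed pairs.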
Talk to executives in IT divisions of large enterprises about security and invariably the conversation will hover around the DevSecOps pipeline.
Is DevSecOps the only thing you need to do for security in your IT division or is there more?
What impact does bringing in secure culture in an engineering context mean?
What handshake is needed between the IT function and the security / risk function for large enterprises?
How does this impact roles and responsibilities of a developer?
This talk is an attempt to answer questions such as these using real-world examples of transformations seen in Fortune 100 companies.
This talk digs into the fundamentals of DevSecOps, exploring the key principles required to advance your security practices. Considering the changes in culture, methodologies, and tools, it will demonstrate how to accelerate your team's journey from endpoint security to built-in security and how to avoid the common mistakes faced when implementing your chosen DevSecOps strategy.
Organizations today are utilizing DevOps to accelerate the software development and deployment pace with the goal of releasing better quality software more reliably. But as more high profile data breaches occur they help to awaken interest in how to integrate security into this practice without inhibiting the DevOps agility. Let's face it, attacks on web applications have become a menace, and the volume of data breaches caused by them is rapidly rising each year. Rogue actors are taking advantage of the weaknesses in our software and processes. How do we strike back against this? Enter a new hope: DevSecOps!
DevSecOps is the solution that is talked about, but not always understood. In this talk, we discuss:
* What is DevSecOps
* Changing the security mindset
* The Do's and Don'ts for success
Cybersecurity is a compulsory, tough and expensive task for all organizations, private and public, large, medium and small.
No one can ignore it anymore, and building a viable Cybersecurity strategy is a complex task that needs to balance budget, keeping up with attacker technologies, available skills and a plethora of expensive tools on the market.
Let's discuss how available open-source solutions can greatly help our organizations be more effective in implementing their cybersecurity posture while optimizing the available budget.
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015 (Minded Security)
Matteo Meucci gave a talk on software security in practice, describing the current scenario and a roadmap for enterprises to improve their SDLC maturity.
Organizations enjoy the speed that DevOps brings to development and delivery. However, most security and compliance monitoring tools have not been able to keep up, becoming the most significant barrier to continuous delivery.
Now some good news: you can easily integrate security into your existing processes to solve this challenge.
In this session, Shiri Ivtsan, Senior Product Manager at WhiteSource, will discuss:
- Leveraging the DevSecOps approach to help speed up security
- Scaling security into your agile processes
- 5 easy ways to start driving DevSecOps in your organization
DevSecOps integrates security practices into DevOps processes to allow for lean and agile security testing throughout software development without disrupting delivery cycles. It is necessary because DevOps failed to properly account for security and compliance issues, whereas DevSecOps facilitates collaboration between developers and security teams to identify and resolve vulnerabilities early. Key principles of DevSecOps include security, compliance, collaboration, threat intelligence, and continuous learning.
Veritis helps organizations in proactively adopting DevSecOps and redefining their operations, engineering and security to work in cohesion towards business success.
DevSecOps in 2031: How robots and humans will secure apps together LogStefan Streichsbier
The year is 2031, how has software development and security evolved in the last decade? Are there any developers or security folks left? Have robots taken our jobs?
We will join Security Engineer Sam, that is responsible for securing a cutting edge application for a hot fintech company in the year 2021. The app has just completed a major release and Sam is sharing her progress and learnings with her peers at a local OWASP meetup. After a night of celebration she wakes up and finds her future self jumping out of a time-machine in her bedroom closet. Time travel paradoxes aside, the future of the world is at stake because a sentient A.I. is threatening to hack the planet. There is a small task force that has been working for a decade on finding a way to finally solve secure software development, and they have done it! There is no time to waste, you are joining your future self to go to the year 2031 and learn what they have learned to bring that knowledge back to present and avoid the dark future from ever happening.
DevSecOps without DevOps is Just SecurityKevin Fealey
The best DevSecOps practices are built alongside strong DevOps practices. However, DevSecOps processes and tooling are often decided within a security silo, rather than by a DevSecOps collective. Security ends up more integrated and efficient than in the past, but the approach is still “bolt-on” and not ultimately streamlined.
Collaboration between security and other DevOps groups around roadmaps and sharing of resources can lead to greater efficiency and innovation, while better supporting the value stream.
This talk will discuss foundational considerations when building a DevSecOps practice. You will learn about the top prerequisites for a successful DevSecOps practice – most of which are provided by groups other than security; and we’ll discuss case studies, both from organizations who have embraced DevOps as a foundation for DevSecOps, and those who haven’t. Attendees will walk away with questions to ask their counterparts in DevOps to understand current DevOps maturity and where security can leverage existing and planned DevOps resources to enable effective DevSecOps.
Maturing DevSecOps: From Easy to High ImpactSBWebinars
Digital Transformation and DevSecOps are the buzzwords du jour. Increasingly, organizations embrace the notion that if you implement DevOps, you must transform security as well. Failing to do so would either leave you insecure or make your security controls negate the speed you aimed to achieve in the first place.
So doing DevSecOps is good... but what does it actually mean? This talk unravels what it looks like with practical, good (and bad) examples of companies who are:
Securing DevOps technologies - by either adapting or building new solutions that address the new security concerns
Securing DevOps methodologies - changing when and how security controls interact with the application and the development process
Adapting to a DevOps philosophy of shared ownership for security
In the end, you'll have the tools you need to plan your interpretation of DevSecOps, choose the practices and tooling you need to support it, and ensure that Security leadership is playing an important role in making it a real thing in your organization.
DevSecOps aims to define success, assign responsibilities and milestones, discover the code pipeline by treating code as infrastructure and implementing quality control, inventory security tools by understanding what is owned and the costs, assess gaps by picking frameworks and balancing controls with complexity, and iterate quickly by continuously improving and focusing on platforms over individual tools. The presentation outlines steps for organizations to implement DevSecOps practices by defining objectives, understanding code movement, taking inventory of security tools, assessing gaps, and iterating processes.
This document discusses building application security teams. It begins by introducing the author and their background in application security. It then discusses creating an environment where security enables business goals rather than hinders them. It suggests embedding security into culture by focusing on quality, testing, and engineering. It discusses the importance of application security policies being customized and delivered effectively. It emphasizes the need for application security activities like threat modeling and code reviews to avoid relying on "security pixie dust". It argues that even non-software companies should view themselves as software companies due to their reliance on code. Finally, it discusses building application security teams internally by training and educating developers rather than exclusively hiring specialists.
This talk by Stefan Streichsbier, Co-Founder of GuardRails.io, provides a brief history of how development, operations and security testing have become highly complex. It continues to outline the key problems with traditional security solutions and why in 2020 companies around the world are still figuring out a good way to manage security as part of rapid development cycles. Specifically, the big challenge of introducing and fixing new security issues versus tackling the existing security dept of existing applications.
To quote Bishop Desmond Tutu, “There comes a point where we need to stop just pulling people out of the river. We need to go upstream and find out why they’re falling in.”
After setting the stage, the remainder of the talk will focus on the paradigm shift that security solutions have to incorporate in order to solve the problem of sustainably secure applications on all layers. This will explore how the elements of Speed, Just in time training, and Data science have to be leveraged to empower development teams around the globe to get ahead for once and finally become able to move fast and be safe at the same time.
The 3 core takeaways for the audience are:
1.) Where security practices have gone wrong so far.
2.) What new technologies will cause a paradigm shift in how security is applied at scale.
3.) What security will look like in 5-10 years.
Running a High-Efficiency, High-Visibility Application Security Program with... (Denim Group)
This webinar demonstrates how organizations can use the ThreadFix application vulnerability resolution platform to improve vulnerability resolution time and protect applications with Prevoty's RASP technology.
Join Denim Group CTO and Principal Dan Cornell and Prevoty VP, Marketing and Product, Arpit Joshipura for a free webinar to learn more about these tools that can help application security teams.
This webinar provides an overview of how to use ThreadFix and Prevoty's RASP to run a high-efficiency, high-visibility application security program.
Security & DevOps - What We Have Here Is a Failure to Communicate! (DevOps.com)
Past history, differing world views of their roles, shadow IT development, force-fitting security tools, and past frictions can all make gelling as a cross-functional team difficult. Yet it is essential to achieve fast software creation and delivery while also ensuring that the applications created are secure and that risk is always appropriately managed.
Where do we start? Start with this webinar featuring Mitch Ashley, security technologist and CEO of Accelerated Strategies Group, who will explore strategies for successful DevSecOps.
You will learn:
How to successfully implement purpose-built, developer-friendly secrets management tools that security professionals and dev teams are thrilled to embrace.
During a recent webinar, Meera Rao, DevSecOps Practice Director with Synopsys Software Integrity Group, spoke on Risk-Based Adaptive DevSecOps.
Building security automation into the DevOps pipeline is a key pain point for many organizations. Some firms deploy to production as frequently as every five minutes—a velocity that security struggles to match. Implementing intelligence within the DevOps pipeline supports security activities by matching the team’s velocity, providing intelligent feedback, and supporting organizations as they scale their security testing activities.
For more information, please visit our website at https://www.synopsys.com/devops
OWASP Overview of Projects You Can Use Today - DefCamp 2012 (DefCamp)
The document provides an overview of OWASP projects and resources that can be used today. It describes several key OWASP tools and projects including the OWASP Top 10, Code Review Guide, Testing Guide, Cheat Sheet Series, AppSec Tutorials, Application Security Verification Standard (ASVS), and LiveCD/WTE. These free and open resources help developers, testers and organizations build more secure software.
#ATAGTR2018 Presentation "Decoding Security in DevSecOps" by Meghashyam Varan... (Agile Testing Alliance)
Meghashyam Varanasi and Venkat Moncompu conducted a session on "Decoding Security in DevSecOps" at #ATAGTR2018.
Please refer to our LinkedIn post for session details: https://www.linkedin.com/pulse/session-decoding-security-devsecops-atagtr2018-agile-testing-alliance/
Open Source has become the key building block for application development in today's market, where companies are under constant pressure to accelerate time to market.
However, the increasing adoption of open source components has introduced new security challenges that most teams are not prepared to mitigate in their current posture. Join Sharon Sharlin, Product Marketing Manager at WhiteSource, as she presents best practices that security teams should implement in order to enable their developers to harness the power of open source without slowing them down or compromising security.
Running a Comprehensive Application Security Program with Checkmarx and Threa... (Denim Group)
This webinar demonstrates the value of combining the powerful and easy-to-use Checkmarx CxSAST engine with the application vulnerability correlation capabilities of the ThreadFix vulnerability resolution platform to create a comprehensive application security program. Specifically, it will examine:
Correlating Checkmarx CxSAST results with DAST scans via Hybrid Analysis Mapping to help developers maximize the value from both security testing approaches and increase the confidence in testing results
Using Checkmarx CxSAST and ThreadFix’s HotSpot identification technology to highlight vulnerable components developed and shared within your organization
Onboarding Checkmarx CxSAST scanning results and operations into ThreadFix to get up and running quickly
Integrating both Checkmarx CxSAST and dynamic application security testing into developers’ CI/CD pipelines to reduce critical metrics like mean-time-to-discover and mean-time-to-fix
Talk to executives in IT divisions of large enterprises about security and invariably the conversation will hover around the DevSecOps pipeline.
Is DevSecOps the only thing you need to do for security in your IT division, or is there more?
What does bringing a security culture into an engineering context mean?
What handshake is needed between the IT function and the security / risk function in large enterprises?
How does this impact the roles and responsibilities of a developer?
This talk is an attempt to answer questions such as these using real-world examples of transformations seen in Fortune 100 companies.
This talk digs into the fundamentals of DevSecOps, exploring the key principles required to advance your security practices. Considering the changes in culture, methodologies, and tools, it will demonstrate how to accelerate your team's journey from endpoint security to built-in security and how to avoid the common mistakes faced when implementing your chosen DevSecOps strategy.
Organizations today are utilizing DevOps to accelerate the software development and deployment pace with the goal of releasing better quality software more reliably. But as more high-profile data breaches occur, they awaken interest in how to integrate security into this practice without inhibiting DevOps agility. Let's face it, attacks on web applications have become a menace, and the volume of data breaches caused by them is rising rapidly each year. Rogue actors are taking advantage of the weaknesses in our software and processes. How do we strike back against this? Enter a new hope: DevSecOps!
DevSecOps is the solution that is talked about, but not always understood. In this talk, we discuss:
* What is DevSecOps
* Changing the security mindset
* The Do's and Don'ts for success
Cybersecurity is a compulsory, tough and expensive task for all organizations, private and public, large, medium and small.
No one can ignore it anymore, and building a viable cybersecurity strategy is a complex task that needs to balance budget, keeping up with attacker technologies, available skills and a plethora of expensive tools on the market.
Let's discuss how available open-source solutions can help our organizations be more effective in implementing their cybersecurity posture while optimizing the available budget.
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015 (Minded Security)
Matteo Meucci gave a talk on software security in practice, describing the current scenario and the roadmap for enterprises to improve the maturity of their SDLC.
Realizing Software Security Maturity: The Growing Pains and Gains (Priyanka Aash)
The document discusses application security maturity models and how to build an effective application security program. It summarizes two maturity models, the BSIMM and SAMM, and compares their key aspects. It then provides details on how an application security team can establish processes and activities aligned with the SDL, including requirements, design reviews, threat modeling, code auditing, security assessments, and a response process. The presentation emphasizes collaboration, providing value to engineers, and establishing processes to integrate application security practices into development.
Internship report about Research and deployment ISA Server 2006 (Vũ Vương)
This document provides details about the internship of Võ Văn Vương Vũ at the Athena Network Security Center over 8 weeks. It describes the history and activities of Athena, including network administration and security training. During the internship, Vũ installed and configured ISA Server 2006, creating access rules, templates and publishing servers. He also installed servers on virtual private servers and created access rules to manage and secure them.
The document discusses implementing a static application security testing (SAST) tool. It recommends starting with a central scanning model where a security team scans code and reports vulnerabilities. Over time, the organization can transition to a full software development lifecycle model where developers use the tool during coding. Key factors for a successful implementation include choosing the right scanning model, training users, and establishing processes for fixing and verifying issues. The document also provides tips on maximizing returns and reducing costs such as licensing the tool granularly and keeping deployment and training short.
The CA Technologies | Veracode Platform: A 360-Degree View of Your Application's Security (CA Technologies)
For more information on DevSecOps, please visit: http://ow.ly/LcyX50g63fO
Matteo Meucci Software Security - Napoli 10112016 (Minded Security)
This document discusses software security and how companies can manage it. It begins with an introduction to software security risks from the perspectives of end users and companies. It then explains how companies can implement software security best practices using OWASP (Open Web Application Security Project) standards and processes. This includes incorporating security activities like risk assessments, secure design reviews, and testing throughout the entire software development lifecycle (SDLC). The document emphasizes that without focusing on security, vulnerabilities will exist, and that the OWASP resources can help integrate security practices.
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020 (Brian Levine)
"Adapt what is useful, reject what is useless, and add what is specifically your own." -Bruce Lee
Full transcript is here, https://www.linkedin.com/pulse/warriors-journey-building-global-appsec-program-owasp-brian-levine
This talk covers critical foundations for building a scalable Application Security Program.
Drawing on warrior-tested strategies and assurance frameworks such as OWASP SAMM and BSIMM, this session gives actionable guidance on building and advancing a global application security program.
Whether you are starting a fledgling security journey or managing a mature SSDLC, these foundational elements are core for achieving continuous security at scale.
Brian Levine is Senior Director of Product Security for Axway, an enterprise software company, delivering product solutions and cloud services to global Fortune 500 enterprises and government customers.
If you were tasked with building a security program (imagine it's day 1 in your new role as an application security manager), which playbook would you use? There's an alphabet soup of standards to choose from: ISO, SOC2, OWASP, NIST, BSIMM, PCI, CSA, and on and on.
Is there a script you could follow? And which set of frameworks would you use to get started in the right direction?
My talk today is going to draw on this quote and the wisdoms of the martial arts master and philosopher Bruce Lee. Adapt what is useful, reject what is useless, and add what is specifically your own. So, in that spirit I’m going to draw on my own experience with some of these frameworks and guidelines and cover the core foundational components that I feel have led to my success and I hope will help you get started.
What I’m hoping you’ll get out of this talk are some strategies and tactics that you can use to develop and improve your program.
[Slide 6] What we’re going to cover in these three core areas. We’ll focus on establishing a security Culture, we’ll look at developing and scaling security Processes and we’ll look at Governance for ensuring visibility and executive accountability
Top 5 best practices for delivering secure in-vehicle software (Rogue Wave Software)
This document outlines best practices for delivering secure in-vehicle software. It discusses five practices: 1) Manage and mitigate issues through static code analysis and testing to find vulnerabilities early, 2) Build security into the development workflow by integrating security checks from the start, 3) Enforce standards and ensure compliance with tools to check for adherence to guidelines like MISRA and ISO 26262, 4) Manage open source risk through policies, inventorying, and ongoing governance, and 5) Streamline processes with continuous integration, automation, and security/compliance checks integrated into the pipeline. The presentation emphasizes finding and fixing issues early, making security everyone's responsibility, and using tools to enforce best practices.
Take Control: Design a Complete DevSecOps Program (DevOps.com)
Designing a secure DevOps workflow is tough: Developers, testers, IT security teams, and managers all have different control points within the software development lifecycle. Additionally, each application in development and production has a unique profile and features. Then you have the different types of organizations which have different maturity levels and needs: Retail has different day-to-day priorities than Finance or Healthcare, although all industries are united by a need to defend against the current threat landscape of data breaches and ransomware.
How do you find the right touch points? How do you build application security into your DevOps workflow successfully, turning the workflow from a process into a program?
Bridging the Security Testing Gap in Your CI/CD Pipeline (DevOps.com)
Are you struggling with application security testing? Do you wish it was easier, faster, and better? Join us to learn more about IAST, a next-generation application security tool that provides highly accurate, real-time vulnerability results without the need for application or source code scans. Learn how this nondisruptive tool can:
Run in the background and report vulnerabilities during functional testing, CI/CD, and QA activities.
Auto verify, prioritize and triage vulnerability findings in real time with 100% confidence.
Fully automate secure app delivery and deployment, without the need for extra security scans or processes.
Free up DevOps resources to focus on strategic or mission-critical tasks and contributions.
OWASP Secure Coding Practices - Quick Reference Guide (Ludovic Petit)
This document provides a quick reference guide for secure coding practices. It contains a checklist of over 50 secure coding practices organized into categories such as input validation, authentication, session management, and access control. The introduction provides an overview of why secure coding is important and recommends establishing secure development processes and training developers. It defines key security concepts like threats, vulnerabilities, and risks. The goal is to help development teams integrate security practices into the software development lifecycle to mitigate common vulnerabilities.
Faisal Yahya discusses threat modelling in DevSecOps culture. Traditional prevent and detect security approaches are becoming inadequate as organizations increasingly use cloud systems and open APIs. Threat modelling helps security professionals identify potential threats by decomposing systems and identifying threats using techniques like STRIDE. It is important to embed security during planning and design through activities like threat modelling. This helps harden DevOps processes and can accelerate delivery while improving quality, security, and reliability.
This session addresses the technology challenges of continuous security testing to "deliver securely," and discusses best practices and tooling based on first-hand experience in both enterprise and startup environments.
10 things to get right for successful DevSecOps (Mohammed Ahmed)
This document discusses 10 things that are important to get right for successful DevSecOps implementation. It recommends that security testing be integrated seamlessly into the development process without disrupting developers. It also advises focusing first on identifying and fixing known critical vulnerabilities in libraries and components before custom code, and accepting that not all vulnerabilities can be eliminated. Developers should receive basic secure coding training without being expected to become security experts. The overall goal is to make security processes transparent to developers in order to balance security and speed of development.
This document provides an overview of digital product security. It discusses common cyberattacks against businesses, security issues in product development processes, and tips for developing software with security by design. It emphasizes starting with secure requirements, using static analysis, dynamic testing, and manual reviews. Following secure SDLC practices and continuous integration of security tools can help improve security, reduce costs, and better satisfy security audits.
AppSec How-To: Achieving Security in DevOps (Checkmarx)
How do you integrate security within a Continuous Deployment (CD) environment, where every 5 minutes a feature, an enhancement, or a bug fix needs to be released? Find out in this Checkmarx How-To Paper.
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps (Suman Sourav)
1) The document discusses the challenges of implementing application security in a DevOps environment, noting that while many organizations are adopting DevOps, few are integrating security testing during development.
2) It presents the DevSecOps approach which incorporates security capabilities and practices into DevOps technologies, processes, and culture through principles of collaboration, continuous improvement, automation, and security as code.
3) Key aspects of DevSecOps discussed include threat modeling, static and dynamic application security testing integrated into the development pipeline, container security, analytics dashboards for visualizing security metrics and risks, and maturity models for prioritizing applications based on risk assessments.
IEEE S&P 2020 - Software Security: from Research to Industry (Minded Security)
Day by day, technology introduces changes affecting many aspects of everyone's life, from private individuals to industry. In such an ever-changing world, cutting-edge research on application security is one of the topics that requires attention in order to keep up.
Minded Security, since the beginning of its mission, has focused on application security research in order to professionally support the analysis and mitigation of old and new threats for our customers.
This talk will go through some of the research performed by Minded Security to improve the security and privacy of our customers.
More and more enterprises are restructuring their development teams to replicate the agility and innovation of startups.
In the last few years, microservices have gained popularity for their ability to provide modularity, scalability, high availability, as well as make it easier for smaller development teams to develop in an agile way.
But how do they deal with security? What about security contexts?
This talk will give insights about the most interesting issues found in the last years while testing the security of multilayered microservices solutions and how they were fixed.
Minded Security offers a series of courses that target different skills including secure design, secure coding, secure testing and vulnerability management. Besides the software developers, the main target roles for software security training are the software architects, the business analysts, the project managers and the information security managers/officers.
The training courses developed by Minded Security have been built over several years (since 2007) of delivering software security professional services to customers.
This month we delivered a really interesting Live Hacking Demo for one of our major customers. We published the anonymized results and you can have a look here.
Js deobfuscation with JStillery - bsides-roma 2018 (Minded Security)
The document discusses JavaScript deobfuscation techniques. It begins by introducing common JavaScript obfuscation methods like Eval Packer, Metasploit JSObfu, JSFuck, JJEncode, AAEncode, and others. It then discusses the goals of deobfuscation, including semantics preservation, automation, robustness, readability, and efficiency. Several deobfuscation techniques are presented, such as using a sandboxed runtime environment or static and dynamic analysis with partial evaluation. The document dives deeper into an AST-based approach using Esprima to parse code into an AST and then reduce subtrees. It references an existing deobfuscation tool for JSObfu code and discusses areas for improvement. In the
Minded Security was invited to give a 4-minute pitch at CyberTech Europe 2017. In this presentation we describe Blueclosure, a JavaScript security platform for developers, auditors, testers and SOC teams to identify, detect and respond to JavaScript security flaws in code.
BC Detect Enterprise is a product designed to automate client-side JavaScript security analysis and to provide continuous integration with DevOps teams for testing web client-side security issues.
Minded Security - Fabrizio Bugli - (3rd) party like nobody's watching... (Minded Security)
1. 3rd Party Software: how to manage the update of 3rd party software
2. 3rd Party Development: Outsourcing
3. 3rd Party Supplier
4. 3rd Party OF THINGS
This document discusses JavaScript deobfuscation techniques using abstract syntax trees (ASTs). It begins by explaining goals of JavaScript obfuscation like blocking reverse engineering and bypassing antivirus detection. Common obfuscation techniques like eval packing and JSFuck are described. The document then discusses approaches to deobfuscation including runtime execution and manual analysis. It focuses on the benefits of partial evaluation using AST traversal and subtree reduction to perform operations like constant folding and function inlining. Examples are provided of challenges in evaluating complex data structures and functions. The conclusion is that AST-based deobfuscation is difficult but can counter some obfuscation techniques through multi-pass analysis and function hoisting.
== Abstract ==
Presented at Analysis of Security APIs
Satellite workshop of IEEE CSF
July 13th 2015, Verona, Italy
http://www.dsi.unive.it/~focardi/ASA8/#program
The browser's HTML sandbox is, by default, protected only by the Same Origin Policy. Although this simple constraint gave companies a very flexible environment to play with, and was probably one of the key features that led the Web to the success we see now, it is quite unsatisfactory from a security perspective: it does not address the problem that third-party code, once explicitly loaded and executed by the browser, can access all of the data in the DOM. This behaviour opens the door to malicious third-party code attacks, delivered either through Cross-Site Scripting (a fixture of the OWASP Top Ten for many years) or through second-order attacks such as malvertising. In the past, several attempts to sandbox untrusted code have been made. In this talk we will focus on the successes and failures of the most interesting open source browser sandboxing techniques.
- Concrete5 version 5.7.3.1 is vulnerable to remote code execution (RCE) via a vulnerability in its sendmail functionality that allows arbitrary command execution when sending registration notification emails. An authenticated administrator can be tricked via CSRF into configuring notification emails with a specially crafted address that executes code. This allows an attacker to execute code by registering a new user account. The vulnerability is fixed in version 5.7.4.
The document describes multiple reflected cross-site scripting (XSS) vulnerabilities identified in Concrete5 version 5.7.3.1. User input passed through various request parameters was not properly sanitized before being used to generate HTML output, allowing attackers to potentially inject arbitrary JavaScript code. The vulnerabilities were addressed in Concrete5 version 5.7.4. The vulnerabilities included issues in files related to page versions, user selection, group searching, language setup, single page loading, and attribute selection.
PHP Object Injection refers to a class of vulnerabilities that can affect PHP applications which use the "unserialize" function insecurely. Through this kind of vulnerability a potential attacker may be able to "inject" one or more objects into the application's scope. The attributes of those objects can be set arbitrarily by the attacker, which can cause unexpected behaviour in the application's execution flow and allow the attacker to carry out various kinds of attacks or, in the most serious cases, to execute arbitrary PHP code.
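As an added example for the vulnerability class described above (written for this page; it is not taken from Minded Security's material), the following script shows a destructor "gadget", the unserialize() call that lets attacker-controlled bytes instantiate it, and two fixes that close the hole. The LogWriter class, the payload layout and the file paths are constructed for the demo.

```php
<?php
// Added example, not from the Minded Security text: a PHP Object Injection
// gadget, the unserialize() call that lets attacker bytes instantiate it, and
// two fixes. The LogWriter class, payload and file paths are constructed for
// the demo; the file it writes is removed again at the end.
declare(strict_types=1);

// A plausible application class: it buffers log data and flushes it to disk
// when the object is destroyed. Nothing here is a bug on its own, but once
// unserialize() is fed untrusted input the attacker controls both properties,
// which turns the destructor into a write-anything-anywhere primitive.
class LogWriter
{
    public string $path = '';
    public string $data = '';

    public function __destruct()
    {
        // Runs when the last reference disappears, including for objects that
        // unserialize() built from attacker input.
        if ($this->path !== '') {
            file_put_contents($this->path, $this->data);
        }
    }
}

// Vulnerable: whatever class name the bytes contain gets instantiated.
function restoreVulnerable(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Fix 1: same call, but no class may be instantiated. Objects come back as
// __PHP_Incomplete_Class and no magic method (__wakeup, __destruct, ...) runs.
function restoreNoClasses(string $untrusted): mixed
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Fix 2: a data format that cannot express objects at all.
function restoreJson(string $untrusted): array
{
    $decoded = json_decode($untrusted, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($decoded)) {
        throw new UnexpectedValueException('expected a JSON object');
    }
    return $decoded;
}

// --- Demo -------------------------------------------------------------------
// The attacker writes the payload by hand (sprintf here, to get the byte
// lengths right): a LogWriter whose path points into the web root and whose
// data is PHP code. In the demo the "web root" is the system temp directory.
$target  = sys_get_temp_dir() . '/poi_demo_' . getmypid() . '.php';
$code    = "<?php system(\$_GET['c']); ?>";
$payload = sprintf(
    'O:9:"LogWriter":2:{s:4:"path";s:%d:"%s";s:4:"data";s:%d:"%s";}',
    strlen($target), $target, strlen($code), $code
);

// 1. Vulnerable path: LogWriter is instantiated; dropping the reference fires
//    __destruct and the web shell lands on disk.
$obj = restoreVulnerable($payload);
echo 'unserialize():          got ', get_class($obj), "\n";
unset($obj);
echo 'file written?           ', file_exists($target) ? 'yes' : 'no', "\n";
@unlink($target);

// 2. allowed_classes => false: same bytes, no LogWriter, no destructor.
$obj = restoreNoClasses($payload);
echo 'allowed_classes=false:  got ', get_class($obj), "\n";
unset($obj);
echo 'file written?           ', file_exists($target) ? 'yes' : 'no', "\n";

// 3. JSON: serialized-object syntax is not valid JSON, so the payload is
//    rejected before any application code sees it.
try {
    restoreJson($payload);
} catch (JsonException $e) {
    echo 'json_decode():          rejected (', $e->getMessage(), ")\n";
}
```

If the application genuinely needs PHP's native serialization (for example for cache entries it wrote itself), it should also authenticate the bytes with an HMAC over the serialized string and verify it before calling unserialize(), so that attacker-supplied strings never reach the parser; allowed_classes then acts as a second layer rather than the only one.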
1. ISACA VENICE Chapter, V Conference on Application Security and Modern Technologies. Venezia, Università Ca' Foscari, 6 October 2017. In collaboration with
2. Matteo Meucci: OWASP, new standards for application security
3. Agenda
1. How OWASP can help companies on software security
   1.1 Devs, Architects
   1.2 Auditors, Testers
   1.3 CISO, Management
2. Focus on SAMM and GDPR
4. Who am I?
Informatics Engineer (since 2001)
Research:
• OWASP contributor (since 2002)
• OWASP-Italy Chair (since 2005)
• OWASP Testing Guide Lead (since 2006)
Work:
• 16+ years in Information Security focusing on Software Security
• CEO @ Minded Security – The Software Security Company (since 2007)
6. About OWASP
• The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit, also registered in Europe as a worldwide charitable organization, focused on improving the security of software.
• Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks.
• Everyone is welcome to participate in OWASP and all of our materials are available under free and open software licenses.
www.OWASP.org
7. OWASP has ~140 projects
• PROTECT: tools and documents that can be used to guard against security-related design and implementation flaws.
• DETECT: tools and documents that can be used to find security-related design and implementation flaws.
• LIFE CYCLE: tools and documents that can be used to add security-related activities into the Software Development Life Cycle (SDLC).
8. Timo Pagel
Equifax incident, September 2017
Impacting approximately 143 million consumers.
Reason: using a library with known vulnerabilities (Apache Struts 2 vulnerability CVE-2017-5638).
9. Timo Pagel
Detection of Components with Known Vulnerabilities
"Through 2020, 99% of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year." Gartner, 2016
Source: Gartner's Top 10 Security Predictions 2016
12. OWASP Top 10 2017 (?)
A1-Injection
A2-Broken Authentication and Session Management
A3-Cross-Site Scripting (XSS)
A4-Broken Access Control
A5-Security Misconfiguration
A6-Sensitive Data Exposure
A7-Insufficient Attack Protection
A8-Cross-Site Request Forgery (CSRF)
A9-Using Components with Known Vulnerabilities
A10-Underprotected APIs
(The list shown is the April 2017 Release Candidate 1. The final release of November 2017 dropped A7 Insufficient Attack Protection, A10 Underprotected APIs and CSRF, and added XML External Entities, Insecure Deserialization and Insufficient Logging & Monitoring.)
The Top 10 2013 is available in Italian.

TOP10 PROACTIVE CONTROLS
1. Verify for Security Early and Often
2. Parameterize Queries
3. Encode Data
4. Validate All Inputs
5. Implement Identity and Authentication Controls
6. Implement Appropriate Access Controls
7. Protect Data
8. Implement Logging and Intrusion Detection
9. Leverage Security Frameworks and Libraries
10. Error and Exception Handling
Project leaders: Jim.Manico@owasp.org, Jim.Bird@owasp.org, Katy.Anton@owasp.org
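Controls 2, 3, 4 and 8 from the list above are the ones a developer meets on almost every feature. The following Python snippet is an added example, not from the slides or from the Proactive Controls project, showing all four applied to one small user-lookup feature with only the standard library: an allow-list regex validates the input (C4), the lookup binds the value as a query parameter instead of building SQL from it (C2), the display name is HTML-encoded when rendered (C3), and rejected input is logged in an escaped form (C8). The table, rows and the `greet` function are constructed for the example.

```python
"""Added example (not from the slides): OWASP Proactive Controls C2, C3,
C4 and C8 applied to one user-lookup feature, standard library only."""
import html
import logging
import re
import sqlite3

log = logging.getLogger("appsec")

# Allow-list for usernames: letters, digits and a few separators, 1-32 chars.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def setup_db():
    """Constructed in-memory table with two sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, display_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "Alice <Admin>"), ("bob", "Bob")])
    return conn


# C4: validate all inputs. Anything outside the allow-list is rejected
# before it reaches the database or the page.
def validate_username(raw):
    if not USERNAME_RE.fullmatch(raw):
        # C8: log the rejected value; repr() escapes newlines and control
        # characters so the log line itself cannot be forged.
        log.warning("rejected username %r", raw)
        return None
    return raw


# C2: parameterize queries. The driver binds the value, so it can never
# change the SQL structure whatever characters it contains.
def lookup_display_name(conn, username):
    row = conn.execute(
        "SELECT display_name FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


# C3: encode data for the context it is rendered in (here an HTML body).
def render_greeting(display_name):
    return f"<p>Hello, {html.escape(display_name)}</p>"


def greet(conn, raw_username):
    """Validate, look up with a bound parameter, encode on output."""
    username = validate_username(raw_username)
    if username is None:
        return "<p>Invalid username</p>"
    name = lookup_display_name(conn, username)
    if name is None:
        return "<p>Unknown user</p>"
    return render_greeting(name)


def run_demo():
    """Exercise the feature with valid, unknown and malformed input."""
    conn = setup_db()
    return [greet(conn, u) for u in ("alice", "bob", "carol", "", "alice bob")]


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Note that the stored display name `Alice <Admin>` reaches the page as `Alice &lt;Admin&gt;`: validation on the way in does not replace encoding on the way out, because data already in the database may come from other paths.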

AUDITORS, TESTERS
“I would like to find all the bugs in this software”

CODE REVIEW GUIDE
www.owasp.org/index.php/Code_Review_Guide
• Most comprehensive open source secure code review guide on the web
• Years of development effort
• Version 2
• Numerous contributors
• Project Leader and Editor: eoin.keary@owasp.org

TESTING GUIDE
www.owasp.org/index.php/Testing_Guide
• Most comprehensive open source secure testing guide on the web
• Years of development effort
• Version 4.0 produced in 2014
• Hundreds of contributors
• Project Leaders and Editors: Matteo Meucci (matteo.meucci@owasp.org), Andrew Muller (andrew.muller@owasp.org)

Roles and responsibilities

| Define | Design | Develop | Deploy | Maintain |
|---|---|---|---|---|
| Risk Assessment | Secure Design | Design Review | Software Acceptance | Web Intrusion Monitoring |
| Secure Requirements | Threat Modeling | Secure Development | Secure Installation | Change Management |
| Secure Architecture | | SCR and WAPT | Hardening | Fixing |

Roles involved (grouped as on the slide):
• Business Analyst, Security Manager
• Business Analyst, AppSec Specialist
• Business Analyst, Software Architect, AppSec Specialist
• Security Manager, Application Owner, Software Architect
• Security Manager
• Security Manager, Developer, AppSec Specialist
• Developer, Security Manager, App Owner
• System Engineer
• System Engineer, AppSec Specialist
• Sec Manager, App Owner, Developer

OWASP for CISO
• Use the OWASP Software Contract Annex to regulate your outsourcer contracts
• Use the CISO Guide for Management’s Awareness
• Use the OWASP Top Ten Proactive Controls, the Building Guide and Cheat Sheets to write more secure software
• Use the OWASP Secure Code Review guide to review the code
• Use the OWASP Testing Guide to test your application

OWASP FOR CISO (2)
• The fixing process is the most important step of the software security process
• Retest your application after a bug fix or a new release to be sure that the right implementations are in place
• Use OWASP SAMM to assess your maturity and to build an Application Security Program to manage the SDLC
• The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.

SAMM goals
• SAMM allows a Company to:
– Measure and improve software security best practices
– Focus on security risk to make effective use of security resources
– Find vulnerabilities earlier in the development process
– Design a Roadmap to manage the software security in your projects

OWASP SAMM: objectives
The SAMM’s goals are:
• Evaluate an organization’s existing software security practices
• Build a balanced software security assurance program in well-defined iterations
• Demonstrate concrete improvements to a security assurance program
• Define and measure security-related activities throughout an organization

OWASP SAMM: 4 Business functions
SDLC phases: Define, Design, Develop, Deploy, Maintain

| Business function | Scope |
|---|---|
| Governance | Software development management activities and organisation-wide business processes |
| Construction | Goal definition and software creation processes |
| Verification | Checking, evaluation and testing of software development artifacts |
| Deployment | Software release management and normal operational management |

Step 4: create the roadmap
• For each Security Practice write down the Activities to implement
• Evaluate the benefits and the efforts necessary for the organization to improve each Security Practice.
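The two bullets above describe the roadmap step in words. The following Python script is an added example, not from the slides and not part of the OWASP SAMM toolkit, that turns an assessment into a roadmap: it scores each business function from the assessed practice levels, lists the practices with a gap to their target, orders them by benefit/effort and packs them into iterations under a fixed effort budget. Practice names follow the four business functions used later in these slides; the current levels, targets, benefit and effort scores, and the per-iteration budget are all constructed values, and the packing into budgeted iterations goes slightly beyond the slide's two bullets.

```python
"""Added example (not from the slides or from OWASP SAMM): a scorecard
that turns a SAMM-style assessment into a roadmap of iterations."""
from dataclasses import dataclass


@dataclass
class Practice:
    function: str
    name: str
    current: int   # assessed maturity level, 0-3
    target: int    # level wanted at the end of the roadmap
    benefit: int   # 1-5, estimated risk reduction (constructed)
    effort: int    # 1-5, estimated cost to reach the target (constructed)


# Constructed assessment result for a fictional company.
ASSESSMENT = [
    Practice("Governance", "Strategy and Metrics", 0, 2, 3, 2),
    Practice("Governance", "Policy and Compliance", 2, 3, 2, 2),
    Practice("Governance", "Education and Guidance", 1, 2, 4, 2),
    Practice("Construction", "Security Requirements", 1, 2, 4, 3),
    Practice("Construction", "Secure Architecture", 1, 1, 2, 3),
    Practice("Construction", "Secure Design", 0, 2, 5, 4),
    Practice("Verification", "Design Review", 0, 1, 3, 3),
    Practice("Verification", "Code Review", 1, 2, 4, 3),
    Practice("Verification", "Security Testing", 2, 3, 3, 2),
    Practice("Deployment", "Vulnerability Management", 0, 2, 5, 3),
    Practice("Deployment", "Environment Hardening", 2, 2, 2, 2),
    Practice("Deployment", "Operational Enablement", 1, 2, 2, 3),
]


def function_scores(practices):
    """Average current maturity per business function (the scorecard)."""
    levels = {}
    for p in practices:
        levels.setdefault(p.function, []).append(p.current)
    return {f: round(sum(v) / len(v), 2) for f, v in levels.items()}


def gaps(practices):
    """Practices whose target level is above the assessed level."""
    return [p for p in practices if p.target > p.current]


def roadmap(practices, effort_per_iteration=6):
    """Order the gaps by benefit/effort (ties by name) and fill iterations
    in that order until the constructed effort budget would be exceeded."""
    ordered = sorted(gaps(practices),
                     key=lambda p: (-p.benefit / p.effort, p.name))
    plan, current, load = [], [], 0
    for p in ordered:
        if current and load + p.effort > effort_per_iteration:
            plan.append(current)
            current, load = [], 0
        current.append(p.name)
        load += p.effort
    if current:
        plan.append(current)
    return plan


if __name__ == "__main__":
    for function, score in function_scores(ASSESSMENT).items():
        print(f"{function:13s} {score}")
    for i, names in enumerate(roadmap(ASSESSMENT), start=1):
        print(f"Iteration {i}: {', '.join(names)}")
```

The ordering key is the practical content of the slide's second bullet: a cheap, high-benefit practice such as developer training lands in the first iteration, while an expensive, low-benefit one is scheduled last.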

CASE-STUDY: HOW COMPANIES ARE APPROACHING THE GOVERNANCE OF SOFTWARE SECURITY

What Italian Companies are doing today

| Area: Governance | Activities | Participants |
|---|---|---|
| Strategy and Metrics | Conduct periodic industry-wide cost comparisons, collect metrics for historic security spend (% project), past spending. | 10% |
| Policy and Compliance | Identify and monitor external compliance drivers, build and maintain compliance guidelines. | 80% |
| Education and Guidance | Training courses for Developers, Analysts, Auditors and Workshops for Management. | 55% |
Source: Minded Security – Results of 14 assessments from 2012 to 2016

What Italian Companies are doing today (2)

| Area: Construction | Activities | Participants |
|---|---|---|
| Secure Architecture | Build the document for the Governance of the development outsourcing process. | 30% |
| Security Requirements | Develop: “Building Secure applications guidelines”. | 60% |
| Secure Design | Apply the methodology of threat modeling to the projects evaluated with medium to high risk in the definition phase of the project and the specific | 10% |
Source: Minded Security – Results of 14 assessments from 2012 to 2016

What Italian Companies are doing today (3)

| Area: Verification | Activities | Participants |
|---|---|---|
| Design Review | Identify software attack surface, analyze design against known security requirements, inspect for complete provision of security mechanisms. | 20% |
| Code Review | Conduct Manual Secure Code Review for critical applications. | 30% |
| Security Testing | Conduct penetration testing on software releases with fixing support. | 75% |
Source: Minded Security – Results of 14 assessments from 2012 to 2016

What Italian Companies are doing today (4)

| Area: Deployment | Activities | Participants |
|---|---|---|
| Vulnerability Management | Create information security response team(s) for application security, establish a consistent incident response process, conduct root cause analysis for application security incidents. | 20% |
| Environment Hardening | Develop hardening procedures for all your technologies, implement a fixing process to be sure to patch all the issues identified during the security assessment. | 60% |
| Operational Enablement | Request support for fixing all the vulnerabilities identified during the Secure Code Review and Penetration Testing activities. | 40% |
Source: Minded Security – Results of 14 assessments from 2012 to 2016

GDPR
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament intends to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

GDPR: impact on Application Security

| Article | Activities |
|---|---|
| Art. 4: Expansion of definition of “personal data” | The GDPR’s definition of the “personal data” that must be protected is more detailed and broad than previous regulations. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information or a computer IP address. |
| Art. 25: Security by Design | The GDPR includes a requirement to implement “data protection by design and by default.” This requirement involves creating applications from scratch with security and data protection in mind. For applications, “security by design” incorporates activities like threat modeling, secure design, training developers on secure coding best practices, and ensuring that developers are not only coding securely, but also identifying and remediating security-related defects in their code (fixing). |

GDPR: impact on Application Security (2)

| Article | Activities |
|---|---|
| Art. 28: Third-party vendor security | Article 28 states that, in choosing a data processor (outside vendor), “the controller shall select a processor providing sufficient guarantees to implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.” For application security, this means you can’t assume the security of third-party software. You need “sufficient guarantees” that these externally sourced applications comply with the EU GDPR. |
| Art. 33: Notification of a personal data breach to the supervisory authority | Under the EU GDPR, breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals.” This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers “without undue delay” after first becoming aware of a data breach. |

SDLC and GDPR
Art. 4: Expansion of definition of “personal data”

| Define | Design | Develop | Deploy | Maintain |
|---|---|---|---|---|
| Risk Assessment | Secure Design | Design Review | Software Acceptance | Web Intrusion Monitoring |
| Secure Requirements | Threat Modeling | Secure Development | Secure Installation | Change Management |
| Secure Architecture | | SCR and WAPT | Hardening | Fixing |
SDLC and GDPR
Art. 25: Security by Design
SDLC and GDPR
Art. 33: Notification of a personal data breach to the supervisory authority

SDLC and GDPR: advantages
• GDPR and SDLC reinforce each other
• (ab)use GDPR to start SDLC (business case)
• Improve SDLC by including GDPR activities
• SDLC “deliverables” with GDPR demonstrate compliance
Thanks to: Embedding GDPR into the SDLC. Sebastien Deleersnyder, Siebe De Roovere