SlideShare a Scribd company logo
N E W E R A O F S O F T WA R E W I T H
M O D E R N A P P L I C AT I O N S E C U R I T Y
V E R S I O N 0 . 6 ( 2 7 / F E B / 2 0 1 6 )
O WA S P L O N D O N C H A P T E R
@ D I N I S C R U Z
@ D I N I S C R U Z
• Developer for 25 years
• AppSec for 13 years
• Leader OWASP O2 Platform
project
• Head of Application Security at
The Hut Group
• Application Security Training for
JBI Training
• http://blog.diniscruz.com/
• https://www.linkedin.com/in/
diniscruz
Q U A L I T Y
Software Craftsmanship is about
Software Quality
a big problem with the Craftsmanship (and testing)
community is:



‘How to define Quality?’
Everybody knows that Quality is key
… but …
‘how to measure Quality?’
My thesis is that
Application Security can be used to 

define and measure Quality
Application Security is all about the non-functional
requirements of software*
* software = apps, websites, web services, apis, tools, build scripts = code
Application Security is all about understanding
HOW the software work
* vs how software behaves
Using Application Security 



I can measure the quality of software
Because Application Security 



measures the unintended side effects of coding
W R I T I N G S E C U R E C O D E M Y T H
“If only software developers had security
knowledge they would be able write secure code”
This is a myth because secure code has very little
to do with developer’s skills and craftsmanship
Software security (or insecurity) is a consequence
of the Software development environment 



(namely the business and managers focus)
And I know that this is a myth because
I cannot write ‘secure code’ 



when I’m programming
T H E P O L L U T I O N A N A L O G Y
T E C H N I C A L D E B T I S A B A D A N A L O G Y
• The developers are the ones who pays the debt
• Population is a much better analogy
• The key is to make the business accept the risk (i.e the
debt)
L E T ’ S H A C K ( A L I T T L E B I T ) 

H T T P : / / M A N I F E S T O . S O F T WA R E C R A F T S M A N S H I P. O R G /
Demo
C U R R E N T S TAT E O F A P P L I C AT I O N
I N S E C U R I T Y
How secure is your code?
How insecure is your code?
How many risks/vulnerabilities are
you aware of?
J I R A R I S K W O R K F L O W
http://blog.diniscruz.com/2015/12/jira-workflows-for-handing-appsec-risks.html
K E Y C O N C E P T S O F T H I S W O R K F L O W
• All tests should pass all the time
• Tests that check/confirm vulnerabilities should also
pass
• The key to make this work is to: 



Make business owners understand the risks of their
decisions (and click on the ‘accept risk’ button)
You have to make sure that it is your
boss that gets fired
… he/she should make sure that it is
his/hers boss that gets fired …
… all the way to the CTO
(i.e. Board level responsibility)
S E N I O R M A N A G E M E N T O V E R S I G H T
• ‘Security Memo’ (from God)
• Incident response plans
• Emergency response exercises (can you detect them?)
• Cyber Insurance
• Enterprise Cyber Risk management
• Which C-level executive will get fired?
D O E S Y O U R C O M PA N Y / T E A M H AV E :
• AppSec team/person
• Security Champion
• Secure coding standards
• Threat Models
• OWASP contributors
• Secure code reviews
If your answer was not YES to all of them...
then 



Your Application WILL have a high
number of Security Vulnerabilities
W H Y D O A P P L I C AT I O N S E C U R I T Y ?
Because you care about: 

your users

good engineering
your application
your company
You have been lucky so far due
to lack of commercially focused
attackers
This has been a
Blessing and Curse
You are making
an Hedged bet
the
Security of your code
vs
Skill and motivation of attacks
will not change in next 2 years
Your hedge bet is that :
Most of you are creating the
perfect storm ….
User personalisation
+
Digital Payments
+
APIs
A large % of your apps users
will have malware on their
box
You are as secure as your
most unexperienced
developer
W H O I S AT TA C K I N G Y O U
I F T H E
AT TA C K E R T E L L S
Y O U A B O U T T H E
AT TA C K
Y O U S H O U L D
T H A N K T H E M
The dangerous ones are the
commercially focused
criminals
It’s all about the money
… to hack you …
Buy botnet for $110
How much it cost to be an ‘internal user’
100% Anti-virus non detection guarantee
But the credit cards were protected
R U S S I A N H A C K E R S M O V E D R U B L E R AT E
W I T H M A LWA R E
http://www.bloomberg.com/news/articles/2016-02-08/russian-hackers-moved-currency-rate-with-malware-group-ib-says
I T I S I N T H E B I L L I O N S
• The real criminals are running highly professional
companies, with high quality software Development,
Testing, QA, AB testing, etc…
N E W G E N E R AT I O N
O F A P P L I C AT I O N
S E C U R I T Y
T H I N K I N G
• TDD
• Docker
• Test Automation
• Static Analysis
• cleaver Fuzzing
• JIRA Risk workflows
• Kanban
• micro web services visualization, and
• ELK
W E H AV E S O L U T I O N S
O WA S P ! ! ! !
T I P S F O R B U I L D I N G A M O D E R N
S E C U R I T Y E N G I N E E R I N G O R G A N I Z AT I O N
• https://georgianpartners.com/tips-for-building-a-modern-security-
engineering-organization
H O W T O B U I L D S E C U R E W E B
A P P L I C AT I O N
• http://blog.knoldus.com/2016/02/03/how-to-build-secure-web-
application/
R E A L W O R L D M U TAT I O N T E S T I N G
• http://pitest.org/
S E C U R I T Y D E V E L O P M E N T L I F E C Y C L E
• https://www.microsoft.com/en-us/sdl/process/design.aspx
S P O T I F Y E N G I N E E R I N G C U LT U R E -
PA R T 1
• https://labs.spotify.com/2014/03/27/spotify-engineering-culture-
part-1/
• https://spotifylabscom.files.wordpress.com/2014/03/spotify-
engineering-culture-part1.jpeg
S P O T I F Y E N G I N E E R I N G C U LT U R E -
PA R T 2
• https://labs.spotify.com/2014/09/20/spotify-engineering-culture-
part-2/
• https://spotifylabscom.files.wordpress.com/2014/09/spotify-
engineering-culture-part2.jpeg
F I N A L T H O U G H T S
U N W R I T T E N R U L E S O F A P I S
“Every API is destined to be connected to the internet”
U N W R I T T E N R U L E S O F A P I S
“All API data wants to be exposed in a Web Page”
“Would you fly in a plane that has the code quality
of your APIs”
Thanks, any questions?

More Related Content

What's hot

DevSecCon Singapore 2018 - Pushing left like a boss by Tanya Janca
DevSecCon Singapore 2018 - Pushing left like a boss by Tanya JancaDevSecCon Singapore 2018 - Pushing left like a boss by Tanya Janca
DevSecCon Singapore 2018 - Pushing left like a boss by Tanya Janca
DevSecCon
 
How to get the best out of DevSecOps - an operations perspective
How to get the best out of DevSecOps - an operations perspectiveHow to get the best out of DevSecOps - an operations perspective
How to get the best out of DevSecOps - an operations perspective
Colin Domoney
 
AppSec is Eating Security
AppSec is Eating SecurityAppSec is Eating Security
AppSec is Eating Security
Alex Stamos
 
DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...
DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...
DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...
DevSecCon
 
DevSecOps at Agile 2019
DevSecOps at   Agile 2019 DevSecOps at   Agile 2019
DevSecOps at Agile 2019
Elizabeth Ayer
 
OWASP Top 10 practice workshop by Stanislav Breslavskyi
OWASP Top 10 practice workshop by Stanislav BreslavskyiOWASP Top 10 practice workshop by Stanislav Breslavskyi
OWASP Top 10 practice workshop by Stanislav Breslavskyi
Nazar Tymoshyk, CEH, Ph.D.
 
Zen and the art of Security Testing
Zen and the art of Security TestingZen and the art of Security Testing
Zen and the art of Security Testing
TEST Huddle
 
The Journey to DevSecOps
The Journey to DevSecOpsThe Journey to DevSecOps
The Journey to DevSecOps
SeniorStoryteller
 
Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016
Stefan Streichsbier
 
What? Why? Who? How? Of Application Security Testing
What? Why? Who? How? Of Application Security Testing What? Why? Who? How? Of Application Security Testing
What? Why? Who? How? Of Application Security Testing
TEST Huddle
 
DevSecCon Singapore 2018 - Insecurity in information technology by Tanya Janca
DevSecCon Singapore 2018 - Insecurity in information technology by Tanya JancaDevSecCon Singapore 2018 - Insecurity in information technology by Tanya Janca
DevSecCon Singapore 2018 - Insecurity in information technology by Tanya Janca
DevSecCon
 
Threat-Modeling-as-Code: ThreatPlaybook AppSecUSA 2018 Presentation
Threat-Modeling-as-Code: ThreatPlaybook AppSecUSA 2018 PresentationThreat-Modeling-as-Code: ThreatPlaybook AppSecUSA 2018 Presentation
Threat-Modeling-as-Code: ThreatPlaybook AppSecUSA 2018 Presentation
Abhay Bhargav
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security Agile
Oleg Gryb
 
Simplify Dev with Complicated Security Tools
Simplify Dev with Complicated Security ToolsSimplify Dev with Complicated Security Tools
Simplify Dev with Complicated Security Tools
Kevin Fealey
 
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
Brian Levine
 
Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security
Jeff Williams
 
IntroSec Con - Building Your Blue Team Arsenal - glitch
IntroSec Con - Building Your Blue Team Arsenal - glitchIntroSec Con - Building Your Blue Team Arsenal - glitch
IntroSec Con - Building Your Blue Team Arsenal - glitch
JasonRomero21
 
Map camp - Why context is your crown jewels (Wardley Maps and Threat Modeling)
Map camp  - Why context is your crown jewels (Wardley Maps and Threat Modeling)Map camp  - Why context is your crown jewels (Wardley Maps and Threat Modeling)
Map camp - Why context is your crown jewels (Wardley Maps and Threat Modeling)
Dinis Cruz
 
Secure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSecure Coding for Java - An Introduction
Secure Coding for Java - An Introduction
Sebastien Gioria
 
Null application security in an agile world
Null application security in an agile worldNull application security in an agile world
Null application security in an agile world
Stefan Streichsbier
 

What's hot (20)

DevSecCon Singapore 2018 - Pushing left like a boss by Tanya Janca
DevSecCon Singapore 2018 - Pushing left like a boss by Tanya JancaDevSecCon Singapore 2018 - Pushing left like a boss by Tanya Janca
DevSecCon Singapore 2018 - Pushing left like a boss by Tanya Janca
 
How to get the best out of DevSecOps - an operations perspective
How to get the best out of DevSecOps - an operations perspectiveHow to get the best out of DevSecOps - an operations perspective
How to get the best out of DevSecOps - an operations perspective
 
AppSec is Eating Security
AppSec is Eating SecurityAppSec is Eating Security
AppSec is Eating Security
 
DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...
DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...
DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...
 
DevSecOps at Agile 2019
DevSecOps at   Agile 2019 DevSecOps at   Agile 2019
DevSecOps at Agile 2019
 
OWASP Top 10 practice workshop by Stanislav Breslavskyi
OWASP Top 10 practice workshop by Stanislav BreslavskyiOWASP Top 10 practice workshop by Stanislav Breslavskyi
OWASP Top 10 practice workshop by Stanislav Breslavskyi
 
Zen and the art of Security Testing
Zen and the art of Security TestingZen and the art of Security Testing
Zen and the art of Security Testing
 
The Journey to DevSecOps
The Journey to DevSecOpsThe Journey to DevSecOps
The Journey to DevSecOps
 
Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016
 
What? Why? Who? How? Of Application Security Testing
What? Why? Who? How? Of Application Security Testing What? Why? Who? How? Of Application Security Testing
What? Why? Who? How? Of Application Security Testing
 
DevSecCon Singapore 2018 - Insecurity in information technology by Tanya Janca
DevSecCon Singapore 2018 - Insecurity in information technology by Tanya JancaDevSecCon Singapore 2018 - Insecurity in information technology by Tanya Janca
DevSecCon Singapore 2018 - Insecurity in information technology by Tanya Janca
 
Threat-Modeling-as-Code: ThreatPlaybook AppSecUSA 2018 Presentation
Threat-Modeling-as-Code: ThreatPlaybook AppSecUSA 2018 PresentationThreat-Modeling-as-Code: ThreatPlaybook AppSecUSA 2018 Presentation
Threat-Modeling-as-Code: ThreatPlaybook AppSecUSA 2018 Presentation
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security Agile
 
Simplify Dev with Complicated Security Tools
Simplify Dev with Complicated Security ToolsSimplify Dev with Complicated Security Tools
Simplify Dev with Complicated Security Tools
 
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
 
Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security
 
IntroSec Con - Building Your Blue Team Arsenal - glitch
IntroSec Con - Building Your Blue Team Arsenal - glitchIntroSec Con - Building Your Blue Team Arsenal - glitch
IntroSec Con - Building Your Blue Team Arsenal - glitch
 
Map camp - Why context is your crown jewels (Wardley Maps and Threat Modeling)
Map camp  - Why context is your crown jewels (Wardley Maps and Threat Modeling)Map camp  - Why context is your crown jewels (Wardley Maps and Threat Modeling)
Map camp - Why context is your crown jewels (Wardley Maps and Threat Modeling)
 
Secure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSecure Coding for Java - An Introduction
Secure Coding for Java - An Introduction
 
Null application security in an agile world
Null application security in an agile worldNull application security in an agile world
Null application security in an agile world
 

Viewers also liked

From java to scala at crowd mix
From java to scala at crowd mixFrom java to scala at crowd mix
From java to scala at crowd mix
Stefano Galarraga
 
Databus - LinkedIn's Change Data Capture Pipeline
Databus - LinkedIn's Change Data Capture PipelineDatabus - LinkedIn's Change Data Capture Pipeline
Databus - LinkedIn's Change Data Capture Pipeline
Sunil Nagaraj
 
Day 5 - Real-time Data Processing/Internet of Things (IoT) with Amazon Kinesis
Day 5 - Real-time Data Processing/Internet of Things (IoT) with Amazon KinesisDay 5 - Real-time Data Processing/Internet of Things (IoT) with Amazon Kinesis
Day 5 - Real-time Data Processing/Internet of Things (IoT) with Amazon Kinesis
Amazon Web Services
 
Using jira to manage risks v1.0 - owasp app sec eu - june 2016
Using jira to manage risks   v1.0 - owasp app sec eu - june 2016Using jira to manage risks   v1.0 - owasp app sec eu - june 2016
Using jira to manage risks v1.0 - owasp app sec eu - june 2016
Dinis Cruz
 
Building a Reactive RESTful API with Akka Http & Slick
Building a Reactive RESTful API with Akka Http & SlickBuilding a Reactive RESTful API with Akka Http & Slick
Building a Reactive RESTful API with Akka Http & Slick
Zalando Technology
 
Intro to Apache Apex - Next Gen Platform for Ingest and Transform
Intro to Apache Apex - Next Gen Platform for Ingest and TransformIntro to Apache Apex - Next Gen Platform for Ingest and Transform
Intro to Apache Apex - Next Gen Platform for Ingest and Transform
Apache Apex
 
Real time data viz with Spark Streaming, Kafka and D3.js
Real time data viz with Spark Streaming, Kafka and D3.jsReal time data viz with Spark Streaming, Kafka and D3.js
Real time data viz with Spark Streaming, Kafka and D3.js
Ben Laird
 

Viewers also liked (7)

From java to scala at crowd mix
From java to scala at crowd mixFrom java to scala at crowd mix
From java to scala at crowd mix
 
Databus - LinkedIn's Change Data Capture Pipeline
Databus - LinkedIn's Change Data Capture PipelineDatabus - LinkedIn's Change Data Capture Pipeline
Databus - LinkedIn's Change Data Capture Pipeline
 
Day 5 - Real-time Data Processing/Internet of Things (IoT) with Amazon Kinesis
Day 5 - Real-time Data Processing/Internet of Things (IoT) with Amazon KinesisDay 5 - Real-time Data Processing/Internet of Things (IoT) with Amazon Kinesis
Day 5 - Real-time Data Processing/Internet of Things (IoT) with Amazon Kinesis
 
Using jira to manage risks v1.0 - owasp app sec eu - june 2016
Using jira to manage risks   v1.0 - owasp app sec eu - june 2016Using jira to manage risks   v1.0 - owasp app sec eu - june 2016
Using jira to manage risks v1.0 - owasp app sec eu - june 2016
 
Building a Reactive RESTful API with Akka Http & Slick
Building a Reactive RESTful API with Akka Http & SlickBuilding a Reactive RESTful API with Akka Http & Slick
Building a Reactive RESTful API with Akka Http & Slick
 
Intro to Apache Apex - Next Gen Platform for Ingest and Transform
Intro to Apache Apex - Next Gen Platform for Ingest and TransformIntro to Apache Apex - Next Gen Platform for Ingest and Transform
Intro to Apache Apex - Next Gen Platform for Ingest and Transform
 
Real time data viz with Spark Streaming, Kafka and D3.js
Real time data viz with Spark Streaming, Kafka and D3.jsReal time data viz with Spark Streaming, Kafka and D3.js
Real time data viz with Spark Streaming, Kafka and D3.js
 

Similar to New Era of Software with modern Application Security (v0.6)

So... you want to be a security consultant
So... you want to be a security consultant So... you want to be a security consultant
So... you want to be a security consultant abnmi
 
Nuno Job - what's next for software - ANDdigital tech summit
Nuno Job - what's next for software - ANDdigital tech summitNuno Job - what's next for software - ANDdigital tech summit
Nuno Job - what's next for software - ANDdigital tech summit
Greta Strolyte
 
Compliance in the Era of Cloud
Compliance in the Era of CloudCompliance in the Era of Cloud
Compliance in the Era of Cloud
OneLogin
 
Getting UX Buy-in in an Enterprise Landscape
Getting UX Buy-in in an Enterprise LandscapeGetting UX Buy-in in an Enterprise Landscape
Getting UX Buy-in in an Enterprise Landscape
ryngrn
 
Matic technology website development and digital marketing company
Matic technology   website development and digital marketing companyMatic technology   website development and digital marketing company
Matic technology website development and digital marketing company
Matic Technology
 
A Career in Software Engineering
A Career in Software EngineeringA Career in Software Engineering
A Career in Software Engineering
DVT - Smart people. Smart solutions.
 
Decoupled APIs through microservices
Decoupled APIs through microservicesDecoupled APIs through microservices
Decoupled APIs through microservices
David Simons
 
HIS 2017 Paul Sherwood- towards trustable software
HIS 2017 Paul Sherwood- towards trustable software HIS 2017 Paul Sherwood- towards trustable software
HIS 2017 Paul Sherwood- towards trustable software
jamieayre
 
Гірка правда про безпеку програмного забезпечення, Володимир Стиран
Гірка правда про безпеку програмного забезпечення, Володимир СтиранГірка правда про безпеку програмного забезпечення, Володимир Стиран
Гірка правда про безпеку програмного забезпечення, Володимир Стиран
Sigma Software
 
Sigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software SecuritySigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software Security
Vlad Styran
 
CIA For WordPress Developers
CIA For WordPress DevelopersCIA For WordPress Developers
CIA For WordPress Developers
David Brumbaugh
 
Webinar - Developers Are Your Greatest AppSec Resource
Webinar - Developers Are Your Greatest AppSec ResourceWebinar - Developers Are Your Greatest AppSec Resource
Webinar - Developers Are Your Greatest AppSec Resource
Synopsys Software Integrity Group
 
Decoupled APIs through Microservices
Decoupled APIs through MicroservicesDecoupled APIs through Microservices
Decoupled APIs through Microservices
David Simons
 
Cyber Security in a Fully Mobile World
Cyber Security in a Fully Mobile WorldCyber Security in a Fully Mobile World
Cyber Security in a Fully Mobile World
University of Hertfordshire
 
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
lior mazor
 
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
The Cloud 9 - Threat & Solutions 2016 by Bobby DominguezThe Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
EC-Council
 
CognitiveClouds Customer Presentation
CognitiveClouds Customer PresentationCognitiveClouds Customer Presentation
CognitiveClouds Customer Presentation
Amit Ashwini
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSEC
Sean Whalen
 
CONFidence 2015: AppSec, the untrustable dev - Timur Khrotko
CONFidence 2015: AppSec, the untrustable dev - Timur KhrotkoCONFidence 2015: AppSec, the untrustable dev - Timur Khrotko
CONFidence 2015: AppSec, the untrustable dev - Timur Khrotko
PROIDEA
 
Security engineering 101 when good design & security work together
Security engineering 101  when good design & security work togetherSecurity engineering 101  when good design & security work together
Security engineering 101 when good design & security work together
Wendy Knox Everette
 

Similar to New Era of Software with modern Application Security (v0.6) (20)

So... you want to be a security consultant
So... you want to be a security consultant So... you want to be a security consultant
So... you want to be a security consultant
 
Nuno Job - what's next for software - ANDdigital tech summit
Nuno Job - what's next for software - ANDdigital tech summitNuno Job - what's next for software - ANDdigital tech summit
Nuno Job - what's next for software - ANDdigital tech summit
 
Compliance in the Era of Cloud
Compliance in the Era of CloudCompliance in the Era of Cloud
Compliance in the Era of Cloud
 
Getting UX Buy-in in an Enterprise Landscape
Getting UX Buy-in in an Enterprise LandscapeGetting UX Buy-in in an Enterprise Landscape
Getting UX Buy-in in an Enterprise Landscape
 
Matic technology website development and digital marketing company
Matic technology   website development and digital marketing companyMatic technology   website development and digital marketing company
Matic technology website development and digital marketing company
 
A Career in Software Engineering
A Career in Software EngineeringA Career in Software Engineering
A Career in Software Engineering
 
Decoupled APIs through microservices
Decoupled APIs through microservicesDecoupled APIs through microservices
Decoupled APIs through microservices
 
HIS 2017 Paul Sherwood- towards trustable software
HIS 2017 Paul Sherwood- towards trustable software HIS 2017 Paul Sherwood- towards trustable software
HIS 2017 Paul Sherwood- towards trustable software
 
Гірка правда про безпеку програмного забезпечення, Володимир Стиран
Гірка правда про безпеку програмного забезпечення, Володимир СтиранГірка правда про безпеку програмного забезпечення, Володимир Стиран
Гірка правда про безпеку програмного забезпечення, Володимир Стиран
 
Sigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software SecuritySigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software Security
 
CIA For WordPress Developers
CIA For WordPress DevelopersCIA For WordPress Developers
CIA For WordPress Developers
 
Webinar - Developers Are Your Greatest AppSec Resource
Webinar - Developers Are Your Greatest AppSec ResourceWebinar - Developers Are Your Greatest AppSec Resource
Webinar - Developers Are Your Greatest AppSec Resource
 
Decoupled APIs through Microservices
Decoupled APIs through MicroservicesDecoupled APIs through Microservices
Decoupled APIs through Microservices
 
Cyber Security in a Fully Mobile World
Cyber Security in a Fully Mobile WorldCyber Security in a Fully Mobile World
Cyber Security in a Fully Mobile World
 
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
 
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
The Cloud 9 - Threat & Solutions 2016 by Bobby DominguezThe Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
 
CognitiveClouds Customer Presentation
CognitiveClouds Customer PresentationCognitiveClouds Customer Presentation
CognitiveClouds Customer Presentation
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSEC
 
CONFidence 2015: AppSec, the untrustable dev - Timur Khrotko
CONFidence 2015: AppSec, the untrustable dev - Timur KhrotkoCONFidence 2015: AppSec, the untrustable dev - Timur Khrotko
CONFidence 2015: AppSec, the untrustable dev - Timur Khrotko
 
Security engineering 101 when good design & security work together
Security engineering 101  when good design & security work togetherSecurity engineering 101  when good design & security work together
Security engineering 101 when good design & security work together
 

More from Dinis Cruz

Glasswall - Safety and Integrity Through Trusted Files
Glasswall - Safety and Integrity Through Trusted FilesGlasswall - Safety and Integrity Through Trusted Files
Glasswall - Safety and Integrity Through Trusted Files
Dinis Cruz
 
Glasswall - How to Prevent, Detect and React to Ransomware incidents
Glasswall - How to Prevent, Detect and React to Ransomware incidentsGlasswall - How to Prevent, Detect and React to Ransomware incidents
Glasswall - How to Prevent, Detect and React to Ransomware incidents
Dinis Cruz
 
The benefits of police and industry investigation - NPCC Conference
The benefits of police and industry investigation - NPCC ConferenceThe benefits of police and industry investigation - NPCC Conference
The benefits of police and industry investigation - NPCC Conference
Dinis Cruz
 
Serverless Security Workflows - cyber talks - 19th nov 2019
Serverless  Security Workflows - cyber talks - 19th nov 2019Serverless  Security Workflows - cyber talks - 19th nov 2019
Serverless Security Workflows - cyber talks - 19th nov 2019
Dinis Cruz
 
Modern security using graphs, automation and data science
Modern security using graphs, automation and data scienceModern security using graphs, automation and data science
Modern security using graphs, automation and data science
Dinis Cruz
 
Using Wardley Maps to Understand Security's Landscape and Strategy
Using Wardley Maps to Understand Security's Landscape and StrategyUsing Wardley Maps to Understand Security's Landscape and Strategy
Using Wardley Maps to Understand Security's Landscape and Strategy
Dinis Cruz
 
Dinis Cruz (CV) - CISO and Transformation Agent v1.2
Dinis Cruz (CV) - CISO and Transformation Agent v1.2Dinis Cruz (CV) - CISO and Transformation Agent v1.2
Dinis Cruz (CV) - CISO and Transformation Agent v1.2
Dinis Cruz
 
Making fact based decisions and 4 board decisions (Oct 2019)
Making fact based decisions and 4 board decisions (Oct 2019)Making fact based decisions and 4 board decisions (Oct 2019)
Making fact based decisions and 4 board decisions (Oct 2019)
Dinis Cruz
 
CISO Application presentation - Babylon health security
CISO Application presentation - Babylon health securityCISO Application presentation - Babylon health security
CISO Application presentation - Babylon health security
Dinis Cruz
 
Using OWASP Security Bot (OSBot) to make Fact Based Security Decisions
Using OWASP Security Bot (OSBot) to make Fact Based Security DecisionsUsing OWASP Security Bot (OSBot) to make Fact Based Security Decisions
Using OWASP Security Bot (OSBot) to make Fact Based Security Decisions
Dinis Cruz
 
GSBot Commands (Slack Bot used to access Jira data)
GSBot Commands (Slack Bot used to access Jira data)GSBot Commands (Slack Bot used to access Jira data)
GSBot Commands (Slack Bot used to access Jira data)
Dinis Cruz
 
(OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6
(OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6 (OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6
(OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6
Dinis Cruz
 
OSBot - Data transformation workflow (from GSheet to Jupyter)
OSBot - Data transformation workflow (from GSheet to Jupyter)OSBot - Data transformation workflow (from GSheet to Jupyter)
OSBot - Data transformation workflow (from GSheet to Jupyter)
Dinis Cruz
 
Jira schemas - Open Security Summit (Working Session 21th May 2019)
Jira schemas  - Open Security Summit (Working Session 21th May 2019)Jira schemas  - Open Security Summit (Working Session 21th May 2019)
Jira schemas - Open Security Summit (Working Session 21th May 2019)
Dinis Cruz
 
Template for "Sharing anonymised risk theme dashboards v0.8"
Template for "Sharing anonymised risk theme dashboards v0.8"Template for "Sharing anonymised risk theme dashboards v0.8"
Template for "Sharing anonymised risk theme dashboards v0.8"
Dinis Cruz
 
Owasp and summits (may 2019)
Owasp and summits (may 2019)Owasp and summits (may 2019)
Owasp and summits (may 2019)
Dinis Cruz
 
Creating a graph based security organisation - Apr 2019 (OWASP London chapter...
Creating a graph based security organisation - Apr 2019 (OWASP London chapter...Creating a graph based security organisation - Apr 2019 (OWASP London chapter...
Creating a graph based security organisation - Apr 2019 (OWASP London chapter...
Dinis Cruz
 
Open security summit 2019 owasp london 25th feb
Open security summit 2019   owasp london 25th febOpen security summit 2019   owasp london 25th feb
Open security summit 2019 owasp london 25th feb
Dinis Cruz
 
Owasp summit 2019 - OWASP London 25th feb
Owasp summit 2019  - OWASP London 25th febOwasp summit 2019  - OWASP London 25th feb
Owasp summit 2019 - OWASP London 25th feb
Dinis Cruz
 
Evolving challenges for modern enterprise architectures in the age of APIs
Evolving challenges for modern enterprise architectures in the age of APIsEvolving challenges for modern enterprise architectures in the age of APIs
Evolving challenges for modern enterprise architectures in the age of APIs
Dinis Cruz
 

More from Dinis Cruz (20)

Glasswall - Safety and Integrity Through Trusted Files
Glasswall - Safety and Integrity Through Trusted FilesGlasswall - Safety and Integrity Through Trusted Files
Glasswall - Safety and Integrity Through Trusted Files
 
Glasswall - How to Prevent, Detect and React to Ransomware incidents
Glasswall - How to Prevent, Detect and React to Ransomware incidentsGlasswall - How to Prevent, Detect and React to Ransomware incidents
Glasswall - How to Prevent, Detect and React to Ransomware incidents
 
The benefits of police and industry investigation - NPCC Conference
The benefits of police and industry investigation - NPCC ConferenceThe benefits of police and industry investigation - NPCC Conference
The benefits of police and industry investigation - NPCC Conference
 
Serverless Security Workflows - cyber talks - 19th nov 2019
Serverless  Security Workflows - cyber talks - 19th nov 2019Serverless  Security Workflows - cyber talks - 19th nov 2019
Serverless Security Workflows - cyber talks - 19th nov 2019
 
Modern security using graphs, automation and data science
Modern security using graphs, automation and data scienceModern security using graphs, automation and data science
Modern security using graphs, automation and data science
 
Using Wardley Maps to Understand Security's Landscape and Strategy
Using Wardley Maps to Understand Security's Landscape and StrategyUsing Wardley Maps to Understand Security's Landscape and Strategy
Using Wardley Maps to Understand Security's Landscape and Strategy
 
Dinis Cruz (CV) - CISO and Transformation Agent v1.2
Dinis Cruz (CV) - CISO and Transformation Agent v1.2Dinis Cruz (CV) - CISO and Transformation Agent v1.2
Dinis Cruz (CV) - CISO and Transformation Agent v1.2
 
Making fact based decisions and 4 board decisions (Oct 2019)
Making fact based decisions and 4 board decisions (Oct 2019)Making fact based decisions and 4 board decisions (Oct 2019)
Making fact based decisions and 4 board decisions (Oct 2019)
 
CISO Application presentation - Babylon health security
CISO Application presentation - Babylon health securityCISO Application presentation - Babylon health security
CISO Application presentation - Babylon health security
 
Using OWASP Security Bot (OSBot) to make Fact Based Security Decisions
Using OWASP Security Bot (OSBot) to make Fact Based Security DecisionsUsing OWASP Security Bot (OSBot) to make Fact Based Security Decisions
Using OWASP Security Bot (OSBot) to make Fact Based Security Decisions
 
GSBot Commands (Slack Bot used to access Jira data)
GSBot Commands (Slack Bot used to access Jira data)GSBot Commands (Slack Bot used to access Jira data)
GSBot Commands (Slack Bot used to access Jira data)
 
(OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6
(OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6 (OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6
(OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6
 
OSBot - Data transformation workflow (from GSheet to Jupyter)
OSBot - Data transformation workflow (from GSheet to Jupyter)OSBot - Data transformation workflow (from GSheet to Jupyter)
OSBot - Data transformation workflow (from GSheet to Jupyter)
 
Jira schemas - Open Security Summit (Working Session 21th May 2019)
Jira schemas  - Open Security Summit (Working Session 21th May 2019)Jira schemas  - Open Security Summit (Working Session 21th May 2019)
Jira schemas - Open Security Summit (Working Session 21th May 2019)
 
Template for "Sharing anonymised risk theme dashboards v0.8"
Template for "Sharing anonymised risk theme dashboards v0.8"Template for "Sharing anonymised risk theme dashboards v0.8"
Template for "Sharing anonymised risk theme dashboards v0.8"
 
Owasp and summits (may 2019)
Owasp and summits (may 2019)Owasp and summits (may 2019)
Owasp and summits (may 2019)
 
Creating a graph based security organisation - Apr 2019 (OWASP London chapter...
Creating a graph based security organisation - Apr 2019 (OWASP London chapter...Creating a graph based security organisation - Apr 2019 (OWASP London chapter...
Creating a graph based security organisation - Apr 2019 (OWASP London chapter...
 
Open security summit 2019 owasp london 25th feb
Open security summit 2019   owasp london 25th febOpen security summit 2019   owasp london 25th feb
Open security summit 2019 owasp london 25th feb
 
Owasp summit 2019 - OWASP London 25th feb
Owasp summit 2019  - OWASP London 25th febOwasp summit 2019  - OWASP London 25th feb
Owasp summit 2019 - OWASP London 25th feb
 
Evolving challenges for modern enterprise architectures in the age of APIs
Evolving challenges for modern enterprise architectures in the age of APIsEvolving challenges for modern enterprise architectures in the age of APIs
Evolving challenges for modern enterprise architectures in the age of APIs
 

Recently uploaded

First Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User EndpointsFirst Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User Endpoints
Globus
 
Graphic Design Crash Course for beginners
Graphic Design Crash Course for beginnersGraphic Design Crash Course for beginners
Graphic Design Crash Course for beginners
e20449
 
A Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdfA Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdf
kalichargn70th171
 
Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024
Paco van Beckhoven
 
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Anthony Dahanne
 
Corporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMSCorporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMS
Tendenci - The Open Source AMS (Association Management Software)
 
Into the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdfInto the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdf
Ortus Solutions, Corp
 
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdf
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdfEnhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdf
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdf
Jay Das
 
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume MontevideoVitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke
 
top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownload
vrstrong314
 
Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024
Globus
 
How Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptxHow Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptx
wottaspaceseo
 
Enhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdfEnhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdf
Globus
 
Lecture 1 Introduction to games development
Lecture 1 Introduction to games developmentLecture 1 Introduction to games development
Lecture 1 Introduction to games development
abdulrafaychaudhry
 
Enterprise Resource Planning System in Telangana
Enterprise Resource Planning System in TelanganaEnterprise Resource Planning System in Telangana
Enterprise Resource Planning System in Telangana
NYGGS Automation Suite
 
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisProviding Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Globus
 
Accelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with PlatformlessAccelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with Platformless
WSO2
 
Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...
Globus
 
Using IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New ZealandUsing IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New Zealand
IES VE
 
2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx
Georgi Kodinov
 

Recently uploaded (20)

First Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User EndpointsFirst Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User Endpoints
 
Graphic Design Crash Course for beginners
Graphic Design Crash Course for beginnersGraphic Design Crash Course for beginners
Graphic Design Crash Course for beginners
 
A Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdfA Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdf
 
Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024
 
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
 
Corporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMSCorporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMS
 
Into the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdfInto the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdf
 
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdf
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdfEnhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdf
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdf
 
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume MontevideoVitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume Montevideo
 
top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownload
 
Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024
 
How Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptxHow Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptx
 
Enhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdfEnhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdf
 
Lecture 1 Introduction to games development
Lecture 1 Introduction to games developmentLecture 1 Introduction to games development
Lecture 1 Introduction to games development
 
Enterprise Resource Planning System in Telangana
Enterprise Resource Planning System in TelanganaEnterprise Resource Planning System in Telangana
Enterprise Resource Planning System in Telangana
 
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisProviding Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
 
Accelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with PlatformlessAccelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with Platformless
 
Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...
 
Using IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New ZealandUsing IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New Zealand
 
2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx
 

New Era of Software with modern Application Security (v0.6)

  • 1. N E W E R A O F S O F T WA R E W I T H M O D E R N A P P L I C AT I O N S E C U R I T Y V E R S I O N 0 . 6 ( 2 7 / F E B / 2 0 1 6 ) O WA S P L O N D O N C H A P T E R @ D I N I S C R U Z
  • 2. @ D I N I S C R U Z • Developer for 25 years • AppSec for 13 years • Leader OWASP O2 Platform project • Head of Application Security at The Hut Group • Application Security Training for JBI Training • http://blog.diniscruz.com/ • https://www.linkedin.com/in/ diniscruz
  • 3. Q U A L I T Y
  • 4. Software Craftsmanship is about Software Quality
  • 5. a big problem with the Craftsmanship (and testing) community is:
 
 ‘How to define Quality?’
  • 6. Everybody knows that Quality is key … but … ‘how to measure Quality?’
  • 7. My thesis is that Application Security can be used to 
 define and measure Quality
  • 8. Application Security is all about the non-functional requirements of software* * software = apps, websites, web services, apis, tools, build scripts = code
  • 9. Application Security is all about understanding HOW the software work * vs how software behaves
  • 10. Using Application Security 
 
 I can measure the quality of software
  • 11. Because Application Security 
 
 measures the unintended side effects of coding
  • 12. W R I T I N G S E C U R E C O D E M Y T H
  • 13. “If only software developers had security knowledge they would be able write secure code”
  • 14. This is a myth because secure code has very little to do with developer’s skills and craftsmanship
  • 15. Software security (or insecurity) is a consequence of the Software development environment 
 
 (namely the business and managers focus)
  • 16. And I know that this is a myth because I cannot write ‘secure code’ 
 
 when I’m programming
  • 17. T H E P O L L U T I O N A N A L O G Y
  • 18. T E C H N I C A L D E B T I S A B A D A N A L O G Y • The developers are the ones who pays the debt • Population is a much better analogy • The key is to make the business accept the risk (i.e the debt)
  • 19. L E T ’ S H A C K ( A L I T T L E B I T ) 
 H T T P : / / M A N I F E S T O . S O F T WA R E C R A F T S M A N S H I P. O R G / Demo
  • 20. C U R R E N T S TAT E O F A P P L I C AT I O N I N S E C U R I T Y
  • 21. How secure is your code?
  • 22. How insecure is your code? How many risks/vulnerabilities are you aware of?
  • 23. J I R A R I S K W O R K F L O W http://blog.diniscruz.com/2015/12/jira-workflows-for-handing-appsec-risks.html
  • 24. K E Y C O N C E P T S O F T H I S W O R K F L O W • All tests should pass all the time • Tests that check/confirm vulnerabilities should also pass • The key to make this work is to: 
 
 Make business owners understand the risks of their decisions (and click on the ‘accept risk’ button)
  • 25. You have to make sure that it is your boss that gets fired
  • 26. … he/she should make sure that it is his/hers boss that gets fired …
  • 27. … all the way to the CTO (i.e. Board level responsibility)
  • 28. S E N I O R M A N A G E M E N T O V E R S I G H T • ‘Security Memo’ (from God) • Incident response plans • Emergency response exercises (can you detect them?) • Cyber Insurance • Enterprise Cyber Risk management • Which C-level executive will get fired?
  • 29. D O E S Y O U R C O M PA N Y / T E A M H AV E : • AppSec team/person • Security Champion • Secure coding standards • Threat Models • OWASP contributors • Secure code reviews
  • 30. If your answer was not YES to all of them... then 
 
 Your Application WILL have a high number of Security Vulnerabilities
  • 31. W H Y D O A P P L I C AT I O N S E C U R I T Y ?
  • 32. Because you care about: 
 your users
 good engineering your application your company
  • 33. You have been lucky so far due to lack of commercially focused attackers
  • 34. This has been a Blessing and Curse
  • 35. You are making an Hedged bet
  • 36. the Security of your code vs Skill and motivation of attacks will not change in next 2 years Your hedge bet is that :
  • 37. Most of you are creating the perfect storm ….
  • 39. A large % of your apps users will have malware on their box
  • 40. You are as secure as your most unexperienced developer
  • 41. W H O I S AT TA C K I N G Y O U
  • 42. I F T H E AT TA C K E R T E L L S Y O U A B O U T T H E AT TA C K
  • 43. Y O U S H O U L D T H A N K T H E M
  • 44. The dangerous ones are the commercially focused criminals
  • 45. It’s all about the money
  • 46. … to hack you …
  • 47.
  • 49. How much it cost to be an ‘internal user’
  • 50. 100% Anti-virus non detection guarantee
  • 51. But the credit cards were protected
  • 52. R U S S I A N H A C K E R S M O V E D R U B L E R AT E W I T H M A LWA R E http://www.bloomberg.com/news/articles/2016-02-08/russian-hackers-moved-currency-rate-with-malware-group-ib-says
  • 53. I T I S I N T H E B I L L I O N S • The real criminals are running highly professional companies, with high quality software Development, Testing, QA, AB testing, etc…
  • 54. N E W G E N E R AT I O N O F A P P L I C AT I O N S E C U R I T Y T H I N K I N G
  • 55. • TDD • Docker • Test Automation • Static Analysis • cleaver Fuzzing • JIRA Risk workflows • Kanban • micro web services visualization, and • ELK
  • 56. W E H AV E S O L U T I O N S
  • 57. O WA S P ! ! ! !
  • 58. T I P S F O R B U I L D I N G A M O D E R N S E C U R I T Y E N G I N E E R I N G O R G A N I Z AT I O N • https://georgianpartners.com/tips-for-building-a-modern-security- engineering-organization
  • 59. H O W T O B U I L D S E C U R E W E B A P P L I C AT I O N • http://blog.knoldus.com/2016/02/03/how-to-build-secure-web- application/
  • 60. R E A L W O R L D M U TAT I O N T E S T I N G • http://pitest.org/
  • 61. S E C U R I T Y D E V E L O P M E N T L I F E C Y C L E • https://www.microsoft.com/en-us/sdl/process/design.aspx
  • 62. S P O T I F Y E N G I N E E R I N G C U LT U R E - PA R T 1 • https://labs.spotify.com/2014/03/27/spotify-engineering-culture- part-1/ • https://spotifylabscom.files.wordpress.com/2014/03/spotify- engineering-culture-part1.jpeg
  • 63. S P O T I F Y E N G I N E E R I N G C U LT U R E - PA R T 2 • https://labs.spotify.com/2014/09/20/spotify-engineering-culture- part-2/ • https://spotifylabscom.files.wordpress.com/2014/09/spotify- engineering-culture-part2.jpeg
  • 64. F I N A L T H O U G H T S
  • 65. U N W R I T T E N R U L E S O F A P I S “Every API is destined to be connected to the internet”
  • 66. U N W R I T T E N R U L E S O F A P I S “All API data wants to be exposed in a Web Page”
  • 67. “Would you fly in a plane that has the code quality of your APIs”