2. My vision
Security isn’t a miracle
There is no lack of “security testing”; there is a lack of “testing security”.
Traditional testing is more formalized, more manageable, and more difficult.
WHY?
4. OWASP SAMM
The Open Web Application Security Project Software Assurance Maturity Model
5. Postures
Evaluating an organization’s existing software security practices.
Building a balanced software security assurance program in well-defined iterations.
Demonstrating concrete improvements to a security assurance program.
Defining and measuring security-related activities throughout an organization.
6. Why do we need to use it?
Users:
Software development company
Enterprise
17. Case 4. XSS Example
<script>alert('ok');</script>
"'}})}}})});alert(ok'); window.addEventListener('load', function() { new Vue({ methods:{ filter:function(){$.ajax({data:{a:'"
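As an added defensive example (not part of the slides), here is how the Case 4 payloads stay inert when untrusted data is written into an inline script; the template shape, the function names and the naive "before" rendering are assumptions.

```javascript
// Added example, not from the original deck. Assumed template shape:
//   <script>var user = "<VALUE>";</script>
// where VALUE comes from the user. Two things must hold: the value cannot
// leave the JS string context (quotes, backslashes) and it cannot end the
// <script> element for the HTML parser ("</script>").

// Serialize a value as a JS literal that is safe inside an inline <script>.
// JSON.stringify escapes quotes and backslashes for the JS string context;
// the replacements turn "<" and ">" into \u003c / \u003e so "</script>"
// can no longer close the element, and U+2028/U+2029 are escaped because
// they terminate JS lines even though JSON allows them raw.
function toSafeScriptLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Hardened rendering: the literal is already quoted, so no manual quotes.
function renderInlineScript(untrusted) {
  return '<script>var user = ' + toSafeScriptLiteral(untrusted) + ';</script>';
}

// Naive rendering (the assumed vulnerable pattern): plain concatenation.
function renderUnsafe(untrusted) {
  return '<script>var user = "' + untrusted + '";</script>';
}

// Check helper: a correctly rendered page has exactly one opening and one
// closing script tag, whatever the input was.
function scriptTagCount(html) {
  return (html.match(/<\/?script/gi) || []).length;
}

// The two payloads shown on the Case 4 slide (constructed test inputs).
const PAYLOADS = [
  "<script>alert('ok');</script>",
  "\"'}})}}})});alert(ok'); window.addEventListener('load', function() { new Vue({ methods:{ filter:function(){$.ajax({data:{a:'\"",
];
```

Feeding both payloads through `renderUnsafe` and `renderInlineScript` and counting script tags shows the difference: the naive template yields extra tags or a broken string context, the hardened one always yields exactly two tags and a literal that round-trips to the original value.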
20. Case 5. HTTPS example
Requirement: Server and client should communicate via HTTP protocol.
Requirement: Server and client should communicate via HTTPS protocol.
Requirement: Server and client should communicate via HTTP in a way that excludes the disclosure of critical information.
22. Conclusions
Security really is not a miracle
Security testing is a part of global testing coverage
SAMM is a step from dedicated security testing to TMM and EAAF