OWASP-SKF Making the web secure by design - Glenn ten Cate - Codemotion Amsterdam 2016

•

0 likes•6,771 views

Education is the first step in the Secure Software Development Lifecycle. The free OWASP Security Knowledge Framework (SKF) is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. This talk will help you as a developer to become THE Neo of your development team. We will show how you can do security by design and introduce other quality gates into your development pipeline to ensure high end quality and security of your project.

Technology

Glenn ten Cate
Twitter:
@FooBar_testing_
Riccardo ten Cate
Twitter:
@RiieCco
2

Agenda
• Why?
• Software (AND Security) development life cycle
3
Developer, you are the one
3

Agenda
• Why?
• Software (AND Security) development life cycle
4
Coding mistakes, déjà vu.
4

Agenda
• Why?
• Software (AND Security) development life cycle
5
Barely hanging on …
5

Agenda
• Why?
• Software (AND Security) development life cycle
6
But there is always an option!
6

Agenda
• Why?
• Software (AND Security) development life cycle
7
There are ways to learn!
7

• Worldwide not-for-profit charitable.
• Our mission is to make software security visible, so that
individuals and organizations worldwide can make
informed decisions about true software security risks.
8

Agenda
• Why?
• Software (AND Security) development life cycle
9
Be responsible for your code.
9

Verify your code
• ASVS lvl1 Opportunistic
It adequately defends against application security vulnerabilities
that are easy to discover.
• ASVS lvl2 Standard
It adequately defends against prevalent application security
vulnerabilities whose existence poses moderate-to-serious risk.
• ASVS lvl3 Advanced
It adequately defends against all advanced application security
vulnerabilities, and also demonstrates principles of good security
design.
10

What is S.K.F
• Guide to secure programming
By adapting your design to security, not securing your design
• Security awareness
It informs you about threats even before you wrote a single line of
code.
• Clear and transparent
Provides information applicable for your specific needs on the spot.
11

Agenda
• Why?
• Software (AND Security) development life cycle
12
And now the blind dev can see.
12

Agenda
• Why?
• Software (AND Security) development life cycle
14
You know this, you are ready.
14

SDLC MANUAL
• OWASP-SKF
• Software Development Life Cycle
• Code review
• SAST
• DAST
15

SDLC CI
• OWASP-SKF
• Software Development Life Cycle
• Travis CI
• Coveralls CI
• Scrutinizer CI
16

Agenda
• Why?
• Software (AND Security) development life cycle
17
GitHub
• https://github.com/blabla1337/skf-flask
17

Agenda
• Why?
• Software (AND Security) development life cycle
18
You have the skills …
18

Agenda
• Why?
• Software (AND Security) development life cycle
19
… you are the one.
19

Getting involved?
• OWASP
https://www.owasp.org/index.php/OWASP_Security_Knowledge_Fr
amework
• Website
https://secureby.design
Together we can make it big, strong and helpful!
20

Agenda
• Why?
• Software (AND Security) development life cycle
21
You are only as strong as the
weakest developer in your team.
21

Tired of having users email you that your web application is broken? Turns out that building reliable web applications is hard and requires a lot of testing. You can write unit tests but quite often these all pass and the application is still broken. Why? Because they test parts of the application in isolation. But for a reliable application we need more. We need to make sure that all parts work together as intended. Cypress is a great tool to achieve this. It will test you complete web application in the browser and use it like a real user would. In this session Maurice will show you how to use Cypress during development and on the CI server. He will share tips and tricks to make your tests more resilient and more like how an actual end user would behave.

Zero to Ninety in Securing DevOps

DevSecOps Days

Delivered at DevSecOps Days 2018, RSA Conference j. Wolfgang Goerlich About J. Wolfgang Goerlich About J Wolfgang Goerlich CBI (Creative Breakthroughs, Inc.) Cyber Security Strategist J Wolfgang Goerlich provides strategic guidance for securing development and DevOps programs in the healthcare, education, financial services, and energy. He is currently with CBI, a cyber security consultancy, as the VP for strategic security programs. Wolfgang also leads the CBI Academy teams, providing mentoring and coaching to the junior-level talent. Prior roles included VP for a managed security services provider, VP for an IT firm specializing in high speed high secure networks, and IT security officer and manager for a financial services firm. He is an active part of the security community; co-founding the Converge Detroit and organizing the BSides Detroit conferences. Wolfgang regularly advises on and presents on the topics of secure development life cycle, DevOps, risk management, incident response, business continuity, and more.

DevOps or DevSecOps

Michelangelo van Dam

In 2009 Patrick Dubois coined the term "DevOps" when he organised the first "DevOpsDays" In Ghent, Belgium. Since then the term has become a term to explain the collaboration between all organisational stakeholders in IT projects (developers, operations, QA, marketing, security, legal, …) to deliver high quality, reliable solutions where issues are tackled early on in the value stream. But reality shows that many businesses that implement "DevOps" are actually talking about a collaboration between development, QA and operations (DQO). Solutions are being provided but lack the security and/or legal regulations causing hard-to-fix problems in production environments. In this talk I will explain how the original idea of Patrick to include all stakeholders got reduced to development, QA and operations and why it's so difficult to apply security or compliance improvements in this model. I will also talk about ways to make the DQO model welcoming for security experts and legal teams and why "DevSecOps" is now the term to be used to ensure security is no longer omitted from the value process. Finally we'll have a vote if we keep the term "DevOps" as an all-inclusive representation for all stakeholders or if we need to start using "DevSecOps" to ensure the business understands can no longer ignore the importance of security.

Adversary Driven Defense in the Real World

James Wickett

DevSecOps and the CI/CD Pipeline

James Wickett

All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table. Presented at OWASP NoVA, Sept 25th, 2018

DeadDropSF - Better Red Than Dead

Rob Ragan

Tools, techniques, and war stories from the security researchers at Bishop Fox. Feel the power to brute-force subdomains, with accuracy, at the rate of the entire English dictionary in less than 90 seconds. Learn to fly the DangerDrone, a pentesting quadcopter that takes wireless hacking and remote code execution to the sky. And, most importantly, learn advanced red team techniques from the dark side. In this talk, we’ll share a few of our favorite stories from the frontlines as well as our choice of tools for reconnaissance, physical attacks, and evasion techniques. We’ll also demonstrate tools such as GoGoDNS, the Tastic RFID Thief, and, yes, even the Danger Drone. You’ll walk away with insight into how to be a better security professional and how to ensure you’re enabled to simulate the latest emerging threats.

ABN AMRO DevSecOps Journey

Derek E. Weeks

Scaling Rugged DevOps to Thousands of Applications - Panel Discussion

SeniorStoryteller

DevOps is a cultural shift for more and more organisations, bringing speed and innovation benefits that surpass other SDLC methods. But some of the principles of DevOps aren’t quite aligned with how companies of all sizes will need to incorporate and embed security into this shift. DevSecOps provides a path forward for the transformation and helps companies to shift security to the left so that everyone can take responsibility for it. While automating security testing is an obvious answer to secure applications in the code pipeline, that does not provide 100% coverage until security risks are fully mitigated. Fabian will talk about his journey in making DevSecOps a reality in an organisation. This talk will focus some of the lessons learnt - which includes implementing open source tools to help security team do their jobs better, hacking the culture, whitelisting services, reporting security defects. and also doing Red Team activities.

wannabe Cyberpunk; “I don’t know what I’m supposed to do.”

Moshiul Islam, CISSP, CISA, CFE

Continuous security: Bringing agility to the secure development lifecycle

Rogue Wave Software

Presented at AppSec California 2017. The fact that software development is moving towards agile methodologies and DevOps is a given, the question is: How do you transform processes and tools to get the biggest advantage? Using application security testing as an example, this talk cuts through all the news, research, and standards to define a holistic process for integrating Agile testing and feedback into development teams. The talk describes specific processes, automation techniques, and the smart selection of tools to help organizations produce more secure, OWASP-compliant code and free up development time to focus on features.

How to automate your DevSecOps successfully

Manuel Pistner

Service based apps using open source components and containers for continuous deployment in DevOp teams need to react fast and deploy often. With increasing complexity of software systems and the need for agility and flexibility the demand for security increases. These slides show an approach for DevSecOp automation and present the results of a survey about the current status of security automation in software development companies. If you want to see the resulting concept which was developed during the study, please contact me on linked in.

DevSecCon London 2017: Shift happens ... by Colin Domoney

DevSecCon

Outpost24 webinar - application security in a dev ops world-08-2018

Outpost24

As DevOps continue to advance, and agile development continues to be widely adopted, the latest OWASP top 10 list shows little to no movement at the top in terms of the most serious vulnerabilities affecting web applications. With a plethora of tools and information to help reduce application vulnerabilities and increase the level of security awareness in development team available, why do we still see web applications as a significant attack vector?

Dos and Don'ts of DevSecOps

Priyanka Aash

DevSecOps is a very loaded term and it includes many topics. Despite what some will lead you to believe, DevSecOps is not just an integration of security testing tools. Nor is it merely a focus on achieving security quality attributes on CI and CD. DevSecOps is beyond the automatizing security testing and there are common misconceptions and roadblocks on how you can establish it successfully. Learning Objectives: 1: Identify key principles of DevSecOps and see how it relates to DevOps principles. 2: Analyze common pitfalls and see where integration security takes part in DevSecOps. 3: Demonstrate how to do “Continuous Security” by using a lifecycle approach. (Source: RSA Conference USA 2018)

Security as Code: A DevSecOps Approach

VMware Tanzu

DevSecCon London 2017: when good containers go bad by Tim Mackey

DevSecCon

DevSecOps - The big picture

DevSecOpsSg

Hacker-powered Software Development

Assembla

DevSecOps: essential tooling to enable continuous security 2019-09-16

Rich Mills

RSAC DevSecOpsDays 2018 - We are all Equifax

Sonatype

Benefits of DevSecOps

Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS

DevSecOps for you Full Stack

Ron Nixon

DevSecCon London 2017: How far left do you want to go with security? by Javie...

DevSecCon

8 Tips for Deploying DevSecOps

Felicia Haggarty

Implementing DevOps in a Regulated Environment - DJ Schleen

SeniorStoryteller

How GitLab and HackerOne help organizations innovate faster without compromis...

HackerOne

Milano Chatbots Meetup - Vittorio Banfi - Bot Design - Codemotion Milan 2016

Codemotion

The Evolution of Asynchronous Javascript - Alessandro Cinelli - Codemotion Mi...

Codemotion

One of JavaScript’s strengths is how it handles asynchronous code. Async is one of the most important and often misunderstood part of Javascript or any other language. Async is hard because we, as human beings, can’t do two conscious actions at once and think about both of them at the same moment. In this talk we will see how asynchronous JavaScript evolved over the years. It all started with callbacks… and it landed on generators.

What's hot

DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...

Mohamed Nizzad

The Rise of DevSecOps - Fabian Lim - DevSecOpsSg

DevSecOpsSg

wannabe Cyberpunk; “I don’t know what I’m supposed to do.”

Moshiul Islam, CISSP, CISA, CFE

Continuous security: Bringing agility to the secure development lifecycle

Rogue Wave Software

How to automate your DevSecOps successfully

Manuel Pistner

DevSecCon London 2017: Shift happens ... by Colin Domoney

DevSecCon

Outpost24 webinar - application security in a dev ops world-08-2018

Outpost24

Dos and Don'ts of DevSecOps

Priyanka Aash

Security as Code: A DevSecOps Approach

VMware Tanzu

DevSecCon London 2017: when good containers go bad by Tim Mackey

DevSecCon

DevSecOps - The big picture

DevSecOpsSg

Hacker-powered Software Development

Assembla

DevSecOps: essential tooling to enable continuous security 2019-09-16

Rich Mills

RSAC DevSecOpsDays 2018 - We are all Equifax

Sonatype

Benefits of DevSecOps

Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS

DevSecOps for you Full Stack

Ron Nixon

DevSecCon London 2017: How far left do you want to go with security? by Javie...

DevSecCon

8 Tips for Deploying DevSecOps

Felicia Haggarty

Implementing DevOps in a Regulated Environment - DJ Schleen

SeniorStoryteller

How GitLab and HackerOne help organizations innovate faster without compromis...

HackerOne

What's hot (20)

DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...

The Rise of DevSecOps - Fabian Lim - DevSecOpsSg

wannabe Cyberpunk; “I don’t know what I’m supposed to do.”

Continuous security: Bringing agility to the secure development lifecycle

How to automate your DevSecOps successfully

DevSecCon London 2017: Shift happens ... by Colin Domoney

Outpost24 webinar - application security in a dev ops world-08-2018

Dos and Don'ts of DevSecOps

Security as Code: A DevSecOps Approach

DevSecCon London 2017: when good containers go bad by Tim Mackey

DevSecOps - The big picture

Hacker-powered Software Development

DevSecOps: essential tooling to enable continuous security 2019-09-16

RSAC DevSecOpsDays 2018 - We are all Equifax

Benefits of DevSecOps

DevSecOps for you Full Stack

DevSecCon London 2017: How far left do you want to go with security? by Javie...

8 Tips for Deploying DevSecOps

Implementing DevOps in a Regulated Environment - DJ Schleen

How GitLab and HackerOne help organizations innovate faster without compromis...

Viewers also liked

Milano Chatbots Meetup - Vittorio Banfi - Bot Design - Codemotion Milan 2016

Codemotion

The Evolution of Asynchronous Javascript - Alessandro Cinelli - Codemotion Mi...

Codemotion

Corporate Renewable Energy Procurement - Why and How

WRI India

How to Leverage Machine Learning (R, Hadoop, Spark, H2O) for Real Time Proces...

Codemotion

Big Data is key for innovation in many industries today. Large amounts of historical data are stored and analyzed in Hadoop, Spark or other clusters to find patterns, e.g. for predictive maintenance or cross-selling. However: How do you increase revenue or reduce risks in new transactions proactively? Stream processing is the solution to embed patterns into future actions in real-time. This session discusses and demos how machine learning and analytic models with R, Spark MLlib, H2O, etc. can be build and integrated into real-time event processing frameworks. The session focuses on live demos

Urban Legends: What You Code Makes You Who You Are - PJ Hagerty - Codemotion ...

Codemotion

If you were a carpenter, would your skills at building be more important than the tools you use to build? Skills, right? Tools are just a means to an end. So why do developers think the language they use defines the problems they solve? This talk will take a look at misconceptions across the board, some experiences, both positive and negative, people have had crossing barriers to new languages, and show some of the benefits thinking of one's self as a coder and not a "Ruby coder" or a "PHP dev" can have on being a better problem solver.

Staying Alive: Patterns for Failure Management From the Bottom of the Ocean -...

Codemotion

This talk uses the framework of technical SCUBA and rebreather diving to talk about patterns for failure management and how they can be applied towards engineering. It examines the ways that complex systems fail and challenges our heroism-based model of success which ignores consistent, uneventful execution. It also looks into different approaches to risk management and why the typical model that we depend on is not safe. You will walk away with an understanding of how failure cascades occur and how to protect your system and your team from failure.

App Dev in the Cloud: Not my circus, not my monkeys... - Eric D. Schabell - ...

Codemotion

When faced with all the hype around Cloud, most application developers are not really all that excited. Maybe you get that feeling that it isn't your problem, just leave me to my applications. Let me show you why, as an application developer, you can't ignore your Cloud stack anymore. We will examine your Cloud stack anxieties and provide you with a solutions to ease you into your first private PaaS on your own local machine that you can install in just minutes. Finally you will be given a myriad of examples to take home with you to take control of this circus and own the monkeys!

Universal JavaScript Web Applications with React - Luciano Mammino - Codemoti...

Codemotion

Since we started to see JS on the server side, the dream of developers has been to reduce the gap and the cost of switch between frontend/backend. Today with Node.js, React and a whole ecosystem of tools, this dream is becoming true! In this talk I am going to discuss about Universal (a.k.a. Isomorphic) JS and present some practical example regarding the major patterns related to routing, data retrieval and rendering. I will use Node, React, Webpack, Babel and React Router and give you a series of example to get you started easily with this new technology trend.

Fast Cars, Big Data - How Streaming Can Help Formula 1 - Tugdual Grall - Code...

Codemotion

Modern race cars produce lot of data, and all this in real time. In this presentation I will show you how data could be generated and used by various applications in the car, on the track or team head quarter. The demonstration will show how to move data using messaging systems like Apache Kafka, process the data using Apache Spark and use various storage technics: Distributed File System, NoSQL Database. This presentation is a great opportunity to see how to build a " near real time big data application". The code from this talk will be made available as open source.

Insights into Chatbot Development - Implementing Cross-Platform Chatbots - Ba...

Codemotion

Con te non ci lavoro - Francesco Fullone - Codemotion Rome 2017

Codemotion

Ogni azienda ha una serie di criteri, più o meno condivisibili, per la scelta dei collaboratori esterni con cui portare avanti progetti. Nel nostro caso questi criteri sono un risultato delle nostre passate esperienze lavorative, dei valori che abbiamo abbracciato e dell’approccio che ci aspettiamo di trovare nel suddetto collaboratore. Questo talk presenta una sorta di vademecum operativo utile a tutti i knowledge workers ed alle aziende che vogliono collaborare con loro.

Microservices and the Inverse Conway Manoeuvre - James Lewis - Codemotion Rom...

Codemotion

Go faster than your competitors. That’s the promise of microservices – deploy faster, scale faster, be more robust. It’s all about outcomes and the way your organisation is structured has a tremendous impact on those outcomes. it’s easy to say “Conway’s Law” and then move swiftly on. “But but but, but how?” In this talk James explores what we mean by business capabilities and how architecture and organisational design interact. He may even mention Isomorphism.

SUPPORTING REGIME FOR SMALL AND MEDIUM ENTERPRISES (“SMEs”) IN VIETNAM

Dr. Oliver Massmann

I just hacked your app! - Marcos Placona - Codemotion Rome 2017

Codemotion

Android security is nowhere near where it should be. I have been able to hack and get sensitive information from a few different apps and I’m just an amateur hacker at best. It’s easy to forget mobile devices aren’t as safe as we think they are. In this session we will explore a number of ways an Android app can be exploited and methods we can use to avoid these attacks. We will finish by looking at common techniques that will help you protect sensitive information within your application by adding tampering detection and making sure every external communication request is made securely.

Progressive Web Apps: trick or real magic? - Maurizio Mangione - Codemotion M...

Codemotion

Con il passare del tempo i siti e le applicazioni diventano sempre più pesanti e gli utenti consumano i loro contenuti prevalentemente attraverso dispositivi mobile. Due cose che non vanno certo d'accordo. Rendere le applicazioni performanti è un compito difficile soprattutto quando ci sono variabili che non possiamo controllare, come la connessione. I Service Worker e altre tecniche che stanno dietro le Progressive Web Apps possono essere una risposta concreta a questo problema.

Boxcars and Cabooses: When one more XHR is too much - Peter Chittum - Codemot...

Codemotion

RESTful APIs have simplified backend access providing clean URL-based resource representations using standard HTTP methods. But growth in the number of these APIs can lead to inefficiencies: if an app needs to access many of these resources at once, performance can bog down. 'Boxcarring' is the bundling together of multiple HTTP requests into one. For example, the client might bundle multiple requests into a single call. On the server, a RESTful API can accept a POST to multiple resources in one request. This talk will demonstrate both client and server side examples of boxcar requests.

Sinfonier: How I turned my grandmother into a data analyst - Fran J. Gomez - ...

Codemotion

More than a technology, Sinfonier is the logic evolution of real time processing systems. It's the combination of a visual programming language (Yahoo Pipes), a collaborative philosophy (community) and a framework for real-time processing (Apache Storm) made available to users. During years solutions that exploit information using batch processing techs. have been growing. Now it is time to bring this philosophy to the world of real-time processing. Sinfonier was born with a clear focus on solving problems related to cybersecurity but technology supports other aspects we'll show this.

If security is hard, you are doing it wrong - Fabio Locati - Codemotion Amste...

Codemotion

Knowledge is Power: Getting out of trouble by understanding Git - Steve Smith...

Codemotion

Git is rapidly taking over the development workplace. One of the downsides of high-level tools is that they can hide the details of what is happening under the hood; when things go wrong it can be hard to understand why git behaves the way it does. But at its core Git consists of a few simple concepts that, when understood, make it a much more intuitive tool. This talk introduces these core Git concepts and uses them to clarify some examples of seemingly counterintuitive behaviour. It also introduces some of Git's less-known features and tricks that are useful to have in your arsenal.

Living on the Edge (Service) - Mark Heckler - Codemotion Amsterdam 2016

Codemotion

Devices (phones, tablets, etc.) already consume most services/data, but they have to get those services somewhere! In this session, learn how to use proven patterns & open source software to quickly and effectively build edge services that marshal & streamline communication between your key services and end-users with devices in hand. The presenter will demonstrate how to develop & manage microservices & expose them via an edge service, securely, using OSS tools employed by Netflix to keep movies streaming globally 24x7.

Viewers also liked (20)