Uploaded bydevObjective
360 views

Who owns Software Security

This document discusses software security and outlines a 4 step plan to improve it. It begins by recommending studying successful security initiatives at other companies. The second step is to inventory your own applications to understand what data and services they involve. The third step is to incorporate security practices into agile development processes and use tools to help scale this. The final step is to drive a security-focused culture change and have plans for incident response.

Embed presentation

Download to read offline
Who Owns Software Security? Tim Buntel @tbuntel
(obligatory)  About  Me   Smarter  in   the  City  
2010 2013 Injection1   Injection Broken Auth & Session Mgmt2   Cross Site Scripting (XSS) Cross Site Scripting (XSS) 3   Broken Auth & Session Mgmt Insecure Direct Obj References 4   Insecure Direct Obj References h2p://starwars.wikia.com/  
Applica<on  Security  Risks,  Frozen  in  Time     OWASP  Top  10  –  2010  (old)   OWASP  Top  10  –  2013  (New)   2010-­‐A1  –  InjecCon   2013-­‐A1  –  InjecCon   2010-­‐A2  –  Cross  Site  ScripCng  (XSS)   2013-­‐A2  –  Broken  AuthenCcaCon  and  Session  Management   2010-­‐A3  –  Broken  AuthenCcaCon  and  Session  Management   2013-­‐A3  –  Cross  Site  ScripCng  (XSS)   2010-­‐A4  –  Insecure  Direct  Object  References   2013-­‐A4  –  Insecure  Direct  Object  References   2010-­‐A5  –  Cross  Site  Request  Forgery  (CSRF)   2013-­‐A5  –  Security  MisconfiguraCon   2010-­‐A6  –  Security  MisconfiguraCon   2013-­‐A6  –  SensiCve  Data  Exposure   2010-­‐A7  –  Insecure  Cryptographic  Storage   2013-­‐A7  –  Missing  FuncCon  Level  Access  Control   2010-­‐A8  –  Failure  to  Restrict  URL  Access   2013-­‐A8  –    Cross-­‐Site  Request  Forgery  (CSRF)   2010-­‐A9  –  Insufficient  Transport  Layer  ProtecCon   2013-­‐A9  –  Using  Known  Vulnerable  Components  (NEW)   2010-­‐A10  –  Unvalidated  Redirects  and  Forwards  (NEW)   2013-­‐A10  –  Unvalidated  Redirects  and  Forwards   3  Primary  Changes:   §  Merged:  2010-­‐A7  and  2010-­‐A9  -­‐>  2013-­‐A6   §  Added  New  2013-­‐A9:  Using  Known  Vulnerable  Components   §  2010-­‐A8  broadened  to  2013-­‐A7   renamed   combined  
BIG PROBLEM? At least 1Billion records of PII were leaked in 2014
Still! Breaches by SQLi into 2015 3rd most common attack type (after DDoS and Malware)
Do you scan your apps for cybersecurity vulnerabilities before making them available? No   40%   How much do you budget towards securing mobile apps built for customers? $0  
FIX THE DAMNED SOFTWARE!
“It seems that application security is just not considered to be as important as network security, even though vulnerabilities in applications are consistently being exploited by hackers of all types in order to access network resources and data.” Michael Cobb in SearchSecurity
Why? Time  to  market   Training   Cost   Tools   Agile  
Time to Market Duh. Are You Under Pressure to Release New Applications Faster, and Why? Yes, Customer demand Yes, Competitive actions Yes, Revenue shortfalls No Sorry, I was just f*&%ing with you, it’s YES 60%   60%   19%   6%   6%  
Training? What Training? No "secure development lifecycle" in the vast majority of universities' degree program How many years of software development experience do you have? >12 years! 34% 4-12 years! 30% How much previous application security training have you received? None 30% <1 day 20% >3 days 25% 1-3 days 25%
No Tools?
Problematic Tools $$   “Security Team” vs  
New Tools? •  Endpoint profiling •  Endpoint forensics •  Network forensics •  “Secure” platforms
LOCK THE DAMNED DOOR!
Agile? h2p://www.expertprogrammanagement.com/   Pen Testing DAST Enterprise SAST Network protection
But I don’t have anything worth hacking! PII VC$ Consulting   Acquisition  
But enough about the problems… The Quality Metaphor
QA Quality Then
Quality Today •  Patterns, frameworks, and good design •  Do it early, do it often (and automate it) •  High quality people make high quality software •  It’s everyone’s responsibility Doing it right is actually quicker in the end!
GOOD SOFTWARE IS SECURE. SECURE SOFTWARE IS GOOD SOFTWARE.  
Your  4  Step  Plan!  YOUR 4 STEP PLAN   1. Study successes 2. Inventory yourself 3. Make it agile 4. Drive the culture
Describes software security initiatives at 67 well- known companies https://www.bsimm.com 1 Study Successes  
112 activities organized in twelve practices 1
1 Study Successes   •  Java •  Node •  Rails •  .NET failures
Know your stack! Your Code Frameworks Languages Third Party Services OSS “Technical  debt”   2
Know your app •  Store a password •  Login a user •  Upload a photo •  Display user contributed content •  Concatenate strings •  What’s secret? Credentials for DB access, machine accts, etc. – “Principle of Least Privilege” What data is moving where? 2
Agile Quality == Agile Security Add security to your “definition of done” 3
Tools (help) scale the process “Incorporate static analysis into the code review process in order to make code review more efficient and more consistent.” 3 IDE’s with “checkers” “Near-real- time” tools Build tools IntelliJ Klocwork, Codiscope, Coverity Brakeman
Culture; the toughest part 1.  Even a little security is better than none. Don't wait for a “big initiative” 2.  Don’t make security a “special event” 3.  Get trained! Train Champions. 4.  Have a plan for when something does go wrong 4
GOOD SOFTWARE IS SECURE. SECURE SOFTWARE IS GOOD SOFTWARE.  
Thanks! tim@buntel.com @tbuntel www.codiscope.com

More Related Content

PPTX
Allianz Global CISO october-2015-draft
byEoin Keary
 
PPTX
Practical Secure Coding Workshop - {DECIPHER} Hackathon
byStefan Streichsbier
 
PDF
DevSecCon Asia 2017 Pishu Mahtani: Adversarial Modelling
byDevSecCon
 
PPTX
Skillful scalefull fullstack security in a state of constant flux
byEoin Keary
 
PPTX
We cant hack ourselves secure
byEoin Keary
 
PPTX
The Teams Behind DevSecOps
byUleska
 
PDF
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
byDenim Group
 
PDF
Threat Modeling for the Internet of Things
byEric Vétillard
 
Allianz Global CISO october-2015-draft
byEoin Keary
 
Practical Secure Coding Workshop - {DECIPHER} Hackathon
byStefan Streichsbier
 
DevSecCon Asia 2017 Pishu Mahtani: Adversarial Modelling
byDevSecCon
 
Skillful scalefull fullstack security in a state of constant flux
byEoin Keary
 
We cant hack ourselves secure
byEoin Keary
 
The Teams Behind DevSecOps
byUleska
 
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
byDenim Group
 
Threat Modeling for the Internet of Things
byEric Vétillard
 

What's hot

PDF
Using threat models to control project brief
byDinis Cruz
 
PPTX
DevSecOps without DevOps is Just Security
byKevin Fealey
 
PPTX
Building an AppSec Team Extended Cut
byMike Spaulding
 
PPTX
What? Why? Who? How? Of Application Security Testing
byTEST Huddle
 
PDF
Owasp top 10 2017 (en)
byPrashantDhakol
 
PDF
Evil User Stories - Improve Your Application Security
byAnne Oikarinen
 
PPTX
Building a Mobile Security Program
byDenim Group
 
PDF
Collaborative security : Securing open source software
byPriyanka Aash
 
PDF
DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...
byDevSecCon
 
PDF
Securing 100 products - How hard can it be?
byPriyanka Aash
 
PDF
Oliver Schuermann - Integrated Software in Networking - the Mystery of SDN
bycentralohioissa
 
PDF
Map camp - Why context is your crown jewels (Wardley Maps and Threat Modeling)
byDinis Cruz
 
PDF
Threat Modeling Everything
byAnne Oikarinen
 
PDF
The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
byDenim Group
 
PPTX
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
byMobodexter
 
PDF
Renato Rodrigues - Security in the wild
byDevSecCon
 
PPTX
Why 'positive security' is a software security game changer
byJaap Karan Singh
 
PPTX
Continuous security testing - sharing responsibility
byVodqaBLR
 
PPTX
How an Attacker "Audits" Your Software Systems
bySecurity Innovation
 
Using threat models to control project brief
byDinis Cruz
 
DevSecOps without DevOps is Just Security
byKevin Fealey
 
Building an AppSec Team Extended Cut
byMike Spaulding
 
What? Why? Who? How? Of Application Security Testing
byTEST Huddle
 
Owasp top 10 2017 (en)
byPrashantDhakol
 
Evil User Stories - Improve Your Application Security
byAnne Oikarinen
 
Building a Mobile Security Program
byDenim Group
 
Collaborative security : Securing open source software
byPriyanka Aash
 
DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...
byDevSecCon
 
Securing 100 products - How hard can it be?
byPriyanka Aash
 
Oliver Schuermann - Integrated Software in Networking - the Mystery of SDN
bycentralohioissa
 
Map camp - Why context is your crown jewels (Wardley Maps and Threat Modeling)
byDinis Cruz
 
Threat Modeling Everything
byAnne Oikarinen
 
The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
byDenim Group
 
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
byMobodexter
 
Renato Rodrigues - Security in the wild
byDevSecCon
 
Why 'positive security' is a software security game changer
byJaap Karan Singh
 
Continuous security testing - sharing responsibility
byVodqaBLR
 
How an Attacker "Audits" Your Software Systems
bySecurity Innovation
 

Similar to Who owns Software Security

PDF
Streamlining AppSec Policy Definition.pptx
bytmbainjr131
 
PDF
Application Security Testing for Software Engineers: An approach to build sof...
byMichael Hidalgo
 
PPT
SoftwareSecurity.ppt
byssuserfb92ae
 
PPT
Software Security in the Real World
byMark Curphey
 
PDF
The Future of Software Security Assurance
byRafal Los
 
PDF
New Era of Software with modern Application Security v1.0
byDinis Cruz
 
PPTX
Web security-–-everything-we-know-is-wrong-eoin-keary
bydrewz lin
 
PDF
Secure coding guidelines
byZakaria SMAHI
 
PPTX
Security in an Interconnected and Complex World of Software
byMichael Coates
 
PPTX
Information-security and best pracrices tools for the enhanced security of s...
bySamyaGufoor
 
PPTX
The path of secure software by Katy Anton
byDevSecCon
 
PPTX
Top Application Security Trends of 2012
byDaveEdwards12
 
PDF
The Thing That Should Not Be
bymorisson
 
PPTX
Web_Appication_Security_Training_For_Developers.pptx
byxobewe1102
 
PDF
ScotSecure 2020
byRay Bugg
 
PDF
Injecting simplicity not SQL RSA Europe 2010
bySecurity Ninja
 
KEY
Application Security Done Right
bypvanwoud
 
PDF
What Every Developer And Tester Should Know About Software Security
byAnne Oikarinen
 
PPT
Software Security Engineering
byMarco Morana
 
PDF
Injecting simplicity not SQL BSides Las Vegas 2010
bySecurity Ninja
 
Streamlining AppSec Policy Definition.pptx
bytmbainjr131
 
Application Security Testing for Software Engineers: An approach to build sof...
byMichael Hidalgo
 
SoftwareSecurity.ppt
byssuserfb92ae
 
Software Security in the Real World
byMark Curphey
 
The Future of Software Security Assurance
byRafal Los
 
New Era of Software with modern Application Security v1.0
byDinis Cruz
 
Web security-–-everything-we-know-is-wrong-eoin-keary
bydrewz lin
 
Secure coding guidelines
byZakaria SMAHI
 
Security in an Interconnected and Complex World of Software
byMichael Coates
 
Information-security and best pracrices tools for the enhanced security of s...
bySamyaGufoor
 
The path of secure software by Katy Anton
byDevSecCon
 
Top Application Security Trends of 2012
byDaveEdwards12
 
The Thing That Should Not Be
bymorisson
 
Web_Appication_Security_Training_For_Developers.pptx
byxobewe1102
 
ScotSecure 2020
byRay Bugg
 
Injecting simplicity not SQL RSA Europe 2010
bySecurity Ninja
 
Application Security Done Right
bypvanwoud
 
What Every Developer And Tester Should Know About Software Security
byAnne Oikarinen
 
Software Security Engineering
byMarco Morana
 
Injecting simplicity not SQL BSides Las Vegas 2010
bySecurity Ninja
 

More from devObjective

PDF
Lets git together
bydevObjective
 
PDF
Raspberry Pi a la CFML
bydevObjective
 
PDF
Command box
bydevObjective
 
PDF
Effective version control
bydevObjective
 
PDF
Front end-modernization
bydevObjective
 
PDF
Using type script to build better apps
bydevObjective
 
PDF
Csp and http headers
bydevObjective
 
PDF
Naked and afraid Offline mobile
bydevObjective
 
PDF
Web hackingtools 2015
bydevObjective
 
PDF
Node without servers aws-lambda
bydevObjective
 
PDF
I am-designer
bydevObjective
 
PDF
Garbage First and You!
bydevObjective
 
PDF
Fusion Reactor
bydevObjective
 
PDF
Paying off emotional debt
bydevObjective
 
PPTX
My SQL Skills Killed the Server
bydevObjective
 
PDF
Authentication Control
bydevObjective
 
PDF
Multiply like rabbits with rabbit mq
bydevObjective
 
PPTX
Preso slidedeck
bydevObjective
 
PDF
Intro to TDD & BDD
bydevObjective
 
PDF
Rethink Async with RXJS
bydevObjective
 
Lets git together
bydevObjective
 
Raspberry Pi a la CFML
bydevObjective
 
Command box
bydevObjective
 
Effective version control
bydevObjective
 
Front end-modernization
bydevObjective
 
Using type script to build better apps
bydevObjective
 
Csp and http headers
bydevObjective
 
Naked and afraid Offline mobile
bydevObjective
 
Web hackingtools 2015
bydevObjective
 
Node without servers aws-lambda
bydevObjective
 
I am-designer
bydevObjective
 
Garbage First and You!
bydevObjective
 
Fusion Reactor
bydevObjective
 
Paying off emotional debt
bydevObjective
 
My SQL Skills Killed the Server
bydevObjective
 
Authentication Control
bydevObjective
 
Multiply like rabbits with rabbit mq
bydevObjective
 
Preso slidedeck
bydevObjective
 
Intro to TDD & BDD
bydevObjective
 
Rethink Async with RXJS
bydevObjective
 

Recently uploaded

PDF
HCSP-Presales-Campus Network Planning and Design V2.0
byVeronica916344
 
PPTX
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
PDF
Lab 1.5 - Sharing Secrets with GPG ~ 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PPTX
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
PDF
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
PPTX
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
PPTX
Top _HR Technology Trends _for 2026_.pptx
byAutomationEdge Technologies
 
PDF
Workshop on Sustaining & Growing Open Source Communities - GAS2025
bySammy Fung
 
PPTX
communication-skills-with-technology tools
byJaleto Sunkemo
 
PDF
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PDF
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
DOCX
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
PDF
WHITE PAPER_ Ransomware Payment Policy and Resilience Strategy_ A Framework f...
byssuser0d171c
 
PPTX
Gemini vs ChatGPT : Comparing Top AI Models
byDigicarrom
 
PPTX
Why Most GenAI Projects Fail to Scale and How to Become One of the Success St...
byEarley Information Science
 
PDF
API-First Architecture in Financial Systems
bycyy111112
 
PDF
What Is a Private LLM and Why Enterprises Need It
byAivada
 
PDF
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
PDF
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
HCSP-Presales-Campus Network Planning and Design V2.0
byVeronica916344
 
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
Lab 1.5 - Sharing Secrets with GPG ~ 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
Top _HR Technology Trends _for 2026_.pptx
byAutomationEdge Technologies
 
Workshop on Sustaining & Growing Open Source Communities - GAS2025
bySammy Fung
 
communication-skills-with-technology tools
byJaleto Sunkemo
 
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
WHITE PAPER_ Ransomware Payment Policy and Resilience Strategy_ A Framework f...
byssuser0d171c
 
Gemini vs ChatGPT : Comparing Top AI Models
byDigicarrom
 
Why Most GenAI Projects Fail to Scale and How to Become One of the Success St...
byEarley Information Science
 
API-First Architecture in Financial Systems
bycyy111112
 
What Is a Private LLM and Why Enterprises Need It
byAivada
 
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 

Who owns Software Security

  • 1.
  • 2.
    (obligatory)  About  Me   Smarter  in   the  City  
  • 3.
    2010 2013 Injection1   Injection BrokenAuth & Session Mgmt2   Cross Site Scripting (XSS) Cross Site Scripting (XSS) 3   Broken Auth & Session Mgmt Insecure Direct Obj References 4   Insecure Direct Obj References h2p://starwars.wikia.com/  
  • 4.
    Applica<on  Security  Risks,  Frozen  in  Time     OWASP  Top  10  –  2010  (old)   OWASP  Top  10  –  2013  (New)   2010-­‐A1  –  InjecCon   2013-­‐A1  –  InjecCon   2010-­‐A2  –  Cross  Site  ScripCng  (XSS)   2013-­‐A2  –  Broken  AuthenCcaCon  and  Session  Management   2010-­‐A3  –  Broken  AuthenCcaCon  and  Session  Management   2013-­‐A3  –  Cross  Site  ScripCng  (XSS)   2010-­‐A4  –  Insecure  Direct  Object  References   2013-­‐A4  –  Insecure  Direct  Object  References   2010-­‐A5  –  Cross  Site  Request  Forgery  (CSRF)   2013-­‐A5  –  Security  MisconfiguraCon   2010-­‐A6  –  Security  MisconfiguraCon   2013-­‐A6  –  SensiCve  Data  Exposure   2010-­‐A7  –  Insecure  Cryptographic  Storage   2013-­‐A7  –  Missing  FuncCon  Level  Access  Control   2010-­‐A8  –  Failure  to  Restrict  URL  Access   2013-­‐A8  –    Cross-­‐Site  Request  Forgery  (CSRF)   2010-­‐A9  –  Insufficient  Transport  Layer  ProtecCon   2013-­‐A9  –  Using  Known  Vulnerable  Components  (NEW)   2010-­‐A10  –  Unvalidated  Redirects  and  Forwards  (NEW)   2013-­‐A10  –  Unvalidated  Redirects  and  Forwards   3  Primary  Changes:   §  Merged:  2010-­‐A7  and  2010-­‐A9  -­‐>  2013-­‐A6   §  Added  New  2013-­‐A9:  Using  Known  Vulnerable  Components   §  2010-­‐A8  broadened  to  2013-­‐A7   renamed   combined  
  • 5.
    BIG PROBLEM? At least1Billion records of PII were leaked in 2014
  • 6.
    Still! Breaches bySQLi into 2015 3rd most common attack type (after DDoS and Malware)
  • 7.
    Do you scan yourapps for cybersecurity vulnerabilities before making them available? No   40%   How much do you budget towards securing mobile apps built for customers? $0  
  • 8.
    FIX THE DAMNEDSOFTWARE!
  • 9.
    “It seems that applicationsecurity is just not considered to be as important as network security, even though vulnerabilities in applications are consistently being exploited by hackers of all types in order to access network resources and data.” Michael Cobb in SearchSecurity
  • 10.
    Why? Time  to  market   Training   Cost   Tools   Agile  
  • 11.
    Time to Market Duh. AreYou Under Pressure to Release New Applications Faster, and Why? Yes, Customer demand Yes, Competitive actions Yes, Revenue shortfalls No Sorry, I was just f*&%ing with you, it’s YES 60%   60%   19%   6%   6%  
  • 12.
    Training? What Training? No"secure development lifecycle" in the vast majority of universities' degree program How many years of software development experience do you have? >12 years! 34% 4-12 years! 30% How much previous application security training have you received? None 30% <1 day 20% >3 days 25% 1-3 days 25%
  • 13.
  • 14.
  • 15.
    New Tools? •  Endpointprofiling •  Endpoint forensics •  Network forensics •  “Secure” platforms
  • 16.
  • 17.
  • 18.
    But I don’thave anything worth hacking! PII VC$ Consulting   Acquisition  
  • 19.
    But enough aboutthe problems… The Quality Metaphor
  • 20.
  • 21.
    Quality Today •  Patterns,frameworks, and good design •  Do it early, do it often (and automate it) •  High quality people make high quality software •  It’s everyone’s responsibility Doing it right is actually quicker in the end!
  • 22.
    GOOD SOFTWARE ISSECURE. SECURE SOFTWARE IS GOOD SOFTWARE.  
  • 23.
    Your  4  Step  Plan!  YOUR 4 STEP PLAN   1. Study successes 2. Inventory yourself 3. Make it agile 4. Drive the culture
  • 24.
  • 25.
    112 activities organizedin twelve practices 1
  • 26.
    1 Study Successes   •  Java •  Node •  Rails •  .NET failures
  • 27.
    Know your stack! YourCode Frameworks Languages Third Party Services OSS “Technical  debt”   2
  • 28.
    Know your app • Store a password •  Login a user •  Upload a photo •  Display user contributed content •  Concatenate strings •  What’s secret? Credentials for DB access, machine accts, etc. – “Principle of Least Privilege” What data is moving where? 2
  • 29.
    Agile Quality ==Agile Security Add security to your “definition of done” 3
  • 30.
    Tools (help) scalethe process “Incorporate static analysis into the code review process in order to make code review more efficient and more consistent.” 3 IDE’s with “checkers” “Near-real- time” tools Build tools IntelliJ Klocwork, Codiscope, Coverity Brakeman
  • 31.
    Culture; the toughestpart 1.  Even a little security is better than none. Don't wait for a “big initiative” 2.  Don’t make security a “special event” 3.  Get trained! Train Champions. 4.  Have a plan for when something does go wrong 4
  • 32.
    GOOD SOFTWARE ISSECURE. SECURE SOFTWARE IS GOOD SOFTWARE.  
  • 33.