The document discusses security best practices across the software development lifecycle (SDLC). It covers:
- The Microsoft Security Development Lifecycle (SDL) methodology which includes activities like threat modeling, security testing, using approved tools and cryptography standards, managing third-party components, and establishing an incident response process.
- Static and dynamic application security testing (SAST and DAST) - SAST analyzes source code for vulnerabilities while DAST tests running applications. Both have tradeoffs in terms of when issues are found, the cost to fix them, and what types of vulnerabilities are discovered.
- DevSecOps practices like integrating security activities into each stage of development through techniques like incremental threat modeling, automated testing, and continuous
Outpost24 webinar - The economics of penetration testing in the new threat la... by Outpost24
Penetration testing has long been a tried and tested method to simulate an attack against companies’ IT systems to find exploitable vulnerabilities before anyone does. But is the price tag worth it?
This is my keynote for AppSec California 2015. In it I discuss how application security is taking over all areas of security and how we need to change how we build and deploy security tools as a result.
Here is the video of me giving the talk:
https://www.youtube.com/watch?v=-1kZMn1RueI
Building a Modern Security Engineering Organization by Zane Lackey
Continuous deployment and the DevOps philosophy have forever changed the ways in which businesses operate. This talk will discuss how security adapts effectively to these changes, specifically covering:
- Practical advice for building and scaling modern AppSec and NetSec programs
- Lessons learned for organizations seeking to launch a bug bounty program
- How to run realistic attack simulations and learn the signals of compromise in your environment
AppSec Survey 2.0: Fine-Tuning an AppSec Training Program Based on Data by Denim Group
Measuring the effectiveness of any security activity is widely discussed – security leaders debate the topic with a religious fervor rivaling that of any other hot-button issue. Virtually every organization has some sort of application security training effort, but data on training effectiveness remains scarce. Last year our research team delivered the first-ever survey that captured developer awareness of secure coding concepts and the impact of formal application security training on a developer’s ability to write secure code. We learned that most software developers were aware of certain application security concepts, yet when asked how to write more secure code, they fared poorly.
This year’s 600-developer survey provides more quantitative data on what software developers understand about application security, both concepts and practices. It dives most deeply into awareness of defensive coding practices, which most developers largely did not grasp in the 2013 survey. It also separates respondents by role, so we can better understand how architects, developers, and QA staff grasp key application security concepts and put them to work. It better captures how software developers learn in general, so one can tailor any security training effort to how software developers, in practice, actually learn. This information will give application security managers responsible for corporate security training the data they need to make more fact-based decisions about security training.
HouSecCon 2019: Offensive Security - Starting from Scratch by Spencer Koch
HouSecCon 2019 Offensive Security - Starting from Scratch. Learn from Spencer Koch and Altaz Valani about how to build an offensive security program from scratch, incorporating application security, infrastructure vulnerability management, hardening, devsecops, security champions, and red teaming. Be able to organize these capabilities to tell a story and build maturity to help your organization be more secure. Includes gotchas and lessons learned from industry experience.
Are you doing all you can to further your career as a software developer? With today's rapidly changing and ever-expanding technologies, being successful requires more than technical expertise. In this talk Eduards outlines the practices used by software craftsmen to maintain their professional ethics and simple Dos and Don'ts for teams who want to be considered professional craftsmen.
Lessons from DevOps: Taking DevOps practices into your AppSec Life by Matt Tesauro
Bruce Lee once said “Don’t get set into one form, adapt it and build your own, and let it grow, be like water”.
AppSec needs to look beyond itself for answers to its problems, since we live in a world of ever-increasing numbers of apps. Technology and apps have invaded our lives, so how do you lead a security counter-insurgency? One way is to look at the key tenets of DevOps and apply those that make sense to your approach to AppSec. Something has to change, as the application landscape is already changing around us.
Cloud, DevOps and the New Security Practitioner by Adrian Sanabria
First presented at Cloud Security World in Boston on June 15th, 2016.
Once upon a time, walls were erected between the Linux/UNIX crowd, Windows admins and the mainframers. Each architecture had its place and its experts, and they rarely mixed. This time around, we didn’t just get a new domain, we got a new way of doing IT and running businesses. Cloud has created new opportunities and DevOps has capitalized on them. The result of this combination is so unrecognizable that it isn’t uncommon to see IT organizations split down the middle by the new and old approaches. As DevOps continues to gain in popularity, the same split is occurring in the security workforce. Will the traditional security practitioner be in danger of becoming obsolete?
Security at the Speed of Software Development by DevOps.com
There are a lot of DevSecOps offerings that are just DevOps lipstick on a traditional security-as-a-gate pig. Also, security specialists, especially at large organizations, believe that better security comes from robust independent gating. On the other hand, DevOps has proven that you can safely deploy an order of magnitude or more faster than human gating can achieve.
What's needed to add security to DevOps are tools that work well with rapid-cycle CI/CD pipelines and an approach that reinforces the DevOps culture and process changes. This requires that security specialists become self-service toolsmiths and coaches and stop thinking of their jobs as gatekeepers.
This webinar will introduce a framework to accomplish this mindset shift. It includes guidance on the characteristics of tools compatible with DevOps. It has been successfully used in a large DevSecOps transformation at Comcast and has gained recognition in DevSecOps circles as a leading framework.
The business case for contributing code by Zivtech, LLC
In the Drupal community we tend to talk about committing code to our public spaces (drupal.org, but also github) in terms of "contributing" and "contributions", and while much of it can be seen in that light, there are actually very strong business reasons for publishing your code and/or attempting to get your code changes committed to the open source project that you are working on.
We will be looking at several documents from the U.S. Military detailing their recommendations for contracting Open Source Software services, and will use those as a jumping off point to discuss the many benefits of contributing code. Some of the business reasons for public publishing we'll explore will include:
* The power of peer review. With enough eyes, all bugs are shallow, and with only a few eyes the stupidity knows no depths!
* Fork you! The costs associated with "hacking" both Drupal core and contrib modules and base themes.
* Take my code, please! Cost savings from committing patches.
* Professionals publish or perish. Using code commits as marketing towards clients or potential hires.
* It's so easy, even a child(ish person) could do it! How you can easily integrate patching into your development workflow.
This session will also include a walk-through of how Zivtech handles code review, patches, and deployment processes, and you will hopefully walk away convinced that all of your in-house and outsourced developers should be publicly committing their work.
Continuous delivery requires more than DevOps. It also requires one to think differently about product design, development & testing, and the overall structure of the organization. This presentation will help you understand what it takes and why one would want to deliver value to your customers multiple times each day. #CIC
Jeff "Cheezy" Morgan, Ardita Karaj
Bringing Security Testing to Development: How to Enable Developers to Act as ... by Achim D. Brucker
Security testing is an important part of any security development life-cycle (SDLC) and, thus, should be a part of any software development life-cycle.
We will present SAP's Security Testing Strategy, which enables developers to find security vulnerabilities early by applying a variety of different security testing methods and tools. We explain the motivation behind it and how we enable global development teams to implement the strategy across different SDLCs, and report on our experiences.
DevSecOps - It can change your life (cycle) by Qualitest
QualiTest explains how a secured DevOps (DevSecOps) delivery process can be achieved using automated code scanning, enabling a significant shift-left of issue detection and minimizing the time to fix. Whether you are considering DevSecOps, on the path, or already there, this deck is for you.
For more information, please visit www.QualiTestGroup.com
DevSecOps is a recent offshoot of the DevOps movement, which doubles down on the importance of security. As security continues to be downplayed or ignored even as the threat landscape explodes, DevSecOps promotes a set of well-developed design principles and engineering patterns which involve security owners and product designers much earlier. DevSecOps lays out a robust and practical blueprint for building security features into the design process, leveraging new engineering tools and patterns and creating secure, defensible software right from the start.
Join Chris Knotts, Innovation Product Director at Cprime, to:
- Learn how the concept of "shifting left" applies to application security and how to prioritize security requirements earlier in the design process
- Get an introduction to a few of the most effective engineering tools for implementing DevSecOps, including popular code scanners, dependency checkers, and free open-source products
- Understand how progress with DevSecOps depends on roles and stakeholders outside of just security staff
This talk provides a brief history of how DevOps has enabled tech companies to become unicorns. Furthermore: is security in DevOps important, who is responsible, and what can teams do to make security a competitive advantage?
A journey into application security will cover the relation and evolution of application security with the different approaches to development from Waterfall to Devops.
DevSecOps is a new way to deliver security as part of the Software Supply Chain. It supports a built-in process and faster security feedback loop for DevOps teams.
This talk will demo one threat modeling methodology and how an engineering team is appending it to their Secure Software Development Life Cycle. The goal is to create a single platform for communicating architectural risk and planning mitigations within sprints. This will not only address security concerns sooner in a product's lifecycle but establish a trusting relationship between engineering and security teams. As an ever-evolving space, to reduce risk and deploy products to market, this is one additional step any software-focused team can quickly adapt to their practices.
Security teams are often seen as roadblocks to rapid development or operations implementations, slowing down production code pushes. As a result, security organizations will likely have to change so they can fully support and facilitate cloud operations.
This presentation will explain how DevOps and information security can co-exist through the application of a new approach referred to as DevSecOps.
Outpost24 webinar - Why security perfection is the enemy of DevSecOps by Outpost24
The chase for security perfection is not uncommon. The idea of ‘shift left’ - locating defects from the beginning of the SDLC and rectifying them early - is a well-founded approach. But in a competitive business landscape, companies must balance the tradeoff between speed and quality to keep their business moving. Join our application security webinar and learn how to implement agile DevSecOps to carry out the necessary security checks without compromising on time-to-market.
Why Security Engineers Need to Shift Left to DevSecOps by Najib Radzuan
In the fusion between DevOps and DevSecOps, the pace and agility of the DevSecOps approach left AppSec and InfoSec a little behind. The DevOps squad topology does not include the organization's AppSec and InfoSec engineers, and many DevOps teams leave them out because they lack the knowledge to manage and configure DevOps CI/CD pipelines and DevSecOps approaches. There is no shortage of talent; what is often missing is a mission worth getting out of bed for, or a culture that fosters continuous learning of DevSecOps skills and tools and growth, where people feel psychologically safe. Likewise, there is no shortage of skills; most have a poor understanding of what they need to be successful, or of which skills to leverage to improve their security posture.
This talk was given at Eurostar 2013 in Gothenburg, Sweden.
“Significant forces in the IT industry mean that testing in most organisations is under extreme pressure. Bosses wonder why they need people ‘over here’ to make sure people ‘over there’ do their job properly. Users, analysts, developers and testers may have to redistribute responsibility for testing and checking, and collaborate more effectively.
Testers won’t drive this transition, and they may be caught out if they ignore the winds of change. There's complacency, self-delusion and overcapacity in the testing business; there is too little agreement about what testing is, what it’s for or how it should be done. In this talk, Paul will suggest what leadership is required in our industry, the market and our organisations.
Of course, some responsibility will fall on your shoulders. Whether you are a manager or technical specialist, there will be an opportunity for you to lead the change.”
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... by James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. A constant focus on speed to release software to market, combined with traditionally slow and manual security checks, has left gaps in continuous security, an important piece of the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their application supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with a passion for technology and making things work, along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations on CI/CD and application security integrated into the software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
PHP Frameworks: I want to break free (IPC Berlin 2024) by Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
GraphRAG is All You need? LLM & Knowledge Graph by Guy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf by Peter Spielvogel
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
UiPath Test Automation using UiPath Test Suite series, part 4 by DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... by DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
The Art of the Pitch: WordPress Relationships and Sales by Laura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Key Trends Shaping the Future of Infrastructure.pdf by Cheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Securing your Kubernetes cluster: a step-by-step guide to success! by KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
2. Equifax breach 2017
• Equifax's CEO and other executives resigned following a backlash over the hack at the company that compromised the data of 143 million people
• The thieves spent 76 days within Equifax's network before they were detected
• $700 million to settle federal and state investigations
• $425 million to directly help consumers affected by the breach
• $1.4 billion: amount Equifax has spent on upgrading its security in the wake of the incident
23-26. Development Methodologies - summarized
SDLC
• Your mileage may vary – one size does not fit all
• Waterfall approach may increase reliability, but reduce predictability
• Agile approach may increase predictability, but reduce reliability
• Training is a one-time cost, and gives value over time
• Ask yourself:
• What do you need?
• What works in your organization?
27. Internal Quality Assurance (QA)
SDLC
• Definition of Done:
• Implemented according to standards
• Unit test cases have been written for all functionality
• Documented
• Code reviewed by a colleague
• Documentation reviewed by a colleague
• dependency-check reports 0 vulnerabilities
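The last Definition-of-Done item is the one that can be enforced mechanically. The script below is an added example (not from the slides) of a build gate over an OWASP dependency-check JSON report; it assumes the report's layout (a top-level "dependencies" list whose entries carry an optional "vulnerabilities" list with "name" and "severity"), and the embedded report and CVE ids are constructed placeholders.

```python
"""Gate a build on an OWASP dependency-check JSON report (added example).

Assumed report layout (check against your dependency-check version):
{"dependencies": [{"fileName": ..., "vulnerabilities": [{"name": ..., "severity": ...}]}]}
"""
import json

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

# Constructed sample report; the CVE ids are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "lib-a.jar", "vulnerabilities": [
            {"name": "CVE-0000-0001", "severity": "HIGH"},
            {"name": "CVE-0000-0002", "severity": "LOW"}]},
        {"fileName": "lib-b.jar"},
        {"fileName": "lib-c.jar", "vulnerabilities": [
            {"name": "CVE-0000-0003", "severity": "CRITICAL"}]},
    ]
})
# Constructed report with no findings, the state the slide's rule demands.
CLEAN_REPORT = '{"dependencies": [{"fileName": "lib-b.jar"}]}'


def findings(report_json):
    """Return (file, cve, severity) tuples for every reported vulnerability."""
    report = json.loads(report_json)
    out = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            out.append((dep["fileName"], vuln["name"], vuln["severity"].upper()))
    return out


def gate(report_json, fail_at="LOW"):
    """Definition-of-Done check: (passed, blocking findings).

    The slide's rule is "0 vulnerabilities", i.e. fail_at="LOW". A team
    phasing the rule in could start at "HIGH" and tighten over time.
    Unknown severities are treated as blocking rather than silently ignored.
    """
    threshold = SEVERITY_RANK[fail_at]
    blocking = [f for f in findings(report_json)
                if SEVERITY_RANK.get(f[2], threshold) >= threshold]
    return len(blocking) == 0, blocking


if __name__ == "__main__":
    ok, blocking = gate(SAMPLE_REPORT)
    for file, cve, sev in blocking:
        print(f"{sev:8} {cve} in {file}")
    raise SystemExit(0 if ok else 1)  # non-zero exit fails the CI job
```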
34-36. Security – all or nothing?
• Cost
• Productivity hit
• Security hit
• Horror stories?
• Start over?
• The most important step is the first!
• Get started
• Incremental improvements
• Try, try and try again
48-51. Simplicity
Silver Bullets
• Complex code
• Hard to read
• Hard to review
• Hard to maintain
• Hard to add new features
• Hard to replace/deprecate
• Lower developer satisfaction
• Harder to pentest
Expensive!
53-56. Security as a Cultural Phenomenon
• Policies, guidelines from management → top-down approach
• Security awareness, security trainings → bottom-up approach
• Code review after pentest → team meeting, walk through vulnerabilities, talk about mitigations pros/cons. No finger pointing, only learning.
• "What are we doing to prevent this from being abused/exploited?"
57-59. Security as a Cultural Phenomenon
• OWASP
• "Top 10": https://owasp.org/www-project-top-ten/
• Present one topic each week, during a lunch meeting
• Copenhagen: https://owasp.org/www-chapter-copenhagen/
• Aarhus: https://owasp.org/www-chapter-aarhus/
61. Microsoft SDL
• Provide Training: Ensure everyone understands security best practices.
• Define Security Requirements: Continually update security requirements to reflect changes in functionality and to the regulatory and threat landscape.
• Define Metrics and Compliance Reporting: Identify the minimum acceptable levels of security quality and how engineering teams will be held accountable.
• Perform Threat Modeling: Use threat modeling to identify security vulnerabilities, determine risk, and identify mitigations.
• Establish Design Requirements: Define standard security features that all engineers should use.
• Define and Use Cryptography Standards: Ensure the right cryptographic solutions are used to protect data.
• Manage the Security Risk of Using Third-Party Components: Keep an inventory of third-party components and create a plan to evaluate reported vulnerabilities.
• Use Approved Tools: Define and publish a list of approved tools and their associated security checks.
• Perform Static Analysis Security Testing: Analyze source code before compiling to validate the use of secure coding policies.
• Perform Dynamic Analysis Security Testing: Perform run-time verification of fully compiled software to test security of fully integrated and running code.
• Perform Penetration Testing: Uncover potential vulnerabilities resulting from coding errors, system configuration faults, or other operational deployment weaknesses.
• Establish a Standard Incident Response Process: Prepare an Incident Response Plan to address new threats that can emerge over time.
67. Static Application Security Testing
https://owasp.org/www-community/Source_Code_Analysis_Tools
https://github.com/features/security
+
• Scales well (only needs the code)
• Finds vulnerabilities earlier in the process
• Highlights the precise source files, line numbers, subsections of lines
-
• Many types of security vulnerabilities are difficult to find automatically
• High numbers of false positives
• Frequently can't find configuration issues, since they are not represented in the code
• Difficult to 'prove' that an identified security issue is an actual vulnerability
https://sonarcloud.io/
69. SAST vs DAST
• SAST: White box security testing. The tester has access to the underlying framework, design, and implementation. The application is tested from the inside out. This type of testing represents the developer approach.
• DAST: Black box security testing. The tester has no knowledge of the technologies or frameworks that the application is built on. The application is tested from the outside in. This type of testing represents the hacker approach.
• SAST: Requires source code. SAST doesn't require a deployed application. It analyzes the source code or binary without executing the application.
• DAST: Requires a running application. DAST doesn't require source code or binaries. It analyzes by executing the application.
• SAST: Finds vulnerabilities earlier in the SDLC. The scan can be executed as soon as code is deemed feature-complete.
• DAST: Finds vulnerabilities toward the end of the SDLC. Vulnerabilities can be discovered after the development cycle is complete.
• SAST: Less expensive to fix vulnerabilities. Since vulnerabilities are found earlier in the SDLC, it's easier and faster to remediate them. Findings can often be fixed before the code enters the QA cycle.
• DAST: More expensive to fix vulnerabilities. Since vulnerabilities are found toward the end of the SDLC, remediation often gets pushed into the next cycle. Critical vulnerabilities may be fixed as an emergency release.
• SAST: Can't discover run-time and environment-related issues. Since the tool scans static code, it can't discover run-time vulnerabilities.
• DAST: Can discover run-time and environment-related issues. Since the tool uses dynamic analysis on an application, it is able to find run-time vulnerabilities.
• SAST: Supports all kinds of software. Examples include web applications, web services, and thick clients.
• DAST: Typically scans only apps like web applications and web services. DAST is not useful for other types of software.
71. Where do I start?
aka.ms/sdlc
• Implement: Use the implementers' resources guides to create an implementation plan that advances your SDL maturity.
• Self-assess: Review the self-assessment guide to assess your organization's current SDL maturity level.
• Identify: Identify where your organization falls on the SDL Optimization Maturity Model.