4. DEVELOPERS AS SECURITY TESTERS
› Pros:
• Enables continuous security testing.
• Developers will automate.
• Minimal hand-over costs.
• Will find important non-security related bugs.
› Cons:
• Not security specialists. Will miss some things.
• May need investment (training, some tools).
5. BASIC SECURITY MODEL
Confidentiality
• Privacy
• Password policies
• Encryption
Integrity
• Trustworthiness of data
• Checksums
Availability
• Bandwidths
• Bottlenecks
• Disaster recovery planning
12. SECURITY TESTING ASPECTS IN ONION MODEL
Network scanning
Vulnerability scanning
Web application security testing
Static code analysis
Web application configuration analysis
Operating system configuration analysis
Application server vulnerability scanning
13. HOW ONION MODEL IS LINKED TO OUR PROJECTS
Public internet
Private networks between servers
Customer network
Host is most commonly a shared responsibility
The application is our responsibility
Part of the data is our responsibility
Part of the data comes from integrations
Updates come from other parties, configuration from us
Part of the applications are products (inriver, IIS)
16. TOOLS IN SECURE DEVELOPMENT LIFECYCLE
Before development
Definition and design
Development
Deployment
Maintenance
FxCop X
VisualCodeGrepper X
SonarQube X
Code Metrics X
OWASP ZAP X X X
Nessus X X
jMeter X X X
17. TOOLS IN DEFENCE IN DEPTH
Network
Host
App server
Application
Web.config
Source code
FxCop X X
VisualCodeGrepper X X
SonarQube X X
Code Metrics X
OWASP ZAP X X
Nessus X X X X
jMeter X X
21. EPISERVER DEVELOPMENT
› Know your HTTP headers
› Understand the security responsibilities of each party (dev, hosting)
› AntiForgeryTokens!
› Do not EVER leave SQL injections in your application
› Think about security beforehand
› All the frontend includes………
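As an added illustration of the anti-forgery and SQL injection points above (example code, not from the slides or from Episerver), an ASP.NET MVC action in its injectable form beside the hardened one: the hardened action requires the anti-forgery token and passes the search term as a typed SQL parameter. The controller, the connection string and the `Products` table are assumed for the example.

```csharp
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Web.Mvc;
public class SearchController : Controller
{
    // Assumed connection string; a real project reads it from web.config.
    private const string ConnectionString = "Server=.;Database=Shop;Integrated Security=true";
    // VULNERABLE: the search term is concatenated into the SQL text, so input
    // containing a quote rewrites the query. There is no anti-forgery check,
    // so any site can submit this form with the victim's cookies (CSRF).
    [HttpPost]
    public ActionResult SearchUnsafe(string term)
    {
        string sql = "SELECT Name FROM Products WHERE Name LIKE '%" + term + "%'";
        return View(RunQuery(sql, null));
    }
    // HARDENED: the request must carry the token rendered by
    // @Html.AntiForgeryToken() in the form, and the term travels as a typed
    // parameter, so it can never become part of the SQL statement.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Search(string term)
    {
        const string sql = "SELECT Name FROM Products WHERE Name LIKE @pattern";
        var pattern = new SqlParameter("@pattern", SqlDbType.NVarChar, 200)
        {
            Value = "%" + (term ?? string.Empty) + "%"
        };
        return View(RunQuery(sql, pattern));
    }
    // Shared query runner: the SQL text is fixed by the caller, values arrive
    // only through parameters.
    private static List<string> RunQuery(string sql, SqlParameter parameter)
    {
        var names = new List<string>();
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            if (parameter != null) cmd.Parameters.Add(parameter);
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read()) names.Add(reader.GetString(0));
            }
        }
        return names;
    }
}
```

A `%` or `_` typed into the term still acts as a LIKE wildcard in the hardened version; that only widens the match and cannot alter the statement, but escape those characters if exact matching matters.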