SlideShare a Scribd company logo

Secure Software Development Lifecycle - Devoxx MA 2018

Imola Informatica
Imola Informatica

Slides from our talk @Devoxx MA 2018. We discuss Secure Software Development Lifecycle practices, recommendations, and tools, and we show practical examples of bad progamming habits that can be mitigated.

Technology
1 of 49
Download to read offline
SSDLC - Secure Software Development Lifecycle L. Molari – S. Monti – A. Proscia @imolinfo https://www.imolainformatica.it
How much does it cost? if (multiWrapper.hasErrors()) { for (LocalizedMessage error : multiWrapper.getErrors()) { if (validation != null) { validation.addActionError( LocalizedTextUtil.findText(error.getClazz(), error.getTextKey(), ActionContext.getContext().getLocale(), error.getDefaultMessage(), error.getArgs())); } } } #SSDLC@imolinfo
How much does it cost? if (multiWrapper.hasErrors()) { for (LocalizedMessage error : multiWrapper.getErrors()) { if (validation != null) { validation.addActionError( LocalizedTextUtil.findText(error.getClazz(), error.getTextKey(), ActionContext.getContext().getLocale(), error.getDefaultMessage(), error.getArgs())); } } } source Reuters: https://reut.rs/2QsGivt #SSDLC@imolinfo
A little patch… #SSDLC@imolinfo
Security costs. Average cost of a data breach in 2017 was… #SSDLC@imolinfo
Security costs. When you don’t care about it. …3.62 milions of dollars. source IBM: https://ibm.co/2tMp7ek #SSDLC@imolinfo
GDPR: Take care of users data With GDPR, data breaches will be more and more expensive: fines up to € 20M #SSDLC@imolinfo
Security misconceptions Security should not be a matter of fences… #SSDLC@imolinfo
Security misconceptions …or products or tools either #SSDLC@imolinfo
Key Principles Security should be a process #SSDLC@imolinfo Security should be testable Security should be measurable
Security as a Process #SSDLC@imolinfo Security should be a process
Software Development LifeCycle SDLC #SSDLC@imolinfo «Security» goes here
A typical perspective #SSDLC@imolinfo Don’t care about Security Let’s deliver the application
(Secure) Software Development LifeCycle SSDLC #SSDLC@imolinfo Dynamic Application Security Testing Static Application Security Testing Software Component Analysis
SSDLC Landscape Analysis Design Development SAST Code Review Software Component Analysis Testing DAST / IAST Maintenance SIEM Vault Management Issue TrackingIndipendent Vulnerability Assessment Risk Management Consolidated Security Standard Security Best Practices Threat Modelling Secure Coding Guidelines Security Response Planning Secure Testing Policies Security Response Execution Education & Awareness RASP Enterprise Information Security Architecture Continuous Vulnerability Assessment #SSDLC@imolinfo
OWASP 2017 Top 10 #SSDLC@imolinfo OWASP Top 10 Application Security Risks – 2017 A1:2017 – Injection A2:2017 - Broken Authentication A3:2017 - Sensitive Data Exposure A4:2017 - XML External Entities (XXE) A5:2017 - Broken Access Control A6:2017 - Security Misconfiguration A7:2017 - Cross-Site Scripting (XSS) A8:2017 - Insecure Deserialization A9:2017 - Using Components with Known Vulnerabilities A10:2017 - Insufficient Logging&Monitoring source OWASP: https://bit.ly/2HlP8H5
OWASP 2017 Top 10 #SSDLC@imolinfo OWASP Top 10 Application Security Risks – 2017 A1:2017 – Injection A2:2017 - Broken Authentication A3:2017 - Sensitive Data Exposure A4:2017 - XML External Entities (XXE) A5:2017 - Broken Access Control A6:2017 - Security Misconfiguration A7:2017 - Cross-Site Scripting (XSS) A8:2017 - Insecure Deserialization A9:2017 - Using Components with Known Vulnerabilities A10:2017 - Insufficient Logging&Monitoring source OWASP: https://bit.ly/2HlP8H5
Security Testing Tools #SSDLC@imolinfo Security should be testable
(Secure) Software Development LifeCycle SSDLC #SSDLC@imolinfo Dynamic Application Security Testing Static Application Security Testing Software Component Analysis
SAST - Static Application Security Testing SAST lets you find flaws in source code using the best known patterns of bad programming habits #SSDLC@imolinfo
SAST - Static Application Security Testing String query = "select count(*) as number "+ " from required_documents rd, "+ " required_documents_quotations rdq, "+ " quotations q, documents d "+ " where rd.id = rdq.id_document "+ " and rd.id = d.id "+ " and rdq.id_quotation = q.id "+ " and q.end_date > sysdate "+ " and rd.status = 'EXP' "+ " and q.quotation_number = " + quotation; #SSDLC@imolinfo
SAST - Static Application Security Testing String query = "select count(*) as number "+ " from required_documents rd, "+ " required_documents_quotations rdq, "+ " quotations q, documents d "+ " where rd.id = rdq.id_document "+ " and rd.id = d.id "+ " and rdq.id_quotation = q.id "+ " and q.end_date > sysdate "+ " and rd.status = 'EXP' "+ " and q.quotation_number = " + quotation; Thank you guys! #SSDLC@imolinfo
SAST - Static Application Security Testing String key = “A Fixed Password"; // 128 bit key // Create key and cipher Key aesKey = new SecretKeySpec(key.getBytes(), "AES"); Cipher cipher = Cipher.getInstance("AES"); // encrypt the text cipher.init(Cipher.ENCRYPT_MODE, aesKey); byte[] encrypted = cipher.doFinal(password.getBytes()); #SSDLC@imolinfo
SAST - Static Application Security Testing String key = “A Fixed Password"; // 128 bit key // Create key and cipher Key aesKey = new SecretKeySpec(key.getBytes(), "AES"); Cipher cipher = Cipher.getInstance("AES"); // encrypt the text cipher.init(Cipher.ENCRYPT_MODE, aesKey); byte[] encrypted = cipher.doFinal(password.getBytes()); #SSDLC@imolinfo
SAST - Static Application Security Testing String key = “A Fixed Password"; // 128 bit key // Create key and cipher Key aesKey = new SecretKeySpec(key.getBytes(), "AES"); Cipher cipher = Cipher.getInstance("AES"); // encrypt the text cipher.init(Cipher.ENCRYPT_MODE, aesKey); byte[] encrypted = cipher.doFinal(password.getBytes()); What’s wrong with you bro’??? #SSDLC@imolinfo
SonarQube #SSDLC@imolinfo A comprehensive platform for Quality Assurance and Static Analysis Source Testing
#SSDLC@imolinfo Let’s play!
(Secure) Software Development LifeCycle SSDLC #SSDLC@imolinfo Dynamic Application Security Testing Static Application Security Testing Software Component Analysis
Equifax Data Breach #SSDLC@imolinfo On march 2017 a serious flaw on Apache Struts 2.x was disclosed (CVE-2017-5638) ▪ Vulnerability allows Remote Code Execution ▪ Equifax Inc., a large USA credit reporting agency, was victim of an attack via this flaw ▪ Data of 145.5 milions of US citizens were stolen
Software Component Analysis Any lesson learnt from the Equifax data breach? #SSDLC@imolinfo
Software Component Analysis Know your software and its vulnerable components! “OWASP TOP 10 2017: A9:2017-Using Components with Known Vulnerabilities” #SSDLC@imolinfo Any lesson learnt from the Equifax data breach?
Software Component Analysis Answer to questions such as… …what components am I using? …what vulnerabilities am I inheriting? …where am I using this component? #SSDLC@imolinfo
Dependency Track A platform for comprehensive Software Component Analysis #SSDLC@imolinfo
#SSDLC@imolinfo Let’s play!
(Secure) Software Development LifeCycle SSDLC #SSDLC@imolinfo Dynamic Application Security Testing Static Application Security Testing Software Component Analysis
DAST - Dynamic Application Security Testing DAST lets us test applications using a black box approach #SSDLC@imolinfo
Zed Attack Proxy #SSDLC@imolinfo An integrated Web Application penetration testing tool with active and passive scanners
#SSDLC@imolinfo Let’s play!
Reverse proxy uses ZAP as HTTP proxy for connection to application Automated Tests HTTP Proxy ZAP Proxy Application CI Suite Zed Attack Proxy #SSDLC@imolinfo 1 2 3 6 4 Users and automated tests reach application through a reverse proxy ZAP passively records and scan requests of users and automated tests 5 A CI job fires ZAP active scan tests ZAP tries to attack application exploiting recorded requests A CI job collects reports from ZAP
Don’t rely only on tools… Perform routine code reviews #SSDLC@imolinfo Security is a matter of people and processes Build awareness through education
Security KPI Security should be measurable #SSDLC@imolinfo
CVSS – Common Vulnerability Score System #SSDLC@imolinfo Temporal Metric Group Exploit Code Maturity Remediation Level Report Confidence Modified Base Metrics Exploit Code Maturity Remediation Level Environmental Metric Group Report Confidence Exploitable Metrics Scope Impact Metrics Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A) Base Metric Group
CVSS - Common Vulnerability Score System #SSDLC@imolinfo Severity CVSSv2 CVSSv3 None N/A 0.0 Low 0.0-3.9 0.1-3.9 Medium 4.0-6.9 4.0-6.9 High 7.0-10.0 7.0-8.9 Critical N/A 9.0-10 Base Score Range
CVSS - An example? CVSS 10 CVE-2017-5638 (Equifax Data Breach Vulnerability) #SSDLC@imolinfo
WRT - Weighted Risk Trend #SSDLC@imolinfo Weighted Sum of vulnerabilities per application risk factor Example Blocker: 4 x 2.5 Critical: 133 x 2 Major: 508 x 1.5 Minor: 314 x 1 Application Risk Factor: 1.5 WRT = 2028
Security in a CI/CD process #SSDLC@imolinfo Software Security Checks Toolchain Software Component Analysis DAST OWASP ZAP SAST Continuos Integration SCM Issue Tracking Artifact Repository Container Security Platform Application Collaboration Suite SIEM
Key Takeaway points TOOLS can help you, but use them WISELY #SSDLC@imolinfo Security CAN fit your software development PROCESS Build security AWARENESS in your organization Security is TESTABLE and MEASURABLE in an AUTOMATED fashion
Do you have any question? 42!(*) (*) If you don’t know why 42 is your answer, I’ve got some bad news for you… Black Hats are the least of your problems: Vogons are on the way! #SSDLC@imolinfo
Luca Molari lmolari@imolainformatica.it @LMolr Stefano Monti smonti@imolainformatica.it @Ste_Monti Alessandro Proscia aproscia@imolainformatica.it @alex184it #SSDLC@imolinfo

Recommended

Secure Software Development Lifecycle
Secure Software Development LifecycleSecure Software Development Lifecycle
Secure Software Development Lifecycle
1&1
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?
Cigital
 
Software Development Life Cycle – Managing Risk and Measuring Security
Software Development Life Cycle – Managing Risk and Measuring SecuritySoftware Development Life Cycle – Managing Risk and Measuring Security
Software Development Life Cycle – Managing Risk and Measuring Security
Thomas Malmberg
 
Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)
Frances Coronel
 
Threat Modelling
Threat ModellingThreat Modelling
Threat Modelling
n|u - The Open Security Community
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and You
Kevin Fealey
 
Professional Software Development, Practices and Ethics
Professional Software Development, Practices and EthicsProfessional Software Development, Practices and Ethics
Professional Software Development, Practices and Ethics
Lemi Orhan Ergin
 
Red7 Software Application Security Threat Modeling
Red7 Software Application Security Threat ModelingRed7 Software Application Security Threat Modeling
Red7 Software Application Security Threat Modeling
Robert Grupe, CSSLP CISSP PE PMP
 

Recommended

Secure Software Development Lifecycle
Secure Software Development LifecycleSecure Software Development Lifecycle
Secure Software Development Lifecycle
1&1
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?
Cigital
 
Software Development Life Cycle – Managing Risk and Measuring Security
Software Development Life Cycle – Managing Risk and Measuring SecuritySoftware Development Life Cycle – Managing Risk and Measuring Security
Software Development Life Cycle – Managing Risk and Measuring Security
Thomas Malmberg
 
Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)
Frances Coronel
 
Threat Modelling
Threat ModellingThreat Modelling
Threat Modelling
n|u - The Open Security Community
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and You
Kevin Fealey
 
Professional Software Development, Practices and Ethics
Professional Software Development, Practices and EthicsProfessional Software Development, Practices and Ethics
Professional Software Development, Practices and Ethics
Lemi Orhan Ergin
 
Red7 Software Application Security Threat Modeling
Red7 Software Application Security Threat ModelingRed7 Software Application Security Threat Modeling
Red7 Software Application Security Threat Modeling
Robert Grupe, CSSLP CISSP PE PMP
 
Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...
Kevin Fealey
 
Secure Software Development Life Cycle
Secure Software Development Life CycleSecure Software Development Life Cycle
Secure Software Development Life Cycle
Maurice Dawson
 
Risk management(software engineering)
Risk management(software engineering)Risk management(software engineering)
Risk management(software engineering)
Priya Tomar
 
Agile & Secure SDLC
Agile & Secure SDLCAgile & Secure SDLC
Agile & Secure SDLC
Paul Yang
 
Threat Modeling Using STRIDE
Threat Modeling Using STRIDEThreat Modeling Using STRIDE
Threat Modeling Using STRIDE
Girindro Pringgo Digdo
 
Software Engineering : Requirement Analysis & Specification
Software Engineering : Requirement Analysis & SpecificationSoftware Engineering : Requirement Analysis & Specification
Software Engineering : Requirement Analysis & Specification
Ajit Nayak
 
Segurança em Desenvolvimento de Software
Segurança em Desenvolvimento de SoftwareSegurança em Desenvolvimento de Software
Segurança em Desenvolvimento de Software
Conviso Application Security
 
Software quality assurance
Software quality assuranceSoftware quality assurance
Software quality assurance
Aman Adhikari
 
Chapter 5 Software Quality Assurance-Finalised_BW.ppt
Chapter 5 Software Quality Assurance-Finalised_BW.pptChapter 5 Software Quality Assurance-Finalised_BW.ppt
Chapter 5 Software Quality Assurance-Finalised_BW.ppt
Bule Hora University
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)
abhimanyubhogwan
 
Software Quality Assurance
Software Quality Assurance Software Quality Assurance
Software Quality Assurance
ShashankBajpai24
 
Understanding Your Attack Surface and Detecting & Mitigating External Threats
Understanding Your Attack Surface and Detecting & Mitigating External ThreatsUnderstanding Your Attack Surface and Detecting & Mitigating External Threats
Understanding Your Attack Surface and Detecting & Mitigating External Threats
Ulf Mattsson
 
Security in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps EngineersSecurity in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps Engineers
DevOps.com
 
Software Security Metrics
Software Security MetricsSoftware Security Metrics
Software Security Metrics
Cigital
 
Requirements engineering
Requirements engineeringRequirements engineering
Requirements engineering
Syed Zaid Irshad
 
Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC Framework
Rishi Kant
 
Software Testing
Software TestingSoftware Testing
Software Testing
Mousmi Pawar
 
Breach and attack simulation tools
Breach and attack simulation toolsBreach and attack simulation tools
Breach and attack simulation tools
Bangladesh Network Operators Group
 
Secure Coding and Threat Modeling
Secure Coding and Threat ModelingSecure Coding and Threat Modeling
Secure Coding and Threat Modeling
Miriam Celi, CISSP, GISP, MSCS, MBA
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewTandhy Simanjuntak
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
cgt38842
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptx
nmk42194
 

More Related Content

What's hot

Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...
Kevin Fealey
 
Secure Software Development Life Cycle
Secure Software Development Life CycleSecure Software Development Life Cycle
Secure Software Development Life Cycle
Maurice Dawson
 
Risk management(software engineering)
Risk management(software engineering)Risk management(software engineering)
Risk management(software engineering)
Priya Tomar
 
Agile & Secure SDLC
Agile & Secure SDLCAgile & Secure SDLC
Agile & Secure SDLC
Paul Yang
 
Threat Modeling Using STRIDE
Threat Modeling Using STRIDEThreat Modeling Using STRIDE
Threat Modeling Using STRIDE
Girindro Pringgo Digdo
 
Software Engineering : Requirement Analysis & Specification
Software Engineering : Requirement Analysis & SpecificationSoftware Engineering : Requirement Analysis & Specification
Software Engineering : Requirement Analysis & Specification
Ajit Nayak
 
Segurança em Desenvolvimento de Software
Segurança em Desenvolvimento de SoftwareSegurança em Desenvolvimento de Software
Segurança em Desenvolvimento de Software
Conviso Application Security
 
Software quality assurance
Software quality assuranceSoftware quality assurance
Software quality assurance
Aman Adhikari
 
Chapter 5 Software Quality Assurance-Finalised_BW.ppt
Chapter 5 Software Quality Assurance-Finalised_BW.pptChapter 5 Software Quality Assurance-Finalised_BW.ppt
Chapter 5 Software Quality Assurance-Finalised_BW.ppt
Bule Hora University
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)
abhimanyubhogwan
 
Software Quality Assurance
Software Quality Assurance Software Quality Assurance
Software Quality Assurance
ShashankBajpai24
 
Understanding Your Attack Surface and Detecting & Mitigating External Threats
Understanding Your Attack Surface and Detecting & Mitigating External ThreatsUnderstanding Your Attack Surface and Detecting & Mitigating External Threats
Understanding Your Attack Surface and Detecting & Mitigating External Threats
Ulf Mattsson
 
Security in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps EngineersSecurity in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps Engineers
DevOps.com
 
Software Security Metrics
Software Security MetricsSoftware Security Metrics
Software Security Metrics
Cigital
 
Requirements engineering
Requirements engineeringRequirements engineering
Requirements engineering
Syed Zaid Irshad
 
Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC Framework
Rishi Kant
 
Software Testing
Software TestingSoftware Testing
Software Testing
Mousmi Pawar
 
Breach and attack simulation tools
Breach and attack simulation toolsBreach and attack simulation tools
Breach and attack simulation tools
Bangladesh Network Operators Group
 
Secure Coding and Threat Modeling
Secure Coding and Threat ModelingSecure Coding and Threat Modeling
Secure Coding and Threat Modeling
Miriam Celi, CISSP, GISP, MSCS, MBA
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewTandhy Simanjuntak
 

What's hot (20)

Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...
 
Secure Software Development Life Cycle
Secure Software Development Life CycleSecure Software Development Life Cycle
Secure Software Development Life Cycle
 
Risk management(software engineering)
Risk management(software engineering)Risk management(software engineering)
Risk management(software engineering)
 
Agile & Secure SDLC
Agile & Secure SDLCAgile & Secure SDLC
Agile & Secure SDLC
 
Threat Modeling Using STRIDE
Threat Modeling Using STRIDEThreat Modeling Using STRIDE
Threat Modeling Using STRIDE
 
Software Engineering : Requirement Analysis & Specification
Software Engineering : Requirement Analysis & SpecificationSoftware Engineering : Requirement Analysis & Specification
Software Engineering : Requirement Analysis & Specification
 
Segurança em Desenvolvimento de Software
Segurança em Desenvolvimento de SoftwareSegurança em Desenvolvimento de Software
Segurança em Desenvolvimento de Software
 
Software quality assurance
Software quality assuranceSoftware quality assurance
Software quality assurance
 
Chapter 5 Software Quality Assurance-Finalised_BW.ppt
Chapter 5 Software Quality Assurance-Finalised_BW.pptChapter 5 Software Quality Assurance-Finalised_BW.ppt
Chapter 5 Software Quality Assurance-Finalised_BW.ppt
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)
 
Software Quality Assurance
Software Quality Assurance Software Quality Assurance
Software Quality Assurance
 
Understanding Your Attack Surface and Detecting & Mitigating External Threats
Understanding Your Attack Surface and Detecting & Mitigating External ThreatsUnderstanding Your Attack Surface and Detecting & Mitigating External Threats
Understanding Your Attack Surface and Detecting & Mitigating External Threats
 
Security in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps EngineersSecurity in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps Engineers
 
Software Security Metrics
Software Security MetricsSoftware Security Metrics
Software Security Metrics
 
Requirements engineering
Requirements engineeringRequirements engineering
Requirements engineering
 
Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC Framework
 
Software Testing
Software TestingSoftware Testing
Software Testing
 
Breach and attack simulation tools
Breach and attack simulation toolsBreach and attack simulation tools
Breach and attack simulation tools
 
Secure Coding and Threat Modeling
Secure Coding and Threat ModelingSecure Coding and Threat Modeling
Secure Coding and Threat Modeling
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
 

Similar to Secure Software Development Lifecycle - Devoxx MA 2018

OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
cgt38842
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptx
nmk42194
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
azida3
 
OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2
ssuser18349f1
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
johnpragasam1
 
Secure Coding For Java - Une introduction
Secure Coding For Java - Une introductionSecure Coding For Java - Une introduction
Secure Coding For Java - Une introduction
Sebastien Gioria
 
Secure DevOps: A Puma's Tail
Secure DevOps: A Puma's TailSecure DevOps: A Puma's Tail
Secure DevOps: A Puma's Tail
Puma Security, LLC
 
Secure by Design Microservices & Integrations
Secure by Design Microservices & IntegrationsSecure by Design Microservices & Integrations
Secure by Design Microservices & Integrations
Ballerina
 
Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730
chadtindel
 
Application Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleApplication Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio Scale
Jeff Williams
 
香港六合彩
香港六合彩香港六合彩
香港六合彩
baoyin
 
Magento Application Security [EN]
Magento Application Security [EN]Magento Application Security [EN]
Magento Application Security [EN]
Anna Völkl
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2
Jim Manico
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesMarco Morana
 
OWASP an Introduction
OWASP an Introduction OWASP an Introduction
OWASP an Introduction
alessiomarziali
 
How to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid themHow to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid them
Masoud Kalali
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
FernandoVizer
 
Matthew Coles - Izar Tarandach - Security Toolbox
Matthew Coles - Izar Tarandach - Security ToolboxMatthew Coles - Izar Tarandach - Security Toolbox
Matthew Coles - Izar Tarandach - Security ToolboxSource Conference
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10
Sastry Tumuluri
 
Application Security on a Dime: A Practical Guide to Using Functional Open So...
Application Security on a Dime: A Practical Guide to Using Functional Open So...Application Security on a Dime: A Practical Guide to Using Functional Open So...
Application Security on a Dime: A Practical Guide to Using Functional Open So...
POSSCON
 

Similar to Secure Software Development Lifecycle - Devoxx MA 2018 (20)

OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptx
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
Secure Coding For Java - Une introduction
Secure Coding For Java - Une introductionSecure Coding For Java - Une introduction
Secure Coding For Java - Une introduction
 
Secure DevOps: A Puma's Tail
Secure DevOps: A Puma's TailSecure DevOps: A Puma's Tail
Secure DevOps: A Puma's Tail
 
Secure by Design Microservices & Integrations
Secure by Design Microservices & IntegrationsSecure by Design Microservices & Integrations
Secure by Design Microservices & Integrations
 
Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730
 
Application Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleApplication Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio Scale
 
香港六合彩
香港六合彩香港六合彩
香港六合彩
 
Magento Application Security [EN]
Magento Application Security [EN]Magento Application Security [EN]
Magento Application Security [EN]
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root Causes
 
OWASP an Introduction
OWASP an Introduction OWASP an Introduction
OWASP an Introduction
 
How to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid themHow to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid them
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
Matthew Coles - Izar Tarandach - Security Toolbox
Matthew Coles - Izar Tarandach - Security ToolboxMatthew Coles - Izar Tarandach - Security Toolbox
Matthew Coles - Izar Tarandach - Security Toolbox
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10
 
Application Security on a Dime: A Practical Guide to Using Functional Open So...
Application Security on a Dime: A Practical Guide to Using Functional Open So...Application Security on a Dime: A Practical Guide to Using Functional Open So...
Application Security on a Dime: A Practical Guide to Using Functional Open So...
 

Recently uploaded

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
Abida Shariff
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 

Recently uploaded (20)

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 

Secure Software Development Lifecycle - Devoxx MA 2018

  • 1. SSDLC - Secure Software Development Lifecycle L. Molari – S. Monti – A. Proscia @imolinfo https://www.imolainformatica.it
  • 2. How much does it cost? if (multiWrapper.hasErrors()) { for (LocalizedMessage error : multiWrapper.getErrors()) { if (validation != null) { validation.addActionError( LocalizedTextUtil.findText(error.getClazz(), error.getTextKey(), ActionContext.getContext().getLocale(), error.getDefaultMessage(), error.getArgs())); } } } #SSDLC@imolinfo
  • 3. How much does it cost? if (multiWrapper.hasErrors()) { for (LocalizedMessage error : multiWrapper.getErrors()) { if (validation != null) { validation.addActionError( LocalizedTextUtil.findText(error.getClazz(), error.getTextKey(), ActionContext.getContext().getLocale(), error.getDefaultMessage(), error.getArgs())); } } } source Reuters: https://reut.rs/2QsGivt #SSDLC@imolinfo
  • 5. Security costs. Average cost of a data breach in 2017 was… #SSDLC@imolinfo
  • 6. Security costs. When you don’t care about it. …3.62 milions of dollars. source IBM: https://ibm.co/2tMp7ek #SSDLC@imolinfo
  • 7. GDPR: Take care of users data With GDPR, data breaches will be more and more expensive: fines up to € 20M #SSDLC@imolinfo
  • 8. Security misconceptions Security should not be a matter of fences… #SSDLC@imolinfo
  • 9. Security misconceptions …or products or tools either #SSDLC@imolinfo
  • 10. Key Principles Security should be a process #SSDLC@imolinfo Security should be testable Security should be measurable
  • 11. Security as a Process #SSDLC@imolinfo Security should be a process
  • 13. A typical perspective #SSDLC@imolinfo Don’t care about Security Let’s deliver the application
  • 14. (Secure) Software Development LifeCycle SSDLC #SSDLC@imolinfo Dynamic Application Security Testing Static Application Security Testing Software Component Analysis
  • 15. SSDLC Landscape Analysis Design Development SAST Code Review Software Component Analysis Testing DAST / IAST Maintenance SIEM Vault Management Issue TrackingIndipendent Vulnerability Assessment Risk Management Consolidated Security Standard Security Best Practices Threat Modelling Secure Coding Guidelines Security Response Planning Secure Testing Policies Security Response Execution Education & Awareness RASP Enterprise Information Security Architecture Continuous Vulnerability Assessment #SSDLC@imolinfo
  • 16. OWASP 2017 Top 10 #SSDLC@imolinfo OWASP Top 10 Application Security Risks – 2017 A1:2017 – Injection A2:2017 - Broken Authentication A3:2017 - Sensitive Data Exposure A4:2017 - XML External Entities (XXE) A5:2017 - Broken Access Control A6:2017 - Security Misconfiguration A7:2017 - Cross-Site Scripting (XSS) A8:2017 - Insecure Deserialization A9:2017 - Using Components with Known Vulnerabilities A10:2017 - Insufficient Logging&Monitoring source OWASP: https://bit.ly/2HlP8H5
  • 17. OWASP 2017 Top 10 #SSDLC@imolinfo OWASP Top 10 Application Security Risks – 2017 A1:2017 – Injection A2:2017 - Broken Authentication A3:2017 - Sensitive Data Exposure A4:2017 - XML External Entities (XXE) A5:2017 - Broken Access Control A6:2017 - Security Misconfiguration A7:2017 - Cross-Site Scripting (XSS) A8:2017 - Insecure Deserialization A9:2017 - Using Components with Known Vulnerabilities A10:2017 - Insufficient Logging&Monitoring source OWASP: https://bit.ly/2HlP8H5
  • 19. (Secure) Software Development LifeCycle SSDLC #SSDLC@imolinfo Dynamic Application Security Testing Static Application Security Testing Software Component Analysis
  • 20. SAST - Static Application Security Testing SAST lets you find flaws in source code using the best known patterns of bad programming habits #SSDLC@imolinfo
  • 21. SAST - Static Application Security Testing String query = "select count(*) as number "+ " from required_documents rd, "+ " required_documents_quotations rdq, "+ " quotations q, documents d "+ " where rd.id = rdq.id_document "+ " and rd.id = d.id "+ " and rdq.id_quotation = q.id "+ " and q.end_date > sysdate "+ " and rd.status = 'EXP' "+ " and q.quotation_number = " + quotation; #SSDLC@imolinfo
  • 22. SAST - Static Application Security Testing String query = "select count(*) as number "+ " from required_documents rd, "+ " required_documents_quotations rdq, "+ " quotations q, documents d "+ " where rd.id = rdq.id_document "+ " and rd.id = d.id "+ " and rdq.id_quotation = q.id "+ " and q.end_date > sysdate "+ " and rd.status = 'EXP' "+ " and q.quotation_number = " + quotation; Thank you guys! #SSDLC@imolinfo
  • 23. SAST - Static Application Security Testing String key = “A Fixed Password"; // 128 bit key // Create key and cipher Key aesKey = new SecretKeySpec(key.getBytes(), "AES"); Cipher cipher = Cipher.getInstance("AES"); // encrypt the text cipher.init(Cipher.ENCRYPT_MODE, aesKey); byte[] encrypted = cipher.doFinal(password.getBytes()); #SSDLC@imolinfo
  • 24. SAST - Static Application Security Testing String key = “A Fixed Password"; // 128 bit key // Create key and cipher Key aesKey = new SecretKeySpec(key.getBytes(), "AES"); Cipher cipher = Cipher.getInstance("AES"); // encrypt the text cipher.init(Cipher.ENCRYPT_MODE, aesKey); byte[] encrypted = cipher.doFinal(password.getBytes()); #SSDLC@imolinfo
  • 25. SAST - Static Application Security Testing String key = “A Fixed Password"; // 128 bit key // Create key and cipher Key aesKey = new SecretKeySpec(key.getBytes(), "AES"); Cipher cipher = Cipher.getInstance("AES"); // encrypt the text cipher.init(Cipher.ENCRYPT_MODE, aesKey); byte[] encrypted = cipher.doFinal(password.getBytes()); What’s wrong with you bro’??? #SSDLC@imolinfo
  • 28. (Secure) Software Development LifeCycle SSDLC #SSDLC@imolinfo Dynamic Application Security Testing Static Application Security Testing Software Component Analysis
  • 29. Equifax Data Breach #SSDLC@imolinfo On march 2017 a serious flaw on Apache Struts 2.x was disclosed (CVE-2017-5638) ▪ Vulnerability allows Remote Code Execution ▪ Equifax Inc., a large USA credit reporting agency, was victim of an attack via this flaw ▪ Data of 145.5 milions of US citizens were stolen
  • 30. Software Component Analysis Any lesson learnt from the Equifax data breach? #SSDLC@imolinfo
  • 31. Software Component Analysis Know your software and its vulnerable components! “OWASP TOP 10 2017: A9:2017-Using Components with Known Vulnerabilities” #SSDLC@imolinfo Any lesson learnt from the Equifax data breach?
  • 32. Software Component Analysis Answer to questions such as… …what components am I using? …what vulnerabilities am I inheriting? …where am I using this component? #SSDLC@imolinfo
  • 33. Dependency Track A platform for comprehensive Software Component Analysis #SSDLC@imolinfo
  • 35. (Secure) Software Development LifeCycle SSDLC #SSDLC@imolinfo Dynamic Application Security Testing Static Application Security Testing Software Component Analysis
  • 36. DAST - Dynamic Application Security Testing DAST lets us test applications using a black box approach #SSDLC@imolinfo
  • 37. Zed Attack Proxy #SSDLC@imolinfo An integrated Web Application penetration testing tool with active and passive scanners
  • 39. Reverse proxy uses ZAP as HTTP proxy for connection to application Automated Tests HTTP Proxy ZAP Proxy Application CI Suite Zed Attack Proxy #SSDLC@imolinfo 1 2 3 6 4 Users and automated tests reach application through a reverse proxy ZAP passively records and scan requests of users and automated tests 5 A CI job fires ZAP active scan tests ZAP tries to attack application exploiting recorded requests A CI job collects reports from ZAP
  • 40. Don’t rely only on tools… Perform routine code reviews #SSDLC@imolinfo Security is a matter of people and processes Build awareness through education
  • 41. Security KPI Security should be measurable #SSDLC@imolinfo
  • 42. CVSS – Common Vulnerability Score System #SSDLC@imolinfo Temporal Metric Group Exploit Code Maturity Remediation Level Report Confidence Modified Base Metrics Exploit Code Maturity Remediation Level Environmental Metric Group Report Confidence Exploitable Metrics Scope Impact Metrics Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A) Base Metric Group
  • 43. CVSS - Common Vulnerability Score System #SSDLC@imolinfo Severity CVSSv2 CVSSv3 None N/A 0.0 Low 0.0-3.9 0.1-3.9 Medium 4.0-6.9 4.0-6.9 High 7.0-10.0 7.0-8.9 Critical N/A 9.0-10 Base Score Range
  • 44. CVSS - An example? CVSS 10 CVE-2017-5638 (Equifax Data Breach Vulnerability) #SSDLC@imolinfo
  • 45. WRT - Weighted Risk Trend #SSDLC@imolinfo Weighted Sum of vulnerabilities per application risk factor Example Blocker: 4 x 2.5 Critical: 133 x 2 Major: 508 x 1.5 Minor: 314 x 1 Application Risk Factor: 1.5 WRT = 2028
  • 46. Security in a CI/CD process #SSDLC@imolinfo Software Security Checks Toolchain Software Component Analysis DAST OWASP ZAP SAST Continuos Integration SCM Issue Tracking Artifact Repository Container Security Platform Application Collaboration Suite SIEM
  • 47. Key Takeaway points TOOLS can help you, but use them WISELY #SSDLC@imolinfo Security CAN fit your software development PROCESS Build security AWARENESS in your organization Security is TESTABLE and MEASURABLE in an AUTOMATED fashion
  • 48. Do you have any question? 42!(*) (*) If you don’t know why 42 is your answer, I’ve got some bad news for you… Black Hats are the least of your problems: Vogons are on the way! #SSDLC@imolinfo