SECURE
DEV.
BURHAN KHALID
BURHAN.KHALID@GMAIL.COM
TODAY’S TALK
•  3 Ps of Info. Security
•  Secure Development - Published Standards
•  Practical Best Practices – Implementation Guidelines
    •  S.I.T.A.T
•  Debunking Common Myths
THREE P OF
SECURITY
•  PEOPLE
•  PROCESS
•  PERSISTENCE / PRACTICE
•  SECURITY IS NOT = PRODUCT
WHY DEVELOPMENT
SECURITY?
•  MAJORITY of security vulnerabilities result from poor
   code
•  Great impact vs. minimal investment
•  Awareness at the basic, fundamental, core
•  Reciprocal effect
•  Best Use of Resources
STANDARDS
•  SSE-CMM
    •  Systems Security Engineering – Capability Maturity Model
•  TSP-Secure
    •  Team Software Process for Secure Software Development
•  Microsoft Trustworthy Computing Software Development
   Lifecycle
•  SAMM
    •  Software Assurance Maturity Model
•  SSF
   •  Software Security Framework
PRACTICAL IDEAS
•  Standardize
•  Isolate
•  Testing & Peer Reviews
•  Audits
•  Tooling
STANDARDIZE
•  Infrastructure
    •  What systems to use
    •  What versions/patches to deploy
•  Methodology
    •  Waterfall
    •  Agile
    •  Swimlanes
    •  Kanban Boards
    •  SDLC
•  Deployment Automation
ISOLATE
•  Development Stages
    •  Development
    •  Testing
    •  Staging
    •  Production
•  Isolate:
   •  Hardware
   •  Connectivity
   •  Credentials
        •    Centralized Credential Store (LDAP/AD/SSO/Federation)
•  Change Management Process
TESTING
•  Software should be tested by the following:
    •  Developers
    •  End Users
    •  Dedicated QA/QC Team
    •  Everyone in the company
    •  CEO-only
    •  Customer-only
    •  My Boss
•  One Good Test = Hours of Development time saved
•  One Bad Test = Hours of Development time wasted
•  Development Time = Money
GOOD TESTS VS.
BAD TESTS
•  Centralized Bug Database
    •  That everyone uses, not just developers
•  Good Tests = Good Bug Reports
    •  Repeatable
    •  Example
    •  Expected This, Got This
    •  BugCam / ScreenCapture
•  Bad Tests
   •  Bugs that can’t be reproduced
   •  Backlog of bugs
   •  Time wasted chasing non-software issues
PEER / CODE REVIEWS
•  Creating a proper environment
•  Peer Reviews vs. Testing
   •    Implementation vs. Execution
   •    Code / Algorithm Level
   •    “Is there a better way to write this loop?”
   •    Pool expertise together
   •    Learning Environment
TOOLING
•  Good Quality Tools = Good Quality Product
•  Standardize on tooling and frameworks
•  Standard Documentation and bootstrapping
   •  Use a wiki/intranet
   •  Geared towards developers
   •  Centralize machine images
ABOUT FRAMEWORKS
•  Software frameworks good:
    •  Set of rules that lead to benefits
    •  “Batteries Included”
    •  Save Development Time
          •    Common security headaches dealt with
•  Software frameworks bad:
    •  Black box – too much “magic”
    •  Another thing to patch/maintain
    •  Collateral damage
•  Conclusion:
    •  Use the Right framework, not the Popular framework
COMMON MYTHS
•  Complex passwords are secure passwords
•  Closed Source vs. Open Source
•  3rd Party Testing = Assurance
COMPLEX
PASSWORDS
•  Typical password requirements:
    •  1 CAPITAL letter
    •  1 lowercase letter
    •  1 numeric character
    •  1 “special” character
    •  8 characters in length
    •  Cannot repeat X passwords
•  Opposite Effect
   •  People write down passwords
   •  Repeat patterns (Apr@2012, May@2012)
Password policies have led to passwords that are difficult for
people to remember, but easy for machines to crack.
CLOSED SOURCE VS.
OPEN SOURCE
•  Common Myths:
    •  Since it's open, hackers know the code
    •  Anyone can find bugs and exploit them
•  The Truth:
   •  More Eyes = More People to Fix the bug
   •  If a bug is found, it is announced and quickly fixed
   •  No more “zero day” exploits
3RD PARTY TESTING
•  Myth
    •  They will test my code
    •  They will tell me what’s wrong
    •  If they say it passes, it is secure
•  Truth
    •  Testing done against published vulnerabilities only
    •  Report tells you what is wrong with your stack not with
       your code.
          •    Apache vulnerability
          •    Windows patch missing
    •  Your code is evolving
THANK
YOU
QUESTIONS
@BURHAN – HTTP://SPKR8.COM/S/15462